I have done a few exercises on implementing Zero Trust and Zero Trust eXtended (ZTX) in enterprises. The impetus behind these exercises is that the participating organizations have leaders that are Forrester clients and had read, or at least breezed through, the research that has been published on the topic of Zero Trust, and that they have bought in on implementing Zero Trust in their systems. Great, this is how it's supposed to be, but that's where the rails come off.
The moment that I asked what their security strategy was, everyone in the room began pointing at one another and arguments began. Follow that up with the question of what's the one thing they think can be fix based on this simple framework, and whoa, things get ugly.
No one would take ownership of who could implement change, and there was no single point of leadership willing to own the decisions needed to make anything happen. The session essentially ended up with finger-pointing, arguing, a slew of profanity, and a general realization that the current situation would continue. It was painful.
So, that brings me to this point: In most sessions that I have conducted, it has never been a technology problem. It is a management, leadership, and ownership issue. Almost every group I talked to had plenty of next-generation technology in place, such as Carbon Black, Centrify, Cisco, Digital Guardian, ForcePoint, Okta, Palo Alto Networks, and Symantec.
There was no lack of technology to solve the problem; solid technical solutions were in play in every environment. Excuses, a lack of ownership, and "culture" were the problems. All the coolest, most powerful technology in the world combined with the best strategy will always fail if those in positions to do something cannot employ the technology that fixes the issue.
Also: Why companies need to implement a zero trust TechRepublic
Pointing to culture as being the "problem" is a cop-out and shows a lack of tenacity and fortitude. If security is to be put in place, then the culture must come along and accept that, if it wants to survive in today's threat environment, a degree of discomfort is tolerable.
Leadership needs to make sure everyone knows that:
- They will be watching the network.
- All users will be monitored, all the time.
- Users will have to authenticate to every asset.
- It's not their data; it's the company's, so the company controls it.
- Security isn't optional.
Users need to learn to deal with security -- it's a way of life now (or at least, it should be). If that's not going to work for some folks, then tell them to go somewhere else and be their security problem -- or make the choice to allow them to hinder security and be ready to be part of a breach. Tell the board or shareholders that, thanks to the groans of a few individuals, you have chosen to allow "culture" to threaten the bottom line of the company.
In today's world, it is no longer acceptable to allow a few individuals' fears and unfounded concerns about monitoring and security operations to impede a secure digital future for the majority.
If interested in attending my deep-dive workshop on how to architect a Zero Trust solution, register for Forrester's Privacy & Security 2018 Forum on September 25-26 in Washington D.C. and contact firstname.lastname@example.org for your VIP invite. Use discount code ZDNET to save $500.
This post originally appeared here.
- How to create a security strategy for IoT
- Online security 101: Tips for protecting your privacy
- Your biggest threat is inside your organisation
- Improve your cybersecurity strategy: Do these 2 things
- Okta offers free multi-factor authentication
- The future of IoT? State-sponsored attacks
- Cybersecurity: How to devise a winning strategy