Companies and governments have suffered from delaying the fundamental cybersecurity overhauls necessary to defend against increasingly sophisticated and common attacks for too long.
The Executive Order
As a response to this threat landscape, President Joe Biden issued an executive order on improving the nation’s cybersecurity, specifically with Zero Trust security architecture.
In a White House memo that followed the order, the administration addressed the private sector, imploring companies to invest in cybersecurity and to segment their networks, which is the first step toward Zero Trust security.
Biden’s order and the subsequent memo spotlight the need for government agencies and businesses alike to move rapidly to a Zero Trust architecture.
Impacts on the Private Sector
So what does this mean for private industry professionals today? Business leaders, managers, department heads, and anyone in a position to lead the charge needs to shift the way they think about security and help their teams do the same.
Zero Trust is more than just a new set of tools and procedures. It’s a whole new strategy for protecting your business.
In brief, a Zero Trust security model stems from the concept of “never trust, always verify,” and “assume breach.” With a Zero Trust framework, only confirmed-safe traffic, processes, and users are trusted. It acknowledges that the biggest threats to security can come from within the organization and leaves nothing up to chance.
The Need for Zero Trust
As the United States’ third federal CIO serving from 2015 to 2017, I’ve seen firsthand the mounting number of cyber threats against U.S. organizations. One of my first projects on the job was leading the federal government response to the Office of Personnel Management cyber intrusions, which the previous year had exposed security clearance background information on about 21.5 million government employees and laid bare the vulnerabilities in existing cybersecurity models.
One upshot of these breaches was the Cybersecurity National Action Plan, which sought to strengthen cybersecurity both in the federal government agencies and within all Americans’ digital lives.
On the front lines of cybersecurity as CIO of Microsoft and Disney, I saw that cyber threats were only becoming more destructive and more widespread. It became clear to me that traditional, perimeter-based security would continue to fail and that the single most effective long-term strategy would be to adopt a Zero Trust framework.
So, what’s holding companies back from implementing Zero Trust?
Challenges have ranged from psychological to material.
The biggest worry that many businesses or team leaders have is that moving swiftly into the unknown will only cause more problems. They might think, “How will I transition to this entirely new framework without breaking something?”
Another common block is the misconception that adopting a Zero Trust framework is a massively heavy lift that will certainly overload teams. Other challenges include lack of skills, time, budget, or managerial commitment.
It’s Well Worth the Effort
As companies come to terms with the inevitable threat to their revenues and reputations, they’re recognizing that the need for a Zero Trust security posture far outweighs the implementation challenges.
Modernized cloud-based Zero Trust technology
And today’s modernized cloud-based Zero Trust technology is simplifying the path to Zero Trust for enterprises, using powerfully streamlined automation and machine learning, and integrating with existing security tools.
As Biden’s executive order puts cybersecurity in stark focus for the public sector and the White House urges the private sector to follow suit, companies should look to the order as a guiding star for cybersecurity standards across industries moving forward. To make Zero Trust implementation smoother, organizations need to prepare in the following three ways:
1. Focus on organization-wide education first
Because an entire institution must embrace Zero Trust implementation, organization-wide education is the necessary first step.
Educating employees is essential for changing mindsets and gaining buy-in, and everyone must understand that Zero Trust isn’t just an exercise for the IT department. Instead, it requires full participation across the organization to establish and maintain business processes for verified identities, protected devices, and secure data, networks, and infrastructures.
Education begins with leaders, both at the top and managerial levels. Company leaders should set the implementation in motion by making it a company goal to ensure every person understands what the Zero Trust model is, why it’s important, and how it can help secure the organization and its assets.
Managers and department heads can help translate this into more specific and targeted communication and education for employees. For example, features such as single sign-on and multifactor authentication are basic examples of implementation that employees might already be familiar with.
Employees need to know that the organization’s strengthened cybersecurity workflows won’t render their jobs impossible. Managers can show employees how Zero Trust architecture will affect their work and reiterate the benefits along the way.
2. Build the Zero Trust muscle
Anything worth doing requires learning, practice, and refining, the same goes for Zero Trust. Implementing Zero Trust doesn’t start on Friday morning and end just in time for happy hour. Zero Trust is a new security framework, so it is a marathon that you will build on at a reasonable pace, it’s not a sprint.
Practice with a small patch and learn how to manage it, then expand from there.
SaaS platforms can kickstart the path to Zero Trust and simplify legwork with AI and machine learning that make policy recommendations for you. And they allow you to test in simulation mode, reducing uncertainty to help you scale faster.
At the early stages, it’s also important to identify what compliance standards you need to adhere to (e.g., HIPAA, PCI, GDPR) so that you can build your security posture with those regulations in mind.
As the Zero Trust muscle grows, I’ve found that many businesses can move quickly in scaling Zero Trust implementation, especially with today’s cloud-delivered platforms.
When I was at Microsoft, we were one of the most attacked organizations globally. Through our experience warding off attacks, we got pretty good at it. But we knew we weren’t completely invulnerable, so we started to think harder about what more we could do to cover the necessary surface area to be safe, scaling bit by bit.
I can’t say that you’ll get this down right away, but it’s a truly effective long-term strategy, and so it’s also a long game compared to “set and forget,” tools.
3. Overcome the organization’s internal silos
It is common that teams are experts in their function, such as cloud administration, but have little visibility into others, such as end-user device administration.
The greatest implementations break down some of those barriers during the Zero Trust journey, to educate across domains and strengthen posture not only on a technological level, but also on an organizational level.
Each implementation of Zero Trust that I have witnessed “a-ha” moments of discovery within the company’s environments, including undetected traffic from the outside, outdated internal interfaces they didn’t think were still running, and misrouted traffic putting an unknown burden on the network.
Let’s face it: Intruders don’t have the governance and budget constraints of a regular institution. They’re always looking for new ways to break through your perimeter. But when you have embraced Zero Trust implementation, you can isolate the threat before it does any more damage and therefore recover much faster.
A Zero Trust framework can make your organization resilient to cyber threats, even when attackers remain undiscovered. It’s time to admit that the bad guys will probably find a way in and adopt a Zero Trust approach that “assumes breach,” stopping ransomware in its tracks before it can wreak havoc.