It was back in 2017 that the Economist predicted data would replace crude oil as the world’s most valuable resource and that there would be a new “asset-light” economy built on digital rather than physical infrastructures. In hindsight, we could say, yes, of course that’s the case. We know the value of data and those digital infrastructures today, especially as we witnessed the exploding of remote work, online transactions, and virtual interactions brought about by the coronavirus pandemic.
We also know that data is not just a valuable resource. It can also be a liability. Bruce Schiener describes it as a “toxic asset.” The more data you have and the more accessible it becomes, the larger your attack surface. So while data is driving change in the business, it is also introducing risk. Our digital infrastructures and data, therefore, require a delicate balance of security and risk — and it’s a balance many organizations have yet to strike.
Zero Trust Architectures are a byproduct of this evolution, and, I’d argue, an enabler of future digital transformation. Because ultimately, a Zero Trust approach is about making business assets accessible to the right people at the right time regardless of where they or the asset reside. (If you’re looking for more information about Zero Trust Architectures and how to get started, I recommend this blog post by my colleague Bojan Zelic.)
Unfortunately, that’s not the way most people think about Zero Trust. They may think it’s another product they have to buy and configure. Or they may think Zero Trust is too restrictive and will inhibit business processes and operations. Fortunately, neither of those things is true. The right security measures, just like brakes on a car, can and will enable the business to move faster. But it will take a shift in perceptions across business, IT, and, yes, even security in order to make it possible.
Security needs to be perceived differently by Business owners, all the way up to the CEO
For many companies today, the C-suite will evaluate security based on the number of incidents that occur. If there are no security incidents, security must be doing a fantastic job! Incidents, as we know, do not represent the entire security picture.
Expanding on the car analogy above, when somebody wins a Formula 1 race, the press will talk about the driver and the engine. Was it a Red Bull or a Ferrari? What doesn’t get mentioned is the security that made the win possible — the brakes that worked correctly, the pit crew that changed out a worn tire. These security features are enablers of the car’s performance just as Zero Trust is an enabler of the business.
This is the type of shift in thinking that needs to happen in order for Zero Trust and security in general to be more accepted by the business. So how do you do this? Frame the conversation in terms of risk. If the car doesn’t have brakes, it will spin out on the turns. If medical data ends up in the wrong hands, what are the consequences? If we want to offer more personalized financial services, what data will we need and who will have access?
Security needs to be perceived differently by the IT Organization.
For many engineers and IT professionals, security is perceived as a checklist dictated from above. It’s another task added to an already long to-do list rather than something that can add value to the organization. There are a few strategies for changing this mindset.
First, security should be greatly incentivized with bonuses during the IT engineering processes. If someone in the company finds a bug or vulnerability, it should be rewarded.
Second, I recommend decoupling security goals from IT projects to avoid security becoming a roadblock. In other words, don’t make your goals as a security team someone else’s problem.
Finally, create a direct link between the CISO and the CEO. Oftentimes, the CISO will report into the IT organization. If it’s not possible to move this team out from under the CIO, at least ensure that there are strong communication lines between the CISO and the rest of the C-suite. If there is a risk that would impact the entire company financially or reputationally, the CEO should be aware.
Security needs to be perceived differently by Security professionals.
This one will hit a bit close to home, but stick with me. We as security professionals have gotten comfortable in one of two lanes. We either take a theoretical, top-down approach to security or a more practical, hands-on approach. Neither of these is inherently wrong, but ideally we’d have a blend of both.
In a theoretical, top-down approach, you spend a lot of time on documentation, assessments, and reviewing industry standards. These are all valuable exercises, but we come up short when we fail to turn these requirements into practices.
On the other hand, sometimes we leave security up to two highly skilled engineers who have no problem staying on top of day-to-day tasks but don’t necessarily have the 10,000-foot view of what the organization’s security needs are and how to standardize them.
To understand how both approaches can work together, let’s use a security monitoring scenario.
The MITRE ATT&CK framework is a widely known, comprehensive taxonomy of real-world use cases for how to monitor security incidents along the attack chain. This is a wonderful industry standard that applies to the majority of attacks security teams will encounter. And, better yet, managing security against this framework can be automated.
But, for more sophisticated attacks, there is still a need for a more practical, hands-on approach led by a seasoned security analyst. It requires someone with a lateral-thinking mindset, similar to experienced chess players. Even in chess, if you’re an expert in all the openings, the best players are the ones who can improvise to outsmart their adversary. Security teams will need to adopt this lateral-thinking approach to stay one step ahead of attackers.
Starting Your Zero Trust Journey
This post presented a high-level view of the changes that must take place culturally and politically in order for Zero Trust security to enable digital transformation for the business. Of course, there are many finer points to consider when it comes to implementing Zero Trust architectures and controls within your own organization. Kudelski Security’s Advisory team can help identify the right plan or evaluate programs that are already in place. Contact us here to learn more.