Businesses and governments have suffered from delaying for too long the fundamental cybersecurity reviews needed to defend against increasingly sophisticated and common attacks.
The Executive Order
In response to this threat landscape, President Joe Biden issued an executive order on enhancing the nation’s cybersecurity, specifically with Zero Trust security architecture.
In a White House note following the order, the administration turned to the private sector, imploring companies to invest in cybersecurity and segment their networks, which is the first step toward Zero Trust security.
Biden’s order and subsequent memo highlight the need for government agencies and businesses to quickly move to a Zero Trust architecture.
Impacts on the Private Sector
So what does this mean for private industry professionals today? Business leaders, managers, department heads and anyone in a position to lead the charge need to change the way they think about security and help their teams do the same.
Zero Trust is more than a new set of tools and procedures. It is a completely new strategy to protect your business.
In short, a Zero Trust security model is derived from the concept of “never trust, always verify” and “assume a breach”. With a Zero Trust framework, only confirmed secure users, processes, and traffic are trusted. It recognizes that the biggest security threats can come from within the organization and leaves nothing to chance.
The need for Zero Trust
As the third United States federal CIO serving from 2015 to 2017, I have seen firsthand the growing number of cyber threats against American organizations. One of my first projects on the job was leading the federal government’s response to the Office of Personnel Management cyber intrusions, which the previous year exposed security clearance background information on approximately 21.5 million government employees and exposed vulnerabilities in existing cybersecurity models.
One result of these violations was the National Cybersecurity Action Plan, which sought to strengthen cybersecurity both in federal government agencies and in the digital lives of all Americans.
On the front lines of cyber security as CIO of Microsoft and Disney, I saw that cyber threats were only getting more destructive and more widespread. It became clear to me that traditional perimeter-based security would continue to fail and that the most effective long-term strategy would be to adopt a zero-trust framework.
So what stops companies from implementing Zero Trust?
The challenges have ranged from the psychological to the material.
The biggest concern many companies or team leaders have is that moving quickly into the unknown will only cause more problems. They might think, “How am I going to transition to this whole new framework without breaking something?”
Another common roadblock is the misconception that adopting a Zero Trust framework is very heavy lifting that will undoubtedly overwhelm teams. Other challenges include a lack of skills, time, budget, or managerial commitment.
Worth the effort
As companies come to terms with the inevitable threat to their revenues and reputations, they recognize that the need for a Zero Trust security posture far outweighs the implementation challenges.
Modernized cloud-based Zero Trust technology
And today’s modernized cloud-based Zero Trust technology is simplifying the path to Zero Trust for enterprises, using powerfully optimized automation and machine learning, and integrating with existing security tools.
With Biden’s executive order putting cybersecurity in the spotlight for the public sector and the White House urging the private sector to follow suit, businesses should look to the order as a guiding star for cybersecurity standards in the United States across all industries in the future. For Zero Trust implementation to go more smoothly, organizations should prepare in the following three ways:
1. Focus first on organization-wide education
Because an entire institution must adopt Zero Trust implementation, organization-wide education is the necessary first step.
Educating employees is essential to changing mindsets and gaining buy-in, and everyone needs to understand that Zero Trust is not just an exercise for the IT department. Instead, it requires the full engagement of the entire organization to establish and maintain business processes for verified identities, protected devices and secure data, networks and infrastructure.
Education begins with leaders, both at senior and managerial levels. Company leaders should kick-start implementation by making it a company goal to ensure everyone understands what the Zero Trust model is, why it matters, and how it can help protect the organization and its assets.
Managers and department heads can help translate this into more focused and targeted communication and education for employees. For example, features like single sign-on and multi-factor authentication are basic implementation examples that employees may already be familiar with.
Employees need to know that the organization’s hardened cybersecurity workflows won’t make their jobs impossible. Managers can show employees how Zero Trust architecture will affect their work and reiterate the benefits along the way.
2. Build Zero Trust Muscle
Anything worth doing takes learning, practice, and refinement, and the same goes for Zero Trust. Zero Trust implementation doesn’t start on Friday morning and end just in time for happy hour. Zero Trust is a new security framework, so it’s a marathon where you’ll build at a reasonable pace, not a sprint.
Practice with a small patch and get the hang of it, then expand from there.
SaaS platforms can start the journey to Zero Trust and simplify the legwork with AI and machine learning that make policy recommendations for you. And they let you test in simulation mode, reducing uncertainty to help you scale faster.
In the early stages, it’s also important to identify which compliance standards you need to meet (for example, HIPAA, PCI, GDPR) so that you can build your security posture with those regulations in mind.
As the Zero Trust muscle grows, I’ve found that many companies can move quickly to scale their Zero Trust implementation, especially with today’s cloud-delivered platforms.
When I was at Microsoft, we were one of the most attacked organizations globally. Through our experience protecting ourselves from attacks, we did quite well. But we knew that we weren’t completely invulnerable, so we started to think more about what else we could do to cover the necessary surface to be safe, climbing little by little.
I can’t say you’ll understand this right away, but it’s a truly effective long-term strategy, so it’s also a long game compared to “set and forget” tools.
3. Overcome internal organization silos
It’s common for teams to be experts in their role, such as cloud management, but have little visibility into others, such as end-user device management.
The best implementations break down some of those barriers during the Zero Trust journey, to educate across domains and strengthen posture not only on a technological level, but also on an organizational level.
In every Zero Trust implementation, I’ve witnessed “a-ha” moments of discovery within enterprise environments, including undetected traffic from the outside, stale internal interfaces that they didn’t think were still running, and diverted traffic that puts an unknown load on the network.
Let’s face it: Intruders don’t have the budgetary and governance constraints of a normal institution. They are always looking for new ways to get through your perimeter. But when you’ve adopted the Zero Trust implementation, you can isolate the threat before it does more damage, and therefore recover much faster.
A Zero Trust framework can make your organization resilient to cyber threats, even when attackers remain undiscovered. It’s time to admit that the bad guys will probably find a way in and take a Zero Trust approach that “assumes a breach”, stopping the ransomware in its tracks before it can wreak havoc.