Anudeep Parhar is the CIO at Entrust , a leading global provider of trusted identities, payments and data protection.
getty
Over the past several months, we have seen the real-world impacts of cybersecurity incidents. For MGM, it meant losing an expected $100 million due to a data breach. For 23andMe, it meant allegedly over one million data profiles being sold on the black market.
Because phishing and ransomware attacks continue to be so successful, cybercriminals won’t be slowing down, which means a robust zero-trust strategy is no longer a want but a need. However, while the need for zero trust has become clear, enterprises continue to struggle to implement it. Why?
A recent survey found that “the quarter of respondents who’ve partially or fully implemented zero trust say they struggle to get full buy-in from other departments when it comes to scaling these ideas across the enterprise.” To properly implement a zero-trust framework, security leaders require buy-in from numerous stakeholders, including the C-suite, and cooperation across the organization. While this process may be challenging, it is essential in the current threat landscape.
The Challenge Of Zero Trust
Achieving a zero-trust framework is a multi-year maturity mindset, one that requires trust and cooperation to ensure that the framework is built on a solid foundation. With a zero-trust architecture, stored data can be encrypted with the least privileged access control policies that ensure employees only have access to data required to fulfill their role. The conventional method involved securing digital entry points using firewalls to ward off potential threats, but the rise in multicloud usage and the adoption of hybrid work environments are making these approaches outdated and ineffectual.
To adapt to the new security landscape, organizations need to adopt the idea of “never trust, always verify.” This means that rather than leveraging trusted identities to provide access to resources and applications, identities are continuously verified and access decisions are determined based on a policy driven by a multitude of factors such as role, location of access, endpoint used to access and access history.
It is important to acknowledge that this process requires organizations to assess the current state of their security controls and infrastructure, identify gaps and weaknesses and develop a plan to address those gaps. While this requires a significant investment of time and resources, it is essential as the types of threats organizations face continue to change and evolve.
Achieving zero trust requires that organizations operate under the assumption that a malicious actor has already infiltrated their system. The emphasis should then be placed on safeguarding the organization against the unauthorized movements of such actors within its system.
Attackers will always have the “first-mover” advantage, making it essential for security teams to adopt an “always-on” approach. To start this process, security leaders need to look to their C-suite for buy-in and support from the organization.
Closing The C-Suite Gap
A recent survey found that 61% of respondents “believe that their company’s leadership ‘overlooks’ the role of cybersecurity in business success.” Further, “Only 39% of them think that their board of directors and C-suite has a ‘sound understanding’ of cybersecurity’s role as a business enabler.”
To achieve the C-suite buy-in that is essential to a zero-trust strategy, technology leaders need to be able to draw a direct line between cybersecurity and company growth. The ability to convey the business value of investing in cybersecurity strategies in relation to the threat landscape without sensationalizing it and getting in the weeds is critical.
By presenting the information in business-relevant language and themes of growth, risk reduction and productivity, security teams will not only have the support they need to develop these programs, but they will also be able to secure the funding needed for a strong cyber risk posture. DEI and ESG are seen as growth enablers—we now need to have that same view for cybersecurity.
To accomplish this, security leaders need to do the following.
• Educate the board. CIOs and CISOs need to ensure the board is educated on the latest cybersecurity tactics and what the landscape looks like today. It is important to find the balance between high-level explanations and overly technical descriptions so that boards can properly digest the information and understand the impacts of these threats.
• Quantify the threats and set ROI goals. The best way to have a board sign off on cybersecurity spending is to put the potential risks in terms they understand. By explaining the cost of a breach and why a zero-trust strategy would save them money in the long run, the C-suite can quantify the value of the investment.
• Connect security initiatives to business outcomes. At the end of the day, business leaders are looking for strategies that are going to benefit their bottom line. When the board understands how zero-trust maturity will help the organization achieve its goals, they are more likely to not only provide the necessary funding but also create a culture shift around zero trust and set the tone from the top down.
Adopting a zero-trust strategy is not an overnight change; it is a future operating mindset for the entire business. However, with C-suite buy-in and support from the entire organization, security teams are setting themselves up for long-term success.
The Future Of Zero Trust
With the rapid acceleration of the threat landscape, a defensive strategy is no longer enough. Businesses need to take the offensive as well to rise to the challenge and ensure their most sensitive information is safe. As security teams mature their zero-trust strategies, the need for C-suite buy-in and organization participation will become clear.
Sooner than we think, customers and business partners will start to take notice of these increasingly frequent high-profile breaches and demand a higher security posture as a condition of doing business. Staying ahead of cyber risk threats is a new growth vector for your business, not an inhibitor.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
