The Journey to Zero Trust: Best Practices to Achieve Consensus at Your Organization
In today’s digital world, organizations are experiencing unprecedented levels of cyber risk. In May, we released a white paper “Securing a New Digital World with Zero Trust: How Zero Trust Cybersecurity is Transforming the IoT (internet of things) Industry.” We outlined how to take steps to safeguard your data, assets, users, and IoT from malicious hackers through the Zero Trust framework, which regards all network activity as potentially harmful until proven otherwise. Now that we’ve discussed the technical side, let’s take a look at best practices for aligning with organizational leadership on the Zero Trust journey.
Zero Trust reduces cyber risk by establishing robust safeguards, protocols and security practices that stop malicious actors from gaining traction, so one might expect it to be easy to get enterprises aligned with the perimeter-less model. Yet many have not begun the journey. A 2020 study by Okta found about 60% of organizations in North America, and only 40% globally, are working on Zero Trust projects. In this blog, we’ll discuss strategies for promoting Zero Trust as a key cybersecurity framework to the decision makers within your organization.
Advocating for Zero Trust to Leadership in Your Organization
Zero Trust typically requires buy-in from many levels and departments, often from IT, management, and operations. To secure the endorsement of IT and business decision makers for the Zero Trust journey, consider each department’s own goals and needs and speak their language: some business functions may be more interested in reducing cyber risk exposure, while others may be concerned about introducing friction to how users go about their work, or may simply have concerns about changing the status quo. Implementing Zero Trust can seem like a complex business sale, in that evangelizing for the cybersecurity framework can require making a personalized case to all involved stakeholders (management, IT, operations) to secure their sign-off.
Different leaders respond to different business cases for Zero Trust. You can make the case for Zero Trust’s ability to achieve stronger compliance, particularly if you work with customers or partners with enhanced regulatory safeguards or needs. Separately, you can highlight the benefits of scalability, with some Zero Trust architectures enabling you to scale applications and cloud access with a lower investment than traditional security measures that are less effective. Finally, the reduced risk exposure to cyber threats is a clear incentive. Use data and facts to make your case for mitigating risk. It can also help to bring in expert third-party counsel to advise your organization on best practices and make the case for Zero Trust. If you go this route, ensure that your outside partners have strong familiarity with your industry and can speak the business language of your leadership.
Understanding the Practicalities of Zero Trust Implementation
Organizations should also understand how cybersecurity implementations will affect the end user. How will measures like multi-factor authentication, password security practices and new security solutions impact users’ ability to access data and handle their day job? If the security practices are considered too overbearing, there can be a risk of users finding ways to sidestep or ignore certain security practices, such as sharing logins or moving sensitive data offline. These factors should be considered at the outset, and it can help to have informal conversations with internal stakeholders before launching new vendor systems and cyber solutions. Further, identifying these roadblocks early can help enable realistic conversations with management, operations, and IT on how Zero Trust practices will work.
On the journey to implementing Zero Trust, it’s best to be proactive and consider your organization’s needs for both securing assets and data as well as how end users will respond to new security protocols. If there’s a concern that users will not respond well to security changes that inconvenience them, consider strategies to address this through better communication. One solution is simply to educate staff and end users on how security practices will benefit them, particularly if they are inconvenienced by more restricted access, new security protocols like automatic sign-out and lock-outs, and greater two-factor authentication requirements. By educating users on how Zero Trust protocols will safeguard them and the organization, you can increase the likelihood that they will adhere to security protocols.
Building Zero Trust as a Commercial Differentiator
Increasingly, customers are more loyal to companies with strong cybersecurity. Partners are more likely to trust organizations that prioritize cybersecurity best practices. Investors view cybersecurity best practices as non-negotiable. Yet for most customers, there’s a significant gap between expectations and reality. In a 2020 study, 70% of consumers across North America, the United Kingdom, France, and Germany believe businesses aren’t doing enough to secure their personal data. The same study found that 59% of consumers would be likely to avoid conducting business with an organization that experienced a cyberattack in the last 12 months.
Organizations that prioritize cybersecurity are better equipped to do business. While reducing exposure to cyber breaches is typically the most important objective, companies with stronger cybersecurity posture can also enjoy commercial benefits in the form of stronger customer loyalty and more trusted partnerships and stakeholder relationships. When evangelizing on Zero Trust internally, consider pointing to the commercial benefits of cybersecurity best practices for your enterprise’s growth prospects and ability to create long-term value for customers and shareholders.
Achieving Zero Trust is a journey, and it often requires achieving stakeholder buy-in from many different functions within your organization. To do this, be sure to highlight the business benefits alongside the reduction in cyber risk exposure.
Learn more about Zero Trust in our white paper, available here: “Securing a New Digital World with Zero Trust.”