Zero Trust Interest and Investment Drivers

In Cybersecurity, Horizon Reports

Zero trust thought leadership group members: Geeta Kapoor (MSC Direct), Noah Davis (Trane Technologies), Leon Ravenna (KAR Global), Barney Baldwin (ex-MUFG, Columbia), Chase Cunningham (Ericom), Eve Maler (ForgeRock), Sean Frazier (Okta).

Zero trust (ZT) demands a multiyear commitment that incorporates existing and new solutions across six technology pillars. Leaders have been investing in ZT to become more proactive in risk management, establish security as a source of differentiation and advantage, conserve scarce security resources, and improve business efficiency.

Executive summary

Contributors to this report identify four linked objectives as key drivers for zero trust (ZT) interest and investment. Most agree that CISOs are looking to zero trust as a means of moving beyond a security approach optimized for reacting to vulnerabilities and threats toward a more proactive approach. Some also see ZT as a framework that enables optimization of scarce resources; reduces the number of deployed controls, tools, and vendors; and results in staff time savings. A number of CISOs connect zero trust to business outcomes as well. Some believe that ZT will help their firms drive competitive advantage in areas like scale, speed to market, and customer confidence, while others think ZT will enable business efficiencies. By aligning ZT strategy with one or more of these business drivers, CISOs can build support for ZT in discussions with both executives and IT/security team members.

Four anticipated benefits drive interest and investment in zero trust

The thought leadership research group identified four key ZT investment and interest drivers:

  • Establishing a proactive approach to risk management.
  • Positioning security as a source of differentiation and competitive advantage.
  • Optimizing scarce security resources through improved automation and tool rationalization.
  • Linking security capabilities to business efficiency.

Zero trust can support each of these objectives, and the zero trust thought leadership group provided experience-based analysis of the connections between ZT and target business outcomes.

Proactive risk management

  • “Risk is an important driver [of zero trust interest and investment].”
  • “From an IT and a security perspective, we’re all tired of being reactive to the next threat, to the next zero day, and then putting in controls as a reactionary measure. Zero trust seems like that proactive methodology where we could stay a step ahead of the bad guys and have some level of assurance that we’re secure. Whatever comes above that, we’ll be able to handle. But right now, it’s just a game of Whac-a-Mole.”
  • “If we can show in a measured way that implementing zero trust is going to eliminate that chaos and stop taking resources from planned activity to do incident response every time something new happens, I think that has great value.”
  • “I always say that zero trust is an inevitability of where we are as a society.”

 

The first three quotes above encapsulate a theme that ran through all our ZT thought leadership group discussions: ZT enables security teams to move from being in perpetual ‘react mode’ to implementing a framework that allows for proactive mitigation of corporate risk.

The second quote expands on an idea that arose in several different conversations by referencing “Whac-a-Mole” – a carnival game in which players scramble to knock down a succession of plastic moles emerging from random holes. CISOs want to establish a framework that enables them to invest in reducing future urgent incidents rather than just remediating problems as they arise; many are tired of continuously responding to a succession of emergency situations.

As the third quote states, an approach that can “eliminate chaos and stop taking resources from planned activities” offers great value to the security function and to the businesses that invest in and depend on security.

The final quote makes an interesting claim – ZT is “an inevitability.” This position is rooted in the belief that “the indirect costs of security risks and breaches” drive much of the current interest in ZT: “Yes, there’s a compliance concern, and privacy, consumer sentiment, and regulation feed off of each other. But [more importantly], there’s this erosion of believability of data. There’s an erosion of how we interact with other people,” tied to the entire concept of consent. ZT, the contributor believes, responds to this need to view interactions as authentic and to combat a sense that the data we access is, in some way, corrupted – a sense that would erode the underpinnings of digital business.

 

Reactive security highlights opportunity for a ZT framework. Not exactly as pictured.
[photo credit: Sarah Stierch (CC BY 4.0)]

Security as a source of differentiation and competitive advantage

  • [A key zero trust driver is] “being able to operate in a secure fashion; the ability to position security as a competitive differentiator or a market enabler.”
  • “Speed to market [motivates investment in ZT], for sure.”
  • Companies investing in ZT are looking to attain the “ability to operate at scale.”
  • “Consumers are more willing to do business with an organization that they feel has a strategic focus on security.”
  • Zero trust helps with employee retention – “meeting users where they are” is important to younger workers.

Research contributors also discussed the sense that zero trust adoption ties directly to competitive advantage and market differentiation. Thought leadership group members claimed that a proactive approach – enabling the business to align security with a constantly changing mix of inputs, assets, demands, and external threats and regulatory pressures – could support key enterprise objectives, including speed to market, the ability to operate at scale, and increased consumer confidence.

The final quote addresses a separate aspect of competitiveness: the ability to attract younger workers who – accustomed to features like built-in smartphone biometrics – may chafe at authenticating via traditional VPN/perimeter-based security features. The thought here is that by “meeting users where they live” – incorporating familiar security features into the ZT fabric rather than channeling users through a rigid (and outdated) authentication process – businesses can both appeal to younger workers and reduce the risk of workarounds that negatively impact the corporate security posture.

Optimize scarce security resources

  • “In security, the biggest cost center is…humans to do the work. And those humans are becoming increasingly expensive because there aren’t enough of them, and they are getting pulled into many different things.”
  • One key ZT driver is “resource reallocation – away from investing in maintenance of perimeter-based security to focus on security investments [staff and technology] that are better aligned with current needs.”
  • “I think that an argument can be made for cost savings” derived from ZT.

The challenge of fully staffing security teams often arises in Stratascale research projects and executive discussions. CISOs are constrained by the talent shortage. They expect this shortage to continue and seek ways to streamline processes and introduce automation to mitigate the talent shortfall.

Zero trust frameworks accommodate both process and automation objectives. By integrating security initiatives across the six pillars, ZT reduces the need for duplicated effort, and by focusing on proactive solutions to pervasive challenges, ZT helps security teams avoid some of the reactive activity that diverts attention from strategic initiatives.

At the same time, some of the most important ZT focus areas – including identity and device management, network and data segmentation, DevSecOps, attack surface management, and data security measures – use automation to reduce human error and facilitate orchestration across complex processes. ZT aligns new automation with existing systems and helps CISOs direct staff resources toward issues with the greatest need for human attention.

The issue of cost and zero trust, which we address more fully in Stratascale’s reporting on “Key Considerations in Zero Trust Deployment,” attracts a great deal of attention. The statements “building a zero trust architecture will cost a great deal of money” and “cybersecurity is an expensive but necessary capability, regardless of an organization’s zero trust status” are both true. The question isn’t whether ZT deployment will entail expenditures but whether the cost will be less (or value, greater) for firms that invest in ZT than for those that pursue other paths.

Security as a source of business efficiency

  • “Zero trust doesn’t rank particularly high as a global objective in the overall strategic priority queue, but inches higher when it is tied to specific objectives, especially to processes used to achieve business goals…Tying to the value of automation helps connect ZT to the business’s priorities. Focus on your ability to [enable] change.”
  • “For us [a key ZT benefit] was changing the culture and the perception of security as the ‘office of no’ to being an enabler with frictionless security,” supporting “flexible future” options for agile IT delivery.
  • “If [with ZT] you can help a manager know what to do and take the sting out of approvals and their part in certifications, you start making [business/security collaboration] the right thing to do. The easier thing to do.”
  • [In some industries], “where you have a special duty of care, and there is [only one or a limited number of organizations responsible for delivery of critical functions], you are a big target. [Robust security] really matters a lot. There’s lives at stake.”
  • “IT cares about managing the cost and the efficiency, and that’s something that can be positively impacted if you can manage to make everything finer grained.”

While “proactive risk management” was the most frequently cited ZT interest and investment driver in our expert interviews, “establishing security as a source of business efficiency” was probably the most vigorously discussed. CISOs believe – strongly – that zero trust enables them to have a significant positive impact on process timeliness and cost.

The first two quotes above relate directly to this central point. Security as a corporate capability is most important when it ties directly to business objectives, particularly around enabling agility and the capacity to change. Some level of security investment is a constant in a digital business world; the key to demonstrating value is to meaningfully connect investment to compelling outcomes. Per the third quote, ZT helps to facilitate this connection in tangible ways – for example, by streamlining processes associated with access and authorization.

The fourth quote speaks to the idea that in some industries – and though it’s not included here, across virtually all large companies – performance of critical functions and possession of sensitive data makes the organization a target for attackers. Business leaders understand this and are likely to understand the importance of effective cybersecurity defenses; moving forward, the contributor added, they are also likely to recognize zero trust as an enabler of digital transformation.

The final bullet raises an interesting issue. Granularity, or the ability to consider inputs like telemetry signals at varying levels of specificity, is likely to emerge as a critical factor in future security frameworks. Thought leaders (contributors to this report and many others, including the Executive Office of the President)[1] see granularity as an important factor in optimizing security – and as an important attribute of zero trust.

 

Working with this content

CISOs looking to integrate this perspective on zero trust within executive-level strategy discussions can use the following challenges/constraints and takeaways to inform their approach.

Key challenges/constraints to building interest and investment in a ZT strategy

  • ZT is “not going to happen in a year – it’s going to evolve over time.” Maintaining corporate interest and commitment to the ZT journey may be challenging (particularly if/as turnover impacts the management team).
  • Cost is also a potential obstacle: “Even if we have a project focused on ZT, we need to understand incremental cost vs. capabilities delivered by technologies that are already deployed.”
  • “The mapping exercise [connecting ZT across pillars] can be very difficult and time-consuming, and you got to get that business buying in.”

Takeaways from “Interest and Investment Drivers”

  • Businesses need to move to proactive risk management. CISOs agree that the perimeter-based approach to security is no longer viable. They know that a ZT approach is better suited for the current business and technical environment, which includes public cloud, SaaS, mobility, work from home, etc. Furthermore, CISOs are committed to moving from “whac-a-mole” to a proactive security strategy, and ZT enables this transition.
  • ZT’s ability to streamline processes and meaningfully integrate automation has significant benefits for security teams challenged by resource constraints and enhances their ability to support business objectives. “Tying to the value of automation helps connect ZT to the business’s priorities. [For example], if you can’t release changes quickly, your vulnerabilities will last longer. And [automating the security capabilities needed to enable rapid change] is also a strategic strength because you can roll out new business features much more quickly.”
  • CISOs who obtain ZT commitment and investment believe that focusing on business efficiency is important to making the ZT case. There are sound arguments – improved use of automation, reduced friction between security and business units, reduced friction for end users, better protection against targeted attacks, improved ability to optimize granularity to enhance the ability of the business to act on voluminous and diverse telemetry signals – supporting the connection between ZT and efficiency that impacts operations and financial results.

 

[1] See for example Memorandum M-22-09: https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf

 

This is the third of eight source documents included in Stratascale’s “An Executive Guide to Zero Trust” research series. We will also publish a capstone report connecting these eight pieces; a six-part companion series (“The Technical Manager’s Guide to Zero Trust”); and several compilations, ancillary documents, and tools.

Readers interested in specific executive-level perspectives on zero trust may wish to explore the other publications in this series: