The Zero Trust Rollout Notebook


Zero trust thought leadership group members: Geeta Kapoor (MSC Direct), Noah Davis (Trane Technologies), Leon Ravenna (KAR Global), Barney Baldwin (ex-MUFG, Columbia), Chase Cunningham (Ericom), Eve Maler (ForgeRock), Sean Frazier (Okta).

While structured guidance on business drivers, key technologies, deployment strategies, and metrics is critical to developing an effective zero trust strategy, many executives also benefit from observations about the journey that provide a real-world perspective on considerations, roadblocks, and workaround options. Zero trust thought leadership group discussions (and internal conversations about ZT) elicited observations that may help inform CISOs as they move to tie strategy to frameworks and activity plans.

Executive summary

Every hiring manager (and job seeker) understands the distinction between “hard skills,” which relate directly to core job requirements, and “soft skills,” which are important to a professional’s ability to function effectively in a business environment. A similar distinction applies to zero trust strategy development. CISOs need to address specific issues that are – and ought to be – critical points of emphasis for the CIO, senior leadership team (SLT), and board of directors: why would we invest in zero trust, what capabilities will we need, what does the path forward involve, how will we measure progress or success? But CISOs also require insight into issues that are important to navigating that journey:

  • How to identify and communicate the importance of security hygiene.
  • How to transition from a “build-out” to a “build-in” mindset.
  • Incrementalism as a guiding principle in deploying ZT and reaping complexity and cost reductions.
  • The importance of frameworks in bringing transparency to strategy updates.
  • Understanding the scope of the ZT commitment.
  • Setting executive expectations.

By adding this information to the “hard skill” toolkit, the CISO becomes better able to work with corporate stakeholders to deliver a viable ZT plan.

Six considerations that impact ZT rollout plans

Hygiene is a necessary first step

The need to address security hygiene before launching new ZT (or other security) initiatives was a point of emphasis across the thought leadership group. One contributor asked, “What happens when regulators do an audit and find hundreds or thousands of IDs for people who have left the firm?” Another wondered, “Do we have patching test cycles – and the great test environments and associated administrative processes that they require?” Similar questions – “Do we know how many devices we are securing or where our sensitive data is?” “Are we continuously authenticating communications protocols and monitoring communications and changes to the network?” – illustrate the need to ensure that the security foundation is sound before assembling a ZT framework atop it. One expert stated that he likes to use “GIGO” (garbage in, garbage out) messaging – “that, or is the foundation of your ZT built on quicksand? You do all this great work, but your fundamentals are weak,” detracting from the overall effectiveness of ZT investments and activity.

CISOs need to paint a clear picture of how and why hygiene is important. Security staff must understand why they need to focus on these “blocking and tackling” issues before embarking on a more fulfilling ZT journey. Senior leadership has to appreciate that a ZT strategy can’t succeed unless the organization has demonstrated that it has addressed the basics – the issues that determine base-level success and, when neglected, create easily exploited weaknesses.
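The first hygiene question above – accounts that still exist for people who have left – is one of the few in this section that can be answered mechanically: reconcile the directory against the HR roster of active staff. The following is an added example written for this page, not code from the contributors or their organizations. It works on constructed sample data standing in for a directory export and an HRIS feed; the field names (account, employee_id, enabled, last_logon) and the 90-day staleness threshold are assumptions, and the departed/stale/unowned buckets are this example's own classification.

```python
"""Reconcile a directory export against the HR roster of active employees.

Added example for this page. The sample rows below are constructed; real
data would come from an AD/IdP export and an HRIS feed. Field names are
assumptions about what such an export carries.
"""
from datetime import date, timedelta

# Fixed "today" so the classification is deterministic and testable.
TODAY = date(2024, 1, 15)

# Constructed directory export: one row per account. Service accounts carry
# no employee_id and are surfaced for owner attestation rather than HR matching.
DIRECTORY = [
    {"account": "alice",      "employee_id": "E1001", "enabled": True,  "last_logon": TODAY - timedelta(days=5)},
    {"account": "bob",        "employee_id": "E1002", "enabled": True,  "last_logon": TODAY - timedelta(days=200)},
    {"account": "carol",      "employee_id": "E1003", "enabled": True,  "last_logon": TODAY - timedelta(days=120)},
    {"account": "dave",       "employee_id": "E1004", "enabled": False, "last_logon": TODAY - timedelta(days=400)},
    {"account": "svc_backup", "employee_id": None,    "enabled": True,  "last_logon": TODAY - timedelta(days=1)},
    {"account": "erin",       "employee_id": "E1005", "enabled": True,  "last_logon": None},  # never logged on
]

# Constructed HR feed: employee IDs of people currently on payroll.
HR_ACTIVE = {"E1001", "E1003", "E1004", "E1005"}


def classify_accounts(directory, hr_active, today, stale_days=90):
    """Bucket every account by the hygiene problem it represents.

    departed: enabled, but the owner is no longer an active employee
    stale:    enabled and owned, but unused for > stale_days (or never used)
    unowned:  enabled with no employee mapping (service/shared accounts)
    disabled: already disabled; listed so coverage totals add up
    healthy:  enabled, owned by active staff, recently used
    Departed takes precedence over stale: a leaver's account is a leaver's
    account regardless of when it was last used.
    """
    buckets = {k: [] for k in ("departed", "stale", "unowned", "disabled", "healthy")}
    cutoff = today - timedelta(days=stale_days)
    for row in directory:
        name = row["account"]
        if not row["enabled"]:
            buckets["disabled"].append(name)
        elif row["employee_id"] is None:
            buckets["unowned"].append(name)
        elif row["employee_id"] not in hr_active:
            buckets["departed"].append(name)
        elif row["last_logon"] is None or row["last_logon"] < cutoff:
            buckets["stale"].append(name)
        else:
            buckets["healthy"].append(name)
    return {k: sorted(v) for k, v in buckets.items()}


def problem_ratio(buckets):
    """Share of enabled accounts that need action (departed, stale, unowned)."""
    enabled = sum(len(v) for k, v in buckets.items() if k != "disabled")
    flagged = len(buckets["departed"]) + len(buckets["stale"]) + len(buckets["unowned"])
    return flagged / enabled if enabled else 0.0


if __name__ == "__main__":
    result = classify_accounts(DIRECTORY, HR_ACTIVE, TODAY)
    for bucket, names in result.items():
        print(f"{bucket:9s} {', '.join(names) or '-'}")
    print(f"flagged share of enabled accounts: {problem_ratio(result):.0%}")
```

The same reconciliation run against the real export is a before-and-after metric a CISO can report: the departed bucket should trend to zero as joiner/mover/leaver automation matures, and the unowned bucket is the list of service accounts that need a named owner before any identity-centric ZT control can be applied to them.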

Build-in, not build-out

Every discussion of zero trust strategy will eventually touch on the question, “How do we build momentum for ZT rollouts?” – especially given the reality that the ZT strategy is likely to evolve over years, not be deployed in project form.[1] One really interesting response to this question was, “I don’t think of ZT in terms of ‘rolling it out’ but rather ‘building it in’ – baking security into the things that you do from an access and IT perspective.” This contributor continued, “[ZT] is going to be built into existing projects and things that you’re doing. So, [for example], if you’re rolling out identity and access management, you build in the things that zero trust requires: MFA and secure single sign-on, strong identity auth [authentication].”

The build-in approach can also be extended to other parts of the organization. One example involves linking to the development team, bringing awareness of the need for “security from cradle to grave” – including “if you want to use identity stack, do multi-factor authentication. Make sure you’re encrypting the data at rest and the data in motion.”

Incrementalism

No participant in any of the zero trust research discussions used the word “incrementalism.” But the concept arose several times, and in contexts that helped illustrate how zero trust can help reduce not only complexity but also cost.

One thought gleaned from the discussions and repeated to general agreement holds that “zero trust is an incremental journey rooted in existing technologies and processes.” ZT doesn’t demand that CISOs unplug their current infrastructure in favor of new and different technology. It is a concept holding that a long-term strategy for reorienting security focus from the perimeter to identity/access and data can be articulated in a framework of capabilities needed across six core pillars and realized through a “journey” that emphasizes or reinforces relevant current technologies and processes, adds new resources where needed, and allows for the removal of unneeded tools.

The gray dots on the diagram above indicate the potential for ZT-inspired rationalization. In some cases, current portfolio assets are oriented at issues that are not a priority in a ZT strategy. In others, an organization may have several tools that perform similar or overlapping functions. ZT provides an opportunity to identify the one that best aligns with the long-term vision and to retire those that are less well aligned with the evolving framework. As one expert observed, “rationalize controls – rationalize products – rationalize vendors. ZT is a means of reducing complexity and spend.”

Elsewhere in this series, we observed that security vendors have contributed to confusion around the development of simplified ZT frameworks by positioning their products as ZT solutions.[2] This “silver bullet product,” piecemeal/fragmented approach is the antithesis of the ZT success route. As one contributor observed,

“It gets confusing when vendors come in with their version of Zero Trust, which is wrapped around how their product can be used as a part of zero trust. That doesn’t make it a ‘zero trust product.’ Zero trust is that expansive business-driven conversation” focused on prioritizing the protection of critical business intellectual property (IP) assets.

Frameworks and transparency

Discussions that center on controls, like the one resulting in the graph above, often highlight the value of standard frameworks. “I’m a big fan of frameworks,” one CISO said, “and I think that zero trust can leverage frameworks, like CIS [the Center for Internet Security] – where you’ve got 18 critical controls – and NIST CSF [cyber security framework]. Those things are really important. If you focus on just the first few CIS controls, your security program is going to be a lot better off. Just start there – there’s your checklist. Or measure yourself against NIST CSF. But – be honest. Come up with a maturity rating and say, ‘you know what, we’re actually only like 1 on identify…and, maybe you want to get to a 2.5 or a 3 before you start to do zero trust.’ They say the first step [to recovery] is admitting you have a problem. You have to do that with your security program.” The temptation to attack all problems as quickly as possible is understandable. Still, CISOs benefit from taking a step back, focusing on the most broadly useful controls, and then building out a plan to move forward as their core operations mature.

This willingness to be candid about weaknesses is not universal. One contributor pointed out that “some CISOs will say, ‘We’re “green” – we’ve had third-party assessments done where we look pretty good,’ and that instilled a sense of confidence within the board. I say that’s one of the most dangerous positions you can be in: when you have a false sense of how secure you are or how mature your security program is. You have to be honest and measure it objectively” via a framework. “And that’s a good place to start with zero trust,” the expert added. “Are we going to even be able to do this? And over what time frame? Are we looking to do zero trust in two months, or is this a journey?”

Scoping the journey

Contributors articulated the dichotomy of viewing ZT as a short-term project versus a long-term journey. We’ve already indicated that a project approach will fail, and ZT is often referenced as a journey. But how long is the trip?

One CISO stated that a ZT rollout will take “three to five years, easily. So, what’s your timeline for zero trust?” This is a complicated issue. The CISO continued by asking, “Do you have the executive sponsorship to be able to take that much time to grow the security program? I don’t know. Is eight years a good timeframe to implement zero trust? Or are you never done with zero trust? And it’s my position [that] you’re never done.” This last phrase sounds almost ominous, but it was a recurring theme: a second contributor said, “It’s a continuous thing,” and a third added, “I call it ‘the infinite game.’ It’s not a project.”

Setting expectations

Zero trust requires a multi-year commitment and substantial, ongoing investment, and it affects most internal (and potentially a number of external) users and processes. Given this context, CISOs need to set expectations that help executives understand what they should and shouldn’t expect from ZT.

One thought leadership group member provided a concise opening statement: “Zero trust does not mean that you will never be breached.” That may prove to be a difficult pill for the SLT to swallow: “I think that the board would be extremely upset if, at one point in time, they said, ‘We’ve invested $140 million over the past few years, but we just had a breach.’…[But] zero trust is not this magic state in which you’re never going to be breached. It’s about risk mitigation.” The CISO went on to state that “you need to have a strong GRC program [at the core of your ZT strategy]…[A]n immature governance, risk, and compliance function could be a very large obstacle to achieving zero trust.”

It isn’t easy to request significant investment and executive commitment while declining to provide a firm guarantee of success. As the previous paragraph notes, zero trust is an exercise in risk mitigation: it represents best current practice in protecting critical IP against compromise or theft – and by doing so, protects against financial, regulatory, reputational, and other threats to the business. But as discussed in the Metrics report in this series,[3] “The better the job you’re doing, the harder it is to show it. It’s almost like proving a negative – you didn’t get impacted by a new vulnerability. How do you prove the impact of not having to do something?”

This dichotomy makes it difficult for CISOs to tie value to cost. But security leaders should remember that they are hardly alone in not having the ability to translate current investment into guarantees of future performance; after all, in words used by a participant in our GRC roundtable, “The finance guys can’t promise us that we’re always going to make budget. And I can’t promise you that we’re never going to get hacked.”[4]

Working with this content

The structure of the ZT rollout discussions didn’t lend itself to big-picture perspectives on ZT constraints and takeaways. But we gleaned two smaller ones:

Constraint

Zero trust strategies and frameworks are “very much constrained by dominant vertical applications [or similarly core applications like ERP, Workday, etc.]. Innovation in security [including a focus on ZT] needs to connect to the systems that run the business.”

This observation is not included to level blame at dominant software platforms — in fact, the CISO who made this observation hastened to add that “this isn’t to say that vertical application leaders neglect security at all” — just to note that use of these applications limits approaches that aren’t tightly coupled with their technologies and associated processes. This observation is important to security generally, and to zero trust strategies specifically. No company wants to deploy security via a series of point solutions. To be effective, a holistic strategy like ZT needs to integrate with business applications and with other deployed security tools.

Takeaway

We asked contributors, “Is there anything the business should do or do differently to position itself for ZT success?” One expert called for CISOs to “take a center of excellence approach, working within your organization, within your business. In most organizations, security is a separate ‘thing.’ But it needs to be part and parcel of what you deliver as a business. The business needs to be accepting of the fact that when it builds things, it needs to build in the basic tenets of ZT.”


[1] See, in particular, the Key Zero Trust Technologies and Management Imperatives section on “Planning for the Journey.”

[2] See, for example, Key Zero Trust Technologies and Management Imperatives.

[3] See Zero Trust Metrics.

[4] For additional discussion on how best to address uncertainties relating to risk and the corporate need for clarity and assurance, please see the Stratascale Horizon Report Cybersecurity Strategy for the Looming Regulatory Quagmire.

This is the sixth of eight source documents included in Stratascale’s “An Executive Guide to Zero Trust” research series. We will also publish a capstone report connecting these eight pieces, plus a six-part companion series (“The Technical Manager’s Guide to Zero Trust”) and several compilations and ancillary documents and tools.

Readers interested in specific executive-level perspectives on zero trust may wish to explore the other publications in this series: