
Security leaders shed light on their zero trust journeys – Source: www.csoonline.com


Most CISOs recognize the improved security posture zero trust will bring. But cultural and technological changes make for an arduous path that takes business savvy and technical acumen to navigate.

Zero trust has become a bellwether for access management across the security industry. But while security chiefs have by and large embraced the approach — founded on the philosophy that no person or computing entity should be trusted inside or outside the organization’s network — not every organization has completed its journey.

Nearly two-thirds (63%) of organizations worldwide have implemented a zero-trust strategy to some extent, according to a 2024 survey from research firm Gartner. Many of those (58%), however, are just starting on this path, with less than 50% of their environments covered by zero trust.

“The majority of organizations have a strategy in place,” says John Watts, vice president analyst and key initiative leader at Gartner. But, Watts notes, many security leaders are still just piloting the enabling technologies and building out the necessary architecture as they work to overcome roadblocks.

To help you better understand the components, complexities, and challenges that come with such an undertaking, security chiefs share their experiences on the road to zero trust.

Getting the business to embrace change

For Mary Carmichael, the zero-trust journey is as much about changing culture as it is about evolving an organization’s security infrastructure.

Carmichael, who was hired two years ago as a consultant at a Canadian regulatory agency, saw right away the need to improve the agency’s security posture, which included many remote workers handling sensitive data, much of which was provided by the entities it regulates.

The agency, like many organizations, had a security infrastructure that for the most part trusted entities — people, devices, and applications — once they were within the tech environment, Carmichael says.

“It was: Once you log into the network, you’re trusted. But zero trust is about validating all along the way. That is a big change,” says Carmichael, director of strategy, risk, and compliance advisory at Momentum Technology and a member of the Emerging Trends Working Group at professional governance association ISACA.

The agency had a base-level identity and access management (IAM) capability but neither multi-factor authentication (MFA) nor privileged access management (PAM) in place — two key technologies involved in zero trust architectures. It also did not have the tools to track an entity’s movement within the environment so there was no way to challenge an entity’s access to every system it tried to use, Carmichael says.

And while the agency at one point had created identities and paired them with appropriate levels of access, it had experienced “access creep, because there was no governance and, when people left the organization, there was a delay in getting people out of the identity management system,” Carmichael explains.

But to begin tackling the agency’s security posture, Carmichael first had to provide stakeholders a shared definition of zero trust and a persuasive reason for investing in the required work. Only then could she educate the agency on the technological pieces necessary to create zero trust, such as network segmentation, PAM, and MFA, and the process changes that would be needed to enable it.

Nick Puetz, managing director in charge of the cyber strategy practice at consultancy Protiviti, says Carmichael’s journey mirrors that of most organizations, which often have various components of zero trust in place before they formally adopt the approach, but not working in concert. Using a zero-trust framework can help.

“It’s a way to bring all the moving parts together,” he says.

As Carmichael moved the agency along its zero-trust journey, her top hurdle was getting the business to embrace change.

With zero trust, business leaders and HR have significant work to do around creating and governing identities and establishing the appropriate level of access for each identity, Carmichael says. And they have to take responsibility for getting that work right — and governing it on an ongoing basis.

That’s an organizational change, she emphasizes, which is why organizational change management and senior-level sponsorship are critical for a successful shift to zero trust.

Focusing on “value at risk,” meaning what would happen if hackers accessed sensitive data, to create urgency for change helped drive support for zero trust among her business stakeholders. So, too, did education and training, Carmichael adds.

“Moving to zero trust involves so many different groups and process changes and people. I don’t think people are aware of the extent of the needed changes when it comes to zero trust,” she says.

Balancing usability with security

When Niel Harper was CISO at the United Nations Office for Project Services, he faced a daunting task: ensuring security for an organization with 8,000 users spread across the globe, many of whom worked out in the field far from its offices in Copenhagen, Geneva, and New York City.

In response, Harper launched the organization on its zero-trust journey during his 2019-2022 tenure.

Like Carmichael, Harper started by examining the organization’s network, devices, applications, workloads, data, and identities to understand where granular controls could and should be placed. He also had to determine, based on business objectives and critical assets, what technical components and process changes would be needed to move from implicit trust to zero trust.

“Let’s define our crown jewels; those are typically 2% to 10% of your data or assets. Identify them and classify them — critical, high value, confidential, strictly confidential. That gives you a better idea of what you want to protect,” he says. “Then look at the technology investments that best align with those objectives you defined to get a prioritized set of assets you want to protect.”

Harper also took time in advance to identify quick wins and areas where zero trust might not be feasible — such as with legacy tech.

In implementing his strategy, Harper took an incremental approach.

“I don’t think zero trust is well suited for a big bang; it’s too disruptive,” he says, adding that he convened user groups early in the journey.

“A zero-trust architecture introduces additional friction, because it’s continually verifying people’s access, who they are, their permissions, and that friction can be frustrating for users,” he says. “So we had focus groups and cross-functional teams from the business with representation from users, so we could explain our objectives and [users could share] their pain points and concerns, so as we implemented controls, we could still have a strong user experience. You don’t want to degrade the quality of experience for users. You always have to balance usability with security.”

To move forward, Harper’s team first implemented controls in the offices, starting with those quick wins. Those included implementing MFA and technology to enforce conditional access.

Harper then devised a roadmap that would address more complex implementations that could continue after he left the organization.

Harper, who is now CISO and global data protection officer at software company Doodle as well as ISACA board vice chair, says he is taking a similar approach as he advances a zero-trust model at his new company.

‘People, process, and systems coming together’

A 2021 hack put OHLA USA and its CIO, Srivatsan Raghavan, on the zero-trust journey. The incident, Raghavan explains, highlighted the fact that the security measures that had been in place “collectively put together were inadequate.”

“We went through several years where we had no incidents at all, so we thought we were doing something right. I wouldn’t call it overconfidence, but it was a feeling of validation,” Raghavan says.

The breach challenged that validation and gave the company “a stepping stone to do better, because with zero trust, there is a belief that [security] tools are not enough. It’s people, process, and systems coming together.”

Raghavan, who oversees security, and his team started with self-examination: “We had to think about how we were operating on a daily basis. You put all that on the table, and you reflect on it.”

He says that showed him the need to add more controls — as is typically the case for an organization as it builds a zero-trust security environment — as well as the need to break down siloes.

“We had to destroy all those siloes in the organization for IT to become a better IT team and have a better understanding of the whole business,” he says.

To help with that, Raghavan created a framework by combining ones from the National Institute of Standards and Technology (NIST) and Microsoft. His custom framework enables his team to bucket and tackle projects as they advance the company’s zero-trust journey. And the framework helps them evaluate how well the company does with identifying, protecting, detecting, responding to, and recovering from potential intrusions and incidents in specific areas.

Puetz, the Protiviti managing director, says many organizations find value in zero trust for similar reasons. “Zero trust allows CISOs to break their strategy into bite-size pieces and to explain where the cybersecurity program is and where it needs to go,” he adds.

Raghavan has made significant progress in maturing his zero-trust program.

For example, he eliminated the use of a wide-area network (WAN) and replaced it with cloud-based controls including an always-on VPN, a mobile device management (MDM) solution, MFA, and conditional-access capabilities.

He also dropped titles such as server manager and network engineer, saying “we didn’t want those buckets anymore,” and shifted to senior technologist and junior technologist to break down siloes.


Original Post url: https://www.csoonline.com/article/3965399/security-leaders-shed-light-on-their-zero-trust-journeys.html

Category & Tags: Data and Information Security, Identity and Access Management, IT Strategy, Zero Trust
