Tenable Blog

How to Talk to the Board About Zero Trust

Framing zero trust as a cybersecurity strategy for reducing business risk is a surefire way to get your executive leadership to take notice.

It's no secret that CISOs and other cybersecurity leaders struggle to communicate with executive management and boards of directors in a language they can understand. Business leaders naturally want to discuss cybersecurity in business terms. For many infosec leaders, learning how to "speak business" is akin to learning a second language; they're much more comfortable talking in tactical and technical terms. 

But there's more to the story. In my experience, board members and C-level business executives oftentimes allow ego to circumvent common sense. They've risen to their current lofty positions thanks to their unique blend of knowledge, talent and ambition. They're driven to be seen as the smartest person in the room at all times. And some think rules don't apply to them. So, what happens when a cybersecurity leader walks into a board meeting spouting technical jargon unfamiliar to these captains of industry and dares to suggest that their own behavior might be part of the problem? It solidifies a longstanding bias among executive leaders toward viewing cybersecurity as an inhibitor to the business. 

What if you could, instead, frame the discussion as a grand strategy articulated in one simple goal: to stop data breaches? Such framing would enable you to engage business leaders on a strategic level using plain language they can easily understand. Frankly speaking, a data breach is the only IT event that can get a CEO or company president fired. Plus, a data breach is the only cybersecurity event that is non-recoverable: you can never get the data back and you can't turn back the clock so that it's as if the breach never happened.

A cybersecurity leader who can articulate a practical plan to stop data breaches will get the time and attention of the board.

The principles of zero trust architecture allow you to do just that. It's a new way of thinking about information security that treats trust as a vulnerability. The model was designed to resonate with the highest levels of the organization without necessarily requiring them to make a significant investment in new tools. And, it levels the playing field, immediately derailing any execs who see themselves as "trustier than thou." A cybersecurity strategy that removes trust entirely from digital systems is, in fact, a great equalizer, one that any proponent of "flat" corporate hierarchies ought to be more than happy to embrace.

Zero trust is built upon the idea that security must become ubiquitous throughout the infrastructure. The model is designed to be strategically resonant at the highest levels of any organization. The concepts of zero trust are simple:

  • All resources are accessed in a secure manner, regardless of location.

  • Access control is on a "need-to-know" basis and is strictly enforced.

  • All traffic is inspected and logged.

  • The network is designed from the inside out.

  • The network is designed to verify everything and never trust.

While the zero trust model represents a significant divergence from the legacy, moat-and-castle approach to network security, it can be implemented by practitioners using commercial off-the-shelf technology. And it's built upon current cyber best practices and sound cyber hygiene, such as vulnerability management, proactive patching and continuous monitoring, already implemented in most organizations today.  

Boards of directors have a major role to play in shaping the future of cybersecurity strategy. Just as the recent Executive Order issued by the Biden Administration made zero trust a strategic imperative for the U.S., so, too, can boards wield their considerable power to elevate cybersecurity as a strategic business priority. Here are eight ways to start:

  • Stop seeing cybersecurity as an inhibitor of business. Having your business systems frozen in a ransomware attack is an inhibitor of business. Cybersecurity must be seen as an enabler of the business if we have any hope of reducing risk.

  • Change the incentive structure. Reward everyone for doing the right thing.

  • Give your cybersecurity experts the same amount of time to present as you give to your executive compensation committee.

  • Create a culture of transparency and drop the blame game. The environment you have was most likely created long before these threats existed. Current employees are dealing with years of decisions made by predecessors over which they had no control. The system is organic. Instead of looking to place blame when bad things happen, reward those who are trying to fix the problems before bad things occur.

  • Incentivize and reward those who are earnestly trying to fix the problems. And give them the time and support they need to do so.

  • Demand all CISOs report to the CEO, not to the CIO. This gives executive leadership an unvarnished view of the organization's cyber risk. 

  • Consider increasing the budgets for cybersecurity. If only 5% to 10% of your technology budget is going to cybersecurity, you're probably not doing enough.


Addressing today's cybersecurity challenges requires changing the ways we think about the problem at all levels of the organization. It requires as much commitment on the part of boards of directors and C-suite executives as it does from the rank-and-file admins who work tirelessly and against significant headwinds to protect sensitive data and reduce risk.

John Kindervag, senior vice president of ON2IT, is a guest contributor to the Tenable blog.
