How to Talk to Your Boss About Zero Trust

A recent Executive Order from the Biden Administration put zero trust architecture in the spotlight. When your top execs come asking about it, here's what you need to know.

President Joseph R. Biden's May 12 Executive Order on Improving the Nation's Cybersecurity brought renewed interest in zero trust architecture, the ripple effects of which are just starting to be felt in government and private sector organizations around the world. 

The principles of zero trust, first introduced by then-Forrester analyst John Kindervag in 2010, require rethinking the trust-but-verify model upon which so much IT infrastructure has been built. It calls for viewing trust as a vulnerability instead and posits that we remove the notion of trust from digital systems entirely. With ransomware attacks on the rise, the software supply chain compromised and the attack surface growing exponentially, it's clear that a new approach to cybersecurity is in order. If your executive leadership hasn't yet come around asking about your plans for zero trust, we assure you it's only a matter of time.

With misperception about zero trust running rampant, here are five things your boss needs to know about zero trust:

1. Zero trust is a strategy, not a SKU. In most organizations, it can be implemented using existing off-the-shelf cybersecurity products. There is no single zero trust product your organization can purchase and plug in to transform your risk posture overnight.
2. Zero trust requires a foundation of strong cyber hygiene. As the National Institute of Standards and Technology (NIST) guidelines make clear, you can't build a zero trust strategy without first having accurate visibility into all of the organization's assets — including IT, cloud, operational technology (OT) internet of things (IoT).
3. User profiles matter more than ever. A zero trust strategy requires you to continuously monitor all users all the time. Tools such as Active Directory, which are used to manage user profiles and privileges, must be continuously monitored and kept up to date. 
4. No one is trusted — no exceptions. This may not please the CEO or other C-suite executives, who can sometimes behave as if the rules don't apply to them. Brushing up on your diplomatic skills is advised. 
5. Zero trust requires thoughtful change management. There are people throughout the organization who have built their careers on the legacy cybersecurity principles of moat-and-castle and trust-but-verify. They may be threatened or feel that their jobs are in jeopardy if they aren't engaged in the zero trust buildout from day one.

The bottom line? It won't happen overnight. Zero trust as a concept is simple to grasp. What makes it complex to implement are the same factors that make any cybersecurity strategy complex: the unique mix of process, procedure, education and technology found in your IT infrastructure. It's best to start small and roll out from there, rather than trying to boil the ocean. 

Cybersecurity in a world without perimeters

As organizations around the globe emerge from pandemic lockdown and embrace a hybrid model that allows working from home to be as seamless on premises, it's clear that the legacy approaches to cybersecurity are no longer in order. A successful zero trust journey requires executive support and buy-in from all areas of the organization. It's not something cybersecurity leaders can execute in a vacuum. It's a strategic decision that will ultimately change the way every employee in the organization uses technology, reducing risk every step of the way. 

Learn more

• Visit our web page: Rethinking Your Security with a Zero Trust Approach
• Read the blogs:  How to Talk to the Board About Zero Trust | The Path to Zero Trust: Is it Time to Rethink What We're Calling A Vulnerability? | Tenable and the Path to Zero Trust
• View the on-demand webinar: Security Beyond the Perimeter: Accelerate Your Journey to Zero Trust