Zero Trust: Going beyond an IT-centric view to deliver success
Our world is increasingly relying on digital systems. Yet the IT industry’s concepts for managing the growing complexity, and therefore vulnerability, of critical services haven’t kept pace. This is particularly relevant to cyber security as many organisations struggle to calibrate the controls they’re applying to complex IT estates in a dynamic threat environment.
Protecting your organisation and customers from growing cyber risks will take a nuanced and sophisticated approach to security, and many organisations see Zero Trust – an approach to context-aware, adaptive security controls – as the answer. That’s because it enables greater flexibility in ways of working and opens opportunities for operational efficiencies. It also allows for a more structured approach to defining security controls for complex IT estates.
Many organisations struggle to fully understand Zero Trust (a view supported by a recent survey commissioned by Illumio), but that’s hardly surprising when technology vendors often repackage existing technology capabilities and market them as ‘Zero Trust’, presenting it as a purely technical solution. In a recent survey by Ericom Software, over 40 per cent of respondents believed that vendors ‘market everything as a solution’.
Organisations need to look beyond technology and address more fundamental aspects of Zero Trust, such as Board-level buy-in and creating a strategy that directly supports the business. With such foundations in place, organisations can prepare for, and transition to, Zero Trust and achieve all the benefits it offers.
Set clear business-led strategy and goals
Organisations need to have business and IT strategies that clearly define the need for, and benefits of, Zero Trust.
We see many organisations say they’re aiming for the benefits Zero Trust brings, such as enabling remote working, reducing risks and cutting costs. Yet few firms align Zero Trust objectives with a wider set of business benefits or strategic goals, which makes it difficult to secure adequate investment and buy-in.
To deliver a successful Zero Trust transformation, start by assessing the readiness and maturity of your organisation to support Zero Trust. That means checking your Zero Trust goals align with your business objectives, organisational structure, target operating model and technology strategy. Zero Trust will only succeed if it contributes to the achievement of the wider organisational strategy.
For example, one of our clients wanted to adopt Zero Trust but also wanted to sweat their legacy IT assets to keep down costs. Zero Trust wouldn’t have been effective on their legacy infrastructure, so it wouldn’t have supported their core organisational goals of reducing costs.
Such an example shows why it’s important to work through key business decisions prior to agreeing a Zero Trust strategy. Doing so might show your organisation is already well on the way towards Zero Trust. Or it might highlight that the organisation isn’t yet ready for a complete Zero Trust transformation and needs to do some foundational work first. You might even discover that full Zero Trust isn’t the right solution for you, given your most pressing challenges, so you should focus efforts elsewhere.
Think beyond products to deliver successful business change
Moving to Zero Trust usually requires an IT transformation, but that’s not a purely technical exercise. Organisations need to consider the future operating model and the business change activities. As a minimum, that means focusing on:
- Ensuring core functionality is in place
Zero Trust relies on core capabilities such as identity and access management, service management, security monitoring, asset management and data classification schemes.
- Workforce design
Organisations will need to significantly change the workforce – in terms of both existing and future skills. Cloud skills will be key as cloud services become a primary enabler of Zero Trust ambitions. Firms may need to retrain staff or engage with external partners to deliver expertise.
- Zero Trust service ownership
A successful Zero Trust implementation will need to integrate and underpin the entire IT stack. Finding service owners and technical support teams that can meet the challenge of managing an integrated technology estate is vital. Firms will need to train and develop staff to allow them to flourish in these new roles.
- Business area and workforce engagement
You need to engage staff across the business to align with their expectations of how IT will support them. Zero Trust also needs to be seamless for users and not impact on usability and performance. For example, one of our clients hadn’t accounted for the impact on users of greater latency caused by their implementation of Zero Trust Network Access, so had to halt proof-of-concept work. People are unlikely to use a solution that degrades their experience.
- Success metrics
Programmes delivering Zero Trust must have business-focused KPIs that link to specific technology decisions, such as usability and performance, to ensure success at an organisational level and not just from a narrow technology viewpoint.
Consider technologies that support your vision
With a clear strategy, goals and operating model defined, the transformation programme can start to focus on technology. But you shouldn’t select products in isolation – successful Zero Trust implementations need products that can integrate with each other and the existing technology stack. This is key, as current technical standards for Zero Trust functionality and interoperability are still immature.
You also need to ensure you’re getting quality data from your Zero Trust technologies, so they can support decisions that align to your strategy. We see many organisations struggle to gain good quality data and insights from the technology they deploy, but this is vital to successfully deliver Zero Trust benefits. So, make the ability to collect quality data a requirement for technology procurement.
Zero Trust holds great promise for resolving long-standing security issues for organisations. So firms need to make sure they have the right strategy, capabilities and knowledge in place before they start the journey to delivering Zero Trust successfully.