Our world is increasingly reliant on digital systems. Yet the IT industry’s concepts for managing the growing complexity, and therefore vulnerability, of critical services haven’t kept pace. This is particularly relevant to cyber security as many organisations struggle to calibrate the controls they’re applying to complex IT estates in a dynamic threat environment.
Protecting your organisation and customers from growing cyber risks will take a nuanced and sophisticated approach to security, and many organisations see Zero Trust – an approach to context-aware, adaptive security controls – as the answer. That’s because it enables greater flexibility in ways of working and opens opportunities for operational efficiencies. It also allows for a more structured approach to defining security controls for complex IT estates.
Many organisations struggle to fully understand Zero Trust (a view supported by a recent survey commissioned by Illumio), but that’s hardly surprising when technology vendors often repackage existing technology capabilities and market them as ‘Zero Trust’, presenting it as a purely technical solution. In a recent survey by Ericom Software, over 40 per cent of respondents believed that vendors ‘market everything as a solution’.
Organisations need to look beyond technology and address more fundamental aspects of Zero Trust, such as Board-level buy-in and creating a strategy that directly supports the business. With such foundations in place, organisations can prepare for, and transition to, Zero Trust and achieve all the benefits it offers.
Organisations need to have business and IT strategies that clearly define the need for, and benefits of, Zero Trust.
We see many organisations say they’re aiming for the benefits Zero Trust brings, such as enabling remote working, reducing risks and cutting costs. Yet few firms align Zero Trust objectives with a wider set of business benefits or strategic goals, which makes it difficult to secure adequate investment and buy-in.
To deliver a successful Zero Trust transformation, start by assessing the readiness and maturity of your organisation to support Zero Trust. That means checking your Zero Trust goals align with your business objectives, organisational structure, target operating model and technology strategy. Zero Trust will only succeed if it contributes to the achievement of the wider organisational strategy.
For example, one of our clients wanted to adopt Zero Trust but also wanted to sweat their legacy IT assets to keep down costs. Zero Trust wouldn’t have been effective on their legacy infrastructure, so it wouldn’t have supported their core organisational goals of reducing costs.
Such an example shows why it’s important to work through key business decisions prior to agreeing a Zero Trust strategy. Doing so might show your organisation is already well on the way towards Zero Trust. Or it might highlight that the organisation isn’t yet ready for a complete Zero Trust transformation and needs to do some foundational work first. You might even discover that full Zero Trust isn’t the right solution for you, given your most pressing challenges, so you should focus efforts elsewhere.
Moving to Zero Trust usually requires an IT transformation, but that’s not a purely technical exercise. Organisations need to consider the future operating model and the business change activities. As a minimum, that means focusing on:
With a clear strategy, goals and operating model defined, the transformation programme can start to focus on technology. But you shouldn’t select products in isolation – successful Zero Trust implementations need products that can integrate with each other and the existing technology stack. This is key, as current technical standards for Zero Trust functionality and interoperability are still immature.
You also need to ensure you’re getting quality data from your Zero Trust technologies, so they can support decisions that align to your strategy. We see many organisations struggle to gain good quality data and insights from the technology they deploy, but this is vital to successfully deliver Zero Trust benefits. So, make the ability to collect quality data a requirement for technology procurement.
Zero Trust holds great promise for resolving long-standing security issues for organisations. So firms need to make sure they have the right strategy, capabilities and knowledge in place before starting on the journey to deliver Zero Trust successfully.