Strategies for cultivating a supportive culture in zero-trust adoption

In this Help Net Security interview, Wolfgang Goerlich, Advisory CISO at Cisco, discusses the benefits of implementing a mature zero-trust model for both security and business outcomes, revealing a decrease in reported security incidents and enhanced adaptability.

Goerlich emphasizes the role of organizational culture in successfully adopting zero trust, outlines strategies for cultivating a supportive culture, and talks about future trends in the evolution of the zero-trust model.

What are the measurable benefits of implementing a mature zero-trust model regarding security and business outcomes?

Good security first delivers a business outcome and, as a result, then increases the security posture. When we research outcomes, we look to those around enabling the business, managing risk, and increasing operating efficiency.

Organizations maturing their zero-trust programs are doing so in support of digital transformation, workforce modernization, and adopting hybrid cloud infrastructure. We’ve seen measurable increases in the security function’s ability to keep up with the business, adapt to external events, and create a security culture.

Specific to security, organizations maturing zero trust are half as likely to report security incidents (dropping 67% to 33%). The likelihood of incidents across the board decline, from a data breach, DDoS attacks, accidental disclosure, or malicious insider. Ransomware is significantly less likely given zero trust’s identity controls (11% decrease) and network and workload protections (8% less likely). We see fewer incidents, the severity is lesser, and the speed of response and recovery is greater.

How influential is organizational culture in successfully adopting zero trust, and what strategies should leaders employ to cultivate a supportive culture?

Culture and relationships are significant drivers for successful programs. In the previous year’s study, we found organizations with mature zero-trust programs were twice as likely to report strong relationships with their executives, their peers, their directs (as measured by retention), and their business partners (as measured by security culture). We see similar correlations in this recent study. Strong relationships lead to good programs, leading to stronger relationships and better security programs.

Security leaders should take a three-pronged strategy. First, invest time in cultivating stakeholders and sponsors. Second, find opportunities to collaborate with their peers. Finally, leverage and strengthen the security champions and security advocates program. This will position leadership well for maturing zero trust, but it doesn’t end there. Down the chain, there also needs to be relationship building between IT, security, and business functions. It begins with the CISO and CIO on the same page to kick the work off. But it doesn’t end until the front-line security professional can contact the network admin and get the work done.

What role does securing the IT stack play in a mature zero-trust model, and how should companies approach this?

This study researched zero-trust capabilities for identity, device, network, workload, automation and orchestration. These capabilities align with the CISA zero-trust maturity pillars. The zero-trust model uses policy to extend or revoke a trust boundary when a person or service connects to an application or resource. To be effective, this policy enforcement is across the IT environment and up-and-down the IT stack. This includes directories and identity providers, device management, firewall and networking infrastructure, software development tooling, and more.

While 86.5% of organizations surveyed have embarked on zero-trust programs, only 2% of organizations have achieved maturity across all zero-trust pillars. Why? There are many reasons, but certainly, IT complexity and a lack of engagement from IT owners are contributing factors. Successful programs embed zero-trust principles in the IT stack, leveraging relationships between security leadership and IT leadership.

How do integration and automation drive the maturity of zero-trust implementations, and what are some best practices for achieving this?

This was a surprise from this year’s study: organizations using Security Orchestration and Automated Response (SOAR) are more likely to report having zero trust in place (13.7%). We’re seeing a shift in how the industry defines zero trust. Now we still have a long way to go in order to see automation widely deployed, with 47% of organizations not yet started on the capability and only 15% of organizations reporting having completed it.

Successful zero trust programs must integrate multiple tools in policy decision and automate multiple systems for policy enforcement. Otherwise, we run the risk of siloed tech stacks, unused functionality, and unrealized benefits. Start by including automation with future-state roadmaps and investigate what functionality the current tooling will support. In addition, security leaders should evaluate new purchases based on integrations, automation, and API features.

How does identity and access management serve as a cornerstone in zero trust, and what are the challenges in implementing effective identity strategies?

Strong authentication, MFA, continues to have strong stopping power against ransomware and supply chain attacks (8% reduction and 4%, respectively.) Yet the phrase “identity is the new perimeter” will send a shiver through anyone who’s had to lead an enterprise identity and access management program. It’s challenging to properly on-board and off-board people, and to provision them across the thousands of applications a typical organization relies upon.

This complexity won’t be going away any time soon. An effective strategy focuses on successfully deploying key capabilities – like MFA, SSO, and RBAC – to a tightly scoped set of people and applications. Then balance usability with defensibility to get out of the way of the user while getting in the way of the adversary.

By deploying a set of high-value security capabilities to a well-scoped high-risk area of the business, security leaders can demonstrate the value of zero trust and position the program for expansion and maturation.

What future trends do you foresee in the evolution of zero trust, and how should organizations prepare to adapt to these changes?

Zero trust has moved beyond the buzzword to be an actionable set of capabilities and a defined architecture. Organizations are taking a standards-based approach by leveraging NIST and CISA guidance.

While many of the early successes were with identity and device security, success in zero trust requires enhancements in networks and workloads. We must avoid zero trust becoming another siloed capability or bolted-on security control. Therefore, organizations should prepare for integration and automation becoming more important.

Security leaders bring capabilities and technologies to bear to solve business problems and deliver business outcomes. Within this context, the future of zero trust is taking its place alongside our fundamental security principles. At every level, at every request, our IT environment must be able to extend or revoke trust to provide access while protecting assets.