Headline
How to Win at Cyber by Influencing People
Zero trust is a mature approach that will improve your organization’s security.
Source: Alexander Yakimov via Alamy Stock Photo
COMMENTARY
Knowing you would like to implement zero trust and actually implementing it are two different things. That’s at least in part because zero trust is not a single solution one can install and walk away from. Rather, it’s an approach to IT and security that emphasizes validating every connection, whether it’s user to app, app to app, or process to process. The advantages are clear though: a reduced attack surface; lateral movement across a network by attackers is prevented; and each and every access to any corporate resource is granted on a per-request basis.
In short: Never trust, always verify.
Many of the challenges associated with a large initiative like zero trust are not technical issues, but rather relate to driving change. There are significant interpersonal and organizational components to adopting this approach that must be carefully considered. Over the course of my career — most recently as chief technical officer (CTO) for GE and Synchrony Financial — I had the opportunity to work on many “big word projects,” including AI, cloud, and of course, zero trust. What follows are some of my top tips for ensuring you win at cyber by influencing key stakeholders within your organization.
How to Win at Cyber in Five Easy Steps
1. Organizational Partnership
Zero trust is a team sport. Successfully executing a zero-trust transformation requires understanding all the personas involved and aligning on intended outcomes.
- The CTO is focused on the infrastructure: design, maintenance, configuration, execution, and tech strategy.
- The chief information security officer (CISO) knows and owns the security strategy, security execution, and monitoring.
- The chief information officer (ClO) is focused on the technologies and applications of the organization, overseeing the people and process aspect of transformation and day-to-day operations.
- The risk leader confirms the technology group is covering all the risks to the organization and end consumer.
Bringing the CTO and CISO together on a common goal of zero trust and then inviting the risk leader along on the journey is a huge step in your success. Establishing a rhythm of these leaders with the CIO brings it all together. These roles might be slightly different in your organization, but understanding each stakeholder’s role and connecting them before the project begins is key.
2. Communication and Board-Level Metrics
Once key leaders are aligned behind your zero-trust initiative, you need the backing of your board. This won’t be accomplished by lengthy, wonky discussions of the underlying technology you hope to implement. Instead, boards want to understand your organization’s risk exposure, and how you intend to manage it.
The ability to demonstrate a comprehensive risk score is a powerful asset for establishing a baseline and reporting on progress over the course of what is likely to be a multistep, multipronged zero-trust deployment journey. Once you’ve established this score, continue to revisit it along each phase of your initiative to demonstrate maturity backed by real-world data from your environment.
3. Phased Deployment Plan
It’s no accident we speak about zero trust as a journey, one that rarely unfolds along a straight line. Transformation initiatives often begin in response to a stimulus — implementing a VPN replacement or incorporating a new acquisition into existing IT systems, for example — and then maturing over time.
One thing is critical, though: Develop a plan that incorporates individual use cases into an overarching strategy for deployment. A phased deployment allows stakeholders to avoid the feeling of needing to “accomplish” zero trust overnight. The first project will doubtless be the most difficult; it gets easier from there.
4. Pragmatic Technical Deliverables
Throughout my career I have encountered a number of CIOs with impeccable strategic instincts who nevertheless struggle to translate them into pragmatic deliverables. When we’re dealing with complex, sometimes nebulous concepts like AI, the cloud, or zero trust, it’s easy to get lost in the weeds.
It’s critical that tactical actions like a VPN replacement are framed in terms of the business problems they solve. I return to the VPN example because it is a perfect illustration of enhancing security and the user experience, making it a model IT solution for a business issue. Users become more productive and benefit from a smoother experience, the opportunity for lateral movement is reduced, and cost savings are likely to accrue.
5. Fix the Basics
It may sound simple, but it’s a critical point that I have often seen overlooked. Tackle the low-hanging fruit, or threat actors will do it for you. So, what are the basics? Phishing not only remains the number one threat vector facing most organizations, it’s also only solvable by creating a culture of security within your organization. I don’t mean in terms of high-tech solutions, but by fostering basic cybersecurity literacy organization wide. With the advent of AI-assisted pretext creation, this will only become more critical in the near future.
Zero trust is a mature approach that will up-level your organization’s security. If you haven’t yet started out or if you are simply looking for a more complete implementation, I hope you find this advice useful.
Don’t miss the latest Dark Reading Confidential podcast, where we talk about NIST’s post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!
About the Author
Former CTO of GE & Former CTO of Synchrony Financial
Greg Simpson is an experienced technologist, having been CTO at numerous GE businesses, and GE overall. As CTO of Synchrony, Greg first launched the foundational infrastructure to support its IPO and then drove a transformation built on a strategic technology stack that was built on the cloud, a new data lake, application APIs, and AI, enabling faster solution delivery for Synchrony customers. He also was instrumental in its transformation to a work-from-home culture during the pandemic, Greg was named a Premier 100 Technology Leader by Computerworld in 2016. Greg recently published his first a techno-thriller novel called The Quantum Contingent. His follow-up novel, Quantum Time, is coming out later this year.