At the heart of a zero-trust strategy is rethinking how companies approach security, from who is involved to what the goal is.
“Zero trust is a strategy designed to stop data breaches and then thwart other cyberattacks,” said John Kindervag, senior vice president, cybersecurity strategy at ON2IT, who is often considered the creator of zero trust.
In most cyberattacks, the goal is to exfiltrate some sort of sensitive data, and zero trust is a framework for designing a system where that won’t happen.
The basis of a zero-trust strategy is to force security decision makers to step back and think more like CEOs – or involve CEOs themselves.
In many organizations, IT teams in general and security teams in particular have been so separated from business management that they don’t stop, as part of their day-to-day responsibilities, to think about how their organization makes money.
Security teams often have very narrow scopes of work and focus on meeting compliance requirements rather than thinking strategically about how to actually protect the business.
Businesses must ultimately be pragmatic and cannot simply turn off all communications. When working on projects with companies, the starting point is always to ask yourself what could harm the organization the most if compromised, and start there, according to Leonid Belkind, director of technology and co-founder of Torq, a security automation company.
Top down, no silos
Since zero trust is not about ticking compliance boxes or blindly following established company protocols, but about aligning the security program with business realities, the strategy is often (but not always) adopted first by the leaders and imposed on the security team in a top-down manner.
This is a cultural shift: it moves the security team’s focus from tasks like protecting laptops from malware to ensuring that key business assets are as protected as possible and sit on a zero-trust network.
Success with zero trust must also include restructuring the organization. “If you look at the traditional organizational structure, they’re organized to stay in silos – developers, platform engineers, security teams – and it’s like a relay race where they pass the baton,” said Ratan Tipirneni, CEO of Tigera, a cloud-native application observability company.
“That kind of organizational structure won’t work when implementing those kinds of security models. You should design security policies from the start, even while the code is being built.”
The need for organizational change is one reason Tipirneni believes strong executive leadership is almost always necessary to succeed with zero trust.
Although not everyone interviewed for “Trust No One and Automate (Almost) Everything” said executives should be the champions, Kindervag and Belkind agreed that there is often high-level involvement in moving to zero trust, and involving executives and aligning security with business interests is critical.
Often, security managers are reluctant to make changes because they fear being blamed for disruptions. It’s possible to dramatically improve zero-trust maturity without disrupting normal IT operations, but the key is incremental improvement.
Start with something that is absolutely essential. “If we are a bank, we could protect the SWIFT gateway,” Kindervag said, referring to the secure cross-border payment and financial messaging system.
“It’s a manageable project, unlike if I say, ‘We’re going to turn the whole network into zero trust,’ everyone is just going to say, ‘How can we do this?’”
Security experts talk about “trust” (trusted users, trusted devices) and design security programs that assume that certain humans and computers are “trusted” by default.
But, Kindervag noted, “trust is a human emotion that has been injected into digital systems for no reason.”
He gave the example of infamous data leakers Edward Snowden and Chelsea Manning for how the trust model fails to protect digital assets, as well as highlighting the role that identity management should play in zero-trust systems.
In both cases, Snowden and Manning — a former National Security Agency computer intelligence contractor and a former US Army soldier, respectively — were “trusted” users, using “trusted” devices, who were able to bypass powerful authentication systems and who were allowed to access information they should never have had access to and download that information.
Going from a scenario where there might even be a trusted user to one where, by default, all users are denied unless they have a reason to access the data in question is both a technical challenge and a fundamental philosophical/strategic change. Both are the key to zero trust. Considering that, as a 2022 survey by strongDM indicated, 65% of companies use shared connections, that’s a pretty hefty cultural lift.
The main takeaway is that zero trust is a strategy, a philosophy, an architecture – not a tool or a technology. There are tools that will help you implement zero trust, but effectively implementing zero trust requires more than buying software.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Torq, Tigera.