While the cyber threat landscape remains daunting, the rise in awareness and adoption of zero trust serves as an important source of optimism in the security community.
Gregory J. Touhill
CISM, CISSP, Brigadier General (ret.), ISACA Board Chair
It is easy to be disheartened by the barrage of cyberattacks experienced across industries and affecting organizations of all sizes and in all sectors. Supply chain vulnerabilities, the ransomware scourge, and navigating the growing remote work landscape have combined to make this an especially difficult year for many security leaders.
When you add the challenges wrought by the pandemic and the “Great Resignation,” it is easy to feel that we are losing ground in a hopeless effort to secure our information.
Despite these challenges, let’s not lose sight of the security progress that is being made, with rising awareness and adoption of the zero trust security strategy representing a leading cause for optimism about the future. Zero trust is a new hope.
Reason for hope
Zero trust is a security strategy requiring all users to be authenticated, authorized, and continuously validated before being granted or keeping access to applications and data. Zero trust is the starting point, not the destination of the journey.
High-profile attacks such as SolarWinds, Kaseya, and so many others over the past year are accelerating the implementation of zero trust — in both the public and private sectors — because they underscored widespread supply chain vulnerabilities.
Cybersecurity is about people, processes, and technology. If you rely on tools alone, you’ll never sufficiently buy down your risk. Zero trust is a worthy strategy because it is not just focused on technology — it is based on each of those elements. Employing a zero trust security strategy reduces risk by taking the “blast radius” of a successful cyberattack down from the entire enterprise to the compromised asset.
Data-centric
While many people claim identity is the focal point in implementing zero trust, that’s not the reality. More and more organizations going through their zero trust journey find that taking a data-centric approach to zero trust leads to greater success.
The objective of the strategy is that you only see the data you are authorized to see and nothing else. As a consequence, you have to know your data (all of it!), define the conditions and entitlements necessary to access it, then apply appropriate identity and access management controls.
I contend that gaining and maintaining positive control of your data is the most expensive — in both time and resources — part of the zero trust journey. Sadly, one of the things I see through my research is that many organizations don’t have a firm handle on what kind of data they have, where it is, and the data’s value.
When an organization wants to determine its path forward to improve its cybersecurity posture, Step 1 has to be creating an inventory of its data. Many of the best practices in cybersecurity — and zero trust is an increasingly important example — rely on those accurate data inventories. It’s also important to bear in mind that not all data is equal and deserving of the same protection.
Executive order
The recognition of zero trust as an imperative in countering cyberthreats was further validated by its prominent placement in President Joe Biden’s recent Cybersecurity Executive Order (EO). I was pleased to see the inclusion of initiatives that we had been promoting when I was in service as the U.S. Federal CISO, such as zero trust and setting up a cybersecurity review board so we could take a disciplined approach to looking into significant cybersecurity incidents, as we would with an airplane disaster.
The EO also creates a standard playbook to be used not only in cyber-defense responses but also to inform our cyber exercises, which makes us more proactive than reactive. These and other worthwhile initiatives as part of the EO inspire confidence that we are making progress in improving our government information systems, and that nearly all government actions can also be effectively applied in the private sector.
Cybersecurity and data management must be top of mind for all organizations in today’s world. The impacts of cyberattacks can be grave, with damage to organizational reputation, financial harms, and supply chain disruptions the most glaring concerns for security professionals, according to ISACA’s 2021 State of Cybersecurity report.
Enterprises need to have a strategy in place that allows them to be resilient enough to absorb a punch and keep on going. It’s become clear that a data-centric, zero trust strategy is an integral part of security teams demonstrating due care and due diligence, enabling their organizations to contend with a daunting range of cyberthreats that otherwise will continue to wreak havoc.
The time to implement zero trust is now. As the Department of Defense CISO recently said, “Zero trust is the only solution out there right now that gives us a fighting chance.”