It’s All Geek to Me: Communicating The Business Value of Zero Trust
- It's All Greek to Me, Communicating the Business Value of Zero Trust. And I'll hand it over to Jason. - All right, thank you.
And it's all geek to me, so we got our little pun in there. I think we were pretty proud of ourselves for. (panelists laugh) So I'm Jason Garbis, I'll be moderating this, this rag tag bunch of Zero Trust experts.
Professionally, I am a principal and founder at a company called Numberline Security. It's a consulting firm I founded to help enterprises prepare for, define, and execute on effective Zero Trust strategies. I'm also co-chair along with Chris and Jerry of the Cloud Security Alliance Zero Trust working group.
And I think we're probably violating the business continuity rule by having us all in the same place. - You have no idea. - Right, right, yeah. (all giggle) - That is for sure. - Jerry and I wrote a book on Zero Trust Security, and I recently published another one on that about getting started with Zero Trust.
I'm gonna let each panelist briefly introduce themselves. If anyone gets confused, Megha is the one without the beard. - That's me. (Jason chuckles) Hi everybody. (all giggle)
- So let's do that and then gotta dive into it. Jerry, why don't you start, we'll go from right to left. - Sure, so I'm Jerry Chapman.
I'm a Chief Identity Officer at an identity company called Fischer Identity. I've been doing identity for well over 20 years. Jason and I met about seven years ago, and that was about the time I started really getting interested in Zero Trust and the last, my former employer, I spent a lot of time building the Zero Trust message around that.
It's a cybersecurity firm named Optiv. I spent a lot of time developing messaging and then obviously Jason and I wrote the book and it's been a whirlwind since. And really, this is one of my favorite topics, one of two. You could probably guess the second one, but we'll leave it there.
- Hi everybody, my name is Megha Kalsi and I'm a director in AlixPartners Cybersecurity practice. And I've been doing cybersecurity consulting my entire career and throughout my career in consulting have helped many organizations across various different industries, shapes, sizes, improve their security posture. And one of my, you know, as you go through consulting, you develop specializations. And one of my specializations as a Zero Trust strategist is to, and passion, is to help companies figure out what Zero Trust means to them, because Zero Trust means something a little different to everybody.
And help them uncover what that is, what it means to them, where they fall in their maturity model of Zero Trust and help them strategize, develop that roadmap to make those incremental changes, right? And to help them through that process. So that's what I most enjoy doing and I'm really excited to be here and share that with you. - I'm Chris Steffen. I'm here to talk to you about the last episode of Star Trek Picard (audience and panelists laugh) or the Mandalorian. I'm happy to talk about either, and if you want to talk about Zero Trust, we can do that as well.
I am the Vice President of Research for Information Security at Enterprise Management Associates. I obviously cover the whole gamut of information security, but I have been covering Zero Trust for a long, long time. I've worked obviously with both Jason and Jerry at points in our illustrious careers.
And it really is kind of an exciting thing. In fact, I actually did a session on the floor a couple days ago that talked about Zero Trust not being just a buzzword. Part of it is understanding what it actually means.
It's not a project, it is a journey, but really taking and embracing the idea of Zero Trust to even incrementally improve your security strategy. So I know we're gonna talk about a lot of those things during our panel today, but I am really excited to be able to kind of promote and get the idea of Zero Trust out into the world and hopefully with greater acceptance and understanding of what it really means. - Great, thank you all for the intros and. - Star Trek Picard and Mandalorian. (audience and panelists chuckle) - No, spoiler alerts.
- Yeah. - No spoilers. So most of us here, I would say probably all of us are security practitioners, security experts. And we know when we love security and we can talk about it all day long. And I think we all view expertise in this domain as a character strength, but in some ways it can actually be a weakness because when we are trying to do things inside our organization, sometimes we're not speaking the same language as other stakeholders. And good lord, we can talk all day long about MFA, micro segmentation and things like that.
And we think it's really interesting and it is interesting, but it's not interesting to the people on the finance team necessarily, or the HR team or running the manufacturing, et cetera. A Zero Trust strategy properly done really requires cross-department, cross-functional integration and collaboration because ultimately we'll cut to the chase here, right? That it needs to be a business driven initiative that delivers business value, not just security value. And as much as it may pain us to understand this, the inherent security value of doing things like this is not gonna be important to many of the other stakeholders in the organization. And that's why we're talking through this to help everyone get armed and educated so we can communicate what the business value of a Zero Trust strategy is.
Now, let's very briefly give each of you a moment to talk about and define Zero Trust. And the reason I wanna do that is it's gonna tie into both the technical value and the business value. And I'm gonna be a little bit reckless and let Chris go first. (panelists chuckle) - We're all done now, okay? (Jason chuckles) I'll start out with the most basic definition that everybody talks about, and that's trust no one, right? Trust but verify. And it's so much more complicated than that.
When you look at Zero Trust in general you can take and come up with a marketing phrase and that's fine. I'm not going to bash any of the marketers out there, but it really is that philosophy that encompasses identity, device, the users and the network to truly, and data, to try to understand how to best allow an accessible and available network while minimizing your risk. So you can build upon that definition, that definition is relatively inclusive and you can make it more exclusive depending on your particular environment. But the reality of it is, is that if you encompass those five pillars, you at least are going down the right path for your Zero Trust journey.
- Thank you. - So I can go next. So for me, I guess Zero Trust, it's really a set of architectural principles and they're data centric and it utilizes really a risk based approach to access an identity in my mind. So I know that's a lot, but in reality that definition touches upon all those different core elements, right? That Chris was talking about.
We're talking about data centric, so data security, we're talking about access and least privilege, so access control, we're talking about architectural guidelines, which really lend to that network piece that even portions of application endpoints and so on. And the risk based piece is that black box that most people consider and is probably one of the most important, I would say, pieces. So that's kind of how I would define it. - Obviously, those are all very awesome definitions. And typically when I talk about Zero Trust I want to take it even simpler.
I wanna make it even simpler because everything they said is exactly right. But I talk about three words. I talk about identity, who's doing what? I talk about the integration of security controls, and then I talk about risk. Those three words in any Zero Trust or I should say, in every Zero Trust conversation is important.
And it doesn't matter if you're talking about data, if you're talking about applications, if you're talking about endpoints, infrastructure, all those things, those three words have gotta be the core part of that conversation and it simplifies it. And it just really takes all the stuff out of it. 'Cause I think (Jerry chuckles) Jason and I, when we wrote the book, we literally wrote a paragraph to define Zero Trust. So you can do that and we've all done it, but just keep it very simple and understand, right? It is a, I'm sorry? - [Speaker 1] Can you repeat the three words? - Identity, security, risk. - Yep. - It is a program or it's a paradigm and the last thing I will say, you never end this thing because the point is your cybersecurity program never ends.
That's why there's no end in sight, 'cause your cybersecurity program always changes. So it's a thought process, it's a mindset in those three words. And I'll leave it there 'cause I'd like Chris to go through all of us.
- I'll share too, 'cause I've done research on this. And so out of the research that I've done, 17% of the people have not started a Zero Trust project for the very simple reason that they couldn't find a definition that meshed with what they want to do. And that's the people in this room. Who's implemented Zero Trust in here? No, no, go ahead, raise your hands, please. Who wants to implement Zero Trust in this room? Who's scared to death to implement Zero Trust in this room? Right. (audience and panelists giggle) Okay, and so part of the inherent barrier to Zero Trust in general is that this massive hero draconian project that's going to wipe us all out and kill us all.
And one of the things that no matter what definition you choose to accept, you have to remember that we're probably making things overly complex. - Yep. - And it's. - We love doing that. - We do, right? And as IT people, as security people, we look for complexity in everything.
And it doesn't have to be that way. So if I leave you with anything from the definition portion of our conversation, don't get hung up on the definition. Look at your outcomes, look at your goals, and look at how Zero Trust can help improve those things.
No matter what your goals, no matter what your outcomes are, there is a part of Zero Trust that you're accomplishing. - So let's pull on that a little bit 'cause we're gonna run outta the time otherwise so, (panelist laugh) - That's for sure. - Let's talk about business value. And as part of this, you're not allowed to talk about security, right? What does business value mean? And Megha let's start with you because I know you've had a lot of great interactions with your clients and I know in our prep calls you talked about this is really important, an important part of the upfront. So please start. - Yeah, so business value can, I'm gonna make it really simple for everybody.
It's what the business values (Megha chuckles) and what that means in general, when I think about it, it's one core thing. I see it as two layers. One layer is at the bottom, which businesses value money, right? Green. So whether that is the, is my business growing? Is my business staying consistent? Is the business losing money? Is the business gaining money? So the underlying layer usually is related to money. There's a layer above it actually as well, which are your business objectives, right? And that's what the business values, which are reputational loss. So if I do X, will it impact my reputation thus resulting in loss of money? The other is the operational pieces as well, optimizing operation, right? Am I able to optimize my operations and can I save money as a result of that? So that's how the business is actually thinking pretty much at all times.
And for us to be able to take Zero Trust and tie what we're doing from a Zero Trust perspective and Zero Trust is not really a project, right? It's a series of projects and initiatives that are very purposeful trying to get you from one maturity level to the other and to the other, and taking that information, taking those projects and tying them back to what the business values, right? So. (panelist chuckle) - Listen to what she just said, right? If you take nothing away, Zero Trust is not a project, right here. (Megha chuckles) Listen to her. (panelists chuckle) - I've heard that so much from clients and I'm like, "No." (Megha chuckles)
"It's not a project." So that's really what business value means in my eyes. - Jerry, Chris. - So, I'll always go right? So, (panelists chuckle) if you have a CISO in your organization that CISO will be there for 31 months.
- Right. - That's just the harsh reality. They have basically two and a half years to get into the door, find where the coffee maker is, make an impact.
It's almost always going to be because there's some kind of disaster related to regulatory vendor due diligence controls that needs to be addressed, get out the door and go work at their next job. And so for those CISOs out there, the clock is ticking. And so one of those ways that you have to be thinking about Zero Trust from a business perspective is how as a CISO, how as an executive, how even as a practitioner are we tying into the business to bring the business value? And there's plenty of ways, right? I mean and Megha just kind of outlined what some of those ideas are. My bigger point in all of that is keep in mind, when you are taking and talking about Zero Trust from a business perspective, you have to have multiple business champions. It cannot be an IT project, it cannot be a security project. It is a business project because it brings business value.
You are going to be there for 30 months. If you don't have multiple champions, your Zero Trust journey will not succeed. And so that is a critical concept that you all need to leave with.
This is not a one and done thing. This is not a hero project for that one champion takes in mirage through the muck. This is something that everybody in your business has to be able to participate in.
- Right, right. - Absolutely. - If you're pushing the rock uphill as a security only or an IT only project, sometimes you can be successful. Most of the time you won't be very successful.
And sometimes you'll have active obstacles and people who put it the hand and say, "Nope, this is my domain, you're not doing this." Jerry, any, talk. - Yes. - Talk us a little about business value. - So from a business value, one of the things I talk a lot about is having, an organization needs to have a business impact analysis happen, they need to understand what's fundamental to their business and what operationally keeps that business moving.
So to your point if, revenue obviously is going to be a driver for all organizations. But if you do an impact analysis and you determine that X, Y, Z thing in my organization drives my business and drives revenue in my business, then Zero Trust needs to get tied to that. And that's how you start to bring value to Zero Trust to those things in that analysis to drive Zero Trust or to drive the program, to drive the whole cyber security program.
- And that's where you find your champions too, by the way, (Jerry coughs) exactly that way. - So let's take this down one level and if you think about what a business is valuing, every business is different, but top line revenue, reduced cost, increased efficiency or employee productivity, reduced compliance cost and things like that, and it's important for us as security practitioners to understand this vocabulary. So I would highly encourage you, if you work for a public company, listen to the earnings call every quarter, read the annual report and ask questions from people in other departments. I remember years ago I was working for a software company. We were a public company and the CFO was talking about, on the earnings call, the order to cash process and how many days it was, et cetera, I didn't know what that was and I'm dating myself, but I couldn't Google it. 'Cause Google didn't exist.
(panelists and audience chuckle) But I went and talked to someone on the finance team and first of all, they loved that someone was asking them a question about their job. So they explained what it was to me and I learned something from it. Now I wasn't in the security, the IT team, I had a different role. But that's the kind of conversation where if your CFO gets a question from an analyst around order to cash or some other metric, for example, that's a great thing to now have a conversation with the finance team. "Oh, I heard that you're getting beaten up because order to cash is too long.
Let's talk about the systems and the IT processes behind that. How can we accelerate that? What would it mean to you if we reduce that by 30 percent?" And you'll probably get a really great answer. - And a really big raise. (panelists chuckle) - It's those kinds of conversations to have your antenna and your awareness of the elements of your organization. Now the financial ones are maybe a little bit easier because as a public company they have to be disclosed.
But you can make connections and talk to people who run the hospital or the manufacturing or whatever it is to really understand for my business or my university, whatever the organization is, this is what it means. And try to arm yourself to be able to ask the, what would it mean to you, question in, that's appropriate for the person you're talking to. Okay, so now we talked a little bit about what we mean by business value. Let's talk about what are the business benefits of Zero Trust. What are some of the actual benefits? Jerry, you wanna start? - My favorite conversation when I start talking about the benefits is, let's just face it, user experience.
If you are properly deploying a solution to drive business value, part of that is increasing or, I won't say increasing, improving your user experience. And that may not be immediate, let's be very clear, right? User experience is, I always say user experience is on a bell curve, it's gonna be very difficult at the beginning, but over time it gets much, much better. And that's where you want, because that's that trust, right? We're talking about Zero Trust. It's not Zero Trust, you said it's trust but verify. Well that verified process becomes better over time because they start to understand behavior and what you're trying to do and the context in which you're doing things. So that process of, or improving user experience is one of the, in my opinion, one of the best benefits you can get out of Zero Trust because it makes your user happy and oh, by the way, it makes your security team happy.
- So let's double click on that. So what does an improved user experience really do? - What does it really do? So, (Jerry chuckles) if you've got MFA or you got some sort of authoritative token and you gotta do it 10 times on your phone, that's not it. (Megha and Jason chuckle) That's a horrible user experience, right? - I've thrown phones for less than that. - Right. - Right.
- Right? So let's just say then you do that the first three days you're working, and don't quote me on the exact timeframe, but over the time as the curve gets better you start off with, "Yeah, my experience, it's horrible, I've gotta do MFA 10 times." But as I start to continue to work, that curve shifts. And now I'm only doing MFA twice, maybe, and that twice is because I'm doing something a little different than I normally do during the day, but if I'm doing the same thing day in, day out, I have an understanding, or the security team, their behaviors, there's an understanding of what this entity, this user entity does and therefore provides the opportunity to say, "Oh, we know what they're doing, we get it, let's let them do that and do the continuous authentication and authorization in the background because we know it's not any different than what they normally do."
But the moment they step out of those boundaries say, "Wait a minute, I've gotta introduce more friction." So it's that frictionless to, or the not frictionless, enough friction to be just secure. To be secure. - So aside from the security benefits, there's improved user productivity, there's reduced user frustration. And so that has a secondary effect of hopefully improving the standing of the IT and security team in the organization to perhaps give you the ability to push other changes or do other things.
There's probably also something that's measurable, such as reduced help desk ticket volume for certain areas. The one enterprise I work with implemented a Zero Trust platform. They started doing some things and they were able to reduce their help desk load for access related issues by 80%. And that's a pretty measurable outcome and everyone was really happy about that. - Yeah, so I actually wanna talk about that specifically.
So one of the biggest business values of Zero Trust, is cost reduction. But a lot of people have really, like, it's difficult for security organizations to articulate to the business what that looks like. So it's important for us as security professionals, as security leaders to say, "Okay, in the next three years, based on my roadmap, my strategy for Zero Trust, we are gonna be able to rationalize our security tools, which will save us X amount of money." Give it to the business in small sound bites, if you can.
You can even do like in the next one year, we'll be able to, once we do this project, it'll save X amount of money, in the next three years we'll be able to save three million dollars by doing these projects. One of those items, Jason just mentioned, which is reduction of help desk tickets and help desk being so involved and so on. There is a dollar amount you can extrapolate from each effort that you put in, and that's what you need to communicate to the business and say, "Hey, we're gonna be able to save money." The other piece of this is also if your organization is into mergers and acquisitions. Zero Trust makes acquisitions much easier, much smoother. And a lot of organizations from an M&A perspective, they are trying to reduce costs.
They are trying to make security easier. They are trying to reduce risk, security risk as those mergers and acquisitions happen. And if you have Zero Trust implemented, it's easier to acquire and that timeline for integration becomes shorter. - So let's touch on that 'cause that's a real, that's a real killer. - Yeah.
- Use case, the M&A and it's one of these, what would it mean to you conversations if you go to the M&A team and say, "What would it mean to you if on day one we can give you pinpoint access to this acquired company's network? We don't have to wait three and a half months to re IP address and do all this nonsense. We can be productive on day one." Their eyes would light up.
That's a fantastic. - Huge deal. - Scenario. Let's talk a little bit about the cost reduction though, I've certainly seen enterprises who have saved considerable amounts. It feels a little bit, I won't say one off, but a little bit of more of an aberration as opposed to the first thing you talk about which is, "Hey, if we do Zero Trust, we're gonna save money." Chris, do you wanna talk about a little bit? - Yeah, I'll go even a step further.
So I mean, saving money and doing Zero Trust is almost oxymoronic. You're going to spend money to save money is kind of weird but it's kind of true also, right? And so in your organization, you're doing that every day. You end up spending money to take, make more money and so on and so forth. I'll give you another competitive, another business advantage that may not be absolutely obvious 'cause it's at a hundred thousand foot view and that's a competitive differentiator, right? You can take and use Zero Trust and talk with your vendors and say, "Boom, we have our security program down.
We have a Zero Trust strategy and Zero Trust architecture within our environment." And I promise you the vendors that you do business with, especially if you're in a highly regulated environment that is interesting to them, that is going to be something that is going to set you apart from a lot of your competitors. And so taking and using Zero Trust as a competitive differentiator is something that's very real. Does it cost money? It does cost money. I promise you, you may take and have money savings in the end from FTEs and whatever have you, but the overall spend that you're going to have in Zero Trust and the incremental spend that you're going to have in Zero Trust is worth it. I mentioned specifically on the CISO scale that you have 30 months, 31 months.
How many CISOs have KPIs that are some kind of revenue oriented, right? And the answer is everybody does. I mean, you're in a business, you're there to make money, you're not there to give people's money away. And so those are things that you have to be aware of. So to Megha's point, it's important to be able to explain how Zero Trust is going to have a net positive impact on your revenues, be it through reputational awareness from a vendor due diligence perspective, be it from a competitive differentiation perspective, even being from things like an FTE decrease or a user experience improvement. Those are all things that have a business value, sometimes difficult to take and put a price tag on what that is. But when you take a look at them in a large format, those are things that your board of directors are going to be able to understand.
And if you haven't thrown your phone across the room after having 10 different (Jerry and Megha chuckle) queries saying, "Re-enter your password," you haven't been dealing with Facebook or Apple enough. But I'll also say it makes you want to throw your phone. And so if you have the ability to decrease that number in your environment for the customers that are using your service, you will be the winner, that is a big deal. - I wanna touch on one main point that you just mentioned. It's around the third parties doing business potentially with your organization.
I don't know how many times I've gone to organizations and they're like, "Well the third parties we're working with are saying we're not meeting their minimum security requirements so they don't wanna do business with us anymore." And as a result, your organization is going to lose money. That is what the business understands.
And if you communicate it that way, you're more likely to of course get funding to do things like Zero Trust and so on. But it's our reality and I've seen that happen a lot. - Security is not a like to have. - Yeah.
- I hope everybody in this room understands that security is not one of those things that's nice, right? (Jason and Jerry chuckle) We all kind of want to have security, but we really do need to have security. - Yes. - And it's gotten to the point, to Megha's point.
It's not one of those things on your checkbox bingo that, "Well, yes, they have Zero Trust so we're going to use them." It's going to become table stakes. In fact, you don't even get to talk to a lot of organizations, especially those that are highly regulated, unless you have a security plan, a security strategy in place that details identity, how you're going to handle data, those things.
And if you don't have that, then you just don't even get to play. So when you're talking about business value, if you don't wanna play in that industry that's fine. If you wanna play and be able to accomplish things in those verticals, then you had better be able to take and address those kind of considerations. - So I wanna say one thing, Chris, 'cause I think very quick statement is, you called out the fact that you have to do things with identity, you have to have different security controls in place to support a potentially a third party.
Notice there that that's not a Zero Trust statement. - Nope. - That's right.
- You have to have Zero Trust. There's no checkbox, like Chris said, there's no checkbox to say Zero Trust. These controls must be in place, whether it's principle of least privilege, whether it's defense in depth, whatever the different things are that needs to be in place to support what they're doing.
Absolutely. It is not saying you have to have Zero Trust, 'cause there is no definition truly to say, "Oh, you're Zero Trust compliant." And we could talk, don't get Chris started about it.
(Jason and Megha laugh) - Right. - And some of these are certainly, they're characteristics of an overall level of maturity and thoughtfulness that we all need. I mean, imagine you're working with a potential partner, it's gonna drive business for you, but you gotta do some sort of API integration or data exchange. I mean, there's a world of difference between, "Okay, here's our APIs, here's how you access them, here's the access control mechanism, et cetera, et cetera," To "Yeah, email us a CSV file."
I mean. - Right. - Those can literally make the difference between a vendor wanting to do business with you versus not. So let's kinda get to our penultimate topic of, so how do you communicate the value of business, of the business value of Zero Trust internally? And Meg, I know you had a couple of ideas that you use and. - Yeah. - You've done this
- Definitely. - a couple of times. (Megha chuckles) - So I highly recommend a couple of things. Number one, please find somebody internally that, in air quotes I'm gonna put, "Speaks business." Because one of the things as security professionals and security groups that we struggle with sometimes is the business speak. And if you can find stakeholders, people internally that are supportive of Zero Trust, like advocates of Zero Trust, and that can also speak the business language, you will be able to more effectively get the Zero Trust journey that you're trying to take across to the business and across to other stakeholders.
So making sure, and if that involves finding someone internally, finding a third party to help you with that case, then go down that path. Couple other things is identifying, what Zero Trust does, it's actually really good with creating and developing relationships internally. So let's say you wanna go to the board, talk to them about Zero Trust before you even go to the board and educate them, educate some of these folks that are gonna be in the board meeting ahead of time. Have one-on-one meetings with them, make sure that they are your supporters.
Make sure they understand in detail what is Zero Trust, what are we trying to do? They're going to ask you all sorts of questions that, if you wanna bring someone along with you to explain what Zero Trust means, take someone with you. And then the third piece is educating the board. The board needs to understand what Zero Trust means. And like I said, you can do it one-on-one, initially, but I would also recommend as a group you go in and say, "All right, some of you we've met one-on-one with, now let's talk about this as a group." And let all the pieces come together, all of you have a conversation and let's talk about Zero Trust.
So it's gonna take from our security teams a little more effort in that space, but it's worth it because you'll have the right stakeholders giving you that support to actually start and continue this journey. - So I think, I agree with everything you said, I'm gonna challenge one thing here though. - Okay.
- So I think that boards are starting to bring on cybersecurity experts as a part of the board. - Yes. - And so as they're doing this, you've got some education that's happened and the board has the ability to refer to their expert on the panel or on the board, if you will.
But I also think that relating Zero Trust specifically to the cybersecurity program, because the board's interested in what's going on with cybersecurity, they wanna understand the risk, they wanna understand the reputation awareness. They wanna understand all those things. And so the cybersecurity expert on that board is gonna have some of that knowledge and be able to understand that.
And coming in saying, "Hey, let's talk about Zero Trust." I don't know if that's the right approach, right? I think it's, this is our cybersecurity program, Zero Trust is a part of that, and the way we implement those controls depends on the organization obviously, but saying this is cybersecurity and not saying this is Zero Trust, in my mind, has always been a better approach, because then you don't get that marketecture term, Zero Trust, in the board meeting and create, I think from the very beginning, the image of, "Oh, this is a monstrous event where we're gonna rip out everything and start over and we gotta do a $10 million investment to change our entire business process." - Right. - Yeah, so I actually agree with that approach, which is making it a part of the security conversation.
So, but at the same time, I think in those one-on-ones, if you are pursuing a Zero Trust journey, people in the room do need to understand. - Yeah. - A little bit of what it is, but as a group, absolutely. You know, going to the board and actually saying, "Hey, this is our security program approach." Absolutely.
- Right. - Security program approach that delivers, - Right. - business value. - Yeah. Exactly. (panelists chuckle)
- I guess the simplest thing, to kind of complement all of that: you don't have to eat the elephant all at once. - Right. - And this is a journey. This is something that, I promise you, there is no one-click solution for Zero Trust, no matter what the people in the expo hall will tell you. (Jason and Jerry chuckle) This is something that's going to take time.
And you don't need to go to your board of directors and basically say, "We're going to implement Zero Trust tomorrow, gimme 50 million dollars and I'll have it done." - Yes. - One, it's never gonna happen. Two, it's never gonna happen no matter how much money (Jason chuckles) you have.
And the reality of it is that you can have a Zero Trust strategy, okay? You can piecemeal share that accordingly, and share it in ways that they can understand, and communicate the business value of the various pieces that you want to get to. And you can have trusted champions that understand what you're trying to do, so on and so forth. But there's no need to take and encumber your board with this overarching strategy and overwhelm them all at once. Because again, as complicated as Zero Trust is, and it's not complicated, it's still something that takes a lot of time for people to kind of get their heads around.
So taking and giving it to them in pieces so that it is part of your overall security program, I think is very important. You don't have to eat the elephant all in one day. - True. - So I'd like to make sure that we reserve time for audience questions.
So please, there are microphones on both sides and we welcome them. - Yeah, we have about 10 minutes-ish. - 14 minutes. - Yep. - So let's go ahead and open the floor and take it away. Yes, sir. You have a question? (Jason chuckles) - Yeah, what are the challenges on, say, following a Zero Trust model? And one of the easiest Zero Trust models is, for instance, spam and phishing, enforcing SPF, DKIM restrictions and things of that nature.
And what I find as a challenge is that, I'm an MSP so we're a consultancy, I get them on board, everybody's like, "Yeah, yeah, yeah, we need to lock that stuff down. Boy, I really don't like all this stuff." So you enforce SPF and of course they're still using AT&T, (speaker 2 chuckles) some of their people are still using att.net
that doesn't have an SPF record, things like that. And so of course those mail messages get blocked. And now I've got that champion coming back to me telling me, "Get rid of all those settings you just put in place to protect us." So I had an advocate that's now coming to me and is no longer my advocate, is actually trying to get me to circumvent those things. What have y'all done to keep up the good faith? - [Chris] Yeah. - [Jason] Right, right. (Jason chuckles) - You know what I mean? - The biggest irony is that Zero Trust fails when you have the exception, right? So how many CEOs want to have access and domain access and everything, right? - [Speaker 3] Oh my God.
- If you're not raising your hands, you're lying, right? (Jason and Megha chuckle) I mean, we've all run into that situation where, "Well, I want that policy for everybody except me." - Right. - Right? And so keep in mind that Zero Trust is one of those things where you're applying policy and protection to your environment in total. And so you have to communicate that "do as I say, not as I do" is not gonna cut it, right? And so you have to have that constant level of communication to make them understand that there is value across the board. But I will tell you, if you need to, start scaring them with facts: the bad guys love the fact of the exception, right? - That's right. - They love the idea. - Yes.
- That they're going to look up online, Bob Smith is the CEO of Bob's House of Widgets, and Bob Smith, by very definition, may be the most public person in that company because he's the CEO, but he's also the guy that wants the exceptions. And so who are the bad guys gonna go after first? - Right, and Bob, guess what? There are dozens of hours of Bob Smith's video. - Yeah. - That they can use.
- So they know you can spoof Bob all day. - Right. - And so remember, if you need just the smallest piece of evidence or an example, remember that Bob Smith is the most public person of Bob's House of Widgets, therefore we should be protecting him the most.
And if Bob Smith has a problem with that, send them to me and I'll talk and scare the out of him. (Jason and Megha laugh) - All right, yes sir. Oh, okay. - It's a quick one. How do you measure success in Zero Trust? So you've got the business to understand the value.
They've said go ahead and do it. How do you show, what metrics do you use? How do you measure success? - [Jason] Oh, I love that topic. Yeah, I'm gonna hand it to the panel, I love it so much. - I can, real quick, speak on that.
So usually when it comes to Zero Trust, when you're developing your strategy for Zero Trust, it looks different for everybody. You're gonna have, sometimes it's a five year journey, sometimes it's seven, sometimes it's three, sometimes it's less. So it depends on your organization's maturity.
So when you develop the strategy, you can also start to create, and the beauty of Zero Trust, I think, is it makes milestones. It's very intentional with what you're trying to achieve. And then if you look at the Zero Trust maturity models, right? It goes from traditional, then you move up another level to intermediate, and then you're moving to optimized. So using that maturity model to establish metrics for, let's say, progress is a great way, I would say, to show improvement, to show that you're actually taking those steps one at a time and turning on those levers from a security perspective.
And those metrics you can clearly articulate to the board which short term, medium term and long term goals that you have. So that's one way. - I will tell you that our leadership team met yesterday. - Yeah. - And we specifically were talking about this particular issue right here. - Yeah.
- How are you going to measure, how are you going to assess? One of the things that constantly bothers me is, again, you go out to the expo hall and people will tell you that they're Zero Trust verified or Zero Trust certified. No, that's false, okay? But there are some assessments that we're looking at as a way to attest, and so on and so forth. So we're looking into it. There are things on the horizon that might be interesting to obviously everybody in this room that we're gonna be able to do. - And I'll just say. - Sorry. - I think it depends on what you're trying to protect.
So if one of the things you're trying to do is, I refer back to the InStack document a lot, and it talks about defining your protect surface: what is it you're trying to protect? And having a full understanding of that system. And then effectively, if you have a full understanding of that system, are you protecting the components of that system? And protecting means things like, are you getting denies on your network? Are you receiving events in your environment? Is there an identity crisis, and I'm not trying to make a pun, but is there an identity crisis with what's happening within that protect surface? Those are the types of things you can start to measure and get value out of. My psychology teacher would love me right now. It depends, it depends on what it is you're trying to protect, what kind of KPIs you're ultimately gonna get out of that. And I think you have to measure that.
- And I wanna. - And there. - Sorry. - No, please go ahead. Go ahead. - I wanna add to that real quick: there are actually specific principles of Zero Trust, like is all the traffic encrypted between the systems and so on? You can use those as metrics as well to communicate whether you're actually achieving what you want to achieve from a Zero Trust perspective. - Yeah, I think there are definitely technical and security things that can and should be applied across the different pillars, and as you move up: the percent of traffic that's encrypted? How much data is. - Yeah.
- Accessed through a DLP solution. Those things are definitely technical and measurable and valuable. You can and should choose those things for your organization. But there's also, remember, business value that can be measured, such as help desk ticket volume, how much revenue is this new digital business creating? How much has our order-to-cash cycle reduced, et cetera? The things that hopefully started this conversation in the beginning with your organization can and should also be measured. Yes. - Thank you, so as a cyber guy, I get to carry the Zero Trust flag.
I brief my board, I brief people across my organization, but as a cyber guy, I can't do it by myself, right? I need the networking team. I need the application, - [Megha] Yes. - development team. And that's where I'm struggling with, right? I have the money to do what I need to do, but I need these folks to work in collaboration with me. So the challenge is, and they're all busy like everyone else is in the organization, how do I convince them to, let's focus on those things that are important to the organization so we can move forward? Again, 'cause I can't do it by myself. - [Jason] There's so, - [Megha] Right. - [Jason] many ways, they can get (Jason chuckles) and form obstacles.
- Start with a big bat, right? (panelists laugh) And you're describing the challenge that everybody has. How do you convince the champions in the various organizations that you have to deal with that this is important? And so you have to describe to them what the, you have to be very prescriptive about what the value is going to be. One of the things that we're working on at the CSA is a matrix of buyer personas, right? And it's out there, it's out for comment and you can see it. You can download it.
But you know, at the most basic level, what are the challenges that this kind of person, like a CEO, a CFO, a networking guy, a boxes-and-wires guy, a desktop guy, what are they seeing? And then how do you address some of those challenges? It's not all-encompassing. I don't claim to have every answer, but each of those different organizations has different stressors, right? They have different things that are important to them. And how is your Zero Trust journey going to impact them and address some of those concerns? It's gonna change, right? How do you take it and do it for networking? Maybe it decreases their workload.
Maybe micro-seg solves a lot of the problems with the VPN solution that they have today. Never been wild about VPNs, micro-seg is a better way to go. And so maybe this solves some of those problems taking and going down that journey.
Maybe that's not even step one in your journey, that's step 37. But if they help you get there, then they can see the light at the end of that tunnel. - Yeah, and I'd like to add to that.
So similar to Cloud, right? When Cloud was new, there's like the Cloud center of excellence, right? That you would establish. So similar with Zero Trust, Zero Trust is a horizontal, it's gonna go across many departments and you have to break down of course those silos. But one of the best ways I've seen it done is creating a Zero Trust center of excellence where you actually have proper steering committees, proper operation committees that are dedicated to making this happen. And it will, that center of excellence, will help break down those silos. - Great. - One last thing
and I'll make it really quick. Typically you have things like architecture review boards, you have different boards that are across those domains already. - Yeah. - Bring it into that type of environment to address it there because I think it addresses everything they just talked about. Where it's addressing some of those problems that, or challenges that those organizations are having. And you start to see where, "Oh we can solve some of that through these means."
And you introduce it there and then that allows it to go across the organization. - And again, if that doesn't work, use a bat. (Megha chuckles) - And now you get a bat. That's right. - I prefer the carrot approach to the stick approach. - I do not. Bat. (Jason and Megha chuckle)
Yeah. - All right. I know we're almost outta time. Yes sir.
- All right, so Jason is the moderator. You get to dodge this question this time. (Jason chuckles) But Chris does not, so one of the things that, as you said, Zero Trust is a journey. It is absolutely a journey, but also at the same time cybersecurity needs to be continuous improvement. Now obviously with Zero Trust, we're going to start off with a large scope such as, don't trust other people's networks, and then we're gonna start shrinking the scope.
Don't trust other network segments. Don't trust other hosts. How granular do we need to make Zero Trust become? Do we need to shrink it down to the data level? Perhaps even the row level in the database? How granular should we make our Zero Trust journey go? - [Jerry] Can I take this first? - [Jason] Yeah, please. - So first off, I think you went the wrong way, right? I think you go at the data level and how do you manage that? And then if you need to go further, so the point would be, I just use that example 'cause you used that, but the point would be you go to the resource you're trying to protect. What are you trying to protect? And how much of that do you need to protect? And can you do that with more defense in depth, right? And I'm using that very, I don't like that word, but I've used it twice so I apologize.
(Jerry chuckles) But it's, what is it you really are trying to protect? And then protect that asset, and then all that other stuff you described, guess what? They're not even a part of the conversation anymore. - Yeah, so this goes back to my definition from earlier. It's a very data-centric approach. So if you don't know where your data is, what it is, where it is, all of that, it'll be difficult to move down the Zero Trust path. So you do have to get a bit more granular in that space. - Great, so I apologize, we are out of time here, but we happened to answer your question. And speaking of the man with a bat,
Steve is coming up to cut us off here. So I want to, any, 15 seconds each or so, any final thoughts for the audience? And then I'll wrap up. - I can barely say my name in 15 seconds. - All right, we'll move on, Jerry. (panelists laugh) - I will tell you though, again, don't make Zero Trust overly complicated. It is something that, the concept may be scary, but the implementation is actually a lot simpler than you might think.
You already have some of this in place, iterate on that and make incremental changes to make your infrastructure and security journey just that much better. - Fantastic. - I would encourage this group to utilize Zero Trust as a bridge to the business because it is a fantastic bridge to start that conversation, have a better relationship with the business and use it in that way. And as a result, you're not seen as the group that says, "No." All the time. You become a group that says, "Yes."
And that actually has that good relationship with the business to continue that journey. - Identity, security, risk, I'm done. (panelists chuckle) - Yay.
- All right, well I wanna thank, thanks to the panel. This was excellent. (audience applauds) Very good.