“Most of you probably don’t realize this, but you’re using zero-trust architectures right now.” That’s what Joseph Salazar, identity security technologist at SentinelOne, told participants at the CDW Solution Forum on Cybersecurity, which took place Oct. 19 and 20 in San Antonio.
Salazar noted that zero trust — a security philosophy that assumes no party can be trusted, whether inside or outside the system — is gaining popularity among organizations. That’s in part due to a 2021 presidential executive order mandating zero trust across federal agencies, which has established zero trust as a baseline more broadly.
When panel moderator Buck Bell of CDW asked the crowd who had used the term zero trust when discussing cybersecurity with non-IT leadership, numerous hands went up.
“I used to have to go around with my hat and be like, ‘Can I please have some money, sir?’” Jeremiah Salzburg, chief security technologist at CDW, said at the event. “And now, the boards are saying, ‘Are we doing enough in security? Are we doing enough in zero trust?’”
Because access points continuously shift, the definition of zero trust continually evolves. According to a Fortinet survey, just 28 percent of organizations say they have fully implemented zero-trust principles, down from 40 percent in 2021.
“What it comes down to is that zero trust is a strategy. It’s a strategy that has to work at all levels of your organization, from the executives down to the lowest entry level,” Salazar said. “It’s not something where you just wave your hands and say, ‘We’re done.’”
How Do You Build Trust in Zero Trust?
Because zero trust is a concept, not a tool, its biggest challenges aren’t technological; they are strategic and cultural.
“Every person here, every organization, is going to have a different risk profile, so they’re going to have a different set of decisions,” Salazar said. “Zero trust as a concept is great. As for you individually? That definition is going to be different.”
Communicating with organizational leaders about why zero trust is important and what it will entail, from financial resources to compliance issues to educating staff members on why workarounds put the organization at risk, can help security leaders ensure that stakeholders know they’re buying into a concept rather than a platform.
Because it’s a concept, it will be imperfect. Executives will need to be patient while the organization builds its zero trust strategy to maturity — a maturity that will never be complete. “A lot of the questions that I get are about the maturity model,” Bell said.
Three Ways to Make Zero Trust Your Baseline
The tools of zero trust vary by organization, but cultural concerns crop up regardless of technical requirements. Here are three ways panelists recommended working around roadblocks to a zero-trust approach.
- Look for quick, visible wins. Bell told the audience of IT and security leaders that the top reason single sign-on became popular is that users became tired of signing on multiple times to different tools throughout the day. Salzburg suggested using convenience as a lever to gain trust. “Every time I go to a new application, I see the little thing spin, and then I don’t have to put in my password because there’s been a posture check done on my device,” he said. “That’s something all of your executives will see, and it’s something that your team will get kudos on.”
- Demonstrate the value of zero trust to stakeholders. Leaders are more open to zero trust than they were in the past, but getting the necessary resources may still take some reporting. “We’re going to show you, ‘Hey, we’re reducing the time it takes every day to do these activities, we’re saving 1,000 people time each day from trying to log in and find passwords,’” said Peter Romness, cybersecurity principal at Cisco.
- Be the turtle, not the hare. “Don’t try to make big changes,” Salazar said. “Make small, incremental, logical steps.” That approach allows for the cultural and behavioral shifts needed for zero-trust architectures to be accepted, and it also gives security leaders more agility.