Jan 31 2024

How to Sell Zero Trust to Leaders and Employees

To succeed at deploying modern security architectures, IT leaders must get funding from the C-suite and buy-in from their colleagues.

Businesses today rely on a remote workforce, so organizations of all sizes must ensure that only trusted users access sensitive corporate data and resources. This means moving toward a zero-trust strategy, which has been embraced by 67 percent of small and midsized businesses, according to Okta.

The concept is familiar to IT and security teams, but zero trust can be a tough sell both up the corporate ladder, where executives must approve budgets for zero-trust projects, and to ordinary employees, who must embrace new security policies and practices.

How can IT leaders get everyone on board when it comes to a zero-trust framework, whether that means deploying new security solutions or implementing early first steps such as multifactor authentication?

Click the banner to learn how to assess your zero-trust maturity level.

Three Steps to Persuading Leaders to Support Zero Trust

Technology conversations with senior management can be difficult. Zero trust is an especially challenging concept because it is not a clearly defined undertaking but rather a philosophical approach to risk management. Three steps can lead to strong organizational support for zero trust.

Step 1: Explain the business value. Start the senior management conversation with a clear understanding that zero trust is not just a buzzword. It is a fundamentally different security approach designed to overcome the weaknesses in the traditional “castle and moat” method that allowed users broad access to sensitive resources while on the corporate network.

Zero trust replaces the idea of absolute trust with the requirement for all users — whether inside or outside the network, on premises, remote, or in the cloud — to be authenticated, authorized and continually validated before accessing applications and data.

When senior leaders understand that zero trust isn’t just a shiny new object that excites tech people and is instead a critical tool for protecting the organization’s data — its most precious asset — they tend to take the matter more seriously.

RELATED: Find out how Windows 11 supports zero trust.

Step 2: Enlist leaders’ help. Once they realize the stakes, senior management should be more supportive of any initiative that reduces the risk of cyberattacks affecting mission-critical operations and profits.

Every organization’s weakest security link is its employees, who are constantly targeted by clever cybercriminals seeking network entry. Remote workers reliant on the cloud may be the most vulnerable to escalating security threats.

The proof is that cyberattacks are on the rise. The global insurance company Allianz reported in October that it expected to see a 25 percent increase in claims on cyber insurance policies by the end of 2023.

By continuously verifying access, zero trust greatly reduces the risk of a breach as well as its potential impact. A management team that understands how zero trust leads to increased productivity and successful digital transformation can become an ally in the process.


The rate at which cyber insurance claims were expected to increase by the end of 2023

Source: commercial.allianz.com, “Detection and response tools increasingly important as cyber claims surge: Allianz,” Oct. 25, 2023

Step 3: Engage leaders in budget discussions. Zero trust will require investment in new technologies and processes, but requests for massive budget increases can be fraught.

Consider launching a small pilot program affecting a critical part of the business. Start with identity and access management to authenticate each request for access based on the least-privilege principle; once authenticated, ensure that users can only access resources for which they are authorized.

Multifactor authentication, provided in solutions such as Duo and Okta, can be instrumental in this process and has the added benefit of producing quick wins for the organization. Use benchmarks, visuals and clear metrics to demonstrate value from a business perspective. Further steps might include microsegmentation (to contain security breaches), strong encryption and regular patching of critical systems.

LEARN MORE: How to improve your zero trust architecture and maturity.

How to Get Coworkers Comfortable with Zero-Trust Policies

Zero trust brings change, and this can be daunting to users. A four-step approach can build and maintain a solid, organizationwide foundation for a zero-trust initiative.

Step 1: Explain to colleagues why zero trust matters. Frame zero trust as a user-centric approach to security rather than something punitive. Zero trust ensures that everyone has exactly the level of access they need, which reduces the attack surface and makes it easier for users to focus on their roles. This reduces stress, since users are less likely to make mistakes that could lead to breaches.

Step 2: Instruct users on how it works. Set up training sessions to help users understand the new systems and policies. If you start with a pilot program, focus on the users involved in it, and make sure you provide ongoing support to help them with any questions or problems. Convert early users into allies to help you sell zero trust throughout the organization.

Step 3: Involve workers in decisions. Solicit feedback from users, engaging them in testing and refining changes to processes and technology that support zero trust. Encourage them to participate by listening to their concerns and using their firsthand experience to smooth the path for future users. Gather their comments on the pros and cons of the solutions you’re using. Find out what benefits they perceive and remove obstacles to adoption.

Step 4: Incentivize following the new policies. Based on the results of the previous step, look for real-world, practical examples of the benefits of zero trust, such as seamless access to systems thanks to context-aware controls or fewer distractions leading to increased productivity. While not easy to quantify, they can pack an emotional punch if presented in terms of early users’ experiences.

Zero trust is not the responsibility of a single team. It must involve business leaders, security practitioners and users across the organization, working together to ensure that security becomes an integral part of the company culture. Clear communication of the benefits and enlistment of allies in reaching a shared goal can go a long way toward ensuring that the organization reaps the benefits of zero trust. In the process, the business will send a strong message about its commitment to security and privacy and the way it values and protects both its people and its data.

LaylaBird/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT