I have done a few exercises on implementing Zero Trust and Zero Trust eXtended (ZTX) in enterprises. The impetus behind these exercises from a strategy standpoint is that the participating organizations have leaders that are Forrester clients and had read, or at least breezed through, the research that has been published on the topic of Zero Trust and that they have bought in on implementing Zero Trust in their systems. Great, this is how it’s supposed to be. But . . . that’s where the rails come off.
The moment that we asked the first question — “What is your security strategy?” — everyone in the room began pointing at one another, and arguments began. Follow that up with this question — “What’s the one thing you think you can fix based on this simple framework?” — and, whoa . . . things get ugly. No one would take ownership of who could implement change, and there was no single point of leadership willing to own the decisions needed to make anything happen. The session essentially ended up with finger-pointing, arguing, a slew of profanity, and a general realization that the current situation would continue . . . it was painful.
So that brings me to this point: In most sessions that I have conducted, it has never been a technology problem. It is a management, leadership, and ownership issue. Almost every group I talked to had plenty of next-generation technology in place, such as:
- Carbon Black
- Digital Guardian
- Palo Alto Networks
There was no lack of technology to solve the problem; solid technical solutions were in play in every environment. Excuses, a lack of ownership, and “culture” were the problems. All the coolest, most powerful technology in the world combined with the best strategy will always fail if those in positions to do something cannot employ the technology that fixes the issue.
Pointing to culture as being the “problem” is a cop-out and shows a lack of tenacity and fortitude. If security is to be put in place, then the culture must come along and accept that if it wants to survive in today’s threat environment, a degree of discomfort is tolerable.
The leadership needs to make sure everyone knows that:
- They will be watching the network.
- All users will be monitored, all the time.
- Users will have to authenticate to every asset.
- It’s not their data; it’s the company’s, so the company controls it.
- Security isn’t optional.
Users need to learn to deal with security — it’s a way of life now (or at least, it should be). If that’s not going to work for some folks, then tell them to go somewhere else and be their security problem — or make the choice to allow them to hinder security and be ready to be part of a breach. Tell the board or shareholders that, thanks to the groans of a few individuals, you have chosen to allow “culture” to threaten the bottom line of the company. In today’s world, it is no longer acceptable to allow a few individuals’ fears and unfounded concerns about monitoring and security operations to impede a secure digital future for the majority.