Zero Trust and The Risk You've Already Taken
Zero trust: Where to start?
Zero Trust can be a conversation topic that heads down many different routes, whether it's a Zero Trust architecture, Zero Trust products or a Zero Trust philosophy.
All of these conversations inevitably lead to the same question: 'Where do we start?' Some will say to start with what is already happening. Do you have a segmentation project, a data discovery project or a ZTNA project?
The true starting point of any Zero Trust initiative needs to be executive buy-in. This step is essential, and the one that differentiates an enterprise Zero Trust initiative from any number of attempts to deploy best-practice security controls in the name of Zero Trust.
Executive support is critical
The support of an organization's executives can mean the difference between a successful initiative and settling for 'good enough'. Anyone who's attempted to deploy new policies or controls to an environment knows that the business will always push back. Not out of malice or contempt, but because change is difficult, and things are the way they are for a reason. Every time a change impacts an existing process, it costs time and money to update that process. Those decisions need to be supported at a high enough level that every change isn't a battle. This all sounds great in theory, and 'the executives' sound like a nebulous group of people, so who do you start with?
Risk ownership
Every organization operates with an acceptable risk tolerance. This isn't a colloquialism; organizations define risk according to the type of business they do, how to rate that risk, and what is an acceptable level of it. Even not performing these activities is a form of risk acceptance, sometimes referred to as burying one's head in the sand, which is typically done by organizations with the largest risk tolerances. Those organizations are few and far between.
Risk management is the process of defining what risk is acceptable to an organization and working with stakeholders to drive residual risk below that threshold. Eliminating as much risk as possible should be every organization's goal. Practically, that means bringing it below the line where the likelihood of occurrence and the cost of mitigating controls arrive at an agreeable intersection. When risk remains in an organization, it must be reviewed, and the acceptance must be renewed on a regular basis, typically yearly. Sometimes this process is completed with the goal of reducing the risk further; sometimes it's done with relief that another year has passed without it affecting anyone. This process is where Zero Trust can find the executive support needed to drive real change. Next to each line of risk is the signature of a person who attests that there's nothing more the organization can or will do to reduce it further. Add a few of those risks together, boil them down to a short list of missing controls, and you'll start to see a pattern emerge that will form the blueprint for an actionable Zero Trust roadmap.
Too easy?
That sounds really easy, doesn't it? Identify the known risks within an organization, determine which controls eliminate most of them, and implement them. The controls needed to reduce the kind of risk that organizations sign off on year after year aren't a matter of deploying stronger passwords or implementing screen locks. There are serious challenges to eliminating these kinds of risks, and that's where a Zero Trust Architecture comes into play. The time and effort devoted to eliminating long-standing risks will also future-proof the network, a connection that's not often made when having one or both of those conversations. IT budgets will be spent, security systems and services will be purchased, and new controls will be deployed. By focusing its spending in a clear and concise Zero Trust direction, an organization can address both new and existing problems while mitigating known risks and liabilities, making the effort easier to justify.
There is risk in trust. Hard stop
Now we get to the relationship between the thankless role of risk management and the literal impossibility of Zero Trust. The market is always looking for slick ways to rebrand, for the digital world, what has always been common sense in the real world. Zero Trust is a nice term, but the realization that it's a journey, and not a destination, often comes later. No one control, process, or environment can ever be 100% Zero Trust while enabling business. You'll always have the people who build the controls and the users who are constantly looking for the most efficient way to do something. Couple that with the fact that every day brings a new list of vulnerabilities and outages in the platforms we rely on to enforce controls, and your list of inherent trusts starts getting very long. A well-supported risk management process can help an organization craft its own Zero Trust journey while providing guardrails, accountability, and off-ramps along the way. Eventually, the controls will be built, the processes to refine them will be established, the schedule for auditing them will be defined, and the cycle to feed lessons learned back into the controls will be complete. The goal for all of this is to reduce risk to an acceptable level, not zero, but certainly enough to limit the blast radius of a failure to a manageable level.
Where can you go from here?
Cyber Security, Audit, and Risk Management departments often have a cat-and-mouse relationship. I can remember playing that game: fix what you can, but make sure to leave one or two things for the auditors to find, or they won't stop looking. This is a self-defeating strategy that takes valuable time and resources away from the organization's overall goal of risk reduction. Auditors aren't looking to get people fired. Risk managers aren't looking to pile on to a security department's woes. Security practitioners aren't purposely trying to hide risks. Everyone is just looking for the path of least resistance to get the job done in a way that doesn't lead to more work tomorrow. Zero Trust can be the catalyst that helps begin to build trust within an organization that is often internally siloed. When Cyber, Audit, and Risk are all singing the same tune, you'll find fewer barriers and more friends to help overcome them. For more information on how we can assist you in your Zero Trust journey, contact our team.