As the threat landscape continues to intensify, Zero Trust has come to define today’s cybersecurity agenda. Recently, the U.S. Federal Government announced a new strategy to move toward this approach in order to “dramatically reduce the risk of successful cyber attacks against the Federal Government’s digital infrastructure.” To explore current industry thinking around Zero Trust, Palo Alto Networks and our technology partner, Tufin, sponsored a Vation Ventures Roundtable Session, bringing together the chief information officer (CISO) consensus from leading organizations.
As CTO of Network Security Technology Partnerships for Palo Alto Networks, I participated in the panel together with Pamela Cyr, Senior Vice President of Business and Corporate Development for Tufin. The discussion was highly valuable in illuminating the challenges in Zero Trust implementation, as well as best practices for achieving its potential.
Here are a few of our takeaways from the CISO consensus.
The CISOs on our panel shared a strong consensus that Zero Trust is a valid framework for reducing cyber exposure, with buy-in and a willingness from upper management to fund Zero Trust initiatives. However, its implementation will be more of a process than an overnight transformation. Participants emphasized the need to proceed step-by-step, use incremental victories to gain advocacy and momentum, and expand the Zero Trust model gradually across the organization. Collaboration with both internal business stakeholders and external resources, such as peers, experts and solution providers, is key to building best practices for designing, deploying and operating a Zero Trust infrastructure.
As for where to begin, some panelists saw value in targeting areas where a Zero Trust architecture could have the greatest impact in the shortest amount of time. Others felt it wiser to focus first on areas with a lower profile, where CISOs can better afford to make mistakes and learn lessons without undermining longer-term security and Zero Trust goals.
Participants engaged in a fascinating exploration of the relationships among the three pillars of Zero Trust success: people, process and technology. While technology is critical, the first priority is to define the right processes for Zero Trust, and then to educate employees and set their expectations accordingly. Technology, in turn, enables these processes and provides a way for people to adhere to Zero Trust practices.
Technology solutions can also play a vital role in addressing a lack of resources or expertise in the other two areas, allowing the CISO to focus on delivering on enterprise business priorities without disruption. Capabilities such as IAM, micro-segmentation, visibility and automation are essential, but only in support of the right processes and human expectations.
With both business applications and employees more widely distributed than ever, complex network topologies can make it impossible for security operations center teams to maintain comprehensive visibility without becoming overwhelmed. By automating a majority of the networking and security tasks, CISOs can enable analysts to focus on the highest fidelity alerts, making it possible to balance speed and security.
On a daily basis, business demands the deployment of new services and new connections across this agile and complex environment. Lacking automation for network changes, IT cannot design and deploy the changes needed to support the business in a timely fashion. This creates windows of opportunity for threat actors to gain access to networks and defeat the objectives of deploying a Zero Trust architecture (ZTA).
While the scope of implementation across a large organization can be daunting, Zero Trust is just too promising and too visible with senior leadership not to proceed. The CISOs who participated in our roundtable have embraced their mission and charted a path forward to Zero Trust success. Visit our page and learn how to become a Zero Trust Enterprise.