Success with Zero Trust Starts with Creating a Culture
I came to Southern Methodist University in 2003 to go to law school. I ended up with a law degree and a job leading cybersecurity. I also write, teach and speak at many events. I often find myself atop the proverbial soapbox. When it comes to Zero Trust, one of my biggest soapbox speeches is this: If you’re the only one focused on Zero Trust, you’re not going to have much success.
It is essential to create a culture that embraces Zero Trust. This means broadening the conversation. When we talk about cybersecurity at SMU—and Zero Trust specifically—we bring everyone in; all of IT, faculty, human resources, athletics, you name it. The first question our business leaders ask is: “What do you mean, we can’t trust?” To be successful in running an organization, we need trust. Trust is the currency of business.
Zero Trust isn’t about individuals, it’s about packets. We can trust an individual, but we don’t have to trust the packets that are attached to that individual through the devices and networks that are the lifeblood of our organization.
Zero Trust is more than an architecture; it’s a philosophy. To change culture, you need a strong, underlying philosophy.
Know Your Organization
So how do you make sure you are having the right conversations and are building the right culture for Zero Trust? It starts with knowing your organization. Every organization is different, with diverse digital technologies transforming our workplaces and creating new expectations for users and customers.
For example, when I came to SMU, I discovered one of the driving values of higher education – the concept of academic freedom. This is critical to protecting the vitality of research. But one particular faculty member interpreted this value to mean that universities should not have firewalls at all because they could be used to monitor users, or they might slow down Internet connections.
Fortunately for SMU, the decision was made to prioritize protecting student data and critical research by putting firewalls in place or by encrypting laptops. But this argument was part of what caused some schools to delay putting resources into cybersecurity for years. Fast forward to today, and the attitude has shifted completely. Today our board members and faculty leaders are focused on cybersecurity and, instead of looking at scaling back, they want to make sure we are doing everything possible to enhance protection and mitigate risk.
Inspire Trust
For years, we have all been saying that security is everyone’s job. Zero Trust forces you to put that culture in place, to get everyone involved in recognizing that he or she has a vested interest in securing a role in their community. How do you accomplish that?
In my view, it comes down to habits. When we have conversations and work with people, we try to understand what their bad habits are so we can fix them together. It’s important to get your community to rally around a common message of fixing those day-to-day bad habits that are creating more risk for the organization.
To break through the barriers of culture, get to know your community. People want to be secure, but you can’t lead and change the culture by instilling fear and telling them that the sky is falling all of the time. You can’t create a cybersecurity culture from behind your desk, you need to be out there building relationships. You have to develop and inspire trust in order to succeed with Zero Trust.
Managing Up and Around
Another critical component of building a Zero Trust culture is to manage up the organization. We have four or five vital partnerships on campus. We have a wonderful relationship with our CIO and often our biggest proponent is our CFO. The key for us has been to be totally transparent and honest.
With the CFO we needed to build credibility. We never used fear tactics. She knows when we ask for something it is 100% needed, that it has to happen, and it has to happen now. That’s a level of trust that is a foundation for a Zero Trust culture.
The same with our general counsel, working together on investigations, e-discovery, and compliance issues. Also, with our police department, enrollment services, and registrar. Ultimately you have conversations with everyone; not based on fear, but on how we can all work together to make everyone more secure.
Deploying Zero Trust Architecture
Conversations, community and culture are the starting point and an ongoing, continuous process. But there is also a critical technological aspect to Zero Trust that comes down to the architectural model you deploy for cybersecurity.
At SMU, we understood back in 2006 and 2007 that the threat landscape was changing, and that prepared us to be ready to adopt new ideas like Zero Trust. At the time, we made a presentation to the board to do hard drive laptop encryption. This was before any regulatory body told us we had to do this. Our board was incredibly supportive. We told them we can’t simply trust laptop devices; what happens if one of our users leaves the laptop in a taxi or coffee shop?
We did a couple of other things around the same time to build the eventual foundation for Zero Trust. We leveraged an open source network access control technology that started in our dorms and expanded to the rest of the campus. Every device had to go through a registration process. We made sure each device had antivirus protection, that patches were up to date. Nothing could get on the network until it met our requirements. That’s what Zero Trust is about; only allowing traffic on our networks when they have been identified, certified, authenticated, approved, and when that traffic has been inspected up through seven layers to make sure it is clean, and that its behavior is appropriate and within policy.
We also deployed a security event information management (SEIM) solution. People tend to forget that monitoring and visibility are essential aspects of Zero Trust. You need to do forensics, maintain an archive and make sure bad things aren’t happening. You need to be able to have instant response and also go back and do investigations and remediation.
Evolving Challenges
In higher education, one of our challenges is that we are not a simple, homogenous organization. We’re our own ISP, with about 11,000 customers, offering 100% outdoor and indoor wireless coverage for a square mile. At the same time, we’re a research organization that operates high-performance computing. We’re also a mid-size business with the same needs as any mid-size business. We are expanding our online courses, creating on-line master’s degrees, and taking on many challenges that come with digital transformation.
How do you secure all that when you have eight different IT departments, multiple help desks, various campuses, and seven different schools?
We changed our structure several years ago to adopt a shared services model. At one point we were siloed with about 60% in centralized IT and 40% local. Now we are 95% central. One hidden benefit of shared services is that it enabled us to coordinate and orchestrate cybersecurity more effectively and eliminated the finger-pointing that can often take place in distributed IT environments.
We’ve also developed a granular architecture in terms of securing all of our different areas. For example, we have separate networks for the Internet of Things, so devices like cameras, printers and HVAC are isolated.
A Philosophy of Ownership
Another step we took was to split out the security operations center (SOC) from the cybersecurity team to the infrastructure team. This helped to improve service levels, while forcing us to take a more team-based approach. Security is more embedded in every team. Our organizational structure now encourages a Zero Trust philosophy of ownership, and a habit of thinking about security first.
One more important point to understand: Zero Trust is not a one and done. Your network may be Zero Trust on Day One, but as soon as a computer needs to be patched, or a new identity created, you are no longer Zero Trust.
That’s why I think of Zero Trust more as a philosophy than as an architecture. You’re never done, and you always have to be reassessing. You have to do ongoing monitoring and analysis. You have to figure out what people are doing.
For example, back in the late 1990s and early 2000s, many universities used social security numbers as the student ID. Some of those are still sitting on computers somewhere, so you have to make sure that when you upgrade you are finding all the files that can impact privacy and security.
Shaping the Cybersecurity Future
We’ve come a long way since it was feasible that a leading academic institution would even consider allowing unfettered, unsecured access to the internet. Our world is more connected than ever, and people need to trust those connections are safe so they can go about their daily lives. Zero Trust is one of the critical steps in securing that trust.
Cybersecurity leaders must lead by having the right conversations in their organizations. We must leverage solutions that support Zero Trust, not just as an architecture but as a philosophy. We must convey the message that cybersecurity is everyone’s business.
Zero Trust is a means to an end. How we use it will go a long way in shaping the cybersecurity landscape of the future.
George Finney is the Chief Security Officer at Southern Methodist University.