How to Win at Cyber by Influencing People

COMMENTARY

Knowing you would like to implement zero trust and actually implementing it are two different things. That's at least in part because zero trust is not a single solution one can install and walk away from. Rather, it's an approach to IT and security that emphasizes validating every connection, whether it's user to app, app to app, or process to process. The advantages are clear though: a reduced attack surface; lateral movement across a network by attackers is prevented; and each and every access to any corporate resource is granted on a per-request basis.

In short: Never trust, always verify.  

Many of the challenges associated with a large initiative like zero trust are not technical issues, but rather relate to driving change. There are significant interpersonal and organizational components to adopting this approach that must be carefully considered. Over the course of my career — most recently as chief technical officer (CTO) for GE and Synchrony Financial — I had the opportunity to work on many "big word projects," including AI, cloud, and of course, zero trust. What follows are some of my top tips for ensuring you win at cyber by influencing key stakeholders within your organization.  

How to Win at Cyber in Five Easy Steps

1. Organizational Partnership 

Zero trust is a team sport. Successfully executing a zero-trust transformation requires understanding all the personas involved and aligning on intended outcomes.  

Bringing the CTO and CISO together on a common goal of zero trust and then inviting the risk leader along on the journey is a huge step in your success. Establishing a rhythm of these leaders with the CIO brings it all together. These roles might be slightly different in your organization, but understanding each stakeholder's role and connecting them before the project begins is key. 

2. Communication and Board-Level Metrics 

Once key leaders are aligned behind your zero-trust initiative, you need the backing of your board. This won't be accomplished by lengthy, wonky discussions of the underlying technology you hope to implement. Instead, boards want to understand your organization's risk exposure, and how you intend to manage it.  

The ability to demonstrate a comprehensive risk score is a powerful asset for establishing a baseline and reporting on progress over the course of what is likely to be a multistep, multipronged zero-trust deployment journey. Once you've established this score, continue to revisit it along each phase of your initiative to demonstrate maturity backed by real-world data from your environment. 

3. Phased Deployment Plan 

It's no accident we speak about zero trust as a journey, one that rarely unfolds along a straight line. Transformation initiatives often begin in response to a stimulus — implementing a VPN replacement or incorporating a new acquisition into existing IT systems, for example — and then maturing over time.  

One thing is critical, though: Develop a plan that incorporates individual use cases into an overarching strategy for deployment. A phased deployment allows stakeholders to avoid the feeling of needing to "accomplish" zero trust overnight. The first project will doubtless be the most difficult; it gets easier from there. 

4. Pragmatic Technical Deliverables 

Throughout my career I have encountered a number of CIOs with impeccable strategic instincts who nevertheless struggle to translate them into pragmatic deliverables. When we're dealing with complex, sometimes nebulous concepts like AI, the cloud, or zero trust, it's easy to get lost in the weeds.  

It's critical that tactical actions like a VPN replacement are framed in terms of the business problems they solve. I return to the VPN example because it is a perfect illustration of enhancing security and the user experience, making it a model IT solution for a business issue. Users become more productive and benefit from a smoother experience, the opportunity for lateral movement is reduced, and cost savings are likely to accrue. 

5. Fix the Basics 

It may sound simple, but it's a critical point that I have often seen overlooked. Tackle the low-hanging fruit, or threat actors will do it for you. So, what are the basics? Phishing not only remains the number one threat vector facing most organizations, it's also only solvable by creating a culture of security within your organization. I don't mean in terms of high-tech solutions, but by fostering basic cybersecurity literacy organization wide. With the advent of AI-assisted pretext creation, this will only become more critical in the near future.  

Zero trust is a mature approach that will up-level your organization's security. If you haven't yet started out or if you are simply looking for a more complete implementation, I hope you find this advice useful. 

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!