
How to win at cyber by influencing people

Greg Simpson

CTO

Synchrony

Sep 24, 2024

Many of the challenges associated with a large initiative like zero trust are not technical issues, but rather relate to driving change. What follows are some of my top tips for ensuring you win at cyber by influencing key stakeholders.

Editor’s note: A version of the following article originally appeared on Dark Reading.

Knowing you would like to implement zero trust and implementing it are two different things. That’s at least in part because zero trust is not a single solution one can install and walk away from. Rather, it is an approach to IT and security that emphasizes validating every connection, whether it is user to app, app to app, or process to process. Zscaler does this by obscuring the attack surface, preventing lateral movement, and evaluating access to resources on a per-request basis.

In short, never trust, always verify. 

Many of the challenges associated with a large initiative like zero trust are not technical issues, but rather relate to driving change. There are significant interpersonal and organizational components to adopting this approach that must be carefully considered. Over the course of my career, most recently as CTO for GE and Synchrony Financial, I had the opportunity to work on many “big word projects” ranging from AI to cloud and, of course, zero trust. What follows are some of my top tips for ensuring you win at cyber by influencing key stakeholders within your organization.

How to win at cyber in five easy steps

1. Organizational Partnership

Zero trust is a team sport. Successfully executing a zero trust transformation requires understanding all the personas involved and aligning on intended outcomes. 

  • The CTO is focused on the infrastructure: design, maintenance, configuration, execution, and technology strategy.
  • The CISO knows and owns the security strategy, security execution, and monitoring.
  • The CIO is focused on the technologies and applications of the organization, overseeing the people and process aspects of transformation and day-to-day operations.
  • The risk leader confirms that the technology group is covering all the risks to the organization and the end consumer.

Bringing the CTO and CISO together on a common goal of zero trust, and then inviting the risk leader along on the journey, is a huge step toward success. Establishing a regular cadence between these leaders and the CIO brings it all together. These roles might be slightly different in your organization, but understanding each stakeholder’s role and connecting them before the project begins is key.

2. Communication and Board Level Metrics

Once key leaders are aligned behind your zero trust initiative, you need the backing of your board. This won’t be accomplished by lengthy, wonky discussions of the underlying technology you hope to implement. Instead, boards want to understand your organization’s risk exposure, and how you intend to manage it. 

The ability to demonstrate a comprehensive risk score is a powerful asset for establishing a baseline and reporting on progress over the course of what is likely to be a multi-step, multi-pronged zero trust deployment journey. Once you’ve established this score, continue to revisit it along each phase of your initiative to demonstrate maturity backed by real-world data from your environment.

Risk360 dashboard view slide

3. Phased Deployment Plan

At Zscaler, we like to say the elephant of zero trust is best eaten one bite at a time. It’s no accident we speak about zero trust as a journey, one that rarely unfolds along a straight line. Transformation initiatives often begin in response to a stimulus – implementing a VPN replacement or incorporating a new acquisition into existing IT systems, for example – and then mature over time.

One thing is critical, though: developing a plan that incorporates individual use cases into an overarching strategy for deployment. The sample plan I’ve created below almost certainly won’t map perfectly to your organization’s needs, but it is an example of a phased deployment that takes care to avoid the feeling of needing to “accomplish” zero trust overnight.

Phased zero trust deployment slide

4. Pragmatic Technical Deliverables

Throughout my career I have encountered a number of CXOs with impeccable strategic instincts who nevertheless struggle to translate them into pragmatic deliverables. When we’re dealing with complex, sometimes nebulous concepts like AI, the cloud, or zero trust, it’s easy to get lost in the weeds. 

It’s critical that tactical actions like a VPN replacement are framed in terms of the business problems they solve. I return to the VPN example because it is a perfect illustration of enhancing security and the user experience, making it a model IT solution for a business issue. Users become more productive and benefit from a smoother experience, the opportunity for lateral movement is reduced, and cost savings are likely to accrue.

5. Fix the basics

It may sound simple, but it’s a critical point that I have often seen overlooked. You must tackle the low-hanging fruit, or threat actors will do it for you. So, what are the basics? Phishing not only remains the number one threat vector facing most organizations; it is also only solvable by creating a culture of security within your organization. I don’t mean in terms of high-tech solutions, but by fostering basic cybersecurity literacy organization-wide. With the advent of AI-assisted pretext creation, this will only become more critical in the near future.

Zero trust is a mature approach that will uplevel your organization’s security. If you haven’t yet started out or if you are simply looking for a more complete implementation, I hope you find this advice useful. If you are interested in learning more, I encourage you to watch my complete presentation below.
