Why Zero Trust Succeeds when Strategic Leadership is Present
Idenhaus attended the Cybersecurity and Privacy conference hosted by EDUCAUSE in Bellevue, Washington earlier this month. Focused on higher education, the conference facilitated sessions from university leaders and cybersecurity vendors across the country, sharing knowledge ranging from recent technology implementations and challenges in a post-pandemic world to innovations affecting the future of the education industry.
Albert Veysel Erdag, the University of Arkansas in Little Rock’s CISO, led a session on implementing Zero Trust, and how it requires technical, architectural, and cultural changes to be successful. He emphasized that, today, security leaders still need technical knowledge, but also must develop soft skills to be effective moving forward. What type of soft skills? Strategic leadership alignment, change management, and communication to name a few.
We’ve heard it before, and we’ll hear it again… Zero Trust. It’s the “hype” word in the industry, and many are asking… what does that even mean? Erdag started with a definition:
“Zero Trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege, per-request access decisions in information systems and services in the face of a network viewed as compromised. Whereas Zero Trust Architecture is an enterprise’s cybersecurity plan that utilizes Zero Trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a Zero Trust Enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a Zero Trust Architecture plan.”
So what are the obstacles for a security leader looking to create a Zero Trust Enterprise? Resistance to change within the organization, slowed business processes, and additional cost are the first that come to mind. This means Zero Trust is not a technology choice, but a strategic pivot in the organization’s culture and strategy. Here’s where those soft skills come into play.
Erdag emphasized, “Your ability to show strong leadership skills is vital to a successful implementation.” Specifically, strategic management and intentional leadership practices will be the most effective methods when designing and implementing a successful Zero Trust solution. Focus on a human-centered approach, leadership alignment, accountability, and communication to effectively manage the cultural change necessary for success.
Security leaders must strengthen their storytelling capabilities to gain influence. You might not need to buy new technology but simply use existing features and devices in a different way. Perhaps all you need to do is reconfigure what you already have. This is where a good strategy can make all the difference and potentially save your organization millions on the back end.
He compared Zero Trust to the aviation industry. There is an arrival area where, technically, anyone can show up in the airport with a boarding pass. However, to check a bag, you often need to show valid ID; and then to pass security, you must show a valid boarding pass with matching ID. Finally, to board the plane, your boarding pass is needed again. This security process is not reserved for passengers. Think about airline staff, restaurants and shops behind security, maintenance and cleaning crew. Each of these groups must pass through security each time they enter the airport. While the process itself might look different from the one passengers go through, even pilots are checked to enter the boarding area and the plane itself. Throughout the building, there are cameras and sensors. On the plane, there’s a flight marshal and a black box. The aviation industry is a great example of security measures that could be mimicked in an organization’s Zero Trust Architecture.
The questions to ask are:
- Would these security measures exist if it weren’t for the mandated top-down regulations in place? Probably not. Going through security slows us down, and very few “like” it. But it’s a necessary component to ensure the safety of all.
- Would it be possible to implement and maintain these security measures without the entire airport working together? Again, probably not. Each step of the security process is one small portion of the overall security program.
Here’s where a security leader’s ability to tell the greater story of why, align leadership for a top-down approach, and gain buy-in from all stakeholders matters. When crafting your strategy to become a Zero Trust Enterprise, you must also account for your organization’s culture. Teamwork makes the dreamwork. Yes, you as a security leader need to know the technology, but you also have to be an influential spearhead who can effectively lead change.
If you’re looking for a place to start, or need a refresh of your current security plans, then talk to Idenhaus. We’re the experts, here to help you stay on top of everything cybersecurity. Contact us today to get started with a new cybersecurity road.