History is littered with examples of unsuccessful “solve-all” cybersecurity solutions, recently including various Advanced Threat Protection technologies that promised to “catch all the bad guys” from China, Russia, and Ukraine. However, after two years of significant spending on detect-and-respond tools, the end results were limited adoption, increased complexity and little impact on the rate of cyberattacks, which instead grew in both number and severity during the Covid-19 pandemic.
This means public and private sector security leaders will need to cut through the hype and set realistic expectations for zero trust: The executive order is just the beginning of a cybersecurity journey that will demand years of continuous, iterative change. Moreover, while the order isn’t targeting the private sector, transformative initiatives of this nature will inevitably spur changes that extend beyond the government, impacting security vendors and enterprises.
If your business hasn’t already started to apply zero trust principles, this is a good time to understand the issues you’ll likely face in adopting the approach widely. Some companies — particularly smaller organizations — don’t have the engineering resources to re-architect their networks around zero trust, or the budget to do so across their entire ecosystem. In addition, early adopters have learned that as a zero trust deployment scales, the number and granularity of access policies grows with it, and those policies become difficult to manage and maintain. Consequently, many security leaders haven’t found a clear path forward for zero trust and are burning dollars and time trying to figure it out.
Because zero trust’s verification and access standards are inherently restrictive, security leaders should proceed with caution before committing to a wide deployment. Beyond risking additional friction with employees and existing customers, zero trust may introduce yet another layer of network technology that demands additional management and creates more complex policies while adding little actual security value.
A pragmatic approach to zero trust starts with full visibility of the attack surface
Security leaders should first identify which elements in their networks actually require zero trust protection, which minimizes deployment issues. In zero trust terms, this step is known as “identifying the protect surface”: the small set of critical data, applications, assets and services that must be defended, as distinct from the much larger attack surface an adversary can reach. It’s helpful to visualize this as a building with multiple doors, hallways and valuable items inside, each potentially guarded by a separate identity-verifying security lock. Practically speaking, what needs to be individually locked down with this level of security? What doesn’t?
Most organizations won’t need to lock down every element across an entire network, but rather only their most critical assets, data and applications. The next step will be designing a zero trust architecture with comprehensive visibility and understanding of the existing network topology; this will help determine the necessary configurations and policies to facilitate an effective zero trust framework.
Even though zero trust isn’t a silver bullet, organizations should use this moment of increased public interest as an opportunity to mature their network security management capabilities. Given the gravity of today’s cybersecurity threats, security leaders should be laser-focused on adopting more proactive, scalable and systematic measures without adding more network or process complexity. A smart solution will be capable of spanning hybrid and multi-cloud environments while increasing security teams’ efficiency for threat prioritization and remediation.
While zero trust has some merits and may, over time, help both the public and private sectors transform their security, it’s unwise to rely heavily on, or invest heavily in, cybersecurity solutions that have not yet proven themselves at scale. At this critical moment in history, organizations must use their limited resources to zero in on what actually matters: using advanced tools to proactively prevent the next wave of cyberattacks from doing more damage than the last.
Originally published in the Forbes Tech Council