Heading into 2024, the conversation is no longer about what the Zero Trust model is, or whether it’s necessary. Zero Trust has already been codified by the President’s NSTAC Subcommittee on Zero Trust, where I was a member, a briefer, and one of the authors of the NSTAC Zero Trust Report to the President. The document is authoritative, meaning the conversation can now shift towards adoption.
Zero Trust inhibitors
The number one inhibitor of Zero Trust adoption is that it’s easier to do nothing. If an organization doesn’t have the correct incentives in place, people won’t act due to fear or due to the challenging nature of driving organization-wide changes. Leading through change is difficult when there is no blueprint to follow.
People are fearful of being blamed, and that fear often slows necessary progress. A client told me a couple of weeks ago that one “oopsie” destroys a thousand “atta boys.” If there's a chance an individual’s proposed change will cause a negative outcome, they'll hesitate to act out of fear of getting in trouble.
This way of thinking leads people to assume that it’s better to do nothing—even when doing nothing leads to a devastating outcome. In the world of cybersecurity, doing nothing out of pure laziness or fear is itself a decision. It’s not really “doing nothing.”
The recent 23andMe data breach illustrates why strong security practices are needed for all data. Enabling two-factor authentication reduces the risk of getting hacked by 99%. It was only after the incident that the company required their customers to enable 2FA. Proper security measures in place beforehand might have prevented this kind of cybersecurity attack.
The lesson from this is that all good security has to be properly incentivized from the top down through policy and leadership. Otherwise, organizations are less likely to act until they’ve personally been the victim of a data breach.
Top-down implementation
Incentives need to be put in place from the top down, which is what President Biden's executive order and the OMB guidelines have done for the US federal government. Among governments, the US is incentivizing and building more robust security practices around a Zero Trust strategy better than anyone else in the world.
By the end of Fiscal Year 2024, US governmental agencies are expected to:
- Establish and implement a Zero Trust architecture
- Adopt multi-factor authentication (MFA) for all users and devices
- Segment networks and applications
- Enhance data protection and encryption
- Improve threat visibility and response capabilities
These actions will strengthen the government’s defenses against more advanced and persistent threat campaigns. The measures should also work in a trickle-down effect, encouraging organizations to adopt similar standards.
We’re in the midst of a global movement. When governments take action, organizations follow. Due to the change in incentives around adoption, we’re seeing organizations build more and more Zero Trust environments. Gartner predicts that by 2025, 60% of organizations will embrace Zero Trust as a starting point for security.
Global players
On a global scale, everybody takes the lead from what the US does in a cybersecurity context. The US federal government is the world’s largest buyer of cybersecurity technologies and the world’s largest employer of cybersecurity personnel.
Several other governments worldwide have implemented, or are considering implementing, Zero Trust mandates for their respective organizations.
The European Union’s NIS2 directive emphasizes adopting Zero Trust principles to protect critical infrastructure and data. Australia has also stated its aim to develop a whole-of-government Zero Trust culture in its latest cybersecurity strategy.
The Netherlands is another big advocate of Zero Trust. One of the reasons they’ve been an early adopter is the similarity between Zero Trust and their dike systems. A dike is designed to protect a piece of land. From their perspective it aligns with the five-step model: you first figure out what you need to protect, understand how the river flows, build dikes around the protect surface, implement policy that allows the right water flow, and lastly continue to monitor it.
During the first speech I gave in the Netherlands, I used the example of the story, The Little Dutch Boy. It’s a tale about paying attention to small problems. A young boy notices a leak and plugs the hole with his finger to stop it. Another leak springs up and he continues to plug the leaks until he runs out of fingers. After I told that story, people came up to me and told me that it was a ridiculous story because the Dutch would fix the problem immediately. In this sense, their way of thinking aligns perfectly with the Zero Trust model.
Even governments and cultures that don’t inherently subscribe to this way of thinking find Zero Trust easy to adopt because it’s incremental. I’ve laid out a five-step model on how to do it. It’s an extremely approachable model that’s very hard to get wrong.
Adopting Zero Trust
Zero Trust was designed to be simple and easy for anyone with basic networking and cybersecurity skills. There's no new skill set needed, though the Cloud Security Alliance offers a Certificate of Competence in Zero Trust to meet the rising interest in Zero Trust.
The biggest problem I anticipate regarding Zero Trust adoption is organizations trying to do it too quickly. This model is meant to be followed incrementally, as laid out in section 2.1.1 of the NSTAC Report. Everybody in the US federal government is mandated to have a list of high-value assets. If you don’t know what you need to protect, you cannot effectively safeguard it.
Too often, organizations make uninformed decisions when investing in security technologies. They lack an understanding of what their crown jewels are, and hope that throwing money at the problem will simply make it go away.
This is why step one of the Zero Trust model lists the most relevant protect surfaces and step two maps transaction flows. These two parts of the process are highly intertwined and together give complete visibility into an organization’s critical assets and how they interact. Organizations should rank their relevant protect surfaces and go from there.
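To make steps one and two concrete, here is an added example (my illustration for this post, not code from the NSTAC report or any product) that represents protect surfaces and observed transaction flows as data, ranks the protect surfaces by criticality, maps each flow to the surface it touches, and then uses the mapped flows as the only allowed traffic into each surface. Every name, asset and flow below is constructed for illustration, and the criticality scores are assumed, not taken from any real inventory.

```python
"""Steps one and two of the five-step model as data, plus a default-deny check.

Constructed example: the protect surfaces, assets and flows below are invented
for illustration and do not describe any real environment.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class ProtectSurface:
    """Step one: something worth protecting and the assets that make it up."""
    name: str
    criticality: int            # assumed scale: 1 (low) .. 5 (crown jewels)
    assets: FrozenSet[str]


@dataclass(frozen=True)
class Flow:
    """Step two: one observed transaction, identified by its four fields."""
    source: str
    destination: str
    port: int
    protocol: str = "tcp"


# Constructed inventory (step one). Criticality decides what to tackle first.
SURFACES: List[ProtectSurface] = [
    ProtectSurface("Public marketing site", 2, frozenset({"www"})),
    ProtectSurface("Customer genomic records", 5, frozenset({"db-genomics"})),
    ProtectSurface("HR payroll", 4, frozenset({"hr-app", "hr-db"})),
]

# Constructed flow observations (step two), e.g. from NetFlow or a proxy log.
OBSERVED_FLOWS: List[Flow] = [
    Flow("web-tier", "db-genomics", 5432),
    Flow("hr-app", "hr-db", 5432),
    Flow("internet", "www", 443),
    Flow("laptop-17", "printer-3", 9100),   # touches nothing inventoried
]


def rank_protect_surfaces(surfaces: List[ProtectSurface]) -> List[str]:
    """Highest criticality first; ties broken by name for a stable order."""
    return [s.name for s in sorted(surfaces, key=lambda s: (-s.criticality, s.name))]


def _asset_owner(surfaces: List[ProtectSurface]) -> Dict[str, str]:
    """Reverse index: asset -> the protect surface it belongs to."""
    return {asset: s.name for s in surfaces for asset in s.assets}


def map_flows(observed: List[Flow], surfaces: List[ProtectSurface]
              ) -> Tuple[Dict[str, FrozenSet[Flow]], List[Flow]]:
    """Attach each observed flow to the protect surface of its destination.

    Flows whose destination is not in any protect surface are returned
    separately: they point at assets the inventory does not yet know about.
    """
    owner_of = _asset_owner(surfaces)
    mapped: Dict[str, set] = {}
    unmapped: List[Flow] = []
    for flow in observed:
        owner = owner_of.get(flow.destination)
        if owner is None:
            unmapped.append(flow)
        else:
            mapped.setdefault(owner, set()).add(flow)
    return {name: frozenset(flows) for name, flows in mapped.items()}, unmapped


def evaluate(flow: Flow, allow_list: Dict[str, FrozenSet[Flow]],
             surfaces: List[ProtectSurface]) -> Tuple[str, str]:
    """Default-deny: only a flow that was mapped into a protect surface passes."""
    owner = _asset_owner(surfaces).get(flow.destination)
    if owner is None:
        return ("deny", "destination is not in any protect surface; inventory it first")
    if flow in allow_list.get(owner, frozenset()):
        return ("allow", owner)
    return ("deny", f"no mapped transaction flow into '{owner}'")


if __name__ == "__main__":
    print("Work order:", rank_protect_surfaces(SURFACES))
    allowed, unknown = map_flows(OBSERVED_FLOWS, SURFACES)
    print("Flows touching uninventoried assets:", unknown)
    for candidate in (Flow("web-tier", "db-genomics", 5432),
                      Flow("laptop-42", "db-genomics", 5432)):
        print(candidate, "->", evaluate(candidate, allowed, SURFACES))
```

The point of the unmapped list is the one the section makes: a flow into an asset that belongs to no protect surface cannot be protected or even judged, so the inventory has to be completed before policy is written. The same structure carries into step three onward, where the allow list becomes segmentation rules and the `deny` outcomes become what you monitor.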
Security platforms such as Cerby work to protect nonstandard apps with a Zero Trust mindset. This approach, combined with the simplicity of the Zero Trust model, makes it accessible for organizations to strengthen their cybersecurity posture.
Moving towards the same North Star
Because of the highly interconnected nature of the world, every country has the opportunity to strongly influence its own population and its own organizations. Therefore, each organization must take the first step. It doesn’t really matter what that step is; just begin somewhere. The cybersecurity realm is a bit like a middle school dance in that way. Everybody is lined up against the wall; things look pretty bleak until, finally, somebody has enough guts to get up and dance. By the end, everybody is dancing.
The US has already started to dance. Every government agency has a Zero Trust management office, and they’re all generally implementing Zero Trust strategies based on their ability to dedicate resources.
Now, the biggest thing happening in the Zero Trust ecosystem is that everybody is moving in the same direction. Some are going at a slower pace, but the important thing is that it’s in the same direction. I’ve had people ask me, “Aren’t you frustrated with the state of things?” And I’m not, because we’ve all essentially got the same North Star, which is a hugely productive accomplishment.
Momentum is a property of physics, and a body in motion tends to stay in motion. The hard part was getting everything moving. Some days, I felt like I was pushing the rock up the hill, and it would come back every day, and I’d have to push it up again. We’ve gotten almost to the pinnacle of the hill, and now the rock is slowly starting to roll down and gain momentum. I don’t think the Zero Trust momentum is going to stop.