
From “Department of NO” to “Department of KNOW”

How CISOs can enable business transformation with ZTNA

This post originally appeared on LinkedIn, September 10, 2020.

COVID-19 changed business operations for everyone. Employees shifted to a work-from-anywhere (WFA) model, and that strained legacy networking and security systems. CISOs assumed risks they would never have tolerated before. IT teams bolstered VPN capacity to support the new load, but with a troubling new risk: enabling remote access for all employees introduced new cyber attack vectors. 

At the same time, companies had to cope with the pandemic’s effect on the business’ bottom line—and that often meant repurposing IT budgets to revenue-generating initiatives. To regain their budgets, their influence, and their headcount, CISOs must change their mindset to focus on business needs. IT security can no longer be about controlling the network perimeter. It must shift to strategic planning that answers the question “How do I enable the business?”

To succeed in a COVID-19 world and beyond, IT must align enterprise security with company goals. IT must now consider the business’ core competencies, the business needs that drive its success, the business’ direction, and IT’s own governance and compliance responsibilities. (Pro tip: That last one shouldn’t include sustaining legacy networks.)
 

IT: Gatekeeper or guide?

IT security has traditionally enjoyed a less-than-favorable reputation as “The Department of No.” IT’s role in protecting the business meant it often had to get in the way: “No, you can’t adopt that cloud SaaS.” “No, you can’t move the database offsite.” “No, you can’t work remotely.” IT’s priority was to maintain the status quo. Anything that could rock the boat was out of scope, and they were often the gatekeepers for process deployment.

Why? IT typically gets little attention from employees... until those employees need something. Or a disaster occurs. Then IT gets everyone’s (not-always-welcome) attention. That’s a lot of pressure, and it provides at least some understandable rationale for IT’s traditionally conservative approach.

If the pandemic has shown us anything, it’s that IT can adapt quickly if they have to—especially when there is a clear need to move beyond the status quo. Legacy solutions (in this case, VPNs) weren’t equipped to handle a massive change in how employees did business. So new solutions were found and implemented—such as Zero Trust Network Access (ZTNA). 

In responding to a crisis as dramatic as the recent pandemic, IT had to focus on enabling business objectives. They needed to be guides that led the company to a better solution. That required assessing change by asking new questions:

  • Does a solution incur (or perpetuate) technical debt? Technical solutions often get implemented to answer an immediate need and employ the quickest methods to achieve that goal—perhaps building on legacy infrastructure because it’s “easy.” But does this convenient solution create bigger problems by limiting future growth, scalability, or flexibility?
     
  • How long until the solution produces value? Often, integrating new solutions with legacy systems can add complexity and result in long waits for ROI (if it even arrives). Does that delayed value still outweigh the costs associated with scrapping legacy dependencies?
     
  • How long until the solution improves productivity? Bolting new systems on top of old ones often results in a Rube-Goldberg contraption of login, access, and security protocols. What is the time frame for getting users up and running on complex processes?
     

The new CISO mission: Enable business growth

Change is hard, and enterprise CISOs must work with CIOs to lead the charge. It can be difficult to even know where to start. How do you redesign legacy systems that have powered a company for years, if not decades?  

One path forward is cloud-delivered ZTNA—offering CISOs a manageable (and navigable) path to digital transformation. ZTNA is a connectivity architecture that changes the nature of application access by removing the requirement for a “trusted network.” Users gain access to applications based on defined policies that consider user identity and context. Everyone is challenged and only allowed access to what they need, for true least-privilege access. This offers previously unimaginable levels of visibility and control.

ZTNA provides CISOs and CIOs with a platform to enable enterprise growth. A colleague of mine, the CISO for a Fortune 500 company, led his enterprise’s transition from legacy castle-and-moat security to ZTNA. In his words, ZTNA allowed his security teams to go from “the department of no” to “the department of know.” Rather than being the group that traditionally says, “You can’t do that, it’s not secure,” his IT department can now say, “We can do that, and with the information we’ve gained, we can also enable these other things as well!”

My CISO colleague had been tasked with finding a better approach to remote access as the company expanded their mobile workforce and adopted a “cloud-first” strategy—legacy remote access systems were too rigid and slow to handle the change. His cloud-first ZTNA approach enabled his company to become more agile and more flexible.

Convincing company execs to invest in ZTNA was challenging. But the CISO emphasized three value propositions to evangelize ZTNA internally:

  • Better security, performance, management, cost-efficiency: The company’s old VPNs routed traffic indirectly—incurring latency, complicating administration, increasing MPLS costs, and (greatly) extending attack surface. ZTNA connects a user directly to a target resource, rather than the network, reducing attack surface and optimizing routing.
     
  • Deployment speed: VPNs cannot be set up quickly. VPN deployment requires extensive capacity planning, making them a difficult option for enabling a quick pivot to remote access. By contrast, cloud-based ZTNA is designed to scale. Deployment is quick: install a simple agent on the user’s access device, place connectors in the application environments, and integrate user context from an IAM system to inform granular access policies.
     
  • Traffic visibility: Cloud-delivered ZTNA offers comprehensive, central administration and provides IT leaders with complete visibility into user activity. 

My CISO colleague leveraged the Zscaler Zero Trust Exchange to roll out a ZTNA solution to department heads, as part of a pilot program. He was soon inundated with requests to make it available to the whole company. His immediate challenge became processing paperwork fast enough to accommodate demand! 

Their security is now invisible to users. Users connect directly to whatever authorized assets and applications they need to be productive, without having to first get access to a network. For my CISO colleague and his company, ZTNA has also greatly improved user experience compared to their legacy VPN: ZTNA is faster, easier to use, and increases performance, no matter whether the resource is in the datacenter or the cloud.
 

Transformation enables business value

As recent events have shown, IT teams must adapt legacy environments to changing needs. Cloud-first digital strategies drive corresponding security transformation, since network-centric systems often can’t accommodate the change gracefully or cost-effectively. ZTNA can enhance business growth by providing secure, seamless user access to authorized applications across any environment, any location, any device—enabling new workflows and accelerating digital transformation.

A cloud-enabled ZTNA approach minimizes the risk of adopting digital transformation strategies and keeps access options viable even as security budgets shrink and corporate budgets tighten. By eliminating the need to expand expensive security stacks and costly MPLS backhaul, ZTNA allows companies to take advantage of new technology and remain agile in order to scale for the future. And by providing comprehensive visibility and flexible, secure application access, ZTNA allows IT security to empower, rather than impede, business transformation.
 


Lisa Lorenzin is the Director of Transformation Strategy at Zscaler
