Recently, at an event with a bunch of other CISOs, the topic of zero trust arose as it always does, but the primary questions I heard asked around the room focused on technology: “What do you use for your VPN?” “What type of internet filtering?” “Do you microsegment your network?” In my mind, though, these are not the questions we should be asking. There are much bigger questions to ask first.
We all know that the legacy “castle-and-moat” security architecture is history. If you have a hybrid environment, both on-prem and in the cloud, you need modern technology. The network perimeter is rapidly vanishing; users are everywhere, and your apps, data, and workloads no longer reside only in the data center. So, you need to be moving toward a zero trust ecosystem, something most companies are already doing to some degree, whether they realize it or not. After discussing these few key points, most CISOs acknowledged they were already on the zero trust journey but were missing a key element.
That missing element, the one essential to transitioning fully to zero trust, is a clear strategy. Strategy should drive technology, not the other way around.
Get help to build and justify your zero trust strategy and investment
Keep it simple! The more complex you go, the less buy-in you will see. At NOV, we decided to base our strategy on the zero trust security model. The framework establishes security competencies across seven key areas: data, networks, people, workloads, devices, visibility and analytics, and automation and orchestration. Every large organization needs its own tailored zero trust strategy, based on its own business ecosystem, transaction and data flows, and so on.
A more granular look at the zero trust security model helped us determine which capabilities we were lacking in each area and ways to fill those gaps so that we could build an NOV-specific zero trust strategy. And, equally important, it helped us to justify investments in zero trust internally.
Think outside the box
Why? Implementing security controls at a large global enterprise is a monumental task, to say the least. This is why all CISOs have a cyber risk register: not all controls will be implemented as advertised. Don’t get me wrong, security controls are necessary and vital; we just need to pivot to keep up with the hybrid world. I recommend aligning to the NIST Cybersecurity Framework, but also managing your controls using an Information Security Management System (ISMS) and making zero trust your “North Star.”
In his book Think Again: The Power of Knowing What You Don’t Know, Adam Grant states, “Thinking like a scientist involves more than just reacting with an open mind. It means being actively open-minded.” Therefore, your zero trust strategy should be simple and fluid: a living document. You will run into legacy-minded thinking, but don’t let that stop you. Show them how to “think like a scientist.” Simply put, no matter what they tell you, no single technology or vendor is going to address all aspects of zero trust.
Regarding your technology stack, I urge you to examine your current capabilities for each of the seven competency areas. If your systems provide those required capabilities, great. But, if not, it’s time for out-of-the-box thinking. To help get you started, I recommend reading Adam Grant’s book.
The right questions to ask
So, instead of asking for technology recommendations, we CISOs should first be asking longer-term strategy questions, of ourselves and others. Questions like: “What is your zero trust strategy?” “How did you develop it?” “What are your goals?”
Focus your efforts on nailing down and clearly articulating your strategy. Doing so will help highlight the technologies and solutions that fit your needs today and in the future. Having a strategy will narrow your technology search significantly and help you justify the technology your organization needs to succeed on its zero trust journey. Ultimately, you will see that your zero trust journey is an easier path to risk reduction.
In the spirit of sharing, I hope to soon publish the steps we took on our strategy. In the meantime, feel free to reach out to me on LinkedIn. I look forward to hearing about your journey into zero trust.
To learn more about NOV’s own zero trust journey, you can also read the case study about how Zscaler is helping us to meet our business goals and why Zscaler is one of the critical vendors in our zero trust strategy.