“A cybersecurity expert was asked by a CEO how many security people to hire to protect the company. The expert asked, ‘how many employees do you have?’ The CEO answered, ‘we employ 10,000 people.’ The expert replied, ‘then you need to hire 10,000 cybersecurity people. One to stand behind each employee and tell the employee whether it is safe to click on something or not.”
While I don’t know the source for the pearl of wisdom above, it’s been circulating for a long time and sets the stage for what I’m about to say.
Let’s get real about cybersecurity
We live in a society where cybersecurity, like IT, is an ongoing cost to be managed. We need better solutions today, not a year from now. And we solve problems like this by applying automation and technology at scale instead of hiring one security expert to stand behind each employee. So...what can you do?
About that August meeting at the White House
On August 25, 2021, United States President Joe Biden met with executives from technology companies, financial institutions, academia, and others. The attendee list at the White House gathering included the CEOs of Alphabet, Amazon, Apple, IBM, and Microsoft and the heads of major financial institutions including JP Morgan Chase, Bank of America, TIAA, and U.S. Bancorp. Notably, no critical infrastructure representation was present.
The White House took the approach of “ask instead of mandate,” reflecting the belief that the American private sector has more authority and influence than the Federal Government to drive change. This is in keeping with the National Security Memorandum issued on July 28, 2021, that listed voluntary cybersecurity goals that clearly set out White House expectations for owners and operators of critical infrastructure and what they should do to protect their sensitive data and address data breaches and ransomware attacks.
After the meeting, Amazon, Google, IBM, and Microsoft announced new initiatives to strengthen cybersecurity and help close the skills gap.
Haven’t we heard this before?
Yes, we have. Calls to strengthen cybersecurity in the public and private sectors are not new. Nor is the call to train many more people for roles in cybersecurity. While calling for action is great (and we collectively need to act) how many times do we need to hear the call before we really act?
It’s not the size of the budget, it’s what you do with it
Perhaps the most important thing the Biden administration did for cybersecurity happened on May 12, 2021, when the President issued the Executive Order (EO) on Improving the Nation’s Cybersecurity (14028). Section 3 of that order (Modernizing Federal Government Cybersecurity) states, “The Federal Government must adopt security best practices; advance toward Zero Trust Architecture” and within 60 days of the date of the order, the head of each agency shall develop a plan to implement zero trust architecture.
The solution is zero trust – but what does that mean?
Yes, zero trust is the solution. The trouble is that when you start to read about it, you run into an alphabet soup of concepts: network security, network perimeter, security strategy, security posture, user access, user identity, user credentials, authentication, access control, access management, multi-factor authentication, least-privileged access, granular access, limiting permissions, network segmentation, micro-segmentation, security model, smart firewalls, no firewalls, endpoint security, app security, with/without VPN, limiting lateral movement, and on, and on, and on (seriously, this is a shortened list). And while you can drill down into detailed (and sometimes confusing) explanations, zero trust comes down to a few basic ideas:
- Assume that a breach of your systems is inevitable (or has already occurred)
- Constantly limit access to only what a user (or an application) needs to do their job
- Look constantly for anomalous and/or malicious activity everywhere
Another way to think about the zero trust approach is to think of every packet of information flowing in your system having its own “cybersecurity guard” standing behind it. That guard verifies the packet upon entry into your system and escorts the packet from source to destination, without allowing anyone else to see or touch the packet, and not allowing that packet to make any unexpected side trips. Inspecting and tracking each data packet in a zero trust network is far more scalable (and far more cost-effective) than hiring a security expert to look over the shoulder of every employee and watch for vulnerabilities.
Stephen Kovac, the Vice President of Global Government and Head of Corporate Compliance of Zscaler, advocates for a FedRAMP-authorized zero trust security model, and in combination with the updated TIC 3.0 guidance and a Secure Access Service Edge (SASE), asserts that agencies can focus on a single initiative – cloud security adoption and digital transformation and learn from one another on the journey.
One additional piece of that journey is the critical infrastructure itself. At the core of it is operational technology (OT), and, increasingly, the industrial internet of things (IIoT), which are the brains behind our nation’s grids, nuclear reactors, and fuel pipelines. The convergence of these systems with IT brings efficiency and intelligence, but also expands the attack surface. Zero trust solutions need to cover this exponentially expanded digital realm where automation reigns and human users are typically left out of the data stream.
To dive deeper into zero trust, the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model assists agencies as they implement zero trust architectures and build out their zero trust roadmap. The document defines the foundation and pillars of zero trust. Another good source of information on zero trust principles is NIST. At Zscaler, we’ve been living the Zero Trust life for over 10 years.
Figure 1: CISA’s Zero Trust Maturity Model is built on a framework inspired by The American Council for Technology (ACT) and Industry Advisory Council (IAC) “Zero Trust Cybersecurity Current Trends,” 2019.
Zscaler makes zero trust easy to understand and easy to deploy. We’re ready to help you apply zero trust strategy to your security architecture and then help you build and deploy a zero trust environment.
And did I mention that zero trust, compared to legacy approaches, often boosts your user experience and lowers your cybersecurity TCO? Did that get your attention?
What to read next
The Colonial Pipeline Cyberattack and The Executive Order: A CISO’s Perspective
Ransomware, Critical Infrastructure, Executive Orders, Oh My… (podcast)