ZTNA DNA: Building a Zero Trust Culture that Enables Secure Modernisation

In the modern security landscape, no single solution can rival zero trust for relevance or proliferation across industry leading enterprises. Much, however, is still misunderstood about how to reach maturity in a zero trust framework, and why creating an enabling culture is the only way to do so.

To contextualise the way zero trust has been propelled into the mainstream consciousness, as much as a cybersecurity framework can be, in May of 2021, the President of the United States, Joe Biden, issued a mandate dictating that all federal agencies, such as the FBI, would have to align with Zero Trust architecture.

For the country that averaged both the highest cost per cyber-attack ($17.36 million), and the highest percentage of cyber-espionage incidents (54% of global cyber-espionage incidents), the quality of their cybersecurity framework was almost certainly a top priority.
The affect that had was to further legitimise what those in the cybersecurity industry already knew – zero trust is here to stay. And when something has cemented itself into the fabric of modern working models, the modern employee is going to have a large part to play in its overall success. To do that, culture will play pivotal role…

Zero Magic Bullets

One thing any organisation must know from the outset is that zero trust will not address all your vulnerabilities overnight. It’s not a plug and play solution, it’s a framework that requires concerted effort and only remains successful over time with deliberate and continuous learning. Bob Kalka, VP of Technical Sales at IBM Security, even goes as far as to exclude a philosophical view from his breakdown of ZTNA and Cybersecurity because it varies so much based on preferences, objectives, and unique requirements that it’s not possible to espouse a one-size-fits-all approach. What he does mention, along with various other voices on the topic, is that the human aspect of zero trust is critical to making a success of your modernised security strategy.

For Zero Trust to truly work, a cultural shift needs to occur as much as a technological shift… [It] should not be about distrusting employees – it is about empowering them.

David Gochenaur,
Senior Director of Cyber Security at Ensono

Zero Progress Without People

While zero trust is the de facto security solution for most leading businesses, it’s not because achieving heightened security in this framework is easy; it’s because once you’ve undergone the necessary changes, it’s effective. The most demanding, only due to variability, is creating a zero-trust culture within your workforce.

Staff awareness is paramount, because teams that aren’t aware of the aims of a framework won’t be prepared to be productive within it. Least privileged access, for example, is useful and effective as a building block of zero trust, but it requires buy-in just like all user-centric facets of the framework.

Achieving the requisite level of awareness requires some cultural nous. Different teams, and the people within those teams, have different preferences when it comes to learning. With zero trust, pragmatism is necessary when delivering outcomes. It’s not worth your time developing a single method for educating an entire company if that single method is only effective for 65% of those taking it in. For the team at Ada Health, a focused over-communication approach addressed the human variability factor in their efforts as much as possible, delivering zero trust education via Slack groups, emails, and virtual learning sessions.

This awareness also has a profound impact on productivity. Aligning the workforce to a zero trust security framework by espousing the benefits of doing so creates a communal pull in the same direction. Not to mentioned that zero trust segmentation efficiencies translate into freeing up nearly 40 hours per week.

Much like transformation projects running most smoothly with both executive and staff buy-in, zero trust works best when the most vulnerable assets within your organisation, the people, are actively aware of the threats they are mitigating and the purpose of the shift in enterprise security behaviour.

Zero Secrets in Security & Data

You can tell non-security staff about the value of zero trust until you’re blue in the face, but your cultural shift won’t reach its potential until you’ve opened lines of communication up between your security and data teams and the rest of your enterprise. As the custodians of enterprise security, they also need to be on the forefront of awareness initiatives. The resulting additional buy-in from other technical staff, especially, is a massive boost, as reportedly only 3% of developers currently see security as their responsibility.

Transparency from data and security teams doesn’t only help with staff buy-in across the different business units. It’s also incredibly useful for managing up. George Finney, Chief Security Officer at Southern Methodist University (SMU) and a prolific cybersecurity speaker in the US, says that the key relationships he built with the CIO and CFO at SMU were key to getting the buy-in and funding to implement what he believed was the best possible approach to zero trust. In reference to those relationships, he asserts that “The key for us has been to be totally transparent and honest,” and his focus, from the start, was fostering a culture around zero trust that made all departments part of a collective philosophy.

Zero Trust Is Only Getting More Important

In our soon-to-be-published 2023 CIO & CISO Hybrid Priority Report, it became clear that securing the hybrid workforce was a top priority. Over half of all respondents agreed it was important for the next year of enterprise development. But given that our respondent spread was split 30.9% CISO and 69.1% CIO, it’s also apparent that enterprise leaders across the board are aware of the urgent need to build a secure hybrid workspace before making it flexible or functional, let alone mature.

Cultivating a zero trust culture, then, should be near the top of the agenda for those C-suite executives who are yet to fully realise their security strategy’s potential. It’s also important to remember that while zero trust as a concept was theorised in 1994, the philosophy as it’s being applied to enterprise security has only become mainstream over the last three years. This has been brought on by mass migration to hybrid cloud to accommodate hybrid work at the start of the pandemic.

All this is to say, the technology that enables zero trust is still maturing, making the effect of a cultural buy-in all the more essential. A workforce that’s aware, not only of the threats, but also of the value of the philosophy they’re being asked to adopt, is as powerful an asset as any infrastructure you can invest in.

Discover the Priorities of CIOs and CISOs the World Over in Our 2023 Survey Report

The future of hybrid work is on the minds of CIOs and CISOs across the world. As modernisation efforts become business critical across innovation and security, the way you set up your business to accelerate could be the difference between success and difficult conversations with the board.

We surveyed hundreds of CIOs and CISOs globally to discover where their priorities lie for 2023 and beyond. Find out what they had to say in our full report, available free now.