The Resurgence of Zero Trust

Image credit: iStockphoto/ktsimage

Trust is implicit in how APAC companies work. There is the unspoken employer-employee trust, and there is trust between customers and their providers. It is why this relationship becomes strained (or broken) when there is a breach, a hack, or a compromise.

Forrester has the term Zero Trust. It is already mainstream in Europe and the U.S., but not in the Asia Pacific, according to the report “How To Implement Zero Trust Security In Asia Pacific.” We talked to one of the authors, Jinan Budge, a principal analyst at Forrester, about the key conclusions.

With companies looking for flexibility and agility after the pandemic, to what extent is Zero Trust becoming important?

Budge: The pandemic has introduced a revolution in how we work, with organizations having to quickly adapt to allow their employees to work remotely and accelerate cloud adoption. In this business disruption, where we no longer have employees accessing on-premises apps on enterprise computers, traditional approaches become ineffective.

In your report, you noted that APAC companies previously took a laid-back approach to Zero Trust. How has this changed?

Budge: While companies in APAC generally take a laid-back mentality, often waiting and watching what their peers are doing, as the conversation about and adoption of Zero Trust increases, this laid-back mentality is moving. The pandemic, especially in some geographies or industries where security hasn’t been on the agenda, has allowed CISOs to engage with senior executives and get well-needed support and funding. We expect this laid-back approach to Zero Trust adoption to change over 2021, catching up with our global peers.

What are the challenges for CISOs in implementing Zero Trust? What do they overlook or miss?

Budge: Typically, the challenges associated with Zero Trust come from the lack of understanding and failure to get stakeholder support and visibility. The challenges we hear about are not technological. CISOs need to market Zero Trust to other parts of the business: Identify who your stakeholders are, what role they play in your Zero Trust program, what their needs and concerns are, and what benefits Zero Trust provides them. Communicate these benefits to garner support from your stakeholders and address any concerns they raise about Zero Trust.

What is the best approach to Zero Trust based on global success stories?

Budge: Implementing Zero Trust in the Asia Pacific today requires more upfront planning than it does in other regions that began adopting it earlier and have many more pioneers to learn from. You need to:

  • Create a detailed Zero Trust roadmap
  • Bring the strategy and roadmap to the board
  • Communicate and sell the business value of Zero Trust
  • Watch the market closely and validate vendor claims
  • Take stakeholder concerns seriously
  • Aim for full adoption within two years

How can CISOs rationalize their investments for Zero Trust?

Budge: In the current climate of budget cuts, yet with security and privacy remaining a critical priority, business leaders must be prepared to address security as a priority with potentially less funding.

Security is prevalent with “Expense in Depth” — many security technologies are deployed at different parts of the network. The acquisition cost of all these things is extremely high; the resource costs to manage and maintain them are also high. Using Zero Trust helps you be strategic, examine your controls, and decide which ones you actually need based on your actual threat profile.

It will also help you move towards interoperability in an ecosystem, and sometimes that could mean utilizing more integrated solutions.

As mentioned in the report, APAC companies are founded on trust. Zero Trust takes the opposite approach. How can CISOs build the right culture from top to bottom?

Budge: CISOs need to understand that culture change is a journey, not a miracle. They need to allocate as much time and potential resources to nurture a culture of change to facilitate adoption.

First and foremost, know that you will always be in the murky world of the techie until you can demonstrate business alignment. It means prioritizing and mastering the skills of storytelling, sales, and politics. You will need these to promote your agenda, get buy-in, and achieve your goals — because the only projects that will survive and thrive are those that deliver demonstrable benefits across the business.

There are many vendors out there talking about Zero Trust. Can you suggest how CISOs can rationalize the different claims and find the right solutions/vendors?

Budge: Unfortunately, we’ve heard a lot of frustration in the Asia Pacific and globally with vendors touting their solutions as Zero Trust gospel. This is especially frustrating in our region, where there is a healthy skepticism of buzzwords and vendor claims. Fortunately, vendors here are listening to this feedback. They are bringing Zero Trust to market in a way that’s objective and helpful in building Zero Trust momentum, for example, by utilizing independent experts and real-life examples instead of marketing collateral. To help themselves, CISOs and security teams need to validate vendor claims by understanding the Zero Trust model, its components, and the control mapping framework.

This article is part of a CDOTrends eGuide.
