By Eric Trexler, Senior Vice President of U.S. Public Sector at Palo Alto Networks
The buzz around the concept of zero trust seems to have reached a fever pitch in recent months, with organizations and leaders proudly proclaiming they’ve “zero-trust-ed” this or “zero-trust-ed” that. While perhaps an inevitable byproduct of hype cycles, this adoption of terminology demonstrates a fundamental lack of understanding of the need for zero trust. It’s time to stop and ask ourselves — is this hurting or helping the state of cybersecurity?
What could be the harm? People are excited, so regardless of the level of understanding, that should mean investment in zero trust and a safer cyber landscape, right?
Unfortunately, even though the chatter and excitement are there, the implementation and impact are not. Despite all the enthusiastic rhetoric, there is a distinct lack of evidence of widespread, tangible improvement in our security, efficacy levels or effectiveness, or even elevated protections for our businesses, agencies, data and people.
In fact, the gap between relentless hype around zero trust and practical, effective implementation is emerging as an increasingly prevalent challenge in securing our digital ecosystem.
A major cause of this is the failure to ground zero trust plans in reality, and too often, key business outcomes are left out of the conversation. For years now, stakeholders across industry and government — and even the White House — have endorsed or prescribed zero trust products or technologies, with little to no direction on business objectives or outcomes, and little focus on resilience. The 2021 Zero Trust Executive Order heightened this, with industry clamoring for the attention and sales that accompanied it. Directing agencies to do or buy certain things without delving into the practicalities of zero trust scaled to business requirements can serve to create even more confusion. The resulting glut of cybersecurity vendors and tools that have recently emerged is now a major headache. A recent Palo Alto Networks survey found that “too many security vendors” was listed as the top cybersecurity management challenge for 34 percent of respondents. Based on experience, the real number should have been closer to 100 percent. Organizations are simply not that adept at integrating disparate cybersecurity solutions.
Regardless, zero trust is not a verb, it’s not a technology and it’s not a product, but rather a composition of principles such as least-privilege access, continuous validation and a focus on reducing risk to an organization, all of which require engagement not just from the cybersecurity or IT team but from the broader organization. Often there are business outcome considerations that cybersecurity and IT teams are not aware of, such as the level of risk posed to certain data, applications or pieces of the business. For example, a company’s sales numbers are important data, but likely not as important as a proprietary product design, formula or technology. Implementing effective cybersecurity requires a multifaceted and deep understanding of the given business’ needs, and today that crucial knowledge is often missing from our conversations about zero trust. In another example related to the government, executive travel schedules and policy objectives may be critical, whereas publicly released information may not be nearly as sensitive.
Hype cycles are not inherently detrimental, but in the evolving cybersecurity landscape, fixations can obscure real solutions to consequential risks. Effective cybersecurity entails a far wider scope than any technology or singular concept. Zero trust principles are holistic and require nuanced knowledge of the business’ core objectives and desired outcomes. As new threats arise in the cybersecurity landscape, instead of touting new arrays of tools, we can leverage the hype around zero trust to promote practical understanding and drive business outcome-centric implementation. That’s how we’ll make progress on zero trust, and that’s how we’ll better secure our world.