Delivering the zero trust transition

Once upon a time, the job of keeping an organisation safe from cyberattacks was the sole responsibility of its IT department. But since the way firms do business was transformed in 2020 by the mass migration to hybrid working, traditional security models have been turned on their head. 

Firms have been forced to take a more holistic approach and a strategy that had been gaining traction for more than a decade – known as ‘zero trust’ – has now gone mainstream, becoming the de facto IT security model around the world. 

But what exactly does zero trust entail? And how can C-suite leaders ensure that it’s embedded across their entire organisation, at a time when they are under growing pressure to ensure their businesses avoid damaging breaches?

What is zero trust?

While there are various definitions of zero trust, all centre on the principle that access to applications and data should be denied by default, with users having to go through a continuous process of risk-based verification (for instance, through two-factor authentication). ‘Privilege’ should also be limited so users can only access the data they need to do their jobs, while a comprehensive system of security monitoring is implemented across the business. 

“The zero-trust model can present a significant risk mitigation opportunity to the C-suite as it significantly enhances access controls and can drive down the possibility of unauthorised access and potential breaches,” says David Dunn, head of EMEA cybersecurity at FTI Consulting. “As cybersecurity threats increase in sophistication, zero trust offers the dual benefit of going beyond traditional cybersecurity strategies focused on perimeter defence and network security, while also limiting the movement of threat actors who are able to gain entry to systems.” 

While the vast majority of business are now committed to adopting zero trust, implementation can be challenging, taking time and investment, especially if you are working with a legacy IT estate. Organisations need to avoid leaving security gaps when migrating to new systems and processes, while also being ready to deal with issues in legacy applications at a moment’s notice.

As the research firm Forrester noted in a whitepaper last year: “Zero trust is not a product, and it’s not a miracle cure that will eradicate breaches. It requires a concerted effort with significant change management across security, IT and business teams.”

Growing pressure

The pressure on corporate leaders navigating these rapids is intense. Tech consultancy Gartner estimates that at least 50% of C-suite executives will have performance requirements related to cybersecurity risk built into their employment contracts by 2026. And it’s obvious why, given how pivotal they are in embedding a new strategy. 

Leaders first need to ensure they choose the right technologies that will have the biggest and fastest impact. But they need to get buy-in from other teams and stakeholders who will be key to rolling out a zero-trust programme – which can be challenging at a time when the UK economy is stuttering and company finances are under strain. 

Rob Pritchard, a cybersecurity expert and consultant, says the C-suite should stay focused on the long-term benefits and not be fazed by bold marketing claims. “Leaders need to recognise that whilst zero trust has become a bit of a buzzword and there are lots of products and services that claim to support it, it is a description of a more secure way of operating, which when done properly can reduce management overhead and support a modern flexible workforce. 

“There’s not any one approach, but identify where you need additional services or outside support and make sure there is the money to support a proper migration,” Pritchard says.

Leaders should also keep pace with the evolving cyber threat landscape and not just leave it to the IT department. That means maintaining knowledge that enables informed and strategic decisions to be made.

Top down

Educating staff is key. “The C-suite should actively promote and foster a security-led culture from the top down by advocating for awareness programmes and supporting user training at all levels,” says Dunn. “This mindset helps demonstrate the importance of cybersecurity and everyone’s role in protecting the organisation.” 

Leaders should also empower their security teams with the authority and budget to devise and deploy cyber-risk mitigation strategies. And the right personnel must be recruited to bolster existing cybersecurity expertise.

“The human capital resources required in cybersecurity continue to be inadequate,” says Manuel Acosta, a senior director analyst at Gartner. If an organisation doesn’t invest in proper “cyber judgement and confidence”, then it won’t be able to function securely, he says.

It’s vital to remember that adopting a zero-trust approach is not a one-off event; rather a continuous process that needs to be maintained. This means cybersecurity strategy will have to be embedded within business objectives, with progress monitored and systems updated when necessary. 

Acosta says leaders need to establish “measurable outcomes with a long-term programme to improve behaviour”. He says: “Just like adaptive controls, the monitoring across your network and business must be continuous. The change in culture will take time, but driving those small iterations of change and messaging proves realisation.”

When it comes to cybersecurity, the EU has a clear message for businesses across the bloc: the rules are getting tougher and time is running out to make sure you comply. 

The Network and Information Security Directive 2 (NIS2) was enacted in January 2023 and will come into effect in October this year, building on previous EU cybersecurity laws known as NIS1. Among the changes, big organisations under the scope of the rules will have to tighten up their security processes and report breaches much more quickly than before or face hefty fines.

A much wider range of entities will also have to comply with the legislation, including for the first time accounting firms, courier services, digital providers, research organisations and many different types of manufacturers. 

‘Compliance sprint’

Overall, NIS2 should benefit businesses and consumers by creating more standardised cybersecurity rules across the bloc. But the relatively short time EU member states have to incorporate the directive into their own laws – just 17 months – is causing headaches for firms that are racing to prepare. 

Many governments are still discussing exactly how the rules will work, with some looking to deviate from each other or go beyond the requirements set out by NIS2. Others, like the Netherlands, have indicated that they may not meet the October deadline for transposition. 

“There is currently a lack of clarity on the exact requirements,” says Giles Pratt, an intellectual property, data and tech partner at law firm Freshfields Bruckhaus Deringer. “Given the lack of national implementation laws, we’re seeing many organisations preparing for a compliance sprint over the summer months.” 

In theory, NIS2 will only apply to big firms in so-called “essential” or “important” sectors, although it will be up to member states how they define those categories. Organisations with more than 50 employees and an annual turnover that exceeds €10m can expect to face tougher standards around governance, incident detection and response, as well as plans for business continuity in the event of a cyberattack. 

However, small and medium-sized businesses that operate within essential or important sectors are also likely to be affected, meaning bigger companies will have to ensure smaller firms in their supply chains are compliant.

For organisations already operating in regulated sectors with advanced cybersecurity systems in place, adapting to the new rules should be straightforward. However, those new to this kind of legislation may need to make “major organisational changes”, says Esther Schagen-van Luit, a principal at the Internet Security Forum.

NIS2 also comes as the EU rolls out other new regulation in areas such as data protection and artificial intelligence, increasing the compliance pressure on organisations’ cybersecurity teams. As such, boards must continue to invest in the resources necessary in order to “avoid burn-out and high staff turnover”, says Schagen-van Luit.

Zero-trust approach

Companies likely to be affected by NIS2 should start by undertaking a comprehensive cybersecurity risk assessment, says David Dunn, head of EMEA cybersecurity at FTI Consulting. “Once vulnerabilities and gaps in their current infrastructure are identified, organisations can enhance cybersecurity measures accordingly, such as adopting advanced threat-detection technologies or improving incident-response capabilities.”

He believes a zero-trust approach can help, as the emphasis on the continuous verification of user identities, devices and systems, aligns with NIS2's focus on ensuring continuous monitoring and assessment of security measures. Zero trust also advocates for granting the minimum level of access necessary for users and systems to perform their functions. 

“This directly addresses NIS2's goal of ensuring that only authorised individuals have access to critical systems and data,” says Dunn.

Philipp Roos, a principal associate at Freshfields Bruckhaus Deringer, argues companies should also closely monitor the legislative process as NIS2 progresses in their own member states. That way they can anticipate potential changes. They should also try to influence the legislative process where they can, via input through industry groups or direct engagement. 

Overall, NIS2 is likely to benefit businesses – but with a flood of new regulation on the horizon, firms must continue to invest in cybersecurity to stay ahead of the curve.  

“Rather than waiting for the ink to dry on local transposition of directives, organisations can anticipate them by continuously investing in their cybersecurity maturity to the extent they feel they are in a defensible position towards a regulator,” says Schagen-van Luit.

Firewalls have long been the standard means of defending network perimeters from malicious external traffic. But in today’s world of clouds, digital transformation and remote working, many organisations are moving away from ‘castle and moat’ network security – and for good reason.

"Once you’re inside the castle you have implicit trust, so you have access to pretty much everything," says Stefaan Hinderyckx, senior vice president for security at NTT. "You can get into any tower, open any door […] you might even be able to steal the crown jewels."

In other words, assuming everything inside the network should be trusted makes a breach all but inevitable. "We’re now moving to what’s called an ‘airport’ model," Hinderyckx explains. "When you go to an airport, you have a passport and a boarding pass." The former proves your identity and allows you to move through increasingly sensitive areas of the airport; the latter ensures you’re only able to board one plane.

This airport model is the foundation of zero trust, which rests on three principles: never trust, always validate and assume breach. It’s more of a philosophy than a technology. But that doesn't mean it's easy to adopt – quite the opposite.

Firstly, there’s the need to move from a traditional VPN with point-to-point connectivity to zero-trust network access. Implementing security service edge, which places all security controls in the cloud, is the next step. Typically you’ll also want to add a software-defined wide area network or SD-WAN to the mix, as well as a managed detection and response system, and potentially several other identity and data protection solutions. 

Zero-trust projects can therefore become overly complicated and costly if they’re not managed properly. They also take time. "You can't do it over a weekend," says Hinderyckx. "You typically do it over months or even years."

Change management

Success often rests on the board’s understanding of zero trust – in particular the ‘three Cs’ of change management, complexity and cost that often define whether the project succeeds or not. "Everything starts at the board level because [zero trust] has to be driven from the top down," says Hinderyckx.

Failure to take this top-down approach can mean "you end up going down the path of […] addressing minor problems here and there, rather than in a strategic, tactical way," says Joe Bombagi, EMEA director of SASE systems engineering at Palo Alto Networks.

A roadmap and strategic vision for the project can help to keep it on course and clearly articulate its value. "End-users will see some changes depending on the technology and the application mix, etc," says Hinderyckx. "So communication around what zero trust is, why everyone has to be on-boarded and why it matters for the company is really important. That’s why I say it’s not just an IT project; it’s really about change management because some of the changes are pretty profound."

Indeed, almost everyone in the organisation will likely be affected by the shift to zero trust, which can span infrastructure, network security, data security, app security, legacy IT assets and other critical areas of the business. 

Often, according to Bombagi, organisations struggle to grasp how deeply it will affect their operations. "How are you going to make sure that those traditional silos of network people here, security people there […] are all working together? That often ends up being a bigger challenge in the transformation than [implementing] the technology." 

Complexity

Zero-trust projects often involve multiple vendors. "Large organisations will typically combine an identity solution with an XDR [extended detection and response] solution and a SASE [secure access service edge] solution," says Hinderyckx. "And that’s not even touching on things like data security and encryption, which are further down the road."

CSOs are sometimes concerned about whether they can achieve a consistent approach to zero trust across the business. "You can end up with this weird mish-mash of technologies [over time], all attempting something related to zero trust […] but fundamentally failing because they’re not consistent," says Bombagi.

In the initial stages of a zero-trust journey, the complexity of an organisation’s network can also increase rather than diminish. "For example, if you have a flat network, one of the first things to do is to introduce segmentation," says Bombagi. "But introducing segmentation increases complexity because you can no longer have any endpoint talking to any other server. So things may get worse before they get better."

To manage all this complexity, organisations need expertise from multiple domains 24/7. "That’s why the managed SASE partnership we’ve set up with Palo Alto is so relevant for our large clients," Hinderyckx explains. "Even the biggest banks understand that they can no longer do all of this themselves. We have developed a unique end-to-end managed solution coupling single vendor SASE from Palo Alto with advanced managed LAN capability to reduce complexity. This improves our clients’ business continuity and operational efficiency by applying state-of-the-art AI and automation and offering this on a global scale."

Cost

IT budgets are finite and on paper a zero-trust initiative may seem expensive. But there's a cost advantage of moving towards zero trust. "It might look like a very expensive multi-million dollar project, and often it is. However the return on security investment is quite significant,” says Hinderyckx.

For example, moving from multiprotocol label switching (MPLS) – a switching mechanism used in wide area networks that can have steep bandwidth costs – to SD-WAN can unlock significant savings. "With SD-WAN you leverage the internet," says Hinderyckx, so there’s no need for the dedicated lines and infrastructure engineers associated with MPLS.

SASE solutions also converge network security, SD-WAN and autonomous digital experience management into a single, cloud-delivered service, thereby consolidating the number of security vendors an organisation needs to employ. Palo Alto’s Prisma SASE solution, for instance, covers many of the security controls needed to achieve zero trust. This helps to "reduce complexity, reduce costs, but also increase your security posture because you get a single view of what's going on," says Hinderyckx.

Zero trust is also the cornerstone of digital transformation, which can unlock further cost efficiencies. "There's no digital transformation without cybersecurity," says Hinderyckx. "And you can't really deploy cybersecurity correctly in a digital transformation project without going zero trust, because otherwise you’re stuck with all the legacy [security] technologies that have been added [over the years]."

All of which means the discussion around zero trust has now moved from "what is it and why should I bother?” to “when can we start doing it?”.

A major cybersecurity breach is every business leader's worst nightmare. One hacker or rogue employee can compromise sensitive data, disrupt operations and trigger huge fines and reputational damage. To avoid this scenario, organisations need to invest in strong cybersecurity measures. But where should that investment be targeted?

Figuring out the ‘return on security investment’ or ROSI is one way of ensuring that funds flow toward the most effective solutions. Essentially, you weigh the cost of a solution against the reduction in risk exposure it delivers. In simple terms, this allows you to see how much bang for your buck you’ll get from a particular tool or service.

But while the cost of a solution is easy enough to calculate, its impact on an organisation’s so-called ‘security posture’ is harder to pin down. It can be tricky to calculate potential losses from future security incidents, for example. Some benefits, like improved brand reputation, are equally hard to quantify.

“Measuring the ROSI is challenging due to the qualitative nature of security benefits and the difficulty in measuring potential losses,” says Eli Fégaly, chief security officer at Vizrt, which provides real-time graphics and live production solutions for content creators. “However, this is a necessary task to justify security budgets.”

This task can be approached in several ways. Data on the frequency, severity and financial cost of past breaches can be used to predict future impacts, for example. This information can then be weighed against the cost of a solution designed to reduce them. 

“You need to ensure you detail the financial, reputational and business impact of any incidents that do occur,” says Sabastian Hague, defensive content lead at Hack The Box, an online cybersecurity training platform. “This includes downtime, share prices and the customer view of the business. By doing this after a breach, you’re better placed to identify where improvement and investment are needed.”

Businesses should also use a combination of qualitative and quantitative metrics to identify the gains from deploying a particular solution. “These metrics may include improved incident detection, better resource allocation, enhanced user experience, compliance with relevant regulations and reduction in operational costs,” Hague says.

Generally speaking, the highest ROSI will be found in areas where organisations face the greatest unmanaged security risks. But senior leaders shouldn’t fixate on the financial return on investments designed to address these risks.

“It can be helpful to think of ROSI as ‘cyber cost justification’. Robust cybersecurity strategies will ensure that any investments made to mitigate cyber risk are the right choice for the business, and not necessarily those options perceived to provide the greatest return on investment," says Lorenzo Grillo, managing director with Alvarez & Marsal Disputes and Investigations and leader of the firm’s European and Middle East Global Cyber Risk Services.

Securing zero-trust investment

Zero-trust security, which focuses on least privilege access and continuous verification, is widely recognised as the best means of securing a network today. However, it’s often seen as costly to implement.

To ensure a good ROSI, businesses need to tailor zero-trust strategies to their unique needs and priorities. “For example, a business might focus on strengthening endpoint systems through measures like requiring multiple forms of authentication and implementing advanced endpoint detection and response software,” says Hague. 

“Safeguarding data could also be a priority, achieved through mechanisms such as data loss prevention tools and robust encryption to prevent unauthorised access or data leaks.”

Well-defined KPIs can help to justify the cost of these tools. “These might include metrics showing a decrease in security incidents, faster detection and response to threats, monitoring of normal user behaviour and network traffic, and adherence to security policies,” says Hague. “Security assessments and audits play a vital role here in evaluating the effectiveness of the zero-trust controls in place.”

Indeed, regular risk assessments and audits are essential for staying ahead of evolving security threats. “Cyber-risk management should be treated as an ongoing ‘live’ project,” says Grillo. “Any time there is a change to the threat landscape or to a company’s applications, processes or projects, the cyber risk should be re-evaluated to check if any business assets are now exposed to a higher – and unacceptable – level of cyber risk.”