
An Insider’s Perspective: Taking Zero Trust From Strategy to Execution

Today’s technology makes zero trust a reality, but organizations still tinker with the intrinsic parts.
By Thomas K. Billington

Over the past six years, the world witnessed what bad cyber actors can do to undermine U.S. confidence in our digital ecosystem. In 2016, cyber operations were used in an attempt to influence elections. In 2020-2021, malicious code slipped into a trusted software update gave cyber spies a foothold in thousands of organizations, and ransomware shut down a major fuel pipeline and a major food processor.

In response to these mounting threats, on May 12, 2021, Executive Order 14028, Improving the Nation’s Cybersecurity, directed federal agencies to develop aggressive plans to advance toward a zero-trust architecture.

This year, Billington CyberSecurity convened senior public and private cyber experts at five meetings to hash out a picture of what organizations should consider when building and sustaining a zero-trust cybersecurity ecosystem.

Most of the actions were nontechnical, focusing instead on integrating the work of the chief information security officer (CISO) with the organization’s mission, developing frequent communication campaigns and running repeatable fire drills.

Today’s technology makes zero trust a reality, but organizations still tinker with the intrinsic parts; those little but important things that people often forget when busy managing security operations centers or incorporating new technologies.

These five key areas can help build an effective continual trust verification environment that prioritizes prevention and is prepared to identify and respond should bad actors intrude:

  1. Having a strong understanding of the trusted security perimeter you are protecting.
  2. Tightly integrating cybersecurity programs with your organization’s mission.
  3. Gaining the trust and active participation of your organization’s leadership.
  4. Prioritizing decision-making on reducing risks that could affect your organization’s primary business functions.
  5. Focusing on bad actor detection and prevention but having a well-exercised plan to respond and mitigate when bad things happen.

Having a Strong Understanding of Your Trusted Security Perimeter

Within this key area, focus on the four parts that make up your trusted security perimeter. Understanding the environment you are protecting includes knowing not only the parts but how they interact and change. This gets even more complicated as organizations tie business networks to operational networks.

  • Actors: Those people or personas attempting to access your system. These actors could have multiple attributes and roles that could affect and change their actions, both as they attempt to access and then work within your trusted perimeter. For example, a daily user could change jobs, thus altering the places and types of data they need to access. An actor’s actions could also indicate their access must be more closely monitored, such as when patterns of activity suggest actions do not reflect normal behavior.
  • Network: The network includes the hardware, wires and assets that communicate, store and interact with each other in your environment, including the computer systems and mobile devices communicating with the trusted security perimeter.
  • System: The software and associated workflow and control rules to allow your trusted security perimeter to get the mission done and to protect it. This includes applications, workflow processes, administrative rules and controls and support software.
  • Service: The applied use of your trusted security perimeter includes direct mission use and support mission use—the what, why and how that your trusted security perimeter is supposed to accomplish.
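As an added illustration (not from the article or from Billington CyberSecurity), the following Python sketch shows what the Actors bullet above means in practice: a zero-trust policy decision point re-evaluates every request against the actor’s current role, the device, the classification of the data requested and a simple behavioral baseline, so a job change or an off-pattern access changes the outcome on the very next request. The roles, data classifications, hours and sample accesses are constructed for the example.

```python
"""Illustrative zero-trust policy decision point (PDP).

Added example, not code from the article. Each request is decided on the
actor's CURRENT attributes, the device, the resource and a behavioral
baseline; a prior allow grants nothing. All roles, classifications and
sample events are constructed for illustration.
"""
from dataclasses import dataclass, field

ALLOW, STEP_UP, DENY = "allow", "step-up", "deny"

# Constructed mapping: role -> data classifications that role may read.
ROLE_ACCESS = {
    "analyst": {"public", "internal"},
    "finance": {"public", "internal", "financial"},
    "admin": {"public", "internal", "financial", "restricted"},
}

SENSITIVE = {"financial", "restricted"}  # needs fresh MFA per request


@dataclass
class Actor:
    name: str
    role: str
    # Hours (0-23) of the actor's past accesses; a toy behavioral baseline.
    history: list = field(default_factory=list)


@dataclass
class Request:
    actor: Actor
    resource_class: str   # classification of the data being requested
    device_managed: bool  # device posture asserted by the endpoint agent
    hour: int             # local hour of this request
    mfa_fresh: bool       # MFA completed recently in this session


def baseline_anomaly(actor, hour):
    """True if the request falls outside the actor's established hours.

    With fewer than five past accesses there is no baseline, so nothing
    can be called anomalous yet (avoids flagging every new user).
    """
    if len(actor.history) < 5:
        return False
    lo, hi = min(actor.history), max(actor.history)
    return not (lo - 1 <= hour <= hi + 1)


def decide(req):
    """Return (decision, reason); evaluated fresh for every request."""
    allowed = ROLE_ACCESS.get(req.actor.role, set())
    if req.resource_class not in allowed:
        return DENY, "role not entitled to this data class"
    if not req.device_managed:
        return DENY, "unmanaged device"
    if req.resource_class in SENSITIVE and not req.mfa_fresh:
        return STEP_UP, "sensitive data requires fresh MFA"
    if baseline_anomaly(req.actor, req.hour):
        return STEP_UP, "request outside behavioral baseline"
    return ALLOW, "ok"


def demo():
    """Walk one actor through a job change and an off-hours access."""
    alice = Actor("alice", "analyst", history=[9, 10, 9, 11, 10, 9])
    d1 = decide(Request(alice, "internal", True, 10, False))   # allow
    d2 = decide(Request(alice, "financial", True, 10, True))   # deny: role
    alice.role = "finance"  # job change: entitlements differ on the next request
    d3 = decide(Request(alice, "financial", True, 10, True))   # allow
    d4 = decide(Request(alice, "financial", True, 10, False))  # step-up: MFA
    d5 = decide(Request(alice, "internal", True, 3, True))     # step-up: 3 a.m.
    d6 = decide(Request(alice, "internal", False, 10, True))   # deny: device
    return [d[0] for d in (d1, d2, d3, d4, d5, d6)]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point of the sketch is that the Actor object is mutable: when Alice moves from analyst to finance, nothing is re-provisioned and no session is revoked; the next request simply evaluates against the new role, and an access at 3 a.m. from an actor who works 9 to 11 is allowed only after a step-up, which is the “more closely monitored” case the bullet describes.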

Tight Integration Between Cybersecurity and Mission

Experts highlight disconnects between an organization’s IT and cybersecurity programs and the organization’s mission. Two big reasons for this: Either the overall organization lacks knowledge of IT or cybersecurity and thus leaves security decision-making to those who have it, or the IT/cybersecurity staff is treated as part of the organizational infrastructure and thus never gains a full understanding of how it fits within what the organization is trying to achieve.

Chief information officers (CIOs) and CISOs must prioritize closing this knowledge gap to ensure technology decisions align with organizational priorities. Tighter integration and understanding also would lead to better operational and enforceable rules, more focused cybersecurity education for the workforce and a more alert workforce to understand when they are confronted with an adversary’s attempts to fool them.

To better align the mission with cybersecurity, frequent cyber communication campaigns are needed and could include daily cyber hygiene messages, establishment of a strong help desk, an active campaign to explain cyber issues and identified cyber threats and consistent messaging about upcoming security changes linked to available training.

Additionally, the CIO and/or CISO should create campaigns to educate the cybersecurity workforce on how efforts tie into the greater organizational mission. This requires CIO or CISO involvement in the senior boardrooms, field trips for techies to observe organization mission at work and frequent engagements between system users and system administrators highlighting common system frustrations, describing new cybersecurity efforts and making time for both sides to get to know each other better.

Gaining Buy-In and Active Support From Organizational Leadership

Too often, a CISO is left to make cybersecurity decisions in a vacuum, causing a host of potential issues such as poor program funding, ill-supported and unsuccessful implementations of technical programs that do not match organizational need, and confusion and disruptions when a cyber incident does occur.

CISOs should actively consider hyping their programs to garner attention and active participation from their organizations’ managers. Educating executives about major cyber events is one way to seek engagement and ultimately buy-in. Finding a way to elevate the CISO to sit within the decision-making leadership mechanism, where the CISO can consistently translate the role of cybersecurity on mission impact, is another strong move. Lastly, getting active involvement of senior leadership in cyber intrusion exercises with follow-up actions is a great way to garner buy-in and continued support.

The Billington CyberSecurity Summit takes place annually. The next event will be September 7-9 in Washington, D.C. Photo courtesy of Billington CyberSecurity

Focus on Reducing Risks Tied to Your Organization’s Key Mission Areas

Prioritizing all needed cybersecurity work is paramount for success. Network defenders must focus on protecting things that directly relate to an organization’s primary mission. Of course, the perfect goal is to create an environment with zero risks, but that is almost impossible due to limited resources and the ubiquitous need for organizations to interact digitally with an ever-increasing connected world. A prioritization scheme focused on protecting that which is most important in accomplishing an organization’s mission and keeping it going if bad things happen is needed.

To accomplish this, CISOs should pick a strategy and stick with it; any strategy is better than none. Two strategies discussed were an identity- and persona-based management effort and a strategy focused on protecting data. The identity management plan centers the defense on understanding who is accessing the system and managing that access. The data-based strategy starts with understanding the organization’s data holdings and their value, then sets up active perimeters to protect them accordingly.

Each has positive and negative aspects in terms of priority, and of course, both are needed to effectively build out a zero-trust framework. The important thing is to pick a single strategy that works best with your organization’s mission and to stick with it.

Focus on Detection and Prevention, but Have a Well-Practiced Plan for Response and Mitigation Should Bad Things Happen

Despite all efforts to prevent bad guys from entering and abusing your trusted security perimeter, inevitably, their efforts will succeed, and you will be left to figure out how to mitigate their success. It is necessary to build a strong intrusion management and mitigation plan and to practice it regularly to make it stronger and to allow those who will be a part of this plan to exercise their roles.

Some key thoughts in building the plan include:

  • Ensure the plan has a means to communicate should the system be limited due to the attack.
  • Include active participation by all those who will need to be a part of the response, including senior leadership.
  • Build in a program to first understand the intrusion—its scale, its likely intention, its functions, etc.—so you can include facts that can help make important operational decisions during the event.
  • Make sure it tests the backup systems should intruders incapacitate your active network.
  • Make sure to hold regular situation briefings.
  • Practice, hot-wash, update and practice again to work out the kinks and have a strong idea of what to do when bad things are discovered.
  • Ensure all primary players have backups included in the practice runs.
  • Most importantly, cybersecurity professionals must look beyond the technology and focus on leveraging mission engagement to help them make better decisions about what and how to protect.

Thomas K. Billington is founder and CEO of Billington CyberSecurity and the host of the 13th Annual Billington CyberSecurity Summit on September 7-9, 2022, at the Washington Convention Center. Since its founding in 2010, his company has produced dozens of cybersecurity events featuring hundreds of experts and educating more than 10,000 attendees across the United States and the world.


This article is the result of five meetings in 2022, convened by Billington CyberSecurity and sponsored by Marsh, to delve into zero trust, a key theme of many of the 125+ speakers participating in the 40 sessions at 13th Annual Billington CyberSecurity Summit. Register to attend the 13th Annual Billington CyberSecurity Summit.

Reprinted in its entirety with permission from Thomas K. Billington and Billington CyberSecurity.
