The Value of Education to Zero Trust Transformation
This article is part of a series that explores zero trust, cyber resiliency and similar topics.
Over the past year or so, I’ve discovered the secret weapon that IT leaders of various U.S. government entities have deployed as they implement zero trust architectures. Their first step has been to create a comprehensive educational pathway for their workers. This is because no one can implement zero trust alone.
Zero trust: Only education can move you forward
Nothing is more transformative to an organization than education, and the only way you’re going to move to zero trust is to create a solid education program. It’s important to realize this because both the private and public sectors have generally adopted a piecemeal, make-do-and-mend approach to education and training, rather than using it as a strategic, culture-changing tool. That needs to change.
It’s hard to tell which phrase has been (mis)used more lately: zero trust or digital transformation. It is important to realize, though, that as any organization, small or large, adopts a zero-trust strategy, it will have to change its overall culture with a training program that simultaneously activates multiple focus areas within the IT organization.
A zero trust level set
Thousands of articles, blogs and videos have been created about zero trust, from Google’s pioneering zero trust model to DISA’s Thunderdome. With all of the events over the last 18 months, we’ve finally killed off the idea of the traditional network perimeter, and it’s time to move to a more sophisticated model.
So, at this point, we should all assume that everyone is connecting to sensitive networks from Starbucks, and we need a zero-trust architecture to bring us to the next security level. I’ve found that the best way to look at zero trust is to realize that it’s a collection of procedures, techniques and technologies. I’ve found that you can start by focusing on six elements: data and log aggregation and visibility; security analytics, such as that provided by security information and event management; continuous diagnostics and mitigation; user entity and behavioral analytics; security automation and orchestration; and governance, risk and compliance.
These aren’t all of the elements found in zero trust, by any means. I’ve lately been hearing about the need to focus on data tagging, for example. But these six elements offer a fairly good beginning to understanding the different technologies that are important to a zero-trust strategy.
Instead of discussing the foundational elements of a zero-trust architecture or strategy, I’d like to focus on what it means to prepare an organization to move to a zero-trust stance. After all, you could argue that zero trust is simply a collection of tactics meant to implement effective risk management.
Essential steps for zero trust transformation
Organizations need to move beyond tactical education and adopt authoritative, customizable education pathways. By authoritative, I mean the educational program should be derived from a critical mass of working subject matter experts and not just a discrete group of well-intentioned individuals.
A solid educational program needs to determine each step a learner must take along the way. Only then can both manager and employee implement zero trust effectively. In addition, the educational approach should be hands-on and practical. We all know that comparatively few individuals become effective security workers or zero trust implementers by simply reading about concepts. Practical labs and exercises are a step in the right direction. But we need programs that take a context-heavy, apprenticeship-based approach to education and training. If zero trust is a strategy, then the only way we can inculcate strategic thinking in people is to educate them on the job, not send them off to week-long or semester-long security camps.
I also recommend using the latest technologies through so-called hackathon capture-the-flag events. Simulations are all well and good, but we need learning that demonstrates solid progress from learners and provides customized, real-time enhancements to help the workforce learn.
Lastly, assessments are critical. Even the most effective programs are likely to fail if learners aren’t properly assessed. Even students at West Point, Harvard and Cambridge can fall asleep during class. Assessments need to be comprehensive, practical and context-specific. Most importantly, they need to be relevant, repeatable and fair. Learning is much like parenting: you can trust the person to learn much the same way you can trust your well-trained child. But, like a good parent, you always need to verify.
Next steps
It’s already been established that effective security begins from the top down, and that you start with policy. I’ve seen this in organizations as large as AstraZeneca and as small as a few managed service provider companies I’ve been working with over the last year or so. But the organizations that make real strides towards a zero trust risk management approach are the ones that prioritize education.
James Stanger is the chief technology evangelist at CompTIA, a member of several advisory boards across the IT industry, and a member of AFCEA’s Zero Trust Strategies Subcommittee.