When businesses transitioned to a Work From Anywhere (WFA) model, existing network and security systems were quickly strained to meet the demands of the new requirements. As a result, CISOs took on risks they would never have tolerated before. IT teams have beefed up VPN capacity to handle the new load, but with a troubling new risk: enabling remote access for all employees introduced unknown cyber attack vectors.
At the same time, businesses have had to contend with the effects of the pandemic on business bottom lines, which often involved reallocating IT budgets to revenue-generating initiatives. To regain their budgets, influence and workforce, CISOs must change their mindset to focus on the needs of the business. IT security can no longer be about controlling the perimeter of the network. It must move on to a strategic planning that answers the question “How do I activate the business?” “
To be successful, IT needs to align business security with business goals. IT must now take into account: the key skills of the company; the needs of the business that contribute to its success; business management; and its own governance and compliance responsibilities. (Pro tip: The latter shouldn’t include legacy network maintenance.)
Computing: doorman or guide?
Computer security has always enjoyed an unfavorable reputation as “the no department”. IT’s role in protecting the business meant that it often had to get in the way: “No, you cannot adopt this SaaS cloud. “”No, you cannot move the database offsite. “”No, you cannot work remotely. “The priority of the IT department was to maintain the status quo. Anything that could tip the boat was out of reach, and they were often the guardians for process deployment.
Why? IT typically receives little attention from employees, until those employees need something or a disaster occurs. Then, IT attracts everyone’s attention (not always welcome). That’s a lot of pressure and at least provides an understandable rationale for the traditionally conservative approach to IT.
If the pandemic has shown us anything, it’s that IT can adapt quickly if necessary, especially when there is a clear need to move beyond the status quo. Legacy solutions (in this case VPNs) were not equipped to handle a massive change in the way employees did business. New solutions have therefore been found and implemented, such as a zero trust architecture.
In response to a crisis as dramatic as the recent pandemic, IT has had to focus on achieving business goals. They had to be guides which led the company to a better solution. This required evaluating the change by asking new questions:
- Does a solution result in (or perpetuate) technical debt? Technical solutions are often implemented to meet an immediate need and use the fastest methods to achieve that goal, perhaps building on existing infrastructure because it is “easy”. But does this practical solution create bigger problems by limiting future growth, scalability, or flexibility?
- How long before the solution produces value? Integrating new solutions with existing systems can often add complexity and lead to long waits for ROI (if it ever happens). Does this deferred value always outweigh the costs associated with removing inherited dependencies?
- How long before the solution improves productivity? Bolting new systems onto old ones often results in a Rube-Goldberg contraption of connection, access and security protocols. What is the timeframe for users to be operational on complex processes?
The new mission of the CISO: to enable the growth of the company
Change is difficult and corporate CISOs must work with CIOs to lead the charge. It can be difficult to know where to start. How do you redesign the legacy systems that have powered a business for years, if not decades?
One way forward is a cloud-delivered zero-trust architecture, providing CISOs with a manageable (and navigable) way to enable digital transformation. A zero-trust architecture is a connectivity architecture that changes the nature of application access by removing the requirement for a “trusted network”. Instead, users access applications based on defined policies that take into account the identity and context of the user. As a result, everyone is challenged and only has access to what they need for true, least privileged access. This provides levels of visibility and control that were previously unimaginable.
It provides CISOs and CIOs with a platform to enable business growth. For example, an CISO at a Fortune-500 company led his company’s transition from security inherited from castles and moats to zero-trust architecture. In his words, a zero-trust architecture has allowed his security teams to move from “the department of no“To the” department of know. “Rather than being the group that traditionally says, ‘You can’t do this, it’s not secure,’ their IT department can now say, ‘We can do that, and with the information we got, we can activate these other things as well! “
The CISO was tasked with finding a better approach to remote access as the company increased its mobile workforce and adopted a ‘cloud first’ strategy: legacy remote access systems were too rigid and slow to handle the change. His cloud-based zero-trust approach has allowed his business to become more agile and flexible.
Convincing business leaders to invest in a zero trust architecture was a challenge. But the CISO focused on three value propositions to evangelize zero trust internally:
- Improved safety, performance, manageability and profitability: The company’s legacy VPNs routed traffic indirectly, resulting in latency, complicating administration, increasing MPLS costs, and (dramatically) extending the attack surface. A zero trust architecture connects a user directly to a target resource rather than the network, reducing the attack surface and optimizing routing.
- Deployment speed: VPNs cannot be set up quickly. VPN deployment requires extensive capacity planning, making it difficult to enable a quick hub to remote access. In contrast, cloud-based zero trust architectures are designed to scale. Deployment is quick: install a simple agent on the user’s access device; place connectors in application environments; and integrate the user context of an IAM system to inform granular access policies.
- Traffic visibility: A zero-trust, cloud-delivered architecture provides complete central administration and gives IT managers complete visibility into user activity.
The CISO leveraged the Zscaler Zero Trust Exchange to deploy a zero trust solution to managers as part of a pilot program. They were soon inundated with requests to make it available to the entire company. Their immediate challenge was to process the documents fast enough to meet demand!
Their security is now invisible to users. Users connect directly to all the authorized assets and applications they need to be productive without first gaining access to a network. Using a Zero Trust architecture has also dramatically improved the user experience over their old VPN – it’s faster, easier to use, and increases performance whether the resource is in the data center or in the the cloud.
Transformation creates business value
As recent events have shown, IT teams must adapt existing environments to changing needs. Cloud-centric digital strategies drive a corresponding security transformation, as network-centric systems often cannot adapt to change elegantly or cost-effectively. A zero-trust architecture can enhance business growth by providing secure and transparent user access to authorized applications in any environment, location or device, enabling new workflows and accelerating digital transformation.
A cloud-based zero-trust architecture minimizes the risk of adopting digital transformation strategies and keeps access options viable even as security budgets shrink and business budgets tighten. By eliminating the need to extend costly security stacks and expensive MPLS backhaul, zero trust enables organizations to take advantage of new technologies and remain agile to adapt to the future. And by providing complete visibility as well as flexible and secure access to applications, a zero-trust architecture enables IT security to help, rather than hinder, business transformation.
Click here to learn more about how a zero trust architecture can help accelerate business transformation goals.
Copyright © 2021 IDG Communications, Inc.