There are plenty of good reasons why companies should implement cybersecurity, but today we’re focusing on growth. Your business is likely already looking at different approaches and options for more robust security. The options may all sound good. However, it’s the price tags that have many hitting the pause button. Now there’s a way to look at the Return on Investment (ROI) for cybersecurity, and it leverages a free model that also helps with business growth.
In 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released its Cloud Security Technical Reference Architecture and Zero Trust Maturity Model for Zero Trust Architecture (ZTA), the tenets of which have been mandated within the federal space as NIST SP 800-207. This is progressive guidance for the federal government, which normally lags behind private industry. So, coming out with a free model is worth taking note of, particularly because in business, ZTA offers a competitive advantage that can directly lead to growth.
Laying the foundations of Zero Trust Architecture
CISA’s model was designed as a roadmap to assist government agencies as they implement more rigorous cybersecurity—but the approach, and the guidelines, are free and can be used by any organization.
ZTA follows the philosophy of never trusting a device, source, or user—always verifying. The model uses least privilege per-request access decisions for information systems and services, requiring all users to be authenticated, authorized, and continuously validated before being given access to applications and data.
ZTA has caused a lot of buzz. At the end of the day, it’s a concept, not a plan of action. What IS valuable is that it’s a crawl-walk-run mindset. Organizations make iterative changes, investing in controls over time. For those worried about change and costs, ZTA feels like a more comfortable pace to adapt and evolve.
Importantly, for our growth-minded purposes, ZTA helps align cybersecurity to your organization’s structure and business goals. You really need to understand how your business operates in order to implement ZTA properly. And any time you work on business processes becomes an opportunity for business growth.
Business growth in the age of cybersecurity
From a business standpoint, all data is not created equal. The general information found on your website, for example, doesn’t need to be protected with the same controls as client data, employee personally identifiable information (PII), engineering plans, or proprietary formulas. ZTA understands this and uses the most protective (and most expensive) controls where it matters. The result is an initial cost saving that keeps necessary cybersecurity within reach and affordable for most companies.
ZTA also recognizes that thinking things through and implementing security correctly right from the get-go saves money and that protection is far cheaper than the clean-up following a breach. Through our experience, we know that investments in security reduce risk, and that can translate to saving on cyber insurance and business insurance. We also know that the process of thinking through ZTA logic helps drive transformation and modernization that many companies need to compete in an evolved marketplace that goes well beyond cybersecurity.
Many will recognize that the business moves involved with ZTA are the very same ones needed for company growth. And with ZTA and cybersecurity well in hand, you’ll enjoy a competitive advantage over those in the industry who continue to delay or have already experienced a cybersecurity incident. We believe that business will soon involve disclosing your system security plan, a SOC 2 Type 2 report, a compliance score, or a third-party certification verifying compliance against a given framework to vendors and other stakeholders. Once again, being an early adopter will be an advantage.
Implementing Zero Trust Architecture
Implementing ZTA involves answering some thorny questions.
The first question is, “What are you trying to protect?” Getting the answer is an exercise along the lines of putting together a business or strategic plan for your organization or your division. You’ll need to identify the sensitive data areas and related workflows. If your organization hasn't been actively looking at and labeling its data assets, this can be a challenging hurdle.
Once you’ve identified what needs to be protected, ask yourself, “How do we want to protect it?” and “What are the requirements we want in place to access this data and these workloads?” That’s an easier task and with those answers in hand, you’ll be ready to look at tools or solutions.
Companies tend to want to jump ahead, past the strategic parts of ZTA. Don’t be swayed by marketing or tempted by a sales pitch. You’ll need to put in the work to understand your situation and security needs before you can truly evaluate potential security solutions.
Of course, it’s tempting to turn the whole project over to a software solution that says it's ZTA compliant. The risk is that you’ll get a cookie-cutter solution that doesn’t fit your structure or culture and therefore is difficult to implement and maintain. The challenge is not technical but rather cultural—it’s your employees who will need to follow the policies and training, and respond to security incidents—so it needs to fit just right.
There’s a final question for ZTA which is “What’s our budget?” It’s maybe the thorniest question because money is always a consideration. ZTA offers some flexibility regarding spending during the planning stages. Since you’ve already prioritized the data that needs to be protected and determined how you want to protect it, you may not have to spend a huge amount all at once to get everything done immediately. A good ZTA implementation strategy allows you to plan ahead and build up your security profile over a span of time, making it more affordable. Of course, ZTA is also iterative. As soon as you implement new security controls, you should reevaluate your profile and plan to enhance again.
ZTA success comes down to your risk tolerance. What level of risk are you willing to accept? Realizing the business benefits of ZTA can boost your ROI. So, what’s at risk, you ask? The confidence and trust of your employees and customers. If you choose to move slowly and therefore experience a breach, you’ll have to justify not having proper security to all of your shareholders. On the other hand, if you move forward quickly, you’ll be able to talk to stakeholders about your brand’s commitment to data protection.
A final word of advice on ZTA
Regardless of the model you follow, cybersecurity is about policy; it’s about procedure; it’s about people; in addition, of course, to technology. It is time-consuming and expensive. It only makes sense to make a good business plan to execute it. At our critical moment in time, when new attacks and increasingly sophisticated schemes crop up every day, it’s critically important to get started. Knowledge about implementing ZTA is available from the government for free. Use this resource to protect what’s valuable and grow the business you have.