Implementing a Zero Trust model is becoming a leading security strategy for organizations across the globe, but it requires fundamental shifts in mindset and major transitions in the deployment, use, and management of security technologies.
When mapping your Zero Trust ecosystem, it’s critical that security leaders develop a strong partnership with the CIO and IT team to initiate effective change that properly secures the company. Let’s take a closer look at some key pointers on working with IT to foster a successful Zero Trust implementation.
How to Gain IT Team Buy-in for Zero Trust
It may seem like a daunting task at first, but there are several ways to alleviate any hesitation and gain the support you need to implement a Zero Trust security model. Depending on the size, scale of legacy infrastructure, and the maturity of your organization, the path to Zero Trust can vary greatly and the outcome more than warrants the journey.
The good news is, you don’t have to start from scratch. You can work with existing security capabilities while you implement strategic change over time. Here are four steps to getting the IT team on board that will improve efficiency and execution during your Zero Trust implementation.
Step 1: Drive a Culture of Adaptability, Resilience, and Inclusion
The journey of a Zero Trust implementation requires an open mind, patience, and a lot of teamwork! Start by creating a security-first mindset across your organization. That means investing in relationships and security awareness programs that educate and inspire members from all facets of the organization. You need to build confidence and show the value of how implementing a Zero Trust model will measurably reduce risk to the business. It’s critical for CISOs to gain board-level support so that the security and IT teams have the executive support, resources, and budget needed to make security a top initiative.
When working with the IT team, creating an inclusive environment and relationship is extremely important to develop a mutual understanding and respect throughout the project. From the start of a Zero Trust implementation, there should be an open dialogue where security and IT work together to align common goals, agree on priorities, and include each other throughout the decision-making process.
CISOs and CIOs have an obligation and desire to make sure the company stays protected, but they also need to get their teams on board to interact, engage, and challenge each other in order to produce more efficiencies and better outcomes. Naturally, not every day will be perfect, but having an inclusive dynamic across teams will allow more room for possibility and growth during a transition to Zero Trust.
Step 2: Outline Reasonable Expectations
When implementing a Zero Trust model, CISOs must work with CIOs to layout reasonable expectations around competing priorities, skillset alignments, and establishing the roles and responsibilities with Zero Trust initiatives.
Depending on your organization, Zero Trust may take a year to several years to implement. During that time, IT may have competing priorities throughout the journey. Managing expectations and communicating effectively will help both teams create more reasonable timelines and project deliverables. Security and IT stakeholders need to possess a sense of empathy throughout the entire process to appreciate each other’s challenges and understand each other’s roadmaps, because competing projects may require a pivot on certain initiatives and timeframes.
Although a balance and awareness of priorities are important, it is also necessary to continually strive to push Zero Trust implementation initiatives forward in order to reduce risk to the business more quickly. To help with this, CISOs can work with CIOs to better promote a sense of urgency relating to cybersecurity initiatives. Essentially, security teams cannot implement Zero Trust components all by themselves. They need IT to assist with deploying agents and software, pushing controls, staying on top of vulnerabilities and patches, and much more. Together, security and IT stakeholders should reinforce the value of Zero Trust to the everyday practitioners such as developers and engineers.
Cybersecurity teams cannot silo major decisions on how to go about implementing Zero Trust because the IT team may not have the skillsets that are required.
Many people are new to legitimately implementing a Zero Trust model throughout an organization. With any significant changes, the IT team needs to have the bandwidth and knowledge to work with new concepts or processes and support the software and hardware that are put in place to align with a Zero Trust architecture. Security must work with IT to understand what is possible in-house, what needs to be outsourced, and if there is budget available for those requirements.
Roles and Responsibilities
Another expectation to address early on in the planning phase is agreeing upon roles and responsibilities that come along with new or re-established processes and technologies. When you are developing your Zero Trust ecosystem, you must work with IT to clearly define who is doing what and discuss the admin roles around each component.
Step 3: Explain How IT Can Benefit from Zero Trust
Implementing a Zero Trust model is not just beneficial for security, but it also creates process efficiencies that benefit IT and makes their jobs easier in the long run. Here are several examples that you can communicate to IT team members.
Security and IT stakeholders both share a common goal to protect the business as much as possible. Reducing risk is an obvious benefit, but you can look at this at a more granule level. Breaches are extremely costly and resource intensive to mitigate for all teams involved.
With any compromised system, there is a ton of work behind the scenes that IT has to do such as pulling the machine out of service, deploying a replacement, changing processes, and more. Lessening the potential for a breach, goes hand-in hand with saving time, money, and resources for the IT team.
It’s critical that organizations leverage tools and technologies that enable automation and orchestration across the enterprise to increase positive command and control of the infrastructure. This is a vital piece to Forrester’s extended Zero Trust ecosystem.
Plus, if you can implement automation appropriately throughout your technology and processes, this will lead to huge efficiency gain for the IT team. You can improve things like user onboarding, streamlining rules and responsibilities, removing unnecessary admin rights and privileges, and more.
For example, LogRhythm’s CSO, James Carder, successfully implemented a Zero Trust model which measurably improved various operations that IT relied on:
“We identified that 60% of our IT tickets were based on moves, adds, and changes related to employees’ users and their roles. Using ADP as the single source of truth and automating the provisioning, deprovisioning, and changing of users and roles, we’ve eliminated this workload from our IT department.” – James Carder
Manage BYOD Issues
Developing a Zero Trust ecosystem allows security and IT to better handle bring your own device (BYOD) issues. Especially with a remote workforce, employees may break the rules and policies that stakeholders have put in place when accessing sensitive information on certain hardware or applications. Creating a Zero Trust strategy helps leaders get more granular about what applications are available to certain employees, ensure that people aren’t using their home machines to do work, and verify that the hardware procured by the organization is being used by legitimate employees.
Implementing a Zero Trust architecture helps to flatten out the technology stack, normalizing and centralizing the way you look at application and hardware challenges that IT faces.
You can do things like eliminate independent VPN controllers, appliances, and clients, to reduce work with endpoint management. Each platform requires IT’s support, maintenance, policy creation, and more. Ultimately, streamlining technology helps to lessen the attack surface and reduce the burden on IT.
Reduce Dependencies and Maintenance Costs
Reducing dependencies, maintenance costs, and licensing on software such as VPNs or corporate perimeter firewalls can help subsidize the cost for more effective technologies that will improve IT operations.
CIOs often get measured on process efficiency and standardization that reduces overall cost for the business. When implementing Zero Trust components, you may have to invest upfront in some technologies before pulling back on outdated legacy infrastructure, but it is possible to reduce overall costs and enable revenue growth for the future.
Implementing a Zero Trust model also helps IT with compliance assessments. Auditors will have a clearer picture of the data architecture and flow diagrams, which can save time throughout the auditing process.
Step 4: Create a Shared Project Plan with IT Stakeholders
From the beginning of your Zero Trust implementation, security and IT should work together to come up with a robust project plan and roadmap. Your timeline, initiatives, and priorities will depend on the size, complexity, and maturity of your organization.
LogRhythm’s CIO, Rex Young, also suggests that organization’s looking to implement a Zero Trust model should “challenge the people or software they are partnering with to produce a lot of the roadmaps and project plans.”
Not all IT teams are experts in deploying Zero Trust, but the vendors you are partnering with can bring a lot of insight to the table. Security and IT can hold vendors accountable to assist with project planning and to ensure reasonable expectations are outlined. Ask questions like:
- What does the implementation process look like?
- What are the key risks moving forward?
- Knowing our business model and company size, how long will implementation take?
- What kind of resources will we need to get the job done?
Implementing a Zero Trust model takes substantial planning, budgeting, delegating, and persuading stakeholders before any project can start. Security and IT should collaborate and get aligned really quickly if you want to have a faster turnaround on your journey to Zero Trust.
To save your valuable time, LogRhythm put together a package of templates to help you create, delegate, and manage your Zero Trust project initiatives and deliverables.
Get Started with Your Zero Trust Implementation
Completely transforming your technology infrastructure does not happen overnight. Implementing a Zero Trust model will require significant time and patience. You’ll need to gauge your Zero Trust security, unwind the tangled mess associated with an established legacy network, and understand the risk to the business before you can develop a new security model.
You will also face unique challenges along the way as an organization where you will have to reassess your project plans and timelines. LogRhythm started its journey to Zero Trust back in 2018 and encountered numerous roadblocks such as budget being pulled, people shortages, and even a global pandemic. Ultimately, the strong relationship between security and IT helped stakeholders to move the project forward as efficiently as possible, despite all of the obstacles.
If you’re interested in learning more about solidifying your Zero Trust strategy, tune into this webinar featuring James Carder and Forrester Analyst, David Holmes. It will provide a lot of insight on how to formulate your Zero Trust ecosystem. You will also hear firsthand from Carder on the lessons he learned while implementing Zero Trust at LogRhythm.