Why Worry About Zero Trust?

Stephen Nardone

By 2026, organizations prioritizing their security investments via a continuous threat exposure management program will suffer two-thirds fewer breaches.* Zero Trust is all about keeping threat and risk in check. As threats emerge, they give rise to potential risks, and if unaddressed, these risks can culminate in breaches or compromises. This progression is essentially inevitable.

The transition from a traditional brick-and-mortar organization to a remote work or hybrid environment has introduced significant threats and risks that have now become our new normal. Unfortunately, gaps in business continuity planning and the challenges associated with extending corporate cybersecurity protocols to untrusted networks have resulted in unchecked vulnerabilities.

Various factors contribute to the evolving security landscape: changes in how we conduct business, the locations from which employees connect, the devices they use, their methods of accessing critical business systems, and their susceptibility to social engineering tactics. Together, these factors have a significant impact on security risk management and the potential for compromise.

We find ourselves at a crucial juncture in the execution of cybersecurity programs. Organizations are now insisting on a comprehensive framework encompassing architecture, technology, processes, and policies that align with the principles of Zero Trust.

What Is Zero Trust?

Simply put, Zero Trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly and must be continually evaluated. It establishes the policy that no identity, no system, and no process is allowed to connect to an organizational resource without passing the required policy checks for identification, authentication, and authorization.

The policy applies regardless of an individual's title or role, and regardless of physical or logical location (whether outside or inside a perceived perimeter). Zero Trust is a marathon, not a sprint. It provides a set of guiding principles that can then be translated into architecture to meet an organization’s specific threat and risk needs.

How to Achieve Zero Trust

Organizations need to define and document what is required to understand and achieve a given level of Zero Trust Architecture, and establish a timetable for implementation. Each step is essential to the process and must be accomplished for all business functional units (BFUs) and organizations required to achieve a level of Zero Trust. Key stakeholders need to collaborate to establish a roadmap that includes evaluating existing technology, processes, and policies to define a path forward, including:

• Baseline the level of understanding of Zero Trust across all necessary BFUs
• Provide knowledge transfer to ensure all BFUs are at the same baseline
• Define the level of sponsorship and participation required by the BFUs to achieve Zero Trust objectives
• Identify and prioritize the business and security risks and their impact on achieving Zero Trust objectives
• Develop and present detailed findings to all BFUs and stakeholders

Organizations that invest in development of a Zero Trust Architecture will be better prepared to cost-effectively manage the never-ending cybersecurity threats that surface daily. Reach out to your Connection Account Team to learn more about Zero Trust Architecture and the solutions we provide.

Stephen Nardone, CISSP, is Director of Security Practice at Connection with over 38 years of experience on both the government and commercial sides of the security business.