Digital Business

Adopting a zero trust mindset: best practices from leading IT executives

Apr 25, 2022
APAC Virtual CXO Summit

According to threat intelligence from IBM, Asia Pacific was one of the most attacked markets in the world in 2021, with Japan, Australia, and India bearing the brunt of these threats. Scott Robertson, SVP APAC and Japan at Zscaler, weighs the challenge of this moment for leaders, stating that, “…against this backdrop, it’s more important than ever to entertain new ideas to protect ourselves from these adversaries.”

On Wednesday, April 20, 2022, we hosted the “APAC CXO Summit: Adopting a Zero Trust Mindset.” (View it on-demand here.) Senior IT executives across multiple sectors joined us to share key learnings from their transformation journeys: obstacles to adoption, how to overcome them, implementation best practices, and C-level benchmarks. 

Tata Consultancy Services makes the most of a crisis

Vishwas Joshi, Global Head – Technology Services & Tech Infra Finance Internal IT IS at Tata Consultancy Services (TCS), kicked off the session with insights on driving zero trust adoption during a crisis. He stressed how security rapidly went from an overhead expense to a board room priority.

As everyone is well aware, he pointed out that the pandemic suddenly changed the face of the corporate work environment. Employees were working from home and required access to software-as-a-service (SaaS) applications and other cloud services. This resulted in the dissolution of the enterprise network perimeter. Corporate operations security went from an IT-based operation to an identity-based operation. “Identity defined what you could or could not access and from which devices. The mix of both – and the orchestration around it – helped us immensely in making our decision to adopt a zero trust architecture," Joshi related. 

With IT and security teams on board, the next hurdle was getting CFO support. Joshi, who also manages internal IT finance, focused on tangible business benefits, such as “the impact on brand image, speed to market, scalability, and orchestration of a more intuitive and identity-based solution.” 

As a technology leader in APAC, TCS has the dual responsibility of ensuring their infrastructure is secure and accomplishing the same for their customers. “When you are outsourcing or partnering on the security side, choosing the right partner is very important because supply chain attacks can become the conduit for your infrastructure to get compromised. Selecting a partner is life and death from the enterprise IT perspective. We chose the right partner – Zscaler – and we will continue to work with you.”

Wipro leverages partner knowledge for successful implementation

After 25 years at Wipro, Rohit Adlakha was up for a promotion. Adlakha received a call from his CEO congratulating him on his new CIO role and offering this advice: “The only way to lose your job is if there is an attack on the company.” When Adlakha became CIO, security and risk ascended to a board-level priority. As Chief Digital and Information Officer and Global Head of Wipro HOLMES™ (formerly), Wipro Limited (formerly), he redefined the charter of IT. In doing so, the idea of zero trust germinated.

Despite the board’s support, Adlahka noted that “Every new concept has a lot of resistance internally.” But after a massive cyberattack on a peer company, management wholeheartedly supported the new direction. 

To build organizational confidence and reduce upfront financial impact, Wipro began with a step-based pilot program, involving small groups across multiple geographies and departments. Adlahka summarized key learnings from the pilot program:

  • Overcome the IT mindset challenge by balancing internal and outsourced controls. 
  • Find a dependable partner to scale critical transactions.
  • Lean on your partner’s best practices to ensure a shorter learning curve.
  • Quantify the benefits of reduced cyberattacks and the impact on brand and revenue.

Adlakha recalls a conversation with Zscaler Founder and CEO Jay Chaudhry and how it helped his decision to embark on the zero trust journey. Ultimately, as Adlakha acknowledges, “Cybersecurity is based on trust, and trust starts with human beings. You have to depend on the people you interact with and trust them implicitly before you can let go of your control. Overall, it’s been a fantastic journey, and one of the most successful implementations we’ve done.”

BDO takes the entire organization on a zero trust journey

At BDO, the largest bank in the Philippines, security is a shared responsibility across the organization. Head of IT Infrastructure and Operations Paul John Siy sees security as a quality metric that belongs in every business initiative. 

“As a bank we’re trusted by our clients, and it’s our responsibility to make sure their data and identities are as secure as possible. Everyone at the company understands the importance of security, and our CEO is very supportive of that,” Siy notes. 

Siy pointed out that it was easy to see the ripple effects of this mentality and top-down approach to the bank’s zero trust implementation. 

His team started by defining what they wanted to achieve in the cybersecurity program to ensure safety from both internal and external threats. Next, they established policy-driven strategies, which guided their decision-making about which tools and technology would support these policies. 

The bank’s goal of frictionless and seamless security was measured against two key factors: 

  • Did zero trust make the way they interface with customers simpler and easier? 
  • Did it improve their internal journey?

Throughout this process, communication was key to their success. “C-level technical leaders need to make sure people know what zero trust means, that it’s for them,” he suggested. “Help them understand what you’re trying to achieve. Bring them with you on that journey. It’s not just an IT initiative, it’s an initiative to secure the entire enterprise.” 

Allcargo learns quickly in the face of an attack

Allcargo Logistics, a market leader in the less-than-container load business, was focused on consolidating its data centers when a ransomware incident accelerated its  move toward a zero trust architecture. Chief Information Security Officer Mihirr P. Thaker shared his process of playing cybersecurity catch-up.

“We started from the ground up – from putting all the necessary frameworks in order to taking   steps toward a ‘trust-but-verify’ approach. Security for us is an enabler function to provide assurances to stakeholders,” Thaker explained. The organization’s goal was to reduce as much friction as possible for their customers.

“Zero trust is like eating the elephant – one bite at a time,” he continued. “We took a combination approach, working closely with the infrastructure team to develop our strategy and setting expectations on when to collaborate and when to cooperate.” Using the National Institute of Standards and Technology (NIST) framework of identify, protect, detect, respond, and recover, Thaker and his team assessed the company’s application landscape, infrastructure footprint, and endpoints, which were spread widely across geographies.

Key to their success was agreeing, measuring, and reporting on defined metrics. Simplifying metrics for presentations to board with posture and exposure scores helps ensure that reporting becomes more objective and data-driven over time. 

Lean on best practices and learnings to lead change

Zero trust transformation requires a shift in mindset and skilled leaders to help internal stakeholders navigate uncertainty. At the summit, we explored best practices and benchmarking zero trust in hybrid work environments at TCS and Wipro. BDO showed us a top-down approach to building a zero trust architecture, starting with policy. And Allcargo Logistics inspired us with how quickly they could develop a zero trust architecture from scratch.

With the pandemic forcing work from anywhere, organizations have become more digital in nature and have had to adopt new cyber programs to combat threats and enable business during a period of change. Hearing from these executives helps the Zscaler community plan and prepare actionable steps to adapt their strategy.

What to read next 

Shields up! Why cybersecurity is urgent for every executive and board member, not just the security professional (event takeaways)

With no end in sight for ransomware, experts zero in on solutions 

Join us on Thursday, May 12 for the CXO Summit: C-Suite Zero Trust Fundamentals
8:00 am to 9:00 am PDT, 5:00 pm to 6:00 pm CEST