“Saving Face” as a CISO: Let Zero Trust accelerate change
Jun 23, 2021
With the delayed 2020 Summer Olympic Games in Tokyo coming up in a few weeks, I started to reflect on my past work experiences in the “Land of the Rising Sun.”
In 2014, I was in Yokohama and Tokyo. With extensive experience traveling and assimilating into different cultures, I found Japan a complex world of business rituals, meeting protocols, translators, and negotiation playbooks.
Over four months, I led a sizable outsourcing contract negotiation (“quick,” by Japanese standards). In Japan, senior executives talk very little. Team members hammer out a contract while you courteously and silently smile at your senior counterpart strategically positioned at the opposite end of the negotiating table.
After we struck a deal, I met separately with my counterpart in a private room for a concluding tea ceremony. Here, through a translator, we both re-negotiated the terms of the deal on the fly. After two hours, we reached an amicable agreement.
Later that evening, I asked my translator and team whether this was a common process. (Yes, it is.) They explained many of the fascinating idiosyncrasies of Japanese culture. One of Japanese society’s most essential and crucial cultural pillars is “saving face” (mentsu wo tamotsu).
How does this relate to leading cybersecurity experts and the global community of CISOs? CISOs have been fighting a front-line battle against increasingly sophisticated cyber attacks and threats deployed by independents, cooperative cells, and nation-state actors for the last few years. The result has been massive data leaks, a staggering rise in ransomware, and security configuration mistakes that led to media headlines.
The old and the new
Pragmatic CISOs responded by building bigger perimeter walls that include DDoS protection, cross-site scripting protection, email inspection, detonation chambers, attack surface reduction, and a growing variety of complex devices. A wholesale shift to cloud computing has frustrated security teams by making the perimeter more fluid, difficult to define, and hard to manage.
Some CISOs focused on securing network workloads: “Let’s segment the network, increase monitoring tools, add a SIEM, password vaults, identity tools, firewalls, and web application firewalls.” The goal was to prevent unwanted access and lateral movement.
Data protection became the next focus, using classification schemes, crown jewel protection, encryption, and data loss prevention technologies. If there was still an appetite for more cyber protection spending, attention moved to applications with secure coding practices, health assessments, increased logging, and two-factor authentication access technologies.
Obtaining security funding is a hard road, with hours of education, justification, planning, and execution strategy. Boards and executive teams ask, “Is there any end to the rate and pace of cyber funding?” Cyber funding can cause tension by seemingly diverting resources away from much-needed “strategic” priorities—despite ample evidence of existing cyber threats.
The COVID-19 pandemic supercharged every organization’s digital agenda with drastic immediacy. Technology teams hurriedly delivered work-from-home strategies at scale and rushed new capabilities forward to adapt to this new forced reality. Most companies expanded their brittle VPN remote access capabilities. Virtual infrastructures were overwhelmed and challenged. Cyber teams were so focused on immediate, short-term needs such as operational stability and employee productivity that they hardly noticed the profound shift occurring within their industry.
I first noticed (and brought to my organization’s attention) Zero Trust Architectures (ZTA) about 24 months ago. I felt it was a game-changing technology. Since then, ZTA has garnered a cult-like status, with a meaning that seems to be shapeshifting. A lot of vendors are jumping on the bandwagon.
What is really happening?
Cloud-consumed Zero Trust
I first met Zscaler CEO Jay Chaudhry when I was a Global CIO for a large financial institution. He sat in my office and explained Zscaler’s vision and roadmap. It made sense and resonated with a video I had just shot a week earlier, where I articulated the following wish list:
- A modern workplace that provided secure access from anywhere, with rock-solid user connectivity and a superior productivity-based experience for our highly distributed mobile workforce
- An adaptable security fabric—a fancy term for an environment that was change-friendly, flexible, but secure against threats and data exfiltration
- An intelligent network edge that provides secure connectivity for users, branch offices, and headquarters no matter where connections began and terminated
Like many leaders in large organizations, I had just started to chip away at our legacy application portfolio: A collection of highly inefficient workhorse platforms that were (unfortunately) architected in another era. I knew that LAN and SD-WAN investments would have a short shelf life. Instead, I implemented a zero-trust-based cloud security solution: Zscaler Private Access (ZPA). It allowed me to retire numerous firewalls that didn’t inspect any traffic and expensive Web Application Firewalls (WAFs) that attempted to protect legacy apps through a complicated collection of inflexible and nested rules.
Many companies experience an unproductive turf war between cybersecurity professionals and network engineers as they deal with rapid cloud adoption, remote users, and the pandemic. This fractious relationship often escapes the attention of senior management, who then must choose between two seemingly competing methodologies.
There are many acronyms to support each path forward. Do you use Cloud Security Posture Management (CSPM) or Cloud Infrastructure Entitlement Management (CIEM)? Have you configured each cloud resource to ensure compliance and a strong security posture, or do your identities hold wide-ranging, unused, liberal, risky, and inappropriate permissions that pose a risk to your organization?
In short, should we secure the infrastructure (configuration) OR should we secure through access (identity)?
Let’s do both
ZTAs can bridge the gap between these camps. Zero Trust is all about using identity and contextual policy.
What does that mean? It means you can scrap the clunky and vulnerable VPN infrastructure and connect the right (i.e., authorized) user to the right application. ZTA does NOT connect the user to the network, which eliminates lateral movement and so reduces threats and risk. These restricted connections can be between users and apps, IoT devices and data lakes, users and financial models, apps and apps, etc.
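To make the “let’s do both” point concrete, here is an added example (my own illustration, not code from the author or from Zscaler) of a small policy decision point that brokers a session to a named application only, never to a network range. It combines the identity side (group entitlements, MFA), the context side (device posture), and the configuration side (a posture record for the application itself), and it also includes the CIEM-style review of granted-but-unused entitlements raised in the CSPM/CIEM question above. All users, groups, applications, posture fields, and log entries are constructed for the example and do not reflect any vendor’s schema.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Identity:
    """Who is asking: the authenticated user and the groups the IdP asserts."""
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool


@dataclass(frozen=True)
class DeviceContext:
    """Context reported by the endpoint (constructed fields, not a vendor schema)."""
    managed: bool
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class AppPosture:
    """Configuration state of the application itself (the CSPM side of the question)."""
    tls_enforced: bool
    publicly_exposed: bool


@dataclass(frozen=True)
class Policy:
    entitlements: Dict[str, FrozenSet[str]]  # application -> groups allowed to reach it
    mfa_required: FrozenSet[str]             # applications that additionally need MFA


# Constructed sample policy and posture inventory.
POLICY = Policy(
    entitlements={
        "payroll": frozenset({"finance"}),
        "wiki": frozenset({"staff", "finance", "contractors"}),
    },
    mfa_required=frozenset({"payroll"}),
)
POSTURE: Dict[str, AppPosture] = {
    "payroll": AppPosture(tls_enforced=True, publicly_exposed=False),
    "wiki": AppPosture(tls_enforced=True, publicly_exposed=True),  # drifted: exposed directly
}

Decision = Tuple[bool, List[str]]


def request_access(identity: Identity, device: DeviceContext, target: str,
                   policy: Policy = POLICY,
                   posture: Dict[str, AppPosture] = POSTURE) -> Decision:
    """Broker a connection to a named application, never to a network.

    Returns (allowed, reasons). Every check is default-deny: a target the broker
    does not know has no route at all, whatever the caller's identity.
    """
    allowed_groups = policy.entitlements.get(target)
    if allowed_groups is None:
        # A CIDR such as "10.20.0.0/16" is not an application; nothing to connect to.
        return False, [f"no application named {target!r}: no route exists"]

    reasons: List[str] = []
    # Identity: entitlement and step-up authentication.
    if not identity.groups & allowed_groups:
        reasons.append("identity not entitled to application")
    if target in policy.mfa_required and not identity.mfa_verified:
        reasons.append("MFA required for this application")
    # Context: the device the session originates from.
    if not device.managed:
        reasons.append("unmanaged device")
    if not device.disk_encrypted:
        reasons.append("disk not encrypted")
    if not device.os_patched:
        reasons.append("OS not patched")
    # Resource posture: the application must itself be in a compliant state.
    app_posture = posture.get(target)
    if app_posture is None:
        reasons.append("no posture record for application")
    else:
        if not app_posture.tls_enforced:
            reasons.append("application does not enforce TLS")
        if app_posture.publicly_exposed:
            reasons.append("application is directly exposed; brokered access only")
    return (not reasons), (reasons or ["allow"])


def unused_entitlements(policy: Policy,
                        access_log: Iterable[Tuple[Identity, str]]) -> Dict[str, FrozenSet[str]]:
    """CIEM-style review: which granted groups never produced a brokered session?

    access_log holds (identity, application) pairs for sessions that were allowed.
    Groups present in an entitlement but in no session are candidates for removal.
    """
    used: Dict[str, set] = {app: set() for app in policy.entitlements}
    for identity, app in access_log:
        if app in used:
            used[app] |= identity.groups & policy.entitlements[app]
    return {app: frozenset(groups - used[app])
            for app, groups in policy.entitlements.items() if groups - used[app]}


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"finance", "staff"}), mfa_verified=True)
    bob = Identity("bob", frozenset({"staff"}), mfa_verified=False)
    managed = DeviceContext(managed=True, disk_encrypted=True, os_patched=True)
    print(request_access(alice, managed, "payroll"))        # allowed
    print(request_access(bob, managed, "payroll"))          # denied: not entitled, no MFA
    print(request_access(alice, managed, "wiki"))           # denied: app posture drifted
    print(request_access(alice, managed, "10.20.0.0/16"))   # denied: no such application
    print(unused_entitlements(POLICY, [(alice, "payroll"), (alice, "wiki"), (bob, "wiki")]))
```

Two design choices carry the article’s point. First, the broker’s catalogue is keyed by application name, so a request for a network range cannot succeed no matter how strong the identity is; that is the “connect user to app, not to network” property that removes lateral movement. Second, a fully entitled user on a compliant device is still refused when the application’s own posture record shows drift (here, the wiki exposed directly), which is how configuration checks and identity checks reinforce each other rather than compete.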
ZTA is like Star Trek’s cloaking device: your network is hidden, and attackers can’t attack what they can’t see. ZTAs make the attack surface area disappear. Apps become invisible.
Not all organizations have a cloud-native, cloud-only footprint, however. One of my biggest hurdles was, “What do I use for my legacy data center assets?”
Over the last decade, Zscaler has built a cloud-based Zero Trust security platform: the Zero Trust Exchange. ZPA and Private Service Edge (PSE) drop Zero Trust capability right into your data center and provide a front end for your rigid and inflexible legacy apps.
Large organizations can now connect consumers seamlessly to authorized apps instead of the corporate network. Apps become invisible with no surface area to attack. A cloud-based proxy architecture is used to hold, examine, and enforce security policies across all traffic and access.
Zero Trust Architectures allow you to retire costly telco and VPN services while simplifying and retiring network segmentation tools such as firewalls and WAFs. In some organizations, IT executives could self-fund their Zero Trust journey using an accretive business case and the chance to offer back much-needed operational run-rate savings.
Let’s return to Japan: After making efforts to secure funding, present a compelling argument, and deliver adequate cyber protection, can CIOs and CISOs react quickly to the sea-change within their industry? Or will they try to “save face” and remain on their hard-fought investment path that is rapidly becoming obsolete? Many senior IT executives can use this shift to align their cyber architecture transformation direction with HR-driven initiatives to deliver a better work-from-home experience. Some are diverting real estate footprint reduction savings to fund secure digital transformation that delivers a safer, more reliable, and enhanced remote access experience.
Others are ignoring the change and hoping that Zero Trust is a buzzword that will go away. Look at what Zscaler is doing in this space, and pay attention to organizations like Microsoft, IBM, Splunk, and others partnering with Zscaler. Pay attention to the customers moving to ZTA. There is real momentum and substance to Zero Trust. In a recent survey, 82% of CISOs stated that they are accelerating their investments in ZTA over the next 12 months.
Is it time you took a deeper look at ZTA? Challenge your security investments and have tough conversations about changing your current strategy. Remember, “saving face” is not an option!