As the threat landscape increases and businesses look for competitive advantages in digital-based initiatives, cybersecurity is recognized as a business imperative, enabler and foundational in maintaining trust with customers. But in those organizations where this is yet to be acknowledged, CISOs may struggle to sell the additional benefits that a cyber strategy with zero trust principles and frameworks can bring - including the enablement of the people and organizational policies around hybrid working, safe digital transformation, better overall business continuity, agility and resilience, and the simplification of a consistent user experience.
Businesses often push back on security initiatives out of fear that the controls being implemented will make things more complicated for the business or affect user experience. However, zero trust is an option that can improve this, all while providing the right key controls needed to safeguard a modern enterprise.
As a result, it’s up to CISOs to pitch its many benefits to the C-suite and bring business leaders through the organizational change process. It is critical that organizational leaders from all departments (not just technology) understand why zero trust is more than just security—it’s a critical business imperative.
Heng Mok is CISO for AJP at Zscaler.
Pitching to the CEO (and senior executives)
When pitching zero trust to the CEO, it’s important for CISOs to approach this from a number of angles. The security strategy perspective is central to the pitch, however, in order to sell the bigger picture, it's also critical to outline and educate on the operational and commercial benefits of zero trust and how it can feed positively into other organizational strategies, such as technology and business unit strategies along with shared services such as people, culture and finance.
Business conversations around the benefits should be commercially focused and in the context of the business to explicitly outline how a zero trust architecture aligns with the CEO’s and executive team’s key business performance indicators and goals. Here, it is critical to communicate those benefits to gain the endorsement and buy-in needed before pitching to the board.
CISOs should not be constrained with identifying the best delivery vehicles to fund their cyber initiatives, whether it is a business initiative, technology initiative or part of a dedicated cyber program. Zero trust initiatives can be incorporated into network simplification programs that organizations already have in place to enable operational efficiencies and reduce technical debt - from hardware lifecycle management to optimization of staffing on higher value technology tasks. Due to this, the zero trust initiatives can improve the business value and help meet the goals around maintaining costs, driving broader efficiencies and complementing the selection of strategic platforms the business has already invested in.
In terms of the impact on capital and operational expenditure, the deployment of zero trust can help the cyber team capitalize on two major benefits. Firstly, the team is able to hire the best staff as a result of an inherent operating model focused on high-value security tasks such as policy optimization, rather than lower-value tasks such as patch management. From a threat perspective, the zero trust architecture allows organizations to be more business agile in terms of meeting future business needs, as well complementing and integrating into existing controls. This provides control harmonization for an organization to obtain the most value from its security control investments.
Selling the overall vision of having synergies in one area and business benefits in another, outlining the delivery vehicle and funding options while highlighting the value of technology simplification and risk reduction is key.
Pitching to the board
The board is not operationally focused, their goal is to ensure that management is competent and executing based on the right strategic business outcomes. In terms of cyber, the board and audit and risk committee is focused on ensuring that the business is operating within risk tolerance and appetite and has the right controls in place to maintain this appetite in a sustainable manner. Here, the focus for the CISO in pitching zero trust concepts to the board should pivot around two key pillars: education and governance.
The education piece might include a general awareness piece on zero trust, looking at recent real-world breaches overlaid by the ways that a zero trust architecture and controls work to reduce risk at a macro level. Outlining the continual threat landscape in simple business terms that will resonate with those who don’t have technical backgrounds as part of an ongoing awareness campaign will work to educate the board on the value of cyber in building trust. At the same time, it demonstrates proactiveness from management instead of reacting to a situation.
The governance piece should include Key Risk Indicators demonstrating the effectiveness of the controls in managing operational risk utilizing both quantitative and qualitative risk methods.
CISOs generally have one chance to build confidence with their board, and that should happen in the first pitch. To be successful, the pitch should first go through the appropriate management stage gates to ensure the executive team is supportive and understands why zero trust is necessary. Here, it is crucial to discuss the overall idea in business language, contextualizing and conceptualizing the technology in ways that the group understands based on their knowledge of the industry.
Conclusion
While ensuring the CEO and board pitches are successful, another critical part of the puzzle is backing from the key business stakeholders and executives. Understanding different business needs across the organization's sectors and being able to apply a security lens on top of that is a key mechanism for driving value.
Successfully scaling security across an organization requires support from many different leaders. Building up champions in different business areas is critical for scaling and amplifying the security voice. Maintaining those relationships, demonstrating metrics and providing them with information and transparency solidifies the culture of the organization collectively understanding why it matters and what its value is.
Zero trust offers a range of significant benefits that make it an unmissable business imperative to executive leaders and the board. Aside from the well-known security aspects, through deploying zero trust, organizations can have an improved employee experience, safely undergo digital transformation and enhance business capabilities which influence stronger performance and enable better overall business outcomes as a result.
