With siloed organizations and a widespread lack of cyber awareness, the country needs to go back to basics for ZTN success.
Although the term “zero trust” may appear to be negative, the fact is that trusting any element of an IT landscape is not the right approach. Cyberattacks are no longer just about losing crucial data or experiencing protracted disruptions: they have taken on a new dimension in terms of impact, and every organization should be thinking about how to improve its security on a regular basis.
Internal threats are clearly the root cause of the majority of cyberattacks in today’s world. They can be targeted or intentional, or they can be due to negligence or a lack of awareness, but organizations cannot afford to take any chances.
Yes, it will take time, effort, and money, but considering the risks associated with compromised security frameworks, adopting zero trust principles will undoubtedly be worthwhile.
In India, implementing a zero trust network can be a massive affair. According to Sugeesh Subrahmanian, Associate Director, IT Services & Cloud Infrastructure Services, Speridian Technologies: “Instead of looking at the pinnacle we may need to reach back. I will advise every CIO/CISO to focus on little, consistent efforts toward reaching zero trust networking one day.”
Every staff a stakeholder
According to Radhakrishnan Pillai, CIO, SRL Laboratories, zero trust architecture requires organizations to continuously monitor and validate that users and their devices have the right privileges and attributes. It also requires enforcement of policy that incorporates risk of the user and device, along with compliance or other requirements to consider prior to permitting the transaction. “One-time validation simply will not will not suffice, because threats and user attributes are all subject to changes,” he said.
This means we have to rethink our approach, and if we place the users and data at the center of the strategy, we can abstract away some complexity, and have security that follows the user and the data wherever they exist.
Added Amit Shah, CEO, TAS Technologies: “Modern security landscapes change frequently, and the explosion of third-party vendors, evolving technologies, and a continually expanding mine-field of regulations challenge organizations.” Therefore, managing cyber risks across the enterprise is harder than ever, so some key risk management action components must always be top-of-mind:
- Development of robust policies and tools to assess vendor risks
- Identification of emergent risks, such as new regulations with business impact
- Identification of internal weaknesses such as lack of two-factor authentication
- Mitigation of IT risks, possibly through training programs or new policies and internal controls
- Testing of the overall security posture
- Documentation of vendor risk management and security for regulatory examinations or to appease prospective customers
Against this backdrop, it is critical for organizations to employ a Risk Management Process. Identify and assess risks, then choose a mitigation strategy and continually monitor internal controls to align with risk control, said Shah. “Keep in mind, re-assessment, new testing, and ongoing mitigation should always play a prominent role in any risk management initiative. However, with the help of analytics, collaboration/communication/issue management tools, and third-party risk management frameworks, smart and successful organizations will continue to hold their own in the battle to manage IT risk and maintain cybersecurity across the enterprise.”
It is clear that cybersecurity risk management is no longer just the job of IT: everyone in the organization has a role to play. Often siloed, employees and business unit leaders have viewed risk management from their business standpoints, but they now must gain a holistic perspective to address risk in a comprehensive and consistent manner.
Only then will organizations be successful in adopting zero trust and all its requisite controls, supervision, protections and responses.
Moving forward
According to Ramesh C.R, CEO, Safezone Secure Solutions, in the pre-pandemic days, CIOs had a tough time convincing management to allocate a separate budget for data protection. However, this has changed over the past two years.
The myth that cybersecurity vigilance is meant only for large organizations has been put to pasture. Today even a small restaurant chain taking up orders via smart devices is exposed to great cybersecurity threats similar to those faced by larger organizations. “Thus I feel that cybersecurity or zero trust for that matter is not an individual responsibility. It has to be a part and parcel of any organization in India. I feel we are in a phase of customization. Every single sector discusses different cybersecurity threats. So the Indian channel community should be smart enough to provide tailored solutions for every single account,” he concluded.
Finally, we need to remember that, with the rise of cloud computing, remote-working and rapid application development, IT teams no longer control many of the systems, networks and devices that an organization deploys. It is now even more important to consider cybersecurity in terms of users, devices and processes as a singular entity to protect. They can no longer be decoupled and treated separately. This can be best thought of by abstracting away infrastructure and systems, and elevating cybersecurity to center around the data and users who work on that data.