Successfully implementing a zero trust architecture can oftentimes be a challenge for organizations, especially when there is a lack of buy-in at the executive level. To help clear that kind of hurdle, Federal officials say the secret sauce is developing a zero trust business case.
During a Jan. 27 webinar hosted by ATARC, Federal officials explained that zero trust is as much of a cultural pivot as it is technical.
“One of the core aspects of any kind of zero trust, just education … is talking about the evolution into zero trust capabilities within your environment being something that you need to put forth in the terms of a business case,” Martin Stanley, the strategic technology branch chief, Office of the Chief Technology Officer at the Cybersecurity and Infrastructure Security Agency (CISA), said.
“Thinking about it from the perspective of putting a business case together, I think that’s probably the best thing to do,” he added. “And if you don’t know how to do that, I think that’s probably a good time to find someone within the organization that does.”
Stanley explained that the business case doesn’t need to be “over the top.” Rather, he said, a good place to start is to outline what kind of investments are needed and what the gain would be to the organization. Including numbers will make the business case “even better,” he said.
Grant Dasher, an identity and access management expert at CISA, said he is also familiar with the challenges of funding zero trust efforts, but stressed there are ways to find a solution.
“If you can get executive consensus that a particular step is the right thing to do, there’s usually ways to make progress,” Dasher said, adding, “you know, once you have that business case and you have the necessary level of executive support to move forward.”
To gain buy-in from the executive level, Beau Houser, the chief information security officer at the U.S. Census Bureau, recommended that Federal agencies tie zero trust to their cloud transition goals.
“Cloud service providers are building more and more zero trust capabilities natively into their cloud services, and then third-party vendors are also making their services more cloud-native as well,” Houser explained. “So, as you transition to the cloud, make sure you enable some of the zero trust capabilities as part of that.”
