Why We Need People-Defined Cybersecurity

Forbes Technology Council

Barry Field is CEO of Appgate, a secure access company making life safer for users and harder for adversaries with Zero Trust solutions.

Zero trust has become a huge buzzword in the cybersecurity industry. At the last in-person RSA Conference two years ago, the number of vendors claiming to have zero-trust solutions had grown 50%. When we reconvene at that event in San Francisco this June, that number will probably be significantly higher.

Nearly every cybersecurity company out there claims to have a zero-trust solution, so how can you cut through the noise? What exactly is zero trust? What is it not?

Gartner summarizes it nicely: “Zero trust is a misnomer; it does not mean ‘no trust’ but zero implicit trust and use of risk-appropriate, explicit trust.”

When an organization makes the shift toward a zero-trust model, it adopts the doctrine to never automatically trust anyone or anything coming from either inside or outside its perimeter. Instead, the organization defines policies that determine what—and when—a user or device can access specific resources. And, importantly, those policies are not static, meaning they are not just enforced at the time of access but continuously monitored throughout the course of every interaction.
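The two properties in that paragraph, explicit policy with no implicit trust and continuous re-evaluation during a session, are easier to see in code than in prose. The following is an added illustration written for this page, not code from the article or from any vendor's product; the `Context` and `Policy` fields, the resource name `finance-db`, the roles and the user names are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Constructed request context: everything the policy engine knows at evaluation time.
# Field names are assumptions for this example, not a real product schema.
@dataclass(frozen=True)
class Context:
    user: str
    role: str
    device_compliant: bool   # endpoint posture check passed
    mfa_age_s: int           # seconds since the user last completed MFA
    clock: int               # current time in seconds, injected so the run is deterministic

@dataclass(frozen=True)
class Policy:
    resource: str
    allowed_roles: frozenset
    require_compliant_device: bool = True
    max_mfa_age_s: int = 3600

def evaluate(policy: Policy, ctx: Context) -> tuple[bool, list[str]]:
    """Explicit trust only: every condition must hold, and no role, not even an
    executive, bypasses the device or MFA checks. Returns (allowed, reasons)."""
    reasons: list[str] = []
    if ctx.role not in policy.allowed_roles:
        reasons.append(f"role {ctx.role!r} not permitted on {policy.resource}")
    if policy.require_compliant_device and not ctx.device_compliant:
        reasons.append("device failed posture check")
    if ctx.mfa_age_s > policy.max_mfa_age_s:
        reasons.append(f"MFA older than {policy.max_mfa_age_s}s")
    return (not reasons, reasons)

class Session:
    """An open connection that is re-checked whenever context changes, not only at login."""
    def __init__(self, policy: Policy, ctx: Context):
        self.policy = policy
        self.active, self.reasons = evaluate(policy, ctx)
        self.history = [(ctx.clock, self.active)]

    def refresh(self, ctx: Context) -> bool:
        # A revoked session stays revoked; the user must make a fresh access request.
        if self.active:
            ok, reasons = evaluate(self.policy, ctx)
            if not ok:
                self.active = False   # cut access immediately, do not wait for logout
                self.reasons = reasons
        self.history.append((ctx.clock, self.active))
        return self.active

def demo() -> dict:
    """Walk one session through a mid-connection posture change."""
    policy = Policy("finance-db", frozenset({"finance", "ceo"}))
    start = Context("barry", "ceo", device_compliant=True, mfa_age_s=120, clock=0)
    session = Session(policy, start)
    granted_at_start = session.active
    # Thirty minutes in, the endpoint agent reports the device fell out of compliance.
    drifted = replace(start, device_compliant=False, clock=1800)
    still_active = session.refresh(drifted)
    # Repairing the device does not silently restore the revoked session.
    repaired = replace(start, clock=1900)
    after_repair = session.refresh(repaired)
    # A role the policy never listed is denied up front, regardless of posture.
    intern_ok, intern_reasons = evaluate(policy, Context("sam", "intern", True, 10, 0))
    return {
        "granted_at_start": granted_at_start,
        "still_active": still_active,
        "after_repair": after_repair,
        "revocation_reasons": session.reasons,
        "intern_granted": intern_ok,
        "intern_reasons": intern_reasons,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the `Session` class is the second half of the paragraph: the policy is not a one-time gate. `refresh` is what a real enforcement point would call on every posture or identity signal, and the sticky revocation reflects the usual design choice that a session which has once failed policy is torn down rather than quietly resumed.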

Zero trust is a philosophy, not a technology tool that your IT team can install once and then move on. This philosophy requires a culture shift, which will have a massive positive impact on your organization’s security posture and your productivity.

Why is zero trust so important?

You might be thinking—but I trust my team implicitly, and shouldn’t a successful organization be built on trust?

Well, yes. And no. Because people are human, and they make mistakes.

A zero-trust security architecture wouldn’t trust me, as my company’s CEO, any more than anyone else. It creates a level playing field with a consistent security policy structure. To achieve your zero-trust objectives, you must invest in creating a shared and intentional culture of security that empowers everyone in the organization.

This is especially necessary as digital modernization has transformed organizations’ traditional IT architectures and their technology environments evolve from legacy, static systems and applications to dynamic, cloud-native, distributed solutions. The traditional firewall-based security perimeter no longer exists. Now, the perimeter is people—wherever they work and on whatever device they use to connect to their organization’s network and resources.

Consider these numbers. Ninety-four percent of organizations are extensive or moderate users of public cloud, according to ESG. By the end of this year, about 75% of enterprise organizations using cloud infrastructure as a service (IaaS) will adopt a deliberate multicloud strategy, up from 49% in 2017. IDC estimates there will be close to 56 billion connected devices worldwide by 2025. These factors significantly expand organizations’ potential attack surface, leaving them more exposed to a growing volume of cyberthreats.

As these issues reshape the way people work and increasingly sophisticated threat actors look for inevitable human error and system gaps to exploit, a zero-trust security model can help organizations support security that is people-defined rather than perimeter-based.

Where to begin?

Embracing a zero-trust philosophy is a huge cultural shift, but it’s certainly not insurmountable. There’s a maturity curve, and every journey begins with a single step. The important thing is to get started. Here are some tips for setting you on your way.

1. Don’t try to go it alone. The first step is to learn as much as you can—connect with peer organizations in your industry to glean their lessons learned. Engage with industry organizations like the Cloud Security Alliance and consult with analyst firms like Forrester and Gartner that have covered the zero trust network access (ZTNA) space extensively and can connect you with the technology providers that can help guide you on your journey.

2. Take stock. Before you can protect your network and resources, you need to understand what you’re protecting. Conduct an audit of your network components, IT infrastructure, cybersecurity tools and applications. Determine where they reside, who manages them and what your highest-value assets are.

3. Get buy-in. A successful zero-trust strategy implementation requires buy-in from executive leadership—change must come from the top-down. Provide your leadership with a comprehensive overview of the ramifications of a security breach, including lost productivity, financial cost and reputation damage, as well as a clear description of the benefits that would be achieved through shifting to zero trust—including improved data protection, reduced risk, greater agility and enhanced productivity.

4. Make a plan—but know that there is no finish line. You don’t need to—and shouldn’t—try to tackle everything at once. Start with defining policies around your most critical infrastructure and high-value assets. Consult guidance like the National Institute of Standards and Technology’s (NIST) Special Publication 800-207 and the Cybersecurity & Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model for roadmaps that will help break your journey into more manageable pieces. It’s also important to understand there is no end point; your zero-trust program will continue to evolve as your business priorities evolve.

5. Focus on user education every step of the way. Zero-trust security is not just about technology. To be successful, organizations must educate their employees on why this shift is so important and the role they can play in helping to improve enterprise-wide security. When people are empowered and feel invested in the process, they can serve as a human firewall. Strive to make cybersecurity education less of a task to be checked off and something that engages and motivates your people to feel like they are part of the solution.

Reaping The Benefits Of People-Defined Security

A zero-trust security journey doesn’t have an end point; organizations must continually evolve their strategies and policies as they change and grow.

By embracing this people-defined security model, organizations can reduce their business risk, accelerate technology modernization, support compliance requirements, streamline long-term planning and improve the end-user experience with seamless, secure access. Moving toward a zero-trust architecture will enable organizations to develop a unified policy model that will flex as their business needs and IT infrastructures evolve—while supporting the way people work today.



