Where Am I With Zero Trust? The Ciso's Reality

Charmaine Valmonte, Chief Information Security Officer, Aboitiz.

Charmaine Valmonte, Chief Information Security Officer, Aboitiz.

By failing to prepare, you are preparing to fail.” ― Benjamin Franklin. Cybersecurity has been a top priority for most organizations for the past decade. A large portion of an organization’s operational budget is spent on state-ofthe-art technologies as a means to protect the business from the threats of a cyber attack. However, technology is not the definitive solution to eliminate or reduce the risk; a disruption causing major losses can happen if the process and people are excluded from the equation.

The transformed cybersecurity professional expects a cyber attack to happen anytime and come from anywhere. Today’s CISO must accept that the organization will continue to transform. The perimeters we’ve since built for the organization cannot contain or protect today’s evolving environment.

Zero Trust, defined by the National Institute of Standards and Technology in its Special Publication 800-207, states that “Zero Trust presents a shift from a location-centric model to a data-centric approach for fine-grained security controls between users, systems, data and assets that change over time”. What does this mean to a CISO who has spent the last decade creating perimeters to protect the organization? Where do we start? The answer will depend on where we are in the Zero Trust maturity Model against the CISO’s Cybersecurity Roadmap. A careful review of what you have in place against this model is a good starting point.

Implementing Zero Trust involves a careful inventory of your organization’s identities, devices, environment, applications, and data. Zero Trust is not simply about implementing technological solutions to protect the organization. A clear understanding of the business and its transformation strategies is likewise important. This is especially true for hybrid organizations that will continually transition toward a cloud or service-enabled environment.

The Cybersecurity and Infrastructure Security Agency, Cyber Division in its Pre-decisional Draft of the Zero Trust Maturity Model, Version 1.0, June 2021, presented a high-level view of the Zero Trust Maturity Model across each maturity stage.

An organization’s security controls can be mapped into this recommended model regardless of its architecture. We must understand where our organization truly stands in each of the pillars as prescribed. The maturity levels are summarized as follows.

Traditional - manually configured systems and policies, siloed point solutions that require a manual incident response, mitigation, and deployment.

Advanced - semi-automated, cross-pillar coordination, centralized identities, controls, visibility, and automation with the capability to deploy predefined mitigations and controls.

Implementing Zero Trust Involves A Careful Inventory Of Your Organization’s Identities, Devices, Environment, Applications, And Data

Optimal - fully automated with dynamic least-privilege access, interoperable across pillars with centralized and orchestrated visibility.

As the business continues to transform, the CISO must understand the who and what identities access what data and where.

Is multi-factor authentication a standard across the workforce to include its 3rd party providers? Does the CISO have a clear inventory of the organization’s data across all environments? Is there a clear inventory of all systems and workloads across the enterprise? As we journey through this model, we may realize that the security program can be at different levels in each of these pillars. Understanding where we are in this maturity model allows us to build the requisite controls to support and protect the organization and its business objectives.