With the development and adoption of new technologies, the threatscape has inevitably widened and prioritising a cyber-resilient workforce and Zero Trust model are key to determining an organisation’s cybersecurity culture. PJ Kirner, CTO and Co-founder at Illumio, discusses security spending and strategy building, as well as developing a robust Zero Trust approach to cybersecurity.
As cyber-risk levels continue to rise, CISOs are under intense pressure to keep the wheels turning while also preparing for inevitable future attacks. Businesses can no longer afford to take their time crafting the perfect long-term security plan before they commit – they need to act proactively now to deal with current threats.
Having a strong and cohesive security foundation is critical for navigating today’s cyber landscape and taking a Zero Trust approach has become a non-negotiable for businesses. Skyrocketing ransomware and cyberattacks paired with remote work and Digital Transformation are pushing organisations to build resilience – and fast. Illumio recently commissioned a study with Forrester Consulting to explore how organisations are using Zero Trust strategies to navigate the current landscape and to understand what their security plans are for 2022.
Zero Trust is one of the most effective approaches in enabling organisations to improve their resilience and take a more proactive approach to security. To be clear, according to Forrester Research, ‘Zero Trust is not one product or platform; it’s a security framework built around the concept of ‘never trust, always verify’ and ‘assuming breach’.
Importantly, the research study also highlighted that micro-segmentation is a critical pillar of any Zero Trust strategy. The study says, ‘Micro-segmentation is fine-grained control of application needs, user access and data repositories. Tools help automate, orchestrate, test and implement granular policy across network security controls’. This control is a cornerstone of security leaders’ approach to tackling ransomware and other threats in 2022.
Security spending and strategy building
The dynamic nature of the cybersecurity landscape often forces businesses to switch focus at the drop of a hat. Rapid changes can leave organisations bewildered, for example, Illumio’s research found that 63% of respondents said their firm was unprepared for the quickened pace of cloud transformation and migration. Consequences of this lack of preparation can include a drop in productivity and create more opportunities for cyberattacks.
This ongoing Digital Transformation continues to impact strategic focus and security spending as firms fight to stay ahead of the curve and anticipate future challenges. For example, 75% of decision-makers switched focus to updating technical reference architectures for cloud security to match rapid cloud migration. In fact, businesses are increasingly prioritising security, as experts forecast the global cybersecurity spending to exceed US$1.75 trillion by 2025.
As part of this prioritisation, more and more businesses are looking to Zero Trust strategies to support cloud migration in order to account for new security gaps and build resilience at scale. However, many enterprises are still in the early stages of implementation, with only 36% having started to deploy their Zero Trust plans. So, while businesses are starting to focus on least privilege security controls, there is still a long way to go in making organisations more resilient to breaches.
And while it’s promising to see that two-thirds of businesses will increase their Zero Trust budget, it’s important to remember to…
Budget incrementally – it doesn’t have to be all or nothing
All too often organisations stall or postpone security progress because of financial cost. Of course, security teams need to advocate for their major projects, but it’s also crucial to make incremental progress now with the resources you have today.
A good place to start is by gaining an understanding of both the communications currently happening in your environments, and the connections that could happen. This will illuminate risky areas and help you prioritise where to implement Zero Trust controls.
Then, focus on securing your riskier and business-critical applications and expand as your budget allows. You can make incremental progress on your strategy rather than trying to tackle everything all at once. Concentrate on developing and implementing Zero Trust plans one step at a time to start building resilience today.
Aside from building business resilience, security leaders believe Zero Trust strategies improve their organisations’ agility and support their overall Digital Transformation. In fact, around half of respondents said micro-segmentation specifically can help them reduce their attack surface and 68% said micro-segmentation enhances security to support expanded remote, work-from-anywhere models.
The barriers to success
There are two main challenges that can hinder Zero Trust progress: a lack of expertise and stakeholder investment.
The current skills shortage means that security expertise is in short supply and internal teams struggle to find the time they need to act on many of their goals. Consequently, 62% of decision-makers chose to implement data centre firewalls instead of micro-segmentation. However, this only led to more problems: the firewalls took too long to deploy, were difficult to scale and exceeded the budget.
Additionally, it’s true that having strong buy-in from stakeholders can advance Zero Trust implementation, but one of the issues is that these stakeholders often view ‘Zero Trust’ and ‘micro-segmentation’ as marketing buzzwords that hold little weight in relation to the larger cybersecurity picture. However, security professionals understand the resilience, flexibility and scalability Zero Trust and micro-segmentation provide and must translate the value and urgency of these strategies to their stakeholders – the integrity of the organisation relies on it.
While skill and resource challenges are important considerations, they should not get in the way of organisations starting their Zero Trust journey. Teams can start small and work their way up, gathering new skills and winning over stakeholders as they go.
Finding simple ways to start segmenting
Like the past few years, 2022 demands that enterprises balance business operations and security in order to prosper. Micro-segmentation solutions need to enable organisations to maintain this fine balance.
Segmentation solutions must provide simple and approachable on-ramps. If they require a system overhaul, you’re going to get stuck at your starting blocks. If they don’t scale, you’re going to get early technical detractors. If they don’t adapt as your network changes, the friction will cause rejection of the solution. And if you don’t have some quick wins to demonstrate to your boss and your board, you never fulfil the strategic goals.
Already, 73% of decision-makers consider Zero Trust and micro-segmentation to be critical technical foundations of their security strategy and we expect this number to continue to grow as understanding of these approaches increases. Security leaders recognise the value of segmenting their networks to isolate a breach by proactively blocking attackers from moving around to access critical data. Understanding its importance, businesses need to start implementing their Zero Trust and micro-segmentation plans now to keep ahead of today’s pervasive threats.
While an organisation spends months planning and developing the perfect long-term security roadmap, the threat actors are still circling and the attacks keep coming. As the saying goes, a good plan today is better than a perfect plan tomorrow. Whatever the next step is in your Zero Trust strategy, prioritise action – push for stronger security now.