5 Questions with a Zero Trust Expert
Organizations are dragging their feet on zero trust, despite its benefits in today's cybersecurity landscape.
Zero trust may be the flossing of the cybersecurity world; everyone agrees that it's healthy, but not nearly enough people are actually doing it.
A recent Cisco report bears this out. In a survey, the firm found that nearly 90 percent of organizations have started implementing some of the principles of zero trust, but just a woefully small number of them -- 2 percent -- have reached zero trust "maturity."
As cybersecurity expert Sami Laiho acknowledges, the obstacles that are keeping companies from fully embracing zero trust are a mixture of perception and practicality. For IT teams needing guidance in overcoming those hurdles, Laiho is hosting a two-day virtual seminar next month titled "Deploying Zero Trust in the Real World." We caught up with him ahead of his seminar to get his thoughts on just how important zero trust is today, and what's stopping organizations from going all-in.
1. What's new or different about today's threat landscape that makes zero trust more of a necessity than a nice-to-have?
Nowadays, malicious code mostly gets into company networks through unpatched border devices. Patching everything is a difficult job as bigger companies have around 20,000 patches a year to install. We can't rely on border controls, so we need to start treating our internal networks as if they are just as friendly/hostile as the public Internet.
2. Why do you think more organizations haven't implemented MFA (multifactor authentication) wherever they can? It should be a no-brainer, right?
It's just about reluctance to change. Doing things differently or making them more "difficult" is always challenging. But, yes, it is a requirement for every environment.
3. In your seminar abstract, you say "zero trust" is the "worst name in the history of IT." Can you explain what's inaccurate or not ideal about it -- and what should it be really called, in your opinion?
"Zero trust" sounds like we are implementing these controls because we don't trust the user. These controls, when correctly implemented, allow users to work as securely and efficiently whether they are at Starbucks or the company office. I would rather call it "Secure Access," "Full Usability" or "Access Anywhere."
4. It seems like more businesses are entertaining the use of generative AI in their daily operations, if they're not already using it. Do you think this helps or hinders IT security pros?
It helps in automating the detection of malicious access and false positives, but at the same time it allows the attacker to achieve more scale and more targeted attacks.
5. For IT pros who want to go zero trust but are getting pushback from their C-suite for whatever reason, how would you recommend they approach the conversation?
Talk about changing the environment to allow access from anywhere, rather than talking about making access harder. Security is only 25 percent technology and 75 percent psychology.