Taking Your Zero-Trust Maturity to the Next Level

It’s no secret that zero-trust initiatives are on every IT leader’s mind lately. Most organizations have even taken the first step on their zero-trust journey, with 97 percent of companies reportedly having implemented a zero-trust initiative, or planning to within the next 18 months (OKTA, 2022).

However, those organizations who already have the governance and architecture strategies in place to implement zero-trust policies may be wondering, what’s our next step toward zero-trust maturity?

Ensuring that your organization is well-equipped to implement zero-trust security policies throughout your organization includes more than technologies — there are key roles, and possibly new roles, required to manage and increase your capabilities over time.

In some ways, preparing your organization for zero trust may feel similar to moving your infrastructure from an on-premises data center to the cloud. Digital transformation typically requires cross-functional teams working in multiple disciplines to come together and work toward a common goal, and zero trust is no different.

Using the CISA Zero Trust Maturity Model as a guiding framework, achieving optimal zero-trust implementation requires organizations to fully integrate across pillars with increasing levels of protection.

CISA’s Zero Trust Maturity Model is described in four stages to enable migration:

• Traditional – This includes manual configurations and assignment of attributes, static security policies and coarse dependencies on external systems, along with manual incident response and mitigation processes. Currently, this is the stage at which most organizations find themselves.
  
  
• Initial – This is the stage at which automation is introduced. This includes attribute assignment and configuration of lifecycles, policy decisions and enforcement, and initial cross-pillar solutions with integration of external systems.
  
  
• Advanced – This stage introduces some cross-functional coordination building toward enterprise-wide awareness, with centralized visibility and identity control, some incident response to predefined mitigations and increased detail in dependencies with external systems.
  
  
• Optimal – This final stage of zero-trust implementation features fully automated assigning of attributes to assets and resources, dynamic policies based on automated/observed triggers, alignment with open standards for cross-functional interoperability, and centralized visibility.

As organizations transition toward this optimal stage, they’ll find that their solutions rely more heavily upon automated processes, systems are integrated across pillars, and they become more dynamic in their policy enforcement decisions.

These maturity stages can allow organizations to plan, assess and maintain the investments they need to progress toward zero trust.

So how do you take your organization’s zero-trust maturity to the next level? It starts by defining staff roles within your strategy.

The OMB memorandum published in January 2022 stated that government agencies must identify a zero-trust strategy implementation lead within 30 days of the memorandum’s publication. We found that many private sector organizations opted to nominate their Chief Information Security Operators (CISOs) or senior security leaders to fill the roles quickly.

Unfortunately, we’ve also found that CISOs, especially at larger organizations, tend to be pulled in many different directions within their security practice. With such a large responsibility, it can be difficult to prioritize zero-trust initiatives in addition to all of their other responsibilities, and a CISO in a larger organization may need to delegate this responsibility.

The answer may lie in the creation of a new role: a Zero-Trust Program Manager. A Zero-Trust Program Manager focused solely on implementing zero-trust principles would work across teams to coordinate planning and implementation efforts across operational disciplines.

This role would not only free up the valuable time of the organization’s CISO but also provide accountability for zero-trust initiatives as the organization works toward the optimal level of maturity.

Additionally, it can be extremely helpful to designate a Zero-Trust Lead Architect role. This would be especially valuable when additional technical zero-trust expertise is required. A Zero-Trust Lead Architect, ideally with experience in operations and engineering and a background in application security or identity, would lead automation and integration efforts across CISA pillars.

This technical resource would take the lead collaborating with engineers and architects across IT and security silos, focused on automation and integration. A Zero-Trust Lead Architect could also tackle common zero-trust use cases such as data backup and recovery, securing the hybrid workforce or cloud infrastructure security, to name a few.

However your organization chooses to level up your maturity, staff expertise focused on zero trust is essential to designing, implementing and managing an effective zero-trust strategy.

As most organizations are aware by now, getting to an optimal level of zero-trust implementation will not happen overnight.

With so many technology decisions to be made, ensuring that your organization has the right tools and expertise in place is key to developing these cross-functional capabilities throughout the enterprise.

It all starts with a solid zero-trust strategy. To learn more about successfully implementing a zero-trust strategy, read our latest white paper, Getting Zero-Trust Architecture Right for Security and Governance.

Story by John Candillo, a CDW Field CISO with more than 20 years of security experience, specializing in risk, governance, compliance and IT security strategies