From ‘Department of No’ to ‘Department of Know’

When companies shifted to a work-from-anywhere (WFA) model, legacy networking and security systems were quickly strained to meet the demands of the new requirements. As a result, CISOs assumed risks they would never have tolerated before. IT teams bolstered VPN capacity to support the new load, but with a troubling new risk: enabling remote access for all employees introduced unknown cyberattack vectors.

At the same time, companies had to cope with the pandemic’s effect on the business’s bottom line—and that often meant repurposing IT budgets to revenue-generating initiatives. To regain their budgets, influence, and headcount, CISOs must change their mindset to focus on business needs. IT security can no longer be about controlling the network perimeter. It must shift to strategic planning that answers the question, “How do I enable the business?”

To be successful, IT must align enterprise security with company goals. IT must now consider: the business’s core competencies; the business needs that drive its success; company direction; and IT’s own governance and compliance responsibilities. (Pro tip: That last one shouldn’t include sustaining legacy networks.)

IT: gatekeeper or guide?

IT security has traditionally enjoyed a less-than-favorable reputation as “The Department of No.” IT’s role in protecting the business meant it often had to get in the way: “No, you can’t adopt that cloud SaaS.” “No, you can’t move the database offsite.” “No, you can’t work remotely.” IT’s priority was to maintain the status quo. Anything that could rock the boat was out of scope, and they were often the gatekeepers for process deployment.

Why? IT typically gets little attention from employees, until those employees need something or a disaster occurs. Then IT gets everyone’s (not always welcome) attention. That’s a lot of pressure and provides at least some understandable rationale for IT’s traditionally conservative approach.

If the pandemic has shown us anything, it’s that IT can adapt quickly if they have to—especially when there is a clear need to move beyond the status quo. Legacy solutions (in this case, VPNs) weren’t equipped to handle a massive change in how employees did business. So new solutions were found and implemented—such as a zero trust architecture.

In responding to a crisis as dramatic as the recent pandemic, IT had to focus on enabling business objectives. They needed to be guides that led the company to a better solution. That required assessing change by asking new questions:

• Does a solution incur (or perpetuate) technical debt? Technical solutions often get implemented to answer an immediate need and employ the quickest methods to achieve that goal—perhaps building on legacy infrastructure because it’s “easy.” But does this convenient solution create bigger problems by limiting future growth, scalability, or flexibility?
• How long until the solution produces value? Integrating new solutions with legacy systems can often add complexity and result in long waits for ROI (if it ever arrives). Does that delayed value still outweigh the costs associated with scrapping legacy dependencies?
• How long until the solution improves productivity? Bolting new systems over old ones often results in a Rube-Goldberg contraption of login, access, and security protocols. What is the time frame for getting users up and running on complex processes?

The new CISO mission: enable business growth

Change is hard, and enterprise CISOs must work with CIOs to lead the charge. It can be difficult to know where to start. How do you redesign legacy systems that have powered a company for years, if not decades? 

One path forward is a cloud-delivered zero trust architecture—offering CISOs a manageable (and navigable) way to enable digital transformation. A zero trust architecture is a connectivity architecture that changes the nature of application access by removing the requirement for a “trusted network.” Instead, users gain access to applications based on defined policies that consider user identity and context. As a result, everyone is challenged and only allowed access to what they need for true least-privileged access. This offers levels of visibility and control that were previously unimaginable.

It provides CISOs and CIOs with a platform to enable enterprise growth. For example, a CISO for a Fortune-500-company led his enterprise’s transition from legacy castle-and-moat security to a zero trust architecture. In his words, a zero trust architecture allowed his security teams to go from “the department of no” to “the department of know.” Rather than being the group that traditionally says, “You can’t do that, it’s not secure,” his IT department can now say, “We can do that, and with the information we’ve gained, we can also enable these other things as well!”

The CISO had been tasked with finding a better approach to remote access as the company expanded its mobile workforce and adopted a “cloud-first” strategy—legacy remote access systems were too rigid and slow to handle the change. His cloud-first zero trust approach enabled his company to become more agile and more flexible.

Convincing company execs to invest in a zero trust architecture was challenging. But the CISO emphasized three value propositions to evangelize zero trust internally:

• Better security, performance, management, and cost-efficiency: The company’s old VPNs routed traffic indirectly—incurring latency, complicating administration, increasing MPLS costs, and (greatly) extending attack surface. A zero trust architecture connects a user directly to a target resource rather than the network, reducing the attack surface and optimizing routing.
• Deployment speed: VPNs cannot be set up quickly. VPN deployment requires extensive capacity planning, making it difficult to enable a quick pivot to remote access. By contrast, cloud-based zero trust architectures are designed to scale. Deployment is quick: install a simple agent on the user’s access device; place connectors in the application environments; and integrate user context from an IAM system to inform granular access policies.
• Traffic visibility: a cloud-delivered zero trust architecture offers comprehensive, central administration and provides IT leaders with complete visibility into user activity.

The CISO leveraged the Zscaler Zero Trust Exchange to roll out a zero trust solution to department heads as part of a pilot program. They were soon inundated with requests to make it available to the whole company. Their immediate challenge became processing paperwork fast enough to accommodate demand!

Their security is now invisible to users. Users connect directly to whatever authorized assets and applications they need to be productive without first getting access to a network. Using a  zero trust architecture has also greatly improved user experience compared to their legacy VPN: it is faster, easier to use, and increases performance, no matter whether the resource is in the data center or the cloud.

Transformation enables business value

As recent events have shown, IT teams must adapt legacy environments to changing needs. Cloud-first digital strategies drive corresponding security transformation since network-centric systems often can’t accommodate the change gracefully or cost-effectively. A zero trust architecture can enhance business growth by providing secure, seamless user access to authorized applications across any environment, location, or device, therefore enabling new workflows and accelerating digital transformation.

A cloud-enabled zero trust architecture minimizes the risk of adopting digital transformation strategies and keeps access options viable even as security budgets shrink and corporate budgets tighten. By eliminating the need to expand expensive security stacks and costly MPLS backhaul, zero trust allows companies to take advantage of new technology and remain agile in order to scale for the future. And by providing comprehensive visibility as well as flexible, secure application access, a zero trust architecture allows IT security to empower, rather than impede, business transformation.

Click here to read more about how a zero trust architecture can help speed business transformation goals.