When companies shifted to a work-from-anywhere (WFA) model, legacy networking and security systems were quickly strained by the new requirements. As a result, CISOs assumed risks they would never have tolerated before. IT teams bolstered VPN capacity to support the new load, but that brought a troubling new risk: enabling remote access for all employees introduced unknown cyberattack vectors.

At the same time, companies had to cope with the pandemic’s effect on the business’s bottom line—and that often meant repurposing IT budgets to revenue-generating initiatives. To regain their budgets, influence, and headcount, CISOs must change their mindset to focus on business needs. IT security can no longer be about controlling the network perimeter. It must shift to strategic planning that answers the question, “How do I enable the business?”

To be successful, IT must align enterprise security with company goals. IT must now consider: the business’s core competencies; the business needs that drive its success; company direction; and IT’s own governance and compliance responsibilities. (Pro tip: That last one shouldn’t include sustaining legacy networks.)

IT: gatekeeper or guide?

IT security has traditionally enjoyed a less-than-favorable reputation as “The Department of No.” IT’s role in protecting the business meant it often had to get in the way: “No, you can’t adopt that cloud SaaS.” “No, you can’t move the database offsite.” “No, you can’t work remotely.” IT’s priority was to maintain the status quo. Anything that could rock the boat was out of scope, and IT was often the gatekeeper for process deployment.

Why? IT typically gets little attention from employees, until those employees need something or a disaster occurs. Then IT gets everyone’s (not always welcome) attention. That’s a lot of pressure and provides at least some understandable rationale for IT’s traditionally conservative approach.

If the pandemic has shown us anything, it’s that IT can adapt quickly if it has to—especially when there is a clear need to move beyond the status quo. Legacy solutions (in this case, VPNs) weren’t equipped to handle a massive change in how employees did business. So new solutions were found and implemented—such as a zero trust architecture.

In responding to a crisis as dramatic as the recent pandemic, IT had to focus on enabling business objectives. They needed to be guides that led the company to a better solution. That required assessing change by asking new questions:

Does a solution incur (or perpetuate) technical debt? Technical solutions often get implemented to answer an immediate need and employ the quickest methods to achieve that goal—perhaps building on legacy infrastructure because it’s “easy.” But does this convenient solution create bigger problems by limiting future growth, scalability, or flexibility?
How long until the solution produces value? Integrating new solutions with legacy systems can often add complexity and result in long waits for ROI (if it ever arrives). Does that delayed value still outweigh the costs associated with scrapping legacy dependencies?
How long until the solution improves productivity? Bolting new systems over old ones often results in a Rube Goldberg contraption of login, access, and security protocols. What is the time frame for getting users up and running on complex processes?

The new CISO mission: enable business growth

Change is hard, and enterprise CISOs must work with CIOs to lead the charge. It can be difficult to know where to start. How do you redesign legacy systems that have powered a company for years, if not decades?

One path forward is a cloud-delivered zero trust architecture—offering CISOs a manageable (and navigable) way to enable digital transformation. A zero trust architecture is a connectivity architecture that changes the nature of application access by removing the requirement for a “trusted network.” Instead, users gain access to applications based on defined policies that consider user identity and context. As a result, everyone is challenged and only allowed access to what they need for true least-privileged access. This offers levels of visibility and control that were previously unimaginable.

It provides CISOs and CIOs with a platform to enable enterprise growth. For example, a CISO for a Fortune 500 company led his enterprise’s transition from legacy castle-and-moat security to a zero trust architecture. In his words, a zero trust architecture allowed his security teams to go from “the department of no” to “the department of know.” Rather than being the group that traditionally says, “You can’t do that, it’s not secure,” his IT department can now say, “We can do that, and with the information we’ve gained, we can also enable these other things as well!”

The CISO had been tasked with finding a better approach to remote access as the company expanded its mobile workforce and adopted a “cloud-first” strategy—legacy remote access systems were too rigid and slow to handle the change. His cloud-first zero trust approach enabled his company to become more agile and more flexible.

Convincing company execs to invest in a zero trust architecture was challenging. But the CISO emphasized three value propositions to evangelize zero trust internally:

Better security, performance, management, and cost-efficiency: The company’s old VPNs routed traffic indirectly—incurring latency, complicating administration, increasing MPLS costs, and (greatly) extending the attack surface. A zero trust architecture connects a user directly to a target resource rather than the network, reducing the attack surface and optimizing routing.
Deployment speed: VPNs cannot be set up quickly. VPN deployment requires extensive capacity planning, making it difficult to enable a quick pivot to remote access. By contrast, cloud-based zero trust architectures are designed to scale. Deployment is quick: install a simple agent on the user’s access device; place connectors in the application environments; and integrate user context from an IAM system to inform granular access policies.
Traffic visibility: A cloud-delivered zero trust architecture offers comprehensive, central administration and provides IT leaders with complete visibility into user activity.

The CISO leveraged the Zscaler Zero Trust Exchange to roll out a zero trust solution to department heads as part of a pilot program. They were soon inundated with requests to make it available to the whole company. Their immediate challenge became processing paperwork fast enough to accommodate demand!

Their security is now invisible to users. Users connect directly to whatever authorized assets and applications they need to be productive without first getting access to a network. Using a zero trust architecture has also greatly improved user experience compared to their legacy VPN: it is faster, easier to use, and increases performance, no matter whether the resource is in the data center or the cloud.

Transformation enables business value

As recent events have shown, IT teams must adapt legacy environments to changing needs. Cloud-first digital strategies drive corresponding security transformation since network-centric systems often can’t accommodate the change gracefully or cost-effectively. A zero trust architecture can enhance business growth by providing secure, seamless user access to authorized applications across any environment, location, or device, thereby enabling new workflows and accelerating digital transformation.

A cloud-enabled zero trust architecture minimizes the risk of adopting digital transformation strategies and keeps access options viable even as security budgets shrink and corporate budgets tighten. By eliminating the need to expand expensive security stacks and costly MPLS backhaul, zero trust allows companies to take advantage of new technology and remain agile in order to scale for the future. And by providing comprehensive visibility as well as flexible, secure application access, a zero trust architecture allows IT security to empower, rather than impede, business transformation.