Where CISOs are getting quick zero-trust wins today to save tomorrow’s budgets
To shield their budgets from further cuts, CISOs are going after quick wins to prove the value of spending on zero trust. It’s clear tech stacks need to be consolidated and strengthened to protect multicloud infrastructure and get endpoint sprawl under control. The more complex and legacy-based the infrastructure, the longer it can take to get a zero-trust win.
Using third-party data as guardrails
Showing how spending on zero trust protects revenue is a common strategy supported by guardrails, or upper- and lower-limit spending ranges validated using third-party research firms’ data. CISOs quote Gartner, Forrester and IDC data when defining the absolute lowest their spending can go, hoping to protect their budgets. Forrester’s 2023 Security and Risk Planning guide is one of the sources CISOs rely on to define guardrails and defend their spending.
The planning guide shows that on-premises spending in data-loss prevention (DLP), security user behavior analytics, and standalone secure web gateways (SWG) is dropping, giving CISOs the data they need to shift spending to cloud-based platforms that consolidate these features.
Where CISOs are finding quick wins
Security and IT teams are working overtime to get quick wins and protect their budgets before the end of the year. Saving their budgets will fund the new automated apps and tools that help them scale and gain more control over security next year. Many realize that if they can show results from baseline zero-trust projects, the larger and more complex projects, such as microsegmentation and software supply chain security, will stay funded.
Here are the quick wins that CISOs and their teams are going after to protect their budgets and prove the value of zero trust to CEOs and boards scrutinizing enterprise spending:
Enabling multifactor authentication (MFA) first is a common quick win. Considered by many CISOs as the quick win that delivers measurable results, MFA is a cornerstone of many organizations’ zero-trust strategies. Forrester notes that enterprises need to aim high when it comes to MFA implementations and add a what-you-are (biometric), what-you-do (behavioral biometric), or what-you-have (token) factor to what-you-know (password or PIN code) legacy single-factor authentication implementations.
Andrew Hewitt, a senior analyst at Forrester and author of the report, The Future of Endpoint Management, told VentureBeat that when clients ask how to get started, he says, “The best place to start is always around enforcing multifactor authentication. This can go a long way toward ensuring that enterprise data is safe. From there, it’s enrolling devices and maintaining a solid compliance standard with the unified endpoint management (UEM) tool.”
Update and audit configurations of cloud-based email security suites. CISOs tell VentureBeat they are leaning on their email security vendors to improve anti-phishing technologies, tighten zero-trust control of suspect URLs and strengthen attachment scanning. Leading vendors are using computer vision to identify suspect URLs, which are quarantined and then destroyed.
CISOs are getting quick wins in this area by moving to cloud-based email security suites that provide email hygiene capabilities. According to Gartner, 70% of email security suites are cloud-based.
They’re also taking advantage of the vendor consolidation happening in this space, along with market leaders improving their endpoint detection and response (EDR) integration. “Consider email-focused security orchestration automation and response (SOAR) tools, such as M-SOAR, or extended detection and response (XDR) that encompasses email security. This will help you automate and improve the response to email attacks,” wrote Paul Furtado, VP analyst at Gartner, in the research note How to Prepare for Ransomware Attacks [subscription required].
Doubling down on training and development is a quick win that increases zero-trust expertise. It’s encouraging to see organizations opting to pay for training and certifications to retain their IT and cybersecurity experts. Scaling up every IT and security team member with zero-trust expertise helps overcome the roadblocks that can slow down implementation projects.
For example, LinkedIn has over 1,200 cybersecurity courses available today. In addition, there are 76 courses focused on zero trust and 139 on practical cybersecurity steps that can be taken immediately to secure systems and platforms.
Reset administrative access privileges for endpoints, apps and systems to only current admins. CISOs often inherit legacy tech stacks with administrative privileges that haven’t been reset in years. As a result, former employees, contractors, and current and past vendors’ support teams often still have systems access. CISOs need to start by seeing who still has access privileges defined in identity and access management (IAM) and privileged access management (PAM) systems. This is core to closing the trust gaps across the tech stack and reducing the threat of an insider attack.
Security teams need to start by deleting all access privileges for expired accounts, then having all identity-related activity audited and tracked in real time. Kapil Raina, vice president of zero-trust marketing at CrowdStrike, told VentureBeat that it’s a good idea to “audit and identify all credentials (human and machine) to identify attack paths, such as from shadow admin privileges, and either automatically or manually adjust privileges.”
Likewise, Furtado writes that it is best to “remove users’ local administrative privileges on endpoints and limit access to the most sensitive business applications, including email, to prevent account compromise.”
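The audit steps above (delete access for expired accounts, find shadow admins among human and machine credentials, flag privileges that are no longer exercised) can be scripted against an export from an IAM or PAM system. The following is an added example, not code from the page, CrowdStrike or Gartner: it runs over a small, constructed identity inventory and emits revoke/review findings. The group names, the set of rights treated as "shadow admin" and the 90-day dormancy threshold are assumptions; map them to your own directory's privileged groups and to the rights your PAM tool reports.

```python
from dataclasses import dataclass, field

# Assumed privileged groups and admin-equivalent rights (placeholders for this example)
ADMIN_GROUPS = {"Domain Admins", "Cloud-Owners"}
SHADOW_ADMIN_RIGHTS = {"ResetPassword", "WriteDACL", "AddMemberToGroup"}
DORMANT_DAYS = 90


@dataclass
class Identity:
    name: str
    kind: str                      # "human" or "machine"
    status: str                    # "active", "terminated" or "expired"
    groups: set = field(default_factory=set)
    rights: set = field(default_factory=set)   # direct rights on sensitive objects
    days_since_login: int = 0


# Constructed sample inventory; no real accounts.
SAMPLE_IDENTITIES = [
    Identity("alice", "human", "active", {"Domain Admins"}, set(), 3),
    Identity("bob", "human", "terminated", {"Domain Admins"}, set(), 200),
    Identity("carol", "human", "active", {"Cloud-Owners"}, set(), 120),
    Identity("dave", "human", "active", {"Helpdesk"}, set(), 10),
    Identity("vendor-support", "human", "expired", {"Helpdesk"}, set(), 400),
    Identity("svc-backup", "machine", "active", {"Backup-Operators"}, {"ResetPassword"}, 1),
]


def audit(identities):
    """Return (name, finding, detail) tuples for every identity that needs action.

    Order matters: a non-active account is revoked outright, whatever it holds;
    only active accounts are examined for shadow-admin rights and dormant privilege.
    """
    findings = []
    for ident in identities:
        in_admin_group = bool(ident.groups & ADMIN_GROUPS)
        shadow_rights = ident.rights & SHADOW_ADMIN_RIGHTS

        if ident.status != "active":
            findings.append((ident.name, "revoke",
                             f"{ident.status} account still holds {sorted(ident.groups)}"))
            continue

        if shadow_rights and not in_admin_group:
            # Admin-equivalent power without membership in a group anyone reviews
            findings.append((ident.name, "shadow-admin",
                             f"{ident.kind} credential holds {sorted(shadow_rights)}"))

        if in_admin_group and ident.days_since_login > DORMANT_DAYS:
            findings.append((ident.name, "dormant-admin",
                             f"no login for {ident.days_since_login} days"))
    return findings


if __name__ == "__main__":
    for name, finding, detail in audit(SAMPLE_IDENTITIES):
        print(f"{finding:14} {name:16} {detail}")
```

Machine credentials are deliberately run through the same checks as humans: a service account with `ResetPassword` on privileged users is an attack path regardless of whether a person logs in with it.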
Increase the frequency of vulnerability scans and use the data to quantify risk better. Vulnerability management suites aren’t used to their full potential when organizations merely scan, patch and re-scan to confirm a patch closed a vulnerability. Use them instead to define and then quantify a risk management program. Vulnerability scanning data feeds the risk-quantification analysis that senior management and the board need to see before they will believe cybersecurity spending is paying off.
For example, a current vulnerability management suite will identify hundreds to thousands of vulnerabilities across a network. Instead of turning those alerts off or dialing down their sensitivity, double down on more scans and use the data to show how zero-trust investments are helping to minimize risk.
The most effective vulnerability management systems are integrated with MFA, patching systems and microsegmentation, so that a patching exception is contained rather than becoming the path to a breach.
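Raw finding counts move the wrong way when scan coverage increases, which is why the passage above recommends quantifying risk rather than reporting (or suppressing) alerts. The following is an added example, not code from the page or any scanner vendor: it weights each finding by base severity, network exposure and known exploitation, rolls the weights up per asset and per scan cycle, and shows a second, broader scan that returns more findings yet less risk because the one exploited, internet-facing issue was fixed. The scan records, the weighting factors and the placeholder finding IDs (F1..F6) are constructed for the example; a real program would take the severity and exploitation fields from the scanner's export.

```python
from collections import defaultdict

# Assumed weighting (example policy, not a standard): exposure and active exploitation
# multiply the base CVSS score so an internet-facing, exploited flaw dominates the total.
EXPOSURE_WEIGHT = {"internet": 3.0, "internal": 1.0}
EXPLOITED_WEIGHT = 2.0


def risk_score(finding: dict) -> float:
    """Weighted risk of one finding: cvss * exposure * (2 if exploited in the wild)."""
    score = finding["cvss"] * EXPOSURE_WEIGHT[finding["exposure"]]
    if finding["exploited"]:
        score *= EXPLOITED_WEIGHT
    return score


def per_asset(scan) -> dict:
    """Sum weighted risk per asset."""
    totals = defaultdict(float)
    for f in scan:
        totals[f["asset"]] += risk_score(f)
    return dict(totals)


def total_risk(scan) -> float:
    return sum(per_asset(scan).values())


def top_assets(scan, n: int = 3):
    """Assets ranked by weighted risk: where remediation effort should go first."""
    return sorted(per_asset(scan).items(), key=lambda kv: kv[1], reverse=True)[:n]


def risk_reduction(before, after) -> float:
    """Fraction of weighted risk removed between two scan cycles (1.0 = all gone)."""
    base = total_risk(before)
    return 0.0 if base == 0 else 1.0 - total_risk(after) / base


# Constructed scan cycles; IDs are placeholders, not real vulnerability identifiers.
SCAN_1 = [
    {"asset": "web-01", "id": "F1", "cvss": 9.8, "exposure": "internet", "exploited": True},
    {"asset": "web-01", "id": "F2", "cvss": 5.3, "exposure": "internet", "exploited": False},
    {"asset": "db-01", "id": "F3", "cvss": 7.5, "exposure": "internal", "exploited": False},
    {"asset": "file-01", "id": "F4", "cvss": 4.3, "exposure": "internal", "exploited": False},
]
# Second cycle: F1 patched, scan coverage widened so two new low-severity items appear.
SCAN_2 = [
    {"asset": "web-01", "id": "F2", "cvss": 5.3, "exposure": "internet", "exploited": False},
    {"asset": "db-01", "id": "F3", "cvss": 7.5, "exposure": "internal", "exploited": False},
    {"asset": "file-01", "id": "F4", "cvss": 4.3, "exposure": "internal", "exploited": False},
    {"asset": "file-01", "id": "F5", "cvss": 6.1, "exposure": "internal", "exploited": False},
    {"asset": "hr-01", "id": "F6", "cvss": 3.1, "exposure": "internal", "exploited": False},
]

if __name__ == "__main__":
    print("findings:", len(SCAN_1), "->", len(SCAN_2))
    print("weighted risk: %.1f -> %.1f" % (total_risk(SCAN_1), total_risk(SCAN_2)))
    print("reduction: %.0f%%" % (100 * risk_reduction(SCAN_1, SCAN_2)))
    print("top assets now:", top_assets(SCAN_2, 2))
```

The count goes from 4 to 5 while weighted risk falls by more than half; that second number, tracked cycle over cycle, is the one a board can relate to the spending that produced it.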
Consider upgrading to an endpoint protection platform that can deliver and enforce least-privileged access while tracking endpoint health, configurations and intrusion attempts. Enforcing least-privileged access per endpoint, performing microsegmentation and enabling MFA per endpoint are a few of the reasons organizations should consider upgrading their endpoint protection platforms (EPP). In addition, cloud-based endpoint protection platforms track current device health and configuration, flag agents that conflict with each other, and thwart breaches and intrusions.
Forrester’s Future Of Endpoint Management report, mentioned earlier, covers self-healing endpoints; an area CISOs continue to budget for. Hewitt told VentureBeat that “most self-healing firmware is embedded directly into the OEM hardware. It’s worth asking about this in up-front procurement conversations when negotiating new terms for endpoints. What kinds of security are embedded in hardware? Which players are there? What additional management benefits can we accrue?”
Absolute Software, Akamai, BlackBerry, Cisco, Ivanti, Malwarebytes, McAfee, Microsoft 365, Qualys, SentinelOne, Tanium, Trend Micro, Webroot and many others offer endpoint agents that can self-heal autonomously.
Deploy risk-based conditional access across all endpoints and assets. Risk-based access is enabled within least-privileged access sessions for applications, endpoints or systems based on the device type, device settings, location and observed anomalous behaviors, combined with dozens of other attributes. Cybersecurity vendors use machine learning (ML) algorithms to calculate real-time risk scores. “This ensures MFA (multifactor authentication) is triggered only when risk levels change – ensuring protection without loss of user productivity,” CrowdStrike’s Raina told VentureBeat.
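The policy Raina describes, scoring each access request from device and context attributes and prompting for MFA only when the risk band changes rather than on every request, can be expressed as a small evaluator. The following is an added example, not code from the page or from CrowdStrike: a rule-based score stands in for the vendor's ML model, the attribute weights and the low/medium/high thresholds are assumptions, and session state records the band at which MFA was last satisfied so an unchanged context does not re-prompt. The contexts are constructed for the example.

```python
from dataclasses import dataclass

# Assumed thresholds: below 20 allow silently, 20-69 step up to MFA, 70+ block.
MEDIUM, HIGH = 20, 70


@dataclass(frozen=True)
class AccessContext:
    user: str
    device_managed: bool
    disk_encrypted: bool
    os_patch_age_days: int
    location_in_home_region: bool
    new_ip_for_user: bool
    impossible_travel: bool      # second login from a distance the user could not have covered


@dataclass
class Session:
    mfa_satisfied_band: str = None   # band at which the user last completed MFA

    def record_mfa(self, score: int) -> None:
        self.mfa_satisfied_band = band_of(score)


def risk_score(ctx: AccessContext) -> int:
    """Additive rule-based score (stand-in for a vendor's ML risk model), capped at 100."""
    score = 0
    if not ctx.device_managed:
        score += 30
    if not ctx.disk_encrypted:
        score += 15
    if ctx.os_patch_age_days > 30:
        score += 10
    if not ctx.location_in_home_region:
        score += 25
    if ctx.new_ip_for_user:
        score += 10
    if ctx.impossible_travel:
        score += 40
    return min(score, 100)


def band_of(score: int) -> str:
    if score >= HIGH:
        return "high"
    return "medium" if score >= MEDIUM else "low"


def evaluate(ctx: AccessContext, session: Session):
    """Return (decision, score). MFA is demanded only when the risk band changed
    since the session last satisfied it; a high band blocks and resets the session."""
    score = risk_score(ctx)
    band = band_of(score)
    if band == "high":
        session.mfa_satisfied_band = None   # force a fresh MFA after risk drops back
        return "block", score
    if band == "low":
        return "allow", score
    if session.mfa_satisfied_band == band:
        return "allow", score               # same band, already proven: no re-prompt
    return "step-up-mfa", score


# Constructed scenarios for one user.
TRUSTED = AccessContext("alice", True, True, 5, True, False, False)
UNMANAGED = AccessContext("alice", False, False, 5, True, False, False)
TRAVEL = AccessContext("alice", False, False, 5, False, True, True)

if __name__ == "__main__":
    s = Session()
    for ctx in (TRUSTED, UNMANAGED):
        decision, score = evaluate(ctx, s)
        print(decision, score)
        if decision == "step-up-mfa":
            s.record_mfa(score)             # user completes MFA
    print(evaluate(UNMANAGED, s))           # same band, no second prompt
    print(evaluate(TRAVEL, s))              # impossible travel: block
```

Resetting `mfa_satisfied_band` on a block matters: once the anomalous signal clears, the next medium-risk request must re-prove the factor instead of riding on a proof given before the anomaly.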
Defending budgets with risk quantification
What’s behind these zero-trust quick wins is the need to quantify how each one reduces risk and removes the roadblocks organizations face while trying to grow the business. A CISO who can show how current cybersecurity spending defends revenue while earning customers’ trust is giving CEOs and boards exactly what they need to know. That is the goal many IT and security teams are aiming for: capturing enough data to show that zero trust reduces risk, averts intrusions and breaches, and protects revenue streams. Zero-trust budgets are often a single percentage of total sales, making the investment well worth it to protect customers and revenue.