Does Your Board Have Zero Trust?

Financial firms’ boards are increasingly taking a more hands-on role towards IT security—thus driving adoption of important new security measures for their firms and the industry as a whole.

As financial firms continue to grapple with security concerns relating to their staff working from home during the coronavirus pandemic, an approach called Zero-Trust Architecture (ZTA)—which was already gaining traction prior to the outbreak—is emerging as a potential solution to some enterprise-wide security challenges.

ZTA essentially locks down sensitive systems and data, removing any notion of inherent trust in a user or device trying to access them simply by virtue of being on a company’s network. But while the Covid-19 outbreak is a perfect proving ground for ZTA, its adoption is being driven by other factors—and increasingly, this is coming from the top, rather than being driven by business lines clamoring for management sponsorship.

Some believe the impetus for a sudden focus on tighter controls at banks is board members concerned about personal liability for any data breaches that occur on their watch. And while perhaps cynical, that’s not necessarily a bad thing if it motivates senior management to look closely at the issue and drive greater security across the business.

“There is definitely a bigger push from the top these days, definitely driven by regulations, but also by boards recognizing that security is a central business component,” says Grigoriy Milis, CTO of RFA, a provider of IT services to hedge funds and asset managers. “Once they realized that, it became easier for IT to push it up the agenda. IT departments have been trying, but because it’s seen as a cost … it was not met with board approval in the way that IT wanted.”

In other cases, banks—as they start to describe themselves in the language of fintechs—have begun appointing seasoned technology executives to their boards, who bring knowledge of issues such as IT security that board members from a purely business background may be unaware of.

“I think a lot of people have probably heard the ZTA buzzword, but may not fully understand what it means,” says an enterprise security executive at one large North American bank. “For example, management wants to know that their firm has security in place, but may not think they need to know the exact details.”

Scott Rose, a computer scientist at the National Institute of Standards and Technology (NIST), says ZTA is currently gaining ground because of a confluence of supply and demand: namely that technology is now sufficient to handle its requirements, while Covid and high-profile data breaches have focused executives’ minds on IT security more than in the past. “The complexity of enterprises has also changed. Whereas everything used to be internal, using firms’ own datacenters, with managed software and cloud providers, a lot of that has changed where your perimeter is, and how you protect that,” Rose says.

Because of the urgency to adopt ZTA, and the fact that many firms are still questioning where they should start, Forrester Research created the Forrester Certification Program to familiarize market participants with the main principles of ZTA, create standards, and unite the industry around a harmonized approach.

“We’ve had CEOs, board members, network engineers, and technology professionals take the certification. The aim is to be at the executive level, to get their thinking standardized,” says Dr. Chase Cunningham, principal analyst for security and risk at Forrester. The on-demand program comprises about 20 modules made up of videos and written materials, and can be completed in two days, or over a couple of weeks.

At the end of the day, ZTA isn’t a technology issue; it’s a business issue that requires senior executives to understand technology to solve it. So, says Milis, IT departments need to articulate the solution in terms of its business impact.

“IT has been explaining this in terms of what it is trying to accomplish, such as ZTA and greater security,” he says. “But IT staff need to explain it in terms of the business outcome: it’s not about securing data; it’s about minimizing liability, and avoiding fines. The board doesn’t care what technology you use—they care about what you are trying to accomplish.”
