Success With Zero Trust Lives And Dies By Executive Support
Forrester originated the Zero Trust Model over a decade ago and defines Zero Trust as:
An information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero Trust advocates these three core principles: All entities are untrusted by default, least privilege access is enforced, and comprehensive security monitoring is implemented.
We help our clients better understand and get value out of Zero Trust every day. One of the questions we’re frequently asked is, “How do we gain executive support for implementing Zero Trust?” Your ability to engage and win over your executive team and key stakeholders is key to a successful program.
One client, SaskPower, told its Zero Trust story through a case study we released this past week: How Security And Enterprise Architecture Collaborated To Bring Zero Trust To SaskPower. SaskPower spent years understanding, collaborating on, and designing Zero Trust principles into its security program. In the full report, we explain how and what it took internally to make it happen.
These process improvements led to:
- Zero Trust principles being woven into companywide security enhancements. SaskPower integrated security enhancements across the company into its yearly goals and objectives for the next fiscal year. In the risk management section of its annual report, 2021 to 2022, SaskPower called out the security enhancements and practices implemented at the company. Infusing Zero Trust principles throughout this priority took executive buy-in to the next level and tied the success of the security program to the success of each part of the business.
- Executive commitment to regular cybersecurity risk assessments and mitigation plans. SaskPower committed to repeating the risk assessment that helped launch its Zero Trust journey at a regular cadence. As the security program progresses, the company expects the risk assessment's recommendations to become more targeted and the quantified risk to the organization to decrease.
- Executive commitment to quantifying and improving security maturity. The enterprise architecture and enterprise security teams built an information security maturity assessment to evaluate progress on three key areas over time: governance, coverage, and sophistication.
To read how SaskPower accomplished this, check out the full report here.
I’d like to give a huge thank you to the team at SaskPower for their incredible work and willingness to share their Zero Trust journey with others.
Get in touch if you have any questions or comments. I’d love to hear from you. Forrester clients who want help with their own Zero Trust journey can schedule a guidance session or inquiry.