February 8, 2023
Getting ready to implement Zero Trust (ZT) isn’t quite as simple as some vendors would have you believe. If someone excludes the program development aspect of ZT, that’s a sign you should be careful. While many point solutions for specific problems exist, there is no out-of-the-box, end-to-end solution that will write policies, align business needs and socialize your ZT program. There isn’t even a vendor with a multi-vendor Policy Decision Point as outlined in the NIST 800-207 Zero Trust Architecture.
There is, however, a method that you can implement to assist you with making decisions about ZT and, most importantly, reduce risk.
Risk reduction is at the heart of all we do as security professionals, and it’s why we’re always looking for a new security approach to protect our assets. If left undetected, risk can leave an organization exposed and prone to compromise. Risk management helps us get there by documenting, discovering, calculating, evaluating, measuring and communicating risk. It also drives compliance and creates a need for remediation solutions. Applying Zero Trust principles makes all this happen in real time.
Risk management is an excellent method for knowing exactly where your problems are and what solutions (technical or administrative) will help you reduce risk exposure to acceptable levels. If you don’t track or understand your biggest risks, you’re fumbling in the dark and likely implementing solutions to close gaps while still unaware if you have the right priorities – “firefighting.”
Ultimately, risk management will improve your ZT implementation through risk discovery and measurement. We’ll start with the socialization of risk management and Zero Trust within your organization and end with some ideas on how risk management can help you be successful with designing and implementing a ZT program.
Have you ever presented something to your leadership team and seen vacant stares, yawns or a generally uninterested audience? This was your chance to discuss Zero Trust concepts, and it fell flat. Or you might have a board member who’s “technical” and assumes they already know everything you have to say. Let’s flip the script. Wouldn’t a discussion about how the implementation of processes and technology will reduce risk, close policy and compliance exceptions, speed up audit preparation and protect legacy systems be better? In addition, the proposal improves the client (employee) experience and allows them to have the flexibility to leverage the platform of their choice from anywhere at any time.
Risk management is a balance, and while increasing flexibility may reduce organizational risk related to recruiting and retaining top talent, it may increase the chance of compromise. We see major shifts that support this prediction, with COVID-19 driving organizations to figure out how to be flexible and still keep risk tolerance within assigned limits. A Zero Trust approach enables flexibility while reducing risk.
Identifying and communicating risk is a very important aspect of our jobs. Providing vague or ineffective communications can lead to marginalization and possible reputational damage. Documenting and measuring things like insider threats, risks from operational technology (OT) or the internet of things (IoT), third parties, application vulnerabilities, etc., and how a ZT approach can help will greatly reduce those risks and assist with getting the company-wide cybersecurity risk level within tolerable limits. Risk management is complex, and there are multiple ways to approach it. If it was easy, you’d be doing it already (and so would everyone else).
Risk management is a foundational control, but unfortunately, it’s also one of the lowest maturity-rated capabilities that we see when delivering our security strategy assessments (SSA). The average on a five-point maturity scale is barely in the “limited” range, meaning that the risk program is partially formalized, reactive and just getting started, as shown in Figure 1.
The lowest observed 15 capabilities as defined by Optiv’s SSA are listed below in Figure 2. Risk management comes in at lucky number 13. Several other poor-performing capabilities in this chart would also benefit from a Zero Trust approach.
There are many documented risk management approaches and methodologies, and each has its strengths. Choosing the right one is part of the journey, but one thing to remember above all else: be transparent. The consumers of the information you collect regarding risks will want to be aware of a few things and should also agree to the chosen approach.
The last thing you want is to forge ahead with a great risk management approach only to have a senior leader reject an assigned risk or question some aspect of the risk calculation process used. Here are a few tips for establishing a risk management approach:
As risks are identified and mitigation is being designed, be sure to build in the NIST core tenets of ZT as outlined in Figure 3.
The core tenets of ZT provide a way to think about access and controls and help guide the design of the controls you assign. Well-defined controls begin with policies and framework alignment; these establish the “how” of creating sound and effective organizational controls. Risk identification and treatment will help you institute mitigation actions, and those efforts will fit naturally into your overall ZT strategy.
A GRC program with a risk management component and workflows will make life much easier than trying to do everything in spreadsheets. In addition, your review of new business approaches and applications should include ZT-related requirements and show how the initial risk can be reduced by ensuring new business projects are implementing ZT-compatible systems and applications.
Your third-party risk management (TPRM) approach should include ZT “enablers” or requirements that drive the core tenets of ZT and ensure third-party solutions (people, processes and technology) align with your strategy. Figure 4 shows how risk managers view business solutions through a ZT lens when assessing system designs.
Risk management complements a ZT strategy and vice versa. Remember to keep stakeholders engaged in the process, as there should be no surprises. In Figure 5, the benefits of a ZT approach are highlighted in red. But as mentioned previously, a balance must be maintained, and having a cyber risk management approach will enable you to articulate how and why risk was reduced.