Expert Speak
The Chief Zero Trust Officer: A New Role for a New Era of Cybersecurity
Written by John Engates, Field CTO at Cloudflare
Over the last few years, the topic of cyber security has moved from the IT department to the board room. The current climate of geopolitical and economic uncertainty has made the threat of cyber attacks all the more pressing, with businesses of all sizes and across all industries feeling the impact. From the potential for a crippling ransomware attack to a data breach that could compromise sensitive consumer information, the risks are real and potentially catastrophic. Organizations are recognizing the need for better resilience and preparation regarding cybersecurity. It is not enough to simply react to attacks as they happen; companies must proactively prepare for the inevitable in their approach to cybersecurity.
The security approach that has gained the most traction in recent years is the concept of Zero Trust. The basic principle behind Zero Trust is simple: don’t trust anything; verify everything. The impetus for a modern Zero Trust architecture is that traditional perimeter-based (castle-and-moat) security models are no longer sufficient in today’s digitally distributed landscape. Organizations must adopt a holistic approach to security based on verifying the identity and trustworthiness of all users, devices, and systems that access their networks and data.
Zero Trust has been on the radar of business leaders and board members for some time now. However, Zero Trust is no longer just a concept being discussed; it’s now a mandate. With remote or hybrid work now the norm and cyber-attacks continuing to escalate, businesses realize they must take a fundamentally different approach to security. But as with any significant shift in strategy, implementation can be challenging, and efforts can sometimes stall. Although many firms have begun implementing Zero Trust methods and technologies, only some have fully implemented them throughout the organization. For many large companies, this is the current status of their Zero Trust initiatives – stuck in the implementation phase.
But what if there was a missing piece in the cybersecurity puzzle that could change everything? Enter the role of “Chief Zero Trust Officer” (CZTO) – a new position that we believe will become increasingly common in large organizations over the next year. The idea of companies potentially creating the role of Chief Zero Trust Officer evolved from conversations last year between Cloudflare’s Field CTO team members and US federal government agencies. A similar job function was first noted in the White House memorandum directing federal agencies to “move toward Zero Trust cybersecurity principles” and requiring agencies “designate and identify a Zero Trust strategy implementation lead for their organization” within 30 days. In government, a role like this is often called a “czar,” but the title “chief” is more appropriate within a business.
Large organizations need strong leaders to efficiently get things done. Businesses assign the ultimate leadership responsibility to people with titles that begin with the word chief, such as Chief Executive Officer (CEO) or Chief Financial Officer (CFO). These positions exist to provide direction, set strategy, make critical decisions, and manage day-to-day operations, and they are often accountable to the board for overall performance and success.
An old saying goes, “When everyone is responsible, no one is responsible.” As we consider the challenges in implementing Zero Trust within an enterprise, it appears that a lack of clear leadership and accountability is a significant issue. The question remains, who *exactly* is responsible for driving the adoption and execution of Zero Trust within the organization?
Large enterprises need a single person responsible for driving the Zero Trust journey. This leader should be empowered with a clear mandate and have a singular focus: getting the enterprise to Zero Trust. This is where the idea of the Chief Zero Trust Officer was born. “Chief Zero Trust Officer” may seem like just a title, but it holds a lot of weight. It commands attention and can overcome many obstacles to Zero Trust.
Implementing Zero Trust can be hindered by various technological challenges. Understanding and implementing the complex architecture of some vendors can take time, demand extensive training, or require a professional services engagement to acquire the necessary expertise. Identifying and verifying users and devices in a Zero Trust environment can also be a challenge. It requires an accurate inventory of the organization’s user base, groups they’re a part of, and their applications and devices.
On the organizational side, coordination between different teams is crucial for effectively implementing Zero Trust. Breaking down the silos between IT, cybersecurity, and networking groups, establishing clear communication channels, and holding regular meetings between team members can help achieve a cohesive security strategy. General resistance to change can also be a significant obstacle. Leaders should use techniques such as leading by example, transparent communication, and involving employees in the change process to mitigate it. Proactively addressing concerns, providing support, and creating employee training opportunities can also help ease the transition.
But why does an organization need a CZTO? Is another C-level role essential? Why not assign someone already managing security within the CISO organization? Of course, these are all valid questions. Think about it this way – companies should assign the title based on the level of strategic importance to the company. So, whether it’s Chief Zero Trust Officer, Head of Zero Trust, VP of Zero Trust, or something else, the title must command attention and come with the power to break down silos and cut through bureaucracy.
New C-level titles aren’t without precedent. In recent years, we’ve seen the emergence of titles such as Chief Digital Transformation Officer, Chief eXperience Officer, Chief Customer Officer, and Chief Data Scientist. The Chief Zero Trust Officer title is likely not even a permanent role. What’s crucial is that the person holding the role has the authority and vision to drive the Zero Trust initiative forward, with the support of company leadership and the board of directors.
Getting to Zero Trust security is now a mandate for many companies, as the traditional perimeter-based security model is no longer enough to protect against today’s sophisticated threats. To navigate the technical and organizational challenges that come with Zero Trust implementation, the leadership of a CZTO is crucial. The CZTO will lead the Zero Trust initiative, align teams and break down barriers to achieve a smooth rollout. The role of CZTO in the C-suite emphasizes the importance of Zero Trust in the company. It ensures that the Zero Trust initiative is given the necessary attention and resources to succeed. Organizations that appoint a CZTO now will be the ones that come out on top in the future.
Expert Speak
Shadow IT – Is It Really a Problem?
Personally, I love shadow IT—most employees do. But is it a problem? Let’s explore.
Wondering what shadow IT is? Shadow IT refers to the use of software and hardware tools or services by employees without the knowledge of the organization’s IT department.
The use of shadow IT tools has been a topic of discussion for years, with each company having its stance. Using these tools is often more about personal preference than anything else, and the same applies to how companies handle them. Most people lean toward shadow IT because official IT software tools often do not offer features that cater to individual preferences.
Some commonly used tools that fall under shadow IT include project management tools like Trello and Notion, messenger apps like WhatsApp, and file transfer apps like WeTransfer and Dropbox. The common factor? They’re all easy to access and use. However, with the rise of GenAI, everyone’s new shadow IT tool is ChatGPT.
The problems
I’m sure you already know the main issues that make companies dislike shadow IT tools: privacy and security.
Let’s look at ChatGPT. The use of ChatGPT isn’t regulated in most organizations, and many companies are still at a crossroads regarding GenAI tools. There’s a risk of employees unintentionally sharing sensitive information, leading to data leaks. This could include intellectual property, like code used to build applications, or personal information such as phone number, email address, house address, and more.
Whatever the sensitive information may be, it’s not safe to share it with tools like ChatGPT. Threat actors are constantly trying to breach systems, especially widely used tools like ChatGPT, where there’s much to gain. Even when companies provide best practices to employees, an obvious vulnerability remains.
Another problem with shadow IT tools is that they restrict collaboration. If one team member uses a cool, new project management app to track progress and others use a different tool, it’s difficult to stay on the same page. For example, design and development teams often work together on the same project, such as designing web pages.
If the design team uses one project management tool and the development team another, how can they collaborate and work in sync to meet deadlines? It creates unnecessary friction. This is why organizations provide the same, approved project management tools for everyone. While using different tools might boost individual productivity, it can cause productivity issues within the project as a whole.
From a financial standpoint, companies pay for the business tools their employees use. If employees start using free online tools instead, the money spent on approved tools for those users becomes a loss for the company.
Additionally, when organizations approve software solutions, those tools are vetted by a team of professionals and comply with the laws and regulations the company must follow. We can’t be sure that tools employees download on an ad hoc basis are compliant, and employees usually don’t check for these things when they download or use shadow IT apps.
The good
Shadow IT tools are awesome. We all agree on that. The tools organizations give us, or approve, are often outdated. They’ve been around in the tech landscape for years (for good reasons, of course), but as technology advances, we don’t want to be tied to old tools that lack new features, which could make our work easier.
Restricting access to apps doesn’t feel great. We all work differently and have unique preferences. Using shadow IT tools that we like makes us feel more productive and empowered, and allows for individuality in the workplace. When we use tools we love, we tend to be more efficient than when we’re stuck using approved, traditional tools that may lack the features we need.
The verdict
Shadow IT comes with many advantages, and dismissing it solely because of the risks isn’t wise. If we think about it, all tools carry some degree of risk. It’s up to us to be educated and understand how to use them securely and efficiently while benefiting the team and the company we work for. Shadow IT tools might benefit you individually, but what’s more important is to look at the bigger picture and ensure that your team’s collaboration doesn’t suffer as a result.
Speaking of the financial loss a company incurs when it hands out tools an employee may not need, organizations can instead avoid provisioning every tool an employee might need by default. Even for a tool employees may need regularly, use a request-based system so that employees ask the company for a paid tool only if they need it and want to use it. This eliminates the unnecessary cost the company incurs when an employee is provided with paid tools by default but chooses to use a shadow IT tool instead.
At first glance, shadow IT might seem like a problem, but with employee education and empowerment, it doesn’t have to be. Restricting shadow IT tools is easy, but educating employees is key.
ManageEngine is a company that believes in employee-driven innovation and encourages its employees to be aware of secure cybersecurity practices while allowing room for individuality. To learn more about ManageEngine and its offerings that allow you to have a secure and efficient IT infrastructure, click here.