The notion of Zero Trust – never trust, but always verify – has been gaining momentum for more than a decade. With so much of our lives and businesses rooted in the digital world, there is more sensitive data at risk and subsequently more large-scale cyberattacks and security breaches than ever before. The movement to incorporate remote work capabilities in a post-COVID world has only added to the fear of vulnerability. As a result, we’re seeing an increased shift to Zero Trust among organizations of all sizes.
By Andy Sobotta, Chief Information Security Officer, Bridgestone Americas
However, as a cybersecurity professional who is part of a large corporation, I know that I am not able to operate in isolation. I cannot simply change protocol and security methods, as there are many decision-makers and stakeholders who need to be brought on board to make needed investments in people, processes, and technology to create a Zero Trust culture.
Check Out CISO MAG’s November Issue: Zero Trust, IAM & PAM: The New Cocktail for Mitigating Security Risks
In my role as CISO at Bridgestone Americas, I am responsible for leading information security and compliance strategy across the organization. We have more than 40,000 employees in eight countries, with additional offices throughout Latin America and the Caribbean. Zero Trust is a step we undoubtedly have to take to protect such a sprawling enterprise, but it’s also our size that makes this undertaking a bit daunting. So, we have taken several initial steps to make this transition a success.
By sharing our approach to implementing Zero Trust at Bridgestone, my hope is that you can use these insights to more effectively shape your own strategy and garner better buy-in. In my experience, the key is to invest the time to understand the business’s priorities and challenges instead of asking them to understand technology jargon.
Laying the Groundwork
To grasp why change is needed, stakeholders first need to understand the threat. Those not actively involved in cybersecurity often have a false sense of security. There are passwords and verifications required when they work, so it appears that documents and files are protected. Since I’m always looking for ways to make things more interesting, let’s take a look at the risks of traditional network access by using a wine cellar as an example.
In traditional network security, you can only access the wine cellar if you are given a key. If you have a key, you can access the entire cellar and all the wine (data). However, keyholders can be duped into allowing someone else to use their key, or they can be pickpocketed and the key stolen. Even those who are authorized to have a key might not have good intentions, copying their key to give others access, or taking wine that isn’t theirs to enjoy. You know, the good stuff.
Hopefully, this or some other metaphor helps stakeholders understand how their data is not quite as secure as they thought. Then, you can delve into why it matters. Most people comprehend the risk of unauthorized access to sensitive information but quantifying it will make your message more impactful. The 2017 Data Breach Study, conducted by Ponemon Institute and sponsored by IBM, found that the global average cost of a data breach is $3.62 million, and the average size of data breaches increased from the year prior by 1.8 percent to more than 24,000 records. Translation: a key in the wrong hands can mean a significant loss, a total wipeout of the cellar, or even result in someone changing the locks and holding your wine library hostage. A breach can be a devastating scenario for a business, and we can’t trust these old-fashioned keys.
As you lay the groundwork for a cybersecurity overhaul, be prepared for the name Zero Trust not to resonate well with people. It suggests that employees, and even executives, cannot be trusted; everyone is a potential threat. Certainly, that is the idea of it and exactly why Zero Trust works. However, renaming the process for your organization, or even avoiding a designated term altogether, may help you achieve more positive results.
It’s also important to help stakeholders understand that if they want the flexibility to work from any location, we need a new level of security. We need to devise a way to make the wine more accessible to the authorized people, but just as safe.
What Change Looks Like
Once stakeholders comprehend the need for change, we can then move on to explaining how things will change.
Going forward, every user must be authenticated, authorized, and continuously validated for security configuration. Translation: we’re replacing keys with a keypad. You can only get a code once you’ve proven your identity, and that code is specific to you for that visit. When you’re done, so is that code.
With Zero Trust, it’s important to minimize the impact should a breach occur. Translation: your code won’t give you access to the entire cellar, just to what you need. Don’t drink whites? You’ll only see the reds when you enter.
Zero Trust architecture requires continuous monitoring and validating that the user and their device have the right privileges. Translation: when you visit the cellar, the wine cellar manager is going to keep tabs on your visit to make sure wine selection is occurring as it should.
Achieving That Change
With a better understanding of the “why” and the “what,” you can delve into the “how.” In our world, it is natural to want to explain everything that will need to happen, at a technical level, to implement Zero Trust. I advise against this. Stakeholders are primarily concerned with how the change will affect them and their business process and how long it will take.
With an organization as large as Bridgestone, explaining the “how” is a massive undertaking, but it is in our interest to invest the time and energy to outline the pertinent process touchpoints for each group, whether segmented geographically or by business unit. This encourages acceptance and limits disruptions that individuals had not anticipated because of a lack of clarity.
Initiating the Change
In information security, we want to jump right in, but this is a process that warrants patience and planning.
Naturally, not every organization is as attuned to extensive processes. This is why I encourage companies to tailor the Zero Trust conversation and implementation to their organization’s culture. Zero Trust requires a thoughtful approach and widespread buy-in to protect your most precious data. Since technology is constantly developing, the Zero Trust model is not a final destination, but if you frame it right from the outset, you are more likely to achieve that most important of qualities along your journey – trust.
About the Author
Andy Sobotta is Bridgestone’s Chief Information Security Officer (CISO). Sobotta is responsible for overseeing the protection of the company’s information technology assets, ensuring robust IT security architecture, operations, and compliance throughout the Americas. Sobotta has more than 20 years of experience as an information security executive, including nearly 10 years in the automotive industry. He most recently served as Chief Information Security Officer at Sensata Technologies, Inc., after four years as Senior Director of Global Information Security with Procter & Gamble. Andy also served as Chief Information Security Officer for Elavon/US Bank and was Chief Information Security Officer for Volkswagen of America.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.