Why should IT departments implement zero trust?

People & LeadershipProcess ManagementSecurity & GRC+6 more
1.7k views5 Comments
CEO in Software, 11 - 50 employees
Regardless of whether it's a corporate security plan, a data categorization plan, edge strategy, or better automation on a factory floor, zero trust—and security in general—only work if the C-suite supports the expectation of what security should accomplish and how it fits into corporate governance and planning. The biggest problem I've seen is with organizations that take zero trust to mean “I get to watch everything that you do.” That's not what it means to me. It’s a shared responsibility. As humans in the supply chain—for anything in technology but certainly for security—we are victims of our own behavior and assumptions on a daily basis. Whether it's security or the process for building a server, the reason there is DevOps, the reason there are written processes is because of humans. It's that simple.
2 2 Replies
CTO in Software, 11 - 50 employees

Zero trust means I want my people to do the best thing possible, but I need to verify what they do because there are malicious actors out there. It’s a protection point on what activity is done.

4
CIO in Education, 1,001 - 5,000 employees

Gartner’s analyst just said everybody's doing zero trust, but we're never going to be able to do that because our network is just not in a good place to do so. It's not unified, so zero trust doesn't even present itself as an option. We're left with either split tunneling via VPN or VDI, neither of which is an elegant solution.

2
CTO in Software, 11 - 50 employees
Zero trust is more important now than ever as part of digital transformation and digital resiliency. It's not about slapping your hands. Zero trust does not mean I don't trust my employees. It means I have zero security wherever they are: They're in a coffee shop on public WiFi and I need to protect them. It's not that they're malicious. Too many people think the security team assumes they’re malicious, that's not true. They protect you against attacks you're not aware of. Maybe they haven't done a great job of communicating it, but zero trust means: I trust my employees implicitly and I don't trust the environment explicitly.
3
C-Suite in Construction, 51 - 200 employees
Due to the more than ever increasing number of devices that need access to the system whether from within or remotely
2

Content you might like

How soon do your new employees get security awareness training?

Awareness & TrainingRisk ManagementSecurity Strategy & Roadmap

First day on the job10%

Sometime during their first week52%

Sometime during their first month26%

2-3 months after their hiring date6%

It depends on their role/level3%

Other (explain in the comments section)1%


299 PARTICIPANTS
1.2k views

Does anyone have any guidance, tips, and/or templates to share to help establish Identity Access Management governance as a part of an overarching Identity Governance and Administration program?

Process ManagementIdentity & Access Management (IAM)
2.1k views2 Upvotes1 Comment

Does your org consider API security a high priority?

Security Strategy & RoadmapThreat & Vulnerability ManagementRisk Management

API security is our top priority8%

Very high48%

High34%

Medium9%

Low1%

API security is not at all a priority for us1%


101 PARTICIPANTS
819 views

How do you keep a team motivated in absence of leadership?

People & Leadership
Read More Comments
40.9k views29 Upvotes21 Comments

Would anyone be willing to share best practices about how their organization deals with ensuring Cookie Compliance, specifically to GDPR rules? Where should this sort of compliance review sit in an organization? The particular issue we have is who should review new web deployments that use cookies and to make the decisions on whether Cookies are Strictly Necessary or Functionality Cookies. For example is a Cookie required for a Live Chat to work Functionality or Strictly Necessary? Our Security team does not consider taking on these compliance reviews as their domain, as Cookie Compliance is not an internal security matter and the Data Protection team has a limited interest as the GDPR rules around Cookies apply in case of any Cookie being used by a website, whether or not it contains personal data. 

Security & GRCRegulatory Compliance
610 views1 Comment