InfoSec Strategies

John Verry’s 2022 InfoSec Prediction #1: Zero Trust Moves from Buzzword to Reality

Reading Time: 3 minutes

Last Updated on March 3, 2022

zero trust john verry pps

 

 

 

 

To predict the most important cybersecurity trends and changes we’ll face in 2022, host John Verry, Pivot Point Security CISO and Managing Partner, invokes his Nostradamus alter ego on a recent episode of The Virtual CISO Podcast.

“I don’t think it’s that crazy to play Nostradamus if you base your predictions on where we are today,” John contends. His first prediction is that significant numbers of organizations will begin to implement Zero Trust architectures in 2022, due mainly to these three escalating factors in the current cybersecurity environment:

  1. Security awareness training just doesn’t work.
  2. The recent presidential executive order directs federal agencies to move to Zero Trust architectures. And the Cybersecurity & Infrastructure Security Agency (CISA) has already issued supporting guidance.
  3. The traditional “castle and moat” security model is now pitifully outmoded.

Security Awareness Training Doesn’t Work

We all know we’re not supposed to click those suspect links… but sometimes we do. And once can be all it takes to cause a data breach.

“I think we have to acknowledge that security awareness training does not work,” concedes John. “Pivot Point Security has offered security awareness training, and virtually every one of our customers has KnowBe4 or some other product out there. We send out on the order of 10,000 to 15,000 phishing emails each month on behalf of our clients. Once a week we get a summary report, and every time I look at it there are hundreds of people who have clicked on those links.”

One of the cool things about Zero Trust is it assumes from the outset that somebody in the organization will click on a malicious link at any time. But it won’t cause much harm, because outbound network traffic is whitelisted so that malware can’t download. Even if ransomware or other malware does find its way onto a system in a Zero Trust environment, it won’t be able to communicate with its command & control component, and it won’t be able to exfiltrate any data.

Ransomware problem solved. Time-consuming and ineffective user training precluded. What’s not to like?

The Presidential Executive Order and CISA Guidance

Another reason we’ll see more and more real-world Zero Trust implementations starting in 2022 is that US federal government agencies are now mandated to move in that direction—and their countless suppliers are sure to follow.

The Zero Trust mandate starts with the recent presidential executive order 14028 from May 2021, which calls on federal agencies and their suppliers to implement Zero Trust architectures. In line with that, the increasingly influential Cybersecurity & Infrastructure Security Agency (CISA) has already issued parallel guidance, in the form of a Zero Trust Maturity Model “for agencies to reference as they transition towards a Zero Trust architecture.”

The “Castle and Moat” Security Model is Toast

Security awareness training isn’t the only thing in our current security landscape that needs a reboot.

As John points out, Zero Trust architecture is the logical evolutionary leap forward from the traditional “castle and moat” security model that most organizations are currently struggling with, to the delight of hackers.

Back in the day, companies had a network perimeter. Everything outside the firewall/moat was evil; everything inside the firewall was trusted. But as cloud services and work-from-home have become the norm, the “castle with all our data in it” has evaporated, along with the logic of trusting those “inside” the now permeable “castle walls.”

“Really, we’ve gotten to a point where there is no castle, there is no moat and we need a different model,” John points out. “That’s what Zero Trust gives us.”

 

Next Steps

John makes a very compelling argument that Zero Trust is on the docket for many organizations in 2022 and beyond. Is your business among them? If so, what is your ideal Zero Trust timeline and roadmap?

To listen to John’s complete briefing on cybersecurity and privacy trends for 2022, click here.

Want to find out more about Zero Trust? This podcast with John Kindervag, originator of the Zero Trust model, is the perfect place to start: EP#54 – John Kindervag – Trust Is a Vulnerability: 5 Steps on the Path to Zero Trust

vCISO Roadmap ThumbnailConsidering hiring a Virtual Chief Information Officer?

There are many benefits to bringing in outside information security talent into your organization, but it must be done right to realize success.

Download our vCISO Roadmap now!

Back to list

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *