Zero Trust architecture, Implementation & Maturity Model

The Value of Zero Trust made tangible - A research proposal

  • 1.  The Value of Zero Trust made tangible - A research proposal

    Posted Jul 27, 2023 08:18:00 AM

    Hi all,

    I've joined this group upon the recommendation of Erik Johnson, and I'm looking forward to working with all of you and contributing to the community.

    I've posted the below on the ZT community, and I'm cross-posting for wider reach. I would love to hear your feedback.

    I'm making a proposal for a new working group.

    I've read a lot of whitepapers, books, etc., on Zero Trust, and they all make a lot of promises. In the past, perimeter defense made sense, and we pushed it to the business. Today, we have a lot of smart people, organizations, and a whole industry promising that ZT is the way to go. And again, it does sound very reasonable and we are pushing for its implementation (or adoption).

    Security professionals face the business and make promises with very little data to substantiate their optimism that we are making the right choice this time. All the reasons we typically state are very generic, and there is little guidance to support the community to make it more concrete. Skeptical and cyber-aware businesses can raise many questions that are very difficult to answer. The main argument ends up being, "Everyone else is doing it." 

    The working group's objective would be to take the main value statements and provide the community guidance on how to investigate these in their own context and present a more relevant business case.

    For example, a typical value is around "operational resilience." The promise is that ZT will make an organization more resilient. But what does that really mean? The working group would research and provide guidance to the community on how to possibly assess current "operational resilience" and what it could look like with a ZT implementation. All guidance would be general but comprehensive enough to be applicable to any industry, organization size, etc. Preferably, the guidance should include ideas to actually measure the promised value. The community member can take from the guidance ideas on what might be applicable to it and ignore the rest.

    This working group could build upon the current draft research "Communicating the Business Value of Zero Trust," which lists generally perceived business value. This is a good start, but I believe the community needs more guidance to make the business value more defensible. It needs to stand up against a skeptical evaluator.

    Do you believe such research would be useful to the community? 

    I'm looking forward to all your comments.

    Thank you

    Osama Salah



    ------------------------------
    Osama Salah
    CSA UAE Chapter
    ------------------------------