Zero Trust

  • 1.  The Value of Zero Trust made tangible - A research proposal

    Posted Jul 25, 2023 08:46:00 AM

    I'm making a proposal for a new working group.

    I've read a lot of whitepapers, books, etc., on Zero Trust, and they all make a lot of promises. In the past, perimeter defense made sense, and we pushed it to the business. Today, we have a lot of smart people, organizations, and a whole industry promising that ZT is the way to go. And again, it does sound very reasonable and we are pushing for its implementation (or adoption).

    Security professionals face the business and make promises with very little data to substantiate their optimism that we are making the right choice this time. All the reasons we typically state are very generic, and there is little guidance to support the community to make it more concrete. Skeptical and cyber-aware businesses can raise many questions that are very difficult to answer. The main argument ends up being, "Everyone else is doing it." 

    The working group's objective would be to take the main value statements and provide the community guidance on how to investigate these in their own context and present a more relevant business case.

    For example, a typical value is around "operational resilience." The promise is that ZT will make an organization more resilient. But what does that really mean? The working group would research and provide guidance to the community on how to possibly assess current "operational resilience" and what it could look like with a ZT implementation. All guidance would be general but comprehensive enough to be applicable to any industry, organization size, etc. Preferably, the guidance should include ideas to actually measure the promised value. The community member can take from the guidance ideas on what might be applicable to it and ignore the rest.

    This working group could build upon the current draft research "Communicating the Business Value of Zero Trust," which lists generally perceived business value.  This is a good start, but I believe the community needs more guidance to make the business value more defensible. It needs to stand up against a skeptical evaluator. 

    Do you believe such research would be useful to the community? 

    I'm looking forward to all your comments.

    Thank you

    Osama Salah



    ------------------------------
    Osama Salah
    IT Security Specialist
    Department of Finance
    ------------------------------


  • 2.  RE: The Value of Zero Trust made tangible - A research proposal

    Posted Jul 26, 2023 10:02:00 AM

    Interesting thoughts. The ZT9 workgroup is contemplating what research to develop once the Communicating the Business Value of ZT document is released. Are you interested in joining that subgroup to actively participate in those discussions? There's also a ZT9 Zero Trust architecture, Implementation & Maturity Model sub-community where you can cross-post and further elaborate on this thread that we can add you to as well.



    ------------------------------
    Erik Johnson CCSK, CCSP, CISSP, PMP
    Senior Research Analyst
    Cloud Security Alliance
    ------------------------------



  • 3.  RE: The Value of Zero Trust made tangible - A research proposal

    Posted Jul 27, 2023 08:12:00 AM

    Thanks for the feedback, Erik,

    I've joined the ZT9 community. Will cross-post the proposal there too.

    Osama



    ------------------------------
    Osama Salah
    IT Security Specialist
    Department of Finance
    ------------------------------