Zero Trust: The Paradox Helping CISOs Enable Their Business

As we reflect on the first half of 2024, it seems to me that two defining features so far have been a litany of significant cyber attacks on companies across every sector, and widespread adoption of AI tools as businesses seek to innovate. At the heart of this storm of cyber threats is the CISO, looking to guide their business safely through potential dangers. 

Last month, Netskope undertook research examining how CISOs view their role and asking how they’re approaching these challenges. 

Why CISOs like zero trust

As businesses are increasingly digitised, our research showed that modern CISOs want to become enablers and facilitators rather than just protectors; they want to give their businesses the agility to adapt and innovate while remaining secure. 

Attitudes among CISOs toward zero trust principles are already very supportive. A majority agree that zero trust enables companies to move faster (59%), encourage innovation (58%), increase flexibility (58%), and improve decision-making (55%). Similarly, 55% of CISOs believe a zero trust approach enables them to balance conflicting priorities better. 

Looking ahead, CISOs go so far as to point to the adoption of a zero trust approach as the single most significant factor in companies becoming more open and flexible over the next two years. 

Explaining the paradox at the heart of zero trust

CISOs know well that no single security model is a silver bullet on its own, and zero trust is no different. But it’s clear that CISO expectations of zero trust are consistently positive—and this is spreading to their fellow C-suites who have high hopes for zero trust’s potential impact. 

Alas, the zero trust philosophy does not appear to be well understood by the wider business leadership—despite their familiarity with the term. While 58% of CISOs report that their executive team is asking them to pursue a zero trust approach, almost as many (51%) state that their executive team or board doesn’t actually understand what this means. Zero trust is simple to visualise but is more nuanced in execution. Concepts of zero trust (and zero friction) are important only in terms of what they provide—risk mitigation and business enablement.

While a zero trust approach sounds rigid in theory, paradoxically, in practice it helps companies achieve greater agility—perhaps explaining its widespread appeal. Zero trust principles introduce more controls and reduce access to the corporate network and applications. Counterintuitively, rather than adding friction and slowing the enterprise, the principles actually increase flexibility and speed. Building policies around an extensive range of contextual signals offers granular control, which strikes the right balance between staying secure and getting work done and improves confidence in decision-making—key priorities for business leaders in today’s fast-moving world. 

In other words, the paradox of zero trust is that the ultimate closed environment creates the most open, agile, and innovative business.

Implementing zero trust

Excitement for the zero trust model can sometimes get ahead of what most security professionals and their companies are doing in practice. Our research found that fewer than half of respondents globally (44%) operate with zero trust principles today—although a further 38% say they plan to adopt zero trust soon. A zero trust strategy requires tools that supply signals and context to achieve the granular visibility and control necessary for creating policies that provide the right access by the right people to the right resources at the right times for the right reasons. It’s impossible to securely deliver the true value of zero trust if you are still operating on dated legacy tech or strategy.  

When CISOs are asked by fellow C-suites about zero trust they need to remember their goal: to be business enablers. They must elevate the conversation around zero trust from being a tactical discussion of specific tools and policies to becoming a strategic discussion about their company’s security posture. With that bigger strategic picture in place and the buy-in from across the C-suite, a well-informed CISO can lead the conversation on how that posture can enable business operations.

Trust brings growth

Zero trust is the latest in a long parade of infosec buzz phrases, and like many before it has gathered traction among non-technical senior stakeholders who are aware of the need for security, but unaware of how to achieve it. It’s an opportunity for CISOs to use this interest as a springboard to participate in high-level conversations about business growth. 

The CISOs who can answer questions of “How do we enable this business case securely?” and define how they are helping their C-suite peers acquire new revenues, drive efficiencies, and navigate regulatory requirements will be recognised as valuable contributors at the highest levels.

For more actionable insights to help dispel common myths surrounding zero trust implementation, register for my upcoming webinar Zero Trust: Perceptions, Adoption, Ambitions, and Approach on August 28.