Consistency via a simple model and durable capabilities
A modern organization is complex and composed of many different specialized roles: business strategy, technology deployment and operation, financial performance, regulatory requirements, and so on. To keep everyone working in the same direction, it's critical to provide a simple model that everyone can quickly understand, including a set of durable capabilities we can count on to stay consistent over time.
Creating this consistency early accelerates Zero Trust adoption and the value it brings: increased business agility and resilience to cyberattacks. It also reduces internal friction between teams, which otherwise holds back both business agility and security integration.
Because a Zero Trust transformation affects all aspects of security, it's worthwhile to take a fresh look at security and revisit the core outcomes of the discipline. Information security is very similar to other security and safety disciplines in that they all focus on three key outcomes:
- Prevent: Keep bad things from happening as much as possible
- Respond: Manage when bad things do happen, to minimize damage and rapidly get back to normal
- Learn: Use those experiences to improve both prevention and response
For information security, these outcomes are expanded into a more detailed life cycle in the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover, with Govern added as a sixth function in version 2.0 of the framework. This life cycle is an excellent guide to the outcomes of security, but it still needs to be translated into the capabilities that security teams use to make those outcomes happen. Establishing a clear set of durable security capabilities that stay consistent across technology and other changes is important both to guide security teams and to create a common language that allows technology, business, and security teams to work together.
We chose to use The Open Group's initial Zero Trust Reference Model because it is a well-vetted, industry standards-driven approach that meets this need. The model is both simple and comprehensive, providing a clear picture of what to expect that makes sense to everyone, from business leaders to technologists and security practitioners.
Operations – a word with many meanings
You may notice that the word operations and its variations are used in different ways in this series. This is because business, technology, and security teams each use these similar terms differently. See the Disambiguation – operations, operational, operating model, and so on section in Chapter 6, How to Scope, Size, and Start Zero Trust, for a full reference of these terms and how they are used.
Now that we understand how important it is to have a simple model that is understood throughout the organization, let's discuss the Zero Trust model itself.