Why Zero Trust is a must for strong corporate governance
Long gone are the days when technology and cybersecurity concerns could be delegated solely to the IT department.
With artificial intelligence (AI), post-quantum (PQ) cryptography, and an ever-intensifying threat landscape, senior leadership teams and boards have a duty of care to make the right investments and to provide the strategic guidance and oversight that help keep the organization, employees, customers, and other key stakeholders safe.
If that is not enough incentive, federal agencies are continuing efforts to hasten breach disclosures and to hold executives liable for security and data privacy incidents. Pursuing an enterprise-wide Zero Trust strategy is critical for strong corporate governance and is increasingly a board-level priority.
The Current Framework
NIST’s recently released Cybersecurity Framework (CSF) 2.0 reinforces this strategic link between Zero Trust and governance. The renewed CSF provides guidance and examples for adopting Zero Trust and adds “Govern” to the other five core framework functions of Identify, Protect, Detect, Respond, and Recover.
While governance was implied in previous CSF iterations, it is now codified to ensure that an organization’s strategy is directly linked to cybersecurity roles and responsibilities, informing the business of what it needs to do to address the other five functions. NIST’s focus on governance reinforces that the entire leadership team is in this together and emphasizes the fiduciary responsibilities of the board.
All this focus on governance is key to minimizing business risk and protecting shareholder value, but it also puts tremendous pressure on leadership teams to communicate cyber risk effectively to the board and to meet regulatory requirements. This is where Zero Trust comes in.
Setting Organizations Up for Success
Zero Trust is not a product to buy or a box to check. It is a strategic approach to improving cyber resilience that can also increase organizational agility, reduce the cost of compliance, decrease IT complexity and total cost of ownership, and, of course, strengthen corporate governance.
CISA’s recently released Zero Trust Maturity Model 2.0 provides a roadmap for pursuing a Zero Trust strategy, with updated guidelines around the five key pillars of Identity, Devices, Networks, Data, and Applications and Workloads. As in CSF 2.0, governance is front and center in this latest version. CISA’s updated guidelines reinforce that governance of cybersecurity policies, procedures, and processes within and across the five pillars is essential to improving cyber resilience and maintaining regulatory compliance.
While long considered a cybersecurity best practice, pursuing a Zero Trust strategy is now also an express requirement from both NIST and CISA for strong corporate governance – and organizations should consider it a business imperative.