OK, you did it! You created a zero-trust solution that allows your clients to work from anywhere. It is the borderless approach to security that protects assets no matter where they might end up. It works when data is being accessed at the office and from behind that big, fancy corporate firewall. It works when users are at a coffee shop connected to public Wi-Fi. It even protects assets when your users are working from home.
Your solution is GREAT!
It does all of this without turning the users’ daily work into a snail parade (as in, it protects them without slowing down everything or making them jump through an extra 33 steps to prove they are who they say they are). You’ve achieved Zero-Trust Eutopia.
Coming up with your zero-trust framework had its challenges. You overcame legacy systems. You came up with a way to map out the “”protect surfaces”” and data flows that your clients use every day. You even figured out how to implement micro-segmentation.
Little did you know, you are about to face your biggest challenge yet: Convincing people to invest the effort and money to implement your new solution. Your clients, your prospects, AND the people who work for you are all going to make it near impossible to roll out zero trust.
Why?
Because you, like many IT and security people, focus on rules. You are talking to people about something that isn’t. Security is about protecting yourself, your business, or your family.
How can you help them understand that they need to invest in security? Do you educate them on risk? They’ve been doing the same thing for the last 15 years and haven’t had an issue. So how do you get people to invest in zero trust, a completely new philosophy?
Show, Don’t Tell
You could just tell them that they have to change, but that will make you the bad guy. Your name will be the one they mumble under their breath each time they have to type in a token off their phone or reenter a password to gain additional access to the network.
How do you get them to change without just telling them they have to? You start by showing them.
This is where penetration testing comes in.
In my experience, showing a prospect, a client, or a team member EXACTLY what an attacker would get to when they click on a malicious link creates an AHA moment. That moment is the perfect opportunity for you to ask the question, “”Should we address this?””
With that question and the knowledge of how easy it is for an attacker to gain access to their current system, people are ready to start the change process.
By adding this step, I’m finding that the same users who didn’t want to turn on multifactor authentication a couple months ago, are willing to invest in zero trust today.
Introducing Pen Testing
I know what you are thinking: How do I get my clients to invest in a penetration test? What type of penetration test do I need? How do I do this without the client asking, “”Why didn’t you do this sooner?””
Here’s what I’ve found works: Start with a simple conversation to introduce the concept. “”We’ve seen a major uptick in attacks directed at abusing user rights. How does this happen? The attacker phishes the user. Once the attacker has access, they use the user’s account to cause all sorts of problems inside the network like deploying ransomware, exfiltrating data, and stealing protected health information.””
The client will ask, “”OK, what should we do?””
Suggest a penetration test: “”I’d suggest we find out what will happen when one of your users gets phished. This will allow us to then come up with a strategy.””
Note that the dialogue doesn’t start by telling them there’s a problem and that they should get a penetration test, or that they need to invest in better security. Part of creating an AHA moment is going through the discovery process with your client or prospect.
I’ve found it to works best to focus on key individuals in human resources, the C-suite, accounting, and salespeople. Why? Two reasons:
- They have the highest chance of being phished due to the nature of their work and their externally facing profile.
- When they are phished in a non-zero-trust environment, attackers are able to gain access to more information and do more damage than the typical user.
I’ve also found that you don’t really need to focus on social engineering. If you want to figure out if they would get phished, there are a number of tools for simulated phishing out there. What you need to drive home is educating your clients and prospects on what happens after a phishing attack—when an attacker gets in, what they’ll see, and how much sensitive information (credentials, SSNs, credit card numbers, and proprietary data) they’ll have access to.
After you complete the pen test, show them the results. When you show them how an attacker would get access to their passwords, SSNs, credit cards, and more, they will listen. Now is your chance to ask, “”Should we fix this?”” They’ll most definitely say, “”YES!”” You now have a client who is ready to make a change and understands that this change is necessary.
One last warning: Have your zero-trust framework ready and tested before you start getting them engaged. If they learn about what they should be doing and you have no way to implement, you’ve just sold a value-add service for someone else (likely a competitor).
Your client may ask, “”Why didn’t you show us this sooner?”” The answer is easy: The threatscape keeps changing, and you are changing your tools and tactics with it. I like to mention this right up front: “”When we do this penetration test, we are going to find issues. Our goal is to find and address them before a hacker does.””
The next time you start telling someone about the risks of cybersecurity, ask yourself: “”How can I show them?””
BRUCE MCCULLY is chief security officer for Galactic Advisors. After building a successful $8.5 million MSP, he sold it and launched Galactic Advisors with a mission to help protect a million people. He is a true believer that security is a culture and until we flip the script, our businesses and those of our clients are at risk.
