OK, you did it! You created a zero-trust solution that allows your clients to work from anywhere. It is the borderless approach to security that protects assets no matter where they might end up. It works when data is being accessed at the office and from behind that big, fancy corporate firewall. It works when users are at a coffee shop connected to public Wi-Fi. It even protects assets when your users are working from home.
Your solution is GREAT!
It does all of this without turning the users’ daily work into a snail parade (as in, it protects them without slowing everything down or making them jump through an extra 33 steps to prove they are who they say they are). You’ve achieved Zero-Trust Utopia.
Coming up with your zero-trust framework had its challenges. You overcame legacy systems. You came up with a way to map out the “protect surfaces” and data flows that your clients use every day. You even figured out how to implement micro-segmentation.
Little did you know, you are about to face your biggest challenge yet: convincing people to invest the effort and money to implement your new solution. Your clients, your prospects, AND the people who work for you are all going to make it near impossible to roll out zero trust.
Why? Because you, like many IT and security people, focus on rules, and you are talking to people about something that isn’t about rules at all. To them, security is about protecting yourself, your business, or your family.
How can you help them understand that they need to invest in security? Do you educate them on risk? They’ve been doing the same thing for the last 15 years and haven’t had an issue. So how do you get people to invest in zero trust, a completely new philosophy?
Show, Don’t Tell
You could just tell them that they have to change, but that will make you the bad guy. Your name will be the one they mumble under their breath each time they have to type in a token off their phone or reenter a password to gain additional access to the network.
How do you get them to change without just telling them they have to? You start by showing them.
This is where penetration testing comes in.
In my experience, showing a prospect, a client, or a team member EXACTLY what an attacker would get to when they click on a malicious link creates an AHA moment. That moment is the perfect opportunity for you to ask the question, “Should we address this?”
With that question and the knowledge of how easy it is for an attacker to gain access to their current system, people are ready to start the change process.
By adding this step, I’m finding that the same users who didn’t want to turn on multifactor authentication a couple of months ago are willing to invest in zero trust today.