Zero Trust Should Not Equal Zero Business

Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, Chief Risk Officer, Kovrr
Date Published: 18 January 2021

The IT community made some incorrect assumptions about risk in 2020. That is to be expected, as all risk assessments rely upon assumptions. However, it is important to ensure that such assumptions are communicated to others and clearly articulated. While it is true that nobody could have foreseen the events of 2020, it would be untrue to say that the types of events that occurred in 2020 were unprecedented. Indeed, the parallels between the COVID-19 pandemic and the influenza pandemic of 1918 are stark. It should be very apparent that something that has happened before can happen again, though it may be after a very long period of time.

Another assumption made was that work was not something employees did, but someplace they were. Many organizations had flirted with remote work or work-from-home (WFH) policies for decades. However, a watershed moment occurred in 2013 when Yahoo! Chief Executive Officer Marissa Mayer banned working from home. Many organizations began considering their own WFH policies and wondered if they were encouraging the culture and performance that they wanted. Much was said about the value of water cooler conversations and unplanned interactions. Across the board, many employees were told they could no longer work from home. After all, some organizations reasoned, if employees were not working in commercial real estate somewhere—even if physically distant from their actual boss or team—how could they be working well, or even at all?

As a result of these cultural assumptions, information security professionals found themselves falling back on older conceptual models of security, such as bastion hosts and segmented networks with firewalls at chokepoints. They made specific infrastructure choices to size their concurrent virtual private network (VPN) capacity to only what was needed. Granted, there were advanced configurations and technologies to enable avant-garde applications, but in general, security professionals relied on well-established trusted networks, trusted servers and trusted endpoints. However, circumstances in 2020 required an enormous shift in the way we think about security modeling. Now, seemingly overnight, everybody wants their zero trust environments deployed as soon as possible. The need is straightforward: with everyone working from home, security architecture must adapt accordingly. No longer is all data in a single trusted place that can be monitored in the manner of Scottish-American industrialist Andrew Carnegie’s old adage, “Put all good eggs in one basket and then watch that basket.”

The eggs have been scattered, as it turns out, and that means not just any basket can be trusted—hence the need for zero trust. Despite the apparent need, I would caution that we cannot go back to the seminal days of information security as the department of “no.” There needs to be a nod toward business objectives to ensure that there is some trust, so as to enable the frictionless technology experiences that everyone wants. Zero trust should not equal zero business. Perhaps a more meaningful target state should be limited trust, so as to securely enable the organization’s strategic objectives. Building these low-trust environments means identifying the critical products and services an organization offers, connecting them to a set of risk scenarios that describe the ways we could fail to deliver them, and then mapping the technology infrastructure to those scenarios. Completing these steps will yield a to-do list of control checks to help enable a bounded trust model, not a zero business model. More information about this process is available in my 2020 ISACA® article “Achieving Proper Risk Communication.”

Jack Freund, Ph.D., CISA, CRISC, CISM, CGEIT, CDPSE, is head of cyberrisk methodology for VisibleRisk, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, ISSA Distinguished Fellow, FAIR Institute Fellow, IAPP Fellow of Information Privacy and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.