Last Updated on January 18, 2024
By now you’ve probably heard about Zero Trust, an alternative model for cybersecurity implementations that is currently being hailed as “the answer” to keeping sensitive data safe.
But how does Zero Trust relate to comprehensive cybersecurity frameworks like CMMC, NIST 800-171, FedRAMP, ISO 27001, SOC 2, etc.? Many organizations have invested considerable time and resources achieving compliance with these models and implementing dozens of corresponding controls. Does Zero Trust align with all of that? Or render it obsolete?
To cover Zero Trust from every angle, a recent episode of The Virtual CISO Podcast features none other than John Kindervag, Senior Vice President of Cybersecurity Strategy at ON2IT Cybersecurity, and the man who first conceived of Zero Trust. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.
Zero Trust streamlines cyber compliance
“We use Zero Trust as a way to simplify making somebody ISO 27001 compliant,” John states. “One of the reports I wrote for Forrester was about how you could simplify cybersecurity for government agencies, which had to do NIST 800-53 at the time, by leveraging Zero Trust and applying these ideas to all of those policies.”
John continues: “If you look at all the policy constructs, whether it’s HIPAA, HITRUST, SOC 2, blah blah blah… all these tactical controls. Well, we can bring them into the [Zero Trust] strategy, and map them so that you just do one thing, and it covers a whole bunch of technical things. So, yeah, [Zero Trust] becomes the strategy, and it is designed to be strategically resonant to the highest levels of any organization.”
Zero Trust now has the “seal of approval”
“I’ve given presentations to boards of directors, CEOs, chief risk officers, chief legal officers, chief manufacturing officers, generals, admirals, heads of various government agencies around the world, and they all get the strategic idea. And then [depending on] what they do, where their value is, they change the incentive structure and say, ‘It’s okay to do this.’ Because this is still considered new to a lot of the operators, the people who are doing the job, and they’re afraid of doing anything different because they might get in trouble, right? So, if they have the right incentives to say, ‘Yeah, you won’t get in trouble for doing this.’ This is what President Biden has done for me. He’s changed the incentive structure, so that you can’t get in trouble for doing Zero Trust,” John observes.
“If somebody wants to go to management right now and say, ‘Hey, I think we should move to Zero Trust,’ this is not a matter of [going] out on a ledge and adopting something that’s a fantastic sounding idea,” agrees John Verry. “This is, ‘Hey, here is who’s behind me right now.’ I think you’re at a point now where, if you’re listening to this, and you’re thinking, ‘Oh, that would never fly…’ Bullshit. Because I don’t know any board member or CxO right now who, with that level of support behind something, … wouldn’t look at this and go, ‘Okay, let’s talk about it.’”
Want to quickly get up to speed on Zero Trust and start conceptualizing how it could work in your organization? This podcast with Zero Trust originator John Kindervag is ideal for your needs.
To hear this episode all the way through, subscribe to The Virtual CISO Podcast on Apple Podcasts, Spotify, or our website.