Gone are the days of delegating technology and cybersecurity concerns to be solved solely by the IT department. With artificial intelligence (AI), post-quantum (PQ), and an intensifying threat landscape, senior leadership teams and boards must make the right investments and provide strategic guidance to help keep the organization, employees, customers, and other key stakeholders safe. If that’s not enough incentive, federal agencies are continuing efforts to accelerate breach disclosures and hold executives liable for security and data privacy incidents. This is why pursuing an enterprise-wide Zero Trust strategy is critical for strong corporate governance and increasingly a board-level priority.

Reinforcing this strategic link between Zero Trust and governance is NIST’s recently released Cybersecurity Framework (CSF) 2.0. The renewed CSF provides guidance and examples for adopting Zero Trust and adds “Govern” to the five existing core framework functions of Identify, Protect, Detect, Respond, and Recover. While governance was implied in earlier CSF iterations, it is now codified to ensure an organization’s strategy is directly linked to cybersecurity roles and responsibilities, informing the business what it needs to do to address the other five functions. NIST’s focus on governance reinforces that the entire leadership team is in this together and explicitly calls out the fiduciary responsibilities of the board.

All this focus on governance is key to minimizing business risk and protecting shareholder value, but also puts tremendous pressure on leadership teams to effectively communicate cyber risks to their board and meet regulatory requirements. This is where Zero Trust comes in.

Zero Trust is not a product to buy or a box to check. As an executive officer or director, you should understand that it is a strategic approach. Zero Trust improves cyber resilience and can also serve to increase an organization’s agility, reduce the cost of compliance, decrease IT complexity and total cost of ownership, and of course strengthen corporate governance. CISA’s Zero Trust Maturity Model 2.0 provides a roadmap to pursue a Zero Trust strategy, with updated guidelines around the five key pillars of Identity, Devices, Networks, Data, and Applications and Workloads. Like the CSF 2.0, governance is front and center in this latest version. CISA’s updated guidelines reinforce that governance of cybersecurity policies, procedures, and processes within and across the five pillars is essential to improving cyber resilience and maintaining regulatory compliance.

So, there you have it. While long considered a cybersecurity best practice, pursuing a Zero Trust strategy is now also an express requirement from both NIST and CISA for strong corporate governance.