A team of researchers at Forrester contends that by focusing on zero-trust initiatives as the economy slows this year, security teams can defend against cyberattacks – and wind up spending much less money on new tools.
Forrester expects that in 2023 security budgets will stay tight, leading to less spending on best-of-breed security products, while other departments that security teams depend on, such as administration and governance, will likely also face budget cuts of their own.
That’s why security pros need to get creative. In a report published on December 21, a team of 14 Forrester analysts said that embracing zero-trust principles during an economic downturn can potentially yield the following benefits:
- Enhance security and audit experiences without requiring new tools.
Well-documented and well-written policy has become a security and compliance enabler for organizations. It sets expectations and acts as a roadmap for auditors and employees. If security teams advance their capabilities here, they will create less work to demonstrate compliance, give clearer guidance for internal stakeholders, and experience fewer painful audits.
- Facilitate cost cutting across the business.
Forrester’s report on using zero-trust to kill the employee password found that several large U.S.-based organizations in different verticals allocate more than $1 million annually for password-related support costs alone. Implementing automated identity and access management (IAM) can dramatically reduce the friction associated with passwords – as well as the costs – and serves as one example of zero-trust principles leading to a business benefit.
- Build influence within the rest of the C-suite.
In normal circumstances, implementation of zero-trust often falls to the IT department, but with IT budgets strapped, there’s an opportunity for the security team to step in. The researchers said gaining favor with the CIO and other C-suite executives during tight budget times can help security pros increase influence in the organization and show commitment to the company’s success.
Implementing zero-trust can offer both enhanced security and cost savings, said John Yun, vice president of product strategy at ColorTokens. Yun said the initial deployment of zero-trust often includes mapping of existing servers, applications and users. In this phase, Yun said, organizations often find redundant servers and applications they can consolidate for improved efficiency and security. The same goes for users. Yun said that by identifying and grouping user access, organizations can eliminate accounts that are redundant or no longer needed, which brings security benefits as well as cost savings in licenses and subscriptions.
“For organizations embarking on zero-trust, extending the security coverage to remote users will likely be in the future,” Yun said. “If organizations tackle zero-trust with this in mind, and partner with a unified zero-trust segmentation provider, they can...extend their security to remote users.”
Darren Guccione, co-founder and CEO at Keeper Security, added that the foundational tenets of zero-trust ensure people only have access to what they need. Guccione said this can reduce risks associated with layoffs and disgruntled employees, as they may not be able to download information about customers, backups, source code or whatever else they want in order to hurt the company.
“Properly implemented, zero-trust also reduces overall risk,” Guccione said. “When things are uncertain, and employees may be coming and going (voluntarily or not), the risk of compromise or new employee mistake is drastically reduced when they aren’t given a proverbial loaded gun. Zero-trust requires a clear understanding, an all-or-nothing mindset, and a firm commitment by all levels of an organization. Lack of support is a top stumbling block cited by organizations struggling with adoption.”