Monday, April 15, 2024

The importance of security training in the zero trust era


Momentum for zero trust migration is accelerating across the cybersecurity community. It was a fundamental component of the Biden Administration’s 2023 National Security Strategy. Nearly 90% of global organizations have already started implementing basic aspects of a zero trust security model. And in Forrester’s 2024 predictions report, analysts forecast that dedicated roles with “zero trust” in the title are expected to double over the next year.

This is because the need for zero trust authentication has never been clearer. Conventional network security approaches are increasingly vulnerable in today’s cloud enterprise environment, where post-pandemic digital transformations, software supply chains, remote work models and bring-your-own-device policies have widened the attack surface. Cloud-based cyberattacks increased by nearly 50 percent in 2022. Meanwhile, more than 10 million people were impacted by supply chain attacks over the same year.

A zero trust mindset strays away from ineffective network perimeter-based security controls, instead layering defenses from the inside out to strengthen safeguards around business-critical data. It prioritizes continuous verification over implicit trust, delivering enhanced protection through granular user authentication, principle of least privilege, data segmentation, and ongoing monitoring. By following zero trust principles, organizations can drive a dynamic security posture that transcends legacy limitations to secure sensitive information regardless of user location or network access point.

However, it’s important to remember that implementing an effective zero trust framework in 2024 will introduce heightened complexity due to the requirement for additional policies, workflows, and maintenance tasks. Organizations must position their IT employees — many of whom began their careers in the traditional network security era — to facilitate data-centric zero trust implementation. That starts with ensuring they are trained on the fundamental pillars of CISA’s Zero Trust Maturity Model — identity, devices, network, data, and applications/workloads. In addition, silos must be broken down across functional security teams to prevent bottlenecks that hinder zero trust’s effectiveness.

Skill-based Security Training

Adopting a new security model without the right transitional measures can negatively impact security posture. Personalized upskilling and reskilling training programs on zero trust policies are critical to successfully executing zero trust implementation. These trainings help fill any underlying skill gaps within security teams, ensuring they have a firm understanding of the processes and technologies that are table stakes to zero trust, such as identity and access management (IAM) solutions, multi-factor authentication, micro-segmentation, endpoint security, cloud security, and SIEM tools. The actionable guidance aligns their expertise to the unique needs of the organization’s security environment, enabling them to continuously monitor threats against high-value data no matter where it resides. 

From a financial perspective, skill-based training can help alleviate cost concerns associated with zero trust implementation. A 2023 Beyond Identity study found that the average cost for organizations to switch from their current policies to zero trust exceeded $656,000. Skill-based training programs can be tailored to focus on leveraging current infrastructure like switches, routers, next-gen firewalls, IDS, IPS, WAF, sandboxes, encryption, PKI and proxies, among others, for reconfiguring and validating security architectures for zero trust implementation. This knowledge also enables security teams to identify, analyze, and comprehend deficiencies in existing solutions that could disrupt zero trust workflows – mitigating the risk of problems arising in the future.   

Organizational User Awareness Training

For zero trust to move the needle, it must become a cultural priority across every level of the enterprise. It requires a security-first mindset that extends beyond IT staff and security analysts alone, acknowledging that everyone plays a role in defending the organization’s sensitive data across multi-cloud environments. User awareness training programs that fuse cloud security and zero trust principles are critical in this context, arming non-technical employees with the knowledge and resources they need to not only adjust to a zero trust environment, but also work efficiently within it. The simplified instruction helps demystify the technical aspects of security, providing a foundation for employees to become active participants in the zero trust model and for organizations to establish strength in numbers across departments.

Achieving a state of zero trust is a continuous journey, and navigating its complexities requires more than just throwing technology at the challenge. Integrating targeted security trainings and comprehensive user awareness programs is key to creating a winning formula. It’s not just about having the right technologies in place; it’s about transforming cyber defense from a siloed function into a shared and skill-centric responsibility.

Image credit: Olivier26/

Ryan Chapman is a SANS Certified Instructor and author of the new SANS ransomware course FOR528: Ransomware for Incident Responders.

Read more

Local News