Security or Useability: Overcoming the CISO Paradox

Among the longstanding challenges that information security leaders have grappled with for years, one stands out: the difficulty of balancing user experience and security. The traditional tug-of-war between ease of access to business-critical applications and resources and robust protection from hackers has never been easy. 

Until now. 

The unprecedented demands that the events of 2020/21 have placed on IT and security teams have tested their flexibility, inventiveness and resolve. But they’ve also had a silver lining. Across industries — particularly in those that are highly regulated or have trended towards early adoption of cloud technologies — interest and investments in Zero Trust security initiatives are at an all-time high. 

We surveyed more than 600 security decision-makers across North America, Asia-Pacific (APAC), and Europe, the Middle East and Africa (EMEA) for our recent 2021 State of Zero Trust Security report and discovered that 90% of organisations are currently working on Zero Trust implementation projects or plan to start one in the near future. Despite Zero Trust being coined as a network security concept by Forrester in 2010 (and conceived even earlier by the Jericho Forum), in 2019 only 16% of organisations had begun this journey. By this time last year, 41% of organisations were working on Zero Trust initiatives and this shift has accelerated along with the remote working and cloud transformation programmes observed in response to the pandemic. The shift was particularly dramatic in EMEA, where only 18% of organisations had Zero Trust agendas in 2020 and 90% had planned or begun one this year.

For most global organisations, making the shift from legacy perimeter-based security methodologies (in which internal networks are “trusted” and external ones are “untrusted”) to a modern Zero Trust-based approach (in which identity is the new perimeter and users are secured individually so that they’re able to access the resources they need regardless of the location, device or network from which they’re connecting) isn’t simple or easy. 

But pandemic response, combined with the need to support remote work is pushing growing numbers of organisations to accelerate Zero Trust adoption. As they do so, they’re seeing added benefits — enhanced flexibility for users who want to continue working remotely at least some of the time, and less friction for employees who increasingly depend on seamless access to cloud resources if they’re to remain productive in the modern digital business landscape. This trend has the potential to end the battle between usability and security – once and for all.

A key example here is the combined use of Single Sign-On (SSO) and adaptive Multi-Factor Authentication (MFA). SSO enables user access to multiple resources once authenticated. This is convenient for the user but, when used by itself,  SSO inherently increases risk as an attacker could likewise use that access if compromised. So, the authentication must be protected with MFA to ensure security. 

By making that MFA ‘adaptive’, access can be readily granted to lower risk resources, with unusual or higher risk access attempts prompting a step up authentication challenge. Adaptive, context-based access policies reduce friction for users by prompting for MFA less frequently but ensuring security when it matters.

Why Zero Trust is Essential Today

There’s widespread agreement that the cyberthreat landscape has grown more menacing over the past year. According to data collected by the U.S. Federal Trade Commission, identity-based attacks skyrocketed. Credential abuse led to nearly 90% of web application breaches and successful phishing attempts were involved in more than a third of all data breaches — a significant increase over previous years. 

Coupled with the widespread shift towards remote work adoption, the growth in identity-based attacks have made adopting new security approaches a necessity. Most security leaders are also working with larger budgets: more than three-quarters of organisations have increased their planned spending on Zero Trust security initiatives despite the financial hardships of the past year. This gives leaders the runway they need to accelerate their adoption of technologies like context- and risk-based access policy enforcement and passwordless authentication that dramatically reduce friction and improve user experience at the same time they strengthen security.

By definition, Zero Trust is an approach to security that ensures that the right people have the right level of access to the right resources in the right contexts, and that that access is re-assessed continuously — all without adding friction for users. To build a security architecture that achieves this aim, organisations must mature their approach to identity and access management, since identity is the cornerstone of Zero Trust. As organisations implement Zero Trust architectures, they tend to progress through several relatively consistent stages of maturity.

Zero Trust Maturity Curve

It’s important to note that the technologies adopted by organisations that are further along the Zero Trust maturity curve are those that not only provide more robust and consistent protection for greater numbers of users accessing more and more resources, but also include key capabilities that both simplify management and improve end users’ experience. By pushing organisations to increase their identity and access management maturity, 2020’s events have also helped security leaders understand what they need to do to – finally – reconcile the need for security with that for flexibility and ease-of-access.

Zero Trust is Here to Stay

The shifts that were set in motion in 2020 will be with us for the long haul. Even as some employees return to the office or work in a hybrid fashion, remote work will remain far more popular and widespread than it was in 2019. And the necessity of having secure and frictionless access to cloud resources as well as a diverse and distributed set of IT assets will only become more foundational for business success. We’ll never go back to yesterday’s perimeter-bound networks.

As a result, it’s a safe bet that adoption of technologies like passwordless and biometric authentication will continue to climb. Even today, we’re already leading large numbers of organisations across diverse industries to move forward with passwordless authentication initiatives. As many as 50% of global financial services companies have already implemented high assurance authentication factors. And among Global 2000 organisations overall, use of passwordless access will spike from 9% to 41% by the end of 2022.

Passwords are brittle, of course, and maintaining Active Directory on-premises with few cloud integrations creates friction for users and administrative overhead for IT and security teams alike. Modernising with a Zero Trust-based, identity-driven approach creates a win for all stakeholders: the organisation will mitigate today’s greatest risks at the same time that users enjoy seamless experiences and security teams exercise more granular visibility and control. This is why industry analysts, government agencies and regulatory bodies are all increasingly calling for Zero Trust’s large-scale adoption. 

Where does your organisation stand on the Zero Trust Maturity Curve? Try our free assessment tool to find out. Or read the full State of Zero Trust Security report to learn more about how making identity the new perimeter is enabling today’s distributed workforces to be more productive while meeting heightened regulatory requirements and mitigating more severe cyber risks.

For more information on why identity is key to building trust and empowering your remote employees, click here.