Adopt a Zero Trust security model
What is Zero Trust?
- Zero Trust is a security model aimed at improving security across an organization’s technology landscape. It relies on a continuous verification process to ensure that only authorized users can access sensitive information or resources.
- Zero Trust works to reduce the risk of data breaches by limiting information access to only those who need it.
Why is Zero Trust important?
Zero Trust is important because it helps protect an organization’s networks, applications, and data from potential intrusions. It helps reduce the attack surface and protect your systems from compromise.
Zero trust security frameworks are becoming increasingly necessary for organizations for several reasons. With the pandemic resulting in remote work, perimeter-based approaches to security were weakened by the increased network footprint and the need to authenticate external users. Additionally, supply-chain security has become a significant concern following numerous attacks that had devastating effects on thousands of companies.
It’s important to know that there is now regulatory pressure to implement Zero Trust following President Joe Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity which requires federal agencies to adhere to this framework. This will likely create a domino effect on other government agencies in the future and put pressure on organizations wanting to provide services to the US government.
Considerations for Zero Trust
To accommodate Zero Trust, organizations need to create a culture where cybersecurity is treated as an essential part of the enterprise. Additionally, decision-makers should be briefed on the latest security threats and best practices to ensure they can make informed decisions. This means that security should be discussed at the board level, that a CISO role should be established and given the authority to drive cybersecurity initiatives from the top. The implications of implementing Zero Trust and its impact on your users must be carefully considered to address their concerns about their own privacy being invaded.
Assess the impact of regulatory changes
Changes in regulatory requirements, such as government policies or changes imposed by industry authorities, can be viewed either as a compliance burden or as help in preventing future security incidents.
With ever-increasing government-enacted regulatory changes, organizations should be leveraging them as opportunities to improve their security practices rather than simply treating them as a compliance burden. Whether for an industry-specific regulation such as PCI DSS v4.0 for the payment sector and ELDs in transportation, or for privacy compliance obligations like the Quebec Personal Information Protection Act (Law 25), the Personal Information Protection & Electronic Documents Act (PIPEDA – Canada ), and the California Consumer Privacy Act (CCPA), organizations should take advantage of these regulations to ensure their security practices remain up to date and are tailored to their specific needs.
Start by:
- Identifying your compliance obligations
- Aligning your compliance strategy to the organization’s overall business strategy
- Ensuring that you track and communicate progress
Address the talent shortage
Organizations must also look for creative solutions and alternatives to fill talent gaps. Consider scholarships, apprenticeships, and training programs to develop cybersecurity talent in-house. Additionally, organizations should look for ways to leverage existing talent. For example, consider cross-training existing IT personnel on cybersecurity to help them understand its importance within the organization. Finally, look to your technology partners for help.
The cybersecurity workforce has reached an all-time high, with an estimated 4.7 million professionals, but there’s still a global shortage of 3.4 million workers in this field, according to the 2022 (ISC)2 Cybersecurity Workforce Study.
Engage the entire organization with cybersecurity awareness
At ISAAC, we take cybersecurity very seriously and extend it across the organization.
People are often the weakest link when it comes to security, so at ISAAC, our entire team is kept informed and educated. We also use the Terranova platform to simulate phishing attacks to train everyone in security awareness.
The human factor
39% of Canadian respondents consider careless or unaware employees as their top vulnerability to a cyber attack.
Our IT Security and Marketing teams collaborate on a yearly cybersecurity campaign during Cybersecurity month in October. At ISAAC, we are determined to keep all of our team members informed and educated to ensure our security posture is as strong as possible.
About the author
Joe Russo, Vice President IT & Security
Joe Russo, VP IT & Security at ISAAC, is an IT Executive with over 20 years’ experience leading IT teams in multinational environments and various sectors: banking, pharma, transportation and technology services. He has held senior leadership roles in Switzerland at Morgan Stanley and the Bank for International Settlements, and then in Montreal at McKesson Canada, Syntax and CN Rail. His experience in aligning IT strategy with corporate strategy makes him a strong transformational leader who excels at overcoming technical, cross-cultural and organizational challenges to solve business challenges. Joe holds a MSc in Information Technology & Management from Sheffield University, completed the Mini-MBA program at McGill University and holds CISSP, CRISC and CIPM certifications.
