Get Your C-Suite Onboard: The Ultimate Pitch for Your Zero Trust Microsegmentation Project

Author: Bob Palmer

Last Updated: Jun 3, 2024

In today’s blog, I’d like to share some practical lessons we’ve learned from hands-on experience, assisting hundreds of organizations with their microsegmentation implementations. Specifically, I’ll discuss what we’ve observed about how security teams can better communicate the benefits of their zero trust microsegmentation project to their business leadership. I’ll also talk about how we’ve optimized the implementation workflow and the reporting in our solution to help our clients prove the value of their zero trust initiative to their C-suite and board of directors. 

What are you guys doing back there all day?

As a security leader, it’s not just about implementing a zero-trust project. You must also articulate its value to your peers, the C-suite, and perhaps the board of directors. It’s your responsibility to communicate the progress and benefits as they accrue. If you don’t do that well in the first place, you won’t get the budget approval you need for your project. And if you don’t continue to communicate as you materialize security benefits, you won’t get the ongoing support you need for future phases. Here are some lessons we’ve learned from supporting our clients as they progress toward implementing a zero-trust architecture. 

I need a translator, please 

CISOs face a significant challenge in their role. They may report to various executives, such as the CIO, CEO, or even the CFO. They are often given a limited time slot, perhaps once per quarter, at the end of an already overrun board of directors meeting, to present the value of their initiatives. This gives them only a few minutes to communicate the value of their zero trust initiative effectively.  

The CIO is (or should be) already aligned with your technical vision. He or she is at your side and understands the technical aspects of the business requirements you’re trying to satisfy. But the other stakeholders speak in business language, not technical language. They don’t care how many endpoint agents you’ve installed or how many zero-trust traffic policies you’ve successfully configured. They want to understand the business outcomes of the cyber initiatives you’re asking them to fund.  

One of the people I spoke with to prepare this blog was the CISO of a multi-billion-dollar pharmaceutical company. He told me that he almost always got the budget he asked for from the board because he described his cybersecurity strategy and in-flight initiatives in business terms. He spoke to the CEO and the board in language that was relevant to them and showed the organization in a good light to regulators and other stakeholders.   

It’s not enough to say that microsegmentation stops the lateral movement of malware and ransomware. That’s an important function of the solution, but the benefits of microsegmentation must be communicated in business terms, especially about enabling continuity, resilience, and shareholder value and associating them with a timeframe. As we’ve been told by clients in the office of the CISO or heads of infrastructure, that’s the language the CEO and the board of directors want to hear.   

Explain ‘why’, not ‘how’ 

Here’s how the pharma CISO explained it to me. This seems obvious and simple when you hear it, but we seem to fall into the same trap repeatedly. As technologists, we’re experts in the how. Solving technical problems is the way we’re oriented. But business outcomes are focused on the why. We must get out of our comfort zones and communicate using a different lens when discussing our cybersecurity plans and programs.  

Here’s an example from real life. These are all true statements. Clients of ours evaluated and ultimately selected our solution to do exactly these things:

  • Our microsegmentation plan will stop the lateral movement of malware and ransomware.
  • We’ll establish granular micro-perimeters around our computing assets and resources. 
  • We will set up zero trust policies to control traffic and access to resources. 

The problem is that these facts are not ultimately interesting to the executive team. However, when appended with business outcomes, they make profound sense. 

  • Our microsegmentation plan is designed to reduce the lateral movement of malware and ransomware, giving us valuable time to mount appropriate cyber defense using our existing investments in cybersecurity.  
  • We’ll establish granular micro-perimeters around our computing assets and resources, to ensure business continuity and resilience and to file accurate 8-K reports quickly. 
  • We will set up zero trust policies controlling traffic and access to resources, enabling critical business processes to operate even when cyberattacks wreak havoc.

What is interesting to them is having the ability to file an accurate (and not generic) 8-K within 4 days about the material impact of a cyberattack. What’s interesting is preventing interruption of their digital operations…or not having to get Bitcoin to pay a ransom. What’s interesting is that by using microsegmentation, they can design their digital operations so the inevitable breach will not become a crisis.

Our clients who have been successful in getting their cyber initiatives funded have framed the solution in these terms, both in their initial budget justification and in their ongoing updates to their stakeholders. This is step one in successfully communicating the value of your cyber security initiative to your stakeholders.  

No one really wants to pay for insurance until after the storm 

Another communication challenge is that the CFO and the board are predisposed to view cybersecurity only as a cost. It’s human nature not to want to pay for insurance until after the storm has hit. After all, not investing in a cyber defense initiative is a pure bottom-line benefit for every quarter that you don’t have a material impact from an attack.  

There’s a story about an old-school life insurance salesman who consistently was the top salesman in the company. He’d go to the meeting at the prospective client’s kitchen table, and before he got out the insurance proposals, he’d take out a miniature, perfectly crafted little coffin in shiny black lacquer, with tiny brass handrails and a white satin lining, and he would just set it out on the table. He’d never refer to it, he would just go through the proposals with the couple. The whole time they were discussing the terms of the insurance proposal, they’d be looking at that coffin, which made the inevitable need for life insurance very real to them on a visceral level.   

Now, I’m not suggesting we bring a coffin to the board of directors’ meeting! But the moral of the story is that we, as technologists, must communicate the value of the investment in cyber defense in an understandable and meaningful way to our stakeholders if we expect them to fund our projects.  

Show me the money!

So how do we do that? To communicate meaningfully with stakeholders and especially with the budget approvers, we have to be like Jerry Maguire and show them the money! We need to use validated facts and statistics to help quantify the financial impact of cyberattacks, such as ransoms paid, the number of days that digital operations are disrupted, fines for non-compliance with regulatory bodies, etc. Relating these industry statistics to your organization is key to communicating this. These are some of the metrics that our clients have used to make their stakeholder communications relevant: 

  • Ransom avoidance 
  • Increased insurance premiums 
  • Avoiding SEC filings for material impact 
  • Compliance fines 
  • Contractual fines due to loss of customer data 
  • Interruption of digital business operations 
  • Reputational cost 

Using even conservative estimates, you can show that these potential losses exceed the cost of your proposed cybersecurity initiative. You will then be able to calculate an estimated payback period and ROI. This was the method my CISO source used to get his initiatives funded.  
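The following is an added worked example of the calculation described above; it is not from the original post and is not ColorTokens tooling. It turns the metric list into a small annualized-loss model, counts only the share of loss the initiative is expected to avoid as the benefit, and derives payback period and ROI from that. Every frequency, dollar amount, reduction factor and the project cost are constructed placeholders; replace them with figures sourced for your own industry.

```python
"""Loss-avoidance model for a zero trust microsegmentation budget request.

Added example, not part of the original post or any ColorTokens tooling.
Every frequency, dollar amount and reduction factor below is a constructed
placeholder; replace them with figures sourced for your industry.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossCategory:
    name: str
    annual_frequency: float   # expected incidents per year (use a conservative figure)
    loss_per_incident: float  # expected loss per incident, in dollars
    reduction: float          # fraction of that loss the initiative is expected to avoid

    def ale_before(self):
        """Annualized loss expectancy with today's controls."""
        return self.annual_frequency * self.loss_per_incident

    def ale_after(self):
        """Residual annualized loss expectancy once microsegmentation is enforced."""
        return self.ale_before() * (1.0 - self.reduction)

    def avoided(self):
        """The only number that counts as benefit: loss removed, not total exposure."""
        return self.ale_before() - self.ale_after()


# Constructed figures, one entry per metric named in the post.
CATEGORIES = [
    LossCategory("Ransom avoidance", 0.10, 1_500_000, 0.70),
    LossCategory("Increased insurance premiums", 1.00, 120_000, 0.25),
    LossCategory("Avoiding SEC filings for material impact", 0.10, 500_000, 0.60),
    LossCategory("Compliance fines", 0.05, 2_000_000, 0.50),
    LossCategory("Contractual fines due to loss of customer data", 0.05, 800_000, 0.60),
    LossCategory("Interruption of digital business operations", 0.20, 3_000_000, 0.70),
    LossCategory("Reputational cost", 0.10, 1_000_000, 0.40),
]

PROJECT_COST = 400_000.0  # constructed: licences, services and internal effort, year one


def annual_avoided_loss(categories):
    """Sum of avoided loss across categories, in dollars per year."""
    return sum(c.avoided() for c in categories)


def roi(avoided_annual, cost):
    """(benefit - cost) / cost, as a fraction of the investment."""
    return (avoided_annual - cost) / cost


def payback_months(avoided_annual, cost):
    """Months until avoided loss equals project cost, assuming benefits accrue evenly."""
    return float("inf") if avoided_annual <= 0 else 12.0 * cost / avoided_annual


def ranked_drivers(categories):
    """Category names by avoided loss, largest first: the lead points for the pitch."""
    return [c.name for c in sorted(categories, key=lambda c: c.avoided(), reverse=True)]


def summary(categories=CATEGORIES, cost=PROJECT_COST):
    """Headline figures for a one-slide stakeholder update."""
    avoided = annual_avoided_loss(categories)
    return {
        "avoided_annual": round(avoided),
        "roi": round(roi(avoided, cost), 3),
        "payback_months": round(payback_months(avoided, cost), 1),
        "top_driver": ranked_drivers(categories)[0],
    }


if __name__ == "__main__":
    for c in CATEGORIES:
        print(f"{c.name:48s} ALE {c.ale_before():>12,.0f} avoided {c.avoided():>12,.0f}")
    print(summary())
```

The design point is the `reduction` column: microsegmentation does not make a loss category disappear, so the benefit presented to the CFO is the reduced share of each category, which keeps the estimate conservative and defensible. With the constructed inputs the model yields roughly $699k of avoided annual loss against a $400k project, a payback of about seven months, and operational interruption as the largest driver.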

Resources are available, such as Statista (www.statista.com), where you can find verified statistics that pertain to your industry. Below is an example of the healthcare vertical. These stats can help you quantify the number of attacks, average ransoms paid, average time of operational disruption, etc.  

There are other publicly available sources for comparable breach impact estimates. Last summer, the SEC adopted rules that require public companies to promptly disclose material cybersecurity incidents on Form 8-K and detailed information regarding their cybersecurity risk management and governance annually on Form 10-K.  Publicly traded companies are now required to report any cybersecurity incident they determine to be material within four business days. You can find this information on the SEC’s EDGAR website: https://www.sec.gov/edgar/searchedgar/companysearch 

This works in two ways: it gives you another driver in the “show them the money” category to help justify your initiative, and, since it’s all public information, it gives you situational awareness of material incidents that affected your peer companies. As you may be aware, some recent examples of filings include Dropbox, Microsoft, and Okta.  

Another parameter that our clients have told us is important to their stakeholders is the time factor. When you build your proposal, business leaders want to see:  

  • What kind of attacks your initiative will prevent,  
  • What the potential impact of those attacks would be,  
  • How much budget you are asking for to increase your security posture,  
  • and by WHEN you believe these benefits will accrue.  

Specifying the timeframe is very important. One thing we have learned is that showing immediate security gains in the first days and weeks of the project helps build stakeholder confidence. Waiting many months to show value just won’t cut it.  

Here at ColorTokens, we’ve optimized the workflow of our solution to help our clients show compelling early successes to their stakeholders. The idea is to grab all the low-hanging fruit immediately instead of waiting many months for a big bang of zero trust enforcement. We start with enterprise-wide controls to block risky ports, secure external internet flows, and then internal flows and administrator access controls. Then, we continue with application-specific zero trust controls to progress to your final security goal. By configuring our implementation workflow to show immediate security gains, we’ve tried to make our clients’ lives easier by helping them overcome their cybersecurity initiatives’ institutional and cultural challenges.  

Here’s an example from an actual customer case study. In the first 60 days, we were able to measure an improvement, a reduction in attack surface and blast radius, across 650 assets. In the development environment, 96 assets got to low risk, and 26 to medium; in the QA environment, 111 assets got to low risk, and in the production environment, 351 assets got to low risk. From there, they progressively improved their security posture with application-specific controls.
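As an added illustration of the phased workflow and the kind of metric reported above, here is a small model of cumulative enforcement; it is not ColorTokens product code and does not reproduce the case study figures. A flat, fully reachable network is the baseline, each phase (enterprise-wide risky ports, external internet flows, internal flows, administrator access, then application-specific rules) removes flows, and after every phase the model counts assets per environment and risk tier by their remaining attack surface. The inventory, port list, phase rules and tier thresholds are constructed assumptions.

```python
"""Phased zero trust enforcement model: attack surface and blast radius by phase.

Added illustration, not ColorTokens product code. The inventory, ports, phase
rules and risk thresholds are constructed placeholders that follow the workflow
the post describes: enterprise-wide risky ports, external internet flows,
internal flows, administrator access, then application-specific controls.
"""
from collections import Counter
from itertools import product

# Constructed inventory: host -> (environment, role). "internet" is the external peer.
INVENTORY = {
    "jump-01": ("prod", "jump"), "web-01": ("prod", "web"), "db-01": ("prod", "db"),
    "web-qa": ("qa", "web"), "db-qa": ("qa", "db"),
    "dev-01": ("dev", "workstation"), "dev-02": ("dev", "workstation"),
}
INTERNET = "internet"
PORTS = {22, 23, 80, 443, 445, 3389, 5432}
RISKY_PORTS = {23, 445, 3389}        # constructed "risky" list for phase 1
ADMIN_PORTS = {22, 3389}
APP_ALLOW = {("web", "db"): {5432}}  # constructed application allowlist for phase 5


def env(host):
    return INVENTORY[host][0] if host in INVENTORY else "external"


def role(host):
    return INVENTORY[host][1] if host in INVENTORY else "external"


def baseline_flows():
    """Flat network, worst case: every peer reaches every other peer on every port."""
    peers = list(INVENTORY) + [INTERNET]
    return {(s, d, p) for s, d, p in product(peers, peers, PORTS) if s != d}


# Each phase rule returns True when the flow (source, destination, port) is blocked.
def block_risky_ports(s, d, p):
    return p in RISKY_PORTS


def block_external(s, d, p):
    """Inbound from the internet only to the web tier on 443; egress only on 443."""
    if s == INTERNET:
        return not (role(d) == "web" and p == 443)
    return d == INTERNET and p != 443


def block_internal(s, d, p):
    """No cross-environment traffic; the jump host is the only exception."""
    if INTERNET in (s, d):
        return False
    return env(s) != env(d) and role(s) != "jump"


def block_admin(s, d, p):
    """Administrative protocols only from the jump host."""
    return p in ADMIN_PORTS and role(s) != "jump"


def block_non_app(s, d, p):
    """Internal, non-admin traffic must match an application-specific allow rule."""
    if INTERNET in (s, d) or p in ADMIN_PORTS:
        return False
    return p not in APP_ALLOW.get((role(s), role(d)), set())


PHASES = [("risky ports", block_risky_ports), ("external flows", block_external),
          ("internal flows", block_internal), ("admin access", block_admin),
          ("app-specific", block_non_app)]


def apply_phases(flows, n):
    """Flows that survive the first n phases; enforcement is cumulative."""
    rules = [rule for _, rule in PHASES[:n]]
    return {f for f in flows if not any(rule(*f) for rule in rules)}


def attack_surface(flows):
    """Per host: distinct (source, port) pairs that can still reach it."""
    reach = {h: set() for h in INVENTORY}
    for s, d, p in flows:
        if d in INVENTORY:
            reach[d].add((s, p))
    return {h: len(v) for h, v in reach.items()}


def blast_radius(flows):
    """Per host: distinct peers it can still open a connection to."""
    reach = {h: set() for h in INVENTORY}
    for s, d, _ in flows:
        if s in INVENTORY:
            reach[s].add(d)
    return {h: len(v) for h, v in reach.items()}


def risk_tier(surface):
    """Constructed thresholds on attack surface; tune to your own scoring."""
    return "low" if surface <= 3 else "medium" if surface <= 8 else "high"


def tier_counts(flows):
    """Assets per (environment, tier): the shape of the 60-day figures in the post."""
    counts = Counter()
    for host, surface in attack_surface(flows).items():
        counts[(env(host), risk_tier(surface))] += 1
    return dict(counts)


def progress_report():
    """Tier counts after each cumulative phase, entry 0 being the flat baseline."""
    flows = baseline_flows()
    names = ["baseline"] + [name for name, _ in PHASES]
    return [(name, tier_counts(apply_phases(flows, i))) for i, name in enumerate(names)]


if __name__ == "__main__":
    for name, counts in progress_report():
        print(f"{name:15s} {sorted(counts.items())}")
```

Two things the output makes visible that a prose status update would not. First, the early enterprise-wide phases shrink every host's attack surface but leave the whole estate in the high tier; assets only reach low risk once the application-specific allowlist lands, which is why reporting both the per-phase trend and the final tier counts matters. Second, the jump host keeps a blast radius of seven after the last phase because the model deliberately exempts it, so it is the first asset to scrutinise in the next round.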

If there’s no picture, it didn’t happen

Showing this kind of improvement right from your project’s start builds your stakeholders’ confidence. But the C-suite and the board want to see the progress graphically, in an easy-to-consume way. To help with this, we’ve created dashboards and reports to make it much easier for our clients to communicate the success of their microsegmentation projects.  

We’ll be by your side on your journey 

At ColorTokens, we understand that our customers have their own internal customers, and we’ve learned how to support them in their journey to zero trust architecture.  

And, like the faithful dog Toto in The Wizard of Oz, we’ll be there by your side all the way. We can provide support and implementation consulting so you can avoid the flying monkeys and follow the Zero Trust Road to the Emerald City of Breach Readiness. Let’s get started today!