
Basic Training. Understanding the Fundamentals of Beyond Zero Trust 

By VMware Director, Information Security Strategy Craig Savage and VMware Senior Program Manager Eddie Eriksson 

This is the second in a blog series on Beyond Zero Trust 

Born of necessity 

After a few notable events in the industry, VMware identified a need to enhance our existing Zero Trust-based security in key areas, such as the vendor supply chain and partner/employee access. 

Rather than tackle each issue in a piecemeal manner, we decided to address the risks head-on by creating a comprehensive program that would augment our existing security initiatives—and ensure any known threats were again sufficiently mitigated.  

We call this program Beyond Zero Trust, an apt name because we needed to take our Zero Trust efforts to the next level. It gave our organization a structured and powerful way of fulfilling security objectives. Instead of many decentralized projects driven by divergent interests, we implemented a centralized approach that enables the following: 

  1. Clear definition of overall success  
  1. Means of sharing resources 
  1. Path to manage conflict 
  1. Visibility of risks 
  1. Management of interdependencies 
  1. Consolidated stakeholder feedback 
  1. Formalized procedures 
  1. Alignment of resources, budget and goals 

Get with the program 


Like a project, a program defines what needs to be done, how it is done (approach), who will do it (resources), and how much funding is needed to be successful.   

Typically, a program sponsor defines the scope. In our case, that person re-examined VMware's risks, and we focused on those that were rescored as higher risks. Our sponsor then worked with the Project Management Office (PMO) to identify a program manager who could best define projects in a discrete way, so that each project is aligned with specific risks. That program manager ensured that project managers (PMs) whose domain or company experience best matched the intended outcome were assigned. The PMs worked with functional managers to free up and commit their resources, and facilitated a weekly call to ensure those resources were completing milestones according to the scope and objectives of each project.   

The importance of being earnest 


There is a lot more to consider when spinning up a Beyond Zero Trust cybersecurity program, and some of it requires discussion of hard truths.  

For instance, it is imperative your team develop a solid (but flexible) document that outlines which stakeholders are considered responsible, accountable, consulted, and/or informed (known as a RACI matrix). RACI ensures every stakeholder is on the same page regardless of the task at hand, and that they are crystal clear as to the role they play. 

Once your RACI document is created, other factors must be considered: 

  • Identify the key stakeholders and influencers. How will you find the right people and convince them to buy into the program? Once they are in, how will you ensure they are kept up to speed on all the changes? 
  • Determine what the recruiting/hiring environment is like. Is your team able to hire the skillsets needed in the required timeframe, or do you have the budget to contract a professional services team instead? 
  • Decide which is more important: meeting committed deadlines or delivering high-quality implementations. The latter is ultimately more important to ensure a high compliance rate among affected stakeholders. Similarly, honestly assess the impact—good and bad—on the team members. Forcing a Beyond Zero Trust program on an uncooperative stakeholder threatens the program’s very existence.  
  • Ensure there are established communication processes in place, backed by appropriate resources. 

Want to know more? Give us a call


Introducing a new security program from scratch is a considerable undertaking. That’s why we encourage you to contact your account team to schedule a briefing with us. No sales pitch, no marketing. Just straightforward peer conversations revolving around your company’s unique requirements. 

For more background on Zero Trust, check out these blogs on the topic. For other questions, contact [email protected]

Check out the other blogs in this series:

BZT series introduction

The importance of steering and audit committees

VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. To learn more about how VMware IT uses VMware products and technology to solve critical challenges, visit our microsite, read our blogs and IT Performance Annual Report, and follow us on SoundCloud, Twitter and YouTube. All VMware trademarks and registered marks (including logos and icons) referenced in the document remain the property of VMware.