Basic Training. Understanding the Fundamentals of Beyond Zero Trust 

By VMware Director, Information Security Strategy Craig Savage and VMware Senior Program Manager Eddie Eriksson 

This is the second in a blog series on Beyond Zero Trust 

Born of necessity 

After a few notable events in the industry, VMware identified a need to enhance our existing Zero Trust-based security in key areas, such as the vendor supply chain and partner/employee access. 

Rather than tackle each issue in a piecemeal manner, we decided to address the risks head-on by creating a comprehensive program that would augment our existing security initiatives—and ensure any known threats were again sufficiently mitigated.  

We call this program Beyond Zero Trust, an apt name as we needed to take our Zero Trust efforts to the next level. It enabled our organization to have a structured and powerful way of fulfilling security objectives. Instead of many decentralized projects under divergent interests, a centralized approach is implemented that enables the following: 

  1. Clear definition of overall success  
  1. Means of sharing resources 
  1. Path to manage conflict 
  1. Visibility of risks 
  1. Management of interdependencies 
  1. Consolidated stakeholder feedback 
  1. Formalized procedures 
  1. Alignment of resources, budget and goals 

Get with the program 

Blackboard with questions

Like a project, a program defines what needs to be done, how it is done (approach), who will do it (resources), and how much funding is needed to be successful.   

Typically, a program sponsor defines the scope. In our case, that person re-examined VMware risks and we focused on the rescored higher risks. Our sponsor then worked with the Project Management Office (PMO) to identify a program manager to best define projects in a discrete way so that they are aligned with specific risks. That person oversaw that project managers (PMs), whose domain or company experience ideally matched with the intended outcome, were then assigned. The PMs worked with functional managers to free up and commit their resources and facilitate a weekly call to ensure resources are completing milestones according to the scope and objectives of each project.   

The importance of being earnest 

Runner in blocks

There is a lot more to consider when spinning up a Beyond Zero Trust cybersecurity program, and some of it requires discussion of hard truths.  

For instance, it is imperative your team develop a solid (but flexible) document that outlines which stakeholders are considered responsible, accountable, consulted, and/or informed (known as a RACI matrix). RACI ensures every stakeholder is on the same page regardless of the task at hand, and that they are crystal clear as to the role they play. 

Once your RACI document is created, other factors must be considered: 

  • Identify the key stakeholders and influencers. How will you find the right people and convince them to buy into the program. Once in, how will you ensure they are up to speed on all the changes. 
  • Determine what the recruiting/hiring environment is like. Is your team able to hire the skillsets needed in the required timeframe, or do you have the budget to contract a professional services team instead? 
  • Decide which is more important, meeting committed deadlines or delivering high-quality implementations? The latter is ultimately more important to ensure a high compliance rate with affected stakeholders. Similarly, honestly assess the impact—good and bad—on the team members. Forcing a Beyond Zero Trust program on an uncooperative stakeholder threatens the program’s very existence.  
  • Ensure there are established communication processes in place, backed by appropriate resources. 

Want to know more? Give us a call

Dial phone

Introducing a new security program from scratch is a considered undertaking. That’s why we encourage you to contact your account team to schedule a briefing with us. No sales pitch, no marketing. Just straightforward peer conversations revolving around your company’s unique requirements. 

For more background on Zero Trust, check out these blogs on the topic. For other questions, contact

Check out the other blogs in this series:

BZT series introduction

The importance of steering and audit committees

VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. To learn more about how VMware IT uses VMware products and technology to solve critical challenges, visit our microsite, read our blogs and IT Performance Annual Report and follow us on SoundCloud, Twitter and  YouTube . All VMware trademarks and registered marks (including logos and icons) referenced in the document remain the property of VMware. 


One comment has been added so far

Leave a Reply

Your email address will not be published. Required fields are marked *