Designed by Committee? How Committees Actually Empower Beyond Zero Trust 

By VMware Director, Information Security Strategy, Craig Savage and VMware Senior Program Manager Eddie Eriksson 

This is the third in a blog series on Beyond Zero Trust 

When it comes to implementing a Beyond Zero Trust initiative, leadership (steering) and governance (audit) committees are key to a program’s success. They resolve roadblocks, cross-business-unit conflicts, and budget or resource deficits; ensure that the program’s status and pace are meeting expectations; and make management, resource or budget adjustments as needed.

How we steer the ship 

An executive steering committee is essential for a large cybersecurity program, such as Beyond Zero Trust (BZT), as it will ensure that: 

  • Task blocks are removed 
  • Appropriate resources are always provided 
  • Multiyear funding is available 
  • A finite set of leaders that can approve scope changes is consistently in place 
  • Momentum is always maintained and nothing ‘dies on the vine’ 
  • Feedback on the high-level positioning of the program itself is provided

VMware is nonhierarchical, and that helped accelerate the adoption of both Beyond Zero Trust and an associated steering committee. The committee was key in guaranteeing cross-functional work happened in a coordinated manner. Teams knew leaders were committed to the success of the program, and thus prioritized the project work (sometimes at the expense of day-to-day activities) to ensure their commitments were met. 

Since introducing Beyond Zero Trust, our steering committee has been an invaluable component, especially for several high-impact projects that we knew would directly affect employees, such as requiring managed devices to access corporate resources. Getting both steering committee and principal engineer feedback/approval in advance was a tremendous help. We knew we were empowered to keep moving forward, which eliminated arbitrary or subjective disagreements.

The benefits of being audited 

Like many companies, the audit committee at VMware has a voice on the board of directors. After the SolarWinds incident in 2020 heightened awareness of how a serious breach can devastate a software company’s reputation and share price, the audit committee took a keen interest in the success of our BZT efforts. 

Realizing a majority of IT, InfoSec and R&D resources were already inundated with high-priority work, the audit committee wanted to ensure that critical, high and medium cyber risks be addressed within a reasonable timeframe.  

This involved creating service-level agreements (SLAs) for the numerous projects addressing these risks, as well as establishing guidelines for date slippages. For timing purposes, all first-time date extensions now require VP approval. A second date slippage requires an SVP approval, and a third slippage requires a face-to-face SVP explanation to the audit committee. 

These SLA time periods give the InfoSec project management organization (PMO) tremendous leverage in enabling other business units to quickly provide resources and resolve roadblocks as needed—a vital component in the success of the program. See Fig. 1. 

Figure 1–Service-level agreement time periods.

At the same time, it was made crystal clear to all stakeholders that program ownership remains with the BZT program leadership, not the audit committee. This means key decisions, resource allocations, and budgets are a joint decision between the InfoSec, CIO, and R&D engineering teams. 

Want to know more? Give us a call 

Introducing a new security program from scratch is a considerable undertaking. That’s why we encourage you to contact your account team to schedule a 1:1 briefing with us. No sales pitch, no marketing. Just straightforward peer conversations revolving around your company’s unique requirements. 

For more background on Zero Trust, check out these blogs on the topic, as well as our BZT fundamentals blog and the series introduction. For other questions, contact [email protected].

VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. To learn more about how VMware IT uses VMware products and technology to solve critical challenges, visit our microsite, read our blogs and IT Performance Annual Report and follow us on SoundCloud, Twitter and YouTube. All VMware trademarks and registered marks (including logos and icons) referenced in the document remain the property of VMware.