
Author: Morgan Reece

ZTA – A Jungian Approach

In my experience in defining, designing, and implementing Zero Trust Architectures, I have come to the conclusion that every deployment has its own unique personality. What this looks like in practice is that there is an art to ZTA that is not completely understood by most people. One of the first steps/phases in a ZTA ‘journey’ is to identify & understand the protect surface. This requires an in-depth review of your own environment. I look to a quote from 20th Century psychiatrist Carl Jung as a guiding principle.

“Who looks outside, dreams; who looks inside, awakes.” – Carl Jung

Both points of view are necessary. To dream is to perceive the future: to understand the journey your security team needs to travel. To awake is for a leader to come to terms with, and understand, where their security team currently succeeds and fails. The dream is to perceive what a full Zero Trust Architecture deployment/implementation would look like in their environment. To some extent, to successfully build a ZTA environment, you first have to ‘dream’ about your ZTA deployment, and then ‘awake’ to the reality of your present situation. I have led a number of teams through the ‘dreaming’ as well as the ‘awakening’ of ZTA. The art of the architecture is in finding the path between what exists and what the ZTA needs to be.

The assessment is critical to the success of a ZTA implementation. The assessment is a snapshot of what the current environment looks like and how it operates. The biggest challenge of the assessment is the number of people that need to be involved to get a clear and realistic picture of the Tactics, Techniques, and Procedures that the IT and Security team follows. Having a holistic view of the operations and architecture is imperative to the successful interview and mapping of the current state of the environment.

Whether the assessment is internal or external, make sure that you have the right people on both sides of the table. To represent the current state, you need the people who can answer what the world truly looks like presently, not what the CIO/CISO ‘believe’ to be true. On the other side of the table, you need individuals who are knowledgeable about all aspects of IT as well as how to successfully implement a ZTA environment. Without the proper ZTA knowledge, they will not be able to ask the right questions about the current state and then advise on how to travel the ‘journey’ to ZTA.

Followership v. Leadership

For those of you who know me, you know that my shelves are filled with books on leadership. The topics range from military leadership to servant leadership, and pretty much everything in between. I have books by team sport coaches, former ministers, psychologists, and business executives. They all have a similar goal in mind: to present their perspective on what it takes to get an organization/team/group to follow your instruction and guidance. To essentially do what you want them to do. The good news is that there are many leadership styles and many books out there explaining how to execute each of these leadership styles. Every once in a while you will come across in these books how to deal with the individuals on the team. As a leader/manager of a team, you have to make difficult decisions all the time. What project will each team member work on; what person will you hire to be on the team; when is it time for a team member to seek other opportunities.

Over the years, I have held many positions. And most of us have held more positions as subordinates than as leaders. What we all know but sometimes have difficulty accepting is that everyone answers to someone. Even CEOs answer to their chairman and board or shareholders. So why the focus on leadership and not followership? Trust me when I say that followership does not come naturally to all people. There are some who do it quite well, and amazingly enough those people turn out to be some of the best leaders.

So what does it take to be a good follower? I believe that Patrick Lencioni did a great job in his book, The Ideal Team Player, of outlining 3 key attributes. Mr. Lencioni says that being humble, hungry, and (people) smart will make you a good team player. I 100% agree. But I think there is a bit more to being a good follower than just those 3 traits.

Able to internalize and apply constructive feedback: We all have blind spots in our lives, in our character and in our work. When our manager provides constructive criticism, what do we do with it? Do we throw it away because it does not align with who we ‘know’ ourselves to be, or do we take it to heart and see how we might improve in that area? Prov 1:7 says that fools despise instruction. We can definitely question the instruction given, but to be a good follower, we should truly evaluate whether or not the instruction/criticism is valid, even in the slightest. Then being able to apply that instruction and actually make that change to your actions or habits is critical to growing as an employee or team member.

Respect for others: If you don’t like people, or think that you are the smartest person in the room (see humble from Lencioni), then you will be bringing conflict and strife to your team/department. Respect is seen in many different ways in a group dynamic. Deference to others’ ideas is probably where I see it most. Lack of respect stifles collaboration and group brainstorming. It is that respect for others that allows someone to ‘take a back seat’ when appropriate. If individuals are humble but have no respect for others, then all they do is take up space. They are not contributing because they believe that they don’t have anything to contribute, and they don’t believe that the others in the group are worth their time and effort to work with. In this situation, I am not sure why they are still on the team.

Alignment with vision: One of the first things I do with a new manager is to work with them to outline what their team does. This takes the form of a team charter which includes a mission statement, a vision statement, and the team’s operational scope. The scope will include the SOPs and key deliverables. We will spend a number of sessions going through this charter to make sure that they truly believe the charter reflects the team and its activities. The vision statement is the long-range view toward which the team needs to strive. An employee’s view of the mission determines many things, most notably how diligent their work effort is. This is critical. It would be like an individual on a rowing team being out of sync. You may get to your destination, but it will require more effort and more time. As a leader, you should be ‘selling’ your team on the vision. How good a salesman you are, or how good the vision is, will determine how much buy-in you get from your team.

These 3 elements of being a follower will determine a number of things about the team: growth/development, collaboration, and effectiveness/performance.

The next question is how to make sure that you get this type of person on your team. That is a topic for another day.

Identity is not the new Perimeter!

A few years ago, we all were bombarded by marketing campaigns from identity management (IDM) software vendors stating that the “Identity is the new Perimeter.” While that sounds good and sells well to CISOs and CIOs, it is a little simplistic and misleading. I believe that identity is just a small part of what can be considered the “new security perimeter.”

We know that the weakest link in the cybersecurity chain for any company is its users. Attackers know that they can socially engineer users and get them to divulge credentials or download malware from compromised websites. IT security teams continue to deploy protection software to prevent users and systems from being harmed by mistakes made by users. For many organizations, a significant percentage of the IT security budget is dedicated to simply trying to protect the company from human error.

The reality is that the “new perimeter” comprises a holistic view that combines identity, system or device, network, applications, and data. Focusing on just one, or even a few, of these pillars can provide a false sense of security. You may successfully monitor and protect the pillar or pillars you’re paying attention to and still end up compromised. If any aspect of this holistic “perimeter” is exploited, the attacker has a fairly easy path to a full-blown breach in which all aspects are compromised.

Too many CISOs define their cybersecurity strategy by checking boxes for the regulatory requirements of the different agencies that audit their environment. While compliance with regulatory frameworks like Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS), and other mandates is required, and can be expensive if not adhered to, the simple fact is that compliance is not security. Chasing regulatory checklists is not a strategy, but a recipe for disaster leading to a breach.

Holistic or aggregate security considers a broader view of the environment when defining the cybersecurity strategy and selecting tools and processes. Aggregate security focuses on making sure that the protections of each object (identity, system, data, application, etc.) are integrated with the others. For example, when strange or malicious behavior is detected on the network, that is a red flag that should impact the system, identity, data, and application security posture.
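As an added illustration of the aggregate-security point, not code from the original post: a toy policy decision point in Python in which a network red flag for a device propagates to the identity and device pillars, so a siloed identity-only check and the aggregate check reach different answers for the same request. The user, device, network, application and data-class values are constructed for this example.

```python
from dataclasses import dataclass, field

PILLARS = ("identity", "device", "network", "application", "data")


@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool
    device_id: str
    device_compliant: bool
    src_network: str
    app: str
    data_class: str  # "public", "internal" or "restricted"


@dataclass
class PostureState:
    # Constructed signal store: which objects in each pillar are currently flagged.
    flagged: dict = field(default_factory=lambda: {p: set() for p in PILLARS})

    def flag_network_anomaly(self, device_id, user, src_network):
        """A network red flag is shared with the device and identity pillars."""
        self.flagged["network"].add(src_network)
        self.flagged["device"].add(device_id)
        self.flagged["identity"].add(user)


def identity_only_decision(req):
    """Siloed 'identity is the perimeter' check: valid credentials plus MFA decide."""
    return "allow" if req.mfa_passed else "deny"


def aggregate_decision(req, posture):
    """Every pillar must be healthy; a flag on any pillar degrades the decision."""
    if not req.mfa_passed:
        return "deny"
    problems = []
    if req.user in posture.flagged["identity"]:
        problems.append("identity")
    if req.device_id in posture.flagged["device"] or not req.device_compliant:
        problems.append("device")
    if req.src_network in posture.flagged["network"]:
        problems.append("network")
    if req.app in posture.flagged["application"]:
        problems.append("application")
    if problems:
        # Public data: force re-verification; anything more sensitive: deny outright.
        return "step_up" if req.data_class == "public" else "deny"
    return "allow"
```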

The push for a holistic approach is also evident in merger and acquisition activity in the security industry. There has been a movement in recent years to try to integrate different layers of security. We have seen vendors buy up smaller point-solution vendors and roll everything together so they can say they have a “holistic” security solution. The challenge, however, is in successfully and seamlessly integrating the different solutions. Do they really share information across each layer or application to provide a robust security platform? Successes in this area are few and far between.

The latest trend in security frameworks is secure access service edge (SASE) and zero trust architecture (ZTA). I am a huge advocate of both these movements and see great promise in these innovations. But neither will solve the siloed-solution problem I am seeing if security teams are not able to integrate their solutions to take advantage of shared information across all the pillars. Having an aggregate security mindset is critical to delivering a full-scoped solution.

Identity is not the new perimeter. It is one facet of a comprehensive security posture. The new perimeter is not a perimeter at all but a mindset that views aggregate security across all pillars of the environment.