The Zero Trust model is not something that will generate accolades from shareholders, but the absence of a robust security approach increases the likelihood of damaging financial losses
Summary
Microsoft recently announced a Zero Trust Deployment Center as an offshoot of its Zero Trust Security Model. This center is intended to provide support to customers wrestling with the myriad challenges that have arisen from the accelerated digital transformations of the past several months.
The Zero Trust model incorporates several foundational principles that top-performing companies adopt, including: “instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network.”
In Microsoft’s words, “never trust, always verify.”
Report
Analysis
At a time when the vast majority of ransomware attacks go undetected by companies and 91% of attacks don’t generate alerts, the Zero Trust security model offers a management systems-level approach that is characteristic of better cyber governance. The principle of ‘assuming breach’ is more reflective of a reality where the vast majority of breaches go completely undetected.
It is also more fit-for-purpose for the future economy in which a well-executed digital transformation is a difference maker in terms of market performance. We are not saying that ‘Zero Trust’ is the gold standard or the only avenue to a strong cyber posture, but it is a good example of an effective management-systems-based approach to better corporate security.
Like the secure-by-design security philosophy, the adoption of Zero Trust is not something that will be discussed on a CEO’s quarterly financial results call or garner accolades in the financial press. But a posture that lacks a strong security foundation, in which growth and cost considerations are always prioritized over security, will increase the likelihood of loss-making events that WILL generate unwanted headlines and negative reactions from investors.
Consider ISS World or Pitney Bowes. It is safe to assume that shareholders of neither company were clamoring for details from the C-suites on their security approaches, philosophies or even objective data on how well or poorly each company was protecting its most valuable asset (technology). But when devastating ransomware attacks laid bare the security weaknesses of both companies, it was already too late for shareholders and the C-suites. Shareholders are left holding the bag: 3 months post-breach, ISS World’s share price was down 16%* relative to regional peers while PBI was down 19%*. Both companies have yet to recover.
*As of September 30, 2020