Buy-in applies to everyone in the organization, including end users, IT, and leadership, and each group’s buy-in is critical to a Zero Trust program’s success. Without buy-in from leadership, a Zero Trust initiative will never make it off the ground. Without buy-in from users and IT, it will never stay in flight.
Further, buy-in must span the entire Zero Trust journey, from initial investment and adoption through maintaining best practices. In addition, it’s important to understand what you’re up against so you can break down buy-in barriers when they arise. This article will discuss best practices for garnering Zero Trust buy-in and cover common barriers to Zero Trust buy-in and how to overcome them.
Buy-In Best Practices
Start with an Effective Proposal
The proposal can make or break a Zero Trust program. With the right messaging, it can cultivate strong buy-in among leadership that trickles down to end users and spans the entire length of the Zero Trust program. A compelling proposal should include the following elements:
The benefits of Zero Trust security.
Leaders are focused on reaching their goals and supporting their bottom line: orient your proposal around the benefits and impacts of a Zero Trust implementation to keep it relevant to leadership.
While some discussion of the logistics around implementing Zero Trust may likely be necessary for context, focusing too heavily on technical details often detracts from a proposal’s effectiveness.
A proposal without hard numbers lacks context and will quickly lose a leadership audience and be dismissed as unrealistic. Contextualize your proposal with dollars, months and years, percentages, and other hard numbers that can quantify proposed actions and investments.
Cite competitors’ Zero Trust initiatives and their effectiveness to justify your proposal and inspire leadership to remain competitive.
News stories and anecdotes of breaches.
Give examples of real breaches that have occurred — especially those where the victim was similar in size, industry, or security practices to your organization — to underscore the seriousness of your risk.
The most barebones risk formula is risk = likelihood × impact. Use this formula to identify your high-risk threats, then show how Zero Trust would mitigate them.
Offer Strategic Training
A Zero Trust program will almost certainly require some level of training, whether to introduce employees to new initiatives or to teach IT how to manage new tools.
Strategic Training Best Practices
Leverage training documentation.
Training documentation makes information readily available and prevents time-consuming repeat sessions. Training documentation can take the form of:
Written documentation.
Written documentation, diagrams, and other collateral can act as helpful reference guides available on demand. Some tool providers offer their own education material — check for any training or certifications they offer before creating your own.
Recorded training sessions.
Record all in-person training sessions. This prevents the instructor from having to repeat sessions and creates another form of on-demand documentation.
Community forums.
Community forums or similar spaces — like a Slack channel for the IT department — allow your team to help one another. This can prevent mistakes, encourage on-the-job learning, and reduce the number of questions that need to escalate to leadership. It also becomes a self-writing repository of common questions and answers over time.
Demonstrate new tools and UIs.
Leverage screenshots, screen recordings, demos, and hands-on workshops to get people comfortable with a new process or a tool’s interface.
Use a variety of training methods.
People learn in different ways. Reach more people and help them better retain information by diversifying training materials and methods: written documents, recorded video, and hands-on demonstrations are great media types to start with.
Explain Zero Trust security’s benefits.
Communicate that adopting Zero Trust best practices helps keep everyone’s identities and data safe and streamlines their day-to-day experience with better, more user-friendly technology. This will help encourage active learning and adoption.
Make it easy to find help.
Make sure employees know where, and to whom, to go for help, and keep those resources easily available and responsive. Also encourage employees to seek help from one another, and consider asking a few well-versed employees to act as points of contact for other employees’ questions to minimize issue escalation.
Take feedback. Incorporate surveys or other means of feedback collection into your training to refine it over time.
Communicate with the Organization
Leaders, stakeholders, IT, and end users should be aware of Zero Trust principles and best practices. Communicate best practices through clear training and documentation, and err on the side of over-communicating; repetition will help people internalize the message.
In addition, leaders and IT should be aware of the Zero Trust program’s trajectory and be kept up to date on implementation progress. This will help retain buy-in and encourage a trickle-down security culture.
Forrester released a Practical Guide to a Zero Trust Implementation, which details how to construct a Zero Trust roadmap that breaks your Zero Trust journey into achievable milestones. Consult this guide to create your own roadmap so that the organization can remain unified around the program’s goals, benchmarks, and progress.
Understand Your Environment and Users
A successful Zero Trust implementation must accommodate your environment and users. However, IT work is often independent and highly focused, and it’s not uncommon for IT teams to fall into a bit of an isolated work pattern.
While this may help with teams’ productivity and focus, it can cause IT teams to lose some context and nuance in their work. These oversights can have drastic consequences.
For example, integrating your collaboration platform into your single sign-on (SSO) solution might not seem like a big deal, but if sales teams don’t receive enough notice, it could cause confusion and lock them out of sales calls.
IT teams should stay informed of departmental developments, understand their users’ needs and level of technology literacy, and be aware of the business’s day-to-day operations.
For in-person workplaces, this can be accomplished through immersion: seeing clients arrive for on-site visits, noting when team members come in and take breaks, and even water cooler chats all offer important context.
In work-from-anywhere environments, where your team can’t absorb contextual knowledge from their surroundings, some structure around inter-departmental communication can fill that gap. Company-wide meetings, departmental updates, informal remote meetups, and community communication channels can help keep teams in sync.
No matter the work environment, encourage IT to communicate clearly and frequently when it comes to changes, downtime, or required action. Even if the change seems small or the required action seems easy, communicate it anyway.
Cultivate a Security Culture
Culture doesn’t change overnight; however, it’s a significant factor in Zero Trust adoption. In organizations with strong security cultures, everyone understands what they should do and why.
They also feel a sense of accountability: security is everyone’s responsibility. Demonstrate these values in training and in practice, make sure security awareness training includes communication around risk, and assign training to everyone — not even leaders should be exempt.
Demonstrate the Usability Wins
Zero Trust offers user-friendly benefits at the leadership, IT, and user levels. For leaders, IT can configure conditional access policies to allow them to skip multi-factor authentication (MFA) in secure locations, for example. Users, too, benefit from easier authentication and reduced password usage, among other advantages.
For IT, a Zero Trust architecture provides improved visibility and reporting, more intuitive controls, and more reliable security — all of which make IT’s job easier. Additional wins include the ability to manage Bring-Your-Own-Device (BYOD) environments with mobile device management (MDM) tools, unifying operations across work-from-anywhere environments, and cutting down on helpdesk tickets by reducing friction. Learn more in Does BYOD Fit Into a Zero Trust Security Strategy?
Common Barriers to Buy-In
Zero Trust Misconceptions or Skepticism
Users often misunderstand “Zero Trust” to mean that they are not trusted, which can create resistance or resentment toward a Zero Trust program, hindering user adoption.
Similarly, IT teams and leadership sometimes assume Zero Trust is just a buzzword or a problem for Fortune 500 companies rather than small and medium-sized enterprises (SMEs). However, this is far from the truth: SMEs are targeted at almost the same rate as large companies, and Zero Trust is critical to protecting them.
Solved: Clear Communication and Training
Being aware of these common misconceptions can help you tailor your training and communication to address them head-on. Check out the blog, The Top 5 Zero Trust Myths, Clarified, for inspiration on messaging around clarifying misconceptions.
Shadow IT
Shadow IT is a significant barrier to adoption: users turn to alternative solutions when the Zero Trust resources they’ve been given can’t do what they need them to.
Shadow IT breaks down IT environments with rogue elements that multiply, disperse, and circumvent prescribed systems — all outside of your team’s visibility and control.
Aside from the security risks of unmanaged accounts inputting and accessing corporate data, these shadow resources can wreak havoc on identity and access management (IAM) and directory systems with multiple identities, siloed data in a shadow resource, and conflicting user data.
Solved: Prevent Where Possible
While shadow IT isn’t always preventable, it can be minimized with:
Shadow IT awareness training
Many employees don’t understand what shadow IT is or its security consequences. Shadow IT awareness training should be part of your organization’s larger security awareness program.
Open communication with IT
Users are more likely to turn to outside sources when they can’t easily obtain help or make requests. Clarify the process for making requests or sending feedback to IT, and ensure IT is able to deliver timely responses and review feedback regularly.
Focus on the employee experience
Make sure the IT stack accomplishes what departments and users need it to — and that it does so fairly seamlessly. Both missing tool functionality and complicated or high-friction tools can lead users and departments to seek alternative solutions.
Keep a pulse on what’s working and what isn’t by conducting surveys and keeping IT communication channels open, easily accessible, and responsive.
Solved: Eliminate or Legitimize When It Occurs
While shadow IT prevention is important, it’s not effective on its own. Shadow IT is essentially guaranteed to occur in an organization. Thus, just like cyber threats, IT teams must assume shadow IT will occur and plan for the when, not the if.
When shadow resources don’t comply with IT or compliance requirements, stop their usage — either by communicating with users or blocking access. However, note that these resources were likely solving a real business problem; talk with users and departments to determine what needs the shadow resource fulfilled to find alternative compliant solutions for them.
When shadow resources add value and can comply with IT requirements, legitimize them by merging their identities with your IAM tool or directory, streamlining licensing costs, and developing best practices for their usage.
Technology Literacy and Adoption
Unfamiliarity with Zero Trust tools and processes or a resistance to change can create barriers to adoption. While a refusal to incorporate Zero Trust practices is a clear roadblock, the lack of literacy around Zero Trust — whether at the leader, IT, or employee level — creates barriers that are just as challenging to overcome.
End users that struggle to adopt Zero Trust practices tend to cause frequent errors and circumvention, both of which work against a smooth Zero Trust rollout.
IT teams without sufficient certification and training around Zero Trust security and its supporting technology can’t properly uphold and manage a Zero Trust architecture, causing breakdowns over time.
Solved: Implement Training and a Security Culture
Fortunately, this challenge can be largely addressed with clear and effective training. In addition, cultivating a culture of security will help people internalize and retain Zero Trust messages and best practices.
Solved: Demonstrate the Benefits of Adoption
In addition to training and cultivating the right culture, make sure users, leadership, and IT understand the benefits of Zero Trust:
Users have a more seamless experience while trusting their personal data is adequately protected.
Leadership experiences the same usability wins that end users do. In addition, they’re adopting a security program that’s more competitive and effective against breaches, improving overall business viability and protecting their bottom line.
IT personnel enjoy similar usability wins from the administrative side: from better visibility to easier-to-use tools, they’ll experience a more streamlined day to day with Zero Trust. In addition, Zero Trust training is a chance to hone their skills in technology that’s becoming more and more popular among businesses, making them more competitive from a personal career standpoint.
Simplify Zero Trust Security
Over-complication is the antithesis of easy adoption. To further explore how you can streamline your Zero Trust initiative for users, IT, and leadership, visit JumpCloud’s Zero Trust resource library — a space dedicated to providing IT professionals the tools they need to keep security clear, straightforward, and achievable.