How to Sell Your CEO on Zero Trust

Although the average breach results in $149,000 in damages, most small-to-medium-sized business leaders severely underestimate that cost. In fact, in the event of a successful attack, 70% of decision-makers think they’d lose less than $25,000. Over half believe they’d lose $10,000 一 nearly 15 times less than the actual average. Unfortunately, this disconnect often causes the C-suite to deprioritize or underfund security measures. But this is a mistake.

The shift to remote work has exacerbated the prevalence and severity of cyberattacks. The ransom money companies have been forced to pay increased by 300% in 2020, and it’s likely not stopping there. IT experts know that the Zero Trust model is the foundation for a modern security infrastructure that limits these attacks; they just need to get their superiors on board. In this piece, we discuss three steps to presenting in a way that sells your CEO on zero trust and safeguards your organization in the process.

Step 1: Education

It only makes sense that people who don’t spend time immersing themselves in security activities won’t be well-versed in security knowledge and terms. In a survey of over 400 IT professionals, 43.8% of decision-makers (owners or C-level) revealed they are unfamiliar with zero trust. With that in mind, how can they possibly make a sound decision?

While you need to get them up to speed on zero trust, the C-suite doesn’t have time to read a novel. Instead, use bullet points to get information across quickly. Provide examples of zero trust security at work in other companies at a similar stage and size. If you can’t find any, there are plenty of well-known organizations like Google and Amazon diving headfirst into the zero trust approach. Even President Biden has mandated that federal agencies must adopt zero trust by 2024. 

Beyond what other groups are doing, mention that customers will be increasingly interested in your company’s security policies and that zero trust could enhance the selling process. You might also emphasize the fact that zero trust is beneficial whether or not you experience a breach. Not only does it consolidate your security tooling, it also streamlines the employee experience and prepares your company for meeting compliance requirements like CCPA, GDPR, HIPAA, and PCI.

Step 2: Calculate ROI

Let’s face it, C-level executives want to see hard numbers. They want definitive proof that zero trust is a good investment. Oftentimes, that’s hard to prove, but it’s not impossible.

First, think about what you need to make zero trust a reality:

• What tools do you have to pay for that you don’t already have? 
• What is the level of effort to apply and enforce zero trust principles? 
• Will these solutions and processes scale along with your company? 
• How much will zero trust cost your company to implement and every year post-implementation?

Next, calculate your return. Zero trust typically merges several distinct departments and functions, so think about what cost and time savings could come from that. In addition, many companies use less tooling, opting for one platform that performs many zero trust-related tasks. How much savings does that equate to? Also, try to calculate how much time your employees will be saving with adaptive controls like relaxing MFA requirements when users log in from a trusted device and network. 

Then, try to find out how many more deals you could win if you had a more widely recognized approach to security. Customers often feel more comfortable dealing with a company that has its security ducks in a row. And, of course, don’t forget to remind your audience of the true cost of a breach and how much you’d be saving if breaches never happened in the future. Finally, explain that attacks will only worsen over time and that zero trust is the first step toward combating them.

Step 3: Show them your roadmap

Executives want to know that you have a plan and will execute on it. The first step in making a plan is to take stock of your current security protocols and what you’re missing. If you haven’t done a maturity assessment already, now is the time to do so (budget permitting). Results of a zero trust assessment, such as the one offered by Forrester, will make it abundantly clear where your gaps are and where you need to go.

Then, examine other initiatives taking place across the business. How does zero trust fit in? Remember that zero trust isn’t a two or three-day project 一 it takes a significant investment, both in terms of time and money. Ensuring that your company has the means to contribute to a zero trust project is crucial. At the same time, it can be helpful to couple zero trust projects with cloud migrations that are already approved. These disruptive IT changes set the stage for delivering zero trust more effectively and can demonstrate the value of zero trust faster.

After you’ve documented your existing state and put this project in the context of other company objectives, it’s time to determine your goals and timeline. To start, identify tools you already have that can help you achieve zero trust. For instance, let’s say you already have mature cloud workload security. In that case, you might want to start by addressing your more immature identity and access management (IAM) capabilities. List out what you need to get done and assign each of these tasks a priority. Soon enough, a rough timeline will start to take shape. Even if your time horizon is several years, that’s ok. Remember, you’ve already done the prep work of justifying the ROI and educating your stakeholders, so now it’s about assuring them you have a long-term strategy.

Taking Zero Trust to the Next Level 

Once you’ve educated executives on zero trust, highlighted its potential benefits, and clarified your plan, you need to decide on the tools you’ll use on your zero trust journey. Unfortunately, the multitude of options out there makes these choices overwhelming. Luckily, there is one company that’s making zero trust a breeze to implement: JumpCloud.

JumpCloud’s platform simplifies Zero Trust security by allowing you to manage identities, access, and devices under one cloud-based roof. You can employ policy-driven access control, enforce MFA, and configure trusted devices and networks in just a few clicks. As a result, JumpCloud is trusted by over 100,000 organizations worldwide. You, too, can take zero trust to the next level by signing up for JumpCloud Free today. Test drive the full functionality of our platform for up to 10 users and 10 devices, for as long as you need until you scale.