How to Write a Zero Trust Proposal (And Get Executive Buy-In)

Written by Ashley Gwilliam on April 18, 2023



Fish or chicken? Organic or regular? Tartar control or whitening? 

Sources estimate the average adult makes around 35,000 decisions every day. For those working in leadership positions, the number may be even higher. The more uncertain the risk-to-reward ratio, the longer we tend to postpone decision-making. 

Unfortunately, misunderstandings among executives about the current state of cybersecurity are rampant. Even tech-savvy CEOs may not grasp why a perimeter-based network that once seemed adequate became exposed the moment employees started working remotely on cloud-based services.


CIOs, IT admins, and managed service providers (MSPs) are charged with implementing security controls that safeguard stakeholder data as effectively as possible. Translation: IT leaders must educate executive leadership on why a Zero Trust security framework is now essential to long-term success.

The best way to make sure the executives truly understand what is at stake in today's wild-west world of data breaches is to draft a compelling proposal. A good Zero Trust proposal translates abstract technical concepts into a clear picture that prompts action.

Are you on the brink of replacing your organization's old "castle-and-moat" security model with a Zero Trust architecture? If so, this article is for you.

Why Create a Zero Trust Proposal? 

Corporate executives are notorious for delaying major budgetary decisions. The bigger and more established the organization, the more likely its CEO will resist change. 

According to a 2019 McKinsey Global Survey, only 20% of corporate managers consistently make “quick decisions” that generate “high-quality” returns. 

The study found that leaders who make decisions quickly are twice as likely to achieve successful results as their slower counterparts.

What did their decision-making process look like? The study didn’t reveal the details, but we suspect the top decision-makers had one element in common: gut feelings validated by relevant data points with comprehensive analysis.


In recent years, numerous studies have shown that data-driven decision-making reduces risk, increases agility, and cuts wasteful spending. It is one reason startups and small-to-medium-sized enterprises (SMEs) alike are increasingly hiring data scientists.

With this in mind, most executives would appreciate an effective Zero Trust proposal that outlines why a security overhaul is an essential action item — not a “nice to have.” Besides helping gain buy-in from key stakeholders, your proposal should provide your IT team with a summarized roadmap to success. 

A solid Zero Trust proposal will summarize the initiative’s objectives, expected benefits, and estimated resources.

6 Elements to Include in Your Zero Trust Proposal 

Before getting started, it’s worth emphasizing that there is no definitive way to write a proposal. Project proposals can range from exceedingly detailed binder presentations (including comprehensive Scope of Works) to simplistic, bullet-point emails. 

However, there are some essential elements worth including. After reading your zero-trust proposal, executive leadership should fully understand:

  • The particular cybersecurity challenges that must be addressed
  • How Zero Trust can solve each of these challenges 
  • Why the organization should take action now (or sooner rather than later)

Here’s what to include to make sure everyone is on board:

1. Define Zero Trust

Zero Trust is becoming the industry-standard security model, but not everyone knows what it entails. For many CEOs, Zero Trust is nothing more than a buzzword similar to "big data." Is it a product? A service? Or some type of security toolkit?

For this reason, it is essential to clarify that Zero Trust is not a single product but a security framework that combines several technologies to limit access and safeguard data.

When an organization's security model is built on the premise of "trust nothing, verify everything," no user, device, or request is trusted simply because it sits inside the corporate network. Employees work only from trusted, managed devices, and every access request is verified against the user's identity and the device's state, no matter which network it arrives from. The framework prioritizes mobile device management (MDM), multi-factor authentication (MFA), single sign-on (SSO), microsegmentation, and other attack-surface-reduction capabilities.

Use precise language when defining Zero Trust tools, elements, and concepts. Avoid technical jargon that leadership won’t easily understand and doesn’t need to know. Executives don’t need lessons in software engineering; they require high-level overviews. 

2. Summarize the Benefits 

Unlike other initiatives competing for attention, the rewards of a Zero Trust implementation most often outweigh any perceived risks. Not only does Zero Trust tighten security across the entire organization, by restricting access to data through privileged access management and stronger authentication, but it also shortens threat response times.

Identity and access management (IAM) solutions let admins lock down devices, user identities, and access to company resources at the push of a button. Fast containment combined with narrowly scoped permissions reduces the likelihood of attackers moving laterally through the organization once they have compromised a single account or device.

With cloud-delivered IAM and device management, the IT department does not need to stand up additional on-premises infrastructure to ensure everyone is working on trusted devices and networks. If your organization still runs an on-prem network, emphasize the benefits of shifting to cloud infrastructure over time.
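To make the definition above concrete, here is an added example that is not from the original article and does not represent JumpCloud's or any vendor's product: a toy policy decision point that evaluates every request on identity, MFA, device posture, and per-resource entitlement, next to a castle-and-moat check that trusts anything inside the network. It also shows the IAM lockdown and lateral-movement points from the benefits section. All users, devices, IP ranges, resources, and entitlements are constructed assumptions for illustration.

```python
"""Added example, not from the original article or any vendor's code:
a minimal Zero Trust policy decision point (PDP) beside a perimeter
("castle-and-moat") check. Every identity, device, IP range and
entitlement below is constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORPORATE_LAN = ip_network("10.0.0.0/8")   # assumed "inside" range
SUSPENDED: set[str] = set()                # identities an admin has locked

# Least-privilege entitlements per identity: resource -> allowed actions.
ENTITLEMENTS = {
    "alice": {"payroll-app": {"read"}, "hr-db": {"read"}},
    "bob": {"wiki": {"read", "write"}},
}


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in MDM
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool     # the SSO session completed MFA
    device: Device
    source_ip: str
    resource: str
    action: str


def castle_and_moat(req: Request) -> bool:
    """Perimeter model: anything inside the LAN or VPN is trusted."""
    return ip_address(req.source_ip) in CORPORATE_LAN


def device_trusted(dev: Device) -> bool:
    return dev.managed and dev.disk_encrypted and dev.os_patched


def zero_trust(req: Request) -> tuple[bool, str]:
    """Evaluate one request. Network location is not a signal; every
    other check must pass, and the first failure names the reason."""
    if req.user in SUSPENDED:
        return False, "identity-suspended"
    if not req.mfa_verified:
        return False, "mfa-required"
    if not device_trusted(req.device):
        return False, "device-posture"
    allowed = ENTITLEMENTS.get(req.user, {}).get(req.resource, set())
    if req.action not in allowed:
        return False, "not-entitled"
    return True, "allow"


def suspend(user: str) -> None:
    """The 'push of a button' lockdown: the next request from this
    identity is denied regardless of its session or device."""
    SUSPENDED.add(user)


# Constructed scenarios -------------------------------------------------
LAPTOP = Device("lt-001", managed=True, disk_encrypted=True, os_patched=True)
HOME_PC = Device("unknown", managed=False, disk_encrypted=False, os_patched=False)

SCENARIOS = {
    # Legitimate remote work from a managed laptop on a public IP.
    "alice_remote_ok": Request("alice", True, LAPTOP, "203.0.113.7", "hr-db", "read"),
    # Stolen password used from inside the LAN on an unmanaged machine.
    "stolen_creds_on_lan": Request("alice", False, HOME_PC, "10.1.2.3", "hr-db", "read"),
    # Fully verified session trying to reach a resource outside its scope.
    "lateral_move": Request("alice", True, LAPTOP, "10.1.2.3", "wiki", "write"),
}


def compare(req: Request) -> dict:
    """Return both models' verdicts for one request."""
    zt_ok, reason = zero_trust(req)
    return {"perimeter": castle_and_moat(req), "zero_trust": zt_ok, "reason": reason}


if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        print(f"{name:22} {compare(req)}")
```

Two things are worth pointing out to an executive from the output: the perimeter model blocks the legitimate remote worker yet waves through the stolen credential used from the LAN, while the per-request model does the opposite; and a fully verified session still cannot write to the wiki, because entitlements are scoped per resource, which is what keeps one compromised account from becoming a company-wide incident.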


3. Discuss the State of Cybercrime

According to Interpol, cybercrime is growing at a breakneck pace. New trends keep emerging, and cybercriminals keep becoming more agile. They exploit new technologies, customize their attacks, and collaborate with one another, to the peril of organizations of all sizes.

In recent years, cybercriminal gangs such as REvil have accessed sensitive data, encrypted it, and held it for ransoms ranging from hundreds of thousands to tens of millions of dollars. Many gangs now get in through remote access technology, such as exposed RDP and VPN endpoints, rather than by attacking authentication head-on. This makes ransomware a real threat to any company that, for instance, relies on remote workers.

Others build ransomware and lease it to affiliates in what is known as ransomware-as-a-service (RaaS), a model that has affected 42% of large organizations and 33% of SMEs globally. Paint a picture of a familiar scenario that needs immediate attention. Once leaders see how your plan fits into the big picture, they will be more willing to devote resources.

4. Calculate Your Organization’s Risk (Cost of Breach)

According to IBM's 2021 Cost of a Data Breach Report, the average cost of a breach is $4.24 million. The most affected industries are healthcare, finance, pharmaceuticals, technology, and energy, in that order.

Business leaders need to know what’s at stake should a breach occur. To determine the potential costs of a data breach for your specific organization, consider:

  • Direct costs: What actions would the organization take after a breach? Outsourced forensic investigation, regulatory fines, and compensation for affected parties are all possibilities. 
  • Indirect costs: Losses that accrue over the time it takes to recover from the breach. These include revenue lost to system downtime and the longer-term revenue impact of reputational damage.

Essentially, use real numbers relevant to your organization to show that preventing a cyberattack is cheaper than repairing its damage.


5. Outline the Project Scope

This section of the proposal lists the goals you plan to achieve. A step-by-step plan can list objectives such as adopting MFA and SSO as the first upgrades.

Fun fact: it takes 2 to 3 years to transition to a complete Zero Trust framework, on average. So, don’t bite off more than your department can chew. 

Break the project objectives into smaller timeline milestones with an emphasis on the ones that will provide the most bang for your buck. 

Your project schedule will pave the way for allocating necessary resources, making hiring decisions, and more. It will also spell out executives' roles in the ongoing rollout of Zero Trust controls and infrastructure updates. 

6. Include a Competitor Analysis 

According to a recent study of more than 1,000 IT professionals, more than 50% of SMEs are planning or already working on a Zero Trust security program. 

They want to ensure their organizations remain safe amid the growth of trends such as remote work and Bring Your Own Device (BYOD). Discuss what your competitors are doing in terms of security. If they are already working on a Zero Trust approach, highlight the competitive edge they have over your organization.  

The Ideal Approach to Zero Trust

Adopting Zero Trust involves considerable mindset shifts amongst IT team members, executive leadership, and key stakeholders. A strongly written proposal is the perfect first step to getting everyone on board. 

After reading your document, leadership should be able to explain Zero Trust in a casual conversation, recall its risk-to-reward ratio, and understand what needs to happen first.

If you’re ready to adopt a Zero Trust security program, start here.

Ashley Gwilliam

Ashley Gwilliam is a Content Writer for JumpCloud. After graduating with a degree in print-journalism, Ashley’s storytelling skills took her from on-camera acting to interviewing NBA basketball players to ghostwriting for CEOs. Today she writes about tech, startups, and remote work. In her analog life, she is on a quest to find the world's best tacos.
