This is the second blog in a series about zero trust.

Lack of requisite budget can be a major roadblock when it comes to adding a zero trust model. Why is this so much of a problem? And, how can a SOC team make the C-suite see how zero trust helps the business?

In the first blog in this series, How Zero Trust Can Help Close the Cybersecurity Skills Gap, I examined a poll conducted by Deloitte that identified four obstacles to putting a zero trust framework in place. The biggest challenge was a lack of skilled workers. Luckily, this can be fixed with a carefully selected vendor solution.

The next step is getting the budget you need.

Weighing the Numbers When Choosing a Zero Trust Model

More than a quarter (28.1%) of respondents to Deloitte’s poll said that budget was a problem. Similarly, 45% of participants in a survey conducted during RSA Conference 2020 stated small budgets were their top challenge in being able to try out new tactics like zero trust.

These small budgets appear to be tied to leaders’ doubts about the security budgeting process in general. More than half (55%) of security and technology executives told PwC that they intended to increase their security budgets in 2021. However, the same percentage of respondents said their employers’ digital security spending didn’t match the most important risks. The same proportion of executives doubted their digital security budgets could provide the best return on investment or handle an attack.

Finding the Right Approach

These misgivings don’t outright block zero trust. Rather, they invite security leaders to rethink their approach to obtaining their budget.

To start on the right foot, security personnel need to speak the C-suite’s language. Executives might not understand digital security risk well. Their technical expertise might be limited. They might, therefore, be hesitant to approve a project if they don’t understand what’s being proposed.

Knowing this, security experts might consider reframing their dialogue with executives in terms of business risk. They can specifically speak to how a policy of ‘trust by default’ opens up the possibility of attackers affecting mission-critical operations and profits. They can then set this in contrast to a zero trust model, which supports business objectives.

Next, security leaders can discuss a plan for using a zero trust model. They might consider staying away from changing the entire network over a short period of time. The C-suite wants to make sure that their budget decisions will bring value to the group, after all. A good compromise might be a pilot program for using zero trust within a specific part of the network.

The security team can use that engagement to track what worked and what didn’t, as well as to demonstrate the value of zero trust. If this works, executives might be much more willing to expand zero trust across the whole system.

You can also foster that connection by using benchmarks, visuals and other metrics that are easy to understand from a business perspective. For example, you might demonstrate the time and money saved on not resetting users’ credentials so often because of the implementation of single sign-on (SSO) and other security controls that complement zero trust.

Gaining Support for a Zero Trust Model

You won’t succeed in putting zero trust in place without the requisite budget or support. You have a vested interest in making sure leadership understands what’s going on every step of the way. By speaking the language of business, running pilot programs and using simple metrics, you can foster a culture of zero trust together with the C-suite, all while retaining the money you need to fulfill your employer’s security needs.
