Panel Discussion: Mapping the Zero Trust JourneyMuch Depends on Risk Appetite, Regulatory Requirements, Experts Say
How does one decide the right approach to zero trust, and what are some important considerations to keep in mind? A panel of experts - Chirag Joshi, group head of cybersecurity at a leading financial institution in Sydney; Brett Winterford, regional chief security officer, APJ, Okta; and Jay Hira, director of cyber transformation, EY in Sydney - share their in-depth views.
"Different industry verticals have different regulatory expectations. For example, higher education universities by default have an approach of open trust and open collaboration and sharing. That is what they thrive on. Here, you cannot go full throttle trying to restrict everything," Joshi says. "In such organizations, you need to take a different approach addressing zero trust whereas, in financial institutions because you need to take a risk-based approach, there is almost a heightened expectation of prevention and anomalous detection of activities."
"'One size fits all' will not work for all organizations because of different context, different environment and different business goals. It is important to assess the readiness to achieve zero trust. Who is talking about zero trust? Is it the board asking you questions around zero trust, or is it the security operations lead? These are two separate conversations," Hira says.
Winterford talks about the various challenges faced by organizations taking an identity-centric approach. "Identity and governance are our biggest gaps as they are complex problems to solve. PAM is a massive challenge as well. Another challenge is helping people to break out of the mindset that assessing all these problems will increase friction in user experience," he says.
In a discussion with Information Security Media Group, the panelists also talk about:
- What zero trust means to them;
- How the zero trust approach changes with industry regulatory requirements;
- The challenges involved in an identity-centric zero trust approach.
Winterford is the regional chief security officer for Okta in the Asia-Pacific region and Japan. He advises business and technology leaders on evolving threats and helps them harness advances in identity technology to drive business outcomes and mitigate risk. Prior to Okta, he held a senior security leadership role at Symantec and helmed security research, awareness and education at Commonwealth Bank.
Hira is a cybersecurity strategy and transformation director with more than 15 years of international experience supporting financial services organizations to become more cyber resilient through zero trust adoption to build trust and attract more customers, enabling growth.
Joshi is group head of cybersecurity at AMP, a financial services company in Australia. He is also the author of the worldwide bestselling book "7 Rules to Influence Behaviour and Win at Cyber Security Awareness" and the director of the ISACA Sydney chapter.