WEBVTT

1
00:00:00.330 --> 00:00:02.940
Anna Delaney: What is the state of zero trust in Europe today?

2
00:00:03.060 --> 00:00:06.540
Hello, I'm Anna Delaney for ISMG. And with me to discuss a

3
00:00:06.540 --> 00:00:09.810
recently published report from Forrester, 'Zero Trust Comes

4
00:00:09.810 --> 00:00:13.590
Into the Mainstream in Europe' is senior analyst Tope Olufon.

5
00:00:13.980 --> 00:00:15.810
Tope, thank you very much for joining us.

6
00:00:16.830 --> 00:00:19.020
Tope Olufon: Thanks a lot for having me. Really pleased to be

7
00:00:19.020 --> 00:00:19.260
here.

8
00:00:19.890 --> 00:00:21.810
Anna Delaney: So Tope, it would be really interesting to

9
00:00:21.810 --> 00:00:25.410
understand what data you were studying for this report. Could

10
00:00:25.410 --> 00:00:29.160
you share a brief overview of the regions you were assessing

11
00:00:29.160 --> 00:00:29.700
in Europe?

12
00:00:31.200 --> 00:00:33.240
Tope Olufon: So, while, of course, the report covered the

13
00:00:33.240 --> 00:00:37.020
whole of Europe, seven countries came up very frequently. In the

14
00:00:37.020 --> 00:00:41.160
EU, we have France and Germany. And, of course, outside the EU,

15
00:00:41.220 --> 00:00:44.970
we have the U.K. So a lot of these countries reflect broader

16
00:00:45.150 --> 00:00:48.510
cultural attitudes toward zero trust in the European continent.

17
00:00:48.750 --> 00:00:51.030
Anna Delaney: So what were the predominant zero trust trends?

18
00:00:51.030 --> 00:00:53.880
What did you learn about the state of zero trust in Europe

19
00:00:53.880 --> 00:00:54.360
today?

20
00:00:54.000 --> 00:00:56.779
Tope Olufon: So also, one of the biggest changes is a lot of

21
00:00:56.838 --> 00:01:00.504
security leaders are reporting directly to CEOs. So naturally,

22
00:01:00.563 --> 00:01:03.697
you would expect security prioritization to have, you

23
00:01:03.756 --> 00:01:07.482
know, a bigger piece of the pie, so to speak. And one big trend

24
00:01:07.541 --> 00:01:10.497
we've seen is public organizations are leading the

25
00:01:10.557 --> 00:01:13.986
adoption of zero trust in Europe. So which is a good thing

26
00:01:14.045 --> 00:01:16.825
because zero trust is the vehicle toward better

27
00:01:16.884 --> 00:01:20.550
information security. Another thing we have seen is zero trust

28
00:01:20.609 --> 00:01:23.861
is isolated by breaches. And a lot of the time if these

29
00:01:23.921 --> 00:01:27.646
breaches impact some insurance premiums, organizations that are

30
00:01:27.705 --> 00:01:31.135
affected by such tend to prioritize zero trust as opposed

31
00:01:31.194 --> 00:01:34.683
to organizations that have not yet been breached. So we see

32
00:01:34.742 --> 00:01:38.290
breaches as a driver toward zero trust adoption, which makes

33
00:01:38.349 --> 00:01:42.133
sense, because a lot of security leaders see zero trust as a way

34
00:01:42.193 --> 00:01:43.080
to handle risk.

35
00:01:44.310 --> 00:01:46.650
Anna Delaney: Were there any notable differences between

36
00:01:46.650 --> 00:01:47.310
regions?

37
00:01:48.180 --> 00:01:51.990
Tope Olufon: Not exactly. However, we found that German

38
00:01:51.990 --> 00:01:56.550
organizations tend to prioritize it the most. So, and again,

39
00:01:56.550 --> 00:01:59.730
we've also seen that a lot of German organizations have hybrid

40
00:01:59.730 --> 00:02:03.120
cloud as a strategy. So it makes a lot of sense that

41
00:02:03.120 --> 00:02:05.820
prioritization of zero trust is closely followed.

42
00:02:07.020 --> 00:02:09.330
Anna Delaney: Do you have any indication as to why that is?

43
00:02:10.860 --> 00:02:15.060
Tope Olufon: I wouldn't say there are any specific reasons. But,

44
00:02:16.140 --> 00:02:18.240
you know, a lot of German organizations are going through

45
00:02:18.240 --> 00:02:21.450
digital transformation process. And with things like hybrid

46
00:02:21.450 --> 00:02:24.240
working exploding and remote working, you know, being the

47
00:02:24.240 --> 00:02:27.330
mainstay since the pandemic. It makes a lot of sense that

48
00:02:27.330 --> 00:02:29.910
organizations will look to something that handles the

49
00:02:29.910 --> 00:02:33.090
unique security challenges of a distributed workforce.

50
00:02:34.020 --> 00:02:36.600
Anna Delaney: Now, as I understand the last report that

51
00:02:36.600 --> 00:02:40.320
Forrester published on zero trust was in 2020. So what

52
00:02:40.320 --> 00:02:43.170
changes have you observed since that last report?

53
00:02:44.200 --> 00:02:47.230
Tope Olufon: Organizations have stopped asking why and what, so

54
00:02:47.260 --> 00:02:51.130
they've moved from that. And now they're focused on how. So no

55
00:02:51.130 --> 00:02:54.100
one is asking if they need zero trust, what zero trust is,

56
00:02:54.370 --> 00:02:57.790
they're asking us how can we go ahead and start a zero trust

57
00:02:57.790 --> 00:03:00.190
journey because they have seen the value. So right now,

58
00:03:00.190 --> 00:03:02.440
organizations are no longer wondering about the value.

59
00:03:02.500 --> 00:03:05.470
They're wondering about how to go around implementing and

60
00:03:05.470 --> 00:03:06.460
extracting the value.

61
00:03:08.280 --> 00:03:11.619
Anna Delaney: Where do you see zero trust initiatives often

62
00:03:11.693 --> 00:03:12.510
fail, Tope?

63
00:03:12.000 --> 00:03:15.810
Tope Olufon: It typically fails when organizations do it as a

64
00:03:15.810 --> 00:03:18.720
big bang approach. So there tends to be an all or nothing

65
00:03:18.720 --> 00:03:22.620
approach. And it doesn't really work like that. Zero trust is a

66
00:03:22.620 --> 00:03:26.220
journey. It's a transformative process. So I typically

67
00:03:26.220 --> 00:03:30.630
recommend organizations to start small, and build on it. But if

68
00:03:30.630 --> 00:03:34.140
you try to do zero trust as one big giant zero trust project, it

69
00:03:34.140 --> 00:03:37.920
tends to fail. But when it's tied to business initiatives and

70
00:03:37.920 --> 00:03:41.130
translatable to real business objectives, then you have a high

71
00:03:41.130 --> 00:03:42.060
chance of success.

72
00:03:43.110 --> 00:03:44.580
Anna Delaney: So you mentioned earlier that what they struggle

73
00:03:44.580 --> 00:03:47.640
with is how to start the journey. Where do you recommend

74
00:03:47.670 --> 00:03:50.610
starting the journey? And could you share some examples?

75
00:03:51.320 --> 00:03:53.120
Tope Olufon: It really depends on the maturity of an

76
00:03:53.120 --> 00:03:56.240
organization. First, I typically say organization starts with

77
00:03:56.240 --> 00:04:00.320
IAM, and that's identity and access management. So because a

78
00:04:00.320 --> 00:04:04.580
lot of the time it reviews other issues in the organization that

79
00:04:04.580 --> 00:04:07.940
you would want to fix. And zero trust, again, is about building

80
00:04:07.940 --> 00:04:11.180
an entire security. So zero trust is not for zero trust,

81
00:04:11.180 --> 00:04:15.320
it's the improved security. And IAM is a very good vehicle to

82
00:04:15.320 --> 00:04:16.040
introduce that.

83
00:04:17.790 --> 00:04:19.950
Anna Delaney: So the report mentioned some cultural and

84
00:04:19.950 --> 00:04:24.060
regulatory roadblocks that EU security leaders face. Can you

85
00:04:24.060 --> 00:04:25.320
expand on some of these?

86
00:04:25.930 --> 00:04:29.020
Tope Olufon: At the heart of zero trust, there's data and

87
00:04:29.350 --> 00:04:32.530
data sovereignty and data privacy is a very big topic in

88
00:04:32.530 --> 00:04:36.820
Europe. So in other regions, these roadblocks might not be so

89
00:04:36.820 --> 00:04:40.870
evident. But, for example, where the data to power zero trust is

90
00:04:40.870 --> 00:04:44.260
stored is a very significant question. And it's something

91
00:04:44.260 --> 00:04:48.010
security leaders need to answer to avoid roadblocks down the

92
00:04:48.010 --> 00:04:51.670
road. Also, from the cultural aspects, zero trust involves a

93
00:04:51.670 --> 00:04:55.540
lot of monitoring. And some organizations and cultures may

94
00:04:55.540 --> 00:04:58.300
not be very friendly toward that. So being able to

95
00:04:58.330 --> 00:05:01.660
articulate what you're using the data for, how it's processed and

96
00:05:01.660 --> 00:05:05.320
how you maintain employee privacy is very important in

97
00:05:05.770 --> 00:05:07.750
making effective zero trust.

98
00:05:09.029 --> 00:05:11.429
Anna Delaney: What do you see as critical components of a zero

99
00:05:11.429 --> 00:05:12.479
trust strategy?

100
00:05:13.800 --> 00:05:16.530
Tope Olufon: I'll typically say tied to business objectives.

101
00:05:16.530 --> 00:05:21.060
That's what tends to fail, and break it down, tried to improve

102
00:05:21.060 --> 00:05:25.320
the experience. I'm going to use the example of improved identity

103
00:05:25.320 --> 00:05:29.640
and access management. If you say IAM is good, yes, we know.

104
00:05:29.880 --> 00:05:33.090
But if you cannot tie it to business objectives, it tends to

105
00:05:33.300 --> 00:05:36.540
fail because security leaders think that it concerns to

106
00:05:36.540 --> 00:05:39.060
security people, when speaking to business people who

107
00:05:39.060 --> 00:05:42.600
understand business objectives, but saying IAM would improve

108
00:05:42.690 --> 00:05:45.150
better and faster customer onboarding, because you have

109
00:05:45.150 --> 00:05:48.930
used the modern authentication flow is a good way to position

110
00:05:48.930 --> 00:05:52.290
yourself. That way, it's no longer a security for security

111
00:05:52.290 --> 00:05:55.860
sake, it's security for aligning yourself with business

112
00:05:55.860 --> 00:05:56.640
objectives.

113
00:05:57.660 --> 00:05:59.670
Anna Delaney: What are the missteps you see organizations

114
00:05:59.670 --> 00:06:02.610
make when it comes to IAM implementation?

115
00:06:04.050 --> 00:06:06.870
Tope Olufon: Again, the whole big bang approach. Do a maturity

116
00:06:06.870 --> 00:06:11.280
assessment, figure out where you are, and then build on it. But

117
00:06:11.280 --> 00:06:14.610
if you're trying to leapfrog entire processes, say your

118
00:06:14.610 --> 00:06:19.200
organization doesn't even have a central authentication system.

119
00:06:19.740 --> 00:06:22.650
But then you're trying to jump to passwordless authentication,

120
00:06:22.770 --> 00:06:25.860
you have failed somewhere. It's possible, but I wouldn't

121
00:06:25.860 --> 00:06:29.580
recommend it. So be realistic with your outcomes and build on

122
00:06:29.580 --> 00:06:32.580
it. Again, you don't need, you don't always need perfect

123
00:06:32.580 --> 00:06:36.210
security. But start, do not let perfect be the enemy of good.

124
00:06:36.600 --> 00:06:40.230
Anna Delaney: Yeah. The title of your report talks about zero

125
00:06:40.230 --> 00:06:43.290
trust becoming mainstream. What trends do you foresee over the

126
00:06:43.290 --> 00:06:45.270
next year or so in this space?

127
00:06:45.930 --> 00:06:48.540
Tope Olufon: As organizations mature, it's going to stop

128
00:06:48.540 --> 00:06:51.270
shifting the question of how but how they can mature on the

129
00:06:51.270 --> 00:06:55.590
journey. Some organizations might say, already have a

130
00:06:55.590 --> 00:06:58.680
halfway toward zero trust, but didn't exactly know what it's

131
00:06:58.680 --> 00:07:01.740
called. So organizations are going to start looking and

132
00:07:01.740 --> 00:07:04.200
benchmarking themselves saying, "Okay, this is where we are,

133
00:07:04.200 --> 00:07:05.880
this is where we're trying to be." So they're going to be

134
00:07:05.880 --> 00:07:09.000
different maturity skills. And as organizations grow and

135
00:07:09.000 --> 00:07:12.330
mature, zero trust interoperability will become the

136
00:07:12.330 --> 00:07:13.260
next topic.

137
00:07:14.700 --> 00:07:17.790
Anna Delaney: Do you see similar movement within the vendor

138
00:07:17.790 --> 00:07:23.430
community? Have they matured as a community to respond to

139
00:07:23.490 --> 00:07:24.750
organizations' needs?

140
00:07:24.840 --> 00:07:28.440
Tope Olufon: Yes, a lot of vendors have very specific zero

141
00:07:28.440 --> 00:07:31.290
trust offerings. Of course, like with any technology, there's a

142
00:07:31.290 --> 00:07:34.620
lot of marketing balls, and people slapped the term zero

143
00:07:34.620 --> 00:07:38.520
trust on everything. But we're beginning to see vendors become

144
00:07:38.520 --> 00:07:42.450
more realistic and practical with their claims. Because as

145
00:07:42.450 --> 00:07:46.110
security leaders have a better understanding of what it is, it

146
00:07:46.110 --> 00:07:48.600
becomes very important for vendors to have products that

147
00:07:48.600 --> 00:07:51.960
meet specific needs, as opposed to just slapping zero trust on,

148
00:07:51.960 --> 00:07:53.670
well, everything, because of brand name.

149
00:07:54.210 --> 00:07:57.000
Anna Delaney: Finally, what practical steps can you offer to

150
00:07:57.030 --> 00:08:00.480
EU leaders to steer their organizations to zero trust

151
00:08:00.480 --> 00:08:01.290
security?

152
00:08:01.930 --> 00:08:03.970
Tope Olufon: As mentioned earlier, one of the biggest

153
00:08:03.970 --> 00:08:08.920
roadblocks we tend to see is that security leaders in Europe

154
00:08:08.950 --> 00:08:11.980
face the data collection constraints. So start with

155
00:08:11.980 --> 00:08:15.700
building a use case for your data. What are you collecting?

156
00:08:15.730 --> 00:08:18.580
How I collect it? Where am I going to use it? In the reports,

157
00:08:18.580 --> 00:08:21.700
we provide a sample use cases that are aligned with the MITRE

158
00:08:21.700 --> 00:08:25.450
framework on how to communicate your data collection needs.

159
00:08:25.780 --> 00:08:28.720
That's where you can allay everyone's fears, address their

160
00:08:28.720 --> 00:08:32.290
concerns. And basically let leadership know that you're not

161
00:08:32.290 --> 00:08:34.540
collecting the data for collection sake, the data will

162
00:08:34.540 --> 00:08:38.260
be processed carefully, the data be stored appropriately. And I'm

163
00:08:38.260 --> 00:08:41.770
going to be practical here. If a European organization, try to

164
00:08:41.770 --> 00:08:45.760
make sure your data stays in Europe. If you cannot, make sure

165
00:08:45.760 --> 00:08:48.370
you have appropriate controls for transferring it outside.

166
00:08:48.580 --> 00:08:51.520
Because data sovereignty is a very big topic and we expect it

167
00:08:51.520 --> 00:08:54.580
to get bigger. So you just need to be practical and realistic

168
00:08:54.580 --> 00:08:55.870
when addressing these concerns.

169
00:08:57.130 --> 00:08:59.080
Anna Delaney: Excellent. Well, Tope, this has been very helpful

170
00:08:59.080 --> 00:09:01.090
and informative. Thank you so much for your time.

171
00:09:01.330 --> 00:09:01.780
Tope Olufon: Thank you.

172
00:09:02.860 --> 00:09:05.530
Anna Delaney: I've been speaking with Tope Olufon of Forrester.

173
00:09:05.740 --> 00:09:07.630
For ISMG, I'm Anna Delaney.