
Tenable Blog


How to Talk to the Board About Zero Trust

Framing zero trust as a cybersecurity strategy for reducing business risk is a surefire way to get your executive leadership to take notice.

It's no secret that CISOs and other cybersecurity leaders struggle to communicate with executive management and boards of directors in a language they can understand. Business leaders naturally want to discuss cybersecurity in business terms. For many infosec leaders, learning how to "speak business" is akin to learning a second language; they're much more comfortable talking in tactical and technical terms. 

But there's more to the story. In my experience, board members and C-level business executives oftentimes allow ego to circumvent common sense. They've risen to their current lofty positions thanks to their unique blend of knowledge, talent and ambition. They're driven to be seen as the smartest person in the room at all times. And some think rules don't apply to them. So, what happens when a cybersecurity leader walks into a board meeting spouting technical jargon unfamiliar to these captains of industry and dares to suggest that their own behavior might be part of the problem? It solidifies a longstanding bias among executive leaders toward viewing cybersecurity as an inhibitor to the business. 

What if you could, instead, frame the discussion as a grand strategy articulated in one simple goal: stop data breaches? Such framing would enable you to engage business leaders on a strategic level using plain language they can easily understand. Frankly speaking, a data breach is the only IT event that can get a CEO or company president fired. And a data breach is the only cybersecurity event that is non-recoverable: you can never get the data back, and you can't turn back the clock so that it's as if the breach never happened.

A cybersecurity leader who can articulate a practical plan to stop data breaches will get the time and attention of the board.

The principles of zero trust architecture allow you to do just that. It's a new way of thinking about information security that treats trust as a vulnerability. The model was designed to resonate with the highest levels of the organization without necessarily requiring them to make a significant investment in new tools. And, it levels the playing field, immediately derailing any execs who see themselves as "trustier than thou." A cybersecurity strategy that removes trust entirely from digital systems is, in fact, a great equalizer, one that any proponent of "flat" corporate hierarchies ought to be more than happy to embrace.

Zero trust is built upon the idea that security must be ubiquitous throughout the infrastructure rather than concentrated at the perimeter. The concepts of zero trust are simple:

  • All resources are accessed in a secure manner, regardless of location.

  • Access control is on a "need-to-know" basis and is strictly enforced.

  • All traffic is inspected and logged.

  • The network is designed from the inside out.

  • The network is designed to verify everything and never trust.


While the zero trust model represents a significant divergence from the legacy, moat-and-castle approach to network security, it can be implemented by practitioners using commercial off-the-shelf technology. And it's built upon current cyber best practices and sound cyber hygiene, such as vulnerability management, proactive patching and continuous monitoring, already implemented in most organizations today.  

Boards of directors have a major role to play in shaping the future of cybersecurity strategy. Just as the recent Executive Order issued by the Biden Administration (Executive Order 14028, May 2021) made zero trust a strategic imperative for the U.S., so, too, can boards wield their considerable power to elevate cybersecurity as a strategic business priority. Here are seven ways to start:

  • Stop seeing cybersecurity as an inhibitor of business. Having your business systems frozen in a ransomware attack is an inhibitor of business. Cybersecurity must be seen as an enabler of the business if we have any hope of reducing risk.

  • Change the incentive structure. Reward everyone for doing the right thing.

  • Give your cybersecurity experts the same amount of time to present as you give to your executive compensation committee.

  • Create a culture of transparency and drop the blame game. The environment you have was most likely created long before these threats existed. Current employees are dealing with years of decisions made by predecessors over which they had no control; the system has grown organically. Instead of looking to place blame when bad things happen, reward those who are trying to fix the problems before bad things occur.

  • Incentivize and reward those who are earnestly trying to fix the problems. And give them the time and support they need to do so.

  • Demand that all CISOs report to the CEO, not to the CIO. This gives executive leadership an unvarnished view of the organization's cyber risk.

  • Consider increasing the budgets for cybersecurity. If only 5% to 10% of your technology budget is going to cybersecurity, you're probably not doing enough.


Addressing today's cybersecurity challenges requires changing the ways we think about the problem at all levels of the organization. It requires as much commitment on the part of boards of directors and C-suite executives as it does from the rank-and-file admins who work tirelessly and against significant headwinds to protect sensitive data and reduce risk.

John Kindervag, senior vice president of ON2IT, is a guest contributor to the Tenable blog.
