Forrester’s security and risk analyst team has been advocating a Zero Trust information security framework for over a decade. With the latest executive order signed by the Joe Biden administration advocating a Zero Trust approach, companies doing business with the US government, as well as those who are looking for the gold standard when it comes to cybersecurity, will need to quickly get up to speed on the requirements.

Forrester’s Zero Trust Model for information security allows businesses to develop robust prevention, detection and incident-response capabilities. The executive order on improving the nation’s cybersecurity, which was signed by the US federal government in May, has validated the model. While the order represents big changes for the US government and its suppliers, Forrester believes other organisations should expect to feel repercussions as well.

Zero Trust is the way to go

Forrester believes security leaders are best placed to respond to the increasingly sophisticated attacks, addressed in the executive order, with a Zero Trust Model.

It describes this as “a fundamental transformation of corporate security from a failed perimeter-centric approach to one that is data centric”.

The company says not only will this approach protect organisations, but it will allow them to boost customer experience, implement new systems of engagement and develop a more competitive digital ecosystem.

In the executive overview of the Forrester Zero Trust Security Playbook, the firm further points out that today, your firm’s competitive differentiation relies on its ability to use digital technologies to win, serve and retain customers. A digital business has no perimeter; it lives everywhere your customers connect and everywhere employees and partners interact with your data and services.

As part of its Zero Trust Model, Forrester advises security teams to redesign networks into secure micro-perimeters. Other suggestions include the use of obfuscation to bolster data security; the minimising of risks associated with an abundance of user privileges; and to use analytics and automation to significantly improve detection and security responsiveness.

Forrester says that perimeter-based approaches to security earned security leaders the unfortunate reputation of “paranoid custodians”, where they perceived any access into the company perimeter — no matter the reason — as opening a door, or a connection with the entire organisational network.

However, in a Zero Trust network, where both data and apps are secured in enclaves, or micro-perimeters, security professionals can quickly and easily support new services by offering granular privileges and data protection that won’t restrict business and employee productivity.

With Zero Trust, security leaders can take a proactive role, helping CIOs and business leaders adopt digital technologies to create new sources of value for customers and increase the firm’s operational agility.

Software bill of materials

The executive order addresses other issues, too. In a blog post addressing the executive order, Forrester analysts point out that the US federal government’s procurement processes are “rigid, antiquated, and glacial”, explaining that the new executive order will attempt to address this. One of the major areas of impact is the software bill of materials.

Forrester notes that since 2018, there has been a concerted effort from the US department of commerce to drive transparency into the procurement process and to help organisations understand what’s in the software they build, buy and use. This is answered in the executive order, which includes a requirement that products provide a software bill of materials (SBOM).

Forrester explains this is comparable to the list of ingredients on food packaging.

SBOM allows organisations to easily see if the products they use and build contain any components with critical vulnerabilities. When researchers discover new vulnerabilities in open-source or other software components, security teams can quickly review SBOMs, determine which products have those components, and prioritise remediation.

Forrester says it expects software composition analysis, vulnerability management and third-party risk management vendors to integrate SBOM into their offerings going forward.

With the accelerating adoption of digital, the evolution of technology, and ongoing developments in software and applications, Forrester analysts expect their ambit to expand as enterprises and organisations look to them for guidance in executing their cybersecurity strategies and implementing the Zero Trust security model.

Forrester has been helping organisations meet the challenges of delivering deep insights into how people interact with technology, how their behaviours and expectations change, and how companies should respond. Our Technographics data, based on rolling, annual, global demand-side (not supplier-led) research surveys, provides a wealth of information on which business leaders can rely for dependable, forward-looking advice.

Chief information security officers looking for help to complete the transformation from an operational leader to a business leader can contact Joan Osterloh, Forrester’s authorised research partner for South Africa, for more information on how to adopt the Zero Trust Model in their organisation.