There is too much BS marketing about Zero Trust. That's one of the only things people agree about when it comes to this topic. The exact amount of BS is hard to quantify, but we all know it when we see it.
It's easy to get jaded by an overabundance of marketing and throw out the baby with the bath water, so to speak. That's a shame. Obnoxious marketing sours people towards Zero Trust.
It's also easy to get lost in the translation between Zero Trust as a concept to practical implementation. This tweet summarizes the conundrum nicely:
For months, I've been on a mission to decode Zero Trust marketing. I wanted to know what it is and why we all should want it. That's a big undertaking. This article is the start of my attempt to do so.
My first objective was to cut through the BS to understand the idea of Zero Trust Architecture at a foundational level. Then, I built upon this understanding to start explaining what good and bad Zero Trust marketing means.
This exploration led me all over the place in the world of Zero Trust:
Stephen Paul Marsh's original Ph.D. thesis that underpins the idea of Zero Trust.
Forrester's groundbreaking research on Zero Trust Architecture, including analysts like John Kindervag, Chase Cunningham, David Holmes, and Jess Burn.
NIST Special Publication 800-207: Zero Trust Architecture — a foundational read for understanding what Zero Trust is and is not.
…and many, many more articles.
Appgate is one of the leading Zero Trust companies, consistently ranked among the leaders in the category by analysts like Forrester and Gartner. It's also a rising star as a first-year public cybersecurity company, recently reporting 38% year-over-year Annual Recurring Revenue (ARR) growth for the 2021 fiscal year.
Julie has been the CMO at Appgate since 2020. She helped the company grow into a public company by 2021. Julie has over two decades of experience as a technology and cybersecurity marketing leader.
As a person who has seen the exponential rise of Zero Trust since the very beginning, she has a unique and insightful point of view on where the movement is at today. There are very few people in the world with a better understanding of Zero Trust marketing.
This article includes significant portions of the wide-ranging discussion I had with Julie. It's intentionally heavy on quotes. When learning from someone as insightful as Julie, you want to hear exactly what she has to say without much intervention from me.
Specific topics we'll cover in this article include:
Why people get confused about Zero Trust
How to approach Zero Trust marketing
How to market Zero Trust products accurately
What the future holds for Zero Trust
The article has something for everyone — both marketers and InfoSec professionals. I'm excited to share this discussion with you.
Why People Get Confused About Zero Trust
Zero Trust is an incredibly confusing topic, partly because it breaks the paradigm we've become used to seeing as InfoSec professionals. Zero Trust isn't prescriptive — it's principled. Security frameworks and regulations are often prescriptive: "do X, Y, Z and you'll meet the requirements." Zero Trust principles provide guidance but leave a lot of room for interpretation.
There isn't one best way to do Zero Trust. The ambiguity creates confusion. Leaving room for interpretation is generally a good thing. However, it also allows people and companies to latch on to a broad set of ideas about Zero Trust and make connections that are questionable at best. It's a recipe for misconceptions and confusion.
As a Chief Marketing Officer, Julie has a lot of conversations with customers. In our discussion, she highlighted several areas of confusion she typically sees about Zero Trust and how to clear it up. That's what we'll cover in this section.
Zero Trust is a whole ecosystem of products, not one product.
We're used to seeing cybersecurity companies build products that solve a problem. Need Single Sign-On? Get Ping Identity. Endpoint Protection? CrowdStrike has got you. DDoS protection? Everyone uses Cloudflare!
This isn't the case at all with Zero Trust. The product-solves-a-problem paradigm breaks. Julie describes the misunderstanding like this:
Zero Trust is huge. People think, "I can buy one product and that's my Zero Trust." It's not. It's a whole ecosystem of products.
Do your due diligence and find out who can really deliver on the seven different pillars of Zero Trust.
Any company who says their product has everything needed to implement Zero Trust is lying. You need multiple technologies. I know you don't want more products or more vendors, but don't fall into this trap.
The advantage of flexibility within the Zero Trust framework is choice. You can select the technologies that fit your environment and strategy. Julie explained how in more detail:
There's some really good documentation out there now, especially by NIST, around implementing Zero Trust.
They don't tell you to go buy X, Y, or Z products — which they shouldn't. They say, "here are the things you need to do to get your organization architected to support a Zero Trust strategy." Then, they lay out a framework for the various pieces of the puzzle.
Find the things that fit the puzzle in your environment. The guidance doesn't force specific solutions on you, or any type of technology.
Choice can be confusing, but it's a good thing. Once you become comfortable with the strategy behind Zero Trust, you can implement the ideas in a way that works for you.
You don't have to rip and replace everything.
With a concept as new as Zero Trust, it's easy to assume you need to implement it from scratch and build a whole new network. It's a far out concept that seems like it would work for…those fancy new tech companies out in California.
Today is your lucky day. Julie is the bearer of good news for everyone worried about erasing their network and starting over:
The truth is, you should be able to modernize over time. You don't have to rip and replace everything or start from scratch.
Nobody could do that. And it wouldn't be effective if that was the plan.
There you have it. You, too, can implement Zero Trust — starting with the infrastructure you have right now. The rationale makes a lot of sense. Julie talks with lots of customers, so she was able to explain exactly why:
Think about how long organizations have been building their current security architecture. They've sunk so much cost into the technology they've already invested in.
You're not going to find anybody who is just going to blow it all up and go, "Oh, we're going to start from scratch and build Zero Trust" — unless you're a brand new organization and you have the luxury to do it.
You're going to have to go back and retrofit and tweak and insert and integrate new technologies to get yourself on the path to Zero Trust.
You can implement Zero Trust in bite sized chunks.
One of the big ideas behind implementing a Zero Trust Architecture is that it can be implemented in small, iterative pieces. Admittedly, this was my biggest misunderstanding about Zero Trust before looking into it deeper.
Julie explained the advice she typically gives to Appgate customers for approaching their Zero Trust implementations:
You can do it in bite sized chunks. You don't have to take on the mindset of, "we're going to modernize and move to a Zero Trust Architecture." That would be incredibly overwhelming.
Some companies may take years to get there. There's a misperception that you have to try to boil the ocean with it all at once.
The truth is, you can assess your risk and start with the projects that are going to make the biggest impact to help you reduce your risk — first, second, third, fourth, fifth, and roll it out over time.
John Kindervag, one of the pioneers of Zero Trust in his time at Forrester, talked about an incremental approach in some of his earliest talks about Zero Trust.
You will find the exact same advice in NIST Special Publication 800-207: Zero Trust Architecture — a go-to resource on implementing Zero Trust:
Organizations should seek to incrementally implement zero trust principles, process changes, and technology solutions that protect their data assets and business functions by use case. Most enterprise infrastructures will operate in a hybrid zero trust/perimeter-based mode while continuing to invest in IT modernization initiatives and improve organization business processes.
This is comforting advice for anyone feeling uneasy about the size, scope, and magnitude of implementing Zero Trust. It's common to get stuck in analysis paralysis because of misconceptions about a "big bang" implementation approach.
Julie sees this problem all the time. She offered an alternative solution that makes implementing Zero Trust feel a lot more manageable:
What keeps people from moving forward with Zero Trust is analysis paralysis. If you try to solve for it all at once, it will be completely overwhelming.
If you focus on solving a specific gap, then map a solution to it, and start chipping away at it from there, it becomes more manageable. It seems like less of a mountain to climb. Just get started. Start somewhere. Start with the most common thing.
The most common thing people start with is replacing or augmenting their VPNs. VPNs are usually the weakest link for any organization. This certainly blew up during COVID because of all the remote work. VPNs weren't built to handle the situation that happened.
Find your first use case, find your first thing that you can do to get started on the journey. But get started — don't get left behind. Get started.
The iterative approach to implementing Zero Trust that Julie and others suggest is interesting. It reminds me of Agile in software development. People wouldn't normally apply this paradigm to networking. We don't typically think about implementing a network iteratively — iteration is for software, or so our antiquated thinking goes.
Building a Zero Trust Architecture iteratively is a barrier to overcome because approaching infrastructure in an iterative way feels unfamiliar. However, it's a huge opportunity to quickly demonstrate progress for Zero Trust initiatives.
Articulating the business value of Zero Trust requires a different approach.
Oh, right …funding. Implementing Zero Trust at your company is not a science experiment. You need funding. In Julie's experience, building a business case for Zero Trust is trickier than it sounds:
A lot of security practitioners don't know how to articulate the value of Zero Trust internally, so they have a hard time getting budget for it.
There's not a line item budget for Zero Trust. People understand what a firewall is and what it does. So, it's probably less education on your part to explain that. Something like Zero Trust takes a different approach.
Companies benefit from Zero Trust in two ways. First and foremost is your security. But also, if you implement Zero Trust properly, there are operational and cost savings over time. You are getting rid of outdated things or automating things that used to be manual.
Challenges in building a business case for Zero Trust are sneaky. They're caused by other people's limited understanding about Zero Trust. It's hard enough to understand the value of Zero Trust on your own. And guess what? Once you do, you then have to explain the value to the people who are going to be funding your projects. Double whammy.
This situation is a second order effect of sunk costs. Unless a company is brand new, it already has a network in place. People in charge of budgets will rightfully ask, "why don't we just upgrade our network?" or "do we need to upgrade our network?"
Security doesn't have many comparable instances where teams are implementing completely new strategies or paradigms. Typically, we're replacing and cycling through existing models, or we're implementing technologies that are clearly solving one narrow problem. Zero Trust is a broad strategy that involves multiple technologies.
Knowing how to articulate the business value of a completely new concept like Zero Trust takes some work. It's worthwhile once the case has been made and funding is secured.
How to Approach Zero Trust Marketing
As a marketing leader, one of the most difficult yet important parts of a Zero Trust marketing strategy is how to approach your company's messaging. Ultimately, the approach is a strategic choice that drives tactical decisions and actions.
The consequences of this strategic choice are the difference between good and bad Zero Trust marketing. Julie pointed out how the term can start to lose its meaning if it's is used without intent:
Everybody throws the term around, and like any term, it kind of starts to become more of a buzzword. It sounds like it's a marketing philosophy as opposed to an actual thing.
That's not what we want for Zero Trust. It's still an emerging trend. We're not in a winner-take-all situation yet — there's still a long way to go before Zero Trust is well understood and widely implemented.
Everyone is going to be better off if we can educate each other about how Zero Trust is supposed to work and monitor bad marketing and sales behavior when it happens.
In this section, we're going to talk about how marketers can approach their Zero Trust strategy and create messaging they can be proud of.
Talk about what Zero Trust is before talking about how your company fits into the equation.
Early on, Appgate took a specific, education-first approach towards its marketing strategy:
One thing that we decided from the beginning, and I think we've consistently done is to educate people about what Zero Trust is, and why should you care?
Our strategy has been to really talk straight about what Zero Trust is before we ever tell you how we fit into the equation.
Spending time educating people about the topic of Zero Trust might seem like a waste of time, but education is an essential part of building awareness and understanding. If the InfoSec professionals who are making purchasing decisions and implementing products don't understand the foundational concepts of Zero Trust, it's a recipe for failure.
Julie believes it's important for potential customers to understand the strategy behind Zero Trust before making any decisions about technology:
We want people to understand what it is, why it's important to modernize their security strategy using Zero Trust, and then figure out, how do I get started, and what are the technology pieces of the puzzle?
They have to understand and embrace the strategy first, and a lot of our work has been around educating about the strategy.
Companies can (and do, far too often) lead with their product when talking to potential customers about Zero Trust. This approach can work, but it runs the risk of falling apart at implementation if the product doesn't fit into a well thought out Zero Trust strategy for the company implementing it.
Leading with education is a collaborative approach. Educating — or better yet — co-developing a Zero Trust strategy with potential customers significantly increases the chances a product will successfully fit into a coherent and thoughtful architecture and implementation plan.
Be a straightforward advocate of Zero Trust.
There's a difference between using the hype of Zero Trust to sell your product versus a genuine advocacy of Zero Trust strategy. Attaching your marketing to a trend without having conviction about the trend doesn't feel right. And customers can tell.
Julie suggested a far better approach when I asked her what she's most proud of in Appgate's marketing:
I really am most proud about the fact that we have taken a thought leadership approach to our advocacy of the strategy of Zero Trust.
Our goal at the end of the day is to help organizations be more secure. If you can help educate them towards that, it's a win for everybody.
If you believe in the idea of Zero Trust, advocate for it. That's how you build conviction about the problem you're solving and how your company and product fit into the solution. When you have conviction and your messaging reflects your beliefs, you've built a Zero Trust marketing strategy you can be proud of.
Education and advocacy do come with some (worthwhile) risks. Julie explained the tradeoff this way:
Obviously, we want you to become an Appgate customer. But if you're a better educated security consumer, that's a win, because at the end of the day, your company is going to be more secure. So, we try to just be a straightforward advocate for Zero Trust.
I totally agree with this mindset. The risk with advocacy is that you could be the company who educates a potential customer, and then they end up buying another product. Helping to educate someone about how to make their company more secure is somewhat of a consolation prize — especially when you've got sales targets to meet.
However, people remember who their teachers are. Even if they decide to make a different purchasing decision, the education sticks with them. If you're playing the long game (as Julie does), education and advocacy put your company in a position to have another opportunity in the future when people move into new roles or refresh their technology. You're not going to win every deal, so give yourself an opportunity to win the next one.
How to Market Zero Trust Products Accurately
There has been spirited discussion recently about cybersecurity firms "hijacking" the term Zero Trust. This line of thinking goes as far as saying the term Zero Trust has essentially become meaningless because it's so overused.
Discussions like this catch a lot of attention because they portray an absolute point of view. There is definitely some truth to Zero Trust being misrepresented and used inaccurately — but like most topics, the nuances matter.
In this section, we'll explore the problems of misuse and discuss some suggestions for marketing Zero Trust products accurately.
Throwing the baby out with the bathwater isn't a helpful suggestion.
First, let's address the hot topic: has Zero Trust lost its meaning? As an InfoSec professional, it can definitely be frustrating and disheartening to see a term be overused. Many of us don't like mainstream hype. Daniel Miessler described this well in his article about InfoSec’s Reaction to Crypto, NFTs, and Web3:
…they’re also anti-establishment and anti-hype. Or at least, mainstream hype. Kind of like people who only like underground bands until they get popular. While it’s underground they’ll hype it all day, but once too many people like it they go find something else.
The advice Daniel's article gives about Crypto, NFTs, and Web3 translates almost verbatim to Zero Trust, too. In summary, his message is that we should be curious and experiment with new things, even if there is unhealthy hype.
Julie's suggestion is to take a step back from the negativity and separate the hype from the actual strategy and framework:
The throwing the baby out with the bathwater approach, to go, "oh well, Zero Trust is a big buzzword now, people shouldn't buy into the hype," that is not a helpful suggestion.
The strategy and the framework are very sound. Start vetting technologies that will best fit into how you're building out your Zero Trust infrastructure.
It really deserves to be looked at and evaluated. Then figure out how you can adopt it in your environment.
She's absolutely right. Far too often, we see ideas and companies that become "trendy" get dismissed because of their newfound popularity. Forrester Senior Research Analyst David Holmes agrees. From a recent blog post about defining Zero Trust:
There is a journey from poor information security toward better information security and that progress along that spectrum is more valuable than the personal satisfaction some take in just decrying Zero Trust as marketing.
Both ends of this spectrum are perilous. If you blindly buy into the marketing hype without understanding the foundational Zero Trust principles, you're bound to make mistakes. On the other end of the spectrum, outright dismissal of Zero Trust because of the marketing hype means you're missing out on a great approach for securing your environment.
A more strategic approach is somewhere in the middle. Take the time to understand the strategy and framework, then use your understanding to carefully build a strategy and select technologies that work for your company. That's harder to do than simply decrying Zero Trust as marketing, but it's worthwhile.
Be honest about which piece of the Zero Trust equation you solve for.
A significant driver of the sentiment InfoSec professionals feel towards Zero Trust is how accurately companies align their marketing and products to the definition of the term. The level of technical accuracy matters a lot.
I see it as a spectrum of full "by the book" accuracy to egregious exaggerations about what a product can do. Julie described the situation like this:
Our belief is that if your technology firmly fits within one of the technology pillars within Zero Trust, and you actually deliver on what those definitions are, then you're part of the Zero Trust ecosystem. But your technology has to align; you can't just be adjacent.
Representing how your product accurately fits into the ecosystem is the way to approach your marketing. Any egregious claims along the lines of "our product solves Zero Trust completely" are going to get called out by the community.
So, how do you accurately market your product? The answer lies within the definition of Zero Trust principles:
Read the definitions, either Forrester, NIST, or CISA, about what these pillars of technology are, and what you're supposed to do to contribute to Zero Trust principles. You can map a product against them.
Those are straightforward questions you can ask a company: does your product do X, Y, and Z? Pull it straight out of the definitions. It either does or it doesn't. It's pretty cut and dry. Misusing the term and misrepresenting your product is not doing anybody any good.
At Appgate, Julie's marketing philosophy (and a new public campaign!) is "Zero BS" — a straightforward and accurate approach to the company's messaging:
Zero BS. Let's get rid of the hype. Get down to the basics of what it does, how it fits into the Zero Trust framework, and how it will deliver on the benefits of Zero Trust. Just be straight about it. There's just absolutely no reason not to.
One of the important takeaways from Julie's advice is that Zero Trust has its own ecosystem. If companies want to add value and be recognized as part of the ecosystem, they need to play by the rules. As people become more educated about Zero Trust, any "BS" is going to get detected quickly.
Zero Trust is too serious of a topic to not be accurate about it.
Exaggerated marketing in a topic like Zero Trust — and cybersecurity in general — has consequences. The stakes are higher. Julie put this into perspective:
Be honest about what your product actually can do and what value it will deliver. Zero Trust is too serious of a topic to not be accurate about it. You're not just talking about a new pair of sneakers and whether they fit right. You're talking about protecting people's most valued information assets.
Protecting people's most valued information assets is a heavy responsibility that needs to be taken seriously. There's no room for BS. Not in a topic like this.
There are significant downside risks with the current Zero Trust hype cycle. If Zero Trust does become the metaphorical baby that the industry throws out with the bathwater, we're wasting a pretty good idea. Nobody wants to see that happen, but it's a real possibility.
However, Julie believes companies who do build great products and play by the rules will likely find adoption:
If you do truly have a Zero Trust solution, and it's a good one, there's going to be a fit for it somewhere. So be as accurate as you possibly can in representing, here's what it is, here's what it does, and here's how it benefits you and delivers on the principles of Zero Trust.
That's the upside of the current Zero Trust hype cycle: all boats rise with the tide, so to speak. If we stay focused on the benefits and work within the framework, Zero Trust product companies and customers will both benefit.
The more conversation about Zero Trust, the better.
For emerging trends like Zero Trust, it takes an exhaustive amount of conversation and education to bring the entire industry up to speed. That's why Julie says the amount of conversation around Zero Trust is a positive thing:
The more conversation about Zero Trust, the better, so that people understand it. If you're an enterprise and you are looking to modernize your security strategy, you need to look at Zero Trust.
This insight is prophetic — the type of long-term view that only an experienced marketing leader would think of.
Yes, it's frustrating and confusing that people are talking about Zero Trust so much today. However, if you take the long-term view that conversations today lead to better understanding and adoption tomorrow, any annoyances caused by the current hype start to feel worthwhile.
What the Future Holds for Zero Trust
With a mega-trend like Zero Trust, it's important to understand and think carefully about how it could evolve and grow in the future. Trends like this impact industries, companies, and careers in profound ways.
We'll finish this article by exploring why Zero Trust is likely to stick around and what could happen when it gains mainstream adoption.
Even if the hype cycle for Zero Trust fades, the underlying strategy is sound.
A common reaction skeptics have about Zero Trust is that it's a fad. As this line of thinking goes, people get over fads quickly, and Zero Trust will go away once the current hype cycle fades.
I have long been suspicious of this prediction because it seems oversimplified. Sure, Zero Trust has a lot of hype — but it also has a lot of substance. That's often the difference between fads and enduring success.
I knew Julie would be a great person to ask about this. Her thoughts were on point:
In early 2010, or just prior, everybody was ad nauseam using "cloud" to where it became a buzzword. Now, it is commonplace, a highly understood technology, and everybody uses it.
I feel like Zero Trust is a little bit on that trajectory. Even if the term itself was to get altered or replaced in some way, the strategy behind it is sound and proven. Companies that can deliver effective solutions that map to it will be in a solid position.
What you should take away is the strategy behind Zero Trust will stick around, even if the marketing used to describe it changes. That means you should take a long-term view about how Zero Trust is going to impact both your company and your career.
Zero Trust could be on a trajectory similar to cloud computing.
If we accept that Zero Trust is going to be around long term, what does that mean for the future? Julie thinks we're headed towards a tipping point of widespread understanding and adoption:
I think about when I realized cloud had reached the tipping point of becoming commonplace. Your grandmother at home is seeing commercials about the cloud! It became so widespread.
Even if you don't understand all about it from a technical perspective, you understand at some level. You don't have to understand the nitty gritty to get the gist of it.
I think Zero Trust is following a little bit along that track. It started out as truly a conversation amongst practitioners and technologists. Now, it's getting talked about pretty broadly.
The cloud analogy is a really interesting parallel to the excitement we're seeing around Zero Trust today. The potential for a similar trajectory is obvious: everybody talked about cloud, and then it became commonplace. Today, when we're talking about infrastructure, cloud is essentially the default assumption. You don't even need to say your infrastructure is running on a cloud provider — it's understood.
This could also be the story of Zero Trust. We're all talking about Zero Trust now. Despite the attention, it's important to remember that we're still on the leading edge of the adoption curve. And exponential growth happens fast once it gets going. In the near future, Zero Trust very likely will be the way infrastructure and security at every company gets built.
Thank you to Julie Preiss and Janice Clayton at Appgate for sharing their time and expertise to make this article possible.
Thanks for reading! How did you like this article?
*** This is a Security Bloggers Network syndicated blog from Strategy of Security authored by Cole Grolmus. Read the original post at: https://strategyofsecurity.com/decoding-zero-trust-marketing/