{"id":108590,"date":"2020-04-01T13:00:30","date_gmt":"2020-04-01T20:00:30","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=108590"},"modified":"2020-08-03T07:16:39","modified_gmt":"2020-08-03T14:16:39","slug":"network-zero-trust-learning-curve","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2020\/04\/network-zero-trust-learning-curve\/","title":{"rendered":"The Zero Trust Learning Curve: Deploying Zero Trust One Step at a Time"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-108591 alignleft lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/03\/4444-steps.jpg\" alt=\"The Fl\u00f8rli stairs in Lysefjorden, Norway, feature 4,444 wooden steps. John Kindervag took this photograph on a trip near where his grandfather spent his childhood, and uses the steps as an image to illustrate his concept of the Zero Trust learning curve. \" width=\"308\" height=\"410\" \/><\/p>\n<p><span style=\"font-weight: 400;\">I recently visited the Fl\u00f8rli stairs in Lysefjorden, Norway, near where my grandfather spent his childhood, and looked up at 4,444 wooden steps stretching toward the top of a plateau through a steep, tree-covered hillside. It\u2019s an old maintenance stairway used by workers at the turn of the century who were building a hydroelectric plant. The workers who climbed those stairs ascended from sea level to a height of 2,428 feet, often with 50-kilogram bags of concrete on their backs. It\u2019s hard to imagine how they managed the task, but as I thought about what it takes to tackle such a thing daily, I realized it reflects a lesson that applies to those of us working to improve cybersecurity, particularly through deploying Zero Trust architectures. Just like climbing the Fl\u00f8rli stairs, reaching the top of the Zero Trust learning curve is accomplished one step at a time. 
<\/span><\/p>\n<p><span style=\"font-weight: 400;\">When I first started talking about Zero Trust, many people didn\u2019t understand what it is or why they should deploy it. The principles of Zero Trust didn\u2019t match what they were familiar with, and it took time to convince people that we needed to practice cybersecurity in a new way, since the way we\u2019d approached cybersecurity before wasn\u2019t working.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Now that more people understand <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/what-is-a-zero-trust-architecture\"><span style=\"font-weight: 400;\">what Zero Trust is about<\/span><\/a><span style=\"font-weight: 400;\">, I\u2019m more likely to hear the objection that deploying it sounds overwhelming and people aren\u2019t sure where to start. The thing I fight against now is doing nothing. It\u2019s easier to keep things the way they are, easier not to start climbing those wooden stairs.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I\u2019ll be honest. When I went to Lysefjorden, I went up 10 steps and said, \u201cOkay, I\u2019m done with this.\u201d I didn\u2019t need to reach the top to check that off my bucket list, so I didn\u2019t keep going. The problem is that, for the workers who had to climb those stairs, reaching the top wasn\u2019t about a bucket list. It was about doing the job they needed to do with the buckets they were carrying.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In cybersecurity, in a threat environment that\u2019s constantly escalating, we can\u2019t settle for keeping things the way they are. Organizations have to find a way to reach the top of those stairs.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><b>We Need to Change How We Approach Deploying Zero Trust<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">I have worked in Zero Trust environments for well over a decade. 
I used to think that we should start deploying Zero Trust with the most sensitive data an organization needs to protect because those things are the most important. Experience now tells me that thinking was wrong, and we need to change it.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Deploying Zero Trust environments is based upon the concept of <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2018\/09\/define-protect-surface-massively-reduce-attack-surface\/\"><span style=\"font-weight: 400;\">protect surfaces<\/span><\/a><span style=\"font-weight: 400;\">, which shrink the attack surface down to the smallest thing you actually need to defend. A protect surface contains a single <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/resources\/zero-trust#page6\"><span style=\"font-weight: 400;\">DAAS element<\/span><\/a><span style=\"font-weight: 400;\"> (Data, Assets, Applications and Services), and protect surfaces vary in how sensitive or critical they are.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The trouble with starting with the most sensitive protect surfaces is that they\u2019re often too fragile and many people don\u2019t know how they work. Starting there with Zero Trust frequently results in failures. Too often, when this happens, organizations blame these failures on Zero Trust. 
In fact, the problem is that no one in the organization has experience building Zero Trust environments.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To gain that experience, you have to follow the Zero Trust learning curve.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><b>Following the Zero Trust Learning Curve<\/b><\/h5>\n<p><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-108604 alignright lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/03\/Zero-Trust-Learning-Curve.png\" alt=\"The Zero Trust Learning Curve is illustrated here, showing the sensitivity or criticality of a protect surface on one axis and the time on the Zero Trust journey on the other. \" width=\"570\" height=\"318\" \/><\/p>\n<p><span style=\"font-weight: 400;\">To start out deploying Zero Trust environments, an organization should consider two axes. The first is the sensitivity or criticality of the protect surface, and the second is the time you\u2019re spending on the Zero Trust journey. Ideally, that second axis will stretch out for as long as your organization exists.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The first protect surfaces to work on are what I call learning protect surfaces. You need to start with a low sensitivity environment because you have to give people the ability to fail without retribution. Lab and testing environments are ideal for learning, but pretty much anything can work if it\u2019s low criticality. You could even practice on the web page that has the specials for this week in the cafeteria.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Once you\u2019re comfortable with the basic concepts of Zero Trust environments, you can move on to the practice protect surfaces. These are a little more sensitive, a little more critical, but they\u2019re not the \u201ccrown jewels\u201d of your organization. 
Remember you get to Zero Trust the same way you get to Carnegie Hall: \u201cPractice, practice, practice.\u201d\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This way, before you touch the most sensitive protect surfaces in your environment, you\u2019ve practiced and gained confidence in the mindset of Zero Trust. This is the peak of the Zero Trust learning curve.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Once you\u2019ve protected your high-value assets, it\u2019s smooth sailing going forward. From there, you can focus on less important assets, the secondary and tertiary protect surfaces. Eventually, you\u2019ll end up in a place where you don\u2019t have anything left that\u2019s important enough to go into a Zero Trust environment.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><b>The Zero Trust Journey Lasts a Lifetime<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">Zero Trust is a strategy that\u2019s decoupled from technology. While technologies may adapt and change and you may need to update your environments as they do, the conceptual and strategic parts of Zero Trust won\u2019t ever change. Once you follow the Zero Trust learning curve, you\u2019ll be in a good position to continue protecting your organization using this mindset for as long as your organization exists.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">No matter how daunting deploying Zero Trust may seem at first, my experience tells me that taking the right approach to the Zero Trust learning curve gets most organizations up to speed very quickly. One client told me, \u201cWe spent more time arguing about Zero Trust than we did deploying the first Zero Trust environment.\u201d\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Don\u2019t be one of the organizations that never start the journey because they don\u2019t figure out how to take the first step. 
Besides, when I think of what we do in cybersecurity and IT, it\u2019s a lot easier than carrying 50-kilogram bags of concrete on your back, 4,444 steps, up to the top of a mountain.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For more information about how to deploy Zero Trust networks, download the whitepaper, \u201c<\/span><a href=\"https:\/\/start.paloaltonetworks.com\/5-steps-to-zero-trust.html\"><span style=\"font-weight: 400;\">5 Steps to Zero Trust<\/span><\/a><span style=\"font-weight: 400;\">.\u201d<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Understanding the Zero Trust learning curve will help your organization protect sensitive information by deploying Zero Trust safely and efficiently.<\/p>\n","protected":false},"author":391,"featured_media":108823,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6765],"tags":[4779,73],"coauthors":[4243],"class_list":["post-108590","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-enterprise","tag-thought-bubble-with-john-kindervag","tag-zero-trust","net_sec_category-zero-trust-security"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/04\/Zerotrust_350x300.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/108590","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/391"}],"replies":[{"embeddable":true,"href":"https:\/\/origin
-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=108590"}],"version-history":[{"count":2,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/108590\/revisions"}],"predecessor-version":[{"id":108618,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/108590\/revisions\/108618"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/108823"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=108590"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=108590"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=108590"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=108590"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}