
Want to mitigate cyber risk? Start with zero trust visibility

 1 year ago
source link: https://venturebeat.com/security/want-to-mitigate-cyber-risk-start-with-zero-trust-visibility/
Sponsored



Presented by Zscaler


As a product of 1990s Australian culture, a distinct message has stuck with me: An advertisement from 1994 which stated simply, “you’ll never never know, if you never never go.” It refers to the vastness that is the Australian Outback, which is often called the Never Never—something so expansive and intimidating that one cannot comprehend it unless they explore it. And if they do, they tend to either change forever or never come back.

This vastness applies to cybersecurity and IT in general: the exponential growth of information has led to an exponential growth of risk (of getting compromised, of having data stolen, etc.). Fully grasping the scope of risk becomes increasingly difficult, given the sheer number of risk vectors. And as enterprises accumulate more systems, services and functions, the amplification of information from system outputs like logs and traces eventually leads to paralysis.

This can leave an organization unable to act on risk mitigation—waiting for an audit, regulation or (sadly) a breach merely to address the topic, much less solve it. All other things being equal, risk is generally proportional to complexity, meaning the “outback” of risk only gets worse the longer it is left unaddressed. (It’s no surprise that McKinsey projects the damage from cyberattacks will approach $10.5 trillion by 2025.)

Understanding risk across the great IT expanse

This idea of getting IT running and letting legacy risk lie, with the only real objective being to “keep the lights on,” has left large swaths of infrastructure and technology within the reach of bad actors. Merely keeping things running, without looking to new functions and opportunities, will provide a wealth of new avenues for cybercrime growth for a long time to come.

Often, long-forgotten services offer attackers the sweetest, juiciest attack paths—if you don’t know that an application, set of applications or other service exists, you’d better believe someone will find it. It’s a fundamental truth in the zero trust world that if you have a service running that you don’t know about, you should treat it as already compromised.

Navigating the Never Never with zero trust

Zero trust isn’t just a buzzword: it provides fine-grained insight into access along all points in an enterprise. An effective zero trust deployment not only delivers controls, but also enables visibility into exactly what is being controlled. The zero trust environment provides a trail map for the outback, whether you “lift and shift” or implement a new architecture altogether.

Zero trust states that nothing is allowed without first going through:

  1. Identification of the initiator, their context and where they are going
  2. Application of controls, which can include risk scoring, malicious content analysis, data protection, inspection and more, but at a minimum includes an authorization decision based on business need
  3. Enforcement of policy and connectivity via approved paths and conditions
  4. An audit trail for real-time correlation, post-event forensics and accountability

From there, an enterprise would know:

  • Initiator details (user, workload, thing, etc.)
  • Destination details (application, location, service, function, etc.)
  • The types of content being processed (intellectual property, malicious content, etc.)
  • Path information and metrics; success or failure and quality of access

Employing zero trust for granular control provides your enterprise with incredibly specific insight into where to “go.” Then, rather than cope with the aforementioned paralysis, you can leverage this knowledge in two distinct ways:

  1. The things you know: You can make some broad cuts into who or what has access. For instance, should the entire company have access to the financial system? Broad controls like this can quickly have a large impact.
  2. The things you don’t know: Here, leveraging the output of the zero trust service with an empowered business AI that acts based on your business requirements will help you make the most effective decisions for your enterprise.
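To make the two uses concrete, here is an added example (not from the article or from Zscaler) that reads a zero trust audit trail carrying the fields listed above and reports both kinds of finding: allowed access with no business need, and services that are missing from the inventory. The records, the inventory and the business-need policy are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample audit records (not from the article): one per access decision,
# with the fields the article lists: initiator, destination, content, outcome.
AUDIT = [
    {"user": "ana", "dept": "finance", "dest": "ledger.internal", "content": "financial", "allowed": True},
    {"user": "bo", "dept": "engineering", "dest": "ledger.internal", "content": "financial", "allowed": True},
    {"user": "cy", "dept": "engineering", "dest": "git.internal", "content": "source", "allowed": True},
    {"user": "di", "dept": "sales", "dest": "ledger.internal", "content": "financial", "allowed": False},
    {"user": "cy", "dept": "engineering", "dest": "old-wiki.internal", "content": "unknown", "allowed": True},
    {"user": "svc-backup", "dept": "workload", "dest": "ftp-2009.internal", "content": "unknown", "allowed": True},
]

# Hypothetical service inventory and business-need policy (assumptions for this example).
INVENTORY = {"ledger.internal", "git.internal"}
BUSINESS_NEED = {"ledger.internal": {"finance"}}

def unknown_services(records, inventory):
    """The things you don't know: destinations in the audit trail but not in the inventory."""
    seen = defaultdict(set)
    for r in records:
        if r["dest"] not in inventory:
            seen[r["dest"]].add(r["user"])
    return {dest: sorted(users) for dest, users in seen.items()}

def excess_access(records, business_need):
    """The things you know: allowed access to a scoped destination without a business need."""
    findings = defaultdict(set)
    for r in records:
        needed_by = business_need.get(r["dest"])
        if needed_by is not None and r["allowed"] and r["dept"] not in needed_by:
            findings[r["dest"]].add(r["dept"])
    return {dest: sorted(depts) for dest, depts in findings.items()}

if __name__ == "__main__":
    for dest, users in unknown_services(AUDIT, INVENTORY).items():
        print(f"uninventoried service {dest}: reached by {users}")
    for dest, depts in excess_access(AUDIT, BUSINESS_NEED).items():
        print(f"{dest}: allowed for departments without a business need: {depts}")
```

Each uninventoried destination is a candidate for the treatment described earlier: a running service nobody knew about, to be handled as already compromised until it is reviewed.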

Enterprise benefits of zero trust in the IT outback

A zero trust approach brings numerous benefits, including:

Reduced risk

Risk reduction is the biggest impact of comprehensive, contextual visibility into services. Visibility allows IT to put proper controls in place for exposed services, determine whether they are needed and whether they have the correct entitlements, and provide identity-based controls.

Financial optimizations

Strategic finance, purchasing and negotiation are powerful tools for any enterprise. However, most have recurring bills for redundant and overlapping components, hardware, software and services. Teasing apart this environment will highlight the redundancy and waste, not only saving money on deduplication, but also informing a more conscious, lean-forward negotiation and purchasing strategy.

Business optimizations

Complexity is costly. Simplifying processes reduces operational costs, waste (in the classic sense), power consumption, troubleshooting time for support issues, and points of failure in IT. Naturally, venturing into the risky Never Never will also let you address risk directly, enabling efficient risk reduction measures, lower insurance costs and the reduced likelihood and impact of cyber incidents.

Future-proofing and design

The world runs on data. Companies and services act based upon the information and analytics in front of them, so focusing on a data-first architecture—and removing extraneous legacy structures—will ensure future readiness and usability. Thus, understanding available data as well as how to present and optimize it, and then leveraging tools like large language models (LLMs) to drive informed decisions, will be the status quo. Critically, this requires not just information, but accurate information. We’ll look at this in depth in an upcoming post.

Competitive agility

Optimizations and enhancements, driven by data and data analytics, rely on accurate data. So, accurate insights into your enterprise ecosystem will help you take informed steps to stay competitive. Control of and insight into infrastructure mean faster adoption of new technologies, easier integration of third-party code and tools, faster iteration and deployment of first-party code, and more flexibility in IT and R&D. This frees up resources from technical and security debt and enables both security as a competitive advantage and investment in more of the in-market features and development that matter to end users and customers.

Environmental, social and governance (ESG) responsibility

Done correctly, IT efficiencies aren’t just niceties that reduce financial costs, but also directly correlate to a lighter carbon footprint, improving the literal environment we all call home and the living conditions of people all over the world. Identifying services and solutions that are no longer needed, or introducing optimization, is a core ESG responsibility in direct pursuit of achieving ESG goals.

You’ll never never know, if you never never go

Insight, content, visibility and—ultimately—knowledge set enterprises up for success in a modern world. Adding to, encouraging and even allowing the cyber risk Never Never is no longer acceptable. Whilst “going and knowing” may cause some palpitations, it is the responsibility of every organization to get out of its comfort zone and become informed, and ultimately decisive.

To see how Zscaler is helping its customers reduce business risk, improve user productivity and reduce cost and complexity, visit zscaler.com/platform/zero-trust-exchange.


Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact [email protected].



