In this Help Net Security interview, Jenn Markey, Advisor to The Entrust Cybersecurity Institute, discusses the increasing adoption of enterprise-wide zero trust strategies in response to evolving cyber threats.
Markey discusses the impact of emerging threats like AI-generated deepfakes and synthetic identity fraud, as well as the challenges Western organizations face in implementing zero-trust frameworks.
Two-thirds of organizations featured in the 2024 State of Zero Trust & Encryption study cited cyber-risk concerns as the main drivers for implementing a zero-trust strategy. How do threats like AI-generated deepfakes and synthetic identity fraud influence this trend?
While our threat landscape continues to intensify in general, AI-generated deepfakes and synthetic identity fraud are adding fuel to the fire. AI-powered attacks simultaneously increase the scale of personalized attacks and reduce the skill level required. Less sophisticated or easy fraud used to account for ~80% of attacks. However, in the last 6 months alone easy fraud has declined to just over 60% of the total with that trend expected to continue.
Improvements in deepfake software make it easy for anyone to create hyper-realistic digital content, including images, audio, and video. Fraudsters are getting so good that they have started to use deepfakes to try and circumvent biometric verification and identification. Generative AI tools also offer a way for fraudsters to generate synthetic identities at scale using AI bots to scrape personal information from social media and other online services. Then there is the emergence of “fraud as a service,” where a highly skilled fraudster offers their services to others.
There is a striking disparity in zero trust adoption rates, with U.S. organizations lagging. This raises the question, why do you think Western entities struggle more with implementing zero-trust frameworks?
I think the intensifying threat landscape, with nation-state attackers particularly focused on Western targets, has forced many cyber teams in these countries to be hyper-reactive, often at the expense of longer-term and more strategic pursuits like zero trust implementation.
As well, I think many Western entities have a more complex and rigid technology infrastructure thanks to a large installed legacy base now operating in some hybrid fashion with a proliferation of certificates often managed by different siloed teams including IT, security, and infrastructure. And this makes it more challenging to pursue an enterprise-wide zero trust strategy.
I also question if senior leaders within some western organizations are paying lip service to the need to adopt an enterprise-wide zero trust strategy. Zero trust is an existential concept somewhat akin to post-quantum (PQ) – everyone knows they need to prepare, just not necessarily today. In our post-Covid world, there are often too many competing priorities in the C-suite coupled with a fragile economic climate that tends to inhibit large-scale investments that do not ensure a significant and near-term financial payback.
Despite increasing senior leadership support for zero trust, many organizations face challenges due to lacking skills and budget. How can companies address these gaps to implement zero-trust strategies?
Again, this calls into question whether senior leadership is paying lip service to CISOs to implement an enterprise-wide zero trust strategy. Afterall, a lack of in-house expertise and adequate budget are both largely within an organization’s control through funding for resources, tools, and training.
So, if a gap exists at the top, help your senior leadership and board make the critical linkage between zero trust and strong corporate governance. An ever-intensifying threat landscape means senior leadership teams and boards have a duty of care to make the right investments and provide the strategic guidance and oversight to help keep the organization and its stakeholders safe. As further motivation to make this strategic link to zero trust, federal agencies are continuing efforts to hasten breach disclosures and hold executives liable for security and data privacy incidents.
Beyond that, it is about sourcing and retaining top tech talent which speaks to the need to build and maintain an inclusive company culture with continuous training and development opportunities for technical teams. Ensuring security teams are inclusive of neurodiverse talent, for example, is important for encouraging the diverse ways of thinking needed to spot and curtail novel AI-powered attack strategies.
What advice would you offer CISOs currently facing challenges in implementing zero-trust frameworks and improving their organization’s cybersecurity posture?
At the outset of the zero trust journey, it can all seem a little daunting – where to start, what to prioritize, which vendor solutions to select, and so on. Identities are usually the largest risk area for an organization, followed by devices, so start there.
Then there is the zero trust encryption paradox. PKI and cryptography are critical components of a zero trust strategy, yet the associated proliferation of certificates may inadvertently add cyber risk. To resolve this paradox, critical early steps on any organization’s zero trust journey are to identify and inventory all cryptographic assets, followed by establishing clear ownership.
Also, CISA’s Zero Trust Maturity Model 2.0 and the recently released NIST Cybersecurity Framework 2.0 both provide useful guidance to navigate an organization’s zero trust journey.
Looking ahead, what trends do you foresee in adopting and evolving zero-trust strategies? How might the landscape of cybersecurity change in the next few years?
With Gen AI advancements we are heading into to a new era of fraud and cyberattacks requiring the cyber defenses of tomorrow to be AI-powered to combat both the scale and speed of attacks.
I also expect to see continued diversity in the type of targets. The explosive growth of ransomware over the past few years highlighted that literally any organization can become a high value target from water treatment to ride sharing to hotels and beyond. And this means that organizations of all shapes and sizes need to get serious about zero trust.
Finally, identity – user and machine – is the lynchpin of zero trust. So, getting digital identity right is critical to global security, stability, and prosperity. Currently, there are very different approaches around the globe from the EU’s pro-regulatory stance with Digital Identity regulation and AI Act to a more pro-innovation approach being led by big tech companies in the US. How this plays out will shape the future of zero trust and cybersecurity for generations to come.