909 Blog, by Den Jones

5 Things I learned delivering Zero Trust at Adobe and Cisco

Between 2017 and 2022 I was fortunate to be the leader responsible for the strategy and execution of Zero Trust initiatives at Adobe and Cisco, in my role running enterprise security for both companies (of course not at the same time).

As the executive leading the organization, Zero Trust was only one of many initiatives our teams were responsible for.  In both companies I was blessed to have excellent leaders who actually did the hard work and, of course, led teams that really delivered in creative ways.

Rolling out Zero Trust at scale to a combined total of over 150,000 users, 500,000 devices, and 3,000 applications is no easy feat.

At Adobe, our initial deployment took around seven months, leveraging Okta, VMware (now Omnissa), and F5. Cisco, on the other hand, implemented DUO for its approach. In 2019, Adobe further advanced its strategy by partnering with Banyan Security (now part of SonicWall).

Later, I joined Banyan Security as Chief Security Officer (CSO), leading all aspects of IT and Security. This gave me firsthand insight into how our customers were implementing Zero Trust in their own organizations. (I even wrote a blog about what it’s like to be a CSO at a Zero Trust startup.)

With experience at both the strategic and execution levels, I’ve shaped vision, made critical decisions, and tackled real-world implementation challenges. I’ve distilled my top five lessons on delivering Zero Trust since 2017. 

Let’s roll…

The Definition of Zero Trust

Between 2018 and 2023 it seemed like every vendor was a Zero Trust vendor; you could ask 20 people to define Zero Trust and you’d get 25 different answers.  So the first thing we learned during my time at Adobe was that anytime we presented or discussed the topic we would start by framing what we meant by it.

Running a business, reducing costs while reducing risk

At the end of the day the important thing to keep in mind is we’re running a business.  Too many security professionals over-rotate on the discipline (e.g. DLP) and focus on what I’d consider a “jobsworth” stance.  When security adds friction it slows everyone down, costs more and becomes bureaucratic.

Our approach to Zero Trust delivered measurable benefits—at Adobe, they identified 18 advantages across security, user experience, and cost.

This shift enabled:

Security applied in the background

We collect a lot of data, right? Usually our SIEM data is only used when shit hits the fan: something doesn't look right, then the team jumps right in.  However, that data and our systems can be leveraged proactively to prevent bad outcomes.  In an ideal world, remove the friction from your users and use the data, then only ask them to step up or take action when the data suggests something isn't right.  What did this look like? One example: hide authentication steps until the data suggests something doesn't look right…always used a Mac, but now logging in with a Windows device? Step up the authentication.  One time we saw the username and password were correct but the second factor failed many times and the device was different.  Take action based on user behavior analytics.
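
The step-up pattern described above, as an added example that is not code from Adobe, Cisco or the author: it replays a constructed sign-in log and decides per event whether to allow silently, prompt for a second factor, or block. The class and field names, the failure threshold and the time window are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

MFA_FAIL_LIMIT = 3     # assumed threshold, not a figure from the post
WINDOW_SECONDS = 600   # assumed look-back window for second-factor failures

@dataclass
class SignIn:
    ts: int                  # epoch seconds
    user: str
    device_id: str
    platform: str            # "macOS", "Windows", ...
    password_ok: bool
    mfa_ok: Optional[bool]   # None means no second-factor prompt was answered

class StepUpPolicy:
    def __init__(self):
        self.trusted = defaultdict(set)       # user -> {(device_id, platform)}
        self.mfa_fails = defaultdict(deque)   # user -> timestamps of failed prompts

    def process(self, ev: SignIn) -> str:
        """Return 'allow', 'step_up', 'block' or 'deny' and update history."""
        if not ev.password_ok:
            return "deny"
        fails = self.mfa_fails[ev.user]
        while fails and ev.ts - fails[0] > WINDOW_SECONDS:
            fails.popleft()                   # forget failures outside the window
        key = (ev.device_id, ev.platform)
        if key in self.trusted[ev.user]:
            return "allow"                    # familiar device: no visible prompt
        if len(fails) >= MFA_FAIL_LIMIT:
            return "block"                    # right password, new device, MFA failing
        if ev.mfa_ok:
            self.trusted[ev.user].add(key)    # learn a device only after a passed prompt
        elif ev.mfa_ok is False:
            fails.append(ev.ts)
        return "step_up"

# Constructed sign-in log for a hypothetical user "alice".
SAMPLE_LOG = [
    SignIn(0,   "alice", "mac-1", "macOS",   True, True),   # first sight of the Mac
    SignIn(100, "alice", "mac-1", "macOS",   True, None),   # usual device
    SignIn(200, "alice", "win-9", "Windows", True, False),  # new device, MFA fails
    SignIn(260, "alice", "win-9", "Windows", True, False),
    SignIn(320, "alice", "win-9", "Windows", True, False),
    SignIn(380, "alice", "win-9", "Windows", True, None),   # fourth try
    SignIn(400, "alice", "mac-1", "macOS",   True, None),   # real user, usual device
]

def replay(log):
    policy = StepUpPolicy()
    return [policy.process(ev) for ev in log]
```

The legitimate user on the familiar Mac never sees a prompt after the first enrollment, while the unfamiliar Windows device is challenged and then blocked once the second factor has failed three times inside the window.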

Change is hard

Especially for old school security professionals

A lot of people in my team and other security teams often revert to what they know has kept them in good stead over the years.  In the case of Zero Trust, the thought that users could access internal applications without the need for a VPN caused concern.  The idea that someone can compromise a laptop and then blindly access internal resources is of course a concern; that was just one example.  However, our architecture included other controls that reduced risks like this.

Another fun fact was at Cisco it was a little awkward telling people how VPNs and firewalls are dying out - there are product teams and IT staff whose careers are based on these technologies.

So, in both cases it’s vital to spend a huge amount of time on helping the organization evolve - don't ignore the human element.  Don't take for granted everyone will understand your plan or even be on board.  I’ll never forget that some people not only never “got it” but actively tried to sabotage our efforts.

It doesn't have to break the bank

Back at Adobe in 2017 we would read about Google’s BeyondCorp and their approach to Zero Trust - it was a huge undertaking and overhaul and very impressive.  But we didn't have Google money, nor years to make sweeping changes.

So our plan had to be creative and result in a big business impact without spending big dollars.  We leveraged a lot of existing investments, existing teams and actually managed to deliver a result without seeking additional funding.  

In 2017, we assigned a dedicated team member to lead the effort, optimized spending in key areas, and rolled out our initial Zero Trust deployment, all for under $240,000. In just seven months, Adobe transformed how 40,000 users accessed critical applications, secured 80,000 devices, and protected 2,000 applications, laying the foundation for its Zero Trust strategy.

Here’s what Adobe got for their money:

  • 80% reduction in service desk tickets related to password resets
  • No more VPN for employees
  • A passwordless experience for 30,000 users
  • No network-level access when connecting to internal applications

Conclusion

Delivering Zero Trust in these iconic companies was only one of many initiatives my organizations led.  However, it's very rare we get to improve security while improving user experience; that's what we did.

I’ve spent hours on stage, in interviews and writing about this stuff - it was a huge privilege and I’d say I’ve learned way more than five things…so stay tuned.

If you need help with your Zero Trust strategy or execution, reach out to the team via sales@909Cyber.com

About our Author
Den Jones

Den Jones is a Zero Trust security pioneer with over 35 years of experience in IT and security. Formerly Chief Security Officer at SonicWall, he has protected over 150,000 employees globally. An influential figure in cybersecurity, he also produces music and enjoys various outdoor activities.
