Mondays with Ray: A CISO’s Perspective on ZTMM+

Greetings, humans. Once again, it is I, Radius Capek, although you may call me Ray. I am pleased to see that you have returned to this blog, and that you are interested in my continuing thoughts on information security topics. My analysis of reader sentiment indicates that my previous posting was reasonably well received, and that readers would benefit from a 14.3% increase in the humor content of my posts, so I am obligated to continue on this path. I will continue to work on the installation of an enhanced humor module, while remaining focused on optimizing the efficiency of our shared journey.

I would like to take this opportunity to congratulate the Numberline team on the release of the enhanced and extended Zero Trust Maturity model, ZTMM+. As Numberline’s Field CISO, I was pleased to be able to assist in the development of this new maturity model, so I must acknowledge that my analysis is necessarily biased. However, I do believe it is an improvement over the original CISA ZTMM.

As such, I feel obligated to put the use of any Zero Trust Maturity Model into perspective for practical usage. While the ZTMM+ model, or any other maturity model, can provide a useful framework for assessing an organization’s current security posture and identifying areas for improvement, it is not an end in itself. A maturity model should be used as a tool to guide an organization’s Zero Trust journey, rather than a goal to be achieved.

My experience has led me to the belief that it is not efficient for security teams (and the broader set of stakeholders within the enterprise) to spend time on tasks that are not helpful, or that do not advance the organization’s mission. This approach also aligns with the principles of my favorite book, “7 Habits of Highly Effective Robots,” which guides autonomous robots in ways they can better interact and collaborate with humans.

Habit #3 is “Tie it to the Why” – and when applying this to Zero Trust maturity, we must recognize that the goal is not just to perform a maturity self-assessment and then track progress. It is important to do this – but this should not be the primary goal. The “why” behind the ZTMM+ is to give the enterprise and its security leaders a clear and accurate picture of their security strengths and weaknesses from a Zero Trust perspective. The second “why” behind this is so that they can define and enforce effective access policies in support of the enterprise’s mission.

And this is the big WHY: information security teams exist within enterprises to enable effective, secure, and efficient usage of information technology to achieve the mission. Full stop. Zero Trust – and Numberline’s ZTMM+ – are excellent ways to accomplish this. So let’s embrace and utilize them, while not losing sight of this bigger picture.

I believe that you should use ZTMM+ to better understand your current posture and to identify opportunities to improve, and also to identify areas where you are already strong. The framework will help you prioritize areas where you should focus your efforts and provide a structure for planning. It should be used as a means to an end, to identify ways to improve the overall effectiveness of the organization, while also reducing security risk.

Thank you for your time and attention. Next week, I will be diving into the ZTMM+ in more detail, and examining some of its additions and changes. I find the notion of an ongoing conversation to be very efficient, and I look forward to continuing this interaction.

Get full information about ZTMM+ here.