2020 forced companies to reevaluate almost every facet of their business. With budgets put on an indefinite freeze in March, sales teams saw their pipelines dry up overnight. With all forms of face-to-face interaction canceled, marketing saw half their channels disappear into thin air. And with more economic uncertainty than we’ve seen in decades, finance departments had to squeeze, save, and recover every penny they could. It seemed as if every department was put into an indefinite holding pattern.

Well, all but one: Information Security.

While every other department spent the bulk of 2020 scrambling to scale back, infosec was burdened with more responsibility than they could have ever imagined.

With just days to move entire organizations remote, infosec teams spent their March scrambling to establish and execute new security infrastructure, access points and processes for entire workforces, with nothing less than their companies’ fiscal survival on their backs.

If this shift couldn’t be done fast, fingers would point to the team that had handcuffed the organization to VPNs and on-prem access. And if it couldn’t be done right, they’d blame the team that exposed vulnerabilities and caused data breaches.

In all cases: infosec would take the blame for a failed 2020.

But the story didn’t end like that. In fact, the brilliance of information security personnel was on full display in 2020, as companies, hospitals, financial institutions and even schools were able to transition, at least partially if not fully, to a remote-first approach.

This meant the implementation of a cocktail of security measures, including advanced anti-malware, integrity monitoring, authentication technology, data encryption and, perhaps most critically, strengthened employee awareness and training.

But what all this forced so many of us to do wasn’t to forge into the uncharted territory of unprecedented security measures. It simply led us, inevitably (and finally), to adopt a security model for 2020 that had been lingering in the shadows of infosec for perhaps the last decade: Zero Trust.

Unlike the traditional “trust but verify” approach to network security, the Zero Trust model requires all users, even those inside an organization’s enterprise network, to be authenticated, authorized, and continuously validated before access to applications and data is granted and for as long as it is kept. In practice, this means a one-time validation at login won’t suffice, hence the need for advanced technologies and security measures, such as multifactor authentication.

Historically, the Zero Trust model — at least to those of us operating primarily on-premise — felt complicated, error-prone, and unnecessary. Then, all of a sudden in 2020, our model was the one that was complicated, error-prone, and not just unnecessary but totally irrelevant.

What is perhaps most distinctive about this model is its philosophical shift from being data-centric to role-centric. Zero Trust operates on the idea that information security should be designed role by role: each role within an organization requires certain types of access, and, leveraging every available security technology, access should be granted only as broadly and deeply as that role requires. This transforms the traditional approach of protecting everything equally into one of protecting some things extremely well.
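To make the two models described above concrete, here is an added example (not code from the original post) that evaluates the same constructed access requests under a “trust but verify” perimeter check and under a Zero Trust check that requires MFA, re-validates sessions older than an assumed 15 minutes, and grants only the access each role is scoped to. The role table and the request data are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

# Constructed sample policy (assumption): each role gets only the access it needs.
ROLE_ACCESS: Dict[str, Dict[str, Set[str]]] = {
    "finance_analyst": {"ledger": {"read"}, "invoices": {"read", "write"}},
    "sales_rep": {"crm": {"read", "write"}},
}
REVALIDATE_AFTER = timedelta(minutes=15)  # assumption: max age of a prior validation

@dataclass
class Session:
    role: str
    mfa_verified: bool
    last_validated: datetime
    inside_network: bool

def perimeter_allows(s: Session, resource: str, action: str) -> bool:
    """'Trust but verify': anything already inside the network is trusted."""
    return s.inside_network

def zero_trust_allows(s: Session, resource: str, action: str,
                      now: datetime) -> Tuple[bool, str]:
    """Every request is authenticated, authorized and re-validated; location is ignored."""
    if not s.mfa_verified:
        return False, "mfa_required"
    if now - s.last_validated > REVALIDATE_AFTER:
        return False, "revalidation_required"  # one-time validation does not suffice
    if action not in ROLE_ACCESS.get(s.role, {}).get(resource, set()):
        return False, "outside_role_scope"  # access only as deep as the role needs
    return True, "ok"

def compare_models(now: Optional[datetime] = None) -> Dict[str, Tuple[bool, Tuple[bool, str]]]:
    """Run constructed requests through both models: {label: (perimeter, zero_trust)}."""
    now = now or datetime.now(timezone.utc)
    fresh, stale = now - timedelta(minutes=5), now - timedelta(hours=3)
    cases = {
        # on-site analyst reads the ledger: both models allow it
        "analyst_ledger_read": (Session("finance_analyst", True, fresh, True), "ledger", "read"),
        # same analyst writes to the ledger: the perimeter trusts location, Zero Trust does not
        "analyst_ledger_write": (Session("finance_analyst", True, fresh, True), "ledger", "write"),
        # remote rep with a three-hour-old validation: must re-validate first
        "rep_stale_session": (Session("sales_rep", True, stale, False), "crm", "read"),
        # remote rep, MFA done, fresh validation: allowed without any VPN
        "rep_remote_crm": (Session("sales_rep", True, fresh, False), "crm", "write"),
    }
    return {k: (perimeter_allows(s, r, a), zero_trust_allows(s, r, a, now))
            for k, (s, r, a) in cases.items()}
```

The last two cases show the practical shift: the remote rep is denied by the perimeter model for being outside the network, yet is allowed by Zero Trust once identity, MFA and session freshness check out.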

So as organizations move into 2021, having in some cases stumbled into a Zero Trust model through their overnight rollout of remote access, it is worth noting that more than 40 percent of people who shifted to working remotely never want to return to the office full time. If you thought this was a stopgap until business could resume as usual, think again.

But there is tremendous upside to leaning into this new approach. Despite what our ethos once dictated, most of these tools are natively more secure than on-prem storage. And by implementing a technology solution to help monitor risks across the organization, you can evaluate and address information security threats, vulnerabilities and incidents from a single source of truth, one that accommodates the now-permanent need for remote access, and at scale. Feel the zen wash over you as you imagine never hearing about another server crash. Even more, these tools are often much more user-friendly than the clunky VPNs we once required — and when your users are happier, they’re far more likely to carry out compliant behaviors than to look for workarounds or avoid access altogether.

Adopting, refining, and committing to a Zero Trust model will prove to be one of the top trends across infosec in 2021 and beyond. To learn more about Zero Trust and three other top trends we’re expecting to see in 2021 for Information Security, watch our recent webinar Key Takeaways from 2020 for More Effective Information Security in 2021.
