IBM CISO Perspective: Zero Trust Changes Security From Something You Do to Something You Have

As the chief information security officer (CISO) for IBM, I’m often asked by peers and colleagues, “What do you think of Zero Trust?”


Or, perhaps more often, “What strategies are you using to keep IBM protected?”  


First, many vendors in the security industry are looking at zero trust security from the wrong perspective. Security isn’t something you can just ‘do.’ Sure, you may be able to buy security tools or products. As a security professional, you might have a lot of experience adjusting firewall or provisioning policies, or have specialized training to investigate incidents. While these things can be helpful in applying security to your organization’s business practices, they are not really advancing the business in a secure way.


That is an important distinction and provides the basis of our view of zero trust. Zero trust isn’t something you can buy or implement. It’s a philosophy and a strategy. And to be frank, at IBM, we wouldn’t even characterize zero trust as a security strategy. It’s an IT strategy done securely.


Cloud First — More than an IT Strategy


Consider this. For the last several years, our IT strategy has followed a simple rule: cloud first. Everything we build or buy — from our marketing tools to our developer technology to our collaboration applications — is delivered as a service or is available to be hosted on our public cloud. This strategy addresses two critical business objectives:  


Enabling end-user productivity. First and foremost, end-user productivity is paramount. We need to connect our employees to the tools they need in the most fluid and cost-effective way possible. Moving everything to the cloud allows us to provide a consistent and seamless experienc ..