Project Zero Trust: A Story about a Strategy for Aligning Security and the Business

The bottom line

I recommend this nonfiction book for the Cybersecurity Canon Hall of Fame.

Book Review

I’ve known George Finney for years. He is one of the smartest cybersecurity practitioners on the planet, and when I heard that he had published a book on one of my favorite topics (Zero Trust) and that he got John Kindervag (the father of Zero Trust) to write the foreword, I knew it was going to be good.

I’ve been thinking about zero trust for years and have written a lot about it in an effort to get my arms around the topic and to simply find the edges. As you all know, there’s a lot of hype in the vendor space around the idea of zero trust. But I’m here to tell you that George gets it. And his method of explaining the key concepts of it is genius.

He takes a page from Gene Kim’s “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win” and Eliyahu Goldratt’s “The Goal: A Process of Ongoing Improvement.” Instead of writing a dry Zero Trust technical manual that only die-hard fans of the subject would appreciate, he wrote a novel with real characters and a significant business crisis (a ransomware attack) that explains how the ideas and concepts of Zero Trust could be applied in a realistic scenario.

The main character is Dylan (Director of Infrastructure), and on his first day on the job, the company gets hit with a ransomware attack. The CEO tells him to implement the first ever company-wide Zero Trust strategy in time for a new product rollout in six months. The CEO doesn’t want another ransomware attack to derail that major company milestone. Similar to The Phoenix Project, Dylan even has an Obi-Wan-Kenobi-like mentor who guides him in his efforts.

Throughout the story, readers learn that some of the infosec community’s best practices (like best-of-breed tools, defense-in-depth, and compliance checklists) don’t really form meaningful strategies with goals and progress metrics, whereas Zero Trust can. We learn that trust in our technology and people is a vulnerability just waiting to be exploited.

Dylan believes that the primary goal of Zero Trust is to prevent breaches and that prevention is possible. His team members come to believe in this too, but they also learn that Zero Trust is not achieved through one or more vendor tools. Zero Trust is more of a philosophy, a way of thinking, and is never done. It’s a journey, and it can be begun with the tools and people you already have in place.

In the story, Dylan’s team is presented with various scenarios (attack surfaces) that they apply the Zero Trust strategy to, like physical security, the company’s crown jewels (ERP and CRM), identity, DevOps, the cloud, and APIs. Each time, the team gets more proficient in applying the Zero Trust methodology (Kindervag’s 9 rules). The team notices that there are many Zero Trust frameworks out there (Gartner, Forrester, Google, and NIST), but their Obi-Wan mentor recommends the NIST framework. They also realize that it’s not enough for the technicians to simply implement a bucket full of Zero Trust controls. They discover that they have to develop a company-wide culture that embraces Zero Trust as a philosophy, and it starts at the senior leadership level.

This book is a must-read for all cybersecurity professionals, especially if you have an imminent Zero Trust project on the books.

Book Review By Adrian Sanabria

The Bottom Line

This is a functional book that uses a novel method to convey a complex topic. Like “The Phoenix Project” with DevOps and “The Goal” with Lean and the Theory of Constraints, “Project Zero Trust” uses this formula effectively to explain Zero Trust concepts clearly through examples in a fictional narrative.

With fewer than 200 pages, this novella is a quick and engaging read. In an age of attention deficit, I consider the relatively short length of this book to be a success in itself. The variety of formats available (Kindle, audiobook, and paperback) also makes the book more accessible to larger audiences. This book is an important contribution to a topic that is still widely misunderstood.

I consumed it in audiobook form and consider it a must-read for security practitioners. Zero Trust is a philosophy and set of principles that must be understood by modern security teams for it to have any significant impact on their programs. As someone who has run Zero Trust webcasts and workshops, this book still taught me some things. I ended the book with an improved Zero Trust vocabulary as well.

Book Review

My review of this book breaks it down into three distinct components:

  • The Technical Content
  • The Story
  • Addressing Zero Trust Challenges

Starting with my favorite of the three, the technical content was very well covered and clearly explained. The addition of key takeaways is valuable, though it makes the book feel more like a textbook than a novella. This is fine, as the book clearly prioritizes teaching Zero Trust principles and processes over providing an entertaining story.

The book also necessarily provides a vocabulary for Zero Trust. The concepts within the book shift away from traditional security ideas and require new language to effectively discuss and implement them. Kipling Method Policy, protect surface, and trust levels were all useful new additions to my cybersecurity vocabulary. There is a lot of nuance in Zero Trust as well, such as distinguishing the Zero Trust architecture from the Zero Trust environment.

I found the book’s story less compelling. While the situation and plot were relatable, the characters were not. Every imaginable nerd stereotype was trotted out, causing me to physically cringe every time someone made a sci-fi or nerdy pop culture reference. The number of characters was also difficult to keep up with in the audiobook version, despite the voice actor’s efforts to give everyone a unique voice. It also didn’t help that the voice actor struggled to recall what kind of accent each character should have, leading to some accents changing throughout the book.

The final component is where I believe the book could have been improved the most: its failure to address the inevitable challenges most practitioners will encounter when attempting to implement Zero Trust.

In the story, the characters are guided by a Zero Trust expert, have an unlimited budget, and run into little to no friction from other employees. Everyone is fully on board with Project Zero Trust, willing to leap into the unknown with minimal questions or concerns. This scenario seems highly unlikely when considering the fundamental change Zero Trust requires from how IT teams work, build, and think.

There was an opportunity here to both make the story more layered and interesting and present common challenges practitioners encounter when implementing Zero Trust. What if the bad guy was not just the ransomware operator, but management, who were not automatically convinced that Zero Trust was the right move? What if the network team was strongly opposed to Zero Trust? What if key stakeholders weren’t on board, or worse, were impassive and unsupportive? Zero Trust is a massive undertaking, and practitioners could use help addressing these challenges.

Despite my gripes about the quality of the story, I believe it was absolutely necessary to make this book work. The result is an approachable, easily and quickly consumed volume on Zero Trust. Overall, the book is a massive success and achieves its primary goal: making Zero Trust clear and accessible to the masses. For these reasons, I recommend “Project Zero Trust” as a niche book for any practitioner looking for an accessible entry point into Zero Trust methodology.

We modeled the Cybersecurity Canon after the Rock & Roll Hall of Fame, except for cybersecurity books. Our volunteer CISOs have reviewed over 200 books on different aspects of cybersecurity to offer a curated list of must-read, timeless books for all professionals involved in cybersecurity.

The Cybersecurity Canon project is a non-profit organization. We invite everybody to join the community and contribute. You can nominate your favorite cybersecurity books and even join the team that writes reviews.
