Zero-trust Doesn’t Mean Zero Trust, but Confidence in the Trust — Cintas CISO
March 28, 2025
Jacob Lorz, VP, Information Technology and CISO at Cintas, speaks with Todd Foley, Lydonia Chief Digital Officer and CISO, in a video interview about navigating the evolving cybersecurity landscape, the future of cybersecurity, the approach to zero-trust, leveraging automation, and common cybersecurity misconceptions.
A dynamic regulatory environment goes hand in hand with cybersecurity, says Lorz. To keep up with regulatory changes, Cintas builds solid relationships with its compliance teams, he adds.
Beyond that, Lorz says he attends conferences, webinars, and events to stay abreast of new developments. He also favors third-party assessments, which help identify gaps where processes need to be strengthened.
Regarding evidence gathering, Lorz recommends leveraging automated processes, which eliminates the need to repeatedly ask for the same evidence every quarter. When it is time to present to a regulatory body, everything is readily available.
Cintas still has manual processes in play, Lorz notes, but the goal, as the division grows, is to make them simpler, more effective, and more automated.
When asked for his take on the future of cybersecurity, Lorz reiterates, “We will continue to invest in increased automation.” Running successful cybersecurity programs requires bringing order to a persistently chaotic environment by employing the right people, processes, and technology. Then, one must bring confidence to that order, and it is best done through automated verification, validation techniques, automated controls, and response, he adds.
“The future of the cybersecurity industry is going to be interesting to watch over the next 3, 5, 10 years as we move into that post-quantum world,” says Lorz. While unsure how it will affect current practices, he expects certain technology changes, particularly where information confidentiality is concerned.
Additionally, Lorz says, “The automation component will continue to grow, and threat actors will continue to change their tactics.” Staying updated with resources like the MITRE ATT&CK framework is crucial for anticipating their next moves and understanding real-world APT activities, he adds.
Turning to zero trust, Lorz says he sees it as an incremental change rather than a dramatic one for cybersecurity programs. Zero trust as a principle, he asserts, is built around identity.
“Zero-trust doesn’t necessarily mean zero trust, but confidence in the trust,” says Lorz. He stresses that the identity receiving access to a resource must be the one he intends to authorize, which requires continuous validation throughout the process.
Access is granted initially but re-verified at key points along the chain; that, for Lorz, is what zero trust looks like in practice. Delving deeper, he opines that the five pillars of zero trust, as outlined by NIST, all fundamentally tie back to identity.
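The continuous re-verification Lorz describes, where a request is checked again at each hop rather than trusted on the strength of its first admission, is sketched below as an added example. It is illustrative code written for this page, not Cintas's implementation; the resource names, role names, token and MFA lifetimes, and device-posture signals are all assumptions, and the scenario at the end (an endpoint agent going unhealthy mid-chain) is constructed.

```python
"""Per-hop policy re-evaluation: an access decision is never inherited from
the previous hop. Added example; all names and thresholds are hypothetical."""
from dataclasses import dataclass, replace
from typing import List, Tuple

MAX_MFA_AGE_S = 8 * 3600    # assumed: strong auth must be fresher than 8 h
MAX_TOKEN_AGE_S = 600       # assumed: short-lived token forces re-issue


@dataclass(frozen=True)
class Identity:
    subject: str
    roles: frozenset
    mfa_at: float           # epoch seconds of the last MFA-backed login


@dataclass(frozen=True)
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool


@dataclass(frozen=True)
class AccessContext:
    identity: Identity
    device: DevicePosture
    token_issued_at: float


# Hypothetical per-resource policy: required role and whether a healthy,
# managed device is a precondition.
POLICY = {
    "gateway":     {"role": "employee", "need_managed_device": False},
    "payroll-app": {"role": "finance",  "need_managed_device": True},
    "payroll-db":  {"role": "finance",  "need_managed_device": True},
}


def evaluate(ctx: AccessContext, resource: str, now: float) -> Tuple[bool, str]:
    """Policy decision for ONE hop. Every hop calls this with current signals;
    unknown resources and stale credentials are denied by default."""
    rule = POLICY.get(resource)
    if rule is None:
        return False, "unknown resource: default deny"
    if now - ctx.token_issued_at > MAX_TOKEN_AGE_S:
        return False, "token expired; re-issue required"
    if now - ctx.identity.mfa_at > MAX_MFA_AGE_S:
        return False, "strong authentication too old"
    if rule["role"] not in ctx.identity.roles:
        return False, f"missing role {rule['role']}"
    if rule["need_managed_device"]:
        d = ctx.device
        if not (d.managed and d.disk_encrypted and d.edr_healthy):
            return False, "device posture failed"
    return True, "ok"


def walk_chain(ctx: AccessContext,
               hops: List[Tuple[str, DevicePosture]],
               now: float) -> List[Tuple[str, bool, str]]:
    """Re-verify at each hop and stop at the first denial. Each hop carries
    the device posture observed at that moment, so state can change mid-chain."""
    decisions = []
    for resource, posture_now in hops:
        ctx = replace(ctx, device=posture_now)
        allowed, reason = evaluate(ctx, resource, now)
        decisions.append((resource, allowed, reason))
        if not allowed:
            break
    return decisions


def demo() -> List[Tuple[str, bool, str]]:
    """Constructed scenario: a finance user passes the gateway and the app,
    then the endpoint's EDR agent stops reporting before the database hop."""
    now = 1_700_000_000.0
    alice = Identity("alice", frozenset({"employee", "finance"}), mfa_at=now - 3600)
    healthy = DevicePosture(managed=True, disk_encrypted=True, edr_healthy=True)
    degraded = replace(healthy, edr_healthy=False)
    ctx = AccessContext(alice, healthy, token_issued_at=now - 60)
    return walk_chain(ctx, [("gateway", healthy),
                            ("payroll-app", healthy),
                            ("payroll-db", degraded)], now)


if __name__ == "__main__":
    for resource, allowed, reason in demo():
        print(f"{resource:12s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The point of the example is the shape of `walk_chain`: the third hop is denied even though the first two passed, because the decision is recomputed from current identity and device signals at every step instead of being carried forward from the gateway.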
According to Lorz, implementing zero trust is not easy, especially for organizations with existing technology infrastructures or those that were not originally built in the cloud. Adapting to this model requires reworking certain processes and making significant architectural changes, he adds.
One common pitfall is the assumption that zero trust must be implemented all at once. In reality, it can be approached in phases. He quotes the saying, “How do you eat an elephant? One bite at a time.” By taking incremental steps, organizations can gradually transition toward a zero-trust framework in a manageable and effective way.
Sharing nuggets of advice for those starting in cybersecurity, Lorz says, “It’s going back to your foundations, going back to the basics.” Apart from that, reviewing the CIS Top 18 is a great starting point, he affirms.
Moreover, to understand potential threats, conducting a thorough risk assessment is essential, both internally and for third-party vendors, says Lorz. This involves evaluating the attack surface, security perimeter, and overall cybersecurity posture to determine which aspects require improvements.
Free resources are also available; the Cybersecurity and Infrastructure Security Agency (CISA), for example, offers vulnerability assessments of an organization's attack surface along with feedback on how to strengthen defenses.
Summing up, Lorz suggests understanding the risk, doing the assessments, and then dealing first with the highest risks that demand the lowest effort. Clearing that low-hanging fruit removes opportunities that threat actors would otherwise exploit.
Along these lines, says Lorz, anyone intentional about building a cybersecurity program must collaborate with third-party partners, then secure investment in the right technology and people, and then build out the program components.
Sharing one cybersecurity habit, he mentions never walking out of the house without locking the front door, and walking away from the computer screen only after locking it. Describing cybersecurity in three words, Lorz says, it is essential, dynamic, and evolving.
Wrapping up, he points out the biggest misconceptions people have about cybersecurity. Lorz states, “The biggest misconception is that it’s an IT-only thought. It’s an IT-only responsibility.” He clarifies that cybersecurity is a collective responsibility of everyone within the organization.
“It is the responsibility of everyone to have a security-first mindset,” says Lorz. Concluding, he states that as cybersecurity is frequently reported in the news, people are more aware now. They realize how cybersecurity threats can personally affect them if they don’t take the right precautions.