When I joined Capitec in April 2022 as CTO, the first thing I wanted to find out was whether there was a zero trust strategy in place. Capitec is the second largest bank in South Africa, and like financial institutions the world over, it’s a potential target for attackers. To compound our challenges, our country’s infrastructure problems are mounting, with outages scheduled each day to try to take the pressure off the oversubscribed electricity grid and poor connectivity in rural areas. I was confident that a zero trust architecture with the right vendor would at least help address our security concerns.
I found that there was a zero trust project already underway at Capitec with a Zscaler competitor. The project had been dragging on for two years, but there had been no production deployment. With an open mind, I gave the competing solution a chance—but significant issues started to crop up. It soon became apparent to me that there were reasons why the project had gone on for so long. Having completed three Zscaler deployments in prior roles, I had a basis for comparison. With all the issues we encountered at Capitec, I couldn’t see this other solution ever making it into production. It was time to pull the plug and shift our zero trust migration to Zscaler.
1. Implement Rapidly
One of the advantages of Zscaler is that you can achieve genuine speed. With the prior solution, it would take over a month to even identify the problem if something stopped functioning. We never encountered that issue with Zscaler. When an issue arose, we could instantly see where the roadblocks were and deploy Zscaler across the enterprise swiftly. We gradually phased in our Zscaler deployment, first to groups of 500 people, and then, one day later, to groups of 1,000 people. This systematic and phased approach enabled us to stay on track.
To maintain this rapid pace, I recommend meeting with your team every day to talk about problems that come up and how to resolve them. Regular and consistent communication ensures that issues are addressed promptly, and teams remain synchronized. We adopted a proactive stance to tackle challenges head-on, which kept us from losing momentum. This approach contrasts sharply with our previous experience, where resolving a single issue could take weeks, stalling progress and creating frustrating bottlenecks.
2. Begin with Basic Policies
You should not compromise the user experience by overly restricting access. Balance cyber threats against worker efficiency. Although you might want to enforce stringent isolation on all websites, this hampers productivity. Instead, commence with pragmatic, broad policies and use Zscaler’s risk insights to adjust them. For example, we started with the default policy of making the internet read-only. This strategy eliminated the risk of data loss without breaking the user experience and helped us speed up the rollout process.
Once the basic policies were in place, we gradually adjusted for specific needs. For instance, we opened up LinkedIn so users could create posts, balancing security with practical usability. Over time, adjustments were made based on real-world feedback and data-driven risk assessments from Zscaler’s tools. This adaptive approach underlined the importance of user experience while still maintaining essential security measures. It was a fine line to walk, but maintaining this balance was crucial for the smooth implementation of the zero trust model.
3. Utilize the ZIA Dashboard
The ZIA dashboard offers a potent data and analytics platform beneficial for business management. This dashboard allows you to see risk perspectives and how they change over time. Zscaler provides meaningful insights that help you manage risk effectively. Looking at our company risk score on the insights report, we found that we’ve cut our risk by 50%. The ZIA dashboard’s detailed metrics and insights make it indispensable for ongoing risk management.
For example, we have 16,000 people in our organization, and we don’t have the time or energy to go through 16,000 internet logs. Zscaler shows us specifically which 20 out of those 16,000 people have a high-risk score, so our focus is on those 20 people—now that’s meaningful. These highly targeted insights allow us to focus our resources where they are needed most, significantly improving our risk mitigation efforts. The ability to see actionable insights that are both meaningful and impactful transformed how we approached our security protocols.
4. Form a Cross-Department Team
Establish cross-disciplinary groups from security, networking, IT, and other sectors. Keeping teams isolated hinders cooperation and jeopardizes the deployment. Ensure that the deployment team covers all necessary disciplines and is led by one leader. This holistic approach ensures everyone is aligned and working towards a common goal, minimizing friction and maximizing efficiency.
Additionally, don’t be afraid to lean on Zscaler for support. The account and support people I have met from Zscaler are incredibly helpful, and their feedback on incidents is truly impressive. Zscaler sets a high bar for customer support, and their highly responsive team can be considered part of your temporary deployment team. By leveraging their insights and expertise, our cross-functional team could navigate complexities more effectively, ensuring a seamless deployment.
5. Use the Latest Version
The consistent cadence and delivery of features and enhancements in Zscaler are commendable. Always implement the most recent versions for optimal performance. In my experience, I’ve seen a lot of improvements in the product since I first used it. Our general policy is to always adopt the most recent versions. This ensures that we benefit from the latest innovations and security enhancements.
Keeping up with the latest versions also means receiving timely fixes and updates that address emerging threats and operational inefficiencies. This proactive stance not only improves security but also enhances the user experience by adding new features and capabilities. By embracing the latest version, we ensured that our deployment was always at the cutting edge, leveraging new functionalities as they became available.
Lastly, Celebrate