Zscaler Inc.

08/20/2024 | News release | Distributed by Public on 08/20/2024 12:21

ATT&CKING risk with zero trust

Here's a burning question I posed to an audience I was presenting to at the recent Zenith Live '24 conference:

Why does everybody seem to support threat-centric security conceptually, but few practice it operationally?

To address this challenge, I joined a cross-functional team to pilot the "Zscaler MITRE ATT&CK MAPPING Program," which maps Zscaler products, engines, controls, etc., against the scoring rubric from the Center for Threat-Informed Defense, a non-profit operated by MITRE Engenuity. With a healthy dose of creative conflict and dialectical decision-making, we set out to become experts in choice architecture, or the design of different ways in which choices and their impacts can be presented to decision makers like you. We did this because there are trade-offs in every cybersecurity decision.

We mulled over the realities of the status quo in cybersecurity. As an industry, we are getting better, but we're still stuck in this same cyclonic confluence of unmitigated risk and tactical reactivity by necessity.

Accepting responsibility for change is a noble cause, but is challenging and slow-going. Regardless, we charted a path armed with a mission and design goal I've been championing for years: "No material or significant event that would impact my shareholders, stakeholders or my customers, and doing that with the lowest cost and least amount of friction."

In this article, you'll learn how you can ATT&CK (i.e., manage) risk and strengthen your security posture using a threat-centric mindset. The starting point, as you may have guessed, is zero trust architecture. Implementing effective zero trust strategies requires deep visibility and a comprehensive understanding of real-world attack scenarios. This is where the MITRE ATT&CK framework comes into play.