Don’t know much about NISTory

I feel your judgment. But let’s see you come up with a better subject line that ties in NIST Special Publication 800-207.

This bad boy is the polar opposite of the “ducks and bunnies” version of Zero Trust. Weighing in at exactly 50 pages, it’s not for the faint of heart. But I think it’s a really impressive and helpful document – both for security buyers and vendors.

The good news: Unlike pretty much anything else out there, it actually goes deep on explaining what “doing Zero Trust” actually means.

The bad news: It’s very long, dense, and theoretical. (Not great ingredients for a tight sales narrative.)

Since it’s impossible to summarize a 50-page document in an email, I picked my favorite part.

This diagram:

While still pretty deep in the weeds, it puts all of the vendors running around screaming about how they help with Zero Trust in context.

In doing so, it establishes two tiers of Zero Trust vendors:

  • Alpha Dogs: Policy Engine, Policy Administrator, and Policy Enforcement Point

  • Rest of the Pack: All of the other security technologies that provide food for the alpha dogs.

So if I was a security vendor, I might consider creating a kinder, gentler version of this diagram and using it to emphasize where my product fits in.

Best case, I’d explain why I’m an alpha dog Zero Trust product. (I assume these to be things like Zero Trust network access and segmentation, but NIST’s definition is pretty theoretical.)

If I’m not lucky enough to be an alpha dog, I’d position myself as a critical foundation that you should start with to prevent your alpha dog from tripping and falling on its nose.

Yes, this is kind of what I was dinging the Spectra Alliance gang for doing yesterday. But I think the key missing piece is getting really crisp and credible about why you should be first.

-Doug