Building Business Trust in the Dark Forest of the Internet

Originally published by CXO REvolutionaries.

Written by Sam Curry, VP & CISO, Zscaler.

“The universe is a dark forest. Every civilization is an armed hunter stalking through the trees like a ghost, gently pushing aside branches that block the path and trying to tread without sound.” - Cixin Liu, The Dark Forest

“Where are they?" - Enrico Fermi, The Great Silence

I had the pleasure of speaking to peers and friends at an Evanta event last week in Chicago, and I used the opportunity to discuss how to build trust at the executive level regarding zero trust strategy. I enjoyed the contrast between building business trust and reducing digital trust, of course, but I also emphasized what I think is a more important point: the biggest problem in cybersecurity remains the gap between the function and the rest of the business. That deserves a little more attention before going deeper into the notion of a “Dark Forest” and why we need to progressively remove trust on the internet as we continue to expand our digital capabilities.

If you look at my LinkedIn profile, you’ll see some lengthy tenures, sure. But one in particular that is less than eight months. Most of us don’t like to talk about our failures, but I think they are actually the most important things to share. Simply put, I failed in that job because I was too busy being the CISO and not spending enough time being a C-level person. All of my peers knew that I was the smartest cyber person in the room, so I should have shut up and let them take part in the cyber risk problems. Instead, I could have jumped in and proved I was their business contact for everything else.

Leadership and problem-solving teams depend on and are fueled by trust. This is what I call “business trust.” I read a book years ago called The Trust Equation (it’s really a proportionality and not an equation by the way) that pointed out that trust demands credibility, reliability, intimacy, and alignment. (You can read about the factors here, although alignment is called out as 1/self-orientation.) In other words, to succeed and reduce risk, CISOs need to do what I didn’t: they have to be general business people, not cyber geeks, first.

This is hard. Looking at my background, you may realize why it was difficult for me. I am a CTO more at home with a whiteboard than a PowerPoint presentation. You want me to become a storyteller, not the architect, and pound the table yelling “risk, risk, risk?” Ouch. Yes. That’s what has to happen.

Back to the presentation in Chicago. I started with an analogy some of you may know: the Dark Forest. The opening quote is from a book of that name. I’ll set it off textually, so you can skip it if you already know the analogy:

Enrico Fermi first asked the question of where all the aliens are, but Frank Drake quantized the fact that the universe and the Milky Way should be resounding with the clamor of alien intelligence. So why isn’t it? Answers have been hypothesized for years from civilizations reaching a point of mutual nuclear annihilation to aliens turning to virtual worlds instead of deep space and most recently to even AI taking over, although they too might be heard. The most ominous, though, is that the first civilizations to make it to interstellar levels of colonization decide to wipe out rivals and hunt young civilizations, which means that the forest is quiet because there are predators. We Humans should therefore not be broadcasting into the galaxy as we have been for 100 years noisily because we are in fact in a dangerous Dark Forest.

I actually used this analogy once with a board because the CEO and CFO were physicists, but everyone understood it. I then made the connection: the internet is a Dark Forest. To my surprise, light bulbs went off around the boardroom. This is how I approached the subject of zero trust then, and I used it again in Chicago last week as an example of how to make the connection. We have for decades sought to connect everything because Metcalfe’s law has made it a necessity. Doing so provided an exponential return in value.

However, there’s a dark corollary to Metcalfe, which is that risk rises proportionally to value too. As we connect ourselves to more resources, we increase the odds of encountering brigands lurking in the shadows. We must approach the internet quietly, aware that malicious forces are also on the prowl. This is accomplished through zero trust. This means not connecting everything but instead taking a minimalist approach, optimizing connectivity by authorizing and enabling only necessary connections and nothing more.

And the key, in the middle of the presentation, was in fact not to talk about risk. Of course, risk is present. Everyone understood that from the story and the fact that I am the CISO in the room. The rest of the presentation was given in the secret language of the C-level: revenue, cost, margin, employee efficiency, customer satisfaction, and strategy. It’s those words, not risk, that will build business trust.

Zero trust is absolutely a means of managing IT risk, but it is more than that. It can also be a vehicle for CISOs to bridge the critical gap between cybersecurity and the business. If we are to command a seat at the head table, articulating risk will be the path to get there. It is by building trust and displaying business acumen that we, as CISOs, will be best positioned to lead our organizations through the Dark Forest of today’s internet.