Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog

The Hidden Power of Zero Trust Thinking

Published 10/30/2024

Home
Industry Insights
The Hidden Power of Zero Trust Thinking

Written by Mark Fishburn and originally published on his website.


1. Daytime Stress and Sleepless Nights

Managing cybersecurity, networks, workloads, and websites can be stressful, especially when many things go bump simultaneously in the middle of the night.

During calmer daytime moments, we rationalize decisions, selecting the right defensive or application architecture, analyzing problems, balancing business and technical requirements, based on logical thinking.


2. Reality Check

When we think we are making logical choices based on facts, brain science tells us that we are actually making emotional decisions.

These emotions are based on what will cause us less stress or risk to our reputation or company. Receiving praise for meeting personal performance indicators is important or maybe we just like the person selling us something.

Later, we look for reasons to justify such decisions based on logic, showing off our smart thinking to look good and be admired. So, what has this got to do with Zero Trust?


3. Why Does Zero Trust Empower Your Thinking?

For those not familiar with Zero Trust, its many aspects are addressed in CSA initiatives & guidelines and also my own website. Implementations of zero Trust feature identity management, authentication and access control, policy management and enforcement, and continual monitoring. However, it’s the empowering principle “Never Trust, Continually Verify” that is the focus here.

As you look at the impact and value of verification, you realize how it replaces overwhelm and burn-out with clear, stress-free decision-making in the following five areas:


Commitment

“Always Verify” Implies

“Trust” Implies

A Commitment to Being Secure

An Expectation That It’s Secure

Competitive Positioning

Cost Center

When you trust somebody or something, you do so with an expectation it’s all going to work out just fine. However, expectation is dangerous. When things don’t work out, you either blame yourself or somebody else for the result not being what you wanted or expected. When you verify, you are implementing your commitment that the processes, the software, the devices, and the people you train will be secure. Clearly there are no guarantees with security, but if things don’t work perfectly, instead of being upset, you are left with your commitment to keep verifying and strengthening your organization’s strengths versus competitors. It’s all part of the journey.


Delegation

“Always Verify” Implies

“Trust” Implies

Managed Delegation of Responsibility

Abdication of Responsibility

Only when your HR department, service provider, software supplier, CPA firm, physical security company, etc., verify in writing that what they have delivered is secure, are you truly delegating, not abdicating, your responsibility. This makes a huge difference to how you operate your security. The topic of supply chain management continues to further develop this since my ISE article last August to show all the steps for providers and software companies to self-verify their products and services.


Integrity and Control

“Always Verify” Implies

“Trust” Implies

Integrity

A Sense of Being Incomplete

Empowering and Proactive

Disempowered, Passive

If you just trust your own internal departments or a third party, then you are left with a sense of being incomplete and uncertain. This is why verification gives you a sense of integrity or, expressed another way, you are whole and complete—and not stressed.

Deploying unverified software can be very passive and is the source of many catastrophic attacks. You are just not in control, yet still liable for any consequences. Properly delegating and verifying supply chains’ internal processes is both empowering and proactive. This is why Zero Trust aligns closely with taking executive responsibility in your organization, helping you contribute and add value to your organization in a new way.


Protection, Conformance, and Competitive Positioning

“Always Verify” Implies

“Trust” Implies

Measurable Written Protection

Uncertain Liability, Accountability

Competitive Positioning

Cost Center

Verification also provides written, measurable protection that is an essential element of the SEC’s requirements to show that you have proper processes in place. It works to the benefit of your organization and your suppliers, effectively creating a paper trail that can be included in your website’s terms and policy statements.

All of this is not just to ward off stress and uncertainty. This whole ethos can enhance your competitive position to those who do not adopt it, but can also position your organization as a leader in protection of your business client/customers. This transforms adoption of Zero Trust from pure defense into a difference-making advantage.


Continuous Monitoring

“Always Verify” Implies

“Trust” Implies

Continuous Monitoring and Auditing

One-Time Monitoring

Verification is not a one off—which is why I prefer my version of the mantra “Never Trust, Continually Verify” to the original.

What or who was authenticated five minutes ago may now be out of policy. In fact, if you are not continually and automatically monitoring all aspects of your risk, then all you are doing is protecting the past! This is, after all, why it’s never over in cybersecurity.


4. Conclusion

You can see why, beyond the mechanics of Identity and Access Management, Policy Enforcement, and microsegmentation, Zero Trust creates clear thinking to reduce stress and acknowledges the emotional aspects of your technical and business decisions.

In terms of the much-discussed stress and burnout, the 5 areas covered here are one element of reducing stress. Other causes are important too:

  • Dealing with 100+ issues, any one of which can disable the organization, is enormously stressful without a process and methodology. Get started here.
  • Using third parties without a methodology to verify the security of the products and services being offered is also extremely stressful. Get started here.

Now you are armed with Zero Trust thinking that you can apply throughout your organization and beyond – not just to your data, networking, and software – and indeed not just to cybersecurity. If you do get it, then I advise taking a deep breath, putting a smile on your face, and getting back to enjoying your job!


Discover more Zero Trust guidance and insights in CSA’s Zero Trust Advancement Center.

Continuous Assurance MetricsEnhancing cloud security strategyInnovating from the cloud Zero Trust

Share this content on your favorite social network today!

Future Cloud
Related Resources
Certificate of Competence in Zero Trust (CCZT)
The industry's first Zero Trust certificate program.
AI Organizational Responsibilities
A blueprint for enterprises to secure AI development and deployment.
AI Safety Initiative
Addressing present and future challenges of AI safety and security.
Latest from CSA
Explore Benefits of CSA Corporate Membership
Map the Transaction Flows for Zero Trust
Advance AI Risk Management
Secure your cloud data with Zero Trust Training
Related Articles:
What 2024’s SaaS Breaches Mean for 2025 Cybersecurity

Published: 12/03/2024

Legacy MFT Solutions Might Not Look Broken, But They Are

Published: 12/03/2024

Defining Identities, Accounts, and the Challenge of Privilege Sprawl

Published: 12/02/2024

Readiness Assessments: A Crucial Part of Your SOC Engagement

Published: 12/02/2024