Cloud 101CircleEventsBlog
Join us at CSA's third annual Virtual Zero Trust Summit from November 20 - 21. Register now!

The Hidden Power of Zero Trust Thinking

Published 10/30/2024

The Hidden Power of Zero Trust Thinking

Written by Mark Fishburn and originally published on his website.


1. Daytime Stress and Sleepless Nights

Managing cybersecurity, networks, workloads, and websites can be stressful, especially when many things go bump simultaneously in the middle of the night.

During calmer daytime moments, we rationalize decisions, selecting the right defensive or application architecture, analyzing problems, balancing business and technical requirements, based on logical thinking.


2. Reality Check

When we think we are making logical choices based on facts, brain science tells us that we are actually making emotional decisions.

These emotions are based on what will cause us less stress or risk to our reputation or company. Receiving praise for meeting personal performance indicators is important or maybe we just like the person selling us something.

Later, we look for reasons to justify such decisions based on logic, showing off our smart thinking to look good and be admired. So, what has this got to do with Zero Trust?


3. Why Does Zero Trust Empower Your Thinking?

For those not familiar with Zero Trust, its many aspects are addressed in CSA initiatives & guidelines and also my own website. Implementations of zero Trust feature identity management, authentication and access control, policy management and enforcement, and continual monitoring. However, it’s the empowering principle “Never Trust, Continually Verify” that is the focus here.

As you look at the impact and value of verification, you realize how it replaces overwhelm and burn-out with clear, stress-free decision-making in the following five areas:


Commitment

“Always Verify” Implies

“Trust” Implies

A Commitment to Being Secure

An Expectation That It’s Secure

Competitive Positioning

Cost Center

When you trust somebody or something, you do so with an expectation it’s all going to work out just fine. However, expectation is dangerous. When things don’t work out, you either blame yourself or somebody else for the result not being what you wanted or expected. When you verify, you are implementing your commitment that the processes, the software, the devices, and the people you train will be secure. Clearly there are no guarantees with security, but if things don’t work perfectly, instead of being upset, you are left with your commitment to keep verifying and strengthening your organization’s strengths versus competitors. It’s all part of the journey.


Delegation

“Always Verify” Implies

“Trust” Implies

Managed Delegation of Responsibility

Abdication of Responsibility

Only when your HR department, service provider, software supplier, CPA firm, physical security company, etc., verify in writing that what they have delivered is secure, are you truly delegating, not abdicating, your responsibility. This makes a huge difference to how you operate your security. The topic of supply chain management continues to further develop this since my ISE article last August to show all the steps for providers and software companies to self-verify their products and services.


Integrity and Control

“Always Verify” Implies

“Trust” Implies

Integrity

A Sense of Being Incomplete

Empowering and Proactive

Disempowered, Passive

If you just trust your own internal departments or a third party, then you are left with a sense of being incomplete and uncertain. This is why verification gives you a sense of integrity or, expressed another way, you are whole and complete—and not stressed.

Deploying unverified software can be very passive and is the source of many catastrophic attacks. You are just not in control, yet still liable for any consequences. Properly delegating and verifying supply chains’ internal processes is both empowering and proactive. This is why Zero Trust aligns closely with taking executive responsibility in your organization, helping you contribute and add value to your organization in a new way.


Protection, Conformance, and Competitive Positioning

“Always Verify” Implies

“Trust” Implies

Measurable Written Protection

Uncertain Liability, Accountability

Competitive Positioning

Cost Center

Verification also provides written, measurable protection that is an essential element of the SEC’s requirements to show that you have proper processes in place. It works to the benefit of your organization and your suppliers, effectively creating a paper trail that can be included in your website’s terms and policy statements.

All of this is not just to ward off stress and uncertainty. This whole ethos can enhance your competitive position to those who do not adopt it, but can also position your organization as a leader in protection of your business client/customers. This transforms adoption of Zero Trust from pure defense into a difference-making advantage.


Continuous Monitoring

“Always Verify” Implies

“Trust” Implies

Continuous Monitoring and Auditing

One-Time Monitoring

Verification is not a one off—which is why I prefer my version of the mantra “Never Trust, Continually Verify” to the original.

What or who was authenticated five minutes ago may now be out of policy. In fact, if you are not continually and automatically monitoring all aspects of your risk, then all you are doing is protecting the past! This is, after all, why it’s never over in cybersecurity.


4. Conclusion

You can see why, beyond the mechanics of Identity and Access Management, Policy Enforcement, and microsegmentation, Zero Trust creates clear thinking to reduce stress and acknowledges the emotional aspects of your technical and business decisions.

In terms of the much-discussed stress and burnout, the 5 areas covered here are one element of reducing stress. Other causes are important too:

  • Dealing with 100+ issues, any one of which can disable the organization, is enormously stressful without a process and methodology. Get started here.
  • Using third parties without a methodology to verify the security of the products and services being offered is also extremely stressful. Get started here.

Now you are armed with Zero Trust thinking that you can apply throughout your organization and beyond – not just to your data, networking, and software – and indeed not just to cybersecurity. If you do get it, then I advise taking a deep breath, putting a smile on your face, and getting back to enjoying your job!



Discover more Zero Trust guidance and insights in CSA’s Zero Trust Advancement Center.