The Hidden Power of Zero Trust Thinking
Published 10/30/2024
Written by Mark Fishburn and originally published on his website.
1. Daytime Stress and Sleepless Nights
Managing cybersecurity, networks, workloads, and websites can be stressful, especially when many things go bump simultaneously in the middle of the night.
During calmer daytime moments, we rationalize decisions, selecting the right defensive or application architecture, analyzing problems, balancing business and technical requirements, based on logical thinking.
2. Reality Check
When we think we are making logical choices based on facts, brain science tells us that we are actually making emotional decisions.
These emotions are based on what will cause us less stress or risk to our reputation or company. Receiving praise for meeting personal performance indicators is important or maybe we just like the person selling us something.
Later, we look for reasons to justify such decisions based on logic, showing off our smart thinking to look good and be admired. So, what has this got to do with Zero Trust?
3. Why Does Zero Trust Empower Your Thinking?
For those not familiar with Zero Trust, its many aspects are addressed in CSA initiatives & guidelines and also my own website. Implementations of zero Trust feature identity management, authentication and access control, policy management and enforcement, and continual monitoring. However, it’s the empowering principle “Never Trust, Continually Verify” that is the focus here.
As you look at the impact and value of verification, you realize how it replaces overwhelm and burn-out with clear, stress-free decision-making in the following five areas:
Commitment
“Always Verify” Implies | “Trust” Implies |
A Commitment to Being Secure | An Expectation That It’s Secure |
Competitive Positioning | Cost Center |
When you trust somebody or something, you do so with an expectation it’s all going to work out just fine. However, expectation is dangerous. When things don’t work out, you either blame yourself or somebody else for the result not being what you wanted or expected. When you verify, you are implementing your commitment that the processes, the software, the devices, and the people you train will be secure. Clearly there are no guarantees with security, but if things don’t work perfectly, instead of being upset, you are left with your commitment to keep verifying and strengthening your organization’s strengths versus competitors. It’s all part of the journey.
Delegation
“Always Verify” Implies | “Trust” Implies |
Managed Delegation of Responsibility | Abdication of Responsibility |
Only when your HR department, service provider, software supplier, CPA firm, physical security company, etc., verify in writing that what they have delivered is secure, are you truly delegating, not abdicating, your responsibility. This makes a huge difference to how you operate your security. The topic of supply chain management continues to further develop this since my ISE article last August to show all the steps for providers and software companies to self-verify their products and services.
Integrity and Control
“Always Verify” Implies | “Trust” Implies |
Integrity | A Sense of Being Incomplete |
Empowering and Proactive | Disempowered, Passive |
If you just trust your own internal departments or a third party, then you are left with a sense of being incomplete and uncertain. This is why verification gives you a sense of integrity or, expressed another way, you are whole and complete—and not stressed.
Deploying unverified software can be very passive and is the source of many catastrophic attacks. You are just not in control, yet still liable for any consequences. Properly delegating and verifying supply chains’ internal processes is both empowering and proactive. This is why Zero Trust aligns closely with taking executive responsibility in your organization, helping you contribute and add value to your organization in a new way.
Protection, Conformance, and Competitive Positioning
“Always Verify” Implies | “Trust” Implies |
Measurable Written Protection | Uncertain Liability, Accountability |
Competitive Positioning | Cost Center |
Verification also provides written, measurable protection that is an essential element of the SEC’s requirements to show that you have proper processes in place. It works to the benefit of your organization and your suppliers, effectively creating a paper trail that can be included in your website’s terms and policy statements.
All of this is not just to ward off stress and uncertainty. This whole ethos can enhance your competitive position to those who do not adopt it, but can also position your organization as a leader in protection of your business client/customers. This transforms adoption of Zero Trust from pure defense into a difference-making advantage.
Continuous Monitoring
“Always Verify” Implies | “Trust” Implies |
Continuous Monitoring and Auditing | One-Time Monitoring |
Verification is not a one off—which is why I prefer my version of the mantra “Never Trust, Continually Verify” to the original.
What or who was authenticated five minutes ago may now be out of policy. In fact, if you are not continually and automatically monitoring all aspects of your risk, then all you are doing is protecting the past! This is, after all, why it’s never over in cybersecurity.
4. Conclusion
You can see why, beyond the mechanics of Identity and Access Management, Policy Enforcement, and microsegmentation, Zero Trust creates clear thinking to reduce stress and acknowledges the emotional aspects of your technical and business decisions.
In terms of the much-discussed stress and burnout, the 5 areas covered here are one element of reducing stress. Other causes are important too:
- Dealing with 100+ issues, any one of which can disable the organization, is enormously stressful without a process and methodology. Get started here.
- Using third parties without a methodology to verify the security of the products and services being offered is also extremely stressful. Get started here.
Now you are armed with Zero Trust thinking that you can apply throughout your organization and beyond – not just to your data, networking, and software – and indeed not just to cybersecurity. If you do get it, then I advise taking a deep breath, putting a smile on your face, and getting back to enjoying your job!
Discover more Zero Trust guidance and insights in CSA’s Zero Trust Advancement Center.
Related Resources
Related Articles:
Microsoft Power Pages: Data Exposure Reviewed
Published: 12/09/2024
AI-Enhanced Penetration Testing: Redefining Red Team Operations
Published: 12/06/2024
Systems Analysis for Zero Trust: Understand How Your System Operates
Published: 12/05/2024