Seventy-two percent of organizations plan to roll out a zero trust model to mitigate security risk. But zero trust takes more than flipping a switch—if employees don’t buy in to your security strategy, it will not succeed.
November 24, 2020
While the coronavirus pandemic has dominated headlines in 2020, zero trust has been nearly as big a conversation topic within technology circles. The two topics are not unrelated—with massive work from home migrations driven by COVID-19, there’s been a huge expansion in the use of personal devices and an accelerated shift to cloud apps and services. This has stretched the traditional enterprise trust model past its breaking point, and organizations are moving to a Zero Trust model to mitigate risk from highly targeted attacks and combat other rising threats.
There are obvious areas where a zero trust framework benefits the business and IT, including improved access security, reduced risk from malicious insiders, and greater compliance with government or industry regulations. However, not enough attention has been paid to the impact of Zero Trust policy on individual employees. In this article, we’ll take a closer look at the human side of your Zero Trust framework—and how to better empower employees to make smarter security decisions.
In the past, legacy enterprise trust was mostly decided by the organization for the workforce (aside from deciding whether to click on a link or not). When organizations thought about trust, they thought about technology first: trusted enterprise devices, networks, and applications, followed by locations and physical spaces. But many of these legacy enterprise trust assumptions don’t hold true anymore – instead, we see the actions and inactions of the workforce having major implications for trust.
The foundation of zero trust is the belief that all trust must be earned. When it comes to information security, trust is never assumed and never an afterthought. Before an organization entrusts someone with its data, trust must be carefully instantiated, measured and verified to fit the risk tolerance of the organization. And even after implementing a zero trust model, every action and decision must remain situationally aware and appropriate to the risk in its context. In short, the success of your zero trust model depends on answering the question: How do we empower people to consistently make the right choices to maintain appropriate trust?
Because people are essential to optimal trust outcomes, it’s important to humanize your Zero Trust model instead of only relying on security technologies. Here are key points to remember:
The only constant in security strategy is that situations change. Your organization will hire new employees who must be trained, adopt new devices and workspaces that must be protected, and face expanding threats to your sensitive data. This means your zero trust framework must continuously evolve, making it vital that it is an active and shared responsibility for everyone in your organization.
As a leader in your organization, foster your culture so that it can be expressed and consumed through “culture as code.” Be intentional about creating a company culture that embraces and demonstrates Zero Trust principles. Actively coach employees in security best practices so they can evolve to combat new threats. When everyone has the same understanding of when trust is merited and when trust has been broken, your employees will know how to make strong trust decisions that will protect both themselves and your organization.