The human side of zero trust

Seventy-two percent of organizations plan to roll out a zero trust model to mitigate security risk. But zero trust takes more than flipping a switch: if employees don't buy in to your security strategy, it will not succeed.

ARTICLE | 4m read
November 24, 2020

While the coronavirus pandemic has dominated headlines in 2020, zero trust has been nearly as big a topic within technology circles. The two are not unrelated: the work-from-home migrations driven by COVID-19 have brought a huge expansion in the use of personal devices and an accelerated shift to cloud apps and services. This has stretched the traditional enterprise trust model past its breaking point, and organizations are moving to a zero trust model to mitigate risk from highly targeted attacks and other rising threats.

There are obvious areas where a zero trust framework benefits the business and IT, including stronger access security, reduced risk from malicious insiders, and easier compliance with government or industry regulations. Less attention has been paid to the impact of zero trust policy on individual employees. In this article we take a closer look at the human side of your zero trust framework and how to empower employees to make smarter security decisions.

of organizations have accelerated zero trust implementation during the COVID-19 pandemic

Source: Enterprise Zero Trust Networking Strategies: Secure Remote Access and Network Segmentation

Why your zero trust model depends on human decisions

In the legacy model, the organization decided trust on behalf of the workforce; an individual's only real trust decision was whether or not to click a link. When organizations thought about trust, they thought about technology first: trusted enterprise devices, networks, and applications, followed by trusted locations and physical spaces. Many of those assumptions no longer hold. With personal devices and cloud services in the mix, being on a corporate network or in a corporate building says little about the device or the person, and the actions and inactions of the workforce now have major implications for trust.

The foundation of zero trust is the principle that trust must be earned, never assumed. Before an organization entrusts someone with its data, that trust must be explicitly established, measured and verified against the organization's risk tolerance. And the verification does not stop once a zero trust model is in place: every access decision must be re-evaluated in context, taking into account who is asking, from what device, over what network, and for what data. In short, the success of your zero trust model depends on answering one question: how do we empower people to consistently make the right choices to maintain appropriate trust?

How to humanize your zero trust model

Because people are essential to good trust outcomes, humanize your zero trust model instead of relying only on security technologies. Key points to remember:

  1. People, not technology, make decisions about trust. Technology enforces a policy; people write that policy and people decide whether to follow it. This makes it vital to educate your employees so they can weigh the relevant trust factors (for example, "Is this network safe for accessing company data?"). The better your employees understand these trust relationships, the better they can tell when trust has been earned and when it is misplaced.
  2. People interact with and depend on technologies that provide roots of trust and validate the chain of trust. Endpoint management, FIDO2 authentication, and enforcement controls such as web application firewalls can all help your remote workforce work more securely, but training employees to make good trust decisions matters as much as training them to use these technologies effectively.
  3. People decide what zero trust means in each organization. Every zero trust model shares certain principles, but zero trust is a philosophy more than an instruction manual. It is up to your IT and security leadership to design the framework for your enterprise, choosing the trust policies and technologies that guide people toward, and automate, the desired trust outcomes in every context.
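The contextual, continuous verification that zero trust calls for can be made concrete with a small policy engine. The following Python is an added illustration, not code from the original article or from any vendor: each request is decided from its current signals (device posture, authentication strength, network, and the sensitivity of the data requested), and a session re-decides from scratch whenever a signal changes rather than carrying its first decision forward. The signal names, the three sensitivity tiers and the rules themselves are assumptions made for this example.

```python
from dataclasses import dataclass, field, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # ask for stronger authentication before proceeding
    DENY = "deny"


@dataclass(frozen=True)
class Context:
    """Signals available at decision time (names are assumed for this example)."""
    user: str
    device_managed: bool       # enrolled in endpoint management, posture checks passing
    auth_strength: str         # "password", "otp" or "fido2"
    network: str               # "corp", "home" or "public"
    resource_sensitivity: str  # "low", "medium" or "high"


def evaluate(ctx: Context) -> Decision:
    """Decide one request from its current context; nothing is inherited from
    earlier decisions. Illustrative rules, assumed for this example:
      - High-sensitivity data: managed device required; FIDO2 allows, weaker
        authentication is stepped up, an unmanaged device is denied.
      - Medium-sensitivity data: managed device OR FIDO2 allows; an unmanaged
        device on a public network is denied; anything else is stepped up.
      - Low-sensitivity data: allowed, except an unmanaged device on a public
        network is stepped up.
      - Unknown sensitivity tier: fail closed.
    Network location is only a risk signal here; "corp" grants nothing."""
    strong_auth = ctx.auth_strength == "fido2"
    risky_network = ctx.network == "public"

    if ctx.resource_sensitivity == "high":
        if not ctx.device_managed:
            return Decision.DENY
        return Decision.ALLOW if strong_auth else Decision.STEP_UP

    if ctx.resource_sensitivity == "medium":
        if not ctx.device_managed and risky_network:
            return Decision.DENY
        if ctx.device_managed or strong_auth:
            return Decision.ALLOW
        return Decision.STEP_UP

    if ctx.resource_sensitivity == "low":
        if not ctx.device_managed and risky_network:
            return Decision.STEP_UP
        return Decision.ALLOW

    return Decision.DENY  # unrecognised tier: fail closed


@dataclass
class Session:
    """A session re-evaluates on every signal change instead of carrying the
    initial decision forward for its whole lifetime."""
    ctx: Context
    history: list = field(default_factory=list)

    def __post_init__(self):
        self.history.append(evaluate(self.ctx))

    @property
    def decision(self) -> Decision:
        return self.history[-1]

    def update(self, **signal_changes) -> Decision:
        """Apply changed signals (posture drift, a network move, a request for
        more sensitive data) and decide again from scratch."""
        self.ctx = replace(self.ctx, **signal_changes)
        self.history.append(evaluate(self.ctx))
        return self.decision


def demo() -> list:
    """Walk one constructed session through changing conditions."""
    s = Session(Context("alice", True, "fido2", "home", "medium"))  # allow
    s.update(resource_sensitivity="high")   # still allow: managed + FIDO2
    s.update(device_managed=False)          # posture check now failing: deny
    s.update(device_managed=True, auth_strength="otp")  # weaker auth: step_up
    return [d.value for d in s.history]


if __name__ == "__main__":
    print(demo())  # ['allow', 'allow', 'deny', 'step_up']
```

Two design points carry the article's argument: the "corp" network never earns access on its own, it only lowers risk relative to "public", and a session that was allowed a moment ago is denied the instant its device fails a posture check. Both are policy choices that people in the organization make; the engine merely applies them consistently.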

Your zero trust framework is an active and shared responsibility

The only constant in security strategy is that situations change. Your organization will hire new employees who must be trained, adopt new devices and workspaces that must be protected, and face expanding threats to your sensitive data. This means your zero trust framework must continuously evolve, making it vital that it is an active and shared responsibility for everyone in your organization.

As a leader in your organization, be intentional about creating a company culture that embraces and demonstrates zero trust principles, so that expectations about trust are as explicit and repeatable as the policies your tools enforce ("culture as code"). Actively coach employees in security best practices so they can keep pace with new threats. When everyone shares the same understanding of when trust is merited and when it has been broken, your employees will know how to make strong trust decisions that protect both themselves and your organization.