The human side of zero trust

In the past, legacy enterprise trust was mostly decided by the organization for the workforce (aside from deciding whether to click on a link or not). When organizations thought about trust, they thought about technology first: trusted enterprise devices, networks, and applications, followed by locations and physical spaces. But many of these legacy enterprise trust assumptions don’t hold true anymore – instead, we see the actions and inactions of the workforce having major implications for trust.

The foundation of zero trust is the belief that all trust must be earned. When it comes to information security, trust is never assumed and never an afterthought. Before an organization entrusts someone with its data, trust must be carefully instantiated, measured and verified to fit the risk tolerance of the organization. And even after implementing a zero trust model, every action and decision must be continuously situationally aware and contextually risk appropriate. In short, the success of your zero trust model depends on answering the question: How do we empower people to consistently make the right choices to maintain appropriate trust?

Because people are essential to optimal trust outcomes, it’s important to humanize your Zero Trust model instead of only relying on security technologies. Here are key points to remember:

1. People, not technology, make decisions about trust. This makes it vital to educate your employees so they can make good security decisions by assessing copious trust factors (such as “Is this network safe for accessing company data?”). The more your employees understand complex trust relationships, the better they can determine when trust has been earned and when trust is misplaced. 
2. People interact with and depend on technologies to provide roots of trust and to validate the chain of trust. The latest web application firewalls, endpoint management, and FIDO2 authentication can all help your remote workforce work more securely—but training employees to make good trust decisions is just as important as training them to use these technologies effectively.
3. People decide what Zero Trust means in each organization. While every Zero Trust model will have certain protocols in common, Zero Trust is more of a philosophy than an instruction manual. It’s up to your IT leadership to design the Zero Trust framework for your enterprise, choosing the multifaceted trust policies and technologies that guide and automate for desired trust outcomes in every context.
   

The only constant in security strategy is that situations change. Your organization will hire new employees who must be trained, adopt new devices and workspaces that must be protected, and face expanding threats to your sensitive data. This means your zero trust framework must continuously evolve, making it vital that it is an active and shared responsibility for everyone in your organization.

As a leader in your organization, foster your culture so that it can be expressed and consumed through “culture as code.” Be intentional about creating a company culture that embraces and demonstrates Zero Trust principles. Actively coach employees in security best practices so they can evolve to combat new threats. When everyone has the same understanding of when trust is merited and when trust has been broken, your employees will know how to make strong trust decisions that will protect both themselves and your organization.