Embracing Zero Trust, Little by Little

Zero trust is an important security architecture to protect your business from cyber threats. But how complex is it to implement it correctly? And what message does it send to employees when you say, “never trust, always verify”? Is there a better way?

The National Security Agency (NSA) recently released an information sheet, “Embracing a Zero Trust Security Model” explaining the principles and listing benefits of zero trust. Following up on that just this month, the Biden administration issued an executive order for improving cybersecurity for the United States government, which includes zero trust. Plenty of security vendors are offering their “zero trust solution” because it seems like the thing to do.

It is.

But zero trust isn’t solved with one product or service. As the NSA said, it’s a “continually maturing roadmap.”

What else did they say, what does the executive order cover, and why might you experience hurdles implementing zero trust architecture with your workforce? Let’s delve in.

NSA Guidance on Zero Trust

Zero trust isn’t a solution you simply buy out-of-the-box, or off-the-shelf from a vendor. A good security architecture takes time and effort. That’s why the NSA called it a “continually maturing roadmap.” And as such, you’ll need a plan to follow, good leaders to step up as guides, and a way to keep everyone on the path.

At a high level, these are the guidelines from the NSA:

1. Adopt a zero trust mindset: be aware, be wary, and be prepared for a disaster that may have happened yesterday.
2. Embrace zero trust guiding principles: never trust, always verify, assume you’ve already been breached, and verify, verify, verify.
3. Leverage zero trust design concepts: define a solution that identifies critical data/assets/applications/services (DAAS), protect the most critical DAAS, define access control, and gain full visibility in logs and monitoring.

The executive order came out after the NSA guidance. It’s directed at government entities to increase their cybersecurity, but the private sector should take note. In addition to guidance on implementing zero trust, it also includes the following:

• Incident reporting by IT contractors
• Security requirements for software contractors
• Encryption, MFA, EDR (end-point detection and response) by agencies
• Cyber incident review board
• FedRAMP cloud security modernization
• IoT security labeling program
•  CISA incident response “playbooks”
• Government-wide log retention/analysis policy

That’s quite the list. It helps paint the picture of the breadth of the security landscape.

OpenVPN solutions help enforce zero trust access. We understand that perimeter security is obsolete, managing lateral movement is a must, unifying access authorization matters, and you want to protect your users, not just your business data. 

Zero trust is not a one-solution fix.

And part of the solution is embedded in your workforce culture.

Fostering Trust and a Positive Workplace Culture

By definition, zero trust means untrustworthy. Employees, however, want to be trusted. They need it. Trust creates the foundation of a healthy workplace. And it sets the business up for growth. Trust ties into both an employee’s wellbeing and the company’s success.

Implementing zero trust architecture could actually harm feelings of trust. It’s all in how you shape your message. First, take a moment to think about what helps and hurts organizational trust, overall.

Here are a few examples of activities that foster workplace trust. These are backed by studies, linked:

• Open and frequent communication.
• Formalized HR policies and procedures.
• Employee autonomy over their work.
• Introduction of initiatives to involve employees.

In contrast, a study on trust in the workplace noted particular situations that created mistrust:

• Restricting access to paid overtime.
• Restricting access to training.
• Increasing workload.
• Reorganizing jobs or work.

Implementing zero trust architecture can send the message that it’s hard to trust employees with precious company data. You don’t trust them; they won’t trust you. Without their trust, you can’t get buy-in. You can’t get compliance. When you lose trust, you also hurt performance.

Instead, try adjusting the message:

Change “zero trust” —> “building digital trust.”

Frame your security initiative positively. Positive framing is a successful strategy in many different areas. Consider employee reviews: it’s important to include many positives before diving into an area needing improvement. You’ll get a better response. The framing effect taps into people’s natural tendency to decide on options presented in a positive light. In psychology, it’s tied into how we frame decisions. And it’s related to risk aversion. We tend to avoid risk when the decision is presented positively. And surprisingly, when it’s presented negatively, we actually seek risks.

You’re building digital trust, rather than implementing zero trust. How do you do it? Harvard Business Review published an article outlining ways to earn employees’ trust. We can take some of their strategies and apply them to our plan for building digital trust.

Make a Connection

Trust is built on personal connection. Don’t implement zero trust as a top-down approach coming from one or a few in the organization. Your CIO or CISO may not have a personal relationship with the entire workforce. And, unfortunately, the higher up in an organization someone’s role is, the lower their perceived trustworthiness, because they seem less reliant on others.

Lean on personal relationships to help build digital trust. Deliver the message through more meaningful conversations: face-to-face, personal emails, one-on-one meetings, even in small team channels in Slack.

Be Transparent & Truthful

What is the current status of your organization’s cybersecurity strategies? Have you experienced any breaches? Do you have plans in place? Share as much as you can about where you are currently and where you plan to be in the future. Transparency also requires telling the truth, which may include sharing details about a past breach or that the current state of your cybersecurity isn’t strong. Yet.

Encourage Rather Than Command

Building digital trust doesn’t need to be a top-down commandment. This relates to making a connection. Can you ask for employees to contribute to the plan and offer suggestions for your strategy? If employees feel they’re a part of the ideation, that’s empowering — and everyone can be more successful. A good strategy can balance the expectations from management with a crowdsourced feel: set clear expectations and grant autonomy as much as possible.

Take Blame but Give Credit

When things go well, great bosses highlight the success of their team; when things go poorly, they take on the blame for losses. This can apply to building digital trust as well by sharing a different message than what we often hear in cybersecurity. How often do you see content about how employees are the greatest risk? While this, statistically, proves to be true (think phishing emails leading to ransomware problems), the blame doesn’t fall solely on employees. Instead, give credit to those who actively foster good digital trust, and accept blame as a company when you fall short.

Conclusion

Cybersecurity threats are real. They also make for flashy headlines. They inundate industry news threads. There’s a lot of messages out there about how companies of all sizes are at risk and that it’s not a matter of if, but when.

It’s easy to have a mindset focused on the risks, because the risks are very real. 

But the term “zero trust” doesn’t create a positive connotation for employees. “Trust no one” might have worked in the X-Files episodes from our TV days past, but spreading that message across the organization doesn’t foster a positive workplace culture. That doesn’t mean you should avoid implementing zero trust architecture — far from it. Instead, create an internal marketing plan. Focus on “building digital trust.” This changes the implementation from one that focuses on employees posing a risk to the business, to one that emphasizes how crucial employees are to creating strong security.

Your plan should still cover all of the important areas of zero trust architecture, but the messaging is different. Think of it as internal marketing for your security hygiene.