Since my book Project Zero Trust came out, I’ve had the privilege of talking to cybersecurity leaders from all over the world. Since the President’s Executive Order on Zero Trust came out, there’s been a real hunger for helpful information on how to be successful at a Zero Trust implementation.
I think the reason that Zero Trust appeals to everyone from the President to Boards of Directors is that to be successful at any endeavor, we need a strategy for success. Zero Trust is that strategy when it comes to security.
One of the things that’s surprised me the most was that so many of my CISO peers admitted that they’d tried starting Zero Trust projects in the past, but that they had failed, in some cases multiple times. There were a lot of reasons given – they didn’t know where to start, the politics were too difficult, the projects took too long. The common denominator for these issues wasn’t technology. The common denominator was people.
To understand why this is the case, we need to start with the definition of Zero Trust. John Kindervag, the creator of Zero Trust, says that Zero Trust is a strategy for preventing or containing data breaches by removing the trust relationships we have in digital systems. A strategy is, by definition, a way of organizing a group of people to achieve a common goal.
Leadership guru Peter Drucker is widely credited with creating the phrase, “Culture eats strategy for breakfast.” Drucker’s message is that an organization’s culture is much more powerful in creating success than the individual strategies the executives come up with to drive an organization forward. To be clear, strategy is important. But when an organization values empathy and empowerment, where employees take responsibility for their own results, and where innovation is fostered, the company has a greater chance of success.
When I started at SMU, the second-highest-ranking person at the University told IT that I should never put a firewall between him and the Internet. In higher education, issues like academic freedom have restricted many universities from adopting security best practices as quickly as they needed to. Does your organization have a culture that supports Zero Trust?
- Ask whether engineers and administrators are empowered to make security decisions.
- Ask what happens when there’s a conflict.
- Find out what the incentives are for supporting security versus maintaining the status quo.
To be successful, Zero Trust can’t just be for us security nerds. Everyone in IT needs to be a part of a Zero Trust implementation. A strategy of Zero Trust can help focus engineers’ and administrators’ efforts toward removing trust relationships from the systems they manage.
Every successful strategy uses tactics and tools, but ultimately it is the people of an organization that have to employ those tactics and tools effectively to achieve the goal. A system administrator removing unnecessary programs from a default server config to create a hardened server image is an example of Zero Trust. You don’t necessarily need tools to do this activity, but sometimes tools help with scaling this activity up for a whole data center.
It’s easy to be cynical and say that Zero Trust means we don’t trust anything or anyone. This is also a common misconception. The definition of Zero Trust specifically says we need to remove the trust relationships from digital systems, not from our human relationships. In fact, we need to trust our teams to empower them to go out and deliver Zero Trust effectively.
Ironically, trust is one of the keys to a successful Zero Trust journey. In his book The Speed of Trust, Stephen M. R. Covey argues that when people don’t trust one another, there is a “trust tax” you pay in terms of lost productivity, efficiency, and delays. Zero Trust is a transformative change that requires years of effort. And as with any long-term initiative, the longer the project takes, the greater the risk that it fails or is abandoned.
One of the most impactful things that I did in my own Zero Trust journey at SMU was to build lasting relationships with my key stakeholders on campus. There were 10 relationships that were key to getting the support we needed: the CEO, CFO, CIO, General Counsel, Chief Risk Officer, Chief Human Resources Officer, Internal Audit, Admissions, Research, and our Chief Compliance Officer. The key for us has been to be totally transparent and honest to build credibility. We never used fear tactics. Ultimately you have to have conversations with everyone, not based on fear, but on how we can all work together to make everyone more secure.
I like to say that security is in our DNA. People naturally want to play a role in making sure their communities are secure. The most important part of your strategy of Zero Trust is the people who make it possible.