How to Build a Zero Trust Culture
Zero trust. What term could sound less like you trust your team? Perhaps only the fact that just about every security conference kicks off with some version of, “People are your greatest risk to security.”
These are dangerous turns of phrase. Yes, humans have a high probability of being exploited. But that’s not how you should introduce any new concept.
Part of the problem is that zero trust implies someone is saying no: that it’s very top-down, and that it relies heavily on the stick of job insecurity with no carrot.
In actuality, a zero trust culture must emphasize that security is everyone’s job. That is extra challenging when only about 3% of developers see it as their responsibility, and when organizations of all sizes habitually try to save money by outsourcing security.
So how do you move past PowerPoints and rapid-answer compliance checklists that people promptly forget after clicking? In order to fully embrace the zero trust approach to security, you will need to create a culture that supports it.
Where Are Your Security Risks?
Like all cultural changes, a zero-trust culture starts with a conversation around where the security risks lie, according to Victoria Guilloit, a partner at Privacy Culture consulting.
On a February PrivSec Global panel, Guilloit said that achieving compliance is about driving behavioral change, first via the strong networks that a C-level security or data-protection officer cultivates. Those officers, who can otherwise become bottlenecks, need to find a way to make security personal, so that each colleague understands the impact on them.
And these relationships have to be continuous because they need to keep up with technology and culture in constant flux. A change of leadership, or a change in the tools or platform your organization uses, could shift a whole department’s mindset.
Suddenly team members could be working longer hours and sending emails from home, which could alter the whole security and privacy landscape. Those same patterns are red flags for employee burnout, which is a whole other risk.
You need everyone on board early, because zero trust culture is about answering: How can everyone recognize data and security breach incidents?
“What’s really important is what’s being delivered, and to whom,” Guilloit said. Each audience has specific requirements — human resources, finance, legal and product all have different subcultures and legal frameworks that demand different training.
“You have to make connections with departments to best figure out how to give your awareness, education and training,” she said. “Some people react really well to a virtual classroom, versus some would prefer their manager teach them, versus some will want to watch a video.”
It’s not if a security or data breach will happen, but when. That’s why it’s essential that incident management is part of the zero-trust culture. Postmortems should be as important as the prevention and incidents themselves. They should be moments of transparency that amplify lessons.
A postmortem is an important mechanism for continuous learning and improvement in incident response. But that doesn’t mean it’s just those engineers on call who should care.
One trick Guilloit offered to help organizations test their whole security and compliance process early on is to pick a department and ask it to return a piece of data. This tests not only whether that department responds quickly to a potential breach, but the overall incident-reporting process.
“When an incident was caught, was it reported right away or did they wait for their manager to get back from holiday?” she asked.
It’s a pretty powerful way to advocate for change.
How a Shared Services Model Can Help
For George Finney, chief security officer at Southern Methodist University, zero trust culture isn’t about individuals but the packets attached to them through their devices and internal networks.
It’s about getting everyone involved in breaking the bad habits that increase risk, but that doesn’t mean you leave people to do it themselves. Technology has a big role to play.
“For years, we have all been saying that security is everyone’s job,” Finney wrote in an article for Palo Alto Networks’ Security Roundtable. “Zero trust forces you to put that culture in place, to get everyone involved in recognizing that he or she has a vested interest in securing a role in their community.”
He accomplished this at his 11,000-person university by adopting a shared service organization (SSO) model (not to be confused with single sign-on). An SSO differs from traditional centralized control in that each team gets more control over where it directs its security budget. This enables:
- Service-level agreements that set expectations.
- Cost control and cost reduction.
- Easier relocation of resources in response to area needs.
- An ability to organize architecture around different service areas.
On the SMU campus, an SSO enables the university to maintain separate networks for HVAC, cameras and printers, rather than either assigning security to each individual department or controlling everything centrally.
A shared services model, Finney wrote, “enabled us to coordinate and orchestrate cybersecurity more effectively and eliminated the finger-pointing that can often take place in distributed IT environments.”
Can Zero Trust Drive Flexible Work?
For Ada Health and its 300-person team, adopting zero trust meant cross-channel, repeated communication around the benefits of the strategy, like how a focus on zero trust authentication enabled the company to continue to work remotely.
Since the software at Ada — an artificial-intelligence-driven health assessment tool — is considered a Class 2 medical device, one of the biggest drivers of the move to zero trust was a need for stronger documentation, logging and audit trails to meet European medical device regulations.
Most people working in tech were already familiar with the concept via BeyondCorp, Google’s implementation of the zero-trust model, so they rather expected the eventual implementation. Still, the Ada leadership took care to over-communicate across a mix of Slack, email and ask-me-anything events.
“Each time, we’d be sharing the positives and benefits around it, and trying to dispel some assumptions in lightweight ways, like ‘No, zero trust doesn’t mean we don’t trust you,’” Dan Ashby, director of quality services at Ada, told The New Stack.
“Zero-trust network access essentially replaces the traditional access and VPN methods. The way it works is that after you authenticate into your work device, your connections to the business services you use are secured while the non-business applications you use for personal reasons remain directly routed to the internet, preserving your privacy.”
This is something, he said, the organization took special care to communicate, especially for the few non-tech staff members who thought zero trust actually meant that Ada Health’s leaders didn’t trust anyone.
Since Ada was implementing its zero-trust model through Cloudflare, it was able to reuse the vendor’s own explanations and documentation in communicating with staff members, Ashby said, “which really helped them understand their worries were undue.”
What Does Collaborative Governance Mean?
Governance is usually a too-loosely defined role that sees enterprises losing millions due to avoidable data leaks and security breaches, according to Rakshith Rao, CEO of Apiwiz, an API management platform.
In the telecommunications industry, he has witnessed breaches several times. In response, he was appointed to an underfunded center of excellence whose sole task was to come up with governance rules. But, just like COVID regulations, no one really follows them anymore, due to a lack of cultural commitment, understanding and enforcement.
“When we talk about governance, we should be talking about collaborative governance delivered by a platform, not people,” Rao said. “You cannot govern thousands of APIs by doing a manual review.”
The platform-based approach to governance means using technology to enforce rules, potentially across an organization and even partnerships, so you don’t have to worry — too much — about human behavior.
Of course, following the example of Netflix, another option is to create guardrails, not gates.
“Gates” refer to the blockers traditionally set up by security teams between each step of a continuous delivery pipeline. The cybersecurity team could instead provide a set of “guardrails”: trusted assets, such as images, serverless services, APIs and configuration settings, that restrict but don’t eliminate developer choices and allow the security team to monitor for vulnerabilities.
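The guardrail idea above, and Rao’s point that governance has to be delivered by a platform rather than manual review, both come down to the same mechanism: a machine-checkable policy over the assets a developer may pick. The block below is an added example, not code from Netflix, Apiwiz, Cloudflare or anyone quoted on this page. It checks two asset kinds from a deployment manifest: container images (must come from one of the trusted registries and be pinned by digest) and API definitions in OpenAPI-like form (every server must be HTTPS, every operation must require authentication, and HTTP basic auth is not accepted). The trusted registries, the manifest and the two API specs are constructed for illustration; every decision carries its reasons so the security team can monitor rather than sign off by hand.

```python
"""Guardrails, not gates: an automated policy over pipeline assets.

Added example for illustration; the registries, manifest and API specs are
constructed, not taken from any real organization.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed guardrail: images may come only from these registry prefixes.
TRUSTED_REGISTRIES = {"registry.example.internal", "ghcr.io/example-org"}
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


@dataclass
class Decision:
    asset: str
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def split_image_ref(ref: str) -> tuple[str, str, str]:
    """Split 'host/org/name:tag@sha256:...' into (name, tag, digest).

    A tag is a ':' after the last '/', so a port such as host:5000 is
    not mistaken for one."""
    name, _, digest = ref.partition("@")
    head, slash, last = name.rpartition("/")
    last, _, tag = last.partition(":")
    return f"{head}{slash}{last}", tag, digest


def check_image(ref: str) -> Decision:
    """Guardrail for one container image reference."""
    name, _tag, digest = split_image_ref(ref)
    reasons = []
    if not any(name == r or name.startswith(r + "/") for r in TRUSTED_REGISTRIES):
        reasons.append("image not from a trusted registry")
    # Pinning by digest ensures the image that was scanned is the one deployed.
    if not DIGEST_RE.fullmatch(digest):
        reasons.append("image not pinned by digest")
    return Decision(ref, not reasons, reasons)


def check_api(spec: dict) -> Decision:
    """Guardrail for one OpenAPI-like document (a plain dict here)."""
    reasons = []
    for server in spec.get("servers", []):
        if not server["url"].startswith("https://"):
            reasons.append(f"server {server['url']} is not https")
    schemes = spec.get("components", {}).get("securitySchemes", {})
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            # An operation-level `security: []` explicitly disables the global one.
            effective = op.get("security", spec.get("security", []))
            if not effective:
                reasons.append(f"{method.upper()} {path} requires no authentication")
                continue
            for requirement in effective:
                for scheme_name in requirement:
                    scheme = schemes.get(scheme_name, {})
                    if scheme.get("type") == "http" and scheme.get("scheme") == "basic":
                        reasons.append(f"{method.upper()} {path} uses HTTP basic auth")
    return Decision(spec["info"]["title"], not reasons, reasons)


def evaluate(manifest: dict) -> list[Decision]:
    """Decide every asset in the manifest; nothing waits for a human gate."""
    decisions = [check_image(ref) for ref in manifest.get("images", [])]
    decisions += [check_api(spec) for spec in manifest.get("apis", [])]
    return decisions


SAMPLE_MANIFEST = {  # constructed sample input
    "images": [
        "ghcr.io/example-org/api@sha256:" + "a" * 64,
        "registry.example.internal/team/web:1.4",   # trusted, but not pinned
        "docker.io/library/redis:latest",           # untrusted and not pinned
    ],
    "apis": [
        {"info": {"title": "orders"},
         "servers": [{"url": "https://orders.example.internal"}],
         "security": [{"bearerAuth": []}],
         "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
         "paths": {"/orders": {"get": {}, "post": {}}}},
        {"info": {"title": "legacy-reports"},
         "servers": [{"url": "http://reports.example.internal"}],
         "components": {"securitySchemes": {"basic": {"type": "http", "scheme": "basic"}}},
         "paths": {"/reports": {"get": {"security": [{"basic": []}]},
                                "delete": {"security": []}}}},
    ],
}

if __name__ == "__main__":
    for d in evaluate(SAMPLE_MANIFEST):
        verdict = "ALLOW" if d.allowed else "BLOCK"
        print(f"{verdict} {d.asset}" + ("".join(f"\n    - {r}" for r in d.reasons)))
```

Every developer choice inside the trusted set passes without a ticket; the blocked ones come back with a concrete reason the developer can fix, and the same records feed the security team’s monitoring.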
“That’s what zero trust is about,” Finney wrote, “only allowing traffic on our networks when they have been identified, certified, authenticated, approved, and when that traffic has been inspected up through seven layers to make sure it is clean, and that its behavior is appropriate and within policy.”
Is Zero Trust Right for Your Use Case?
“Technology on its own will never solve any problem,” noted Glen Hymers, head of data privacy and compliance for the cabinet office of the U.K. government, at the same PrivSec Global panel in February.
“Culture is the solution because with tech the same issues happen over and over again,” he said, warning that “we are moving from a need-to-know to a need-to-share culture,” which means our focus must be on human habits.
Google Docs are a great example of how widespread adoption can just happen when you make things simple to share. While business plans allow control over whom a document can be shared with, there’s no way to automatically control what’s being shared in those docs.
Similarly, if you don’t have a formal process in place for dealing with new hires or departures, your company probably has no clear picture of what access new employees are being granted, or what access departing ones retain.
“If you’ve moved around an organization over the years, my god, you have access to just about everything,” Hymers said. This is an example where technology facilitates too much access and can actually increase risk.
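The access creep Hymers describes is detectable if grants are recorded with the role that justified them. The block below is an added example, not code from the page’s speakers or any vendor: it compares each person’s current entitlements against a baseline for their current role, flags grants that only made sense under a role they no longer hold, flags grants outside any baseline as needing a documented exception, and treats everything held by someone who has left as an offboarding failure. The role baselines, identities, grants and review date are constructed sample data.

```python
"""Finding accumulated access after years of moving around an organization.

Added example for illustration; roles, grants and the review date are
constructed, not taken from any real directory or IAM system.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Assumed baseline: what each role legitimately needs.
ROLE_BASELINE = {
    "support-engineer": {"ticketing:read", "ticketing:write", "customer-db:read"},
    "backend-developer": {"git:write", "ci:deploy-staging", "customer-db:read"},
    "finance-analyst": {"erp:read", "payroll:read"},
}


@dataclass
class Grant:
    entitlement: str
    granted_on: date
    granted_as: str  # role the person held when the grant was approved


@dataclass
class Identity:
    user: str
    current_role: str | None  # None: the person has left the organization
    grants: list[Grant]


@dataclass
class Review:
    keep: list[str] = field(default_factory=list)
    revoke: dict[str, str] = field(default_factory=dict)  # entitlement -> reason


def review(identity: Identity, today: date = date(2024, 6, 1)) -> Review:
    """Sort one identity's grants into keep/revoke with a reason for each revoke.

    `today` is a fixed constructed review date so the output is reproducible."""
    result = Review()
    if identity.current_role is None:
        # Anything a departed person still holds is an offboarding gap.
        for g in identity.grants:
            result.revoke[g.entitlement] = "user has left; offboarding incomplete"
        return result

    baseline = ROLE_BASELINE.get(identity.current_role, set())
    for g in identity.grants:
        age_days = (today - g.granted_on).days
        if g.entitlement in baseline:
            result.keep.append(g.entitlement)
        elif g.granted_as != identity.current_role:
            # Justified by a role the person no longer holds: classic access creep.
            result.revoke[g.entitlement] = (
                f"granted as {g.granted_as} {age_days} days ago; "
                f"not in baseline for {identity.current_role}")
        else:
            # Granted under the current role but outside its baseline: needs a record.
            result.revoke[g.entitlement] = (
                f"outside baseline for {identity.current_role}; needs a documented exception")
    return result


def review_all(identities: list[Identity]) -> dict[str, Review]:
    return {i.user: review(i) for i in identities}


SAMPLE_IDENTITIES = [  # constructed sample data
    Identity("alice", "finance-analyst", [
        Grant("ticketing:write", date(2017, 3, 1), "support-engineer"),
        Grant("customer-db:read", date(2017, 3, 1), "support-engineer"),
        Grant("git:write", date(2020, 9, 14), "backend-developer"),
        Grant("ci:deploy-prod", date(2021, 2, 2), "backend-developer"),
        Grant("erp:read", date(2023, 1, 9), "finance-analyst"),
        Grant("payroll:read", date(2023, 1, 9), "finance-analyst"),
    ]),
    Identity("bob", None, [Grant("git:write", date(2019, 5, 20), "backend-developer")]),
    Identity("carol", "backend-developer", [
        Grant("git:write", date(2022, 4, 4), "backend-developer"),
        Grant("ci:deploy-prod", date(2022, 4, 4), "backend-developer"),
    ]),
]

if __name__ == "__main__":
    for user, r in review_all(SAMPLE_IDENTITIES).items():
        print(f"{user}: keep {r.keep}")
        for ent, why in r.revoke.items():
            print(f"    revoke {ent}: {why}")
```

Run against a real directory export, the same logic turns “my god, you have access to just about everything” into a per-person revocation list with the justification that has lapsed, which is what an access review needs in order to act rather than to file another policy.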
We should pursue a culture of understanding and of sharing information — while still treating personal data as sacrosanct, he said.
Creating a fully zero trust organization, he said, could end up hampering work by creating too much ownership, resulting in top-down control and workflow bottlenecks.
He advised focusing first and foremost on the scariest thing keeping the CEO up at night.
Define your priorities before making the leap to fully zero trust. In the end, that means opening up the often very siloed security and data departments with transparency. And when things go wrong, it’s essential to detect it quickly, resolve the issue, and share what happened.
And repeatedly emphasize the human reasoning for the change, as Ashby advised from his organization’s experience: “There was an underlying theme from the messaging — security and protecting people, their devices and our data.”