THE HIDDEN POWER OF


This page is based on the article published Feb 2024 and will continue to be developed here.

Daytime Stress and Sleepless Nights

Managing cybersecurity, networks, workloads, and websites can be stressful, especially when many things go bump simultaneously in the middle of the night. During calmer daytime moments, we rationalize decisions, selecting the right defensive or application architecture, analyzing problems, and balancing business and technical requirements, all based on logical thinking.

Reality Check

However, when we think we are making logical choices based on facts, brain science tells us that we are actually making emotional decisions. These are based on what will cause us less stress or risk to our reputation or company. Receiving praise for meeting personal performance indicators is important, or maybe we just like the person selling us something.

After that, we look for reasons to justify such decisions based on logic, showing off our smart thinking to look good and be admired. So, what has this got to do with Zero Trust?

Why Does Zero Trust Empower Your Thinking?

For those not familiar with Zero Trust, please see cybyr.com/zt. The empowering principle that is relevant here is “Never Trust, Continually Verify.” As you look at the impact and value of verification, you realize how it creates clear, stress-free decision-making in the following five areas:

1

COMMITMENT

“Always Verify” Implies: A Commitment to Being Secure
“Trust” Implies: An Expectation That It’s Secure

When you trust somebody or something you do so with an expectation it’s all going to work out just fine. However, expectation is dangerous. When things don’t work out, you either blame yourself or somebody else for the result not being what you wanted or expected. When you verify, you are implementing your commitment that the processes, the software, the devices, and the people you train will be secure. Clearly there are no guarantees with security, but if things don’t work perfectly, instead of being upset, you are left with your commitment to keep verifying. It’s all part of the journey.

2

DELEGATION

“Always Verify” Implies: Managed Delegation of Responsibility
“Trust” Implies: Abdication of Responsibility

Only when your HR department, your service provider, software supplier, CPA firm, your physical security company, etc., verify in writing that what they have delivered is secure are you truly delegating, not abdicating, your responsibility. This makes a huge difference to how you operate your security. I have further developed this since my ISE article last August (at cybyr.com/delegation) to show all the steps for providers and software companies to self-verify their products and services.

3

INTEGRITY AND CONTROL

“Always Verify” Implies: Integrity; Empowering and Proactive
“Trust” Implies: A Sense of Being Incomplete; Disempowered, Passive

If you just trust your own internal departments or a third party, then you are left with a sense of being incomplete. This is why verification gives you a sense of integrity or, expressed another way, you are whole and complete—and not stressed.

Deploying unverified software can be very passive and is the source of many catastrophic attacks. You are just not in control yet still liable for any consequences. Properly delegating and verifying supply chains’ internal processes is both empowering and proactive. This is why Zero Trust aligns closely with how you can take an executive responsibility in your organization, helping you contribute and add value to your organization in a new way.

4

PROTECTION, CONFORMANCE, COMPETITIVE POSITIONING

“Always Verify” Implies: Measurable Written Protection; Competitive Positioning
“Trust” Implies: Uncertain Liability, Accountability; Cost Center

Verification also provides written, measurable protection that is an essential element of the SEC’s requirements to show that you have proper processes in place. It works to the benefit of your organization and your suppliers, effectively creating a paper trail that can be included in your website’s terms and policy statements.

All of this is not just to ward off stress and uncertainty. This whole ethos can not only enhance your competitive position relative to those who do not adopt it, but also establish your organization as a leader in protecting your business clients/customers. This transforms adoption of Zero Trust from pure defense into a difference-making advantage.

5

CONTINUOUS MONITORING

“Always Verify” Implies: Continuous Monitoring and Auditing
“Trust” Implies: One-Time Monitoring

Verification is not a one off—which is why I prefer my version of the mantra “Never Trust, Continually Verify” to the original.

What or who was authenticated five minutes ago may now be out of policy. In fact, if you are not continually and automatically monitoring all aspects of your risk, then all you are doing is protecting the past! This is, after all, why it’s never over in cybersecurity.

FINAL WORD

You can see why, beyond the mechanics of Identity and Access Management, Policy Enforcement and microsegmentation, Zero Trust creates clear thinking that reduces stress and acknowledges the emotional aspects of your technical and business decisions.

Now you are armed with thinking that you can apply throughout your organization and beyond – not just to your data, networking and software – and indeed not just to cybersecurity. If you do get it, then I advise taking a deep breath, putting a smile on your face, and getting back to enjoying your job!