“To combat confusion, I prefer the mental model offered by ‘intentional trust’ over ‘zero trust.’ Laziness in communication and terminology leads to laziness in thinking — a luxury cybersecurity professionals cannot afford.”
Adam Bricker, Executive Director of the Carolina Cyber Center at Montreat College
What leaders communicate about zero trust is just as important as how they communicate. There are too many variables at play to take this truth lightly.
“Words matter,” he said. “And how we communicate trust — or a lack of trust — to those in our organizations impacts how people react to and receive the cyber practices and processes we’re advocating for.
“We all process information differently, see the world differently and come to work with varied levels of understanding that influence our behaviors and why we do the things we do.”
“One of the first principles of cybersecurity is that cybersecurity is primarily a human problem and, therefore, it’s a human endeavor,” Bricker said. “People configure these systems, people click on the links, people decide to share data, people go dark on insider threats.”
Among the core principles guiding his work is the belief that his job, and the job of other security professionals, is to get people to act. “Confusing the people we serve doesn’t help them,” Bricker said. “Exciting them without unduly inducing fear … that can help!”
He shared how communicators, both inside and outside the security shop, can invite more people into conversations around zero trust.
Properly Frame the Conversation Around Trust
- Zero trust is really a question of intentional trust.
- It’s about earning trust with individuals, intentional trust between systems and intentional trust between third parties.
- For example, by default, access to systems and data is denied, and users must earn trust again and again.
Takeaway: “It’s not because I don’t trust you,” Bricker said. “I just have rules of officially tolerated conduct. And as long as you meet those, we can trust each other.”
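To make the framing concrete, here is an added illustration in Python (not code from the article, GovLoop or Bricker) of what "denied by default, trust earned again and again" looks like as a policy check. Every request starts from deny and is evaluated on its own against explicit rules of tolerated conduct; an earlier approval carries nothing forward, and proof of identity that has aged past the rule's limit has to be earned afresh. The subjects, resources, thresholds and clock are constructed assumptions for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Request:
    """One access attempt, carrying the trust signals presented with it."""
    subject: str
    resource: str
    action: str
    authenticated_at: datetime  # when the subject last proved who they are
    mfa_verified: bool
    device_compliant: bool


@dataclass(frozen=True)
class Rule:
    """Explicitly tolerated conduct: who may do what, and how fresh the proof must be."""
    subject: str
    resource: str
    actions: frozenset
    max_auth_age: timedelta
    require_mfa: bool = True
    require_compliant_device: bool = True


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide(request: Request, policy: list, now: datetime) -> Decision:
    """Evaluate a single request with no memory of earlier requests.

    Access is denied unless some rule explicitly permits the subject, resource
    and action AND every trust signal that rule demands is present and fresh.
    A request allowed a moment ago earns nothing for the next one.
    """
    reasons = []
    for rule in policy:
        if rule.subject != request.subject or rule.resource != request.resource:
            continue
        if request.action not in rule.actions:
            reasons.append(f"action {request.action!r} is not tolerated conduct")
            continue
        if now - request.authenticated_at > rule.max_auth_age:
            reasons.append("authentication older than allowed; re-authenticate")
            continue
        if rule.require_mfa and not request.mfa_verified:
            reasons.append("MFA not verified")
            continue
        if rule.require_compliant_device and not request.device_compliant:
            reasons.append("device posture not compliant")
            continue
        return Decision(True, f"permitted by rule for {rule.subject} on {rule.resource}")
    if not reasons:
        reasons.append("no rule covers this subject and resource")
    return Decision(False, "default deny: " + "; ".join(reasons))


# Constructed sample policy and clock; the names and limits are hypothetical.
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
POLICY = [
    Rule("alice", "hr-records", frozenset({"read"}), max_auth_age=timedelta(minutes=30)),
    Rule("bob", "web-portal", frozenset({"read", "write"}),
         max_auth_age=timedelta(hours=8), require_mfa=False),
]


def run_demo() -> list:
    """Four constructed requests; returns the decision for each, evaluated independently."""
    fresh = NOW - timedelta(minutes=5)
    stale = NOW - timedelta(minutes=45)
    requests = [
        # earned: explicit rule, fresh login, MFA, healthy device
        Request("alice", "hr-records", "read", fresh, True, True),
        # same person, same resource, but the proof of identity has aged out
        Request("alice", "hr-records", "read", stale, True, True),
        # same person, action outside the tolerated conduct
        Request("alice", "hr-records", "write", fresh, True, True),
        # nobody wrote a rule for carol, so nothing is granted
        Request("carol", "hr-records", "read", fresh, True, True),
    ]
    return [decide(r, POLICY, NOW) for r in requests]


if __name__ == "__main__":
    for d in run_demo():
        print("ALLOW" if d.allowed else "DENY ", "-", d.reason)
```

The point of the demo is the second request: nothing about the person changed, only the age of their proof, and the answer flips back to deny until they earn it again. That is the "relationship" reading of intentional trust rather than a one-time gate.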
Consider Mental Models
“Mental models are how we understand the world,” said Shane Parrish, a former cybersecurity expert at Canada’s top intelligence agency and a champion of self-improvement strategies. “Not only do they shape what we think and how we understand, but they shape the connections and opportunities that we see.”
Bricker is a proponent of using mental models to change behaviors by providing a shared understanding of cybersecurity basics and desired outcomes. For example, the mental model of an economist is to change behaviors — such as where to invest and importing and exporting — based on the velocity of money, he said.
The mental model of cybersecurity is similar to that of an economist, Bricker explained. “I’m trying to change the end user’s behavior based on the velocity of something (money, in the case of economists). In this case it’s the velocity of trust. So we have these two seemingly opposing ideas.”
Takeaway: “If we can establish the mental model that says, ‘It’s about intentional trust, and that intentional trust is just like [a] relationship.’ … It’s not like you get it once and you always have it. Intentional trust is earned all the time.”
The words zero trust don’t help create the right mental model of what’s actually happening and why it’s happening. The focus is on intentional trust.
Take Small Steps
For security professionals, one way to shape the conversation and to influence positive behaviors is by talking about zero trust in small steps.
For example, what is the best thing we can do now to secure X? That might be a wastewater treatment facility, a web portal or a system storing sensitive employee data. Keep it simple and boil it down to one thing that non-security professionals can invest in as a next step.
Takeaway: “The first step of 1,000 miles starts with one step,” Bricker said. “So think about the human dimensions of change. Get them on that one step. Reward them for that one step and continue to move on.”
Author Stephen Covey teaches us that organizations move at the velocity of trust, which ties back to the earlier notes on intentional trust. The faster and more seamlessly people can prove they are who they say they are, the quicker transactions can take place and mission operations can move forward. But core to this work is how well organizations communicate the reasoning, value and impact of zero trust to the workforce.
“When the complexity of your problem exceeds the sophistication of your solution, your best bet is to invest in people,” Bricker said.
This article is an excerpt from GovLoop’s guide “Why (Zero) Trust Matters at Work: And How to Foster It.”