Why Zero Trust Matters

This week we welcome our friend and colleague Matt Chiodi to the blog. Matt has over two decades of security leadership experience and is currently the Chief Trust Officer at Cerby. He’s an expert on Zero Trust, and we’re glad to have him as a guest contributor to our blog.

Zero Trust is a set of principles that assumes a breach is likely to occur and that no data, application, asset, or service should be trusted by default. IBM Security found in a 2021 study that when appropriately implemented, Zero Trust can reduce the cost of security breaches by 43%. Zero Trust is a proactive security strategy that helps organizations protect their data and applications by verifying the identity of users, devices, and applications and monitoring their behavior.

The traditional approach to cybersecurity, which assumes that assets and applications inside a network are trusted because they belong to the company, is no longer working. The number of publicly disclosed breaches in 2022 exceeded 4,100, making it clear that the old approach is no longer effective. The problem with the traditional approach is that it focuses on building a wall around the network. This doesn’t work since most employees work in hybrid environments where traditional controls cannot be applied. Today’s attackers are also using sophisticated techniques to bypass these walls and gain access to the network.

One of the critical benefits of Zero Trust is that it can be highly effective when applied correctly. However, there are some situations where it may not be the best approach. For example, with employees, Zero Trust can be counterproductive. Research from cybersecurity company Cerby found in their latest report, State of Employee Trust, that 60% of employees said applications being blocked negatively affected how they felt about their company. To gain employee trust, security and IT teams need to revisit many security tools used in most enterprises.

An overreliance on enforcement-based controls, such as blocking, banning, and denying employee use of employee-preferred applications, can erode employee trust. These measures can negatively impact employee satisfaction and productivity, as they impede their ability to do their job efficiently. Moreover, if employees feel their employer doesn’t trust them, it can negatively affect employee engagement and morale. An interesting finding from the Cerby report found that if empowered to choose the applications they use for work, 39% of employees said they would be willing to take a 20% cut in pay. This finding sheds light on what many employers fail to realize: applications are intimately tied to how people get their work done and their job satisfaction level.

One can use a combination of Zero Trust principles and enrollment-based controls to achieve the best of both worlds. Enrollment-based controls take a different approach and incentivize employees to make security-conscious decisions by providing them with tools and processes that help them work more efficiently and productively. With this approach, security and IT teams can create an environment with something in it for both the employee and employer.

The bottom line is clear for leaders who want to build high-performance organizations for shareholders and employees: Zero Trust is only for applications and data, not employees. Organizational leaders must take tangible steps to build trust daily if they want the highest quality products, continuous improvement, and innovation.

Matt Chiodi has over two decades of security leadership experience and is currently the Chief Trust Officer at Cerby. Prior to Cerby, he was the Chief Security Officer of Cloud at Palo Alto Networks. Chiodi is a frequent blogger, podcaster, and speaker at industry events such as RSA. He is also on faculty at IANS Research.