Digital Trust versus Zero Trust?

Trust. Such a big concept in five little letters.

In 2019, I collaborated with Palo Alto Networks on a global research project exploring digital trust. In 2020, I worked with Okta on a separate global research project addressing digital trust once more. Both pieces of research yielded fascinating insights.

The research with Okta, in particular, came at a very interesting (and challenging) time in terms of trust. As COVID-19 spread around the world, perceptions of trust were turned upside down almost overnight. As we suddenly questioned our trust in the physical world - the air we breathe and the surfaces we touch - many of us were pushed into trusting much more readily in the digital world so that we could continue to work and connect.

This was true for organisations as much as it was for individuals, with many organisations going through a forced digital transformation. Plans to move more fully to the cloud or to deploy more remote working were actioned in days and weeks, rather than months and years.

The Okta research highlighted the importance of digital trust for organisations and individuals. Findings indicated, for example, that 88% of UK participants were unlikely to purchase from a brand they didn't trust and that 47% permanently stopped using a firm's services after hearing of a data breach. Many respondents were concerned about cyber security threats but unaware of whether their employer had taken proactive security steps.

I've spoken a few times about the importance of trust in the context of security culture. A positive culture is one in which people trust their employer - and their colleagues - and they feel that trust is reciprocated.

Where does Zero Trust come into this?

In a recent cultural assessment for a client, a participant in one of our focus groups commented:

We know that engaging positively with people, building up their self-efficacy and their sense of psychological safety is crucial in a positive security culture. How does this fit with a concept that, in its very name, rejects trust?

On the flip-side, cyber criminals exploit trust in so many of their attacks, from social engineering to identity theft. We have experienced this acutely during the pandemic. The combination of a shift in digital trust, accelerated digital transformation, rapidly changing information and heightened emotions due to COVID-19 created a perfect storm for cyber criminals.

Professor Roderick M. Kramer

The Verizon 2021 Data Breach Investigation Report, for example, highlighted that for cyber criminals phishing is still the top vector (and grew in the last year) and credentials are the most sought-after data. With this in mind, and the increase in remote working, it is hard to argue against the principles of Zero Trust.

Perhaps this is where the problem lies. Not in the principles of Zero Trust - I especially like Paul Simmonds description of Zero Trust as "an architectural state of mind" - but the term itself. Trust is a human concept, with emotional connotations.

Let's say you're a CISO, and you tell all of your colleagues that the organisation is rolling out a Zero Trust approach. To many this won't sound like something that applies to security architecture alone. For most people, arguably, trust is regarded as an emotional state and not something that technology does. And so, "zero trust" sounds like something that applies to people. That the organisation no longer trusts anyone in the organisation. Just as trust begets trust, distrust begets distrust.

The term Zero Trust is also inherently negative, and people generally do not engage with negative messaging. I know many people in the security community agree that we should move perceptions away from security being "the department of 'no'", and yet the term Zero Trust fits very neatly in the department of no's vocabulary.

Dr Frank Luntz

When it comes to cyber security culture, words matter - and trust matters even more.

I don't know what this means for the future of Zero Trust, but I do think it's a conversation worth having.