Security Think Tank: Zero trust is not the answer to all your problems

I can barely open my inbox these days without the words zero trust appearing. Opinions of it as an information risk methodology vary, and for good reason. You are effectively classifying your employees in a way that they may not find edifying or complimentary. Many people say this is the price you pay for robust security and, clearly, there are a heck of a lot of products relying on you believing that too.

I feel what you gain in security, you may lose in demotivated people and increased staff churn and low morale. If you want a good example, look at your average call centre.

There are certain applications for zero trust that have been in place for years already, I am thinking about parts of the nuclear and finance industries, for instance. The convoluted user needs here make zero trust a very attractive proposition and effectively make the security team’s life a lot easier.

However, the trend toward zero trust in a range of business areas as a kind of blanket solution seems more like giving up entirely on risk management and taking the path of least resistance – user be damned.

As you can imagine, this is not something I would ever propose and there are several reasons for this, some of them relating to security, and some to leadership:

• It feels too much like an extension of the “stupid users” trope we have been trying to shake off for years – they can’t be trusted, eye-rolling ensues, and so on.
• It feels like an extension of “security says no” – see above.
• Staff retention is cheaper than recruitment. When you have good staff, you want them engaged, enabled and growing. Most importantly, you need them to stay. Inappropriate use of zero trust will totally stymie this.
• Innovation comes when the work environment is not restrictive. Although zero trust may not affect some people in terms of their ability to conjure greater efficiencies, good ideas and new thinking, many will be affected.
• Security will always be seen as a challenge by those who seek to break it. Yes, this will limit the opportunity, but the challenge will remain at the same time as everything else being limited.

I am prepared to have a debate about zero trust and its applications – so far, I remain unconvinced that it is the best we can come up with. Businesses already display a “hands off, keep away” approach to security as they would prefer to buy a solution that they can imagine will solve all their problems, rather than get involved (yes, I know I am generalising).

I feel widescale application of zero trust will merely legitimise this approach and the users will lose out, quickly followed by the businesses themselves. We are in danger of abandoning culture and education entirely in a belief that the technology will save us.

The first danger there is that we know organisations are less than great at maintenance – you only have to look at WannaCry and NotPetya to see that. Even when a new patch is issued, there are still those that don’t bother to use it. And human error is still the biggest factor in breaches and incidents. An authorised human error is still human error.