
Security leaders must solve the true Zero-trust issue


The growing excitement about, and drive toward, zero trust is hiding the true problem security leaders need to solve.

Yes, it makes sense to consider “zero trust” when referring to networks, data, and identities. After all, the amount of information we need to access, keep, and secure is changing dramatically. Our challenge grows as remote and hybrid jobs become more common.

The issue is how the movement toward zero trust interferes with our efforts to link security to commercial outcomes. If we don’t address the underlying problem, our efforts to gain respect and acknowledgment for the important job we’re doing may be limited.

Learning from ‘least privilege’

We used the term “least privilege” often in the late 1990s and early 2000s, when identity was at its peak. And almost every time we informed the company that we intended to impose least privilege, someone would become violently upset with us because, as they saw it, we were certainly going to stop them from working.

You see, they heard the word “least” in a negative context before the word “privilege,” which they craved.

Despite the repeated assurances that “you’ll have exactly what you need to complete your work, no more and no less,” the term continued to cause unnecessary conflict.

Going forward, apply that lesson to trust. Both the employees and we ourselves want to be more confident in each other. It seems strange, then, that our recommendation for them is complete distrust. Once more, we have rejected what they wish for.

Why don’t we trust developers?

We recently had a heated discussion on methods to increase development security without relying on the security team during office hours.

That raised the natural question: “Why don’t we just let the developers have the security tools and use them?”

Jim (not his real name) laughed as he explained that every time he suggests it, he’s told, “We can trust developers to do security the right way. They need us to make sure they’re doing it the right way.”

We discussed the conflict this causes and how conflict exhausts individuals while destroying trust.

That’s when Nicole (not her real name) jumped in and said, “Well, there’s your real zero-trust challenge.”

The real zero-trust issue

It’s interesting that the phrase “zero trust” conveys the trust security places in other teams while also taking away what most people want. Although we are aware that this does not apply to everyone, it comes up often enough in conversations to warrant more thought.

Many security leaders are still fighting the perception that they impede advancement. As a result, people are less likely to cooperate with us to meet our needs as a group.

The challenges we must overcome are building trust inside our business and learning to trust others to take responsibility and action to better secure the information and resources they rely on.

It feels less like “zero trust” and more like “massive trust.”

Flip the script on “zero trust”

If we want to address our priority problems and produce value more quickly, we need to consider how we frame our approach when working with others. Avoiding the message that we don’t trust our colleagues takes close attention to language and delivery.

Concentrate on the issue that your zero trust initiative addresses. Encourage others to add their knowledge and experience to the solution. And collaborate to create the internal trust you need to accomplish your goals.

You must be trusted to connect to business outcomes, and you must also have the confidence of your partners, coworkers, and other stakeholders in business and technology.

