Zero Trust or Digital Confidence?

Joanna Stevens
Jun 30, 2022

Zero Trust often gets misunderstood as a concept. After all, the term is almost as oxymoronic as the phrase ‘Jumbo Shrimp.’ The phrase Zero Trust has such a negative connotation that it can be somewhat off-putting, if not downright hostile. The wider cybersecurity industry has fully embraced Zero Trust, more in the industry are advocating for it, and more organizations are moving towards adopting it. Could it be time to rebrand the concept to be more inviting to those it impacts most?

What is so Bad About Zero Trust?

John Kindervag, credited with coining the term, said: “Trust is a human emotion that refers to the level of confidence someone has in something, but it’s a vulnerability and an exploit in a digital system.” He added, “So, for folks trying to move to a Zero Trust environment, step one is to eliminate the word ‘trust’ from your vocabulary as it relates to digital systems. Trust is binary; it is on or off. Think about using the term ‘confidence’ instead. Confidence can exist on a continuum. It’s an important distinction.”

This literal turn-of-phrase is a powerful idea coming from the expression’s originator. Whether seen as a human emotion, or a vulnerability in a digital system, it would seem that trust is a fragile specter.

What is Digital Confidence?

By contrast, the term digital confidence is perceived more positively. Digital confidence is the feeling imparted to your organization’s patrons whenever they interact with the organization’s platform. This can include the employees as well as the clients. It provides total assurance that your customers engage with mobile and web applications through the most secure experience.

Always Remember the Human Element

While Zero Trust has become a default security approach for many organizations, they must remember the human element of cybersecurity. A proper security architecture should always incorporate the human element. It is the engine that runs the business. In many cases, employees are the first to report suspicious behavior, such as a phishing email or some other manipulative ploy. A Zero Trust architecture would include a streamlined reporting mechanism, making it easy to alert the security team that the organization is on an attacker’s radar. Most of the time, a phishing campaign will target the complete list of publicly exposed email addresses, and there will probably be more than one attempt to entice a person to click a malicious link.

Many organizations lean on security tools and automated options to lead execution and strategy, but these systems can sometimes lack agility and the ability to cover emerging trends and shifting requirements. Human behavior is a vital component of digital confidence. Although technology and security professionals understand the value of security, including identity and access management and multi-factor authentication, our non-security colleagues often operate with limited security knowledge. For example, they may often assume that their systems are secure, which may lead to harmful or negligent actions, resulting in unintentional consequences. Well-trained employees are the best defense to deter social engineering attacks, and this defense is nurtured through transparent actions by the security team. If the employees understand what the systems can and cannot do, it increases the likelihood that they will be active partners in keeping the organization safe.

The Philosophy of Zero Trust to Better Digital Confidence

Every organization will interpret Zero Trust principles in ways that work best for them. The IDSA’s 2021 Trends in Securing Digital Identities reported that 93% of IT security experts felt Zero Trust is strategic to securing their organizations, and 97% agreed identity is a foundational piece of Zero Trust. These agreements must be considered in tandem, recognizing that security solutions are not static entities supporting both current and future application needs. Organizations also need to contemplate all possible risks.

Many companies are planning to invest in identity-focused security in the years ahead, and flexibility will be necessary in terms of better digital confidence. For instance, when implementing a multi-factor authentication solution, not only must it be technically frictionless, but its implementation must be as transparent as possible. Just as trust is hard to build and easy to damage, confidence propagates through transparency.

Just as the object of Zero Trust was to improve the user experience, digital confidence should do the same while also promoting greater productivity. Digital confidence can increase certitude across the entire digital estate, integrating verification and controls across security pillars, monitoring your security posture with robust governance, and using automation to simplify and strengthen that posture.

Conclusion
Security has often been viewed as a hindrance in many organizations. The cynic will complain that it inconveniences the many to protect against the few. And whereas a security zealot may love the alienating ring of the phrase Zero Trust, it is hard to deny its lack of allure.

Zero Trust is dead. Long live Digital Confidence. Some would argue that this change is merely crafty wordsmithing. However, when we think of rebranding a product to make it more attractive to a broader audience, this tactic may be precisely what is needed to sell the digital confidence solution concept to a security-averse audience. And as C-Level executives always prefer more potent words like ‘confidence’ rather than ‘zero’, why not cater to their tastes? Put even more bluntly, which sounds better to you, ‘buy two and get 50% off’ or ‘buy one, get one free’?

Joanna can be reached at LinkedIn or at Bora Design.


Joanna Stevens is a Content Specialist at Bora Design, writing about her interests in Cybersecurity.