Image ep_jhu under a Creative Commons license

Zero Trust

Last week I read in USA Today the conclusions of a report produced by a committee of the US House of Representatives. The report is the result of an investigation carried out following the attack on the US Office of Personnel Management that exposed the personal data of millions of public employees and citizens last year. The 231-page report suggests that, in order to prevent cyber attacks, federal agencies of the United States should establish a system of “zero trust” that considers government employees as big a security threat as any outsider user. More specifically, lawmakers propose all data traffic travelling over governmental agencies’ networks to be considered as threat traffic until authorized by the IT team.

The article did not comment on the reaction of the governmental officials affected by this proposal, though I guess it has not been much applauded…

In my opinion it’s one thing to propose actions like the other measures included in the same report (i.e., paying competitive salaries to attract good computer security experts, putting in place mechanisms to ensure security issues are reported as soon as they are detected, modernizing aging federal computer networks to facilitate the encryption of sensitive information, etc.) and something else for a bunch of politicians to tell you that as a public servant you are as worthy of the trust of the government that employs you as if you were a total stranger.

Additionally, this says very little about the quality of the people management systems of the US government, starting with the protocols they use to select public employees. For what we see it seems they have not paid much attention to the trustworthiness of candidates or, at least, to the trustworthiness of their online behavior…

Some may argue that digital skills are something “modern”, and with many government officials not being “digital natives” they do not know very well how to behave online, so it is very easy for them to screw things up inadvertently. But still, federal agencies could be aware of this risk more than a decade ago, and may have launched training programs aimed at enhancing the digital competence (particularly the digital behavior) of its employees. Yet, considering the situation we face, it seems they have not done it or, if they have done it, they have achieved very poor results.

However, the worst thing of all is the impact such a message can have on the mindset at work of government officials (i.e., their psychological capital) and, subsequently, on their performance.

That message reflects a way of thinking still present in the minds of many business leaders who, even if they don’t say it explicitly, are of the opinion that “think the worst and you won’t be far wrong”. A belief that is terribly pernicious for an organization’s agility, because to succeed in today’s volatile, complex, and uncertain world organizations need more than ever the skills, imagination, relationships and passion of their people. And without a climate of trust this simply will not happen.

If an organization does not trust its people it will move much more slowly than its competitors because everything needs to be supervised, resources go to control and monitoring systems instead of being applied to productive investments, and people don’t dare to experiment, or connect to outsiders to sense what is going on in the organization’s environment.

When they propose a “zero trust” system, American legislators (and business leaders who think in the same line) also forget that the feeling of being trusted encourages people to take risks, open up, share the bad news, and question things, all of which is essential to innovate, learn, and make sense of a changing world.

Three years ago, Ammy J.C. Cuddy, Matthew Kohut and John Neffinger argued it in an article published in the Harvard Business Review titled “Connect, Then Lead”:

In management settings, trust increases information sharing, openness, fluidity, and cooperation. If coworkers can be trusted to do the right thing and live up to their commitments, planning, coordination, and execution are much easier. Trust also facilitates the exchange and acceptance of ideas — it allows people to hear others’ message — and boosts the quantity and quality of the ideas that are produced within an organization.

In short, if an employer does not trust its employees, how can that employer expect its people want to give their best at work?

Just think about it…

Link to Spanish version