Chapter 9
A Sustainable Culture

Chun Park wasn't a normal celebrity. He was what was known as a walkie-talkie on the MarchFit app. Many of the content creators on the MarchFit network didn't say anything; they just filmed themselves walking or running in lots of different kinds of locations. Often, people at home walking on their desk treadmills were doing other things, like working or talking on the phone, so they just wanted to see some pretty background scenes. The walkie-talkies took a different approach: they would narrate their walks. And these narrated videos were some of the most popular because people would purposefully take a break during the day to go for a walk with someone they enjoyed being with. Chun's voice and calming demeanor were like a mix between Bob Ross and Fred Rogers.

Chun was a retired farmer from Jintai District in China who had taught himself English over the Internet. His children had been successful, and he had moved to the mountains. He joined MarchFit three years ago and took two walks per day through the countryside, once in the morning and once in the afternoon. People thought he was much more like Snow White the way animals would walk right up to him and eat out of his hands.

“Today is a special day, friends,” Chun said, beginning his walk on a gravel path, birds singing in the distance. “Security has been very important to me in my life. I know it's important to you, too. MarchFit didn't ask me to say anything, but I've seen how many changes they've made recently. I'm honored to be a part of such a team. If you tap on the information tab, there's some helpful information about protecting your account you should look at.”

Inside the MarchFit headquarters, Dylan checked his tie in the bathroom mirror. He was in the washroom outside the executive briefing center (EBC). He had put on his interview suit mostly because it was the only suit that he owned. He came out, and Vic's assistant waved him into the conference room.

The room was full of people that he recognized from TV. They also served on the board of directors for MarchFit. The man sitting next to Vic owned a football team. The woman sitting between Kim and Donna was a technology CEO who was on this month's cover of Wired. And he was pretty sure the man at the end of the room sitting by Kofi was a former congressman.

They sat through the financial auditor's presentation. Dylan noticed the former congressman starting to fall asleep, but then it was his turn to speak. As he stood up, his presentation appeared on the video wall behind him without him having to do anything.

“When Noor asked me to brief the board on the status of Project Zero Trust, I was a little nervous.” Dylan paused, and several board members laughed. As Dylan looked around the room, everyone was leaning forward, eyes focused on him. “Let's face it, I'm still nervous.” That got even more laughs. “I was skeptical at first about Zero Trust. But now that we've been doing it, I can say that we've made one of the best strategic decisions we could have made. That's what Zero Trust is—a strategy for aligning security and the business.”

Dylan paused, waiting for any questions. Hearing none, he advanced his PowerPoint slide to the next screen. The only thing on the slide was a number: $6,343,261.

“Zero Trust is about aligning security and the business; that's actually the first step. Over the last several months, I've spent time talking with Donna, our department heads, and other leaders getting to know how our business operates. Partly as a response to our recent breach, we know how much it cost to respond to the malware and get back up and running.”

“Isn't six million dollars a little low?” Vic asked. “I thought our total cost was much higher.”

“That is correct, Vic,” Dylan answered. “It costs us about six million dollars for every hour we're down.” There was an audible gasp in the room.

“I thought that our revenue was fixed,” one of the board members said. “We lost some monthly subscriptions, but that didn't impact us that much.”

“Revenue did take a dip,” said Donna. “But all of our costs were still there. We kept our stores open and we continued to pay our content creators even though no one was watching.”

“And we know the impact to our brand was also significant,” Kofi added. “I assume that's included in this number as well.”

Dylan nodded. “From the ransomware incident, we know that it took about thirty-six hours before we were operational,” Dylan said.

“You're saying that the real cost of this breach was over two hundred million?” Vic asked.

“Yes,” Noor said. “But the real headline here is that this is currently the minimum loss we can expect for any future incident. And we have a high degree of certainty that some kind of cyberattack will happen again.”

Dylan advanced to the next slide, which had a list of the different projects that the Zero Trust team had launched over the last several months. There was a timeline labeled “Recovery Timeline” in the center of the screen with thirty-six different hour-long increments. Each Zero Trust project had lines of different thicknesses connected to different segments of the timeline; some were one or two hours, others were six or eight hours wide.

“The focus of Project Zero Trust has been to contain a breach or other incident to the smallest impact possible. After careful analysis of these projects, we've shown how we can reduce the time it will take to recover from an incident from a minimum of thirty-six hours down to eight hours.”

The group continued to ask Dylan questions, each bringing up the part of the business most important to them. Dylan stayed after the meeting was over, the executives slowly filing out as he continued to field questions from board members who were curious about different aspects of MarchFit's technology. Looking at his watch, Dylan realized he was late for a debrief with Vic.

Dylan knew the way to Vic's office, but the path was completely different. He was pretty sure new walls had been put up for different meeting areas. There was now a robot security guard patrolling the hallways. It beeped happily as Dylan passed it going into Olivia's old office.

He knocked on the door, then entered. The room had been completely transformed. The carpet had been updated with one large rug dominating one side of the room. The walls had been updated from drywall to a single slab of stone that Dylan couldn't recognize. There was a wall full of TVs playing different news channels, all on mute. And apparently they had added a real fireplace.

Vic gestured for Dylan to sit on one of the three sofas arranged around three sides of a low coffee table. “You've been putting in new budget requests for new security projects,” Vic began. “Even though I told you we needed to focus on the new product launch.”

“I've tried to show the business case for each request we've made.” Dylan started to respond, but Vic waved him to stop.

“You were right to make those requests, Dylan. I didn't see the big picture when we first talked. But there was a big picture, and those requests helped me see it. Security is one of our core values. Olivia was right to launch Project Zero Trust. I'm starting to see how your strategy is paying off.”

“We've made a lot of progress already,” Dylan confirmed. “We're on track to complete most of our projects before the product launch in a few weeks.”

“That's why I wanted to chat with you. We're going to highlight some of our security enhancements as a part of the launch. We have to acknowledge we've had setbacks. But our competitors are facing similar challenges. We want to set ourselves apart from them based on our commitment to security.”

“That's a wonderful idea. I'd love to be able to talk about what we've done on Project Zero Trust. But I'm not sure how much I'm allowed to share,” Dylan admitted.

“I love that idea. We can have you work with our product marketing team to have you speak at some conferences. I want you to share the whole story, both the good and the bad. We need to rebuild trust with our clients. What else can we do to show our commitment?”

“We were actually just talking about cloud security. The Cloud Security Alliance has a registry of companies that have gone through a certification process to show they have the right security controls for the cloud. We could start working on that, but I don't think it will be ready in time for the launch.”

“I don't know if it has felt that way for the last couple of months, Dylan, but you've got my full support. Some people say you need support at the top to make security happen. Others say it's better to have grassroots support. You've got both here. I'm actually a little excited to see what happens at your tabletop exercise,” Vic said, standing up and extending his hand to Dylan. “You ready?”

“We're getting there.” Dylan stood up and shook Vic's hand.

It took several minutes to walk downstairs, but Dylan was pretty sure that Zero Trust Central, or ZTC as Harmony referred to the basement conference room, didn't have disco lights the last time he was there. And there was some strange electronic big band music playing softly in the background. But the whole team was back together for the first time in what felt like weeks. Rose walked up to Dylan and offered a red Solo cup. He wasn't sure what was in it, so he gave it a sniff before taking a sip. “It's too bad we never applied the Zero Trust principles to our security awareness training,” Dylan said, thinking about the upcoming tabletop exercise.

“What are you talking about?” Rose said. “Of course I applied the Zero Trust methodology to security awareness. The protect surface is people. The transaction flow is the life cycle of the employee from the interview process to the day they leave the company or retire. Sorry, I thought this was obvious.”

“No, go on!” Dylan exclaimed.

“Like we talked about in the beginning, it's more effective to secure something at the beginning, so we start with new hire orientation. But then we're rebuilding all of our IT or HR training to intentionally include elements of cybersecurity, from learning Excel to how to be a good manager. Creating policy is all about customizing the user's experience, so we offer several different tracks for security-specific training as well, based on different roles in the organization. Do you want to see our training plan?”

“Uh, heck yes. That sounds amazing,” Dylan said, thinking about the implications. “But we should start the meeting.” The rest of the room had gone quiet listening to them talk. Harmony had joined the Zoom call, and Luis, the SOC team manager, and Chris were both on the call. Peter Liu and Noor joined a few seconds later as Harmony admitted people into the meeting from the waiting room.

“Let's get started. We've only got a week left before the tabletop exercise. We'll review the scenario at the end, but I wanted to start with logistics first.” Dylan paused for a moment, waiting for any questions. “I wanted to start with the invitation list. I'd love to invite everyone in the company, but our biggest conference room is only big enough for about sixty people, and that's standing room only.”

“Why don't we do the meeting virtually?” Brent asked.

“We find that when the people participating are all in the same room, the conversation is much more dynamic,” Chris said. “There are fewer distractions from other work, and it simulates a bit of the tension from the real thing.”

“Particularly since that conference room is also the same place we had our first briefing about the ransomware campaign almost six months ago,” Noor added.

“Let's record the tabletop, but most people probably won't want to watch the whole thing,” Rose said. “We can edit it down and make the most important parts into a training video.”

“I think that's a great idea,” Dylan said. “We'll have a Zoom option, but that group will just be for observers. Vic wants to be there in person. We should invite Olivia, Kofi, Donna, and Kim at a minimum for the in-person event. Who else should we invite?”

“Agent Smecker should be there, if he's not busy with something else,” Rose said, smiling slightly.

“Our moderator will facilitate the tabletop,” Chris said. “He'll be coordinating with Peter, your security consultant, to perform the actual penetration testing. Luis will be monitoring the SOC and will raise an alarm if the SOC sees anything.”

“What happens if they don't see anything?” Peter asked.

“We'll keep going with the scenario, following the prompts, and see how far you can get. We'll take down all our notes and use those as next steps for improving our visibility and controls,” Dylan said.

“One point of warning,” Chris said. “We want to be able to simulate a real-world scenario. Sometimes things happen in the real world that can impact your incident response. So you should also be prepared for some key personnel to have unexpected family emergencies and have to step away. Everyone should have a backup that's ready to step in.”

Rose was standing in front of a large video camera perched on a tall tripod. There was a fuzzy microphone hanging above her and a green screen just behind her. The room she was in had been designed as a training lab with rows of computers where people would go for training. Since most of the workforce at MarchFit was still working remotely, they had removed the first three rows of desks and created a virtual studio. There were still several rows of desks at the back of the room that had been spread out for socially distanced in-person training.

Fiona, the production manager, came into the room, peering through the camera lens to check the image. There were a number of people already in the Zoom session. She gave a thumbs-up to Rose and said, “Whenever you're ready.” She pressed the record button in Zoom and stepped back to watch Rose.

“Collaboration is the most important thing we do here at MarchFit,” Rose said. “And it's more important than ever that we work together securely. We've got a number of different collaboration tools we support, from Slack to Microsoft Teams, but your departments may also use their own specialized collaboration tools.”

The screen displaying the chat window started to scroll with different people commenting about the tools they use in their departments, from software issue tracking to project management software.

“One of the best ways to remind us to be secure is to think about the people we're protecting.” Rose displayed a MarchFit promotional video on mute so she could continue talking. “It's easy to forget we're protecting real people. We encourage you to take some of the pictures of our users and print them to remind ourselves who we are protecting.” Several clapping icons appeared over the pictures of the people on the call and several more wrote encouraging messages in the chat window.

“We have some security controls that we put around all our tools, like Single Sign-On, or SSO, or multifactor authentication. So if your app doesn't have that enabled, let us know. These help us protect the applications, but they also give us auditing in case something does happen. Today, we'll be focusing on how to get the most out of Slack and Teams specifically, but before we dive in on how to use them, there are several security best practices that we should all be aware of for any application we use.”

Fiona cleared her throat. “One of the comments in chat asked if it's okay to use text messages as your MFA.”

“Great question,” Rose said. “The short answer is that SMS messages for MFA aren't as secure as other options. The long answer is that the bad guys do this thing called SIM-jacking. They can call your phone company pretending to be you and say that they've just bought a new phone. They have your account transferred to the SIM card that they put in a burner phone. So then, all the MFA messages you were getting via text to your phone go straight to the bad guy.”

The chat window started to scroll faster than Rose could read the comments.

“There are two other things that you should know in general before we dive in further. First, we should never trust that our tools are completely secure. And second, we should plan for things to go wrong. You guys probably know this already, but we never share passwords on Slack or Teams. Because we don't trust these systems, we don't want to put sensitive info out there that could be exposed. We have other secure systems for sharing sensitive data.”

“What about contractors?” Fiona asked.

“I'm glad you asked,” Rose said. “Sometimes we will need to give our contractors access to some of our collaboration tools. This is a necessary part of the business. But we don't have to set those accounts up to last forever. For guest access, we should always set the accounts to expire after a short period of time, like a week or a month. We can always renew the account if we need to. But we've seen from experience that if we set a guest account up to last forever, we'll invariably forget to shut it down once the contractor leaves. And this is a great way for the bad guys to get in.”

In the ZTC, Dylan, Harmony, Brent, and Nigel were listening in to an intel briefing from an analyst working for their industry Information Security Advisory Council (ISAC). Harmony pressed the mute button on her laptop. “I can't believe that we didn't join this ISAC years ago. This is some of the best information we've gotten,” she said.

“I thought it was going to cost a lot more to become a member,” Dylan admitted. “But it's just a few thousand dollars per year. We've only been a part of the ISAC for a few days now, but just seeing all of the emails in the discussion list makes me think this was the best investment we've made in a while.”

“Did you see that one with the IP addresses of some Russian threat actors who were targeting several large retail organizations?” Nigel asked.

“Yes. I've blocked them at our firewalls,” Harmony said. “But we can start incorporating some of their threat feeds to do that automatically. But I bet there's a way to validate those feeds instead of trusting them blindly. I'll have to look into that.”

“I'll have to tell Boris about the threat actors who are targeting organizations that use our underlying tech stack,” Nigel said. “Now that we know more about what they're targeting, we can do something about it.”

“Careful with how we share info,” Dylan reminded him. “We've got to follow their classification system for sharing, even inside MarchFit,” he said, looking at Brent.

“Why is everyone looking at me?” Brent said, chuckling.

Isabelle was standing next to Rose in front of the green screen. Fiona shared the screen on her laptop, showing a slide deck that read “Project Management 101.” The training was developed for managers, but Isabelle hoped to make this a recurring training through HR. The head of HR, Mia Wallace, and several of her staff were in the room at one of the back tables, watching in person.

“Okay, before we get started with the training, we're going to do something new,” Isabelle said. “It's called the security minute. We're going to talk about a security issue for the first sixty seconds of each meeting we have from now on. We encourage you to do this in your team gatherings or project briefings, whatever feels most appropriate. Don't worry—we'll email you all several topics you can bring up each week.”

The group of HR staff at the back of the room began taking notes.

“The security minute for this week is about passwords,” Rose continued. “By a show of hands, how many of you reuse your passwords on multiple sites?” Nearly half of the people in the Zoom raised their hands. All of the HR staff raised their hands. “I'm going to tell you all a secret,” Rose said, “I don't actually know any of my passwords. We recommend using a password vault. This can store your passwords across multiple devices. But the best part is that it can create a random super long password that's unique for every site you visit. And we want to encourage people to have sites remember your password. This can be a great way of helping you recognize when you've clicked on a phishing site that is trying to steal your password, because it won't already be remembered by your device. Remember, if you don't know your password, you can't give it away.”

“Isn't this just like how airline attendants go over the safety information at the beginning of each flight?” Isabelle asked, as if they had rehearsed it.

“Yes, it's exactly like that,” Rose confirmed. “We're giving out information that may or may not be new to people. But the real message we're sending with the security minute is that in the culture of our organization, we want our teams to know that we value security. We value it so much that it's the first thing we talk about. And our goal will be that it's the first thing that everyone in our organization does.”

“Now let's talk about my favorite subject—projects,” Isabelle said. “Security should also be the first thing we think about in our projects. For some larger projects, we'll have someone from IT designated to be the security liaison for a project. Smaller projects should designate someone for this role, like a deputy.”

“For this training,” Rose continued, “we're going to have a case study as the project we'll be managing. We're going to plan for a hypothetical MarchFit developer conference.”

“That might actually happen someday,” Isabelle confirmed.

“And we'll be extra prepared by having done this already,” Rose said. “But the first thing we're going to do is what we call a premortem. Most people wait till the end of a project to think about what went wrong. We're going to flip that and talk about what might go wrong. Then we'll talk about what we're going to do about it. And then plan for it.”

Dylan walked into the training studio. Mia and some of her staff were talking quietly at their table, so Dylan sat down at one of the other tables. Isabelle and Rose thanked the audience for attending their class, then came over to talk with Dylan about the tabletop exercise.

As Dylan was about to start talking, Mia walked up to the table.

“Great class,” Mia said. “This is one of the best ones you've put together. And I love how you're working security into your training.”

“Thank you!” Rose and Isabelle said at the same time.

“I've been thinking about our security awareness training,” Mia said.

“I know. We're building a whole new awareness program,” Rose said.

“Have you thought about how you measure how much people are changing? How their habits are changing over time?” Mia asked.

“We have some quizzes that we're building,” Rose said. “And we're measuring engagement.”

“I'm wondering if you might be interested in incorporating your security training into our wellness program?” Mia asked. “We know that fifty percent of all human behavior is based on habits. Our wellness program is about changing behaviors. It seems to me that our security training should be focused on changing bad habits in exactly the same way.”

“That makes sense,” Dylan said.

“And as a part of the wellness program, there's already a core group of people who participate in every activity,” Mia said. “If we can change our employee security habits, that could have a big impact. And we can measure behavior change for security just like we measure other behavior changes with our wellness program.”

Brent and Nigel were standing in front of the EBC's espresso machine while it automatically ground the beans before making a perfect cappuccino. Brent picked it up and breathed in the aroma. Sighing, he added a single spoonful of sugar to the cup and began stirring slowly. Nigel picked up his own cup and turned to see a young IT guy in a green polo shirt standing at the door of the EBC looking in. When Nigel made eye contact, the guy knocked on the door to the EBC, then waved to the two of them. Brent shrugged and walked over to open the door, holding his coffee gingerly in his other hand.

“I think that's Simon, the new guy from the help desk,” Nigel said, peering into the grinder as he brewed his own cup. Brent opened the door without saying anything.

“Are you guys supposed to be in here?” Simon asked.

“Our cards let us in,” Brent answered.

The guy looked around. “Can I get a cup of coffee too?”

“Does your card work?” Nigel asked. Simon swiped his card, and it beeped at him in annoyance and flashed red, indicating that he did not, in fact, have access.

“Come on, guys. I'm dying for some caffeine,” Simon begged.

“Just one cup,” Nigel said protectively. “But we're not letting you tailgate around with us into the data center because we're coffee chums.”

Brent shrugged, and Simon walked into the room over to where Nigel was standing. Nigel stepped out of the way so Simon could make his own cup. Simon stood there for a moment while thinking about all his choices and then pressed the button for an Americano. He had forgotten to put the mug underneath, and the coffee started dripping before he realized. He started making the coffee over again.

“I can't believe it, but I just had to help a person change their password. They couldn't figure out the portal, so I walked over in person.”

Nigel and Brent stood side by side drinking their coffees. “Why'd they need to change their password?” Brent asked.

“Oh, they clicked on a phishing link. They realized they had done it, and called to let us know. But you know what they say: People are the weakest link.”

“Uh-oh,” Nigel said.

“What?” Simon asked.

“We don't say that around Brent,” Nigel said.

“People aren't the weakest link,” Brent corrected. “People are the only link.”

“But I thought we were doing Zero Trust? We shouldn't trust anyone, right?”

“That's not what Zero Trust is,” Brent said. “I thought the same way you do. But Zero Trust requires us to work as a team. We can't be a team without trusting each other. Zero Trust isn't about individuals; it's about packets. We have to trust each other to do our jobs, but we don't have to trust the packets that are attached to that individual through the devices and networks that are the lifeblood of our organization.”

“I didn't realize that. I just heard that almost all breaches are caused by people or human error,” Simon said.

“Believing something is true makes it true,” Nigel said. “It happens so often, there's actually a name for it. It's called the Pygmalion effect. Our beliefs about people influence our actions; our actions impact what other people believe about themselves; and their actions reinforce our beliefs. The most important part of being successful at something is believing that it's possible.” Nigel sipped his coffee thoughtfully.

Simon just blinked for several seconds. He had not been expecting a philosophical discussion. He picked up his Americano and took a drink while he thought about that.

“Zero Trust isn't about being cynical,” Brent explained. “Cynicism is a shortcut so you don't have to think critically about anything because it's all bad. Zero Trust is about finding where trust relationships are inside a system and surgically removing trust without breaking the system. That takes a lot of understanding of how the business works. That takes a deep understanding of technology. And we have to apply our knowledge while trusting the team we're working for,” Brent said. “We've all worked with security guys who liked to bang their hands on their desk and explain why we can't do things. We've got to be better than that. Zero Trust helps us say yes. When we know we can remove trust from services, we can do things we wouldn't have been able to do before. If we say no, people just go someplace else to solve their problem, and that creates shadow IT, and we can't help secure something we don't know about. Because we help people do things instead of saying no, all the shadow IT out there is coming back in, and we're making it secure too.”

Dylan sat down at the conference room table late to the meeting. He had gotten used to working remotely, and travel time between meetings was one of the biggest annoyances of coming back to the office. Noor was speaking, but Dylan looked around the room at some of the IT staff that he hadn't had a chance to work with. They all had their laptops out and some were clicking or tapping on their keyboards. Another annoyance for in-person meetings that he had forgotten about. Dylan looked at the stickers on the different engineers’ laptops. Among the various technology or science fiction stickers, he kept seeing different versions of stickers with the number zero on them.

Dylan realized each sticker corresponded to one of the protect surfaces that the Project Zero Trust team had defined several months ago. Some of the engineers had multiple stickers. Dylan realized they were publicly displaying all the protect surfaces that they were responsible for protecting.

He also noticed that Harmony had the most stickers out of everyone in the room. He'd have to ask her where she was getting them.

He private-messaged her on his laptop. It turned out that each team had created their own sticker after prodding by Harmony. One of the guys was married to a graphic designer and had created theirs to look like WWII bomber nose art. Some had flames or shields. Some were text-based and read “PZT DNS Squadron.” The identity team had a superhero with a lowercase “i” on his chest with a zero for the dot over it. It seemed like their team had grown from just the six of them to the whole company before he realized it.

Several minutes later, Dylan was waiting at the elevator to go downstairs. It had been a long day, and he closed his eyes for a moment and imagined taking a nap. His reverie was short-lived as he heard the click of a pair of heels next to him and smelled lilacs. He opened his eyes to see Isabelle standing next to him. They rode the elevator downstairs in silence. They left the elevator and began to walk toward the exit.

“I've been meaning to thank you, Dylan,” she said, stopping just before the door.

“Thank me?” Dylan asked as he stopped to face her. “Did I do something right for a change?” he asked jokingly.

“Oh, no,” she explained. “It's not any one thing. It's more like what you didn't do. I got my start as a project manager in manufacturing. I knew Olivia from those days and she brought me on to help build out our capacity for making our own treadmills. After that, I stayed around and became the head of the project management office.”

“Oh, I had no idea,” Dylan admitted. “That's really interesting, but I'm still not sure why you're thanking me.” Several people came and went past them, so they both moved a little more out of the way of the flow of traffic.

“All our IT project managers were tied up when we started Project Zero Trust. That meant I was the only one not working on the recovery efforts, which is why I began working with you.”

“Sounds just like how I got pulled into Zero Trust,” Dylan said.

“I didn't know the first thing about IT, so it was a pretty steep learning curve for me. Anyway, I wanted to thank you because you never made me feel bad for not knowing some of the acronyms or jargon you guys were using,” she said. “That really made me feel like I was part of the team.”

“You're welcome,” Dylan said. “You were a really important part of the team! We couldn't have accomplished so much without you.” They opened the door to the sun setting over the horizon as they walked to their cars.

Several hours later, Rose was with Agent Smecker, sitting at the table in a hotel room, with men in suits walking past them in hurried steps. There was a knock at the door and everyone froze in place. They all turned toward the door in unison. “Pizza,” said a voice from outside the room. The nearest agent propped open the door and the delivery kid took a step back when he saw all the people in the room.

“You're not going to make me wear a wire, are you?” Rose asked jokingly after the kid had gone.

“Of course we are,” Agent Smecker answered, handing her what looked like a pen but actually concealed a microphone in the tip. She slid it inside the pocket of the blazer she was wearing and tapped the mic a couple times. The tech across from them gave her a thumbs-up, then went back to typing.

Rose looked at the bank of laptops spread across the large welcoming table where the flower arrangement would have been in the lobby of the suite. The flowers had been placed on the floor. In their place there were twenty-four different camera views of the coffee shop across the street where Rose would meet 3nc0r3. She recognized the tall agent wearing a black leather jacket who had just left the room, now sitting by the front window of the café.

“Do you want to go over the script again?” Smecker asked.

“Get him to confirm transfer of the money,” she said. “Make him admit as much as possible. But don't sound like I'm getting him to admit anything. I'll start small, like I was wondering if this little glitch I saw was really him. And then I'll build up his ego by talking about how everyone at the office treats him like the bogeyman whenever something goes wrong. I'll try and sound disgruntled while I'm doing it.”

“That's him,” the tech said as a young man rounded the corner and went inside the shop. Almost everyone in the room stood up right at that exact moment.

“All right, time to go,” Rose said, smiling, and grabbed her purse to leave.

Key Takeaways

Success with Zero Trust starts with creating a supportive culture.

A culture of security starts at the top. But trust with business leaders is earned. Security teams shouldn't simply ask for an unlimited budget and expect to get everything they ask for. Over the last several chapters, there were also numerous cases where the team used existing tools to solve their challenges without new budget requests. The team also wrote multiple business justifications for the different projects that were necessary to achieve MarchFit's goals. This is where a strategy of Zero Trust can help. Zero Trust helps define the big picture, and each business case should be aligned with this overall strategy. This helps connect the dots for leadership on how to achieve the overall goal of containing cyber incidents.

When it comes to security awareness training, people are the protect surface. All employees have a life cycle, from when they are interviewing to when they leave the organization or retire. Your culture is defined by the expectations, processes, behaviors, and rituals that your organization puts into practice every day. These can all be influenced by training and reinforced by policies. But security awareness should also be progressive so that employees continue to learn and grow as they progress in their careers. Training messages should be tailored and customized based on specific roles inside the organization as well.

There are many different ways today to help teams collaborate. Tools like SharePoint, Slack, and other apps enable teams that are spread out all over the world to share and innovate much more quickly than in the past. These tools also require us to continually adapt the way we as individuals apply security to all these new and different types of tools. Sometimes this means we have to change our behaviors to better fit our circumstances.

Fifty percent of all human behaviors are based on habits. To have a chance at improving our security outcomes, we need to make critical security behaviors into a habit. To measure behavior change, we should also examine our cybersecurity habits. Creating habits as a group using techniques like the security minute can help teams embrace a strong culture of cybersecurity.

Cybersecurity is often scary for individuals. It's technically challenging, and there are very real consequences for not getting it right. We need to help everyone on our teams build an identity so that they believe they are capable of playing a role in security. Zero Trust requires us to be proactive in order to prevent bad things from happening. This can involve work, but following Zero Trust principles can feel easy when we make that work into a habit.

We don't need to get everyone involved on day one to be successful. Research from Damon Centola and his colleagues at the University of Pennsylvania indicates that to create long-term sustainable change, we only need twenty-five percent of a group to adopt new behaviors for the group as a whole to change their collective behaviors (https://penntoday.upenn.edu/news/damon-centola-tipping-point-large-scale-social-change). And by partnering with HR and their wellness program, a big percentage of this goal is already within reach of many organizations.

It is essential to create a culture that embraces Zero Trust. This means broadening the conversation. When we talk about cybersecurity (and Zero Trust specifically), we bring everyone in: all of IT, finance, human resources, legal, risk, and even the board. The first question our business leaders ask about Zero Trust is: “What do you mean, we can't trust?” To be successful in running an organization, we need trust. Trust is the currency of business.

We trust people, not packets.

There's also a trap to Zero Trust. One of the most common mistakes that people make when they are on their Zero Trust journey is believing that we shouldn't trust people. Trusting people is the most critical thing that we can do to enable success on a Zero Trust journey. Zero Trust focuses on removing trust relationships from digital systems because trust is what threat actors exploit to obtain unauthorized access.

Trust is also what makes all human relationships possible and it's what makes businesses operate.

In security, and particularly with Zero Trust, it's easy to fall into the trap of cynicism. If we don't trust anything, then we don't have to apply any effort to analyzing situations. But when working with others we need to build trust in order to accomplish our goals. Project Zero Trust requires building a coalition of many different groups within an organization, from IT to HR, legal, finance, risk, and audit.

In his book Speed of Trust (Simon and Schuster, 2006), Stephen Covey argues that we need to have high trust at the same time that we apply analysis in order to have good judgment. If we never trust but only have skepticism of those around us, we're left with indecision and we can make no progress. The absence of trust can actually be a tax on organizations that slows progress and keeps individuals and organizations from reaching their full potential. When security teams are cynical, the organization suffers.

Our secret motto in security is “people are the weakest link.” If we believe this, we're setting ourselves up for failure—first, because the statement is wrong and, second, because of the way it changes the way we act. People are the largest attack surface in our organizations. It's more accurate to say that people are the only link in the chain when it comes to security.

In the 1960s, Harvard psychologist Robert Rosenthal described an effect where expectations led subjects in an experiment to turn those expectations into reality. He partnered with an elementary school principal, Lenore Jacobson, and together they told teachers at the school that the worst-performing students were actually the best and that the best performers were the worst (Rosenthal & Jacobson (1968), Pygmalion in the Classroom, Urban Review 3(1): 16–20). At the end of the year, they tested the students again, and the students whom the teachers believed were the best (but had actually been the worst) had outperformed their classmates. If we persist in believing that people are the weakest link, then we will make that belief into reality.
