
Building Trust in a Zero Trust World [Security Sandbox Podcast]

McKenna Brown


When good tech meets well-trained, empowered employees, your business is more secure. This season, we’re exploring ways to elevate the strongest link in your security chain—people—through creative use of technology, process, and training. In today’s episode, host Amanda Fennell welcomes the return of Zscaler's director of solutions architecture, Thomas Quinlan, and Relativity’s global director of security and IT, Marcin Swiety, to discuss how to build employee trust in your security program.


Amanda Fennell: Welcome to Security Sandbox. I'm Amanda Fennell, chief security officer and chief information officer at Relativity, where we help the legal and compliance world solve complex data problems securely. And that takes a lot of creativity. One of the best things about a sandbox is you can explore and try anything. When good tech meets well-trained, empowered employees, your business is more secure. This season, we're exploring ways to elevate the strongest link in your security chain—people—through creative use of technology, process and training. Grab your shovel, and let's dig in.

In today's episode, our sandbox welcomes back two frequent fliers, with Zscaler's director of solutions architecture, Thomas Quinlan, and Relativity's global director of security and IT, Marcin Swiety, for a spirited conversation on how to build employee trust in your security program at any time from anywhere. How do you roll out an effective and empathetic zero trust program to your company that resonates with your global employee base? So pull up a seat. It's time to have the talk about taking this relationship to the next level of trust.

We should start—exactly—with the world is on fire and what—no, I'm just kidding. Tommy, I'm going to have so much fun with this one. OK, so I thought this would be awesome, to bring you back on because we do want to talk about zero trust.

Thomas Quinlan: Cool.

AF: It's, like, such a buzzword. Everybody's talking about it, right? But it's a little bit like the world—like world peace. It gets utilized so much it's starting to lose its value, and so we want to spend today, like, calibrating a little bit about why it is valuable. And, like, let's not keep just using the word and not thinking about it and not really mulling it over. So I'm going to start with the funnest thing. So...


AF: You and I—we both have a son—Maxwells, right? The Maxwells.

TQ: Yep.

AF: They're both approximately the same ages. How would you explain zero trust to Maxwell?

TQ: Simplest terms for a 6-year-old. Essentially, I'll use the airport analogy. So the airport—you go to the airport, and what's the first thing that you do? You go to security. And security—they essentially stop you, and they check your documents, first and foremost. They make sure you are who you say you are. They check to see that you have a ticket. So they make sure that you have the ability to actually go into the airport, past the security, and then they check your bags. And assuming that you are good to go on all those three things, they let you through. And then as you go through each of the various parts of the airport—let's say you're going to international from Europe—you have to maybe go through another check, but all along the way, they essentially stop you, make sure you are who you say you are and then check to make sure that you're not doing anything bad. And that's essentially what zero trust is in a...

AF: In a 6-year-old's metaphor, yeah. So requiring all the users to constantly—whether you're in or outside the organization, you have to be authenticated, authorized, and continuously validated. I love that I get to sound professional with it, but you had to say it for a 6-year-old. So this is awesome.


TQ: Exactly. Yes.

AF: So is this—is it the same for you, that you feel like it's just, like, losing the understanding of what it is over time, that people are using the words and they don't know what they're saying?

TQ: It's—yeah, it's definitely a marketing term. There's no question about that. And of course, it differs from vendor to vendor as to the implementation of zero trust. Certain vendors think they do it better than others. I won't mention any names, but you know which one I already worked for, so I'll leave it at that. And essentially, if you look at the term itself, it started out being closely tied with SASE, which is a secure access service edge. And now that has sort of broken down into secure service edge and then WAN edge. So it started out being this semi-nebulous concept that was based on the idea of no longer centralizing your security in the data center but making sure that you're checking identity and context and policy. But now it's even—I guess it's further breaking down into the idea of separating the actual network from security. We're looking more at the network as a layer of abstraction. Like, we don't care how you get to the airport. We don't care if you ride the tram in the airport or the people-mover or whether you walk down the really long hallways. We don't care how you do it, in that sense. We just want to make sure that when you get to a checkpoint, you have the right documents, you're not bringing anything bad and that you're going where you're supposed to go. And that's basically how it boils down.

AF: So Marcin, we've gone through our zero trust journey, and we don't want to name any names—Zscaler, whatever. It's the same, right? There's a reason we're so close. But in going through that, did you feel like you had to build trust with the employees about the usage of it? I mean, it's a global thing for you. So, you know, rolling this out, we have employees in Germany, and privacy is such a concern in Poland, et cetera. Like, what did you do to get in front of that, and how did you keep the trust there?

Marcin Swiety: Yeah, that's a pretty interesting thing to see. Surprisingly, we actually needed trust to be successful with rolling out solutions like this and in previous ones as well. When we were thinking about DLP back in the day, that was also the case. The trust, we tremendously used over how we wanted to—you know, to ship it out and to make sure that our employees are actually understanding what we want to achieve in the end. So, yeah, the trust was really important to roll out something that we call zero trust, and zero trust strategy actually used it quite a lot. But the reality of this is, you know, with zero trust, that's basically a space for, you know, strategy where everybody can verify, you know, the other—each other's intent and fit for the action and fit for the access, fit for the specific, you know, channel. So when we are thinking about it in these terms, we actually equipped our employees with the ability to verify what we want to do, how we were going to use it, what is the intention. So we actually kind of approached it with, you know—we use trust because we are Calder7. We are trusted partners in our company. But we actually still allowed each employee in every other region that we operate in to kind of look and see, what is the intention, how they can verify what we are doing is actually what we are trying to do. And that is actually something that will improve each other's lives and operational capabilities along the whole company. So that's a pretty interesting realization, that trust was needed to roll out zero trust.

AF: It's the...

MS: That's meta.

AF: I know it's the paradox. But, Tommy, what's the most common way that you see this play out whenever you see companies that adopt it? Do you think there is a more positive way to frame something like zero trust with that relationship? Or is there a lot of times it's, like, regulation, financial, et cetera—just do it, this is the way it is?

TQ: I think the companies that are successful at it do it similar to how it was just described—essentially, preparing people because it is a shift in the way of working. It's a shift in the way of thinking about how people access things. So people are used to doing things a certain way because we've done them that way for 30 years. Everybody is used to a VPN. It might be always on. It might be something they have to connect. But they're changing how they're going to work. They're no longer going to have blanket access to a network. They're no longer going to have the capability to sort of figure out where something might be if they think they deserve access to it and kind of poke around. All of that goes away. The other thing a lot of people tend to worry about when they start this journey is the concept of privacy. How do I maintain the privacy that I'm so used to or think that I deserve while still being able to access what it is that I'm supposed to get? And that's a very region-specific thing as well because we have differing requirements for privacy, data privacy in different parts of the world. I'm obviously technically not in Europe anymore. But we still follow GDPR. So how we handle data in Europe differs from how we handle it in the United States, for example. So we have to take those things into account. Privacy laws differ in Germany from France, for example—just within Europe. And so you have to, essentially, provide employees the preparation. You have to trust them. They have to trust you to be able to say that we're going to do TLS or SSL inspection, for example. But we're going to do it in this manner. We're not going to be looking at your banking. We're not going to look at your health care. We don't really care. What we're trying to do is, essentially, stop threats. And so as with any organization, you'll have your acceptable use policy, all of the things that you have to have in place to be able to do that. But sometimes, it does take some explaining.

AF: OK. So this is, like, kind of a fun topic. We're going to rabbit hole for a second. So here we go. I've always found this intriguing. But for as much as I definitely feel like security doesn't have to be this Big Brother dynamic, et cetera, I do have this backbone to me. And I don't know if this is just the way it's always been for us. But I have this backbone of, it's a company-owned and managed device. Stop using it for your banking, like, if you don't want your banking monitored. Like, you shouldn't be using it for that. So I always have that as my first go-to of, like, why are you using it for that? And the second part is, like you said, why would we care? We're not malicious intent, like, behind what we're doing. We're security. We have a positive intent. We're trying to protect the fortress—right? Or in this case, no longer a walled fortress. So I've always struggled with that one. But I'm just—I'm always confused about the inspection of traffic, right? So if we don't inspect the traffic, and if we don't unencrypt it and so on, then malware goes through there freely.

TQ: Correct. Correct.

AF: Like, it can just go wherever it wants. And the airport analogy, that is, never scanning or opening that suitcase to find out what's inside of it. It is going through, and we're not going to check it. That's not acceptable in a security environment. We have to know what it is. So I've always wondered, how do you really, like—I don't know. This is for both of you. How do you explain that in a way that isn't going to make people feel like it's invasive? Do you also lean back on the, it's a company-owned and managed device? Or is the expectation different? I mean, you were in Europe, and Marcin, you're still there. Is the expectation in Europe different? Is it, don't open my suitcase?

MS: Pretty much, yes. Pretty much, we hear that question a lot. But on the other end, we really operate in a space where a lot of us really see the benefit of being protected. And we see that, you know, on a normal-life basis, especially with the analogy of an airport. We are actually OK with somebody opening our suitcase because we know that the same person will open another 100 suitcases that will go into my airplane. And we are OK with that. And we actually appreciate it at times. And we can show that in many ways. So framing the conversation that way is, actually, something that helped me to not go into that argument that you just used, to—you know, this is our corporate device. You shouldn't be doing personal stuff there...

AF: Yeah. I feel like we lose the argument as soon as we say that. Like, I think we lose employee trust, but, yeah.

MS: Yeah. Yeah. Yeah, but ultimately, there is something that is pretty neat about this is it's, you know, the same about protecting our fortress, as you mentioned, Amanda. But it's also about protecting every employee. Inherently, none of the employees wants to bring any risk to the company. They feel like they are participating in this global, you know, effort under a joint vision and the same, and sharing the same goal. And nobody wants to disturb that with some, you know, malicious things going on that they didn't even know about, might not even know about, because I don't think anybody in the company actually would want to bring any harm. So if you spin that, that this is protecting as much of the company as the employees, this is actually creating a very neat discussion and dialogue that is actually far from how you use this computer. It's about how you, you know, make sure that nobody gets, you know, in harm's way of what we want to achieve. And that's pretty cool.

TQ: So I guess it depends on where you are, how the conversation starts. So in the United States, the expectation of privacy is that you don't have it at work, whereas in Europe, it's pretty much the opposite. You do have it at work. And so you have to be able to do one or the other, depending on where you are. And so you want to look for a zero trust solution that can provide the ability to do both—turn it on and then selectively turn it off by category, or turn it off and turn it on by category, potentially.

AF: So for the trust dynamic, I do think we should have had, like, a buzzer that buzzed every time we used the word trust in this episode. Like, that would have been awesome and not annoying at all. But yay—in building this, it's easy to break. So are there experiences when you're doing this methodology that you do break trust and you have to go back and you have to fix it? And I guess it's for both of you because Marcin, to start us off, like, yeah, we hadn't done testing in a very specific situation, and we had to go back and redeploy. We had to pull back, go back and test that one, make sure it didn't happen because it broke one of those fundamental things that our employees need in the CIA—availability. They couldn't access the stuff. So we had to go back and fix it. But that, you know, we didn't test.

MS: (Laughter) Yeah, that's true. And how we actually go on about it, as Amanda mentioned, we go back, and we look at things that we could have changed, you know, to make it more predictable in the rollout. But in reality, you know, this actually overused the trust that we had because it's supposed to be a swift and easy rollout, but we haven't tested some parts of it. And the reality—how you do that when you are in a relationship, you basically use, you use transparency, and you say that something didn't work, and we will try once again, and let's, you know, let's keep tight, and let's, you know, establish better comms channels, and let's do this together. And this is the theme that we used. We are not doing this in a vacuum. We can...

AF: This is when it becomes more a podcast about dating.

MS: Oh, yeah.

AF: All right, let's talk about it, Marcin. So transparency, talk it through—you sound like a great person to be involved with.

MS: No—oh, that's—I think that's a mis-assumption. But... (laughter) but, you know, that's something that is actually very, very similar. You know, you have to open up at some point that something has not worked, and we need to kind of go through it together. So what we did, we increased the, like, we shortened the distance. We created some space where everybody that was involved in that, meaning, you know, security team and IT team, rolling this out, adjusting policies, making sure that everything is operating as it should be, with folks that we are shipping this to. So we kind of moved from a pilot group to a testing group to a space where we can proactively disable or enable some parts of it to see what might actually be the case. And the reality, that actually was the only thing that we were missing in the beginning, kind of this kind of communication channel and the transparency to test and to establish that shorter distance of communication. But sometimes you do that, right? And especially in the fast-paced world, as we have in the tech space specifically, sometimes you will see those bumps. And we all kind of praise these, you know, fail fast, you know, approaches, but when we actually fail, sometimes we forget that, actually, that was the intention. We have to be very quick. We have to be very agile. And sometimes that means that we will not get everything right. And the reality is you have to acknowledge that. You have to overcorrect at some points. Sometimes, you know, be a little bit more on the space on creating that trust again. And let's move forward and focus on the next thing.

TQ: Agreed.

AF: The relationship dynamic there, I guess, is one that's interesting. One thing I've found that has been the most useful for the way that we built the whole program here has been, like, communicating ahead of time—a lot. There's a lot of, like, we focus so much on, like, preventative. That goes for the employees as well. We try to prevent any of that feeling of, you know, we're not being transparent. So we'd rather, like, broadcast things early on, which I also do with Sharif. I broadcast way early on when something's going to be a problem in a few months. But that's what we do, is we look for things that are anomalous behavior, right? This is a thing today; it will be a bigger thing later. And so we try to get in front of it. But I do like this idea. So I guess this idea of things not working the same—they'd be different. We're doing something different, so by nature, something will be different. We change the variables. I think this is something that, where the idea of the tech and the humans come together. And the way that I look at it this way is that I truly do look at people and performance evaluations to understand how they deal with change. Do they thrive? Do they struggle? Do they maintain? What is the way that they handle change? And I would feel like this is a big shift for a lot of human beings to move into this realm and to think about this access to everything differently. Do you think that humans rise to the occasion here and thrive? Or do they always just kind of maintain when you're getting through this experience? Or do they all struggle?

TQ: I'd say most of them thrive, to be honest. They—it obviously is an adjustment for most people to make. But once they make the adjustment, I think it's a much more straightforward method of doing things. It's how we should operate. And we've operated in the method that we've operated in for 30 years or whatever because we didn't have a better way. But now we have a better way. And I think people are always hesitant when it comes to change, but I think when they get through it and they adapt to the new way of working, that they thrive because it is easier. It's a better user experience. It's better for the IT team. It's better for IT leadership, et cetera.

AF: Marcin, what do you think? I feel like a lot of people start out with a little—it's the change curve, right?

MS: Yeah.

AF: At first they're, like—they're in denial. Why are you doing this? Like, there's this, it's a relationship breakup.

TQ: Five stages of grief.

AF: Yeah, it is. They go through these things. But in the change, there's a moment when you make a decision, and you say, I can do this. I'm going to own moving forward in this. And then it's like a down on the rollercoaster. Then everything is great, and they get positive, and they affect other people. But I do think the majority of the people we've worked with rolling things out, such as zero trust—and even all the way back, whenever we were first rolling things out four or five years ago—the beginning was a little bit of a struggle. I think a lot of people struggled, and maybe they're getting a better muscle now, though. Like, they kind of roll a little bit more with the punches these days.

MS: I'm not sure that's the correct way of looking at this. I think that the culture is key. Maybe the, you know, repeated exercise of doing similar things, similar changes, repeating them the same, you know, upfront communication, establishing trust, using the trust, being clear of intention—that probably helped, you know, to build the culture. But I think that on average, people experience that, of course, you know, anxiety at the beginning. But through those exercises, through availability of the intent and an explanation and even the tech detail sometimes—you know, explaining to tech folks how the tech actually works and what it's intended to do is actually making that period of the anxiety very, very short because people in this space, they look for information, for more justification why we do this, and if that information is available and clear and understandable, that shortens the time. It's still there, right? People still, you know, don't resist the change per se, but they are pretty anxious about the, you know, immediate term, you know, transition. So yeah, I think that's the culture that's the key.

AF: Man, that sounds like an outright, like, disagreement with your boss, by the way. Like, it's an outright Amanda, you're wrong.

MS: Of course. Of course.

AF: This is so awesome. Of course I am. It's one of those things that I've always despised whenever people ask this question. And you can just be honest. If you're like, I don't know, Amanda. Like, leave me alone. And it's fine. You both can do this, though. A few years ago—I got to build this up now, right? I'm going to build the foundation, right? So a few years ago—like, five or so—it was all, like, disruption was the thing, and this was the edgy thing to say in security and stuff. And then, you know, we go through different ideas. And nowadays, privacy is the new security, and there's different trends, if you will. Zero trust came around quite some time ago. This is not that new. It's a little bit like cloud adoption—just takes time for people to be comfortable and accept the fact that, you know, there's NIST guidelines. There's frameworks. People know what they're doing. And eventually, it'll get to the point where people are like, this is the requirement a lot of times because it just makes sense. This is the reality. You should be going through all those steps in the airport, and you should be doing all of those things whenever you have something you need to protect. That is the asset. What's coming after zero trust? This is the magic eight ball, which, by the way, I have one. Hold on. I actually have, like, a magic eight ball right here. But what comes after zero trust? Tommy, I feel so bad to make you go first, but I feel like you have to. I mean, you think about this at night. This is how you go to sleep. Oh, my gosh, what am I doing next? What's going to happen?

TQ: So I think from a zero trust perspective, let's start there and figure out what's going to come next. Like, zero trust almost becomes—I wouldn't say commodified because that's not the right word, but it becomes part of the plumbing. It essentially disappears into how we do things. So if we—let's say we look at a two-year timeframe. So right now, we currently have hard-wired internet communications everywhere. We have physical devices. We hybrid work most of the time because a lot of people obviously start going back to the office, things like that. And so we have this shift that's occurring, to your point, going on right now. And so when we look at it in two years, what is it going to look like? Two years, we're going to have much more 5G. I mean, Elon Musk just deployed Starlink to an entire country in the space of a few days. And so the ability to connect pretty much anywhere with anything is going to become the norm. And then we're going to start seeing things have their own connections. So the idea of random things in your house just having connections, that sort of thing—it's all going to—did you want to say something?

AF: I do. Like...


AF: So this is a thing, though. So before you go any further because, like, I think you've hit upon something, though, is that if this is the movement—because we are hybrid and we have a lot more remote and all these things that took place that will be the remnants of the pandemic—I think that the experience is going to be the driver behind a lot of this. And so when you mentioned this connection of things and the connectivity, that's really all people are looking for in their homes, much less in their work. It's about the experience. So I think that security is going to twist into such a user experience. Like, our last episode, we ended up talking about how it was so much like marketing these days to be in security. That's what it is to have a security awareness program. It's marketing 101. Now I think you have—you stumbled upon episode 2, which is that it's about user experience.

TQ: Exactly. And that's essentially where I was going because you have this—no, no, no. That's fine. It's perfect. And that's what we had to start thinking about, is what does it look like when I am working? What does it look like when I can connect just as easily from the Maldives as I can from my house in London kind of thing? And then suddenly it becomes security is an enabler, as opposed to a blocker. So for a long time, we had these big boxes. We had to stick them in the data center. Everybody's traffic had to go through them. Things got really slow, and it became very difficult to troubleshoot that huge stack with various different things from various different vendors and various different operating systems in various different ways of reporting, et cetera, et cetera, et cetera. Now we have the cloud. We have security in the cloud, and we have user experience as the No. 1 thing that people are looking at. And this is becoming even more of a thing. Like, digital experience monitoring is the new term, essentially. How do we troubleshoot user experience? How do we examine what the user sees when the user is not on our network? How do we look at what the refrigerator is doing to communicate with the grocery store? How do we examine that? Should we examine it? What are the security implications?

AF: Not if it's over FTP, we can't.


TQ: Yeah, no, definitely not. That protocol is going away as fast as I can do anything about that. But effectively, what does my workforce look like in the future when I can just as easily work from anywhere? How do I help someone who is somewhere else? Like, my employees currently, they just work from anywhere, and I don't really care where they work from because as long as they have an internet connection, they can work from anywhere, and they often do. My colleague from southern Europe took a trip to Turkey, and he was working in Turkey. And if he hadn't told me, I never would have known. And that's the sort of thing, but we have to start looking at activities, actions rather than threats in the strictest sense. Obviously, threats will never go away, and we have to be aware of them, and we have to understand how they interact with people and devices. But starting to look at behavioral analytics—is this 4.7 gigabyte download on a Friday afternoon within the norm for that person? Or is it so odd that we have to call a giant meeting kind of thing?

AF: Look, it's whenever the new episode of Boba Fett came out and they had to download, and it was Wednesday night, but, yeah.

TQ: Yeah. But, I mean, that digital experience monitoring is going to play a much larger part in what we...

AF: Did you trademark that yet, digital experience monitoring?

TQ: I'm sure someone has.

AF: Damn.

TQ: So there's a—it's not a coincidence that I know about this because certain vendors have these products perhaps.

AF: Duh, duh, duh.

TQ: Exactly. So yes.

AF: Well, so, Marcin, what were you thinking? So—and you can't just say I was totally going to say user experience.


MS: I was going to say FTP is good. (Laughter) No, no. I think that, you know, you got something that I was pondering. I remember when I was selling security, you know, putting security as enabler instead of blocker, that was really, you know, something that I tried to use. But it's really it when you look at this in a bigger lens. I remember, like, 10 years ago, five years ago, something like that, security trainings used to say, don't use, you know, coffee shop Wi-Fi connection. Or when you're in a hotel, make sure that you're establishing a VPN always. And I remember people coming to me if I am there or that way connecting to the internet, I cannot use VPN because it's being blocked by the hotel or some other networks. And things are not working as they should. But I want to be protected. So should I use or should I not use? Should I find some co-working space when I'm in a different city? And right now, what we use, what we are using, you know, in everyday lives and I think in hybrid and remote, we're actually treating the connection, the connectivity, just as a channel. And that's—we don't really need to care other than, you know, having a notification that tells us this is not a secure network because something, you know, problematic is going on. But other than that, the digital experience, as you frame it, is also, like, kind of enabling us to use those different places and not really, really, you know, looking very, very thoroughly if that's a secured connection or not. Because we can actually make sure that it's secured and verify it before we actually allow for a user to access our corporate systems.

AF: Well, you've made it easy for me, both of you today, in terms of how to sum up some of the stuff that really comes to the forefront of the conversation. I mean, the first one is that it's like a dating relationship for implementing zero trust. But you do need to have that trust between the program and your employees. And if you don't have transparent communications ahead of time and really put something in the bank of the relationship to pull on whenever something might go wrong, it may go wrong. And then you'll have nothing to rely on. So you have to shift those employees' mindset to change the perspective on how, why or where they work, even if it's in Turkey. So there's all of these—this is, like, my big one, I can feel. The second one, I'll go back to the airport security because framing zero trust and the access that's given to the employees as those layers of the authentication and verification and so on, you have to keep that trust. And you have to keep things secure as we move through the process and consistently verifying this information. But it has to be seamless. And this goes to the third one. That user experience, I think, is absolutely everything. And security, I think it's where people like us and the three of us are probably the most successful is that we have always thought that security is an enabler. We're there not to block, we're there to help the business be successful but also for that experience, to have the employees with us along the journey. They're not there as somebody that we can't trust. We can trust them once they've been authenticated, once they've been verified and gone through the process. But yeah, I think that user experience is probably the biggest one that we're going to be looking at a lot in the security space in the years ahead. All these things are great. It's great if you do good security. But was it painful to deal with? Because we're not going to buy it then. I did come across an Einstein quote for trust. If we end with a quote, by the way, I thought this was a good one. It's such a simple one, right? I know. But, you know, Relativity, I always look at Einstein quotes. "Whoever is careless with the truth in small matters cannot be trusted with important matters." I feel like that's the foundation of security. You have to have integrity and trust for the smallest of things, and then you realize when people can be built on for the larger. But I love that idea. But I will say, at the end of the day, it's been a joy to have you two on again. And I thank you for flying Air "Security Sandbox."

MS: Thank you.

TQ: Likewise. Thank you for having me.

AF: Thanks for digging into these topics with us today. We hope you got some valuable insights from the episode. Please share your comments. Give us a rating. We'd love to hear from you.


McKenna Brown is a member of the marketing team at Relativity, specializing in content development.