
Unpacking Zero Trust: Buzzword or Game Changer?

This article is part of a series of posts produced by the Duo interns, highlighting their experiences and the projects they worked on this summer. And be sure to check out our open internship positions.

To most college students, Duo Mobile is a huge pain! I have to log in to my account AND authenticate on my phone? Is this really necessary? In the past, my answer to this loaded question would have been no. However, becoming a Duonaut and joining our Product Marketing Management (PMM) team has completely transformed my mindset on the importance of Duo and cybersecurity as a whole.

For example, security is just like exercise! You may not like it very much in the moment, but it enables you to stay healthy and strong. Throughout my journey as a PMM intern, I’ve had the opportunity to learn all about security.

In particular, I’ve been unpacking zero trust – one of security’s hottest topics at the moment. Just like Duo to college students, zero trust is a controversial concept that is seen by some as a marketing ploy vendors use. However, I’ve learned that it can provide tremendous value to those who choose to implement it.

What is zero trust?

Hearing the term “zero trust” for the first time threw me for a loop. For me, it wasn’t an intuitive concept that I was able to grasp right away. This is the case for many people.

In a nutshell, zero trust is a strategic approach to security that centers on the concept of eliminating trust from an organization’s environment. To break it down further, there are three pillars of zero trust:

  1. Never assume trust

  2. Always verify

  3. Apply least privileged access

Now that business needs and attacks are evolving rapidly, implementing a zero-trust security approach has become more relevant than ever.

For instance, organizations can achieve capabilities like improved remote and return-to-office worker productivity through zero trust. Given that we’ve passed the peak of the pandemic, it’s no surprise that 36.2% of respondents from a pulse survey that we conducted chose this as their top expected outcome from adopting a zero-trust strategy. With this in mind, I assumed that everyone would be clamoring for a taste of it.

A graphic showing the expected outcomes of implementing zero trust. The outcomes are as follows: Improved remote and return-to-office worker productivity (36.2%), protection against evolving threats (27.7%), enhanced visibility of devices accessing the network (14.9%), increased adoption of cloud infrastructure and applications (14.9%), meeting compliance mandates (4.3%), and response to third-party supply-chain risks (2.1%).
The top expected outcomes after adopting a zero-trust strategy

The controversy surrounding zero trust

Although many organizations have already jumped on the zero-trust bandwagon, there are still many skeptics. This was a key finding from my research on what people are saying about zero trust.

I learned that the confusion regarding zero trust fueled skepticism. One source of confusion stems from pinpointing what zero trust is. Since it’s a complex concept, it means different things to different people. People see it as segmentation, or ZTNA, or endpoint security, or firewall, or identity.

Another source of confusion is learning how to achieve mature implementation of zero trust. Remember, it’s a security architecture or concept, not a product you can buy, so organizations find it difficult to get started.

In other words, zero trust can be compared to the Star Wars franchise: there are some people who haven’t seen a single movie and, at the same time, diehard fans that can’t come to a consensus on which movie to start on.

And the cherry on top? A deep dive into Reddit (shoutout to r/cybersecurity) demonstrated that skeptics believe that vendors have ruined zero trust.

Screenshot of four reddit comments. The first reads,
Comments from r/cybersecurity about zero trust

To sum it up, they believe that zero trust has been turned into a buzzword, insinuating that it’s all bark and no bite.

However, I argue otherwise. Moving towards a zero-trust strategy can be a game changer for organizations, because it enables them to strike the right balance between security and usability. With a “frustrate attackers, not users” philosophy, zero trust can empower individuals of an organization to play an integral role in maintaining security without friction. All in all, worker productivity can be improved as problems that arise from traditional security models are avoided.

A fresh take on zero trust messaging

We can reduce skepticism by refreshing messaging. First, it’s imperative that we address anyone who’s confused about zero trust by answering the following questions:

  • Who should be implementing zero trust?

  • What is zero trust?

  • When should an organization implement zero trust?

  • Why should an organization implement zero trust?

  • How should an organization implement zero trust?

Answering these questions can help limit confusion while alleviating concerns that zero trust is an evil scheme for vendors to gain profit. We want to help organizations secure their business in a manner that’s forward-thinking and user-friendly at the same time.

Next, we need to ensure that our messaging is concise and straightforward. Being repetitive and long-winded can lead to our audience losing interest in our messaging (I felt this way when scrolling through a few vendors’ messaging). Furthermore, condensing messaging means that it will be easier for our audience to digest information. Knowing that zero trust is confusing to many, this should help consumers understand it faster and better.

Navigating zero trust as a PMM intern

To learn and understand zero trust on a deep level, I did a lot of reading and spent hours discussing with the other two-thirds of what we like to call our team – the Zero Trust Trinity. As veteran PMMs and cybersecurity experts, my teammates not only broke down the technical side of zero trust for me, but also shed light on how I could do the same for a general audience.

Three women on a webex video call.
The Zero Trust Trinity: Megha Mehta, Sandy Hawke, and Sydney Lai (me)

With their guidance and wisdom, I’ve had the opportunity to create messaging to educate people about zero trust by writing copy for ad banners and creating decks that support our sales processes. At the beginning of my internship, I was devoted to learning all about zero trust, and now I can finally play a part in educating others – a full circle moment for me.

Overall, my journey as a PMM intern at Duo Security has been a roller coaster ride. There are ups and downs, but the thrill never ends. Learning about zero trust was and continues to be challenging for me, and it’s something that I welcome with open arms. Knowing that I can apply my knowledge and make a positive impact is what I love about being part of Duo. There may still be Duo and zero trust skeptics out there, but (hopefully) the work that I and other PMMs do will change their minds.