Zscaler Blog

Building A Better Zero Trust Culture Starts With Debunking The Myths Around Trust

NICK CLARK
January 05, 2026 - 5 min read

The term Zero Trust is everywhere in conversations around cybersecurity, from boardroom slides, project plans, and strategy documents, to architectures and technical designs. As Zero Trust Network Access (ZTNA) moves from tech jargon to mainstream lingo in Australian public sector organisations, an unexpected side effect has arisen: discomfort. The term “Zero Trust” just… sounds harsh. For many staff, it can feel like a vote of no confidence in their integrity or professionalism. But herein lies the misconception. Let’s unpack what Zero Trust really means, why the confusion exists, and how staff play an essential role in creating a secure digital culture.

What Zero Trust Actually Is... And What It Isn’t

Zero Trust isn’t a judgement of someone’s loyalty, values, security clearance, or intentions. It means not blindly trusting digital transactions and systems, even when the person using them is highly trusted. The core principle of Zero Trust is that every user, device, and digital request is continuously verified because the greatest vulnerabilities in today’s hyper-connected world come from the security assumptions that are made within them.

Consider a well-intentioned, long-serving staff member. They have a spotless record and always follow security protocols. But what happens if their laptop picks up malware or is compromised? Suddenly, every action from that device, regardless of how well intentioned, could be a risk. Without Zero Trust controls, one click could inadvertently expose sensitive data within an entire network – VPNs can do little to protect at this stage. The role of Zero Trust, however, is to protect the organisation, its people and its data against these evolving threats, which can have nothing to do with staff behaviour or integrity.

Zero Trust: A “Defensible Modern Architecture” for Our Times

The Australian Cyber Security Centre (ACSC) describes Zero Trust as “a fundamental building block in creating a modern defensible architecture.” Instead of relying on a perimeter firewall and blind trust within it, Zero Trust builds verification and segmentation into every step of a digital transaction. This is typically visible to staff as the interactions from their endpoint to the applications they use.

This approach doesn’t diminish the user’s role in these digital transactions. In fact, it should do the opposite. Staff who understand why continuous verification is essential become partners in security. In practice, this leads to faster, more reliable access, including for more than 120,000 educators and administrators at the Victorian Department of Education. With fewer connectivity issues and smoother lesson delivery, this has led to better outcomes for more than 680,000 Victorian students. Likewise, at Northern Beaches Council in Sydney, mobile and field workers have seen simpler, consistent access with fewer logins and reduced disruption to everyday work, allowing them to better service their local community.

Zero Trust Culture: Trusting People, Not Systems

Without context and leadership, the continuous verification of Zero Trust may lead to a perception among staff that they are not inherently trusted. However, a healthy Zero Trust culture is never about being suspicious of staff. It’s about creating an environment where everyone has the knowledge and tools to keep digital interactions secure. Protected transactions enable access from anywhere. When this is done well, staff notice the benefits in their day-to-day workflows such as quicker paths into the tools they need and fewer support requests for access problems – just as the Victorian Department of Education and Northern Beaches Council do. Empowered, informed staff normalise verification and help prevent breaches early.

How leaders can support cultural change for Zero Trust:

  • Lead with clarity and purpose: Explain that Zero Trust protects people and services by verifying digital activity. Frame changes in terms of safer, simpler work.
  • Design for minimal friction: Prioritise user experience so secure access feels seamless (e.g., fewer VPN dependencies, intelligent access to only the apps people need). Good UX builds trust in the model.
  • Make it practical and role-based: Provide guidance aligned to how staff work day to day – clear, role-specific access policies, simple steps for device health, and intuitive pathways to the apps they use most.
  • Co-create policies with staff: Involve frontline teams and champions in shaping access rules, testing changes and giving feedback before broad rollout. Shared ownership reduces resistance.
  • Communicate early and often: Use transparent updates for what’s changing, why, and how it benefits staff. Pair announcements with short “how-to” resources and quick-win tips.
  • Invest in targeted enablement: Run brief, scenario-based sessions on topics like phishing resistance, secure collaboration, and working securely from anywhere. Keep training lightweight and practical.
  • Measure what matters: Track user-centric metrics – login success rates, access times to key apps, reduction in connectivity-related tickets – and share improvements with teams.
  • Support managers to model behaviours: Equip leaders to reinforce secure-by-default practices in team routines (e.g., verifying device health, just-in-time access) and celebrate positive outcomes.
  • Build feedback loops: Provide fast channels to report access pain points, respond visibly, and close the loop with fixes. Visible responsiveness strengthens confidence in the change.

Building Security on Trust, But The Right Kind of Trust

Zero Trust is a foundational cybersecurity approach built for the modern workplace, where people, devices, and applications are in constant motion. Its focus is always on digital trustworthiness, not doubting staff character. By cultivating a Zero Trust culture, organisations like those in the Australian public sector can create environments that are both highly secure and empowering for staff. When we challenge misconceptions and clarify the intent, staff become the champions of Zero Trust, driving better outcomes for everyone.

Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.