{"id":8501,"date":"2026-06-16T09:00:00","date_gmt":"2026-06-16T09:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8501"},"modified":"2026-06-16T09:00:00","modified_gmt":"2026-06-16T09:00:00","slug":"zero-trust-isnt-broken-most-companies-just-do-it-wrong","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8501","title":{"rendered":"Zero trust isn\u2019t broken. Most companies just do it wrong."},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Zero trust is 15 years old, and like many teenagers, it can feel misunderstood and underappreciated.<\/p>\n<p>The concept of zero trust was first defined by <a href=\"https:\/\/www.linkedin.com\/in\/john-kindervag-40572b1\/\">John Kindervag<\/a>, a Forrester analyst at the time, as a strategy to replace the outmoded perimeter security model with a \u201cnever trust, always verify\u201d approach. But going from principle to practice isn\u2019t easy.<\/p>\n<p><a href=\"https:\/\/www.accenture.com\/content\/dam\/accenture\/final\/accenture-com\/document-3\/State-of-Cybersecurity-report.pdf#zoom=40\" target=\"_blank\" rel=\"noopener\">Accenture<\/a> reports that 88% of organizations have encountered significant challenges implementing zero trust. In a recent <a href=\"https:\/\/www.gartner.com\/en\/newsroom\/press-releases\/2024-04-22-gartner-survey-reveals-63-percent-of-organizations-worldwide-have-implemented-a-zero-trust-strategy\" target=\"_blank\" rel=\"noopener\">Gartner<\/a> survey, 35% of respondents who indicated that they either attempted or partially attempted a zero-trust initiative suffered failures that adversely affected their organization. 
\u201cGartner has observed numerous instances of failed zero-trust initiatives among end users who lacked a strategic and measurable plan,\u201d the report says.<\/p>\n<p>At last year\u2019s DefCon 33 conference, U.K. security researchers from AmberWolf\u00a0<a href=\"https:\/\/www.networkworld.com\/article\/4039042\/def-con-research-takes-aim-at-ztna-calls-it-a-bust.html\" target=\"_blank\" rel=\"noopener\">poked holes in zero trust<\/a> by identifying potential vulnerabilities in zero-trust network access (ZTNA) offerings from three vendors. \u201cIt turns out there are no magic ZTNA beans; we\u2019ve got the same old bug classes reimagined for a new technology stack,\u201d said AmberWolf researcher Richard Warren. \u201cRather than zero trust, we\u2019re actually putting a lot of trust into these vendors to process our data securely.\u201d \u00a0<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/mjhaber\/\">Morey Haber<\/a>, author and chief security advisor at BeyondTrust, sums up the state of zero trust in 2026 this way: \u201cWe all agree: zero trust is necessary. But it\u2019s been hard to implement.\u201d Haber describes the gap between intention and execution as \u201cmassive\u201d during a <a href=\"https:\/\/www.computerworld.com\/video\/4084071\/is-zero-trust-failing-or-just-misunderstood.html\" target=\"_blank\" rel=\"noopener\">Today in Tech episode<\/a> focused on whether zero trust is failing or just misunderstood. \u201cIt doesn\u2019t matter what you read or which framework you follow,\u201d Haber said during the podcast. 
\u201cThe core issue is that we have a concept with principles and tenets, but not enough guidance on how to implement it.\u201d<\/p>\n<p>Here are some myths and misconceptions associated with zero trust, as well as tips on how to avoid the pitfalls and successfully implement zero trust.<\/p>\n<h2 class=\"wp-block-heading\">Myth: Zero trust is a product<\/h2>\n<p>Even after 15 years, there is still considerable confusion about what zero trust is. It answers to many definitions\u2014strategy, philosophy, concept, mindset, and architecture.<\/p>\n<p>Chase Cunningham, who bills himself as <a href=\"https:\/\/www.drzerotrust.com\/\" target=\"_blank\" rel=\"noopener\">DrZeroTrust<\/a>, says, \u201cSecurity is not a product, but a combination of strategy, process, and execution. Zero trust is not just an architecture\u2014it\u2019s a mindset. There is no zero-trust product, period.\u201d<\/p>\n<p>Haber agrees. \u201cYou have vendors claiming to sell \u2018zero-trust\u2019 products, which is misleading. There\u2019s no such thing as a zero-trust product. 
Products implement security controls, but they don\u2019t embody zero-trust principles.\u201d<\/p>\n<p>He cautions, \u201cIf a vendor says, \u2018This remote access solution achieves zero-trust principles,\u2019 that\u2019s great, but I have yet to see one that delivers more than 10%-15% of the required controls.\u201d<\/p>\n<p>Gartner adds, \u201cThe concept of zero trust is a security approach that organizations adopt to mitigate access risks associated with\u00a0networks, applications,\u00a0and associated data.\u00a0This is frequently overshadowed by vendor marketing, which tends to promise high expectations but often delivers suboptimal results.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Myth: Zero trust is a technology<\/h2>\n<p><a href=\"https:\/\/www.utsystem.edu\/offices\/information-security\/chief-information-security-officer\" target=\"_blank\" rel=\"noopener\">George Finney<\/a>, CISO at the University of Texas and author of two books on zero trust, tells <em>Network World<\/em> that zero trust is not a technology; in other words, it\u2019s not micro-segmentation to block lateral movement by attackers; it\u2019s not policy-based identity to control who gets access to enterprise resources. Those are tools and tactics that help implement zero trust.<\/p>\n<p>Zero trust at its core is a way of thinking about risk that requires breaking down silos among security teams, networking groups, business units, compliance, and risk management functions, according to Finney.<\/p>\n<p>The first pillar of zero trust, as defined by Kindervag, is identifying the highest-priority protect surfaces in the organization. Kindervag says that unless the organization has a clear understanding of what the crown jewels are, there\u2019s no way a zero-trust project can be successful. 
Kindervag adds that IT doesn\u2019t necessarily know what those high-value protect surfaces are, but business leaders do, and that\u2019s where a zero-trust initiative should start.<\/p>\n<p>The second pillar of zero trust is to map transaction flows associated with those mission-critical protect surfaces. Again, this requires coordination and collaboration with teams running key enterprise applications. This is particularly important in today\u2019s multi-cloud environments, where a specific business process can span on-prem, edge, cloud, containers, microservices, etc.<\/p>\n<p>\u201cIt\u2019s not a technology issue at the end of the day that makes it hard,\u201d Finney says. It\u2019s people issues, cultural issues, and politics. He recommends that organizations think holistically about securing sensitive data across all attack surfaces, including endpoints, remote users, IoT devices, LLMs, AI agents, etc.<\/p>\n<p>Gartner adds, \u201cIt is not\u00a0a product or technology-focused exercise but rather a methodology driven by the\u00a0organization\u2019s\u00a0overall objective and priorities.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Myth: Zero trust is expensive<\/h2>\n<p>Finney says zero trust does not have to break the bank. \u201cA lot of folks think it\u2019s going to be too expensive, but it doesn\u2019t have to be,\u201d he adds. Here are key steps on the road to zero trust that don\u2019t involve buying anything.<\/p>\n<p><strong>Identifying high-value protect surfaces. <\/strong>This requires thinking like an attacker and pinpointing the assets that an attacker is most likely to consider valuable. Finney adds, \u201cIn a given protect surface, you might have multiple controls that all have to be working together to remove those trust relationships.\u201d<\/p>\n<p><strong>Creating a zero-trust team. <\/strong>
Finney says most organizations already have governance, risk management, and compliance teams that can be brought into a comprehensive zero-trust task force that includes security and networking groups. Gartner adds, \u201cA zero-trust strategy must be initiated at the executive level and integrated across all departments and teams.\u201d<\/p>\n<p><strong>Education. <\/strong>Education is critical, says Finney. \u201cIt\u2019s helping folks see the big picture. It gets people out of their silos.\u201d Finney adds that a major challenge is political, having to deal with a fragmented organization in which many stakeholders are dismissive of security because it\u2019s not what they\u2019re measured on. For example, application developers who are under the gun to get software out the door aren\u2019t necessarily incentivized to bake security into their processes.<\/p>\n<p><strong>Creating a strategy. <\/strong>\u201cWhen I talk to boards of directors, they understand that to be successful in any part of the business, you need to have a strategy. That resonates from the top,\u201d says Finney.<\/p>\n<p>In its analysis of why zero-trust initiatives fail, Gartner says, \u201cThe lack of a business-aligned strategic plan has led to ineffective governance, miscommunication, poor risk management, minimal budget allocation, poor execution of the organizational security objectives, and inefficient use of limited resources.\u201d<\/p>\n<p><strong>Defining an architecture. <\/strong>Every organization is different, so there is no boilerplate architecture that can be applied everywhere. Organizations need to write a specific architecture that fits their business needs, their level of risk tolerance, their specific vertical industry, and their unique technology infrastructure.<\/p>\n<p><strong>Setting and applying policies. <\/strong>Again, there is no line item associated with writing access control and identity management policies. 
<\/p>\n<p><strong>Leveraging existing tools.<\/strong> It\u2019s important to realize that nobody is starting from zero.<\/p>\n<p>Most organizations already have multi-factor authentication or single sign-on in place; they already have identity management, network management, web application firewalls, etc. The key is to integrate and align existing technology and identify gaps where new tools might be needed.<\/p>\n<p>Speaking to AmberWolf\u2019s point that attackers can always find bugs in vendor software, zero-trust advocates counter that zero trust implies defense in depth. So, even if there\u2019s a flaw that allows an attacker to gain end-user credentials and access the network, there will be multiple security controls in place, such as incident detection, micro-segmentation, monitoring of end-user sessions, and controls that prevent access to and exfiltration of sensitive data.<\/p>\n<h2 class=\"wp-block-heading\">Myth: Zero trust is difficult to implement<\/h2>\n<p>Zero trust doesn\u2019t have to be hard to implement if organizations follow widely disseminated guidance provided by <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/specialpublications\/NIST.SP.800-207.pdf\" target=\"_blank\" rel=\"noopener\">NIST<\/a>, numerous books, webinars, podcasts, experts, consultants, and more.<\/p>\n<p>Finney recommends starting small and showing quick wins. Zero trust can\u2019t be implemented all at once across a large organization; it requires a targeted, methodical strategy.<\/p>\n<p>The preferred approach is to start with those high-value protect surfaces and apply tools that support the overall architecture in a coordinated, consistent, managed, and monitored fashion.<\/p>\n<p>\u201cAn overall strategy can deploy different tactics,\u201d Finney says. 
\u201cYou want to think about what will have the biggest impact on your organization today.\u201d He says organizations need to make informed data-driven decisions based on logs, metrics, and other data, while factoring in an analysis of what attackers are doing vs. the specific vulnerabilities and weak points in the organization\u2019s defenses.<\/p>\n<p>Gartner states: \u201cNarrowing the scope of initiatives or projects within the zero-trust program is essential for attaining a zero-trust posture within practical and reasonable timeframes.\u00a0Organizations define overly expansive future target states by incorporating an excessive number of systems, applications, use cases, or datasets in the initial phase\u2014or by proposing overly intricate and granular policy sets. They will encounter scalability and cost challenges, along with extended project timelines.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Myth: AI breaks ZTNA<\/h2>\n<p>Enterprises are racing to deploy generative AI and unleash semi-autonomous AI agents. This new world of black box large language models (LLM) and non-human identities (NHI) raises concerns that zero trust is an outdated strategy that\u2019s not up to the challenge.<\/p>\n<p>Leading zero-trust proponents are pushing back, however, arguing that the core principles still apply. \u201cWith AI, zero trust is more important than ever,\u201d says Finney. \u201cZero trust is a strategy; we don\u2019t change the strategy because AI came out. AI proves how important that strategy is.\u201d<\/p>\n<p>\u201cAI is not magic,\u201d he adds. \u201cWe secure it the same way we secure everything else. We integrate it into the tech stack and monitor it.\u201d<\/p>\n<p>Kindervag, currently chief evangelist at Illumio, concurs. \u201cAI doesn\u2019t change the fundamentals of zero trust. It reinforces them. Zero trust is the strategy that allows you to safely embrace AI. 
Without strict segmentation, policy enforcement, and control over data flows, AI becomes another soft and chewy center waiting to be exploited.\u201d He adds, \u201cYou don\u2019t need a new security strategy for AI. You just need to apply the right one. That\u2019s zero trust.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Myth: There\u2019s no way to measure success<\/h2>\n<p>Any project that seeks support from the board and C-suite needs to be able to justify itself through some sort of metrics. Zero trust is no exception, but how do you measure \u201cnot getting hacked?\u201d<\/p>\n<p>Gartner says teams should use outcome-driven metrics that link zero-trust initiatives directly to business objectives. \u201cIt\u2019s crucial to focus on schedule adherence, cost discipline, and control effectiveness,\u201d says Gartner. \u201cFocus on outcomes like reduced breach incidents, improved compliance rates, and enhanced operational efficiency. Additionally, identify\u00a0specific risks, such as lateral movement, data breaches, account takeovers, and insider threats, which are essential to drive value, and\u00a0organizations can better justify investments and drive continuous improvement.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Myth: Zero-trust projects have a completion date<\/h2>\n<p>\u201cZero trust is more about the journey than the destination,\u201d Finney says. He points out that organizations are constantly growing and changing. At the same time, attackers are evolving. \u201cZero trust is a strategy. You\u2019re never done with a strategy,\u201d he adds.<\/p>\n<p>Kindervag\u2019s final pillar of zero trust is to monitor and maintain. In other words, organizations need to be actively monitoring to make sure that access control policies are not being violated. 
And the zero-trust implementation needs to keep pace with changing business needs.<\/p>\n<p>And since zero trust calls for organizations to focus on the highest-value protect surfaces first, there are always additional protect surfaces that can be added under the zero-trust umbrella.<\/p>\n<p>When Finney looks back on how things have evolved over the past 15 years, he is encouraged by the fact that tools have improved dramatically. Teams can now apply AI and machine learning to functions like anomaly detection or incident detection and response. And there are now ways to automate tasks like network monitoring or policy enforcement.<\/p>\n<p>\u201cOverall, I\u2019m feeling guardedly optimistic,\u201d Finney says, \u201cbut the work is not done. We need to continue to make strides.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Zero trust is 15 years old, and like many teenagers, it can feel misunderstood and underappreciated. The concept of zero trust was first defined by John Kindervag, a Forrester analyst at the time, as a strategy to replace the outmoded perimeter security model with a \u201cnever trust, always verify\u201d approach. 
But going from principle to [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8502,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8501","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8501"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8501"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8501\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8502"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8501"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8501"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8501"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}