Zero Trust at 15: The Strategy That Refused To Become a Product

15 years ago, while working as an analyst at Forrester Research, I introduced the zero trust security model. At the time, cybersecurity professionals still relied on the flawed idea that they could trust everything inside the network. But real-world breaches told a different story: attackers were exploiting a broken trust model, bypassing defenses with ease, and then moving laterally to their objectives.
From the beginning, zero trust was never a tool or a feature; it was a strategy. It remains the world’s only cybersecurity strategy. You don’t buy it; you build it. And it rests on one core principle: never trust, always verify.
Over the years, vendors have tried to package and sell it. But zero trust isn’t a SKU. It’s a way of designing systems that contain threats and limit damage the moment an attack begins. It aligns defenses with how adversaries actually operate, rather than with outdated assumptions about secure perimeters.
The adoption journey, however, can feel daunting. That’s why I often use the image of the wooden staircase in Sunnfjord, Norway, near where my grandfather was born. It’s the longest wooden staircase in the world: 4,444 steps built up the mountainside by workers who hauled concrete and steel for a hydroelectric plant more than a century ago. No one climbed all those steps in a single stride; they took them one at a time.
Zero trust works the same way. You don’t start with your most sensitive assets. You begin with lower-value systems, learn, practice, and then apply what you’ve mastered to your crown jewels. Incremental, iterative, and non-disruptive progress is what makes zero trust practical and achievable.
Segmentation, Not Identity, Is the Foundation
Some try to recast zero trust as an identity-first model. Identity matters; it is consumed by policy in zero trust environments, but it’s not the tactical foundation. Segmentation is. Without segmentation, you can’t isolate sensitive data, applications, assets, and services (i.e., DAAS elements) into Protect Surfaces. And without Protect Surfaces, you can’t enforce meaningful policy. Segmentation is what turns zero trust from concept into architecture.
The Five-Step Model
The first step in implementing zero trust is defining the Protect Surface by identifying the DAAS elements that matter most. DAAS is an acronym I created to help people understand what to put into a Protect Surface: Data, Applications, Assets, and Services. Second, map transaction flows to understand how data moves to and from the Protect Surface and where controls belong. Third, architect from the inside out, building controls around each Protect Surface rather than around the perimeter. Fourth, write policy using the Kipling Method (who, what, when, where, why, and how) so that every access decision becomes an explicit allow or deny, with anything not explicitly allowed denied. Fifth, monitor and maintain the system, using telemetry to continually improve and adapt.
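As an added illustration of the five-step model (not code from the original article), the following Python sketches one Protect Surface, a handful of Kipling-Method rules, and a default-deny decision function run over constructed sample flows. The surface name, identities, segment names, justification tags and protocols are all assumptions chosen for the example. It also shows the point of the previous section: the second sample flow carries a valid identity but is still denied, because policy is anchored to the source segment, not to identity alone.

```python
# Added example: a minimal Kipling-Method policy engine for one Protect Surface.
# Not from the original article; all names, segments and flows are assumptions.
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One transaction toward a Protect Surface, recorded in Kipling-Method terms."""
    who: str     # identity asserted by the request (user or workload)
    what: str    # DAAS element being reached (data, application, asset or service)
    when: time   # time of day the request is made
    where: str   # network segment the request originates from
    why: str     # business justification tagged on the request
    how: str     # protocol or method used


@dataclass(frozen=True)
class Rule:
    """An explicit ALLOW statement. A flow must satisfy every clause to match."""
    name: str
    who: FrozenSet[str]
    what: FrozenSet[str]
    when: Tuple[time, time]   # inclusive (start, end) window within one day
    where: FrozenSet[str]
    why: FrozenSet[str]
    how: FrozenSet[str]

    def matches(self, f: Flow) -> bool:
        start, end = self.when
        return (f.who in self.who and f.what in self.what
                and start <= f.when <= end and f.where in self.where
                and f.why in self.why and f.how in self.how)


@dataclass(frozen=True)
class ProtectSurface:
    """A segment-isolated group of DAAS elements plus the rules that grant access to them."""
    name: str
    daas: FrozenSet[str]
    rules: Tuple[Rule, ...]

    def decide(self, f: Flow) -> Tuple[str, str]:
        """Return ('allow', rule_name) or ('deny', reason). Nothing is implicitly allowed."""
        if f.what not in self.daas:
            return ("deny", f"{f.what!r} is not in Protect Surface {self.name!r}")
        for rule in self.rules:
            if rule.matches(f):
                return ("allow", rule.name)
        return ("deny", "no explicit allow rule matched (default deny)")


# Step 1 and 3: one Protect Surface for a customer-data store and its billing API.
# Step 4: two explicit allow rules; every other transaction to these elements is denied.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
CUSTOMER_DATA = ProtectSurface(
    name="customer-data",
    daas=frozenset({"customer-pii-db", "billing-api"}),
    rules=(
        Rule("billing-batch-reads-pii",
             who=frozenset({"svc-billing"}), what=frozenset({"customer-pii-db"}),
             when=(time(0, 0), time.max), where=frozenset({"seg-app-billing"}),
             why=frozenset({"nightly-invoicing"}), how=frozenset({"postgres/tls"})),
        Rule("dba-change-window",
             who=frozenset({"alice.dba"}), what=frozenset({"customer-pii-db"}),
             when=BUSINESS_HOURS, where=frozenset({"seg-jump-host"}),
             why=frozenset({"change-ticket"}), how=frozenset({"ssh"})),
    ),
)

# Step 2: constructed transaction flows, as a flow-mapping exercise would surface them.
SAMPLE_FLOWS: List[Flow] = [
    # Expected batch job from the billing segment: matches rule 1.
    Flow("svc-billing", "customer-pii-db", time(2, 15), "seg-app-billing", "nightly-invoicing", "postgres/tls"),
    # Same valid service identity, but from the workstation segment: segmentation denies it.
    Flow("svc-billing", "customer-pii-db", time(2, 20), "seg-user-workstations", "nightly-invoicing", "postgres/tls"),
    # DBA from the jump host inside the window with a ticket: matches rule 2.
    Flow("alice.dba", "customer-pii-db", time(10, 30), "seg-jump-host", "change-ticket", "ssh"),
    # Same DBA, same path, but at 03:05: outside the window, so denied.
    Flow("alice.dba", "customer-pii-db", time(3, 5), "seg-jump-host", "change-ticket", "ssh"),
    # A destination this surface does not contain: no rule here can grant it.
    Flow("alice.dba", "hr-payroll-db", time(10, 30), "seg-jump-host", "change-ticket", "ssh"),
]


def evaluate(surface: ProtectSurface, flows: List[Flow]) -> List[Tuple[str, str, str, str]]:
    """Step 5 input: one (who, where, decision, reason) record per flow for monitoring."""
    return [(f.who, f.where) + surface.decide(f) for f in flows]


if __name__ == "__main__":
    for who, where, decision, reason in evaluate(CUSTOMER_DATA, SAMPLE_FLOWS):
        print(f"{decision:5} {who:12} from {where:22} {reason}")
```

Each record the evaluator emits is the telemetry the fifth step consumes: a denied flow with a legitimate identity from an unexpected segment is exactly the signal that either a policy is incomplete or a credential is being used from somewhere it should never be.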
Debunking Common Misconceptions
The biggest roadblock to successfully implementing a zero trust strategy is misunderstanding. Leaders think zero trust is a product, and teams believe it’s a project. It’s neither. It’s an ongoing process of refinement and reinforcement.
Another common mistake is trying to do everything at once. Zero trust is built one Protect Surface at a time. If you try to cover the entire environment in one move, complexity overwhelms progress.
Too often, organizations also cling to outdated models or treat zero trust as a compliance checkbox. Even when technical teams understand the strategy, programs usually stall without strong leadership. Incentives determine outcomes.
As Charlie Munger, Warren Buffett’s longtime partner at Berkshire Hathaway, famously said, “Show me the incentive and I’ll show you the outcome.” When executives set the right priorities and tie them to business goals, zero trust succeeds. Without that leadership, most efforts fail to move past the talking stage.
Finally, don’t treat cybersecurity as a probability exercise. Risk equations can’t capture the reality of modern threats. The internet gives attackers constant proximity to your systems, and they already possess the tools and skills to strike. That makes attacks imminent, not hypothetical. The better lens is danger, not risk. Just as parents don’t calculate the odds of a child being electrocuted before covering outlets, organizations shouldn’t delay closing obvious exposures.
Why Zero Trust Endures
Zero trust is a strategy that’s not tied to any one technology. It adapts to AI, quantum threats, and hyper-connected environments. It scales with automation. It thrives on visibility.
Most importantly, it forces the right question: What are we trying to protect? That question shifts the focus from vague notions of perimeter defense to asset-centric security. It turns policy into enforceable controls. And it gives defenders the advantage — because attackers can’t exploit what they can’t reach.
Looking Ahead
Today’s threats move at machine speed, so defenses must as well. Controls can’t wait for human response. They must act automatically because containment must be instantaneous.
AI gives attackers new capabilities, but it also offers defenders powerful tools. Visualization, behavioral analytics, and real-time enforcement aren’t optional; they’re essential. Only a machine can defeat another machine, and automation makes that possible.
In this post-perimeter, post-human world, zero trust provides the framework for resilience. It stops breaches, renders other attacks ineffective, and ensures organizations can withstand what comes next.
Zero trust began as a challenge to flawed assumptions. Today, it has become the foundation of modern cybersecurity. Its strength lies not in technology but in the clarity of its principles. If you’ve already begun the journey, stay on course. If you haven’t, now is the time to start. Trust is a vulnerability, and eliminating it is your strongest defense.
