The ‘Godfather of Zero Trust’, John Kindervag, discusses fixing the incentive structure around cybersecurity and zero trust segmentation.
Zero trust is an approach to cybersecurity that centres on the idea that organisations should trust nothing inside or outside their network and that everything needs to be verified and secured.
Since the concept was first created in 2009 by then-Forrester analyst John Kindervag, zero trust has seen a boom of interest in the cybersecurity world. A decade and a half later, zero trust architecture is heralded by cybersecurity experts as a must-have security strategy in the modern threat landscape, and the concept has become a multibillion-dollar market.
Since developing the concept, Kindervag has become known industry-wide as ‘The Godfather of Zero Trust’. In 2021, he was named as CISO Mag’s Cybersecurity Person of the Year. In the same year, Kindervag was named to former US president Joe Biden’s National Security Telecommunications Advisory Committee.

Today, he holds the position of chief evangelist at US cloud computing security company Illumio, where he continues to promote the increased adoption of the zero-trust approach.
“I guess you could say my role is fundamentally helping companies to modernise and implement new tech and security strategies,” says Kindervag. “A lot of what I do is helping to bring the strategic side of zero trust to the forefront.”
On a day-to-day level, he says his mission is to empower organisations to accelerate zero-trust adoption by “putting segmentation at the forefront of their strategy”.
“One of the main reasons I joined Illumio was because its zero trust segmentation (ZTS) technology makes it fundamentally easier and quicker for businesses to adopt zero trust. It aligns with my five-step deployment model that I advocate for widely, and for me, was the best and most natural fit to continue to evangelise zero trust and get people to move forwards.”
Here, Kindervag discusses some major trends of the threat landscape and how zero trust can help organisations defend against modern-day security challenges.
What are some of the biggest challenges you’re facing in the current IT landscape, and how are you addressing them?
One of the biggest challenges is the persistent misconceptions around zero trust. Organisations often mistakenly believe zero trust is a tactical initiative or a tool you can implement, or that it requires a complete overhaul of infrastructure, which simply isn’t true.
Many also continue to delay their deployment of zero trust. At its core, this challenge is a human problem: people often lack the urgency or clear incentives to take the right actions. Organisations need to realise that real transformation comes from adopting a mindset of resilience and a culture of proactive security.
To address this, I’m working to shift the narrative from “why bother?” to “why wait?”. This includes advancing discussions on critical topics like risk management, leadership accountability and collaboration across cybersecurity. I want to simplify people’s perceptions of zero trust by emphasising achievable steps and focusing on progress over perfection.
What are your thoughts on digital transformation in a broad sense within your industry? How are you addressing it in your work?
Digital transformation means different things to different organisations, but at its core, it’s about using technology to create new opportunities and efficiencies. These efforts are only sustainable when underpinned by robust security. Like building a house on sand, transformation efforts are vulnerable without a secure foundation. And this is where zero trust, and more specifically, zero trust segmentation are critical.
Digital transformation often leads to the erosion of perimeter defences and the expansion of the attack surface. ZTS limits the impact of such attacks by ensuring that should attackers get in, they are unable to move throughout the network. It provides a robust security framework for all transformation initiatives, from cloud migration to IT/OT convergence.
It also ensures that security isn’t just a safeguard but an enabler of innovation. In fact, research conducted by ESG shows that organisations that have adopted ZTS as part of their zero trust strategy accelerate more digital and cloud transformation projects than those that haven’t.
What big tech trends do you believe are changing the world and your industry specifically? Which of these trends are you most excited about and why?
AI is undoubtedly one of the most transformative technologies of our time, with immense potential to enhance cybersecurity. Within the zero-trust framework, AI is accelerating key processes like labelling environments and implementing day-one policies to make security measures faster and more efficient.
Beyond security, AI is reshaping how we interact with the world in ways that are both thrilling and unpredictable. To me, the leap from early computing to today’s AI capabilities is staggering. I only have to look at my AI-powered, gravity-defying, pool-cleaning robot to see how far we’ve come.
However, it’s important that we don’t get too caught up in the rush to adopt AI. Its rapid evolution presents both opportunities and risks, and predicting its long-term impact is impossible. But in cybersecurity, AI is clear in helping us stay one step ahead of attackers, making it an indispensable tool in our arsenal.
What are your thoughts on how we can address the security challenges currently facing your industry?
The first step is fixing the incentive structure around security. Organisations fail to act because leadership does not prioritise security. Security needs to become a top-down mandate driven by executives who understand its critical importance. This will help remove people’s fear that doing something different might get them in trouble. You can’t get in trouble if your leader tells you to do it. Initiatives like the presidential executive order in the US have demonstrated that when leadership mandates action, progress follows.
Second, we need to see a major rethink in our approach to risk management. Traditional approaches focus on probabilities, which leads to complacency. Instead, we need to adopt a danger-management mindset that emphasises addressing immediate threats proactively and decisively.
Finally, coming back to zero trust, we need to move beyond talking and start implementing. Far too much time has been spent arguing over definitions and striving for perfection. Zero trust isn’t about getting everything right from the outset but about making meaningful progress. Start small, protect your most critical assets, and build from there. The key is to act decisively and embrace the journey.