Trust is a human emotion. It has no place in the digital world. This was the epiphany that led John Kindervag to develop the Zero Trust security model, a framework that has reshaped cybersecurity strategies worldwide. Speaking at a TEISS Briefing at the House of Lords in London, hosted by BT and Illumio, Kindervag, now an Illumio evangelist, explained the origins of Zero Trust and why it is more important than ever.

For years, organisations have operated under the assumption that some areas of their digital infrastructure can be inherently trusted. Zero Trust challenges this by enforcing strict verification and minimising the attack surface to prevent breaches.
Kindervag told an audience of senior cybersecurity experts that, despite increasing adoption, misconceptions remain. Many believe Zero Trust must be implemented all at once, but he emphasised that organisations should break it into manageable parts. Others assume it is a complex strategy, but Kindervag said it is actually very simple. Finally, he said many people mistakenly assume Zero Trust is only about identity, but it covers more than that.
Addressing Key Challenges
One attendee raised a challenge familiar to many security leaders: budget holders are often keen to know when the cyber security project they are funding will be finished. Kindervag’s response was unequivocal: never. Cybersecurity, he explained, is no longer an optional expense but a permanent operational requirement, much like accounting software or compliance functions.
Instead of positioning security as an endless cost, he suggested reframing the conversation around maturity. Rather than asking when security investments can stop, organisations should focus on improving and maintaining their security maturity, ensuring their defences remain effective as threats evolve.
Another common challenge is determining what to protect first. Traditional security approaches focus on attack surfaces, but Kindervag said attack surfaces are infinite, so Zero Trust focuses on ‘protect surfaces’ - specific, identifiable areas of value. The first step in securing these assets is to determine what needs protection. From there, organisations must understand how these assets function, build a bespoke security environment around them, and develop tailored policies to govern access. After that, continuous monitoring and maintenance are essential.
Securing ‘radioactive’ data
The discussion also covered data classification. Kindervag noted that existing classification frameworks, such as ‘Secret’ and ‘Top Secret’, were designed for physical documents and do not translate well to digital data. Instead, he suggested a model that categorises data according to how it should be protected. Information that is publicly accessible falls into the ‘Public’ category, while data that would be damaging if compromised should be classified as ‘Toxic’. Highly sensitive information, which Kindervag termed ‘radioactive’, requires the highest level of security or, in some cases, controlled disposal.
The conversation extended beyond IT security to operational technology (OT) and the Internet of Things (IoT). One attendee asked how Zero Trust applies to environments such as industrial control systems. Kindervag said that many OT security models were developed decades ago and need rethinking, but that Zero Trust principles can still be applied. By securing the systems that control OT devices, organisations can contain potential attack surfaces. He cited his experience implementing Zero Trust across 50 million smart meters, demonstrating its effectiveness in large-scale deployments.
Another key aspect of Zero Trust is segmentation, which limits an attacker’s ability to move laterally within a network. Kindervag stressed that while attack methods evolve, the fundamental tactics used by cybercriminals remain the same. Segmentation provides an inherent layer of resilience, ensuring that even if a breach occurs, the damage is contained. Rather than treating segmentation as an optional layer of security, he argued that networks should be segmented by default, preventing attackers from gaining unrestricted access.
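The protect-surface methodology and segmentation-by-default described above can be expressed as a small policy check. The following is an added illustration, not code from the briefing, BT or Illumio: the asset name, workload roles, allow rules and sample flows are all constructed, and every flow to the protect surface is denied unless a rule names it exactly.

```python
"""Default-deny segmentation policy around a single 'protect surface'.

Added illustration, not code from the briefing, BT or Illumio. The protect
surface name, roles, rules and sample flows are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass

# The protect surface and the only flows allowed to reach it.
# Anything not matched by a rule is denied: segmentation by default.
PROTECT_SURFACE = "payments-db"           # constructed asset name
ALLOW_RULES = {                           # (source role, protocol, port)
    ("payments-api", "tcp", 5432),
    ("backup-agent", "tcp", 5432),
}

@dataclass(frozen=True)
class Flow:
    src_role: str   # label of the workload that opened the connection
    dst: str        # destination asset
    proto: str
    port: int

def evaluate(flow: Flow) -> str:
    """Allow a flow to the protect surface only when a rule names it exactly."""
    if flow.dst != PROTECT_SURFACE:
        return "out-of-scope"          # this policy governs one surface only
    if (flow.src_role, flow.proto, flow.port) in ALLOW_RULES:
        return "allow"
    return "deny"

def audit(flows) -> dict:
    """Apply the policy to observed flows and count denials per source role.

    Repeated denials from one role are the lateral-movement signal that the
    monitoring step of the methodology watches for.
    """
    verdicts = Counter(evaluate(f) for f in flows)
    denied_by_source = Counter(f.src_role for f in flows if evaluate(f) == "deny")
    return {"allowed": verdicts["allow"], "denied": verdicts["deny"],
            "denied_by_source": dict(denied_by_source)}

# Constructed sample traffic: two legitimate flows, one from a role with no
# business reaching the database, one from a permitted role on the wrong port,
# and one flow that this policy does not govern.
SAMPLE_FLOWS = [
    Flow("payments-api", "payments-db", "tcp", 5432),
    Flow("backup-agent", "payments-db", "tcp", 5432),
    Flow("hr-workstation", "payments-db", "tcp", 5432),
    Flow("payments-api", "payments-db", "tcp", 22),
    Flow("hr-workstation", "file-share", "tcp", 445),
]

if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS))
```

Note that the permitted role is still denied on an unlisted port: the rule set is built around how the asset is actually used, not around the source alone.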
Making Zero Trust Work in Practice
While the principles of Zero Trust are well established, execution remains a challenge. Kindervag offered practical advice on how organisations can move beyond theory and put Zero Trust into action. The first step, he said, is to secure executive buy-in. It is often easier to explain the concept of Zero Trust to the senior leaders - the ‘grand strategy actors’ - of the organisation and then work out the message for tacticians.
He said that, just as US President Joe Biden issued an Executive Order in 2021 calling for Zero Trust in Federal Government IT, so all organisations should issue an executive order for Zero Trust.
Another recommendation was to establish a Zero Trust Center of Excellence, which can break down organisational silos and ensure security policies are applied consistently across departments. Kindervag emphasised the importance of getting started. Organisations must just take the first step.
As cybersecurity threats evolve, Zero Trust is increasingly viewed as a necessity. Kindervag’s closing message was clear: security is an ongoing process, not a destination. Organisations that embed Zero Trust into their culture, refine their approach over time, and continually reassess their security maturity will be best positioned to defend against future threats.
To learn more, please visit: www.bt.com & www.illumio.com
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543