No Trust Podcast: A Conversation with the Godfather of Zero Trust — John Kindervag


PODCAST

John Spiegel

8/11/2025 · 6 min read

When the creator of a security philosophy joins your podcast, you know you’re in for a masterclass. In this episode of No Trust, part of the Zero Trust Forum, hosts Jaye Tillson and John Spiegel sit down with none other than John Kindervag — the man who coined Zero Trust during his time at Forrester Research.

Kindervag’s journey spans from conceptualizing Zero Trust before it was cool, to seeing it become a strategic pillar for governments and enterprises worldwide. This episode isn’t just about definitions — it’s about why change is hard, how to overcome resistance, and why Zero Trust is more about protecting what matters than chasing shiny tools.

Highlights from the Conversation

From Pizza Toppings to Protect Surfaces

The episode opens with a lighthearted (but surprisingly passionate) debate about pineapple on pizza — a metaphor for evolving your thinking. Just like taste buds, security mindsets need to adapt. Kindervag likens the evolution of Zero Trust adoption to the slow burn of new ideas in culture — change is uncomfortable, but inevitable.

Why Change Stalls — and How to Unstick It

Kindervag emphasizes that most Zero Trust projects fail because they start too big. His advice? Break it down into small, manageable protect surfaces — iteratively securing one at a time. Trying to defend everything means you defend nothing.

“He who tries to defend everything, defends nothing.” — Frederick the Great, via John Kindervag

It’s Not Just the C-Suite

One surprising takeaway: resistance to Zero Trust often comes from the technical ranks, not leadership. While executives understand the business case, some engineers cling to vendor-specific dogma or fear being accountable for new approaches. Kindervag shares a UK workshop story where senior leaders embraced Zero Trust instantly — once they understood the “why.”

Strategic Advantages Beyond Security

Zero Trust isn’t just about stopping breaches. Kindervag outlines business benefits:

  • Lower CapEx and OpEx through tool consolidation.

  • Fewer (and easier) audits — sometimes even zero audit findings.

  • Reduced breach costs compared to legal fees.

  • Stronger alignment to compliance mandates.

Ransomware and Cyber Insurance

In a provocative segment, Kindervag asks: Would ransomware exist without cyber insurance? He shares insider stories of attackers leveraging stolen insurance policies to set their ransom demands — a chilling look at how incentives drive attacker behavior.

Debunking the Myths

Kindervag dismantles common misconceptions:

  • Myth: Zero Trust is “all or nothing.”
    Reality: Focus only on assets worth protecting. If the cost to secure it outweighs its value, it doesn’t belong in your Zero Trust environment.

  • Myth: Only mature organizations can implement Zero Trust.
    Reality: It’s for any organization that has data or assets worth protecting.

Focus on Outcomes, Not Products

Zero Trust is not a rip-and-replace mandate. The real “product” is your policy, and tools exist only to enforce that policy. Without the right policy, your firewall is just “a box with cables.”

Why You Should Listen

This episode blends humor, war stories, and practical advice from someone who’s spent 15 years refining a model that’s now a global security standard. Whether you’re a seasoned CISO, a network engineer, or just Zero Trust-curious, you’ll walk away understanding:

  • Why incremental change beats big-bang rollouts.

  • How to sell Zero Trust internally — even to skeptics.

  • The real business case behind the buzzword.

🎧 Listen to the full episode here: https://on.soundcloud.com/xcdoA12CShUKDn9bQZ

Full Transcript (Cleaned & Readable)

Jaye Tillson: Welcome to another episode of No Trust. It’s been a while since we recorded, but we’re kicking off a new Zero Trust series with none other than the godfather of Zero Trust himself, John Kindervag. John, for anyone who’s been living under a rock, can you share a bit about who you are and why you’re called the godfather of Zero Trust?

John Kindervag: Sure. I’m the Chief Evangelist for Illumio, which focuses on microsegmentation and visibility to build Zero Trust environments. I created Zero Trust while at Forrester Research — wrote the first papers on it before anyone else picked it up. And yes, “godfather” is a much better title than some of the early nicknames I got.

I’ve been traveling a lot — even gave a talk at Bletchley Park recently, which was on my bucket list. But before we dive in, I do have a quibble with you, Jaye.

Jaye Tillson: Let me guess — pineapple on pizza?

John Kindervag: Exactly. First, someone from Britain, who eats bangers and mash, shouldn’t judge anyone else’s pizza toppings. Second, you can put anything on pizza — people put fish on pizza! Pineapple is great. In fact, I once created a cheeseburger pizza for a workshop at a big pizza chain, and they actually put it on the menu for a while.

Jaye Tillson: I respect you on cybersecurity, John, but you’re just wrong on pineapple.

John Spiegel: Jaye, you’ve got to evolve. If we stuck to your thinking, we’d still be riding horses, no trains, no planes, no digital — and no Zero Trust.

Jaye Tillson: Fine, let’s talk about evolution. You created Zero Trust about 15 years ago. Why did it take so long to gain traction, and what was the original driver?

John Kindervag: In tech terms, 15 years isn’t that long. Change is slow because people resist it. Chick-fil-A took three years just to get employees to say “my pleasure” instead of “you’re welcome.” Early on, the slow uptake was a blessing — I got to be the only one doing it, learning from mistakes, and documenting best practices for others.

One key lesson came from a big restaurant chain. Someone removed an old server without knowing it was critical to the point-of-sale system, taking down 4,000 restaurants worldwide. That’s why “mapping the transaction flows” is step two of the five-step model — you can’t protect what you don’t understand.

Jaye Tillson: And we still don’t document our networks well.

John Kindervag: Exactly. There’s no “owner’s manual” for IT environments. Many people don’t even understand the basics — OSI model, TCP, how networks and servers work. Some think there are no networks or servers in the cloud! This lack of understanding makes it hard to keep systems running securely.

John Spiegel: And the internet itself is fragile, built on trust that things like BGP are configured right.

John Kindervag: Right. And BGP doesn’t respect borders. You might violate GDPR without knowing it because traffic takes the fastest route, not the most compliant one.

John Spiegel: So how do you keep Zero Trust from stalling, especially in brownfield environments?

John Kindervag: Start small. Focus on a single protect surface at a time. Incremental, iterative, non-disruptive work is key. You can’t protect everything — Frederick the Great said, “He who tries to defend everything, defends nothing.”

Jaye Tillson: But a lot of CISOs still budget for perimeter tools.

John Kindervag: Old habits and vendor incentives. Edge security is easier to sell. Vendors want to close deals, not necessarily secure your org. Leaders need to align incentives to protect critical data and assets — otherwise, people will do nothing rather than risk being blamed for a change.

Jaye Tillson: So fear of change is a big barrier.

John Kindervag: Yes, and not just at the C-suite. In fact, executives often get it once you explain the business case. I’ve had mid-level technical staff walk out of workshops because it didn’t align with their vendor’s approach — only to come running back when the managing director endorsed Zero Trust.

John Spiegel: What are the strategic advantages of embracing Zero Trust?

John Kindervag: Lower CapEx and OpEx, fewer data breaches, lower legal costs, and — surprisingly — easier audits. One client had zero audit findings after adopting Zero Trust, which they’d never experienced before.

Jaye Tillson: You also brought up cyber insurance before.

John Kindervag: Yes — and here’s a provocative thought: would ransomware exist without cyber insurance? Attackers now look for your policy during breaches and demand the maximum payout it allows. Cyber insurance may have optimized ransomware as a business.

John Spiegel: That’s a chilling thought.

John Kindervag: And some companies measure their cyber posture by whether their insurance premiums went down — which is absurd.

Jaye Tillson: Let’s tackle myths. First, Zero Trust is “all or nothing.”

John Kindervag: Wrong. You only protect assets worth protecting. If securing it costs more than it’s worth, don’t include it.

Jaye Tillson: Second, it’s only for mature organizations.

John Kindervag: Also wrong. It’s for any organization with sensitive data or assets. It’s about protecting what matters, not about your maturity level.

John Spiegel: And it’s not about ripping and replacing everything.

John Kindervag: Exactly. Focus on policy. Products enforce policy, but without the right policy, that firewall is just a box with cables.

Jaye Tillson: Before we wrap, what do you love and dislike about conferences?

John Kindervag: I dislike the travel but love the people. Speaking at Bletchley Park, meeting leaders and innovators — that’s what keeps me going. I’ve even had someone thank me on a flight for their job as a Zero Trust architect. That’s humbling.

Jaye Tillson: And that’s why we do this podcast — to spread the word.

John Kindervag: My challenge to the next generation: care about the outcome, not just the tech. Focus on the business objectives.

John Spiegel: John, thanks for your time. Always a great conversation.

John Kindervag: Thanks, and good luck in Vegas — and stay out of jail.