No Trust Podcast: Building Real-World Zero Trust with Jerry Chapman
In this episode of the No Trust Podcast, Jaye and John sit down with Jerry Chapman — co-founder and CTO of Numberline Security — to unpack what it really takes to make Zero Trust real inside complex enterprises.
PODCAST
John Spiegel
10/14/2025
7 min read


Jerry’s story is one of evolution — from a 25-year journey through identity management to becoming one of the most practical voices in the Zero Trust movement. Together with Jason Garbis, Jerry literally wrote the book on how to make Zero Trust work in the enterprise.
From Identity to Zero Trust
Jerry’s background reads like a crash course in how the security world matured.
“I kind of fell into identity about 25 years ago,” he laughs, recalling his early days. “Back then, we called it business enablement. But about ten years ago, I realized identity alone wasn’t enough — I started talking about identity-led security.”
That shift toward an identity-centric model naturally led him down the Zero Trust path. By the time most of the industry was still trying to spell it, Jerry was already teaching it.
“Seven or eight years ago, when I started talking about Zero Trust, people said, ‘What are you talking about?’ Now the conversations have gotten better — and more fun.”
The Book That Made Zero Trust Practical
Co-written with Jason Garbis, Zero Trust Security: An Enterprise Guide became a cornerstone reference for practitioners trying to move from PowerPoint theory to actionable design.
“The goal wasn’t to write another conceptual book,” Jerry explains. “We wanted something you could actually use. We focused heavily on business use cases — how you apply Zero Trust across identity, data, and applications.”
He points readers to the later chapters as a starting point:
“I tell people all the time: start with chapters 17, 18, and 19. They’re about policy models and use cases — the parts that make Zero Trust real for your business.”
Zero Trust as a Program, Not a Project
When asked about the biggest misconceptions still lingering, Jerry doesn’t hesitate.
“It’s not a project. You don’t ‘do’ Zero Trust and stop. You don’t stop your cybersecurity program, right? Threat actors don’t stop. So this is a strategy — a better way to drive a continuous program.”
He cautions that too many organizations still treat Zero Trust as a technology play, when in reality it’s a business and process conversation.
“People jump right to fixing endpoints or networks. But it’s not about the tech — it’s about how process and technology come together to protect the business.”
The Blueprint: Four Phases for Doing It Right
Over years of customer engagements, Jerry and Jason distilled their lessons into what they call the Zero Trust Blueprint — a practical, four-phase model to help organizations plan and measure progress:
Readiness & Drivers – Understand your organizational motivation and board-level appetite.
Assessment – Determine where you are across people, process, and technology.
Strategy & Roadmap – Define desired outcomes and create capability roadmaps tied to business assets and protect surfaces.
Metrics & Checkpoints – Continuously measure, iterate, and mature.
“Every organization is somewhere on the path already,” Jerry emphasizes. “You’re not at ground zero. If you’ve got Wi-Fi routers, access points, or any identity controls, you’ve started.”
The point, he says, is to stop waiting for perfect conditions:
“Too many teams delay starting because they think they need A, B, and C in place first. That’s not reality. You can mature in parallel.”
Extending the CISA Model: ZTMM+
Numberline’s framework builds on CISA’s Zero Trust Maturity Model — what they call ZTMM+.
“We found gaps, especially in identity and data,” Jerry explains. “CISA’s model focused heavily on user authentication, but it missed non-person entities — machine identities, service accounts, even agentic AI. So we added that. It’s what we see in real-world assessments.”
This enhanced model connects business assets, protect surfaces, and transaction flows to derive contextual access policies that cut across all five pillars: identity, device, network, workload, and data.
Lessons from the Field
When asked how the blueprint performs in real-world engagements, Jerry is candid:
“It’s working. The assessment phase is eye-opening. Customers suddenly realize they already have capabilities they weren’t using. That’s powerful.”
But he also admits the challenge: metrics.
“Everyone wants ROI, but traditional security metrics don’t fit. You can measure password reset calls dropping after going passwordless — but that’s just one slice. We’re still evolving how to quantify Zero Trust maturity meaningfully.”
His favorite war story involves a legal client convinced Zero Trust would slow them down:
“They said, ‘You’ll just make my life harder.’ But once we went passwordless, they realized we’d actually made it easier. That one change flipped leadership’s entire perception of security.”
Technology, Progress, and the Path Ahead
When the “No Trust” hosts pressed him on what’s missing in the market, Jerry pointed to data and application security as the next frontier.
“Identity, device, and network are strong. But data and applications are still weak spots. Organizations don’t know where data lives, who owns it, or how it’s classified. That’s where the next wave of innovation needs to happen.”
He’s optimistic, though, about the tech finally catching up:
“Real integrated protocols — things like just-in-time access and continuous evaluation — are now actually doable. The technology’s ready. The challenge is coordination.”
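To make the two ideas above concrete, the ZTMM+ notion of a contextual access policy that draws on all five pillars (identity, device, network, workload, data) and the just-in-time access with continuous evaluation Jerry describes, here is a small policy engine written for this write-up. It is an added illustration, not code from Numberline, ZTMM+, or the book. All names (Principal, Device, AccessRequest, Policy, evaluate, still_valid), the "hr-payroll" protect surface, the classification ranks and the sample actors are constructed for the example.

```python
"""Contextual access decision across the five Zero Trust pillars, with a
just-in-time grant that is continuously re-evaluated. Hypothetical example;
every class, policy and sample actor below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Data pillar: ordering of classifications (constructed labels)
DATA_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Principal:
    """Identity pillar: person or non-person entity (service account, agent)."""
    name: str
    kind: str                 # "user", "service" or "agent"
    strong_auth: bool         # MFA for people; workload identity check for NPEs
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Device:
    """Device pillar: posture as last reported by the management/EDR agent."""
    managed: bool
    compliant: bool
    posture_checked_at: datetime


@dataclass(frozen=True)
class AccessRequest:
    principal: Principal
    device: Device
    network: str              # network pillar: "corp", "vpn", "internet"
    workload: str             # workload pillar: the protect surface
    data_class: str           # data pillar: classification being touched
    now: datetime


@dataclass(frozen=True)
class Policy:
    """The 'recipe' for one protect surface, built from capability 'ingredients'."""
    workload: str
    allowed_groups: FrozenSet[str]
    allowed_networks: FrozenSet[str]
    max_data_class: str
    require_strong_auth: bool
    require_managed_device: bool
    max_posture_age: timedelta
    grant_ttl: timedelta      # just-in-time: the grant expires, then re-ask


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: Tuple[str, ...]
    expires_at: Optional[datetime]


def evaluate(policy: Policy, req: AccessRequest) -> Decision:
    """Deny by default: every pillar must pass, and every failure is recorded."""
    reasons: List[str] = []
    if req.workload != policy.workload:
        reasons.append("workload: policy does not cover this protect surface")
    if not (req.principal.groups & policy.allowed_groups):
        reasons.append("identity: principal not in an allowed group")
    if policy.require_strong_auth and not req.principal.strong_auth:
        reasons.append("identity: strong authentication not satisfied")
    if policy.require_managed_device and not req.device.managed:
        reasons.append("device: unmanaged device")
    if not req.device.compliant:
        reasons.append("device: non-compliant posture")
    if req.now - req.device.posture_checked_at > policy.max_posture_age:
        reasons.append("device: posture signal too old")
    if req.network not in policy.allowed_networks:
        reasons.append(f"network: {req.network} not permitted")
    if DATA_RANK.get(req.data_class, 99) > DATA_RANK[policy.max_data_class]:
        reasons.append("data: classification exceeds policy ceiling")
    if reasons:
        return Decision(False, tuple(reasons), None)
    return Decision(True, ("all pillars satisfied",), req.now + policy.grant_ttl)


def still_valid(grant: Decision, policy: Policy, req: AccessRequest) -> Decision:
    """Continuous evaluation: re-check an existing grant against current signals
    and its JIT expiry. A changed signal revokes it; a pass keeps the original
    expiry rather than silently extending it."""
    if not grant.allow:
        return grant
    if grant.expires_at is not None and req.now >= grant.expires_at:
        return Decision(False, ("grant expired; request just-in-time access again",), None)
    fresh = evaluate(policy, req)
    if fresh.allow:
        return Decision(True, fresh.reasons, grant.expires_at)
    return Decision(False, tuple("revoked: " + r for r in fresh.reasons), None)


def sample_scenario() -> Dict[str, Decision]:
    """Constructed sample: an HR analyst and a CI service account accessing a
    confidential payroll workload, then a re-evaluation after a posture change."""
    t0 = datetime(2025, 10, 14, 9, 0, tzinfo=timezone.utc)
    hr_policy = Policy("hr-payroll", frozenset({"hr-analysts", "payroll-ci"}),
                       frozenset({"corp", "vpn"}), "confidential", True, True,
                       timedelta(minutes=15), timedelta(minutes=30))
    analyst = Principal("ana", "user", True, frozenset({"hr-analysts"}))
    laptop = Device(True, True, t0 - timedelta(minutes=5))
    first = evaluate(hr_policy, AccessRequest(analyst, laptop, "vpn", "hr-payroll", "confidential", t0))
    # Ten minutes later the EDR agent reports the laptop as non-compliant.
    tampered = Device(True, False, t0 + timedelta(minutes=9))
    revoked = still_valid(first, hr_policy, AccessRequest(
        analyst, tampered, "vpn", "hr-payroll", "confidential", t0 + timedelta(minutes=10)))
    # Non-person entity: right group, but reaching in from an unapproved network.
    ci = Principal("payroll-exporter", "service", True, frozenset({"payroll-ci"}))
    npe = evaluate(hr_policy, AccessRequest(ci, Device(True, True, t0), "internet",
                                            "hr-payroll", "confidential", t0))
    return {"first": first, "revoked": revoked, "npe": npe}


if __name__ == "__main__":
    for label, d in sample_scenario().items():
        print(label, "ALLOW" if d.allow else "DENY", d.reasons, d.expires_at)
```

The engine treats the five pillars as independent gates and a grant as something with a clock on it: the analyst's access is allowed, revoked ten minutes later when the device signal changes rather than at the end of a session, and the service account (a non-person entity that CISA's model under-specifies, per the interview) is evaluated by the same policy and denied on the network pillar. Mapping real signals onto these fields (conditional access, EDR posture, data classification tags) is where the capability-to-policy roadmap from the Blueprint does its work.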
Final Thoughts
As the conversation wrapped, Jaye captured what makes Jerry such a powerful voice in the community:
“People like you and Jason are breaking Zero Trust into bite-sized, real-world pieces. You’re showing people it’s not an impossible hill — just a journey you take one step at a time.”
Jerry agrees:
“Every customer teaches us something new. We just want to keep making it better.”
Listen to the Full Episode
🎧 No Trust Podcast – Building Real-World Zero Trust with Jerry Chapman
Full Transcript
(Edited for clarity and readability, no timestamps)
Jaye Tillson:
Hello everyone, and welcome to another episode of the No Trust Podcast. Today we have a guest whose journey and thinking I deeply respect — Jerry Chapman, co-founder and CTO at Numberline Security. Jerry, thanks for being here.
Jerry Chapman:
Thanks, Jaye and John. It’s great to be here.
John Spiegel:
Jerry, you’ve got an interesting background — 25+ years in identity, then shifting into Zero Trust. Can you share a bit of how your story unfolded?
Jerry Chapman:
Sure. I kind of fell into identity about 25 years ago. Back then, it was often framed as “business enablement” — making sure people had the right access without friction. Over time, I realized that identity in isolation only takes you so far. You need context, policy, continuous evaluation. So I gradually shifted toward more holistic security architectures, and that’s what eventually led me to Zero Trust.
Seven or eight years ago, I started speaking more publicly about Zero Trust. At the time, most people didn’t understand what I meant. Now, the conversations are deeper, more grounded — it’s fun to see how much the field has evolved.
Jaye Tillson:
Before you joined Numberline, you worked with Jason Garbis. Together you wrote Zero Trust Security: An Enterprise Guide. What motivated you to write it, and what makes it different?
Jerry Chapman:
Jason and I wanted to bridge the gap between theory and implementation. There were already a lot of conceptual books out there. We aimed to build something you could carry into real engagements — with use cases, policy models, guidance on how to think about application, data, identity, and architecture in a grounded way.
One thing I always tell people: skip ahead to chapters 17, 18, and 19 if you want the parts you can use today — those cover policy models, practical patterns, and decision frameworks you can apply right away.
John Spiegel:
What’s one of the biggest misconceptions you still see about Zero Trust?
Jerry Chapman:
That it’s a project you get “done.” It’s not. Threat actors don’t stop, infrastructure changes, business evolves. Zero Trust has to be a continuous program.
Another misconception is treating it as a technology problem. Yes, tools matter — but people, process, governance, business alignment are the real heavy lifting. You can’t just slap on a product and claim Zero Trust.
Jaye Tillson:
You and Jason formalized a framework you call the Zero Trust Blueprint, with four phases. Walk us through that.
Jerry Chapman:
Absolutely. Over years of doing assessments and implementations, we distilled a repeatable model:
Readiness & Drivers — Understand the motivations, constraints, executive appetite, risk context.
Assessment — Where are you now across people, processes, and technology? What gaps, risks, and strengths do you already have?
Strategy & Roadmap — Set the vision, define the guardrails, and map capabilities (ingredients) to policies (recipes).
Execution & Metrics — Launch policies tied to business outcomes, then measure, iterate, mature.
An important point: many organizations think they need to wait until everything is ready. But you can run phases in parallel and iterate. Progress is more important than perfection.
John Spiegel:
You also extended the CISA Zero Trust Maturity Model into what you call ZTMM+. What enhancements did you add, and why?
Jerry Chapman:
The CISA model is solid, especially around governance, identity, device, networks. But we found holes in how it handles non-person entities — service accounts, machine identities, IoT, APIs.
So ZTMM+ adds clarity around those gaps and formalizes elements like data lifecycle, application security, just-in-time access, and continuous evaluation. It connects business assets and protect surfaces to policy domains more explicitly.
Jaye Tillson:
From the field — what are the common surprises during assessments? What do clients often underestimate?
Jerry Chapman:
One surprising thing: clients often already have capabilities they weren’t using — like conditional access features, identity federation, microsegmentation underutilized. The assessment phase helps surface latent power.
Another surprise: metrics. Everybody wants ROI or proof, but maturity measurement is hard. What you can measure are proxies — MFA adoption rates, reduction in privileged access groups, faster onboarding, lower help desk calls. But being honest about what you can and can’t prove up front is critical.
I’d love to share one story: a legal client was nervous that Zero Trust would make things more complex. After going passwordless and simplifying policy, they realized workflows became easier, not harder. That shift was transformative in how leadership viewed security.
John Spiegel:
What do you see as the least mature pillar today — the one most organizations struggle with?
Jerry Chapman:
Data and application security. Identity, device, and network are more mature now. But many organizations don’t fully know where all their data lives, who owns it, how it’s classified or accessed. Application security (APIs, microservices) is evolving fast but many gaps remain.
We see that as the next frontier: tying the context of identity and device into data and application flows in meaningful real time.
Jaye Tillson:
Let’s shift gears a little — human side. What’s your go-to meal, and where’s your favorite place to travel?
Jerry Chapman:
Give me something spicy. Mexican food is my jam — anything with heat, flavor.
As for travel, I’d pick Japan — the culture, food, tech, landscapes all fascinate me. Though I confess I’m not getting into cold water anytime soon.
John Spiegel:
Nice picks. Before we go, any final thoughts you want to leave the audience with?
Jerry Chapman:
Yes. Every customer teaches you something new. The journey of Zero Trust is never over — but the step you take today could change perceptions, reduce risk, and build trust incrementally. Keep doing the work, iterate, and don’t wait for perfect conditions.
Jaye Tillson:
Jerry, thank you so much. I really appreciate your thoughtful perspective, your stories, and your clarity. We’d love to bring you and Jason together for a future episode.
Jerry Chapman:
Thank you both. I’m honored to be here.