No Trust Podcast: Navigating the Zero Trust Landscape with Jason Garbis

In this episode of the No Trust Podcast, hosts Jaye Tillson and John Spiegel welcome back Jason Garbis, co-founder of Numberline Security, author, and longtime contributor to the Cloud Security Alliance. Jason has been shaping how organizations think about Zero Trust for more than a decade, from leading the CSA’s Software Defined Perimeter working group to building consulting frameworks that help enterprises put Zero Trust into practice. The discussion explores maturity models, misconceptions, security by design, and how to move from theory to execution without falling into common traps.

PODCAST

John Spiegel

9/29/2025, 7 min read

Cutting Through the Buzzwords

Zero Trust has become a loaded term in security marketing, but Jason argues the philosophy remains sound. “What’s the alternative?” he asks. While vendors and analysts often amplify the hype, Zero Trust distills decades of industry best practices. The challenge for organizations is to look beyond tools and treat Zero Trust as strategy, culture, and process, not just a technology purchase.

Misconceptions and Lessons from the Field

Jason highlights two common pitfalls:

  • Analysis Paralysis → A large manufacturer spent 18 months designing an elaborate Zero Trust architecture with a 30-person team, but never delivered value. When business pressures mounted, the project was cut.

  • Tool Obsession → Teams that focus on shiny new technologies without enabling access policies for actual users and applications fail to translate capability into business impact.

By contrast, successful organizations tie Zero Trust directly to outcomes: faster user onboarding, reduced compliance costs, smoother M&A integration, and more efficient operations.

Evolving the Maturity Model: IZTMM+

Numberline Security has built its own framework, IZTMM+, by extending CISA’s Zero Trust Maturity Model. Key enhancements include:

  • Adding functions such as secure internet access, SSO, DLP, and data lifecycle management.

  • Clarifying definitions and maturity progressions for more than 30 functions.

  • Providing digital toolkits and workshops that foster collaboration across IT, security, and business teams.

Rather than a check-the-box assessment, IZTMM+ sparks conversation between application owners, data stewards, and security leaders—driving alignment and shared ownership.

The Zero Trust Blueprint: Four Phases to Progress

To move beyond theory, Jason and his team developed the Zero Trust Blueprint, a four-step approach designed to deliver results in weeks, not years:

  1. Assessment – maturity model plus organizational readiness.

  2. Strategy – a short vision statement and steering committee.

  3. Roadmap – mapping access policies (“recipes”) to the capabilities (“ingredients”) required.

  4. Execution – enabling concrete policies tied to business needs.
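The Roadmap step above turns access policies ("recipes") into a list of required capabilities ("ingredients") and compares that list against the current assessment. The following added example (mine, not code from Numberline Security, the Zero Trust Blueprint toolkit, or the podcast) shows that mapping as a small gap analysis: each policy declares the minimum maturity it needs from each capability, the assessment records the current level, and the planner reports which policies can be enabled now and which capabilities are blocking the most policies, which is a reasonable way to order the Execution phase. The four level names follow the stages of CISA's Zero Trust Maturity Model; the policy names, capability names, and assessment values are constructed for illustration.

```python
"""Roadmap gap analysis: map access policies ("recipes") to the capabilities
("ingredients") they require and rank the capabilities that block the most policies.

Added example, not Numberline Security's or the podcast's own code. Policy and
capability names and the sample assessment are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Maturity stages in ascending order (names as used by CISA's Zero Trust Maturity Model).
LEVELS = ("traditional", "initial", "advanced", "optimal")


@dataclass(frozen=True)
class Requirement:
    capability: str   # the "ingredient" a policy depends on
    min_level: str    # lowest maturity of that capability the policy can work with


@dataclass(frozen=True)
class Policy:
    name: str                              # the "recipe": an access policy to enable
    business_outcome: str                  # why the business cares about this policy
    requirements: tuple[Requirement, ...]  # ingredients needed before it can be enabled


def level_rank(level: str) -> int:
    """Turn a maturity stage name into a comparable integer; reject unknown names."""
    if level not in LEVELS:
        raise ValueError(f"unknown maturity level: {level!r}")
    return LEVELS.index(level)


def missing_ingredients(policy: Policy, assessment: dict[str, str]) -> list[Requirement]:
    """Return the requirements the current assessment does not yet satisfy.

    A capability absent from the assessment is treated as the lowest stage,
    so an unassessed capability always shows up as a gap rather than being ignored.
    """
    gaps = []
    for req in policy.requirements:
        current = assessment.get(req.capability, LEVELS[0])
        if level_rank(current) < level_rank(req.min_level):
            gaps.append(req)
    return gaps


def plan_roadmap(policies: tuple[Policy, ...], assessment: dict[str, str]) -> dict:
    """Split policies into ready-now and blocked, and rank blocking capabilities.

    'priority' lists (capability, number_of_policies_blocked) with the biggest
    blocker first; ties are broken alphabetically so the output is deterministic.
    """
    ready: list[str] = []
    blocked: dict[str, list[str]] = {}
    blocker_counts: dict[str, int] = {}
    for policy in policies:
        gaps = missing_ingredients(policy, assessment)
        if not gaps:
            ready.append(policy.name)
            continue
        blocked[policy.name] = [f"{g.capability}>={g.min_level}" for g in gaps]
        for g in gaps:
            blocker_counts[g.capability] = blocker_counts.get(g.capability, 0) + 1
    priority = sorted(blocker_counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return {"ready": ready, "blocked": blocked, "priority": priority}


# Constructed sample: three access policies tied to business outcomes named in the text.
SAMPLE_POLICIES = (
    Policy("Contractor access to ERP", "faster onboarding",
           (Requirement("identity_sso", "advanced"),
            Requirement("mfa", "advanced"),
            Requirement("device_posture", "initial"))),
    Policy("Acquired-company staff to shared file service", "smoother M&A integration",
           (Requirement("identity_sso", "advanced"),
            Requirement("dlp", "initial"),
            Requirement("device_posture", "advanced"),
            Requirement("data_lifecycle", "initial"))),
    Policy("Engineers to production admin consoles", "reduced compliance reporting",
           (Requirement("mfa", "advanced"),
            Requirement("device_posture", "advanced"),
            Requirement("secure_internet_access", "initial"))),
)

# Constructed current-state assessment; data_lifecycle was never assessed on purpose.
SAMPLE_ASSESSMENT = {
    "identity_sso": "advanced",
    "mfa": "advanced",
    "device_posture": "initial",
    "dlp": "traditional",
    "secure_internet_access": "initial",
}

if __name__ == "__main__":
    result = plan_roadmap(SAMPLE_POLICIES, SAMPLE_ASSESSMENT)
    print("Ready to enable now:", result["ready"])
    for name, gaps in result["blocked"].items():
        print(f"Blocked: {name} -> needs {', '.join(gaps)}")
    print("Capabilities to raise first:", result["priority"])
```

With the sample data, the contractor policy can be enabled immediately, while device posture blocks two of the three policies and therefore lands at the top of the priority list; that ordering is the kind of concrete, business-linked Execution item the text contrasts with an abstract architecture exercise.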

Jason prefers this framing to the common “journey” metaphor. “Journeys have an end,” he explains. “Zero Trust is more like learning a language or martial art—you’re never done, you just keep practicing and improving.”

Security by Design and Business Alignment

For Zero Trust to stick, it must extend beyond IT and security. Jason encourages leaders to involve application owners, process owners, data owners, and even procurement teams early in the conversation.

By framing Zero Trust as an enabler—supporting geographic expansion, automating compliance, or accelerating M&A—security leaders can gain support from across the business. “It’s about enabling good things to happen, not just preventing bad things,” Jason says.

Measuring Maturity and Speaking the Right Language

Quantifying risk reduction is notoriously difficult. Jason recommends using proxies such as MFA adoption rates, reduced SOC workload, faster onboarding, or fewer compliance reporting hours. But the real key is translating outcomes into business language—productivity for operations, reduced insurance premiums for finance, brand protection for marketing.

As John points out, “You have to meet leaders in their comfort zone, not yours.”

Closing Notes and Lighter Moments

On a personal note, Jason shared that his go-to meal is grilled summer vegetables, and his favorite travel destination is Ireland, where he worked for years with an Irish software company.

The hosts closed by thanking Jason for his contributions to the Zero Trust community and hinting at a future episode with Jason and his co-author Jerry Chapman, now CTO at Numberline Security.

Takeaway: Zero Trust isn’t a one-time project or technology purchase. It’s an ongoing practice—measured by outcomes, driven by governance, and enabled through collaboration across the business.

Listen here - https://on.soundcloud.com/sFKhh7wr1rklpNU2oc

Full Transcript

(Edited for clarity and readability, no timestamps)

Jaye Tillson:
Hello everyone and welcome to another episode of the No Trust Podcast. Today we’re diving into a topic that’s often misunderstood—maturity models and what “security by design” really means. Our guest is someone who’s been on the show before, a longtime contributor to the Zero Trust community, and co-founder of Numberline Security: Jason Garbis. Jason, we’re excited to have you back. For those who haven’t heard your previous episodes, could you give us a quick overview of who you are and what you’ve been working on?

Jason Garbis:
Thanks, Jaye and John. It’s great to be here. I’ve been active in what we now call the Zero Trust ecosystem for many years. For over a decade I’ve been involved with the Cloud Security Alliance, first leading the Software Defined Perimeter working group, which we later rechartered to focus on Zero Trust. That’s been a rewarding volunteer role.

On the professional side, I spent years with vendors before founding Numberline Security about two and a half years ago. We focus entirely on consulting and advisory services for enterprises building Zero Trust strategies. It’s been a privilege to both help and learn from clients across industries.

Jaye Tillson:
I want to thank you personally for your work in this space. I remember meeting you at RSA with Jerry Chapman, when you signed your book for me. Your presentations and writing have really helped me understand Zero Trust more deeply and inspired John and me to start this podcast.

John Spiegel:
Let’s kick off with a buzzword question. Zero Trust has been heavily marketed. Can you peel back the reality of it? And how does it tie to software defined perimeter, which often gets mentioned in the same breath?

Jason Garbis:
Zero Trust has been overhyped, though maybe AI has taken the crown now. That’s not all bad—it allows us to move past the marketing noise and focus on actually applying the principles.

There’s always this “self-licking ice cream cone of misery” around industry trends, as Chase Cunningham calls it: analysts name a trend, vendors rush to claim it, enterprises create projects around it, funding follows, and vendors pile in. We’ve seen the same with Zero Trust. But the underlying philosophy is solid. Nobody’s saying Zero Trust is wrong—it’s just imperfect, like any strategy. Still, it reflects the accumulated best practices of the past 20 years. This is the way forward.

Jaye Tillson:
What are the biggest misconceptions you see? Are people starting to understand it better now than a few years ago?

Jason Garbis:
The biggest misconception is that Zero Trust is something you can buy. Technology helps, but success depends far more on people, processes, and culture. You can take the tools you already have and make meaningful progress by applying Zero Trust principles. But if you only buy technology without addressing process or culture, you’ll fail.

John Spiegel:
You’ve worked with a lot of customers. Can you share examples of both success and failure?

Jason Garbis:
Sure. One large manufacturer built a 30-person team that spent a year and a half designing an elaborate Zero Trust architecture. But they never delivered value to the business. When the company hit a rough quarter, that team was cut. It became a “science project” with no connection to real outcomes.

By contrast, organizations that succeed tie Zero Trust to business value—things like faster onboarding, reducing compliance costs, or enabling new business models. Too often teams focus on shiny tools or academic maturity models without enabling actual access policies for users, apps, and data.

Jaye Tillson:
At Numberline you’ve built your own maturity model, IZTMM+. Tell us about that.

Jason Garbis:
We reviewed existing models—DoD, CISA, vendor frameworks—and saw gaps. We liked CISA’s model because it elevated governance, but it also missed critical areas like secure internet access, SSO, DLP, and data lifecycle management. So we created IZTMM+ to address those gaps, define functions more clearly, and provide practical maturity progressions.

We built digital toolkits and a consulting framework around it. Workshops with clients often bring 20–30 people from across IT, security, and business teams together. That cross-team conversation is one of the biggest values—it sparks alignment rather than being a checkbox exercise.

Jaye Tillson:
If people want to learn more, where should they go?

Jason Garbis:
Visit numberlinesecurity.com, or connect with me or Jerry Chapman, who recently joined as our CTO, on LinkedIn.

Jaye Tillson:
When people start down the Zero Trust path, what’s the best first step?

Jason Garbis:
We built the Zero Trust Blueprint, a four-phase approach designed for progress in weeks, not years:

  1. Assessment – maturity model plus organizational readiness (we even have a free online tool).

  2. Strategy – a short written vision and steering committee.

  3. Roadmap – mapping access policies (“recipes”) to required capabilities (“ingredients”).

  4. Execution – actually enabling access policies tied to business needs.

I prefer this to the “journey” metaphor, which implies an end. Zero Trust is more like learning a language or martial art—you’re never done, you just keep practicing and improving.

John Spiegel:
What about embedding Zero Trust outside of IT and security—COOs, CFOs, business leaders?

Jason Garbis:
Most initiatives start in security, with IT close behind. But the best programs bring in application, process, and data owners early. It’s critical to cast Zero Trust as an enabler: reducing compliance burden, supporting geographic expansion, or making M&A integration smoother.

One client, a pharmaceutical firm, tied Zero Trust to their European expansion. Framing it as a way to cut compliance costs and automate security made it a business conversation, not just a security one.

John Spiegel:
And procurement? They’re often key players in tool decisions.

Jason Garbis:
Good point. Right now, procurement teams lack good ways to objectively evaluate vendor viability and long-term fit. SOC 2 and insurance-driven scans exist, but they’re limited. As an industry, we need to help procurement measure vendor security posture more reliably.

Jaye Tillson:
How do you measure maturity and prove to leadership that Zero Trust reduces risk?

Jason Garbis:
It’s very organization-specific. Some require ROI models or dashboards, others don’t. What matters is setting expectations upfront.

While risk modeling is hard to quantify, there are useful proxies: higher MFA coverage, reduced SOC workload, faster onboarding, or fewer compliance reporting hours. And you have to translate results into the language of business—productivity gains, compliance savings, or brand protection.

John Spiegel:
That’s key—speaking in business terms. Finance may care about cyber insurance, marketing about brand reputation, operations about efficiency. Tailor the conversation to their priorities.

Jaye Tillson:
Exactly. That’s how you get buy-in. We’re running out of time, so let’s close with a couple of fun questions. Jason, what’s one thing you’d eat any night of the week?

Jason Garbis:
Right now, with summer produce, grilled vegetables from the farmers market or my garden. I could eat those every day.

John Spiegel:
Nice. I did zucchini on the grill last night—simple and amazing.

Jaye Tillson:
And favorite travel destination?

Jason Garbis:
Ireland. I worked for an Irish company for years and got to travel there often. It’s beautiful, friendly, everyone speaks English, and the beer is great.

Jaye Tillson:
That’s a great pick—I only went recently myself and loved it too. Jason, thanks for joining us. We’d love to have you and Jerry on together next time.

Jason Garbis:
Thanks, this has been great.