No Trust Podcast: Origins, Evolution, and the Realities of Zero Trust — with John Kindervag & Dr. Zero Trust

In this episode of No Trust, hosts Jaye Tillson and John Spiegel sit down with John Kindervag (the creator of Zero Trust) and Chase Cunningham (Dr. Zero Trust) to talk about where Zero Trust came from, how it’s evolved, and why it’s become a global security standard. The conversation covers the strategy’s early days, pivotal adoption moments, and why cultural and leadership buy-in matter just as much as the technical architecture.

PODCAST

John Spiegel

8/15/2025 · 4 min read

Highlights from the Conversation

How It All Started

John Kindervag traces the genesis of Zero Trust to frustrations with the Cisco PIX firewall’s “trusted/untrusted” interface model. Its default rules assumed inside networks were inherently trusted, something Kindervag knew attackers could exploit. This led to his push to “eliminate trust from digital systems” and to treat trust as a human emotion that doesn’t belong in network design.

From Concept to Framework

At Forrester, Kindervag spent two years researching trust models, building prototypes, and stress-testing the idea with vendors and practitioners. The first paper, No More Chewy Centers, was followed by Build Security into Your Network’s DNA, which introduced the architectural approach — including segmentation (now called microsegmentation) and the concept of protect surfaces.

Enter Dr. Zero Trust

Chase Cunningham met Kindervag while working in DC. Kindervag saw potential, recruited him to Forrester, and encouraged him to develop his own contributions — notably the ZTX framework, which provided a “Rosetta Stone” for mapping Zero Trust concepts to technologies and use cases.

Evolution & Endurance

Both agree that Zero Trust’s staying power comes from its strategic validity. Like Sun Tzu’s principles, the core concepts remain relevant because they address fundamental realities of threats and risk, regardless of new technologies or trends.

Pivotal Moments in Adoption
  • 2013 Target data breach — put segmentation and Zero Trust on the US government’s radar.

  • 2016 OPM breach — led to congressional recommendations for Zero Trust adoption across federal agencies.

  • 2021 US Executive Order — gave organizations explicit top-cover to talk about and implement Zero Trust.

Mindset Shift: Product to Mission

Kindervag emphasizes moving from product-focused to mission-focused thinking. The five-step model (Define protect surface, Map transaction flows, Build architecture, Define policy, Monitor & maintain) keeps projects achievable and aligned with protecting what matters most.

Cultural & Leadership Buy-in

Zero Trust is not just a technical initiative. Without leadership alignment and the right incentive structures, efforts stall. Chase notes that translation into business context — not just security jargon — is what enables global adoption.

Sustaining Investment

Because “if you do your job right, nothing happens,” security ROI is hard to prove. Both stress the importance of showing cost savings by eliminating wasteful spending (“expense in depth”) and maintaining leadership engagement over the long term.

Why You Should Listen

If you’ve ever wondered how Zero Trust started, why it’s still relevant after 15 years, and how to turn it from a buzzword into a sustainable strategy, this episode is full of first-hand history, tactical advice, and straight talk from the people who shaped the movement.

🎧 Listen to the full episode here: No Trust Podcast – Kindervag & Cunningham Origins Episode

Full Transcript (Cleaned & Readable)

Jaye Tillson: Welcome to another episode of No Trust. I’m here with my co-host John Spiegel, and today we’re joined by two of the most influential figures in Zero Trust: John Kindervag, who created the concept, and Chase Cunningham, better known as Dr. Zero Trust.

John, where did Zero Trust come from? What gaps in traditional security drove you to create it?

John Kindervag: It started with installing Cisco PIX firewalls. They had “trusted” and “untrusted” interfaces with different default policy rules. Inside-to-outside traffic didn’t require rules — which was ridiculous. Attackers could exfiltrate data easily. I realized trust is a human emotion with no place in digital systems. That was the seed for Zero Trust.

John Spiegel: Then you joined Forrester and developed the idea further. What was that process like?

Kindervag: At Forrester, I was told to “think big thoughts.” I spent two years doing primary research, building prototypes, and validating the concept with vendors and practitioners. We published No More Chewy Centers, then Build Security into Your Network’s DNA, which laid out the architecture — including segmentation and protect surfaces.

Jaye Tillson: Chase, how did you get involved?

Chase Cunningham: Because of John. He recruited me to Forrester, encouraged me to look at Zero Trust from a red teamer’s perspective, and I developed the ZTX framework — a way to map strategy to technologies and use cases. The “Dr. Zero Trust” brand actually started as a joke and stuck.

John Kindervag: I first met Chase in DC. He was quiet, just out of the military, but articulate. I saw his potential immediately.

Jaye Tillson: How has Zero Trust evolved with changes in the threat landscape?

Cunningham: The fact it still applies is proof of its strength as a strategy. It’s like Sun Tzu — it addresses the fundamentals, so it remains relevant.

Kindervag: I agree. For practitioners with mature Zero Trust, the specific threats matter less. In a well-designed environment, there’s no policy allowing unknown resources to drop unknown payloads into protect surfaces.

Jaye Tillson: What reignited interest in Zero Trust recently?

Kindervag: It never went away. Key moments were the 2013 Target breach, the 2016 OPM breach, and the 2021 Executive Order — which made it easier to talk about publicly.

Cunningham: The second phase was translating it into business context and making it global. I’m going to Taiwan to talk about it; John’s headed to a NATO conference in Helsinki.

John Spiegel: How do you shift organizations from product focus to strategy?

Kindervag: Use the five-step model and focus on protect surfaces. Break the work into small chunks instead of trying to “do all of identity first” or following pillars sequentially.

Jaye Tillson: How do you get cultural and leadership buy-in?

Cunningham: By translating it into business terms leaders understand.

Kindervag: And by aligning incentives. When leadership says “we’re doing this,” resistance disappears.

John Spiegel: How do you sustain investment over time?

Cunningham: Show savings by cutting waste — “expense in depth.”

Kindervag: And reframe from “risk management” to “danger management.” There’s a 100% chance you’re under attack; whether it succeeds is up to you.

Jaye Tillson: We’re nearly out of time. Chase, you’ll be at RSA raising money for a veterans’ charity. Target is $10,000 this year, with some fun challenges involved. We’ll share the link so listeners can contribute.

Thanks to you both for joining us — and we’ll have you back for part two.