No Trust Podcast: Zero Trust Myths, Wins, and the Road Ahead — with John Kindervag & Dr. Zero Trust

In this second part of a two-episode conversation, John Kindervag (creator of Zero Trust) and Chase Cunningham (Dr. Zero Trust) rejoin hosts Jaye Tillson and John Spiegel to talk about implementing Zero Trust in the real world — what actually happens in the field, the roadblocks, and how to get meaningful wins early. They tackle everything from organizational incentives to vendor hype, quick wins, AI’s impact, and what Zero Trust might look like by 2030.

PODCAST

John Spiegel

8/15/2025 · 4 min read

Highlights from the Conversation

Why Leaders Stall Zero Trust

Both Kindervag and Cunningham agree: the biggest blockers are leadership and incentives. Too many organizations:

  • Start with products instead of identifying what they need to protect.

  • Treat Zero Trust as a one-time project instead of an ongoing journey.

  • Avoid taking action for fear of making mistakes — and because they aren’t rewarded for making the organization better.

“Show me the incentives, and I’ll show you the outcome.” — John Kindervag

The Compliance & Fine Illusion

Fines and compliance requirements don’t significantly change behavior. For large companies, penalties are a cost of doing business — often smaller than everyday operating expenses. For smaller organizations, they can be crippling, but the stick isn’t “sticky” enough to drive universal change.

Vendors: Help or Hindrance?

Vendors spread awareness of Zero Trust — even if their messaging isn’t perfect. While some misrepresent it as a product, their marketing can still prompt organizations to investigate and adopt the strategy.

Frameworks & Maturity Models

NIST 800-207, CISA, and other frameworks are references, not commandments. The best practitioners adapt them to their environment rather than following them rigidly.

Quick Wins to Show Progress

To maintain momentum and funding, the group recommends:

  • IAM improvements and multi-factor authentication.

  • Browser isolation for high-risk users.

  • Small, focused protect surfaces with quick, high-maturity results.

  • Think “remodel one bathroom” rather than “rebuild the whole house.”

AI’s Role

Despite the hype, most “AI” is still machine learning. Used correctly, it can help with scale, pattern recognition, and surfacing anomalies. But beware of marketing promises — and focus on specific, well-governed use cases.

Zero Trust in 2030

Kindervag doesn’t predict the details, but sees it becoming a global security strategy standard. Cunningham notes the growing adoption by the DoD and international governments — and points out that laggards will simply fail while others succeed.

Best Analogy of the Day

Beyond Cunningham’s famous “gazelles” metaphor, Kindervag offers the Finnish reindeer defense: form a tight circle so attackers can’t penetrate — the Zero Trust equivalent of protecting your most critical assets at the center.

Myth They Want to Kill

Both agree:
There is no single “Zero Trust product.”
It’s a strategy and architecture, supported by products tailored to your specific protect surfaces.

Why You Should Listen

This episode strips away marketing fluff and gets into the practical realities — how to get started, keep momentum, deal with leadership roadblocks, and use Zero Trust to genuinely reduce risk. If you want to move beyond theory into actual implementation, this is a must-listen.

🎧 Listen to the full episode here: No Trust Podcast – Kindervag & Cunningham Episode

Full Transcript (Cleaned & Readable)

Jaye Tillson: Welcome to another episode of No Trust. Today we’re joined again by John Kindervag and Chase Cunningham (Dr. Zero Trust) to continue our conversation from last time. We want to focus on implementation — what’s really happening in the field. John, what are the top blockers security leaders face when adopting Zero Trust?

John Kindervag: We still see the same issues:

  1. Product-first thinking — buying tools without deciding what to protect.

  2. Treating it like a project instead of a journey. People complain they’re “never done” with Zero Trust — but you’re only done when the organization is dead.

  3. And frankly, laziness. Some think it’ll be hard, but often it’s easier than they expect. I’ve seen teams argue longer than it would take to build the first Zero Trust environment.

Jaye Tillson: Chase, same question — what’s holding organizations back?

Chase Cunningham: Leadership. I interviewed for a CISO role where they loved the “Dr. Zero Trust” brand — but when I showed them the actual plan, they balked. It’s like a January 1st gym membership: everyone’s excited until they realize results take work. Many quit early — and that’s fine. The slow gazelles get eaten first.

John Spiegel: John, you mentioned “project vs. journey.” How do leaders make that mindset shift?

Kindervag: It’s about incentives. Right now, people are rewarded for avoiding blame, not for making the organization better. “One oopsie negates a thousand attaboys.” Leaders must set a strategic vision from the top — board, CEO, generals in the military. Too many confuse tactics with strategy.

Jaye Tillson: Historically, companies raised security just enough to pass an audit. Now fines are an incentive too. Is that effective?

Cunningham: Not really. For big companies, fines are a rounding error. Marriott spent more on toilet paper than their breach fine. The stick isn’t big enough.

Jaye Tillson: What about vendors? Help or hindrance?

Kindervag: Vendors make the tech that enables Zero Trust. Some messaging is wrong, but even bad publicity spreads awareness. The key is finding mission-driven vendor teams.

John Spiegel: Thoughts on frameworks like NIST 800-207, CISA, etc.?

Cunningham: They’re references, not commandments. Use them to guide thinking — then adapt to your company.

Kindervag: Agreed. The successful people think creatively about how it fits their environment.

Jaye Tillson: Any examples of quick Zero Trust wins?

Cunningham: Identity & access management, MFA, browser isolation for risky users — fast and visible.

Kindervag: Focus on one protect surface and achieve high maturity quickly — like remodeling one bathroom instead of the whole house. I’ve done it in hours for emergencies.

John Spiegel: Let’s talk AI. Help or hinder?

Cunningham: Most AI is still ML. It’s useful at scale and in SOCs, but understand the marketing hype.

Kindervag: The gift of AI is speed. It can surface anomalies you didn’t know to look for.

Jaye Tillson: What does Zero Trust look like in 2030?

Kindervag: No idea — but collaboration is key.

Cunningham: It’s becoming the international standard. Those who get it will succeed; others will fail.

Kindervag: And skip the gazelle strategy — be like Finnish reindeer, forming a tight circle to protect the most critical assets.

Jaye Tillson: One myth you wish would die?

Both: That there’s a “Zero Trust product.” It’s a strategy, supported by products tailored to your protect surfaces.