Zero Trust is Not a Vibe, it’s a Strategy – Let’s Go Back to Basics

Posted on April 24, 2025

By Tania Postil 

As I prep for my upcoming speech at the ISACA Malta Biennale—where sharp minds meet under sunny skies—I want to revisit the basics of something we throw around a lot: Zero Trust.

Before I get dramatic on stage (that’s coming, I promise), let’s strip it down.
What is Zero Trust really? Where did it come from? And why is everyone talking about it like it’s a new religion for cybersecurity?

Spoiler: it kind of is.

Zero Trust: The Philosophy That Trusts No One (Not Even You)

Zero Trust isn’t about distrusting your team—it’s about facing a harsh reality: the old perimeter-based security model is broken.

Today’s work happens from coffee shops. Your data is scattered across clouds. And third-party vendors, interns, even contractors, often have access to your most sensitive assets.

Zero Trust starts with one simple truth:

No user, no device, and no system is inherently trustworthy—not even if it’s inside the network.

So, what do we do instead? We verify everything, minimize access, and assume breach. Always.

The Holy Trinity of Zero Trust

  1. Verify Explicitly
    This means checking far more than a username and password. Think device posture, location, time of access, behavior anomalies—every interaction gets interrogated.
  2. Use Least Privilege Access
    Access is given based on the task, not the title. You get the key to just one door—and only for as long as you need it.
  3. Assume Breach
    Design your system as if attackers are already inside. Segment aggressively. Monitor relentlessly. And make lateral movement nearly impossible.
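The three principles read as slogans until you see them as a single access decision. The policy engine below is an added illustration, not code from the post or from NIST: it evaluates a request against several signals at once (explicit verification), issues only a task-scoped, time-boxed grant (least privilege), and refuses requests that reach across network segments (assume breach). The policy table, roles, country allow-list, anomaly threshold and the sample requests are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt plus the signals a policy engine evaluates (all constructed)."""
    user: str
    device_compliant: bool    # posture verdict from an MDM/EDR feed (assumed signal)
    mfa_satisfied: bool       # identity provider reports a completed MFA challenge
    source_country: str       # ISO country code derived from the source address
    requested_at: datetime
    resource: str
    action: str
    segment: str              # network segment the request originates from
    anomaly_score: float      # 0.0 (normal) .. 1.0 from behaviour analytics (assumed)


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    action: str
    expires_at: datetime      # access is time-boxed; nothing is granted indefinitely


# Hypothetical policy: per (resource, action), who may do it, from where, for how long.
POLICY = {
    ("finance-db", "read"):  {"roles": {"analyst"}, "segments": {"corp-finance"}, "ttl_minutes": 30},
    ("finance-db", "write"): {"roles": {"dba"},     "segments": {"corp-finance"}, "ttl_minutes": 15},
}
ROLE_OF: Dict[str, Set[str]] = {"alice": {"analyst"}, "bob": {"dba"}}
ALLOWED_COUNTRIES = {"MT", "DE"}
WORK_HOURS = range(6, 22)          # 06:00-21:59 UTC
ANOMALY_THRESHOLD = 0.7


def verify_explicitly(req: AccessRequest) -> List[str]:
    """Principle 1: interrogate every signal, not just the credential. Returns denial reasons."""
    reasons = []
    if not req.mfa_satisfied:
        reasons.append("mfa_missing")
    if not req.device_compliant:
        reasons.append("device_noncompliant")
    if req.source_country not in ALLOWED_COUNTRIES:
        reasons.append("geo_blocked")
    if req.requested_at.hour not in WORK_HOURS:
        reasons.append("outside_hours")
    if req.anomaly_score >= ANOMALY_THRESHOLD:
        reasons.append("behaviour_anomaly")
    return reasons


def decide(req: AccessRequest) -> Tuple[Optional[Grant], List[str]]:
    """Principles 2 and 3: least privilege (task-scoped, time-boxed) and segmentation."""
    reasons = verify_explicitly(req)
    rule = POLICY.get((req.resource, req.action))
    if rule is None:
        return None, reasons + ["no_matching_policy"]   # default deny
    if not (ROLE_OF.get(req.user, set()) & rule["roles"]):
        reasons.append("role_not_entitled")             # task, not title
    if req.segment not in rule["segments"]:
        reasons.append("wrong_segment")                 # assume breach: no cross-segment reach
    if reasons:
        return None, reasons
    grant = Grant(req.user, req.resource, req.action,
                  req.requested_at + timedelta(minutes=rule["ttl_minutes"]))
    return grant, []


def is_grant_valid(grant: Grant, now: datetime) -> bool:
    """A grant must be re-earned once its window closes; there is no standing access."""
    return now < grant.expires_at


SAMPLE_TIME = datetime(2025, 4, 24, 10, 0, tzinfo=timezone.utc)


def sample_requests() -> Dict[str, AccessRequest]:
    """Constructed requests covering a clean grant and three kinds of denial."""
    base = dict(device_compliant=True, mfa_satisfied=True, source_country="MT",
                requested_at=SAMPLE_TIME, resource="finance-db", segment="corp-finance",
                anomaly_score=0.1)
    return {
        "clean_read":     AccessRequest(user="alice", action="read", **base),
        "write_no_role":  AccessRequest(user="alice", action="write", **base),
        "wrong_segment":  AccessRequest(**{**base, "segment": "guest-wifi"}, user="bob", action="write"),
        "anomalous_read": AccessRequest(**{**base, "anomaly_score": 0.9, "mfa_satisfied": False},
                                        user="alice", action="read"),
    }


def demo() -> Dict[str, List[str]]:
    """Run every sample through the engine and return the denial reasons per request."""
    return {name: decide(req)[1] for name, req in sample_requests().items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name:15} -> {'ALLOW' if not reasons else 'DENY ' + ','.join(reasons)}")
```

The point to notice is that a valid password plus MFA is only one of several inputs: a compliant device, a permitted location and hour, a normal behaviour score, an entitled role and the right segment all have to line up, and even then the grant dies after its TTL and has to be re-decided on the next request. That re-decision on every request is what makes Zero Trust something you live rather than something you switch on.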

Enter NIST: The Bureaucratic Hero We Needed

In 2020, the U.S. National Institute of Standards and Technology (NIST) released SP 800-207, a landmark framework that gave Zero Trust formal structure.

NIST translated these principles into seven tenets, emphasizing adaptive access, continuous monitoring, and session-level validation. It became the official playbook for what Zero Trust should actually look like.

Zero Trust in 2025: Are We There Yet?

According to a 2024 Cybersecurity Insiders survey:

  • 71% of organizations claim they’ve adopted Zero Trust
  • Only 21% have fully implemented the core principles
  • And 57% still use VPNs as their main remote access tool

Yikes.

Too many organizations treat Zero Trust like a checkbox or a product rollout. Some think enabling MFA and buying a fancy new tool gets them across the finish line.

Spoiler (again): Zero Trust isn’t a tool—it’s a shift in mindset, architecture, and culture.

You don’t “do” Zero Trust once. You live it.

Why I’m Writing This Now

Because I’ll soon be standing on stage at the ISACA Malta Biennale, talking to a room full of smart, sharp professionals—many of whom think they’re doing Zero Trust. 

And maybe they are.
Or maybe… they just renamed their VPN and sprinkled on some SSO. 

Either way, in the next part of this series, we’re going deeper:
We’ll look at the tools that quietly break Zero Trust—even when they’re meant to support it. And more importantly, we’ll talk about how to actually build it right.

Spoiler: real Zero Trust isn’t a product or a checkbox.
It’s a mindset shift.

Coming Soon:

Part II – “Zero Trust: From Buzzwords to Reality – The Tools That Break It, and How to Get It Right”