
A Former White House CIO on Why Zero Trust Must Be Designed for How People Actually Work

Theresa Payton, former White House CIO and CEO of Fortalice Solutions

At the White House, even something as simple as a music playlist could become a security risk.

During my conversation with former White House CIO Theresa Payton on a recent episode of The Segment podcast, she shared how President George W. Bush used an iPod Shuffle to share music with his daughters. The problem was that updating the playlist automatically broadcast it publicly.  

What looked like a harmless feature created a potential exposure.

The solution wasn’t to lock the device down or restrict how it could be used. Instead, Theresa’s team designed invisible protections around the user. As she explained, they had to “allow him to live his life while creating safety nets around him that were pretty much invisible.”

That story captures something fundamental about cybersecurity today.

We’ve spent years designing security around systems, controls, and compliance requirements. Meanwhile, attackers have focused on people. They study behavior and exploit friction. They look for gaps between how security is designed and how it’s actually used.

If Zero Trust is going to deliver real outcomes, it has to start with the human user story as the foundation.

The math doesn’t math. And that’s the problem.

Theresa sees major issues with the state of cybersecurity today.

She pointed to a stark imbalance: we’re spending roughly $240 billion on cybersecurity, while cybercrime losses are expected to reach $10.5 trillion this year.

Her reaction was simple: “The math doesn’t math.”

That gap highlights a deeper issue. The industry isn’t short on tools, frameworks, or funding. It’s short on outcomes.

A big part of that comes down to how we’ve approached compliance. Frameworks are necessary, and regulations are important. But they’ve unintentionally shaped how organizations think about security.

As Theresa put it, these frameworks are “incredibly well intentioned but might be the worst thing that ever happened to us.”

Why? Because they encourage a checklist mindset.

Organizations focus on meeting requirements instead of reducing risk. And attackers take advantage of that. A published control set is a map of what is checked and, by omission, of what is not, so they can reverse engineer the defenses from the checklist and aim at the gaps it leaves.

This is where Zero Trust has been misunderstood.

It isn’t about meeting a standard but about continuously validating trust and limiting exposure. Compliance might tell you what’s required, but Zero Trust forces you to ask what’s actually effective.

Security is still designed for buyers, not users

Theresa also addressed another industry issue hiding in plain sight: most security solutions are built for the buyer, not the user.

Theresa described how vendors often see the purchaser as the primary customer, not the people actually using the technology day to day.

That distinction is critical. When security is designed around procurement instead of usage, it creates friction. And friction leads to workarounds.

We’ve all seen it. Password policies that are too complex. Controls that slow down workflows. Systems that require users to think like security experts just to get their job done.

Theresa summed it up with a familiar scenario. When people find out you work in security, they don’t thank you for complex controls. They tell you everything they hate about them.

That disconnect is more than a usability problem. It’s a security problem.

If users are working around controls, those controls aren’t protecting anything.

Zero Trust changes that by shifting the focus from restriction to enablement. It’s about making the secure path the easiest path.

Designing for people changes how Zero Trust works

So what does it actually mean to design security around people? Theresa’s advice was refreshingly simple: observe.

“Sit in your call centers, sit at client sites, and listen,” she said. “You’ll learn so much about what isn’t working.”

That insight is often overlooked in cybersecurity.

We spend time modeling threats and building controls but not enough time understanding how those controls interact with real workflows.

When you start observing, patterns emerge:

  • Where users experience friction
  • Where processes break down
  • Where people create workarounds

Those signals are the foundation for better design. And this is where Zero Trust becomes practical.

Instead of applying broad, static controls, you can enforce policies based on how systems and users actually interact. You can apply least privilege with precision and reduce exposure without slowing people down.

Segmentation plays a key role here.

By understanding communication patterns between systems, you can limit unnecessary connections. If something is compromised, it can’t move freely. The blast radius is contained.

That’s how Zero Trust delivers real outcomes. Not by blocking everything but by controlling what matters.
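The segmentation idea above can be made concrete. The following is an added example, not code from the original post or from Illumio: a window of observed flows becomes an explicit allowlist, everything unobserved is denied, and the blast radius of a compromised host is measured before and after the policy is applied. Host names, ports and flow records are constructed for illustration.

```python
"""Derive a default-deny segmentation policy from observed flows and measure the
blast radius of a compromised host before and after enforcing it.

Added example, not code from the original post or from Illumio. Host names,
ports and flow records are constructed for illustration.
"""
from collections import defaultdict

# Constructed observation window: (source host, destination host, destination port)
# as a flow log or agent telemetry would report it.
OBSERVED_FLOWS = [
    ("web-1", "app-1", 8443),
    ("web-2", "app-1", 8443),
    ("app-1", "db-1", 5432),
    ("app-1", "cache-1", 6379),
    ("ops-jump", "db-1", 22),
]

# Every host in the environment. On a flat network each can reach all the others.
HOSTS = ["web-1", "web-2", "app-1", "db-1", "cache-1", "ops-jump", "hr-fileserver"]


def build_allowlist(flows):
    """Each observed (src, dst, port) becomes an explicit allow rule; nothing else is."""
    return set(flows)


def is_allowed(allowlist, src, dst, port):
    """Default deny: a connection is permitted only if an allow rule matches it."""
    return (src, dst, port) in allowlist


def reachable_hosts(start, hosts, allowlist=None):
    """Hosts an attacker on `start` can reach by chaining permitted connections.

    allowlist=None models the unsegmented network, where any host reaches any other.
    """
    if allowlist is None:
        return set(hosts) - {start}
    edges = defaultdict(set)
    for src, dst, _port in allowlist:
        edges[src].add(dst)
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for nxt in edges[node]:
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def blast_radius(compromised, hosts, flows):
    """Number of hosts reachable from `compromised` with and without segmentation."""
    allow = build_allowlist(flows)
    return {
        "flat": len(reachable_hosts(compromised, hosts)),
        "segmented": len(reachable_hosts(compromised, hosts, allow)),
    }


def audit_attempts(flows, attempts):
    """Return the attempted connections the policy would block (and should alert on)."""
    allow = build_allowlist(flows)
    return [a for a in attempts if not is_allowed(allow, *a)]


if __name__ == "__main__":
    # Constructed attempts: one legitimate, two that look like lateral movement.
    attempts = [
        ("app-1", "db-1", 5432),
        ("web-1", "db-1", 5432),
        ("web-1", "hr-fileserver", 445),
    ]
    print("web-1 blast radius:", blast_radius("web-1", HOSTS, OBSERVED_FLOWS))
    print("db-1 blast radius:", blast_radius("db-1", HOSTS, OBSERVED_FLOWS))
    print("blocked:", audit_attempts(OBSERVED_FLOWS, attempts))
```

Two caveats a practitioner would apply before enforcing a policy derived this way. First, an observation window captures whatever happened during it, including stale integrations and any attacker traffic already present, so every learned rule needs review before it becomes an allow rule. Second, this toy matches on host and port only; production enforcement points add direction, process or service identity, and user context, which is what lets least privilege be applied with precision rather than by address.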

AI makes the human problem impossible to ignore

If the industry could ignore this gap before, it can’t anymore. AI is forcing the issue.

Theresa described AI as “your most privileged access and your most worrisome insider threat.”

AI systems have access to data, workflows, and decisions at scale. They operate faster than humans. And in many cases, they’re deployed with limited oversight.

That creates a new kind of risk, not just about misuse but about visibility and control.

Theresa raised key questions every organization should be asking:

  • Do you have immutable logs of what AI is doing?
  • Can you verify how it reached a decision?
  • Do you have governance that includes a voice for the customer?

These are Zero Trust questions.

They come back to the same principles: verify continuously, limit access, and monitor behavior.

And they reinforce the need for visibility.

Without understanding how AI interacts with your environment, you can’t enforce trust boundaries, detect anomalies, or contain risk.
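The immutable-log and limited-access questions above, as an added example that is not code from the original post or from any product named on it: the AI agent is treated as a privileged identity, every tool call it attempts is checked against a per-agent allowlist, and the decision is appended to a hash-chained log so that altering or deleting an earlier entry is detectable. Agent names, tools, policy limits and the calls themselves are constructed assumptions.

```python
"""Treat an AI agent as a privileged identity: least-privilege tool allowlist plus a
hash-chained, append-only audit log of every tool call and the decision taken.

Added example, not code from the original post or from any product it names.
Agents, tools, limits and calls below are constructed for illustration.
"""
import hashlib
import json

# Constructed least-privilege policy: the tools each agent may invoke and any
# argument limits. Anything not listed is denied.
AGENT_POLICY = {
    "support-assistant": {"read_ticket": {}, "search_kb": {}},
    "finance-agent": {"read_ticket": {}, "issue_refund": {"max_amount": 100}},
}


class AuditLog:
    """Append-only log where each entry commits to the hash of the previous entry."""

    GENESIS = "0" * 64  # chain head before any entry exists

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = json.dumps(record, sort_keys=True)  # canonical form, so hashing is stable
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "hash": digest})
        return digest

    def verify(self):
        """Recompute every link. Returns (True, None) or (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = json.dumps(entry["record"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False, i
            prev = entry["hash"]
        return True, None


def authorize(agent, tool, args):
    """Least privilege: deny unless the tool is allowlisted and its args are within limits."""
    allowed = AGENT_POLICY.get(agent, {})
    if tool not in allowed:
        return False, "tool not in allowlist"
    limit = allowed[tool].get("max_amount")
    if limit is not None and args.get("amount", 0) > limit:
        return False, f"amount exceeds limit {limit}"
    return True, "ok"


def record_tool_call(log, agent, tool, args, seq):
    """Authorize a tool call and log it either way; returns whether it may proceed."""
    ok, reason = authorize(agent, tool, args)
    log.append({"seq": seq, "agent": agent, "tool": tool, "args": args,
                "decision": "allow" if ok else "deny", "reason": reason})
    return ok


if __name__ == "__main__":
    log = AuditLog()
    # Constructed sequence of calls: one legitimate, one out of scope, one over limit.
    record_tool_call(log, "support-assistant", "read_ticket", {"id": 42}, 1)
    record_tool_call(log, "support-assistant", "issue_refund", {"amount": 50}, 2)
    record_tool_call(log, "finance-agent", "issue_refund", {"amount": 500}, 3)
    print("intact:", log.verify())
    log.entries[1]["record"]["decision"] = "allow"  # simulate after-the-fact tampering
    print("after edit:", log.verify())
```

The chain detects modification or removal of any interior entry, but not truncation of the tail: if the latest hash is only stored alongside the log, an attacker who can write the log can drop the last entries and nothing breaks. The head hash therefore has to be anchored somewhere the agent and its operators cannot write, such as a periodically signed checkpoint or a separate write-once store, and the log must be written by the enforcement point, not by the agent itself. The record also captures what was decided and with which arguments; reconstructing how the model arrived at a request needs separate capture of prompts and intermediate outputs.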

The next frontier: data and quantum risk

Beyond AI, Theresa sees another challenge on the horizon: quantum computing.

She highlighted that many organizations still haven’t fully addressed the lifecycle of their data.

Not all data has the same value. Some becomes irrelevant quickly, while other data stays sensitive for years or holds value indefinitely.

In a post-quantum world, that distinction matters. An adversary who harvests encrypted data today can decrypt it once a sufficiently capable quantum computer exists, so data that must stay confidential for longer than today's public-key cryptography will hold is already at risk, even though the decryption happens later.

Theresa put it clearly: organizations need to understand “the true shelf life of data and its value over time.”

That requires a deeper approach to data classification, access control, and architecture.

It also reinforces the importance of Zero Trust.

If you limit access, monitor usage, and control communication paths, you reduce the likelihood of large-scale exposure. Even if data is compromised, its impact is contained.

What security leaders should do in response

The good news is that you don’t need to start over. You just need to shift focus.  

Here’s what Theresa recommended:

  • Treat compliance as a baseline, not a goal. It should provide structure, but it doesn’t guarantee resilience against modern threats.
  • Invest in understanding how your users actually work. Take the time to observe, listen, and identify friction.
  • Prioritize visibility. You need to see how systems communicate and how data flows.
  • Enforce intelligently. Use segmentation to apply least privilege where it matters most. This will limit lateral movement and contain breaches early.

These aren’t new ideas, but they need to be applied together. That’s where Zero Trust becomes real.

Why doing more of the same won’t fix cybersecurity

Cybersecurity is at a turning point. AI is accelerating attacks. Quantum is reshaping risk. And the gap between spending and outcomes continues to widen.

We can’t close that gap by doing more of the same.

Theresa made an important point. Progress won’t happen at the speed of machines. It’ll happen at the speed of trust and shared learning.

That means organizations need to rethink how they design security, and not just what they deploy.

Zero Trust provides a path forward, but only if it’s implemented with the right mindset. That mindset starts with prioritizing how people will actually use it.

If security doesn’t work for the user, it doesn’t work at all. And if we don’t fix that now, the gap between what we spend and what we protect will only continue to grow.

Listen to the full episode of The Segment: A Zero Trust Leadership Podcast on Apple Podcasts, Spotify, or our website.
