John Kindervag on What Security Leaders Are Still Missing About Zero Trust

John Kindervag didn’t set out to create a movement. He just thought the firewall was dumb.

Back then, the particular firewalls he worked with assigned trust levels to each interface. If you were going from the “trusted” side of the network to the “untrusted” side, you didn’t even need a rule.  

John, then a penetration tester, knew exactly how dangerous that was. And when he spoke up, he caught heat from the client, his company, and the firewall vendor.

But he couldn’t shake the idea: Why were we building networks on something as vague (and frankly, meaningless) as “trust”?

That question launched what we now call Zero Trust. And more than a decade later, John, now the Chief Evangelist at Illumio, is still tearing down outdated assumptions and pushing the cybersecurity industry to think differently.

In this blog post, we’ll break down the wisdom from John's recent conversation with Dr. Chase Cunningham on the No Trust podcast, From Theory to Practice: The Zero Trust Journey with John Kindervag and Dr. Chase Cunningham, where he shared the key Zero Trust principles he sees security leaders still missing.  

No more chewy centers: the birth of Zero Trust

When John joined Forrester, he finally had the space to explore this big idea, and the company’s analyst training encouraged it.

“They wrote our job description on the whiteboard,” he said. “‘Think big thoughts.’ So I said, I want to study trust in digital systems.”

That led to two years of primary research, including conversations with the Jericho Forum (who originally opposed Zero Trust), prototype architectures, and endless poking from industry experts trying to break the concept.

But none could.

Eventually, in 2010, John published his groundbreaking paper, No More Chewy Centers, introducing Zero Trust. A follow-up paper, Build Security Into Your Network’s DNA: The Zero Trust Network Architecture, laid out a vision that emphasized segmentation, a concept John has long seen as core to Zero Trust.

“To protect a surface, you need segmentation,” he said. “That’s why I’m at Illumio now.”

The visibility iceberg

If Zero Trust feels like it suddenly burst onto the scene a few years ago, John says you’re just seeing the tip of the iceberg.

“People think it got reignited in 2021, but it’s always been there,” he explained. “You just didn’t have visibility.”

He points to the 2013 Target breach and the 2015 OPM breach as critical moments that put Zero Trust on the radar of U.S. government agencies.  

Behind the scenes, adoption started snowballing, especially in federal circles. But companies were nervous to admit it.

“When I asked to do case studies, the legal and PR teams said no,” he said. “‘We don’t want people to know we’re doing Zero Trust. That could make us a target.’”

That all changed with President Biden’s 2021 executive order (Executive Order 14028 on Improving the Nation’s Cybersecurity), which directed federal agencies to move toward Zero Trust architecture. Suddenly, what had been a quiet movement gained public momentum.

“I don’t follow threats anymore”

One of John’s most counterintuitive beliefs is that he doesn’t track threats.

“I don’t study the latest malware or attack campaigns,” he said. “Because in a well-designed Zero Trust environment, they don’t matter.”

Why? Because Zero Trust assumes breaches are inevitable and builds controls around protecting what matters instead of chasing every alert.

“There’s no policy in a Zero Trust environment that allows an unknown resource from the internet to drop an unknown payload on your protected surface,” he explained.

The protocols attackers use haven’t changed. And the same basic attack vectors, like phishing links or bad passwords, still dominate.

“Attackers are still using the same tools from 20 years ago,” he said. “This isn’t the kinetic world. In cyber, they’re still stuck inside the same TCP/IP rails.”

Instead of chasing threat intel, John focuses on enforceable policies and protect surfaces.

Zero Trust isn’t necessarily about reacting faster. It’s about removing the attacker’s options in the first place.

Forget the pillars: following the 5-step model for Zero Trust

One reason so many Zero Trust efforts stall is that organizations try to follow rigid frameworks filled with buzzwords and pillars. John says it’s time to simplify.

“I use the five-step model. Always. Start with the protect surface, not a product list,” he encouraged.

The five steps, outlined in government publications like the NSTAC Report to the President on Zero Trust and Trusted Identity Management, include:

  1. Define the protect surface
  2. Map transaction flows
  3. Build a Zero Trust architecture
  4. Create policy
  5. Monitor and maintain

John warns against trying to tackle Zero Trust all at once or thinking it’s a linear maturity journey.

“People think, ‘We’ll do all of identity first, then devices, then network,’” he said. “You’ll never accomplish anything that way.”

Instead, he recommends teams break the project into protect surfaces, which are small, high-value chunks of your environment (the data, applications, assets, and services that matter most) that can be secured end to end.

And always start with the most important question: What are we protecting?
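As an added worked example (written for this post; it is not code from the podcast, from John, or from Illumio), here are the five steps above expressed as a small script, which also shows the earlier point that no policy in a Zero Trust environment lets an unknown internet host drop an unknown payload on the protect surface. The "payments-db" label, the 10.20.0.0/24 subnet, the host addresses, the application labels, and the flow-log lines are all constructed for illustration.

```python
"""Five-step Zero Trust model as code (constructed example, not Illumio's own).

Step 1  define the protect surface
Step 2  map transaction flows that touch it
Step 3  build the architecture: enforcement sits around that surface
Step 4  create policy: explicit allows, everything else denied
Step 5  monitor and maintain: run new traffic through the policy
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Step 1: the protect surface. Hypothetical label and subnet (IPv4 in this sample).
PROTECT_SURFACE = {"payments-db": ipaddress.ip_network("10.20.0.0/24")}

# Step 2 input: constructed flow-log lines from a learning period.
OBSERVED_FLOWS = [
    "src=10.10.1.5 dst=10.20.0.10 dport=5432 proto=tcp app=payments-api",
    "src=10.10.1.6 dst=10.20.0.10 dport=5432 proto=tcp app=payments-api",
    "src=10.10.1.5 dst=10.20.0.10 dport=5432 proto=tcp app=payments-api",
    "src=10.30.2.2 dst=10.20.0.10 dport=22   proto=tcp app=backup-agent",
    "src=10.10.1.5 dst=10.40.0.9  dport=443  proto=tcp app=unrelated",  # not our surface
]

# Step 5 input: constructed traffic seen after enforcement.
NEW_TRAFFIC = [
    "src=10.10.1.5 dst=10.20.0.10 dport=5432 proto=tcp app=payments-api",            # allowed
    "src=203.0.113.7 dst=10.20.0.10 dport=5432 proto=tcp app=unknown payload=new",  # internet -> surface
    "src=10.10.9.9 dst=10.20.0.10 dport=5432 proto=tcp app=payments-api",            # unknown internal host
    "src=10.20.0.10 dst=198.51.100.20 dport=443 proto=tcp app=unknown",             # surface -> internet
    "src=10.10.1.5 dst=10.20.0.10 dport=22 proto=tcp app=ssh",                       # known host, wrong port
]

FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+proto=(\w+)")


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


@dataclass(frozen=True)
class Rule:
    """One explicit allow: host-to-host, single port and protocol."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int
    proto: str

    def matches(self, f: Flow) -> bool:
        return (f.src in self.src and f.dst in self.dst
                and f.dport == self.dport and f.proto == self.proto)


def parse_flow(line: str) -> Flow:
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    return Flow(ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]),
                int(m[3]), m[4].lower())


def in_surface(addr) -> bool:
    return any(addr in net for net in PROTECT_SURFACE.values())


def map_flows(lines) -> Counter:
    """Step 2: keep only flows that touch the protect surface, counted per tuple."""
    seen = Counter()
    for line in lines:
        f = parse_flow(line)
        if in_surface(f.src) or in_surface(f.dst):
            seen[f] += 1
    return seen


def build_policy(mapped: Counter, min_count: int = 1) -> list:
    """Steps 3-4: one explicit allow per observed flow; nothing else is allowed.
    In a real rollout each candidate rule is reviewed with the app owner first."""
    return [Rule(ipaddress.ip_network(str(f.src)), ipaddress.ip_network(str(f.dst)),
                 f.dport, f.proto)
            for f, n in mapped.items() if n >= min_count]


def evaluate(policy: list, flow: Flow) -> str:
    """Default deny. The payload is never inspected: an unknown source simply
    has no rule, so what it carries does not matter."""
    if not (in_surface(flow.src) or in_surface(flow.dst)):
        return "out-of-scope"          # this policy only governs the protect surface
    return "allow" if any(r.matches(flow) for r in policy) else "deny"


def monitor(policy: list, lines) -> list:
    """Step 5: return the flow lines the policy denies, for review or alerting."""
    return [line for line in lines if evaluate(policy, parse_flow(line)) == "deny"]


if __name__ == "__main__":
    policy = build_policy(map_flows(OBSERVED_FLOWS))
    for r in policy:
        print("allow", r.src, "->", r.dst, r.proto, r.dport)
    for line in monitor(policy, NEW_TRAFFIC):
        print("DENY ", line)
```

Run as-is, the script learns three allow rules from the sample flows and denies four of the five new flows: the internet host aimed at the database, the unknown internal host, the database reaching out to the internet, and the trusted host using an unapproved port. Only the observed, reviewed flow passes. The flow that never touches the protect surface is reported as out of scope rather than denied, which is the point of scoping policy to one surface at a time instead of the whole network.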

Zero Trust is a leadership imperative

When asked how to keep Zero Trust momentum going, John offered a simple truth: “Get leadership buy-in. Everything changes when they’re on board.”

That’s what turns misaligned incentives into alignment.

“I’ve had so many people tell me, ‘We’ll never do Zero Trust here.’ And then the CEO says we’re doing it, and suddenly it’s happening.”

The only way to shift the mindset from short-term security purchases to long-term strategy? Make it a leadership priority.

“Cybersecurity isn’t a quarterly budget item,” John said. “It’s the thing that runs your business.” Or as he put it bluntly, “If the computer goes down, the planes don’t fly.”

Zero Trust: not trendy or optional

Zero Trust has gone mainstream. You see it in government mandates, vendor campaigns, and flashy whitepapers. But most of it misses the point.

What John Kindervag is sharing, and has been for nearly 20 years, isn’t a product pitch or a marketing framework. It’s a mindset shift. One that forces organizations to stop reacting and start architecting. One that’s rooted in real strategy, not fear-based spending.

In a world of constant attacks, overlapping tools, and pressure to move fast, John’s voice is a grounding one. It reminds us that cybersecurity isn’t about following trends — it’s about protecting what matters most.

That’s exactly why Zero Trust isn’t optional anymore. It’s operational anti-fragility, by design.

Want to hear more podcasts from Zero Trust leaders like John? Subscribe to our award-winning podcast The Segment: A Zero Trust Leadership Podcast.
