Why Security Fundamentals Are the Most Overlooked Part of Adopting a Zero Trust Strategy

Security fundamentals fail for the same reason most New Year’s fitness goals fail.
Everyone knows what to do. You should eat better, sleep more, and exercise consistently. None of it is controversial or new.
And yet, by February or March, most gym memberships go unused.
Cybersecurity works the same way.
We don’t keep getting breached because attackers are endlessly creative. We get breached because organizations struggle to do the basics, consistently, at scale. And Zero Trust, more than any other security model, exposes just how hard that really is.
That reality was at the center of a recent conversation on The Segment podcast with Ross Haleliuk. Ross is the co-founder and CEO of a stealth-mode cybersecurity startup, the host of the Inside the Network podcast, the author of Cyber for Builders, and the voice behind the Venture and Security newsletter, one of the most consistently clear-eyed perspectives in the industry.
This post explains why Zero Trust security succeeds or fails at the fundamentals, and why that gap is often what determines the true impact of a breach.
The myth of “next-gen” security
Every year, the industry invents new language to describe security innovation.
But as Ross put it, most breaches aren’t the result of novel attack chains or exotic zero-day exploits.
Instead, they’re the result of:
- Default credentials that never got changed
- Assets no one remembered existed
- Exceptions added for convenience and forgotten over time
- Flat networks that allow lateral movement once an attacker gets in
These aren’t cutting-edge failures but rather simple operational ones.
A Zero Trust strategy doesn’t magically eliminate these problems. In fact, it makes them more visible.
Zero Trust forces organizations to confront questions they’ve avoided for years: What do we actually have? Who should be able to talk to what? What happens when something goes wrong?
And that’s precisely why Zero Trust can feel overwhelming.
Why security fundamentals break down at scale
Doing fundamentals well requires three things: commitment, consistency, and time.
Unfortunately, none of those scale naturally inside modern enterprises.
You can’t inventory assets once a year and call it Zero Trust. You can’t review identity permissions once every few quarters and expect containment to work. You can’t apply segmentation policies once and assume they’ll remain valid as environments change.
Fundamentals demand repetition, and repetition is expensive.
It’s far easier to buy a tool than to change how teams operate day after day. And it’s far easier to approve a project than to enforce discipline across engineering, IT, operations, and security simultaneously.
Zero Trust fails when organizations underestimate the operational effort required to sustain it.
Zero Trust is an incentives problem, not a knowledge problem
Security teams are incentivized to reduce risk. Engineering teams are incentivized to ship code. IT teams are incentivized to close tickets quickly. Sales teams are incentivized to close deals.
This is where Zero Trust often breaks down in practice. We like to say that security is everyone’s job. But in reality, security is the only team measured on security outcomes.
Expecting other teams to naturally prioritize Zero Trust controls without aligning incentives is unrealistic.
Policies alone don’t solve this. In fact, they often create more exceptions than enforcement.
Zero Trust succeeds when security teams learn to lead through influence. They build relationships, explain tradeoffs in business terms, and frame controls as enablers instead of blockers.
Measuring success when breaches are inevitable
This also raises the question of how we measure security outcomes inside the business. According to Ross, organizations often aren’t very good at it.
He referenced the unicorn problem thought experiment. You buy a box that lights up if a unicorn is in the room, but it doesn’t light up. Is the box broken, or was there no unicorn? You can’t tell.
If a breach doesn’t happen, was it because your controls worked, or because no one tried hard enough?
Zero Trust doesn’t solve this measurement challenge, but it does reframe it.
The goal of modern cybersecurity isn’t to prevent breaches at all costs but rather to reduce their impact, contain them, and keep the business resilient.
Organizations that invest in fundamentals consistently may still get breached. But when they do, lateral movement is constrained, recovery is faster, reputational damage is lower, and regulatory conversations are more rational.
Proving security ROI makes Zero Trust a business decision
Security ROI is notoriously difficult to quantify, but Ross offered a pragmatic framing that aligns well with Zero Trust thinking:
- If customer trust is tied to revenue, security becomes a sales enabler.
- If downtime threatens operations, security becomes a resilience investment.
- If compliance regulations demand proof, security becomes table stakes.
In each case, Zero Trust is about reducing the effects of breaches when they inevitably happen. This means security ROI isn’t measured by attacks avoided but by business continuity preserved.
Why Zero Trust fundamentals matter more now than ever
Infrastructure is more interconnected than ever. Hybrid environments blur traditional boundaries. Cloud, on-premises, and third-party systems operate as a single extended attack surface.
In this world, complexity compounds risk.
Zero Trust fundamentals — including asset visibility, least-privilege access, segmentation, and continuous verification — aren’t just best practices but survival mechanisms.
Attackers don’t need creativity when organizations give them paths of least resistance. They exploit what’s already there and use AI to make it nearly effortless.
Focusing on fundamentals doesn’t mean rejecting innovation but rather grounding innovation in reality.
And like fitness, the hardest part isn’t knowing what to do but doing it tomorrow. And the day after that. And every day after.
Listen to the full episode of The Segment: A Zero Trust Leadership Podcast on Apple Podcasts, Spotify, or our website.


