Zero Trust in Practice with Creator John Kindervag and CISO Jared Nussbaum

What happens when the mind behind Zero Trust sits face-to-face with someone putting it to the test every day?

That’s exactly what Illumio brought to the RSAC 2025 stage — a rare, unscripted conversation between John Kindervag, the creator of Zero Trust and Illumio chief evangelist, and Jared Nussbaum, CISO at Ares Management and a seasoned practitioner who’s lived the Zero Trust journey from the inside.

John introduced the model 15 years ago. Jared has spent decades helping global enterprises adopt it, adapt it, and recover from real-world breaches. Together, they unpacked where Zero Trust started, how it’s evolved, and what it takes to make it work in today’s threat landscape.

Here are six key insights from their conversation every security leader should take to heart.

1. Zero Trust is a strategy, not a product

While many vendors try to package Zero Trust as a tool, this isn’t accurate. It’s a strategic shift in how we think about securing digital environments.  

During their conversation, John was clear: “Zero Trust is first and foremost a strategy. It’s something that you do, not something you buy.”  

Jared, speaking from the CISO perspective, agreed. “Anything that helps me get visibility and reduces risk is a win,” he said.  

But he added that Zero Trust has to start with a mindset and a strategy aligned to business outcomes. Before jumping into tools or frameworks, security teams need to understand what they’re protecting and why. This ensures security spending is prioritized appropriately and can win strong buy-in from the board.

“Zero Trust is first and foremost a strategy. It’s something that you do, not something you buy.”

— John Kindervag, creator of Zero Trust

2. Microsegmentation is foundational

For John, segmentation is foundational to Zero Trust. In fact, the second report ever written on Zero Trust was one John wrote 15 years ago, Build Security Into Your Network’s DNA: The Zero Trust Network Architecture.  

In the report, he highlighted the importance of segmentation and centralized management as key components of Zero Trust. He called for creating new ways to segment networks, because they all will need to be segmented.

In the conversation, John emphasized that today’s networks must be segmented by default to prevent attackers from moving laterally once they gain access. “The attackers own it, and you pay the bills,” he said. “Segmentation is the foundation of Zero Trust.”  

Jared illustrated the impact of unsegmented networks with the example of the 2013 Target breach. Attackers gained access through a third-party HVAC vendor and moved into the point-of-sale systems because the proper boundaries weren’t in place.  

“Segmentation done with strong security boundaries gives you visibility and control,” he said. “You can’t stop every attacker from getting in, but you can stop them from getting very far.”

3. Start small with Zero Trust

One of the biggest mistakes John sees is teams trying to roll out Zero Trust across an entire organization all at once.  

“People fail at Zero Trust because they try to do it all at once,” he explained. “You have to start small — one protect surface at a time.”  

His well-known five-step Zero Trust methodology emphasizes building environments that are tailored, manageable, and sustainable:

• Define the protect surface. Identify what needs protection, understanding that the attack surface is constantly evolving. ‍
• Map transaction flows. Gain visibility into communication and traffic flows to determine where security controls are necessary. ‍
• Architect the Zero Trust environment. Once complete visibility is achieved, implement controls tailored for each protect surface.
• ‍Create Zero Trust security policies. Develop granular rules allowing traffic access to resources within the protect surface. ‍
• Monitor and maintain the network. Establish a feedback loop through telemetry, continuously improving security and building a resilient, anti-fragile system.

Nussbaum has seen the same thing play out in practice. “Companies struggle with Zero Trust when they take on too much at once,” he said. “If you start small, align with your business stakeholders, and build incrementally, Zero Trust becomes achievable.”  

He stressed the importance of understanding the environment, defining clear goals, and delivering value early to build momentum. Otherwise, he warns that Zero Trust projects can fall apart quickly and set back an organization’s security posture.

4. Identity isn’t enough

While identity often takes center stage in Zero Trust conversations, John has been challenging this notion from the beginning. “Identity is just one signal,” he said. “It’s always fungible. You need more context to make good decisions.”  

In other words, relying solely on identity introduces risk. This is because it’s still possible for a session to be hijacked or an identity to be misused.

Jared reinforced the need to look beyond user credentials. “You have to continuously verify the user, their device, where they’re working, what they’re accessing, and whether it makes sense,” he said.  

He pointed out that it’s not just about people, either. Workload-to-workload communications must also be verified and controlled. “Without full context, you can’t enforce effective policy.”

AI observability tools like Illumio Insights provide the kind of deep context that modern security demands. They help you gain context into your environments to understand behavior, surface anomalies, and assess risk based on how things are supposed to work versus what’s actually going on.

5. Frame cyber risk in business terms

John described Zero Trust as “the grand strategy of cybersecurity.” He pointed to its growing adoption among governments and enterprises alike.  

In particular, he shared how the strategy resonated even with congressional leaders after the OPM data breach. This was when Zero Trust was identified as the model that could have limited attacker movement and protected national security.

But as Jared pointed out, talking about Zero Trust — or cybersecurity more broadly — matters only if you frame it in terms of business risk.  

“Cyber risk contributes to business risk, but they’re not the same,” he said. “Your board doesn’t care about dwell time or ransomware payloads. They care about downtime, revenue loss, customer impact, and regulatory consequences.”  

For Jared, translating security concerns into business outcomes is what drives buy-in and make security successful across the organization.

“Your board doesn’t care about dwell time or ransomware payloads. They care about downtime, revenue loss, customer impact, and regulatory consequences.”
‍
— Jared Nussbaum, Ares Management CISO

6. Align Zero Trust with your environment

One of the most powerful points John made during the talk was that every Zero Trust environment must be built to fit the organization.  

“Every environment is bespoke,” he said. “You can’t just pull a reference architecture off the shelf and expect it to work. You have to design it based on your protect surface and what the business needs.”

Jared agreed and highlighted the importance of cross-functional collaboration.  

“You can’t do Zero Trust in a silo,” he explained. “You need to bring in infrastructure teams, app developers, business units, even the C-suite. If you don’t align with their priorities and timelines, your program won’t succeed.”  

He emphasized the value of ongoing communication, urging security leaders to “socialize your plans early and often, and adapt them based on feedback from the business.”

Embedding Zero Trust into your strategy

John Kindervag and Jared Nussbaum brought different perspectives to the RSAC stage — one as the originator of Zero Trust, and the other as a practitioner applying it daily. But both agreed on this: Zero Trust is a journey, not a one-time project.

“You’ll be done with Zero Trust when you’re done breathing,” John joked. “This is a strategy for the long haul.”

For security leaders looking to build a more resilient foundation, Zero Trust offers a proven path forward. It starts with strategy, scales with business alignment, and succeeds through visibility, context, and control.

Learn about how more Illumio customers are putting Zero Trust into action at their organizations, or contact us today to talk with one of our Zero Trust experts.