How the 5-Person Security Team at Spokane Teachers Credit Union Achieves Big Zero Trust Wins

STCU IT Application Manager Greg Mitchell

Greg Mitchell’s small five-person team at Spokane Teachers Credit Union (STCU) has achieved what many large financial institutions only dream of. They’ve reached over 90% segmentation enforcement as part of their Zero Trust strategy.

What makes STCU’s story so compelling is not just the numbers but the team’s mindset.

During our conversation on the latest episode of The Segment podcast, Greg shared the five lessons he and his team have learned during their Zero Trust implementation.  

We discussed how lean teams can turn segmentation into a business priority, build resilience step by step, and strengthen relationships across the organization along the way.

1. Make cybersecurity a business initiative

Too often, we hear that security has to “support” the business. Greg sees it differently.

“We kind of changed the lens,” he said. “This is just as important as those business initiatives. It became another initiative we track quarterly with leadership buy-in.”

That framing matters. When Zero Trust initiatives like segmentation are treated as core business projects, they get the same attention, resources, and momentum as revenue-driving initiatives.

It also sends a powerful message across the company: cybersecurity is not optional.

2. For early wins, small orgs should start (very) small

Common Zero Trust wisdom is to start your journey by securing your organization’s most critical assets. This shows early progress, garners board-level buy-in, and locks down the data, applications, and resources the business relies on most.

But for a regional credit union like STCU, any mistake or misstep can be catastrophic. That’s why Greg chose a slightly different starting point for Zero Trust.

“You want small wins, so start with smaller applications first,” he advised. “Build a playbook, gain confidence, and then take on the more critical, complex applications.”

Greg's approach worked. STCU avoided early roadblocks and instead built credibility, trust, and repeatable processes.  

Progress compounded until they reached 90% enforcement. As Greg put it, even moving an app from 100% exposed to 40% protected is progress. Every increment matters, especially in a small organization.

3. Build relationships, not just rules

For many organizations, Zero Trust is often seen as purely technical. But Greg highlighted an unexpected business benefit: stronger cross-functional collaboration.

“The biggest benefit we found is just a little bit more relationship building amongst peers,” he said. “We trained teams on how to view blocks and do some self-service. It wasn’t about doing this all behind closed doors. It was about partnership.”

That transparency turned what could have been a source of friction into a bridge between IT and the business. It also means that Greg’s small five-person team gets support from the rest of the organization, which makes everyone’s job that much easier.

4. Practice and test the “assume breach” mindset

Greg also shared how STCU tests its resilience through quarterly disaster recovery exercises and third-party penetration tests.

“Disaster recovery, disaster recovery, disaster recovery,” he emphasized. “It’s not the fun stuff, but it’s important. You find gaps, and then you fix them.”

This aligns with a theme I’m starting to find across the cyber industry: cyber resilience isn’t just a strategy but a lifestyle.  

You don’t set it and forget it. You rehearse it until it’s second nature. And that goes for the entire organization, not just the security team.

5. Make leadership buy-in your force multiplier

At every turn, Greg credited leadership.

“My hat’s off to our director,” he said. “When leaders say it’s a priority, it becomes a priority for the next person to implement.”

This top-down commitment empowered Greg’s lean team to balance their Zero Trust journey alongside other IT and business priorities without sacrificing productivity.

STCU’s next step is extending Zero Trust into its Microsoft Azure environment. The playbook will remain the same: involve the right architects early, align the technology with business goals, and scale what’s already working.

Big Zero Trust lessons from a small team

For leaders at smaller organizations wondering if Zero Trust is too complex, too costly, or too disruptive, STCU proves otherwise. With the right mindset, even lean teams can deliver enterprise-grade resilience.

Greg put it best: “Zero Trust is a mindset. You don’t have to break the bank. Use what you have, get leadership buy-in, and keep going. There is always more you can do.”

Listen to our full conversation on The Segment: A Zero Trust Leadership Podcast on Apple, Spotify, or our website.
