Making Zero Trust work for teams who actually ship code

with George Finney, author of "Project Zero Trust" and CISO at The University of Texas System

George Finney, CISO at The University of Texas System and author of Project Zero Trust, asserts that Zero Trust isn’t just a strategy; it’s the “only strategy when it comes to cybersecurity.”

Like all good researchers, we went straight to Reddit to see what people were really saying about Zero Trust. Turns out, a lot of teams were over it. They were tired of gatekeepers who slowed everyone down. Sure, plenty of Redditors could riff on principles like least privilege, but most were focused on what they already knew, not the bigger picture that makes Zero Trust not only work, but actually work seamlessly for teams shipping code under tight deadlines.

What Zero Trust is (and isn’t)

George sets the record straight on Zero Trust, tackling the most common misconceptions.

  1. Zero Trust isn’t about not trusting people. Collaboration still matters. John Kindervag, the creator of Zero Trust, describes it as “a strategy for preventing or containing breaches by removing the trust relationships we have in digital systems.” Listen to John Kindervag break down Zero Trust principles in 60 seconds.

  2. It’s not a product you can buy. There’s no one-size-fits-all architecture. Zero Trust is a strategy, not a tool. If a vendor tells you they “do Zero Trust,” the real question is: how will they integrate, secure data, and prove they’re trustworthy?

  3. Least privilege is the how, Zero Trust is the what. Least privilege, separation of duties, and role-based access control are just building blocks. Zero Trust is the strategy that defines the desired end state.

  4. The four Zero Trust design principles outlined in Project Zero Trust are simple, but powerful.

    1. “Define business outcomes.

    2. Design from the inside out. Start with data.

    3. Determine who or what needs access.

    4. Inspect and log all traffic.”

  5. You may already be asking “What can go wrong?” But what must go right? Security teams often use threat modeling to anticipate failures. Zero Trust requires teams to model the critical business success path: the systems, access, and safeguards that have to stay intact no matter what.

  6. Yes, Zero Trust can feel painful. But that’s a design problem, not a strategy problem. If Zero Trust makes one team the bottleneck for every permission request, the issue isn’t Zero Trust, it’s poor automation and governance. Good Zero Trust reduces friction.

  7. Zero Trust and AI are inseparable. George uses a restaurant analogy: you have ingredients (data), recipes (models), system components (kitchen equipment), and end users (diners). You need to protect the ingredients, recipes, and different parts of the system. And diners should probably be kept out of the kitchen. If you think about AI this way, George says, it can help you focus on “securing trust relationships where different systems interact.”

About George Finney

George Finney is the Chief Information Security Officer at the University of Texas System, Co-Chair of the CSO Strategic Advisory AI Safety Committee at the Cloud Security Alliance, and Founder of Well Aware Security. He is the author of multiple books, including:

George’s books skip the jargon and focus on stories. You might just find yourself rethinking Zero Trust and how it can help your team ship faster while keeping your organization and customers safe.