Join us tomorrow for "Hacking Burnout"

Super Cyber Fridays!
Join us TOMORROW, Friday [08-15-25], for "Hacking Burnout"


Join us Friday, August 15, 2025, for “Hacking Burnout: An hour of critical thinking about how security teams get overwhelmed and how to manage it.”

It all begins at 1 PM ET/10 AM PT tomorrow with guests Jonathan Waldrop, former CISO, The Weather Company, and Terry O'Daniel, former CISO, Amplitude. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Defense in Depth
Where are We Struggling with Zero Trust


Everyone seems like they are on board with the principles of zero trust. So why do we see implementation lagging?

Check out this post by Steve Zalewski for the discussion that is the basis of our conversation on this week’s episode co-hosted by David Spark, the producer of CISO Series, and Steve Zalewski. Joining them is their sponsored guest, Rob Allen, chief product officer, ThreatLocker.

Listen to the full episode here.

Legacy infrastructure creates the biggest hurdles

Zero trust implementations crumble under the weight of outdated systems and accumulated technical debt. "Where do I start? First, legacy infra and technical debt that were not designed for continuous auth or JIT access," explains Andrew Wilder, CSO at Vetcor.

The challenge extends beyond just old technology. Organizations lack visibility into their current assets. Wilder notes that maintaining "real-time complete asset inventory and user inventory" becomes nearly impossible when considering shadow IT and the explosion of non-human identities. Ferenc Spala from Cognizant highlights the reality that organizations face: "Many companies still struggle with decade-old problems," including business-critical systems running on Windows 2003 and hundreds of dormant accounts that create security gaps.
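One concrete place to start on the "user inventory" problem is a dormant-account sweep over whatever your identity provider or directory can export. The script below is an added illustration, not code from the episode, the post, or any of the speakers' organizations. It assumes a JSON export with one record per account carrying the fields name, kind ("human" or "service"), enabled, owner, created and last_login (ISO 8601 timestamps, with last_login null for accounts that never signed in); those field names, the constructed sample records and the 90-day/30-day/14-day thresholds are assumptions for illustration, not vendor defaults.

```python
"""Dormant-account sweep over an identity export (added example).

Assumed input format (not any real IdP's schema): a JSON list of records with
name, kind ("human"|"service"), enabled, owner, created, last_login.
Thresholds below are illustrative; tune them to your own access policy.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export; a real inventory would come from the IdP/directory.
SAMPLE_EXPORT = json.dumps([
    {"name": "alice", "kind": "human", "enabled": True, "owner": None,
     "created": "2023-01-10T09:00:00Z", "last_login": "2025-08-12T14:03:00Z"},
    {"name": "bob", "kind": "human", "enabled": True, "owner": None,
     "created": "2021-06-01T09:00:00Z", "last_login": "2025-02-01T08:00:00Z"},
    {"name": "contractor7", "kind": "human", "enabled": True, "owner": None,
     "created": "2025-07-20T09:00:00Z", "last_login": None},
    {"name": "svc-backup", "kind": "service", "enabled": True, "owner": "infra-team",
     "created": "2019-03-03T00:00:00Z", "last_login": "2025-08-13T02:00:00Z"},
    {"name": "svc-legacy-erp", "kind": "service", "enabled": True, "owner": None,
     "created": "2012-11-11T00:00:00Z", "last_login": "2024-12-30T03:00:00Z"},
    {"name": "old-admin", "kind": "human", "enabled": False, "owner": None,
     "created": "2015-05-05T00:00:00Z", "last_login": "2018-01-01T00:00:00Z"},
])

# Assumed policy thresholds (illustrative).
HUMAN_DORMANT_DAYS = 90      # humans idle longer than this get flagged
SERVICE_DORMANT_DAYS = 30    # service accounts should be used continuously
NEVER_USED_GRACE_DAYS = 14   # new accounts get a short window to first sign in

# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) live.
SAMPLE_NOW = datetime(2025, 8, 15, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; None stays None (never signed in)."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_dormant(export_json, now):
    """Return [(account_name, [reasons...])] for enabled accounts that look stale.

    Disabled accounts are skipped: they belong on a separate deletion list.
    Service accounts use the tighter threshold and must have a named owner.
    """
    findings = []
    for acct in json.loads(export_json):
        if not acct["enabled"]:
            continue
        is_service = acct["kind"] == "service"
        limit = SERVICE_DORMANT_DAYS if is_service else HUMAN_DORMANT_DAYS
        last = parse_ts(acct["last_login"])
        created = parse_ts(acct["created"])
        reasons = []
        if last is None:
            # Never used: only a finding once the grace window has passed.
            if now - created > timedelta(days=NEVER_USED_GRACE_DAYS):
                reasons.append("never signed in")
        elif now - last > timedelta(days=limit):
            reasons.append(f"idle {(now - last).days}d (> {limit}d)")
        if is_service and not acct["owner"]:
            reasons.append("non-human identity with no owner")
        if reasons:
            findings.append((acct["name"], reasons))
    return findings


def run_sample():
    """Run the sweep over the constructed export at the fixed sample time."""
    return find_dormant(SAMPLE_EXPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for name, reasons in run_sample():
        print(f"{name}: {'; '.join(reasons)}")
```

Against the constructed export this flags bob (idle past the human threshold), contractor7 (created a month ago, never signed in) and svc-legacy-erp (idle service account with nobody accountable for it), while leaving the recently used accounts and the already-disabled old-admin alone. The ownerless-service-account check is the one that tends to surface the non-human identity sprawl Wilder describes, since those accounts rarely have a leaver process attached to them.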

More marketing than methodology

The zero trust concept has evolved into something far removed from its original security framework, creating confusion across the industry. "I've noticed some leaders wear zero trust like a personality, not a framework," observes Steve Tout from Identient. The term has become more about corporate positioning than practical implementation.

This confusion stems from a fundamental lack of standardization. Indus Khaitan from Redblock searched for clear zero trust definitions after returning to cybersecurity and found troubling results, saying, "I looked into what exactly constitutes a zero trust architecture… and couldn't find a clear, comprehensive answer. Zero trust? Nothing that definitive. Just vibes."

Implementation complexity makes zero trust a Sisyphean task

Zero trust requires orchestrating multiple complex security disciplines simultaneously, creating implementation challenges that can overwhelm even experienced teams. Greg Notch, CSO at Expel, describes the original intent as "a set of concepts and strategies marrying network boundaries, strong identity, device trust, and authorization." All of these are still challenging to implement individually, let alone in concert.

The scope becomes staggering when organizations realize the full extent of what needs to change. Eduardo R. Ortiz from Techtronic Industries breaks down the challenge: "The scope: it is massive. It touches every user, device, application, data point." Zero trust initiatives are not just technical changes; they are significant business investments and organizational transformations aimed at integrating diverse technologies across legacy systems.

Don't ignore human factors

The gap between zero trust policy and practical implementation often widens due to poor user experience design. This can set both security and users up for failure. Ezra Ortiz with Peraton captures this disconnect perfectly, saying, "The policy is easy. The design, integration, cost, user experience, and maintenance are the issues." Organizations pile on security layers (tokens, complex passwords, frequent rotations, multi-factor authentication) without considering the cumulative burden on users.

This approach backfires when overworked IT staff struggle to maintain systems. Frustrated users WILL find workarounds. As Ortiz points out, the end result is predictable: security failures get blamed on "simple human error caused by design" rather than addressing the underlying problems that created the poor user experience in the first place.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Huge thanks to our sponsor, ThreatLocker


Subscribe
Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

LIVE!
Cyber Security Headlines - Week in Review


Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Steve Zalewski, co-host, Defense in Depth.

Thanks to our Cyber Security Headlines sponsor, Vanta


Cyber chatter from around the web...
Jump in on these conversations

“Day to day as a Cybersecurity Engineer: what’s the reality?” (More here)

“How do you keep up to date with Cyber Security?” (More here)

“How are people securing payment portals without a big IT team?” (More here)

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [08-15-25] Hacking Burnout

  • [08-22-25] Hacking Tabletop Exercises

  • [08-29-25] No Show

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.