Zero Trust Done Right - The Backstory


John Spiegel

3/14/2026 | 5 min read

As with many projects, this one started as a last-minute conversation about what would make a great audience session.

Not the kind where someone gets on stage and talks about how amazing their product is—you know the one: “It slices, it dices, and if you buy now we’ll throw in this special risk reduction tool.” We wanted something different. Something honest. Something that people sitting in the audience would immediately recognize because they had lived through it themselves.

About thirteen minutes into the conversation, one of us said, “What if we tell epic fail Zero Trust stories?” The idea landed immediately. We hear those stories all the time. In fact, if we’re being honest, we’ve lived quite a few of them ourselves in our past lives as IT and security leaders on the frontlines. Anyone who has been responsible for production systems and real users knows what that feels like. There are late nights, difficult tradeoffs, and architecture decisions that look clean on a whiteboard but behave very differently once they collide with real networks, real applications, and real people.

The idea excited us because telling those stories meant speaking from the heart. Instead of presenting theory or marketing slides, we would share the lessons we learned the hard way. If we did it right, we could help the next generation of security leaders avoid some of the same mistakes and struggles that shaped our own careers.

The conversation kept going. What was supposed to be a quick thirty-minute meeting turned into ninety minutes of classic watercooler talk. One story led to another as we swapped war stories about Zero Trust initiatives that stalled, architectures that collapsed under operational pressure, and moments where a well-intentioned security control accidentally broke the business it was meant to protect. By the end of that discussion it was obvious we were onto something bigger than a conference talk.

What it became is the genesis of Zero Trust Done Right.

As we left that meeting, something stuck with us. The stories we had been trading back and forth weren’t unique to our careers. They were the kinds of lessons that get shared quietly between practitioners—over coffee at conferences, in hallway conversations after a talk, or during late-night troubleshooting sessions when someone says, “Let me tell you about the time we tried that.”

Those moments are how many of us learned this profession. Someone a few steps ahead in their career shares a hard-earned lesson, and suddenly a problem that once took years to understand becomes clear in a few minutes. Over time those conversations shape how we think about architecture, leadership, and risk. The cybersecurity community has always worked that way—people learning from each other’s successes and failures.

That realization is what pushed the idea of a talk into something larger. Instead of letting those stories remain scattered across hallway conversations and conference panels, we decided to write them down. Zero Trust Done Right became our attempt to capture those lessons and give something back to the community that has given all of us so much.

That felt especially important because of where the industry is right now.

Over the past few years, Zero Trust has become one of the most widely discussed ideas in cybersecurity. At the same time, it has become one of the most misunderstood. In some organizations it has turned into a shopping list of tools. In others it has become a buzzword attached to existing security projects. Meanwhile, many security teams quietly struggle with the same uncomfortable question: we invested in the technology… so why doesn’t our environment actually behave differently?

That disconnect is the disconnect we address in the book. And it's why we state clearly: Zero Trust isn't primarily a technology project. It's a leadership journey.

Implementing Zero Trust means guiding an organization through change. It requires aligning security, infrastructure, application teams, and business leaders around a different way of thinking about trust and access. It means navigating legacy systems, competing priorities, and the very real pressure not to disrupt the business while trying to make it safer.

In other words, running a Zero Trust initiative looks a lot more like leading a complex transformation than deploying a piece of software.

That’s the part most books skip.

Zero Trust Done Right is really a guide for leaders who are responsible for making Zero Trust work inside real organizations. It explores how to start the journey, how to prioritize what matters, how to gain support from leadership, and how to avoid the traps that cause so many initiatives to stall. It talks about how to balance risk reduction with operational reality, and how to deliver meaningful progress without breaking the business along the way.

The stories in the book come directly from the experiences of practitioners who have been through this journey. Some are funny in hindsight. Others are painful reminders of how complex modern environments really are. There are stories about organizations that tried to segment everything at once and discovered just how interconnected their systems actually were. There are stories about teams that invested heavily in tools before clearly defining who should have access to what. And there are stories about leaders who approached the challenge thoughtfully, focused on incremental progress, and gradually transformed how their organizations handled trust.

The lessons that emerge from those stories are practical and hard-earned. Again and again, the same themes appear. Progress matters more than perfection. Architecture matters more than individual product choices. And perhaps most importantly, security initiatives succeed when they enable the business to operate safely rather than creating friction the organization cannot tolerate.

At its core, Zero Trust is not about creating a world where breaches never happen. Anyone who has spent time in security knows that is unrealistic. The real goal is building environments where breaches are contained. When identity, segmentation, and access decisions are designed carefully, the compromise of a single system or account does not automatically cascade into a catastrophic failure. Good architecture reduces the blast radius of mistakes, vulnerabilities, and attacks.

Writing Zero Trust Done Right was our attempt to capture the kinds of conversations that usually happen informally between practitioners. The lessons that get shared over coffee at conferences, in hallway discussions after presentations, or late at night when security leaders compare notes about what actually worked and what didn’t.

If you are responsible for security architecture, identity strategy, or leading a Zero Trust initiative inside your organization, this book was written for you. It is the collection of lessons we wish someone had handed us earlier in our careers—before the outages, before the failed pilots, and before the long nights trying to unwind architectural decisions that seemed reasonable at the time.

If any part of this story sounds familiar, you will probably recognize pieces of your own journey in these pages.

And if you are about to start a Zero Trust initiative at your company, our hope is that the stories and lessons inside will help you move faster, avoid a few traps, and lead the journey with greater confidence.

You can find Zero Trust Done Right on Amazon here: https://www.amazon.com/Zero-Trust-Done-Right-Practitioners/dp/B0GQKCN4TN. And if you are attending RSAC at the end of the month, we are excited to announce that the book will be in the RSAC bookstore. Better yet, if you see us in the hallways, give us a high five and tell us your Zero Trust story from the trenches.