#1698251: Where are We Struggling with Zero Trust

Description: Full Transcript
Intro
0:00.000

[David Spark] Everyone seems like they are on board with the principles of zero trust. I mean, even the US government is on board. So, why do we see implementation of zero trust lagging?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series. And joining me for this very episode is my co-host, none other than Steve Zalewski. Steve, say hello to the audience.

[Steve Zalewski] Hello, audience.

[David Spark] That I heard. For those listening, we had audio troubles for me hearing.

[Rob Allen] No, no, you had audio problems. You had audio problems.

[David Spark] I had audio problems. That was our guest who I will introduce in just a moment, who likes to taunt me. You’ve heard him on the show before too. But hold on, let me mention our sponsor. And that would be ThreatLocker Zero Trust Endpoint Protection Platform. ThreatLocker has been an absolute spectacular sponsor of the CISO Series. We love having them on board. But let’s get to our topic at hand, which is near and dear to pretty much everyone’s heart.

I don’t know anyone who is not embracing zero trust at some level here. So, Steve, who’s nodding his head back and forth, let’s sort of set this up. If we could all practice the zero trust that we preach, we’d all be in a much more secure position today. But that just doesn’t happen. Does some of this have to do with the underlying principles of zero trust? Are some just much more difficult to achieve? I think so. Or are some of them letting us down when rubber meets the road?

Like when the actual implementation happens. So, Steve, it’s rare we have such agreements in cybersecurity. I mean, this is a big one we’re all kind of on board with. We mostly agree on zero trust. But geez, why are so few getting there? What do you think?

[Steve Zalewski] So, when we were at RSA, I heard this over and over, which is why we posted it. But you know what I was thinking over the course of RSA? I go, you know, this sounds an awful lot like going to the dentist and talking about the value of flossing. Everybody agrees flossing is a good idea, yet we have a thousand and one reasons why we don’t floss. And I just was then starting to characterize. You look at the reasons that people are putting up, just like when we talk about why flossing is too hard, even though we all agree it is well worth the time and effort.

[David Spark] I would also say we’d all be on board if [Laughter] zero trust was as easy to implement as flossing is, which I can’t say it is exactly.

[Steve Zalewski] You know, like I said, it was a good analogy because flossing should be easy. And yet even that, as “easy” as it is, we find reasons. And that’s why I was like it’s like death by a thousand cuts. Zero trust is great. But maybe part of the reasons that we’re having this conversation is here’s the death by a thousand cuts by why we somehow cannot get over the finish line. It’s just a fascinating conversation.

[David Spark] All right. To help us with this discussion, someone we’ve had on a bunch of times before with ThreatLocker, actually the chief product officer. And by the way, they are very much into implementing zero trust, and I think they actually have some pretty easy ways to get it implemented. Please, everyone, our sponsored guest. Let’s hear it for none other than Rob Allen. Rob, thank you for joining us.

[Rob Allen] Thank you, David. Am I expecting applause to come through now or something?

[David Spark] Yes, it will come through.

[Rob Allen] Okay, excellent. Yeah.

[Steve Zalewski] Assuming the audio works.

[Rob Allen] Assuming David’s audio works.

Is this problem solvable?
3:30.917

[David Spark] Andrew Wilder, CSO over at Vetcor, said, “Where do I start? First, legacy infrastructure and technical debt that were not designed for continuous authorization or just-in-time access. Second, ‘what keeps me up at night’ real-time complete asset inventory and user inventory. Consider shadow IT and non-human identity explosion. And third, if you were somehow able to solve both of these problems, is how to do both consistent and automated policy enforcement across our hybrid landscapes.” So, I think what Andrew’s saying, Steve, is it’s not as easy as flossing. And Ferenc Spala of Cognizant said, “Many companies still struggle with decade-old problems.” This one I’ve heard a lot.

I’m being selective here, but Ferenc responds with, “Still running business critical systems on Windows 2003. Still have hundreds of ‘graveyard accounts.’ Still trying to patch vulnerabilities based on CVSS severity and can’t keep up, and the list goes on. You can’t really do effective zero trust without having your identity access management and identity governance and administration in good shape. Unfortunately, this is an area that is very similar to configuration management database. Everyone has it and everybody knows it’s not really good.” So, Steve, I go back to what I said at the beginning. I think everyone’s on board, but wow, there’s just a history of problems, aren’t there?

[Steve Zalewski] There is a history of problems, absolutely. And the ability to solve that history of problems is a lot of what’s being brought up here is I want to move forward, but a lot of what my problems are are things I can’t move forward, like legacy debt. In addition to the explosion of new areas where zero trust as we’ve tried to solve it, it’s now getting around us. And so, it’s squirting out on the side and we’re having to chase the rabbit.

[David Spark] Rob, what do you think? When people just say, “I’d like to do zero trust, but man, it’s so complicated, and I got all these other old problems that I’m still managing with.” What’s your response?

[Rob Allen] I’m trying to figure out a nice way to put this, but just because something is hard doesn’t mean it should not be done.

[David Spark] Well, that is the polite way of saying it.

[Rob Allen] I can give you a great number of examples that are of difficult things that were done largely because they were difficult. Not done because they were difficult. I mean, think of men on moon, etc. But to be perfectly honest, if zero trust being difficult was the major stumbling block, then ThreatLocker wouldn’t exist because what we do is not easy. And we try and make it easy for our customers, but the actual implementation of these things is not simple. It’s not straightforward. It’s not like flossing. But just because something isn’t easy doesn’t mean it’s not worth doing.

[David Spark] Let’s talk about legacy systems that don’t really have this sort of identity management as well-defined as the newer systems, and those become the most difficult to implement zero trust. What’s your response to people dealing with like systems running on Windows 2003?

[Rob Allen] Well, there’s two sides to our response to it. We recently, and I mean very recently, released an XP and 2003 version, our compatible version of ThreatLocker…

[David Spark] Wow!

[Rob Allen] …which feels really strange to say in the year 2025, but for precisely this reason, which is some customers do have legacy systems.

[David Spark] Actually, could you ballpark, like what percentage of your customers have 20-plus-year-old operating systems running environments?

[Rob Allen] A very small percentage overall, maybe 5%.

[David Spark] Well, that’s still significant.

[Rob Allen] Well, the interesting part is some of those organizations might have 20,000, 30,000, 40,000 endpoints, and they’ve got a handful of XP machines or a handful of 2003 servers. So, out of millions and millions and millions of machines that are out there, you might be talking about a couple of hundred.

Read the rest at the link.
More info: https://cisoseries.com/where-are-we-struggling-with-zero-trust/

Date added Aug. 17, 2025, 12:42 a.m.
Source cisoseries
Subjects
  • PodCasts / Webcast / Webinar / eSummit / Virtual Event etc.
  • Security Management/Strategic Security/ROI/ROSI - CISO and Higher Level
  • Zero-Trust / Zero Trust Security / Zero Trust Models / Zero Trust Network Access / ZTNA