Compliance is the bar, not the ceiling: Insights from Chase Cunningham (DrZeroTrust)

In the current landscape, chasing a one-size-fits-all "Zero Trust Certified" solution is a fool’s errand. Instead, experts like Dr. Chase Cunningham—known in the community as Dr. Zero Trust—advocate for a practical, operational approach to cybersecurity.

In a recent episode of the Zero Trust Journey podcast, Chase delivered a no-nonsense rundown of actionable insights for organizations of all sizes. Here’s a deep dive into his key recommendations for building a resilient #ZeroTrust framework.


1. Start with a Comprehensive Asset Inventory

Know What’s on Your Network: Chase stresses that the foundation of any effective Zero Trust strategy begins with knowing exactly what’s running on your network. A meticulous asset inventory is crucial. Without it, you’re flying blind.

Action Step:

  • Conduct an in-depth audit of all hardware, software, and network connections.
  • Use automated discovery tools to maintain an up-to-date inventory.


2. Embrace Full-Scale Red Teaming

Move Beyond Pen Tests: While traditional penetration testing has its place, Chase argues that only a full-fledged red team exercise can reveal the true vulnerabilities of your network.

Action Step:

  • Engage a red team to simulate real-world adversary behavior.
  • Establish clear parameters and, if possible, propose a performance-based guarantee (e.g., if the red team finds no gaps, a portion of the contract is refunded).


3. Focus on Operational Security Over Compliance

Compliance Is the Floor, Not the Ceiling: Rather than merely checking boxes on a compliance checklist, Zero Trust should be about effective, continuous defense. Chase reminds us that compliance is just the starting point—not the end goal.

Action Step:

  • Design security controls based on actual threat scenarios, not just regulatory requirements.
  • Regularly test and adjust these controls to ensure they are effective against emerging threats.


4. Optimize Your Security Portfolio

Portfolio vs. Platform: Chase recommends that organizations—especially small and mid-sized businesses—favor a portfolio of integrated, best-of-breed solutions over a monolithic security platform.

Action Step:

  • Evaluate current security tools to identify redundancies (for example, one cruise line dramatically reduced their security suite from nearly 60 solutions to a streamlined 11–12).
  • Prioritize solutions that offer strong API integrations and can interoperate seamlessly.


5. Simplify Micro Segmentation

Scaling Micro Segmentation: Once considered an incredibly complex endeavor, micro segmentation is now more accessible thanks to advances like ZTNA and policy engines. However, Chase cautions against over-segmentation.

Action Step:

  • Implement segmentation gradually, ensuring each layer of control is manageable.
  • Start with the most critical assets and expand as you gain confidence in your controls.


6. Prioritize Cost-Effective Strategies for Small Businesses

Security for Every Organization: Chase is passionate about making robust security accessible to small businesses, which are often prime targets despite their limited budgets.

Action Step:

  • Assess your organization’s real security needs; avoid enterprise-scale solutions if you don’t have the scale.
  • Consider cost-effective alternatives, such as using Chromebooks or browser isolation techniques, to reduce risks without overextending resources.


7. Adopt an Attacker’s Mindset

Think Like the Adversary: Chase emphasizes that a truly effective security strategy comes from understanding how attackers operate. He compares red teaming to training for a street fight—practicing against unpredictable real-world scenarios is essential.

Action Step:

  • Regularly simulate attack scenarios to challenge your security posture.
  • Use the lessons learned from these simulations to adjust and improve your defenses continually.


8. Debunk the Vendor Hype

Don’t Fall for Buzzwords: There is no “Zero Trust Certified Product,” and vendors claiming otherwise are often overselling a concept that requires a strategic approach rather than a quick fix.

Action Step:

  • Critically evaluate vendor claims and prioritize solutions that demonstrate real, practical benefits.
  • Focus on building an ecosystem of tools that align with your unique operational needs rather than chasing industry buzzwords.


Learn from Other Zero Trust Thought Leaders

Chase emphasizes the importance of staying informed and learning from the pioneers in the field. Here are some thought leaders and resources to follow for additional insights:

  • John Kindervag: Often credited as the founder of the Zero Trust model, his work lays the groundwork for modern Zero Trust strategies.
  • Jason Garbis: Known for his contributions to the Zero Trust Maturity Model (ZTMM), Jason offers deep insights into the practical application of Zero Trust principles.
  • Forrester Analysts: Regular publications from Forrester provide research-based perspectives and strategic guidance on Zero Trust implementation.
  • Razi R. O'Reilly's Zero Trust Book: A comprehensive resource that offers in-depth strategies and guidance for building a Zero Trust framework.
  • Cloud Security Alliance: Their reference materials are invaluable for understanding modern cyber defense frameworks and best practices in Zero Trust.


Final Thoughts

Zero Trust isn’t a destination—it’s an ongoing journey that requires constant evaluation, adaptation, and a willingness to challenge the status quo. As Chase Cunningham makes clear, effective Zero Trust starts with understanding your environment, testing it rigorously through red teaming, and making informed, cost-effective decisions that directly address your organization’s threat landscape.

By embracing these actionable insights, organizations can strip away unnecessary complexity, achieve tangible ROI, and build a security posture that stands up to today’s ever-changing cyber threats.

More articles by Dr. Victor Monga