Cybersecurity Today – The Godfather of Zero Trust: A Discussion with John Kindervag
Host: Jim Love
Guest: John Kindervag (“Godfather of Zero Trust”)
Date: September 13, 2025
Episode Overview
Jim Love sits down with John Kindervag, the pioneer behind the Zero Trust cybersecurity model, for a wide-ranging, candid, and opinionated discussion about the history, principles, and misconceptions of Zero Trust. They address why cybersecurity breaches are still rampant, the practical and cultural obstacles to implementation, and how Zero Trust principles can be applied to modern threats—especially as AI and social engineering reshape the field. Throughout, the episode stresses the importance of actionable methodology, not products or platitudes, and the need for leaders to prioritize what truly matters.
Key Discussion Points & Insights
1. Founding Ideas Behind Zero Trust
- Origin Story:
  - Firewalls in the late 90s/early 2000s classified networks by trust levels, with internal networks viewed as fully “trusted,” leading to poor policy on outbound traffic ([01:59], Kindervag).
  - John’s push for outbound rules was dismissed:
    "If somebody gets inside, they can automatically expo all this data. No one will ever know. ... That’s not how the trust model works." ([01:59], Kindervag)
  - The trust model was fundamentally flawed, and John conceived that “every interface and every packet should have the same trust level and that trust level should be zero.” ([02:42], Kindervag)
- Institutional Evolution:
  - Forrester Research provided the environment to develop and test these ideas, one where creative, real-world research was encouraged ([04:13–06:17], Kindervag).
  - The first Zero Trust paper, "No More Chewy Centers," was published in 2010 ([08:20–09:14], Kindervag).
2. Zero Trust Is NOT a Product
- Misconceptions:
  - Many treat Zero Trust as a product or checkbox: they “go too big,” try to implement everywhere at once, and fail to grasp the foundational concepts.
    "Most people, the big failures are they think it’s a product...and try to do it all at once. That never works." ([10:45], Kindervag)
- Core Concept: the Protect Surface
  - Protect Surface: the actionable inversion of the “attack surface”: a clear, manageable, business-critical element (e.g., ATM systems, SWIFT, or DNS at a bank).
    “The secret to zero trust is understanding that it's not about what are the threats, it's not about what is the product, it's about what am I trying to protect.” ([12:33], Kindervag)
  - Build Zero Trust "one protect surface at a time," avoiding the overwhelm and overreach that doom large projects.
3. Getting Business Buy-in & Overcoming Cultural Hurdles
- The ‘Crown Jewels’ Conversation:
  - Many IT people aren’t empowered or equipped to identify what needs protection; leadership must be involved ([13:40–14:06], Kindervag).
  - Over-focus on “availability” (the “CIA triangle” dilemma) leads to myriad “highly available yet compromised” systems ([15:01], Kindervag).
- Culture of Blame & Incentives:
  - Fear of blame leads to risk-averse behavior and policy inertia.
    “Most people are managing their own downside personal risk...instead of managing the upside potential for the organization.” ([23:09], Kindervag)
    "No one feels confident to try to make things better...I watched an entire financial database exfiltrate live to an adversary...I said let's shut it down. No, I'll get in trouble." ([23:35], Kindervag)
4. Risk vs. Danger Management
- Risk as a Flawed Concept:
  - John argues traditional "risk management" is unworkable: probabilities are incalculable with too many variables.
    "We need to move from risk management to danger management because risk assumes a probabilistic statement that you can't make in cybersecurity." ([17:30], Kindervag)
  - Focus on "danger" (what is intolerable), not on the impossible calculation of risk ([18:18–20:58], Kindervag).
  - Memorable anecdote: his nephew, Steven Danger, survived a cancer diagnosis with a 2% chance, underscoring the failure of “probability” as a guide for action ([18:56], Kindervag).
5. Zero Trust Implementation: The Five-Step Methodology
- John’s Five Steps:
  1. Define the Protect Surface: what specifically are you protecting? ([33:07], Kindervag)
  2. Map Transaction Flows: how does the system interconnect and work? Use maps; “The wars are lost on bad maps” ([33:28], Kindervag).
  3. Architect: tailor the solution; don’t blindly deploy products ([34:09], Kindervag).
  4. Define Policies (Kipling Method): who, what, when, where, why, and how for every access rule ([35:09], Kindervag).
  5. Monitor and Maintain: pull telemetry, analyze, and create “antifragile” systems that learn and strengthen under attack ([36:12], Kindervag).
- Policy Over Product:
  - Products exist to enforce policy; start with what (and why) you protect ([45:39], Kindervag).
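As an added example (not from the episode or from Kindervag’s own material), the policy step above can be made concrete as a small default-deny evaluator: every allow rule must answer the six Kipling questions, a request is allowed only when one rule answers all of them, and an audit flags rules that leave a question open with a wildcard. The "financial-db" protect surface, the identities, segments and rules are constructed for illustration.

```python
from dataclasses import dataclass

# Kipling Method policy: every allow rule answers who/what/when/where/why/how.
# Anything not explicitly allowed is denied; there is no implicit trust.

@dataclass(frozen=True)
class Rule:
    who: str      # asserted identity of the user or workload
    what: str     # protect-surface element the rule guards
    when: tuple   # permitted window as (start_hour, end_hour), 24h clock
    where: str    # network segment the request must originate from
    why: str      # business justification recorded with the rule
    how: str      # permitted action on the resource

@dataclass(frozen=True)
class Request:
    who: str
    what: str
    hour: int
    where: str
    how: str

# Constructed sample policy for a hypothetical "financial-db" protect surface.
POLICY = (
    Rule("svc-ledger", "financial-db", (0, 24), "seg-finance-app", "ledger posting", "write"),
    Rule("alice-analyst", "financial-db", (8, 18), "seg-finance-users", "month-end reporting", "read"),
)

def evaluate(req: Request, policy=POLICY) -> tuple:
    """Return ('ALLOW', why) for the first rule answering every question, else ('DENY', reason)."""
    for r in policy:
        in_window = r.when[0] <= req.hour < r.when[1]
        if (r.who, r.what, r.where, r.how) == (req.who, req.what, req.where, req.how) and in_window:
            return ("ALLOW", r.why)
    return ("DENY", "no allow rule answers who/what/when/where/how for this request")

def wildcard_fields(rule: Rule) -> list:
    """Kipling fields a rule leaves open with '*'; each one widens the allow rule."""
    return [f for f in ("who", "what", "where", "how") if getattr(rule, f) == "*"]

def audit(policy) -> list:
    """(index, open_fields) for every rule that does not fully answer the Kipling questions."""
    return [(i, wildcard_fields(r)) for i, r in enumerate(policy) if wildcard_fields(r)]

if __name__ == "__main__":
    # An IT manager with no business need on the financial database is denied by default.
    jim = Request("jim-love-it-manager", "financial-db", 10, "seg-it-admins", "read")
    print(evaluate(jim))
    # A "convenience" rule with wildcards is exactly the allow rule a breach would live inside.
    print(audit(POLICY + (Rule("*", "financial-db", (0, 24), "*", "convenience", "read"),)))
```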
6. Proof, Maturity Models & Practical Outcomes
- Demonstrating Success:
  - “First rule of Zero Trust is you don’t talk about it”: the best implementations are quiet; when it works, you don’t hear of breaches.
  - Mature organizations manage progress with a maturity model over their protect surfaces ([21:39], Kindervag).
    “I get screen captures from people a lot who send me, look at what my zero trust environment just stopped. This big attack was starting and we just stopped it.” ([39:01], Kindervag)
  - Pen testers frequently “couldn’t get in”, a sign of good policy, not just luck or technical barriers ([39:22–40:59], Kindervag).
7. Microsegmentation, Social Engineering, and Modern Threats
- Examples:
  - Massive breaches (e.g., Target, 2013) were failures of segmentation, policy, and incentives, not of a single technology ([24:49–25:46], Kindervag).
  - "Microsegmentation" (fine-grained network segmentation) is a core technical enabler of Zero Trust ([42:19], Kindervag).
  - Social engineering attacks (e.g., by Scattered Spider) succeed because compromised users have unnecessary or excessive access ([41:51], Kindervag).
    “There shouldn’t be a policy in place that allows Jim Love, who’s an IT manager, to have access to the financial database...” ([42:20], Kindervag)
8. AI, OT, and the Future
- AI + Zero Trust:
- AI will be a powerful tool for "monitor and maintain" (step five)—faster anomaly detection, better operational feedback ([46:05], Kindervag).
- Treat AI repositories as critical protect surfaces and define their policies accordingly; more things are unknown than known about AI ([46:33], Kindervag).
- Recommendation: George Schumann, “Rise of the Machines” for Zero Trust in the AI age ([46:36], Kindervag).
- As models proliferate, treat their security as immutable—open models are “out there in the world; they're not going back” ([49:19], Kindervag).
9. Leadership, Decision-Making & Commander's Intent
- Making Decisions:
  - Many organizations lack leaders willing to make decisions, paralyzed either by complexity or by a blame culture.
    “Making decisions takes courage. So you have to have the courage to analyze...and then have the courage to make that decision.” ([54:55], Kindervag)
  - “Commander's Intent”, borrowed from military doctrine, should inform cybersecurity: leaders set clear, actionable goals, not micromanaged tactics ([55:38–57:19], Kindervag).
10. Advice for Teams Starting (or Stuck) on Zero Trust
- Start Anywhere:
  - You don’t need prerequisites. Begin with small, unimportant systems and progress to critical ones: the “learn, practice, crown jewels” approach ([49:36–50:24], Kindervag).
- Persevere and Learn:
  - Don't get discouraged by early challenges; most give up too soon.
    “When they're in the military, they never give up. They learn from failure. They adapt, they overcome.” ([50:52], Kindervag)
Notable Quotes & Memorable Moments
- The Harsh Truth About Breaches:
  “If there is a data breach in your organization, you allowed it to happen. All bad things happen inside of an allow rule. ... You have bad policies in place and you allowed it to happen.”
  — John Kindervag ([00:02], repeated at [24:17])
- Zero Trust’s Core Ethos:
  “There should be no trust model. ... every interface and every packet should have the same trust level and that trust level should be zero.”
  — John Kindervag ([02:42])
- Why Zero Trust Is Often Done Poorly:
  “Zero Trust is like Fight Club. The first rule is you don’t talk about it, right? ... The people who do it well don’t talk about it.”
  — John Kindervag ([10:36])
- Danger > Risk:
  “We need to move from risk management to danger management ... The impossible happens all the time.”
  — John Kindervag ([17:30])
- The Antifragile Security Model:
  "We're building anti-fragile systems. We're going beyond resilience, which is the big buzzword ... anti-fragile systems respond to a stressor and adapt and get better and better."
  — John Kindervag ([36:12])
- On Leadership:
  “Making decisions takes courage. ... If you're not incentivized to allow that courage to come out, then you will make no decisions at all.”
  — John Kindervag ([54:55])
Timestamps for Important Segments
- History of Zero Trust & Firewall Policies: [01:59]–[03:56]
- Forrester Research and Academic Obstacles: [04:13]–[06:17]
- First Zero Trust Paper & “No More Chewy Centers”: [08:20]–[09:14]
- Protect Surface Concept: [10:45]–[13:11]
- Overemphasis on Availability/CIA Triangle: [14:27]–[15:56]
- Danger over Risk: [17:30]–[21:08]
- Maturity Model & Prioritizing Protect Surfaces: [21:39]–[23:33]
- Failure to Stop Target Breach—Cultural & Policy Lessons: [24:49]–[25:46]
- Five-Step Methodology in Depth: [32:41]–[37:39]
- Proving Success & Policy Failures in Pen Testing: [39:01]–[41:01]
- Social Engineering & Microsegmentation: [41:51]–[44:25]
- Applying Zero Trust to AI Systems: [46:05]–[48:09]
- Advice to Leaders on Starting/Fixing Zero Trust Programs: [49:36]–[50:24]
- Cultural, Psychological & Leadership Barriers: [50:33]–[55:38]
- Commander's Intent in Cybersecurity: [55:38]–[57:19]
- Zero Trust’s Enduring Applicability and Future: [57:32]–[59:06]
Conclusion
The conversation with John Kindervag is direct, myth-busting, sometimes provocative, but always practical. Zero Trust, far from being a product or marketing label, is a methodical approach centered on understanding and protecting what actually matters, through manageable and measurable means. The role of leadership—in both risking real decisions and creating a culture that enables adaptation and learning from failure—is paramount. As new threats like AI and advanced social engineering emerge, the core of Zero Trust remains unchanged: map what matters, know how it flows and interacts, set (and enforce) strong policies, and learn as you go.
Final advice: Start now, start small, practice, and never give up.
