BylinesGovernance & ComplianceIdentity & Access

Fifteen Years Later, Zero Trust Is Still About One Thing: Good Policy

Because Cybersecurity Isn't a Technology Problem But Rather a Policy Issue

When I first started talking about Zero Trust, people told me I was insane.

Seriously. I was called a “nutter.” Told it would never work. That no one in their right mind would adopt a model that challenged the core assumption networks were built on: trust.

But I couldn’t let the idea go. Not because I set out to start a movement—I didn’t. I just thought the existing firewall policies were dumb.

Back then, I worked with firewalls that automatically assigned trust to interfaces. If traffic was coming from the “trusted” side of the network, it was allowed. No rules needed. I was a penetration tester at the time, and I knew how dangerous that was. And when I said we shouldn’t trust networks by default, I faced pushback from my client, my company, and even the firewall vendor.

But I kept asking the question: Why were we building digital infrastructure on something as vague and meaningless as “trust”?

That question became the seed of Zero Trust. And years later, the industry—from Singapore to Sydney, Tokyo to Mumbai—is still catching up.

Good Cybersecurity Is Good Policy

One of the biggest misconceptions I still see today is that cybersecurity is a technology problem. It’s not. It’s a policy problem.

People assume the hard part is finding the right tools, but in reality, most cybersecurity incidents stem from bad policy. I like to say, “All bad things happen inside an Allow Rule.” Technologies like firewalls or endpoint protection are there to enforce policy. If the policy is wrong, no tool will save you.

The security graph, a concept that’s been around for over 15 years but is still new to many, is a powerful example. It stores data about assets and traffic in a non-linear way, unlike traditional, linear rule bases. This difference matters a lot when you’re trying to build, manage, or troubleshoot policy.

I once spoke with the CSO of a major bank about his first day on the job. He was asked to approve a firewall rule change but wasn’t sure what to do. So, he looked at the existing policy. The first rule? “Any-any allow.” Literally: allow all traffic from any source to any destination. Their multi-million-pound firewall was doing absolutely nothing. No one knew.

That’s the danger of linear policy engines; there’s no context, no visibility. You’re just hoping the right rule kicks in. But with a graph-based policy model, you can visualise what’s happening: what traffic is being allowed, what’s being blocked, and what needs attention.

One of our clients in Asia recently told me, “Why can’t everyone just use Illumio’s policy engine?” And honestly, I ask myself that sometimes too.

Because at the end of the day, if something bad happens inside an organisation, it’s not just a technical failure — it’s a policy failure. Something was allowed when it shouldn’t have been.

Visibility Is Everything

If Zero Trust seems like it suddenly exploded recently, it didn’t. You’re just now seeing the tip of the iceberg.
It was already taking hold quietly, especially in government circles, after breaches like Target in 2013 and the U.S. Office of Personnel Management in 2015. But companies didn’t want to admit they were adopting it.

I’d ask to do a case study, and their PR teams would say, “We can’t let people know we’re doing Zero Trust. It makes us look vulnerable.”

Then came President Biden’s 2021 executive order mandating Zero Trust for all U.S. federal agencies. Overnight, a quiet movement became a national priority.

And for me, that was a turning point. Zero Trust wasn’t just a technical concept anymore; it became public policy.
Asia-Pacific governments and organisations, too, are beginning to follow suit — from data localisation rules to increased regulatory focus on digital resilience. Zero Trust is becoming the logical foundation.

Zero Trust Is a Strategy, Not a Shopping List

Too many organisations get lost in frameworks and buzzwords. They hear about pillars and reference models and think they need to buy a new tool for each one.
That’s not how this works.

I always come back to the five-step model, documented in the NSTAC report and built into many government guides today:

  1. Define the protect surface.

  2. Map the traffic.

  3. Build a Zero Trust architecture.

  4. Create policy.

  5. Monitor and maintain.

It’s not about doing identity first, then devices, then apps. It’s not a maturity journey. You break it into protected surfaces—small, high-value areas of the business—and build from there.

Ask the right first question: What are we protecting?

Leadership Makes or Breaks Zero Trust

I’ve had CISOs tell me, “We’ll never do Zero Trust here.” And then the CEO gets on board, and suddenly it’s happening.

Everything changes with leadership.

Cybersecurity isn’t a quarterly line item; it’s operational DNA. It’s the thing that keeps the business alive. If the system goes down, the bank doesn’t open. The supply chain halts. The hospital cancels surgeries.

And yet so many organisations across APAC still treat it like a tactical decision. It’s not. Zero Trust works when leadership sees it as strategic, not reactive.

Zero Trust Isn’t Trendy, It’s Necessary

I’ve been shouting this for nearly 20 years: trust is not a security concept. It’s a human emotion. And in cybersecurity, it has no place.

What we’re building is not just about compliance. It’s not about chasing the latest breach. It’s about building something resilient; something that can withstand failure, compromise, and complexity.

That’s what Zero Trust really is: operational anti-fragility, by design.

If we want to stop reacting and start protecting what really matters, we have to treat cybersecurity as a policy problem first.

Technology doesn’t solve policy failures. Good policy does.

And that’s what Zero Trust has always been about.

John Kindervag

Chief Evangelist at Illumio | John is considered one of the world’s foremost cybersecurity experts. With over 25 years of experience as a practitioner and industry analyst, he is best known for creating the revolutionary Zero Trust Model of Cybersecurity. As Chief Evangelist at Illumio, John Kindervag is responsible for accelerating awareness and adoption of Zero Trust Segmentation.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *