7 Practical Tips for CISOs Building Zero Trust from Netskope CISO Neil Thacker
As we wrap up Season 2 of The Segment: A Zero Trust Leadership Podcast, it's exciting to look back at the conversations I’ve had with some of the industry’s leading experts. Each has provided a unique perspective on how organizations can adapt to today's ever-changing threat landscape.
For this final episode, I had the privilege of sitting with Neil Thacker, EMEA chief information security officer (CISO) at Netskope. Neil offers a wealth of experience on how to build a resilient Zero Trust framework. During our discussion, he shared seven tips that can help security leaders and CISOs navigate the road to Zero Trust.
1. Look beyond the traditional perimeter
Neil started out in the cybersecurity industry in the 1990s working on a service desk helping people connect securely to the internet. He quickly moved into technical and consultant roles before transitioning to executive leadership.
Neil recalled the early days of his career when securing the perimeter was the focus of every security team. Back then, the goal was to protect the organization's network and assets from external threats.
But times have changed. Today, relying on such a perimeter gives a false sense of security.
“The perimeter has dissolved,” Neil said. “We saw this happening even before we called it cloud. Organizations were moving data and operations to external servers, and securing those connections became more important than ever.”
Today, in a world where employees work remotely and data is scattered across hybrid, multi-cloud environments, the idea of a traditional network perimeter is outdated. This new way of networking has increased complexity, and with it has come an exponential increase in breaches and ransomware attacks.
Neil said CISOs should embrace this new reality by shifting focus from defending fixed boundaries to securing access points wherever they are. Don’t just lock the doors of the network — lock every device, every app, and every traffic flow that isn’t necessary for the business. The sooner your team embraces the borderless world, the sooner you’ll be ready for modern cyber threats.
2. Make risk management your north star
Rather than spreading your resources thin, Neil emphasized focusing on risk. In today’s threat landscape, protecting everything equally is not only impractical — it’s impossible. The key is to understand what matters most to your organization.
“In a perfect world, you can protect all the data your organization transacts with on a daily basis. But that’s not realistic,” he said. “It’s all about risk prioritization. Where are your biggest risks coming from?”
According to Neil, the most successful security strategies zero in on critical assets and high-risk areas. He encouraged CISOs to ask tough questions: What data is most critical to the business? What happens if you lose access to it? What’s the financial or reputational impact? These answers should drive security efforts.
3. Don't let your Zero Trust strategy focus solely on identity
While verifying users’ identities is crucial, a Zero Trust approach should go much further, explained Neil. He warned against placing too much emphasis on identity alone, which he thinks many CISOs tend to do.
Instead, Neil suggested a broader view that incorporates signals such as device posture, location, and activity patterns.
“Identity is just one part of the equation,” he explained. “You also need to consider the device, the location, and the context behind the access request.”
To enhance your Zero Trust model, he recommended taking a multi-layered approach. Ensure your security decisions are based on multiple signals, rather than just identity. A device’s health, location, and the sensitivity of the data being accessed are all equally important in determining whether to grant access.
4. Let security follow the data
Neil insisted that data should always remain the priority in any Zero Trust model. With users, devices, and applications connecting from everywhere, security must follow the data. This ensures it’s protected no matter where it goes.
“You can’t rely on just securing the network anymore,” Neil said. “You need to protect the data wherever it travels.” This means applying security controls that move with the data across all environments.
It’s not just about monitoring who accesses the data but how that data is used and where it flows. Data-centric security ensures that no matter where your data ends up — whether in the cloud, on an endpoint, or in a partner’s network — it’s covered by consistent security policies.
5. Consolidate your security stack for efficiency
Neil believes a key challenge for many CISOs isn’t just about defending against threats but about managing complexity. Too many security tools can create more headaches than solutions. Neil advised security leaders to streamline their security stacks by consolidating tools where possible.
“There’s a sweet spot when it comes to the number of security tools,” he noted. “If you can get your stack down to under 10, you’re in a much more manageable place.”
Juggling dozens of systems can lead to gaps in visibility and security or overlapping functionality. Neil emphasized integrating fewer, more effective tools that do more in a single platform. By simplifying your stack, you’ll reduce complexity, save costs, and have a clearer picture of your organization’s security posture.
6. Add time to your security calculations
Neil believes an often-overlooked aspect of Zero Trust is time. Understanding when data is accessed can be just as important as understanding who is accessing it.
“When you're building out Zero Trust, you want to consider time because data has its own life cycle,” he explained.
Neil used the example of mergers and acquisitions (M&A) activities, which make some data assets highly confidential for a certain period of time. After that point, the data is no longer as confidential.
“Understanding how time affects data and its security needs must be part of your Zero Trust strategy considerations,” he said.
In other words, consider time as another security signal. For example, set controls that block sensitive data from being accessed after hours, or flag access requests that fall outside typical usage patterns. Time-based anomalies can be a strong indicator of malicious activity or a compromised account.
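The multi-signal decision from tip 3 and the time signal from this tip can be combined in one policy check. The sketch below is an added example, not code from the podcast or from Netskope; every name, the business hours, the country list and the sample asset are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Constructed policy values (assumptions, not from the page). Datetimes are naive local time.
BUSINESS_HOURS = (time(8, 0), time(18, 0))
TRUSTED_COUNTRIES = {"GB", "DE"}

@dataclass
class DataAsset:
    name: str
    base_sensitivity: str                       # "low" or "high"
    confidential_until: Optional[datetime] = None  # e.g. an M&A announcement date

    def sensitivity_at(self, when: datetime) -> str:
        # Data has a life cycle: treat it as high until the embargo date passes.
        if self.confidential_until and when < self.confidential_until:
            return "high"
        return self.base_sensitivity

@dataclass
class AccessRequest:
    identity_verified: bool
    device_healthy: bool
    country: str
    when: datetime
    usual_hours: range                          # hours of day this user normally works

# Constructed sample asset: confidential only until 1 June 2025.
MERGER_PLAN = DataAsset("merger-plan", "low", datetime(2025, 6, 1))

def decide(req: AccessRequest, asset: DataAsset):
    """Return (decision, reasons); decision is 'allow', 'flag' or 'deny'."""
    if not req.identity_verified:
        return "deny", ["identity not verified"]
    sensitivity = asset.sensitivity_at(req.when)
    deny, flag = [], []
    if not req.device_healthy:
        (deny if sensitivity == "high" else flag).append("unhealthy device")
    if req.country not in TRUSTED_COUNTRIES:
        (deny if sensitivity == "high" else flag).append("unexpected location")
    in_hours = BUSINESS_HOURS[0] <= req.when.time() < BUSINESS_HOURS[1]
    if sensitivity == "high" and not in_hours:
        deny.append("sensitive data after hours")
    if req.when.hour not in req.usual_hours:
        flag.append("outside typical usage pattern")
    if deny:
        return "deny", deny + flag
    return ("flag", flag) if flag else ("allow", [])
```

The same late-night request is denied while the asset is still under embargo and only flagged once the embargo date has passed, which is the time dependence Neil describes.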
7. Align Zero Trust with business goals
A Zero Trust strategy must serve the business — not just the IT department. Neil highlighted the importance of communicating with business leaders in their language. This means focusing on how security supports growth and business continuity, not just the technical details of your security plan.
“I've seen value in having discussions that focus less on the technical side,” Neil mentioned. “For the board, it’s not about how many systems we patch or how many incidents we’ve had. It was ultimately about how we’re supporting the business and helping the business move forward.”
When presenting Zero Trust strategies to the board or executives, frame it in terms of business value. How will Zero Trust protect key revenue streams? How will it secure intellectual property and customer data? By aligning your security efforts with business priorities, you’ll get the buy-in from leadership that you need to successfully build Zero Trust across the company.
Listen, subscribe, and review The Segment: A Zero Trust Leadership Podcast
As Neil’s experience building Zero Trust at Netskope shows, Zero Trust isn’t a “set it and forget it” approach. It’s a mindset and a continuous process of learning, improving, and scaling.
Want to learn more? Listen to the full episode on our website, Apple Podcasts, Spotify, or wherever you get your podcasts. You can also read the full transcript of the episode.