John Kindervag Shares Zero Trust's Origin Story
We’re back with another season of The Segment: A Zero Trust Leadership podcast! Our first season, which featured industry heavy-hitters like former Forrester Analyst Chase Cunningham, Southern Methodist University CSO and best-selling author George Finney, and Microsoft’s Corporate VP of Security Business Development Ann Johnson, landed us in the top 15% of all podcasts and won us a 2023 MarCom Gold award for best industry-focused podcast series.
We’re so proud of how our first go at podcasting turned out. And we owe it all to listeners (and readers) like you!
Back by popular demand, we’re proud to kick off our second season with even more Zero Trust anecdotes and cybersecurity perspectives from a lineup of some of the industry’s foremost CISOs, CTOs, and cyber architects.
To start us off, I sat down with the Godfather of Zero Trust himself and Illumio’s Chief Evangelist, John Kindervag. In this recap of our conversation, learn how John’s idea of Zero Trust originated, his early research into Zero Trust best practices, and his advice for organizations on their Zero Trust journey.
About John Kindervag: The creator of Zero Trust
John’s a man who needs no introduction in the world of Zero Trust. However, for those unfamiliar, here’s a quick look at his impressive and rather expansive resume.
With over 25 years of experience as a practitioner and industry analyst, John Kindervag is considered one of the world’s foremost cybersecurity experts, best known for creating the revolutionary Zero Trust Model of cybersecurity while at Forrester Research over a decade ago.
In 2021, John was named to the U.S. President’s National Security Telecommunications Advisory Committee (NSTAC) Zero Trust Sub-Committee and was a primary author of the NSTAC Zero Trust report that was delivered to the President. That same year, he was named CISO Magazine’s Cybersecurity Person of the Year.
Today, as Chief Evangelist at Illumio, John is responsible for accelerating awareness and driving adoption of Zero Trust Segmentation across industries.
How did Zero Trust get its start?
For John, the entire Zero Trust framework stems from pushing back against the traditional Trust model that was built into firewall technology from its earliest days: interfaces were assigned trust levels, and traffic moving from a more-trusted interface to a less-trusted one was permitted without any explicit policy.
Like John says, “Starting the process of installing firewalls really led to Zero Trust because in firewall technology, there was a concept of a Trust model where the Internet was on the untrusted interface and the interface going to the internal network was trusted. And because of that trust relationship, you didn't need a policy statement to move traffic from the internal or trusted network into the external or untrusted network.”
John saw this and thought: “This is insane! People are going to exfiltrate data out of here. And [organizations] said, ‘No, they won't. You can't....’ And I said all trust interfaces, all interfaces should have the same trust and it should be zero. And that's really where Zero Trust comes from. It’s just a pushback against how we were building firewalls which affected policy and there was no reason for it.”
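The two models John contrasts can be made concrete with a small policy evaluator. This is an added illustration written for this recap, not code from Illumio or from the podcast; the interface names, trust levels, rules and flows are all constructed. The legacy model assigns a trust level to each interface and lets traffic from a higher-trust interface to a lower-trust one through with no rule at all, so an unexpected outbound connection from the internal network is allowed by default. The Zero Trust model gives every interface the same trust level, zero, so the same flow is denied unless a policy statement explicitly allows it.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """A connection attempt seen by the firewall (constructed example)."""
    src_iface: str
    dst_iface: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """An explicit policy statement; dst_port None matches any port."""
    src_iface: str
    dst_iface: str
    dst_port: Optional[int]
    action: str  # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (self.src_iface == flow.src_iface
                and self.dst_iface == flow.dst_iface
                and (self.dst_port is None or self.dst_port == flow.dst_port))


# Legacy perimeter model (assumed values): the internal interface is
# "trusted", the Internet-facing interface is "untrusted".
TRUST_LEVEL = {"inside": 100, "outside": 0}


def first_match(flow: Flow, rules: list) -> Optional[str]:
    """Return the action of the first explicit rule matching the flow, if any."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return None


def legacy_decision(flow: Flow, rules: list) -> str:
    """Legacy model: explicit rules first; otherwise traffic from a
    higher-trust interface to a lower-trust one is implicitly allowed,
    which is exactly the gap John describes."""
    explicit = first_match(flow, rules)
    if explicit is not None:
        return explicit
    if TRUST_LEVEL[flow.src_iface] > TRUST_LEVEL[flow.dst_iface]:
        return "allow"
    return "deny"


def zero_trust_decision(flow: Flow, rules: list) -> str:
    """Zero Trust model: every interface has trust level zero, so nothing
    passes without an explicit allow rule."""
    return first_match(flow, rules) or "deny"


# Constructed policy: outbound HTTPS is explicitly allowed, inbound is
# explicitly denied. Nothing is said about other outbound ports.
RULES = [
    Rule("inside", "outside", 443, "allow"),
    Rule("outside", "inside", None, "deny"),
]

# Constructed sample flows, including an outbound connection on a port
# the policy never mentioned (the kind of flow that carries data out).
FLOWS = {
    "web_browsing": Flow("inside", "outside", 443),
    "unexpected_outbound": Flow("inside", "outside", 4444),
    "inbound_ssh": Flow("outside", "inside", 22),
}


def compare(flows: dict = FLOWS, rules: list = RULES) -> dict:
    """Evaluate each flow under both models and return the decisions."""
    return {
        name: {
            "legacy": legacy_decision(flow, rules),
            "zero_trust": zero_trust_decision(flow, rules),
        }
        for name, flow in flows.items()
    }


if __name__ == "__main__":
    for name, decision in compare().items():
        print(f"{name:20s} legacy={decision['legacy']:5s} "
              f"zero_trust={decision['zero_trust']}")
```

Running it shows the point of the origin story in three lines: both models allow the permitted HTTPS flow and deny the inbound connection, but only the legacy model allows the unexpected outbound flow, because the trust relationship between interfaces substitutes for a policy decision. Under Zero Trust the same flow is denied until someone writes a rule for it, which is what forces the policy conversation to happen.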
In that same vein, Zero Trust essentially stems from challenging popular belief at the time. John saw that there was a way to do cybersecurity better than the status quo. As John says, “You need to validate the things that everybody's saying and see if they're true. I was the only person asking, ‘What's the definition of Trust?’ and that's a really hard thing to define.”
Zero Trust experimentation and research
Despite having created one of the industry’s most notable frameworks, John brings so much humility to our conversation. I asked him if he ever expected Zero Trust to take off in the way that it did.
His response? “My expectation was pretty low. I think you realize in that role [as an analyst], you're just trying to get an idea out there that maybe will percolate. I didn't think that this Zero Trust stuff was going to take off the way it did. It certainly wasn't catching on fire early on, but then... I realized, wow, there's more people reading this and listening to this and now wanting to talk about it than I realized.”
The slower uptick upfront also afforded him more time to experiment with and refine the framework. “I liked that the uptick was slow because for a while I was the only person doing it. So I got to make all the mistakes myself and then write about those mistakes and tell you what they were going to be so you don't have to do them [yourself]. And I thought that was a valuable thing for someone in my position to do,” Kindervag explained.
The biggest Zero Trust mistakes
One of my favorite questions to ask our guests is, “What do organizations get wrong on their Zero Trust journeys?”
According to John, “The biggest mistake that I saw was to go too big, too fast. Everybody is now trying to do it all at once for their entire organization.”
Additionally, John shared, people can make the concept of Zero Trust sound more daunting than it is, which can lead to slower (and ultimately less successful) adoption.
“I think a lot of people make it sound more difficult than it is and make it more complex,” John said. “It's very simple, right? There are four design principles and there's a five-step model to do it... It's designed to be very, very simple....”
John’s biggest advice for naysayers? “Just go out and do it... This is experiential. Our whole business is experiential.”
The more organizations can put one foot in front of the other when advancing on their Zero Trust objectives, the farther along they’ll be on their cyber resilience journey.
Listen, subscribe, and review The Segment: A Zero Trust Podcast
Want to hear my full discussion with John? Listen to this week’s episode on Apple Podcasts, Spotify, or wherever you get your podcasts. You can also read a full transcript of the episode.
We’ll be back with more Zero Trust insights soon!