Open Comments, hosted by The Open Group

Open Comments S2: Ep. 10 - Beyond Security and Zero Trust with John Linford

The Open Group Season 2 Episode 10

The ground under cybersecurity is always moving, but the smartest teams aren’t chasing shiny tools—they’re changing how they think. We sit down with John Linford, Forum Director of the Security Portfolio at The Open Group, to revisit zero trust, quantitative risk, and the education efforts that turn strategy into daily behavior. What’s different since we first decoded zero trust? A lot: AI is now a core variable on both sides of the fight, boards demand cyber risk in dollars, and supply chain assurance has become the backbone of resilience.

We unpack zero trust as a mindset shift that rejects quick-fix products and leans into continuous verification, least privilege, and measurable progress. John explains how organizations are adopting CRQ and The Open FAIR™ Body of Knowledge to translate likelihood and loss into language the board already understands, making security decisions comparable to finance and operations. We also talk about the rise of role-based security education, with new standards for security roles and glossaries that help every employee—from engineering to procurement—know what “secure” looks like in their day-to-day work.

From AI governance and data protection to SBOMs, secure-by-design practices, and trustworthy technology providers, we explore how open standards and reference models guide real-world implementation. You’ll hear where The Open Group is headed next: evolving the Zero Trust Reference Model, integrating security risk into enterprise risk management, and expanding the dependability framework that ties architecture and assurance together. If you care about scaling security without the hype, this conversation offers clear patterns, practical language, and concrete next steps.

Listen to the previous episode with John Linford from Season 1 (Episode 13, Decoding Security and Zero Trust).


Copyright © The Open Group 2023-2025. All rights reserved.

SPEAKER_00:

Welcome back to Open Comments with me, Ash. In today's episode, we'll be revisiting one of our most listened to conversations, episode 13, Decoding Security and Zero Trust, with John Linford, Director of the Security Portfolio at the Open Group.

SPEAKER_01:

Hello Ash.

SPEAKER_00:

Thank you for joining us again, John. How are you doing?

SPEAKER_01:

Doing well, and joining from our Houston Summit this year. What a great vibe, and what awesome productivity this week.

SPEAKER_00:

That's great. How have we found the summit so far?

SPEAKER_01:

Fantastic. Lots of good cross-conversations: chats with the Architecture Forum, the Healthcare Forum, some conversations with the Open Footprint Forum. OSDU had so much going on. Everybody's here to work. It's great.

SPEAKER_00:

Perfect. When we first spoke, John helped us unpack what zero trust really means and why quantitative risk analysis and continuous learning are vital for modern security. Since then, the threat landscape has continued to evolve, and so has the conversation. In this revisit episode, we'll explore what's changed, what's stayed the same, and what's next for the future of secure, trusted systems. Now, in the original episode, John, you emphasized the role of quantitative risk analysis, the shift towards zero trust, and the importance of ongoing learning. From your vantage point today, which of those focus areas has shifted the most and how?

SPEAKER_01:

Honestly, all of the areas have shifted. There's been good progress in the adoption and embracing of quantitative risk methodologies. Zero trust is definitely becoming more widespread. And of course, the importance of learning cannot be understated. Now, on the topic of zero trust, we're seeing more and more organizations moving from adoption to implementation. Really importantly, we're seeing that they're embracing zero trust as a mindset shift, a change to fundamentally how you think about security and how security integrates across your business. And we're seeing good movement away from the previous misconception that you could just buy a product, or a series of products, or work with a single vendor to get it done. So we're seeing really good progress in understanding that you can supplement what you have presently to move toward zero trust, which is still not an end state. You're still never going to be 100% secure. But with that zero trust shift, you can accept that and actually still progress to being more secure tomorrow than you are today. On the CRQ side, the cyber risk quantification side, we're seeing more and more organizations having conversations trying to quantify risk in dollars and cents, or pounds, or euros, or yen, or pick your currency. We're seeing more and more boards want to be able to have risk discussions in currency figures that they're already used to. And we're seeing this increased importance of risk globally now, especially in things like the EU cybersecurity and resilience acts. So we're seeing a growing acceptance around the world that you have to have these risk conversations. And if you're going to do them, you need to do them consistently. And quantitative approaches allow that to actually happen. On the education side, we're seeing more and more organizations actually implement and embrace educational programs.
More and more organizations are beginning to accept that security education is important no matter what job you're doing in the company. The Security Forum is really leaning into that, actually, with one of our newer projects in the forum, one of the new standards that we'll be releasing, which is around security roles and an accompanying glossary. Part of that standard is going to connect into what your security-related tasks are, whether you are in a security-specific role, whether you are in a role that really doesn't have any security-specific tasks but you still need to know something from a security point of view, or whether you're one of the lucky ones that has some security tasks, but a lot of what you do isn't actually directly for the security team. So yeah, we at the Security Forum are really leaning into that education aspect as well.

SPEAKER_00:

That's great. And since our initial conversation, what external factors, things like new regulations, changes in the threat landscape, industry consolidation, or even geopolitical shifts, have surprised you most in how they've reshaped cybersecurity strategies for the adoption of zero trust?

SPEAKER_01:

I mean, we can't talk about new trends and not mention AI. So we're hitting the buzzwords early. We're seeing more and more organizations using AI across just about everything that we do. So the importance of data security has made a comeback in a big way. Organizations need to know what data these AIs are accessing, how they're using it, where they're sending that data. And we're seeing threat actors, of course, being some of the earliest adopters of new technology like AI. So you can't, in good conscience, not think about AI as an organization when you know that the people attacking you are also going to be using it. One of the other really interesting ones, though, has been increased recognition of the importance of your supply chain. Since we last spoke, there have been a number of really big security breaches. And we've now got organizations looking back at who their business partners are, who their business partners' business partners are, and so on out to nth-tier sub-suppliers, and really starting to think about things like bills of materials, software and hardware bills of materials, so that you know what is going into your product, what you are purchasing and incorporating into your own IT stack, and the threats and the vulnerabilities that might be introduced at any point, from originally getting the materials out of the ground to you incorporating them or sending them on to your own customers. It's great to see that recognition, but that supply chain vector also has increasing sophistication in where those attacks might come in, how they might manifest, and how attackers might be able to move and advance. The positive spin, I suppose, of some of these large breaches (recently we've had the Jaguar Land Rover breach, we've had the attacks on Marks & Spencer)
is that the world is still on its toes and is even more desperate now for good security practices. So I suppose it's reassuring that people aren't, I guess, getting sick of wanting more security.

SPEAKER_00:

And reflecting on your own journey, in what ways has your role or perspective on security and zero trust evolved over time?

SPEAKER_01:

I guess I'll go back to that previous point. Organizations want security. They want to understand how they can better integrate security. Security teams are still lacking resources. They still don't have the funding, the time that they want or really need to be able to do their jobs as well as they can. There's still this misconception that when a security breach happens, it is solely the security team's fault, when, as we said at the beginning, security is part of everyone's job. To get security right, you've got to have everybody on board and working together. So my perspective on that hasn't necessarily changed, but we have seen more acceptance of the fact that security is part of everybody's job. Security is a team sport, whether you think you have a security-touching role or not. You can still be the reason that a threat actor gets in and gets your data, gets your customers' personal information. Or if you're one of the lucky few working in critical infrastructure, it could cause massive implications, even national security concerns. So on that, it's been good to see that being embraced and accepted. One of the other areas, though, that's really expanded my perspective has been our Assured Dependability Work Group, and the work that is going on in that work group to bring together The Open Group TOGAF Standard, which of course is well known all over the world, with hundreds of thousands of implementers and adopters, using the TOGAF ADM to bring a security aspect into your architecture design early on, and now, excitingly, bringing a customer-centric point of view into that approach and methodology. That new work has been really eye-opening in seeing how we can facilitate better collaboration in The Open Group and bring together professionals that may otherwise not have been able to interact, or wouldn't have known about each other in the same organization.
And then, finally, I mentioned supply chain before, but just the increasing importance of modern supply chain security: working with vendors and suppliers that have advanced supply chain security practices in place, preferably those that have supported the Open Trusted Technology Provider Standard and Certification Program from the Open Trusted Technology Forum. Just seeing this global acceptance and acknowledgement that the threat landscape is even more complicated than we thought just a few years ago.

SPEAKER_00:

And switching gears to advice and insight, with the benefit of hindsight, what's one piece of advice you'd now give to a younger version of yourself, someone just beginning to engage in cybersecurity, risk analysis, or zero trust? What would that advice be?

SPEAKER_01:

Stick with it, keep at it. We don't have enough security professionals, full stop. So if you stick with it, if you stay hungry and interested in learning, there's going to be a spot for you. You might not know exactly what it's going to look like, you don't know how it's going to evolve or progress, but that's one of the reasons the security industry is so interesting. It changes every day. Otherwise, continue advocacy. If you're interested in the security space and you think it needs to be more important, don't be afraid to go have those conversations. Talk to the businesses, the organizations, the vendors, the customers, and continue to advocate for improving their own security as well. And then one that's been part of my mindset my whole life, really, but is definitely relevant to a younger version of myself, is don't be afraid to be the one who asks dumb or naive questions. Lean on the experts, learn from the experts, respect everything that the experts are doing, but question the base assumptions. Being the person who comes in and asks "why are we doing it like this?", and not accepting that it is because we have always done it like this, is one of the best ways that you can learn more about the thought process for how we got to where we are today, and improve past that, or completely pivot our approach to something better.

SPEAKER_00:

Perfect. And as we look forward to 2026 and beyond, what are you most excited about within the forum?

SPEAKER_01:

Oh gosh, there's so much going on across the Security Forum, the Open Trusted Technology Forum, and the Assured Dependability Work Group. In the Security Forum, it's going to be the publication and continued evolution of our new security roles and glossary standard. The first snapshots of the first four parts of that document series should be coming out any day now, if they're not already released when this podcast goes live. We've got more work, more content already in the works for that standard. And we're really looking forward to seeing how we can work with organizations like NIST and their National Institute for Cybersecurity Education to continue to advance this field. We're hard at work on the next version of the Zero Trust Reference Model, continuing to evolve that and the supporting guidance we have planned around it, really building out the capabilities and architectural building blocks that we already have within it. We have a new project going on integrating security risk with broader enterprise risk management practices. So, again, bringing that quantitative aspect in, leaning on it, and getting security a seat with the rest of the risks that the organization already deals with and is good at dealing with, really ensuring that organizations have a holistic view of all of the risks they're having to deal with. And then, of course, on the risk side, the continuing evolution of our Open FAIR Standard and the Body of Knowledge: looking at how we're incorporating that CRQ aspect into threat modeling guidance, continuing to build out our mathematics guide, and getting more into how those calculations actually work and can be applied more broadly. We are hard at work on some translations of some of our forum content as well, which is really cool.
Being able to get our content into the native languages of so many other practitioners outside of just the English-speaking countries is going to be huge for advancing uptake and adoption of our content. On the Open Trusted Technology Forum side, we're hard at work on some really big changes to that standard. We're going far beyond the current scope, which is focused on mitigating maliciously tainted and counterfeit products from entering your supply chain. We're starting to look at other areas to ensure that the products you're delivering, selling to your customers and to your downstream vendors, are secure in and of themselves as well, embracing things like secure-by-design and secure-by-default practices. But then also looking at just some general good supply chain practices to ensure you're able to deliver the products that you're developing when and how and where you say you're going to deliver them, regardless of geopolitical complications, regardless of single-source or sole-source considerations in your sub-suppliers and sub-sub-suppliers, and really bringing all of that together so that when an organization has one of those certifications for their product, you know that you can trust the products that you are buying or integrating into what you're selling. And then last, but by no means least, getting out the next version of our Open Dependability through Assuredness framework from our Assured Dependability Work Group, and really seeing just how far that standard can go to bring together not just the Security Portfolio, so the Security Forum, the Open Trusted Technology Forum, and the Assured Dependability Work Group, but now also bringing in our Architecture Forum, and seeing where else in The Open Group the standard might be really valuable and applicable to improve their design considerations.

SPEAKER_00:

Thank you so much, John. It's always a pleasure having you back on Open Comments. Thank you for sharing your insights and helping us see how far the conversation around zero trust and security has come and where it's heading next. For our listeners, you can revisit our original conversation, episode 13, Decoding Security and Zero Trust on BuzzSprout or wherever you get your podcasts. If you enjoyed this episode, please subscribe, share, and join us again for more open conversations that shape the future of enterprise and technology. Stay safe and happy listening. Until next time, I'm Ash, and this has been Open Comments.