Between Fires and Futures: Real Conversations for Tech Leaders Navigating What’s Now—and What’s Next

The Zero Trust Illusion: Why Most Organizations Aren’t There Yet with Scott Alldridge

Tonya Turrell


If your organization believes it has “implemented zero trust” but things still feel uncertain beneath the surface, this episode challenges that assumption and reveals why cybersecurity gaps are often rooted in discipline, not tools.

In this conversation, Tonya sits down with Scott Alldridge to unpack what he calls the “zero trust illusion” and why most organizations overestimate their cybersecurity maturity. They break down how breaches often stem from internal gaps, not just external attacks, and why zero trust is a philosophy that must span multiple layers, not a single product or quick fix. 

Scott also shares the highest-leverage actions leaders can take right now, from validating backup and recovery systems to implementing real-time threat monitoring. This conversation reframes cybersecurity as an operational discipline that protects revenue, reduces risk, and ensures long-term business continuity. 


In this episode, they explore:

  •  Why IT failures and security breaches often start with unapproved or unmanaged change 
  •  The “zero trust illusion” and why most implementations are incomplete 
  •  What zero trust actually requires across seven layers of security 
  •  Why buying a tool does not equal building a cybersecurity strategy 
  •  The hidden risks of identity gaps, privilege creep, and shadow IT 
  •  Why microsegmentation is critical and often overlooked 
  •  The real-world consequences of small security gaps becoming major breaches 
  •  Why cybersecurity is still treated as a cost center and how that mindset creates risk 
  •  The truth about cyber insurance claims and why many are denied 
  •  How leadership decisions directly impact cybersecurity posture 
  •  The role of operational discipline in preventing and containing breaches 
  •  The two highest-leverage actions organizations should take immediately


Important Links:

https://app.technologymatch.com/solutions/zero-trust-microsegmentation

A complimentary e-copy of his Amazon Best Seller VisibleOps Cybersecurity. Text your email address with the words “secure 2026” to 541-359-1269 OR go to https://scottalldridge.com/ and fill out the contact form, noting “secure 2026."

Up to three no-cost Level One penetration tests/scans (for qualified organizations - $2,500 to $10,000 in value). Text your email address with the words “pen test” to 541-359-1269.

SPEAKER_01

Welcome to Between Fires and Futures, a podcast about the real work of tech leadership: managing today's chaos while building tomorrow's business. I'm Tonya Turrell, a three-time founder with two successful exits, and the founder and CEO of TechnologyMatch.com. Each week, in this podcast, I talk with the leaders doing the real work: solving for now, building for what's next, and leading through pressure, not perfection. This is the podcast for tech leaders fighting fires today and daring to build the future anyway. Hi everyone, welcome back to Between Fires and Futures. I'm your host, Tonya Turrell, and today we're talking about one of the most talked-about and most misunderstood strategies in cybersecurity: zero trust. It's everywhere. Vendors claim it, boards reference it, organizations say they've implemented it, but have they, really? My guest today is Scott Alldridge, CEO of IP Services and president of the IT Process Institute. With more than 30 years of experience in IT management and cybersecurity, Scott has helped organizations navigate some of the most complex technical and regulatory environments operating today. From NIST and CMMC to HIPAA and ISO frameworks, his work focuses on strengthening resilience without compromising business performance. Scott is also the co-author of the internationally recognized Visible Ops series, with hundreds of thousands of copies sold worldwide, and the author of Visible Ops Cybersecurity, an Amazon bestseller. His approach is rooted in people, process, and technology. And his core belief is simple: cybersecurity failure is rarely about tools. It's about discipline. Today we're unpacking what he calls the zero trust illusion, why most organizations believe they're further along than they actually are, and what real operational discipline looks like in practice. Scott, welcome to the show.

SPEAKER_00

Happy to be here. Thanks for having me.

SPEAKER_01

Yeah, I'm excited to dive into this because this is a topic that our audience is always very, very interested in. And I feel like there's never enough information. So really excited to dig into this today. So I know you said nearly 70% of IT failure ties back to unapproved or untested change. Why does change management sit at the heart of cybersecurity?

SPEAKER_00

Yeah, thanks for that question. And also I'd like to say I've become a fan of the podcast. I've been listening, so it's been great. So for those of you that don't regularly follow, like, or give five stars, I think it's worth that. Just wanted to give a plug for you. I think it's great what you guys are doing. I appreciate the topics and information. So yeah, I think back when we originally did the research around the Visible Ops book in the mid-2000s, there were several studies that had come out that 70 to 80% of all IT failure was correlated to some unapproved, unauthorized, untested change. So the working thesis became pretty simple: let's do a really good job at managing change and we're going to knock a home run out of availability. And there's also a whole bunch of other great, you know, benefactors or features that come out of proper change management. In other words, you have less rework or less firefighting, you know, responding to things that change, fixing them; user satisfaction goes up. There's just a lot of really good benefits that come out of that. Interestingly enough, as we think about doing proper change management, you really can't do it unless you really know what you have. You can't control what you can't measure, as we say sometimes. So you've got to understand your configurations, that they're in a working, well-known, good, secure state. And then with that, you can then electrify the fence, as we talked about in the original book, and really lock it down and then vet it through proper change. And then you also need to have good release management practices. So without getting into a bunch of details, there are some basic kinds of things that you follow with good change management that organizations should. We do it kind of in the context of the parlance of ITIL, the IT Infrastructure Library. So do we classify change? Do we have forward schedules of change? You know, we have change advisory boards, CABs.
So that's kind of the original foundational proven best practice that was in, you know, original IT management thinking. As it relates to IT security, though, some people don't understand that there really is a correlation. And in my latest book, Visible Ops Cybersecurity, that was released, I use a quip in there that says no security breach ever happens without a change or a need for a change. So interestingly enough, either somebody's brute forced into some vulnerability that exists, right? They're gonna hack in, they're gonna, you know, go after passwords or run different algorithms against it, and they're gonna break in. Ultimately, they'll have to make some change in order to garner access. And then the other way is they can socially engineer, phish somebody, convince them to make a change, and then that gives them, you know, access to systems, data, whatever it is that you're trying to protect in the IT system. So this is a lot of what the threat actors do out there. They really are essentially initiating some form of a change. So back to the basics. We still care in cybersecurity, as we do in IT best practices; we care a lot about change management. If we know something's in a well-known, you know, working, secure state as a configuration, and we're able to monitor the integrity of that, we know that no changes are happening and we're going to stay in a secure, safe state. So that's kind of how, you know, change management is still very much at the forefront. It really covers both your ongoing IT operational, you know, kung fu, as we call it sometimes, really good practices to drive high availability and all the good things that come from that I explained earlier, but then also keeping your, you know, network systems and data secure. Managing change is still a very foundational, critical best practice.

SPEAKER_01

Yeah, that completely makes sense. And when I was researching for this episode, I came across IBM's latest breach report, which showed that three-quarters of breaches still involve human error. So when you say change discipline is the root issue, that just lines up with everything that I was researching in preparation for this. And, you know, I think it's interesting because most breaches get framed as, or thought about as, external attacks. But what you're saying is that the vulnerability really starts internally. It's not just a hacker problem, it's a discipline problem.

SPEAKER_00

Yeah, exactly. And you know, those foundational disciplines, you know, around your you know, change management. Again, you can't just do change without having good configuration management. And you really can't have good configuration management and change management without good release practices. So we think about DevOps kind of before DevOps was cool and how it might still kind of relate, you know, doing high rates of change that are very successful and keeping and moving from one proven, known, secure integral state to the next state. That's the way that you provide continual, you know, security around your systems, as well as all the other benefits of managing change effectively.

SPEAKER_01

Yeah, yeah, makes complete sense. I want to get into zero trust too, because this is a word that we have heard thrown around the last several years. And, you know, it's definitely something that my team struggles with when they're talking to IT leaders, because it's almost like there's no real, true, agreed-upon definition, although there is an official definition. That's not what's actually happening out in the world. And so, you know, I want to get into this a little bit. When organizations say they've implemented zero trust, what do they really mean? What do they usually mean? And where does that perception break down?

SPEAKER_00

Yeah, I mean, like anything that happens sometimes in the world of IT over the last 25 years, there are bandwagons, buzzwords, right? You know, the new shiny toy effect. Vendors are out there really pushing some terminology and often misrepresenting it, quite frankly, not always in a nefarious way, but they're just trying to sell and market, and they create a lot of confusion in the place. And we're seeing that with zero trust. There are organizations out there talking about, you know, buy our tool, it's essentially zero trust in a box. And if you hear that kind of stuff, you know, you need to run, because that's just not true. It's not possible. Like any really good framework or methodology of managing systems, it really is the layers. You're using a methodology that is addressing holistically all the layers, and a philosophy. Zero trust is kind of what it says: don't trust anything. Zero trust, least privilege. And a lot of us are familiar with least privilege, back to even deploying software applications like an accounting system. You don't, you know, in your accounting department, give everybody access to every module, right? Those that are in payroll only get access to payroll. Those that might be in accounts payable, they don't get to the general ledger and they don't get to payroll. This is a least privilege way of thinking. Sometimes I refer to it like the hotel example. You know, you pull up, you're already being watched on camera because you're not really trusted. We don't know who you are. Are you a guest? Are you a visitor? Are you not? You walk in the lobby, you might even see a physical security guard standing there, but you're certainly on camera being watched. You go to the front counter because you're supposed to check in immediately. That's what they're watching you for. You show identification, you verify your identity. They say, great, this is you. They assign you a room with a key card.
That key card lets you into your room, not other guest rooms. You might be able to get in the exercise room or a lounge, but you can't go in the back office room behind the reception counter or the hotel clerk desk counter. You can't go into the maintenance rooms, right? There are controls the whole time you're there, for a period of time. You might be there for two nights or one night or whatever it might be. And then, of course, you know, you check out and your access expires. So this is sometimes the way I use zero trust in a really simple, simple understanding.

SPEAKER_01

That's a great analogy. I love it. I've never heard it put that way.

SPEAKER_00

Yeah, and so that's really the bottom line. We're really using this least privilege idea of only giving people access to those things they absolutely need access to, and on a necessary, you know, approved basis on policy, potentially, or procedure, or even just-in-time access kind of thing. And so that's really what we're doing. We're doing it all the way up to the edge. And we know that the edge is the end user these days; it's not just some device out there. So that's kind of what we're doing. So there's that, again, shiny toy syndrome that's out there where there's confusion around what zero trust is. The other thing that I see out there with the vendor space is really talking about what we call zero trust network access, ZTNA. A lot of people misinterpret, you know, zero trust network access as, they've deployed zero trust throughout their organization or every layer. The way zero trust, of course, was released in the 2010 timeframe, and then slowly started to get a little bit of adoption around a few things, particularly around the network access. So that became kind of the buzz over the last four or five years, where, you know, all the big players, you know, Cisco, Fortinet, a lot of them all have some kind of a ZTNA solution. Gotta understand that's just basically replacing a VPN to your network access, which is great, because they're using better protocols and better methods to be able to secure that connection than even traditional VPNs, which do have weaknesses and flaws in them more commonly. But that's only one piece. So, really, zero trust is broken down into seven layers, if you really want to go to the latest. So, at one point it was debated five layers, but really these days it's seven. So, the first layer we're gonna look at is identity. And identity and access management is super, super important.
And part of the reason for that piece is because we still know that, the latest, the Verizon report back in 2025, their latest version, 74 or 75% of all security breaches start at the end user at the access layer. So we're gonna do identity and we're gonna make sure that we're not just using traditional MFA methods where you have what we call centralized authentication. So I put in a request and then that central place sends me a code or it sends me an email or whatever. That's all actually not a best practice. And that's not a true zero trust strategy. You really need what we call verified credential access, meaning that you want decentralized, and usually crypto keys are being shared with continual communication to know that your identity and access management is actually only trusting you for what it should be trusting you to access, data, systems, workloads, et cetera, for that period of time. And then we get to devices, right? The internet of things, right? How do we trust those devices? How do we know that that particular device should be accessing whatever it might be accessing in your systems, your network, your data, your applications? We get into the network layer and we get into the application layer, as I was kind of describing about the accounting. And in that case, often it's really network segmentation, but really we get into micro-segmentation, which is kind of one of the harder parts to do. But we're not just doing segmentation, which a lot of people have been doing for years, where we have, you know, maybe it's an operations network that's, you know, segmented by the network and the switches and the firewall, layer three, from like some other part of the network where an application is. That's one thing. But to be able to micro-segment basically is down to the workload and application.
An example would be we've got Mike and Karen out there on, you know, the East Coast that need to access something on the West Coast, and it's only in operations. So they should only be able to reach, you know, those particular applications within the operations network. We can actually, with micro-segmentation, control by application workload their access specifically to just those applications or workloads that they're supposed to touch, and then even tie it to a point in time so it would expire. So that's the idea of applications, micro-segmentation. We get into data security, which is the other layer, infrastructure. Of course, that's the broader thing, is, you know, being able to look at how we are doing least privilege, even to access and even sometimes physical access. And then lastly is visibility and analytics. So, just in summary, to make it simple, I talked a lot there. With zero trust we're looking at these pillars, these foundational pillars of your overall, you know, topology, your overall network systems and applications, starting with identity, then moving to your devices, then moving to your networks, then moving to your applications, then your data, then your infrastructure. And then lastly, creating visibility and analytics that are real time to all of those systems. So that's the deep dive. That's the five-minute lesson on zero trust.

SPEAKER_01

You're all experts now. That's the best lesson, because this is a term that we've struggled with, because you never know what people are really talking about, you know, as our team talks to IT leaders and information security leaders day in and day out. And, you know, one of the things they hear, and I've probably listened to hundreds, if not thousands, of recordings of these calls, is "we've done zero trust." And it usually means they've bought something, which is not zero trust, right? So I think it's just as important to talk about what zero trust is not. But those seven layers make it really clear, because one of the things that I notated when I was researching this episode was, I think it was Gartner. Gartner predicts that most organizations will claim zero trust in the next few years, but implementation is still partial or fragmented. I was gonna ask you about that. Now I want to test my new expertise based on this awesome lesson you just gave me. And so if it's partial or fragmented, that means they're just meeting some of those seven layers, not all of them. Is that the illusion that you're talking about?

SPEAKER_00

100%, yeah. And that's exactly right. They'll replace or displace some portion or a tool that might have some zero trust element in it, which is great. But again, that's one tool. Sometimes even one tool won't address all of the layers. And I joke a little bit in my book, a fool with a tool is still a fool. So that's really important, that we don't just get foolishly, you know, lured into thinking that we're addressing some ZTNA, you know, on identity and access, and feel like our network is good. There's a lot more layers to get into, a lot more of those pillars that have to be addressed. And it's of course a continual improvement. That's kind of that last pillar, really, is visibility and analyzing where you're at, how you improve. I think that's important. Yeah. There's a principle in zero trust, too, that I would like to bring up that's really important, because it gets to some of the really foundational things that might be even more traditional in the MSP world versus the MSSP world, for example. And that is assume breach. In the zero trust model, that's one of the biggest principles that's preached initially. You must assume breach. Well, if the unthinkable thing happens, we're gonna talk first about what your backup plan is. Well, how are your backups working? How are your restoration plans working? What are your incident management plans? We're gonna talk a lot about these things. And the first thing in backups: are they immutable? Genuinely. Everybody says, oh, we're streaming them off, we're using this or Veeam, and they just assume. And they think it's encrypted; in some cases, and a lot of them, it is, but not in all cases. The other thing is that there's this little bit of foolishness to think that you can't decrypt encrypted stuff, and you can. Certainly, as we look at Q Day and post-quantum cryptography that's coming, a lot of the threat actors now are just garnering data. They're streaming data to store it.
They don't care about cracking it because they know when Q Day comes in three, four years, they'll be able to break a lot of that encryption that exists out there. You really have to have post-quantum encryption in place, and it's not to scare people, but it is a reality. So, this idea about RPO and RTO that we've talked about forever, right? Recovery point objective and recovery time objective. What point in time do we want to go back to? Can we lose four hours of data? Can we lose an hour's worth of data? Can we lose a day's worth of data? And then how, you know, how fast can we go? That's the point in time. And then how fast can we restore that data? Is it gonna take us 24 hours, 48 hours, 72 hours? Where are we gonna stand it up at? You know, what is our true business continuity plan? So these are all really important factors that have been around forever, and a lot of people have checked the box in the spirit of compliance or whatever, have a policy, a procedure. They do have something going on, but they're really not drilling down to make sure it's truly air-gapped from their network, untouchable, truly immutable, and that it's being scanned for, you know, various malware and ransomware before it's getting put away to an unreachable point of your network. So I'm beating on that drum pretty hard, but you can't, you know, just take backups for granted again, just because there's some shiny toy that says it's doing it. Or honestly, you know, the idea of zero trust, you know, always verify, trust but verify, as we say in security. So if your IT team is saying we're all good, we have a cool tool that's working, I would make sure that those are being tested. That's the only way you know those incident plans, those restore plans, really work.

SPEAKER_01

Yeah, yeah. It's making sense why you called it an illusion now, because I think what we see is that there's comfort in checking that box, right? We did it. And so people stay a little comfortable inside of that illusion. And I'm also wondering, because I relate this to nutrition. My son is trying to be healthier with his eating habits. And, you know, he'll look at a box of something that is organic and he thinks it's healthy. And I'm like, that's marketing. That is marketing. So, how much of this is a marketing narrative problem around zero trust?

SPEAKER_00

Yeah, very much. And I think that's what you're seeing. You know, everybody's trying to claim some element of zero trust, and they're not looking at it as really a comprehensive, you know, philosophical position, but then also really making sure that it is a leadership-first initiative. And, you know, it really does need to start at that layer. The organization, if they're going to adopt it, you don't just adopt one piece. You really got to adopt that you're gonna go after all of the layers, all of the elements, so that you truly have a comprehensive, you know, full strategy to increase and enhance your cybersecurity posture. And I think it's getting pretty good. Matter of fact, I was just reading a paper today that came out from the White House. They've now got a new declaration that came out two or three days ago around cybersecurity for all businesses and the government. And you know what's named in there? Right in the middle of it, zero trust. So most of your government entities and agencies are all honing in on zero trust. And they aren't saying just zero trust in one area, right? They want you to take on the whole, you know, zero trust platform, which would address all those seven pillars I described.

SPEAKER_01

Right. No, that makes complete sense. So what I'm hearing is zero trust is a discipline, it's not a product. Like we can't treat it as a product. So what happens when organizations treat it like a product?

SPEAKER_00

Yeah, so you got gaps, right? So you now think that you've got one thing going on and you don't, you know, one particular area that's fully covered. Identity and access management, as I say, is the popular one. So we're using ZTNA, so we're good, but they really aren't micro-segmenting their applications. So if a threat actor does find a way in, then there's their ability to go east to west, as we say, inside a network, right? You know, and a lot of times with breaches, the average breach discovery is like 180 days. So the threat actors are patient. They'll sit, they'll watch, they'll see, they'll find, they'll move laterally, they'll find ways to elevate privilege, they'll do all the good hacker things that they do, right? And they've got all kinds of tools to do it and automate it these days, the threat of AI, which is a whole nother thing. I don't know if we're gonna talk about that later, but I'm happy to jump into that right now, because the other thing is zero-trusting what we call NHIs, non-human interfaces. And we all have these that operate in our networks and our systems. APIs, for example, an application, you know, call is a non-human interface. How do we know that we're trusting who's accessing that API and it's not doing nefarious things? And then when we think about the idea of beyond this generative AI world that we're in right now, and over the next two years, we're gonna move to very much an agentic, an agent-based AI, which is coming on. We read about it, hear about it in the news every day. They're going to be very, very intelligent. One of them is going to speak to another. We'll get, I think, into that at some point, maybe more.

SPEAKER_01

But that's why we're doing a two-part series. Just, you know, we're gonna air this episode, and then a week later, we're gonna air the one around AI and cybersecurity, because it's so necessary.

SPEAKER_00

A lot to talk about there, and zero trust is very applicable, is the point here as we think about you know, AI issues and threats.

SPEAKER_01

Yeah. So you mentioned zero trust in a box. That sounds like a really dangerous narrative. But it's a seductive thought, right? Like, one product, problem solved.

SPEAKER_00

Yeah, it sells comfort versus capability, right? Oh, like, oh, yay, we're doing zero trust. Yeah, I've heard that's important, right? So then, you know, the IT or IT security people, you know, out there are all a little bit, you know, enamored. Again, I keep saying over and over, this shiny toy syndrome, right? And we think that this tool somehow is gonna magically do everything. I mean, you can buy the gym membership, right? You can buy the equipment, but you can't buy the membership. I guess that's one analogy: you still have to do the work, right? Whatever you do. So it's just like zero trust, you got to do the work, right? The dangerous part is when leadership believes that somehow the problem is solved because a product was purchased. And that's an issue, because, you know, back at the farm, as we say, right, identity sprawl is existing, privilege creep is happening, shadow IT is going on, things are plugged in the network that people have no clue about, and the internet of things that are happening. So again, these create huge operational gaps, and every gap is a potential, you know, attack surface that a threat actor can exploit.

SPEAKER_01

Yeah. The seven pillars that you outlined were so helpful. That's literally the best education I've got in cybersecurity. So thank you for that. Yeah. If someone can't address all seven right now, what are the foundational pillars that they should start with?

SPEAKER_00

Yeah, I think, you know, we talk a little bit about how identity and access management, a lot of organizations have made big leaps and bounds on that, because most of these, again, breaches start at the end user and somewhere around their access and identity and privileges. But there's something called role-based access, you know, RBAC, as we call it. That's really important, that you understand who has access to what, where, and when, and it's controlled at just that layer. Asset visibility, knowing what all your assets are. In ITIL speak, the IT Infrastructure Library, we talk about the configuration management database. It's called the CMDB. It holds all the assets in your organization. And you can actually, you know, hold all your maintenance contracts, you can look at ticket history. There's a lot, so there's a lot of pieces. So, one of the big important pieces, I think, is really just understanding your assets, knowing that you've captured all of them and you have visibility to all of them. You again can't control what you can't measure; you can't control what you don't know about. So if there are things connected to your network or assets you don't really have control of, that's a big issue. And of course, third parties start to play into that because some of the assets are managed. We think about the OT world, the operational technology world, you know, whether that's a hospital room that has all kinds of machines going on, or you're in manufacturing and you've got, you know, CNC machines plugged in, or even in agriculture. You got big combines out there in fields. Believe it or not, they're all connected to the internet. Cellular, maybe, but they're all potential entry points for threat actors. So that's really important. So, yeah, where do we start? Asset visibility. Know what all your assets are, get them documented, contained. If you don't really have control of that, that's a big piece.
Identity and access management, super important, because it's right where most of the threats come from. And again, a lot of organizations have made, you know, really big leaps and bounds in that area, but there's a lot that haven't. You're still using old methodologies that are very easy to work around or to do man-in-the-middle attacks or hijack or whatever they do. And then containment on the network. That's also, you know, flat networks. You know, a lot of people shake their head about, oh, we've been segmenting networks forever. But sometimes in some of the things we've been in, you start realizing they segmented like two networks when they should have segmented like 20 parts of their network. So there's still a lot of work to do in organizations there, where they think they've checked the box on just regular network segmentation, let alone micro-segmentation. But I think that that's important. Network containment's important. And then I would also probably say number four, back to where I started with operational discipline, right? Are your configurations patched? We know that 80-some percent of all breaches that get by a device is an unpatched or a not up-to-date patched device or system application. So again, is everything patched? Is your patch management in really good shape? Are you doing it? Can you validate it? Do you have good configuration controls? And then change management, right? Because every time we introduce some kind of an update, we're introducing change. So are we following the rigor, the basic, as I say, football analogy, blocking and tackling, the upfront hard work that has to be done around change management? Again, configuration and your patching and your change. Really, really important. They're not flashy things, but they're super foundational.

unknown

Yeah.

SPEAKER_01

Yeah, that's helpful. Which pillar do you think is most neglected?

SPEAKER_00

Probably micro-segmentation, because it's one of the hardest things to do, quite frankly. It takes a lot to deploy the right kind of solution that has the ability to do that. And one of the challenges that organizations have is they already have a lot of infrastructure, obviously, that they've invested in. They've matured over some time to some level. They feel pretty good about it. And then in order to introduce micro-segmentation, some of the traditional solutions require you to go touch everything and reconfigure all of the you know design architecture of your re-engineering, you're having to touch a whole bunch of stuff, introduce new elements, maybe even new hardware, whatever. So that's a real challenging one. Some of the stuff that we work with, um, we actually can do right over the top of the existing without having to do any forklift upgrading. It actually can stand up TLS networks, which is a very high security protocol, high-level, very quantum protected cryptography, and it'll stand it up real time just to allow access to a particular segment of the network, a workload or application or a system right over. And it can be done orchestrated by policy. So it can be set up and actually delivered as a service to make it one of the hardest things to do in Zero Trust, actually pretty easy to do. Within 90 days in most organizations, you can have a pretty rock solid micro-segmentation strategy rolled out and not have to touch and forklift all your other existing infrastructure that exists. That's a really important thing and a hard thing to do.

SPEAKER_01

Yeah. Yeah, it makes complete sense. And I think, you know, I think IT leaders delay action because they assume disruption. So does implementing zero trust require ripping out infrastructure, or is that just another misconception?

SPEAKER_00

Yeah, in most cases, no. I can't say in every case, because you might have certain things that are old protocols or old encryption or whatever. But yeah, and generally speaking, no, uh most of the layers can be addressed more by the process side initially, which will help take a big chunk out of it and then come back and look for ways to implement solutions that don't have to disrupt everything or do port. And then lastly, there are some pieces that are going to take some work. And there's going to be that as we talk about friction sometimes, you know, how much friction do we create by implementing a security tool or solution? And there are elements where they can create some friction. So you want to be careful about it. But once you get the culture and leadership behind it, it becomes very important. It's friction that's worth taking on because the leapfrog of your cybersecurity posture is huge. And in today's landscape, with all the threats going on, businesses, if you're not doing it, it's just a matter of time. So you're going to have to, or you get breached.

SPEAKER_01

Yeah. Where do you think most organizations get stuck when they're trying to move from you know intention to execution?

SPEAKER_00

Yeah, I think that's a really, really good question. I think there are two key things there. One is leadership support, and that's a pretty broad thing because they'll say that we need to do what we need to do, but then when it comes time to actually budget it, there tends to not be the budget there, and there's constraints, and somebody's faced with, you know, man, I've got my staff that's tired and you know, maybe stressed, overworked, has to be on call too much. I just want to hire another person, and I'm being told by the CFO, I'm either going to hire that person or I can deploy that new solution or that tool or work on a zero trust strategy because there's going to be cost involved no matter what it is. And so this is the big thing. So the leadership is big, big L, all the way up to the boardroom, because they need to be caring about cybersecurity to layer and a level that they have not. There's still very much lacking lots of studies and reports, all saying you can't just have somebody who kind of knows technology or used to be a CIO on your board anymore. That's not good enough. You need deep expertise in cyber on your board. So it goes all the way up there. But then if you're just in a business that your executive team is really the board, right? You're the owners or whatever might be the presidents, you've got to support the initiatives. And that means you're going to have to think about cybersecurity in what I would call a paradigm shift because forever we've talked about IT as a, you know, I've joked I sat in the CFO's office one time talking about a new solution that they really wanted proposed on. And he looked at it, looked at it and finally said, Do you hear the whistling sound in my office? He starts looking around. I'm like, no. 
He goes, Yeah, that's the suck of IT spend going out the window because I keep my mind and money and money on IT, and I feel like it, and IT's not done itself a lot of favors, tends to be over budget, not on time, on projects, getting them done. So we shot ourselves in the foot. But this person, this perception that IT spend, even though it's running businesses that they wouldn't even exist, somehow is looked at as something. So we got to do a paradigm shift. We need to look at it as revenue assurance, not IT expense or cybersecurity expense. And the other thing is in the last two years, average about 40% of all insurance claims on cyber have been denied because they're getting super smart. If you don't have active threat monitoring and certain controls in place, in the fine print on your policy, and we review policies and we see it all the time, they're not going to pay your claim. So you can't just rely on insurance like you could three or four years ago. That landscape has changed as well. So leadership is the first answer. It's really important, and it's a broad answer because it covers a lot there. The other piece that I think people get stuck on in implementing it is trying to overcomplicate it. You know, progress over perfection, as we say. So pick one of the pillars one at a time, and just do them really, really well with good project management, good implementation, being smart about how it's going to apply in your particular configuration. And don't be a fool with the tool, right? Don't just go buy some tool and then somehow backfill and think it's going to fit into a couple of pillars. You need to be very strategic and intentional and smart about how you're going to take each pillar on and apply the right solution set to really drive that zero trust thinking.

SPEAKER_01

Yeah. Yeah. I want to dive into the, you know, cybersecurity treated as a cost center piece because this is something we hear all the time. And maybe that made sense, I don't know, 15, 20 years ago, but it blows my mind that people still think this way, especially after COVID. Like that should have been the wake-up call that you know, technology is business continuity. Like that really should have been our wake-up call. So why today in 2026 is cybersecurity still treated like a cost center instead of operational discipline at the board level?

unknown

Yeah.

SPEAKER_01

It's a real frustration.

SPEAKER_00

Yes. It is a real challenge. I mean, I think a lot of it is that it's just flat expensive to do, right? The right cybersecurity experts that, you know, you have to hire them, right? The right representation that you need to have on your team to do it effectively, it does take a lot of expertise. You just can't, you know, rely on the fact that one guy knows IT, and I think a lot of it's education. So that's where I'm the heart I'm getting to. We just assume that we've had, you know, Mike and Sarah on the team forever. They're super smart, they've done a great job. We've never really been breached. And, you know, IT is working pretty well. It's not perfect, but it's doing all right. Why on earth would I need to spend more money? Plus, you know, Mike and Sarah are super smart, so they're telling me that you know the cyber's pretty, you know, they're not in too bad a shape on their side on our cybersecurity. And that's just misinformation. Sometimes that comes out of you know self-protectionism for our positions or our roles because they kind of sense that we're supposed to. I can say, well, I guess we're supposed to be cyber experts. So they check a few things, maybe deployed one tool, and now they're convincing the business we're all good. So I think that's a big deal. I think the other thing is that you know, just like IT, it's invisible, right? Cybersecurity is not tangible, you can't touch it, you can't feel it. And I think it's human nature to say, well, you know, it's because it's you know invisible, it's not reality. And so we don't really need to worry about it too much until you do, until you show up and you can't access your systems, right? And so with that, the ROI is very hard to quantify. You know, what is the return on investment? How do we qualify? We work with APIs, we work with budgets and return on investment on everything we make. So, how do you do an ROI when it comes to cybersecurity? 
Well, you have to have some hard conversations that most people think are unrealistic. Like, what if we showed up and nobody could do any of their jobs at all because everything was frozen? That would never really happen at that level. I don't think it would. Well, actually, it does. And you know, and you'd think in the news with all the stuff we're seeing, right? People would be like, Yeah, of course they understand, but they don't. So, again, back to that idea, it's not revenue generating. I gotta make payroll next quarter. Why would I invest in cyber this quarter, right? They just don't see the connection of those two. And I think the other thing is that the you know, industry is a little bit, and this is a hard one because there's truth to it. So, how do you communicate this effectively when you're trying not to be guilty of the FUD, the fear, uncertainty, and doubt? And that's what the industry loves to do is sell on fear, right? And what can happen, the big thing. And so I think there becomes a little bit of a roll of the eyes of disbelief, right? You know, I've been hearing about this for you know 10 years now, cyber threats in the last five years, yeah, a lot of them, but we've never been breached, and they keep telling me I'm gonna get breached because they're looking at every business now. Well, you can believe it or not believe it, right? We talk about managing by fact and not by belief. If you really want to study the facts, the facts are not on your side. So that's another big deal is that we sell a lot of fear, and then people don't believe the fear, but the fear is real. The facts back it up, right? That really is, you know, what it is. So that's kind of the idea. 
And what's interesting, and I'll end with this point, is that you know, when you come into a company that has you know suffered a breach and they're through the trauma of the initial breach, now they're getting ready to really get serious about their cyber because they ignored it and rolled their eyes before for all the points I just named. It is amazing. The boards, the presidents, the VPs, everybody's ready to spend money now, baby. And it's a you know, it's gonna cost a lot more money at that point to do it because you're trying to swallow a whole bunch of solutions and a whole bunch of you know areas that you need to increase your posture on. So the wallet opens up, right? And so it's really interesting. We can only study that, like, oh, interesting. Everybody that's been breached that didn't spend the money, now they've been breached, they're all spending the money. So that's the other piece I would end with. Yeah.

SPEAKER_01

Yeah, no, it's so good. And I want to circle back to something you alluded to earlier, and that's the significant percentage of cyber insurance claims that are denied. Uh, because there's definitely the thought we're covered, like that we're covered assumption. And you're saying they may not be as protected as they think.

SPEAKER_00

Not at all. There's studies, it's all the way from you know 15 to 20 percent on some of the ones I've read all the way up to like 42 or 43 percent on some of the other stuff I've read out there. So you can go Google that, work on that, find out what denied claims are. But even at 20 or 30 percent, you really want to risk that? I mean, that's kind of crazy. And the expense of you know being down, that's what people don't understand, is a pittance compared to actually, you know, investing in your cybersecurity program on a regular ongoing basis. If you're down, I often tell the story about the MGM breach we all heard about two years ago, right? I mean, number one, let's just start with this. They have SOCs, they have NOCs, they have all the cyber experts, they're a billion dollar corporation, they got all the good, amazing stuff. Yet somebody went on LinkedIn, found one of their network administrators that said they worked for MGM, had their name and their email address, they called into the call center, got the call center to actually reset their password. They used the preset password to go to some ransomware groups they worked with and elevate their privileges, and went in with ransomware, locked up the whole network and took them down for 24 days, froze them up, cost them right at $100 million. Then about a year or two later, just closed about six or eight months ago, they just settled for $49 million for the class action lawsuit for the disclosed uh exfiltrated data that came out of that. So one phone call, right? I mean, it's just as simple. You know, one phone call cost that organization $150 billion. Well, people roll their eyes, well, they're big, they're a target, they're a casino. 
I'm telling you, I could tell you story after story about a finance company in California that had a new printer installed, and the, you know, they were using uh an outsourced, or I'm sorry, one of their techs in their department went and set it up and he left the password admin 123. They left it exposed because he misconfigured it. It was exposed to the internet. They, of course, scanned the network, found the vulnerability, hopped on that, went very clearly through the network, was able to breach the back end of the email server. A lot of people don't think about the back end of their Office 365 tenants. They're watching copies of all emails between the CEO and the CFO using AI to sound just like them, then author a spoofed email right from the CEO to the CFO, ask him to send a $180,000 check to a new vendor that they were using as a finance company. And that company, and the other thing, if you look at the studies, uh usually a company that suffers a serious breach within six months can go out of business. Yeah, 40%. That's a lot. So this particular company, of course, down the road within three or four months, because of reputation damage and all the issues, they ended up having to merge with another finance company. They somehow stayed alive, but through merger. Point being is that as simple as just installing a printer, which we wouldn't think that much about, not following good process and good cyber practices exposes you to who knows what, you know, the littlest hole in your network, these threat actors know how to exploit those. So I could go on and on about that, but that's the reality of where the industry is at, right? From the littlest company that's uh you know under a million dollars a year to a multi-billion organization, you know, they'll get you.

SPEAKER_01

Yeah. Wow. No, this is so eye-opening. And it's so I want to end with if someone listening today feels exposed, what's the calm first move? Like what should they stop doing, or what's the highest leverage action? What can they like bite off and handle this quarter?

SPEAKER_00

Yeah, I would say there's probably two things, honestly, just coming at it. And I would say first, I talked about it, spoke to earlier. You really need to understand your backup and restoration and your business continuity plans. What do those look like? What is your recovery point objective? How much data can you lose? Really focus on that. Talk to the business, do your due diligence, understand if we can be down four hours, a day, two days, three days, maybe you can survive. I don't know. That data that you can lose. And then how fast will it take you to restore, right? Can you get restored? You know, do you have to be back up within hours? Can it be days? So you need to really understand that, then have plans, make sure you've got the right solutions in place. Are they regularly tested? You know, so that's really important, or work with an expert that does that stuff all the time. That's the first thing, because that's around assume breach. So if the unthinkable ransomware, you know, comes into your network and everybody shows up and the whole network's down, you can genuinely look at it and say, yep, we're not gonna pay a dime because we know we already have a plan. It's an ouch. It's an ouch because we know we're gonna be down for 24 hours, but we know our plan works, we've tested it, and we can be back up within 24 hours. And we're not gonna pay the 50 Bitcoin that they're asking for, or whatever it might be. So that's the first practical thing. Don't just assume because you bought some tool, again, fool with the tool can still be a fool, that your backups are good because you heard they were encrypted or you understand them to be encrypted. They need to be immutable and air gapped and scanned. Really important stuff. And then you marry that to your restoration backup plans and your business continuity. Okay, that's the first piece. The second thing is active 24-7. Threat actors don't sleep, right? 
So you might be open from 6 to 8, where you got people in your organization, you know, 6 a.m. to 8 p.m. But what about the other, you know, uh 12 hours of the day, right? That you're not covered. Um, you'd be surprised, right? Anywhere that's connected to the internet, as we all know, you're vulnerable because any threat actor from across the world can access your systems. You need to have active threat monitoring, which really comes in the way of the overused XDR, but you really have to have a managed detection response where a NOC's looking at it, a SOC's looking at it real time. You really need, and this gets into the build, buy or borrow, because the idea is to build a SOC and have the expertise is very expensive. You can buy it, but most organizations, like you're a candy company, make world class candy. Does it make sense for you to be a cyber ops organization? It may not. So borrowing it, subscribing to it with good expertise. And then when you subscribe, you need to ask some real key questions. There is a mean time to contain, a mean time to detect, is really what I start with, and a mean time to respond, and a mean time to contain. Those three, you should ask that question because a lot of the big, big boys out there that everybody gets comfortable with, and I'm not going to name names that we work with, they just because they're big, it's a little bit like nobody gets fired for you know deploying IBM or using Cisco. Not always the case, right? That anymore, it's a different world. And it's not a lot different in SOCs. When you start asking the tough questions, you need to really know that they can validate their mean time to respond. A lot of those organizations are taking 45 minutes to an hour, and a lot can happen in 45 minutes to an hour. So mean time to detect it, do we know what's going on? 
Mean time to respond to it, figure out what's going on, if we detected something bad's going on, and then how long does it take us to contain it? Those are really important KPIs, key performance indicators that you need to know about. That's the other thing is really having a 24-7 you know SOC that's actually actively monitoring your network for all of those things. And now one little caveat that's overlooked. A lot of times we'll talk about you know managed detection on your network or your systems or an EDR endpoint detection response, all of our acronyms, but that's great. They do those. One of the things overlooked is ITDR, which is your identity threat detection, which basically is, a lot of organizations have their front-end email spam blockers, whether that's a Proofpoint type solution or whatever it is. But a lot of organizations don't think about their Office 365 tenants, and that's where the threat actors camp a lot of times, and they can do a lot of nefarious activity on the back end that you may or may not know about in your O365 tenants. So having an active identity threat detection system that knows something nefarious is going on is really important in that whole strategy of putting a SOC in place or SOC services. Those are the two things. Yep. Number one, as I just said, know about your backups and your whole process, immutability. And then number two, you should have a 24-7 SOC that's looking at your systems doing all the right type of monitoring.

SPEAKER_01

Amazing. Scott, this is such a valuable conversation. And honestly, the best education I've received on cybersecurity and zero trust. So thank you. And so for me, if there's one takeaway from today, it's this: zero trust isn't something you declare. It's not something you buy, it's something you operationalize. The seven pillars were just so helpful. And if you suspect your organization may be operating inside the illusion we discussed, that's not failure, but it is an opportunity to tighten discipline and strengthen resilience. And Scott has generously offered a complimentary e-copy of his Amazon bestseller, Visible Op Cybersecurity, for listeners who want to go deeper into the process, governance, operational framework behind real cybersecurity maturity. So to receive this book, simply text your email address with the words Secure2026 to 541-359-1269 or visit scottaldch.com. I'll link that in the show notes. And you can fill out the contact form noting secure 2026. He's also so generously offered up three no-cost level one pen tests or scans for qualified organizations. So these assessments typically range from $2,500 to $10,000 in the market and provide real visibility into your current cybersecurity posture. So, Scott, will you share? First of all, thank you. That's such a generous offer. Would you please share how the audience can connect with you on this?

SPEAKER_00

Yeah. So same uh phone number that you shared, and you just put the secure 26, and they just know pen test or whatever penetration test is really what that stands for. But pen test in there, and you're one of the first three. We'll note you, my team will reach out to you and get you scheduled. Uh, we typically sign a non-disclosure and then we can do the test. But it gives real, the report is awesome. It gives a real insight. Back to really the whole theme today of trust but verify, right? You may have been told, or maybe you had a pen test a year ago or six months ago, but where do you know that you're at today? It's a snapshot in time. So trust but verify. So that pen test is really valuable and will provide a lot of insight to your organization. And if it finds a gap or a hole, you can take that back to your team and they can help plug that hole in that gap, or your provider, or certainly my team would love to talk to you about our services as well.

SPEAKER_01

Incredible. Incredible. So I'll link all of these resources in the show notes. And you can also connect with Scott through our platform, technologymatch.com, and just enter Zero Trust or Cybersecurity or IP services, and his solution pages will come up there and you can connect directly there. You can also find him on LinkedIn. Again, I'll put it in the show notes for you. Thank you for listening. We'll see you next week. Scott is coming back to talk about cyber risk in the age of AI. You know, that's gonna be like when I had my pre-call talk with Scott, it was just so clear that we needed to split this up into a couple episodes because I know we're hearing from our audience a lot that they want more coverage on how does AI and the, you know, this agentic era that we're ushering in, how does that impact my cybersecurity strategy? So we're gonna dive into that in a whole other episode. So you can tune into that one. We'll continue building on what we discussed today. It's gonna be so good. I can't wait to learn from you when we do that one, Scott. Thank you so much.

SPEAKER_00

Thank you. Thanks for having me.

SPEAKER_01

Thank you for tuning in to Between Fires and Futures. We know the weight tech leaders carry, the pressure, the pace, the constant pull between keeping things running and building what's next. If no one said it lately, you're doing hard, important work. And we see you. If this episode sparks something for you, follow the show, leave a review, and share it with another tech leader who gets it. Thanks again for listening. Keep leading through the fires and daring to build the future anyway.