What if zero trust is not about distrusting people at all, but about confronting risk head-on and thinking like an attacker? In this interview, Chase Cunningham, aka 'Dr. Zero Trust', argues that the point is to minimise risk and adopt an offensive mindset in order to achieve cybersecurity goals.
Chase Cunningham, many people seem to misunderstand zero trust. What do they typically get wrong?
Most people, when considering zero trust, make the mistake of thinking it means we do not trust individuals. That is not the case at all. What we are saying is that we cannot be certain that someone or something within the organisation will not introduce risk. Our aim is to mitigate that risk. As a cybersecurity professional, I find it perplexing that, despite decades of evidence showing we should not place blind trust in systems and people, we still debate this point. Compromises are caused by both people and machines, and lateral movement can be devastating. We ought to move beyond this outdated thinking.
Do you travel by air?
Yes, occasionally.
When you fly, you are in a zero-trust environment the entire time, although most people do not realise it. At the airport, you are verified several times. You pass through security, where everything you have is checked. When you board the plane, your ticket ensures you are a passenger, not the pilot, and you sit in your assigned seat. Once the flight is over, you disembark and that is the end of it. The entire process is a zero-trust engagement. It is not so unpleasant that people avoid flying; it simply exists because there is exceptional risk and value in the transaction, so we take steps to mitigate those risks. It amuses me that people still argue against this approach.
You say zero trust is a strategy, not something you can simply buy as a product. Managers and leaders often focus on tools, but for zero trust, they must change their mindset. How does that work?
The interesting aspect of zero trust is that it is not a technological issue. The technology required for zero trust already exists; it is simply a matter of using it correctly. What most people get wrong is that they approach things with a defensive mindset, which is ineffective in cybersecurity. You must think offensively – where can you confront the adversaries and outmanoeuvre them? You need to make yourself a more difficult target so attackers will look elsewhere. This requires a shift in thinking.
For decades, we have believed that building higher walls and acquiring more technology would eventually prevent all compromises. That approach does not work. Anything engineered can be reverse engineered, and breaches will always occur. The real objective should be to accept that compromises are inevitable and then allocate resources and tools to confront the adversary. The goal is to make it unprofitable for them to target your environment, as they operate on a business model.
In many organisations, cybersecurity is viewed as a cost factor or a form of insurance, so there is reluctance to invest adequately in security. How can cybersecurity professionals gain management support for their proposals or plans?
For many years, security departments were given a blank cheque. Those days are over, as management now expects a return on investment. This is what makes a zero-trust strategy so valuable. Organisations that adopt zero trust often free up funds by eliminating assets that provide no value and do not help stop attackers.
Strategists look at the problem and determine the minimum necessary to eliminate or reduce the threat. That is the right approach. We need to move beyond the mentality of ‘give me more and eventually I’ll have enough to stop the attacker.’
Another calculation management must consider is the cost of security versus the cost of a breach. Consider how long a business is disrupted and how much money is lost during downtime. That is the calculation you should be making.
So, it is essentially risk management?
Yes, it is about risk management and productivity. That is the objective we are all striving towards.
What about cultural change in organisations when introducing zero trust?
A zero-trust strategy may change the way people think or work. It requires a certain level of security awareness to understand what is happening and why it is necessary – for example, why you should label your documents. Nobody enjoys it, myself included.
There are different schools of thought on this. My view, based on experience, is that security awareness is often pushed too much as a control. If we conduct phishing training and security awareness programmes, people will be more educated and better able to avoid traps. That is not necessarily wrong, but it is not a security control. People still fall for phishing attacks all the time. The most common password in 2025 is still ‘1234567&’. We are not making much progress with the human element.
My perspective differs from many others: I do not want people to be experts in security; I want them to work securely. That is what we are trying to achieve with the right technology aligned to the strategy. People should be able to do their jobs, and security should happen seamlessly in the background.
I would like to discuss medium-sized enterprises. Often, they do not have their own security or IT departments and rely on IT partners. How can an SME introduce zero trust if they lack the funds or expertise?
There are two ways to address this issue. Firstly, if you cannot dedicate the necessary resources and time, seek external support from a managed security service provider. This saves money, and when things go wrong, you have someone to help you recover. Eight times out of ten, I advise organisations in this sector to find a partner to assist with zero trust.
Alternatively, if you wish to do it yourself, there is a wealth of research material available to guide you. I recommend moving towards cloud solutions and focusing on the basics. One of the biggest risks for ransomware in SMEs is PowerShell on Windows machines. If you want to reduce the threat, disable PowerShell on those machines. That single step can make a significant difference. Many tasks that seem difficult are not, but this is where the mindset must shift: what does the attacker do, and what simple measures can you take to make it less worthwhile for them? You will never eliminate breaches or risk entirely, but you can reduce them as much as possible.
So, is it often a matter of missing security basics?
We refer to it as ‘blocking and tackling’. If you excel at these fundamental practices, you are likely ahead of most others. Consider it from the attacker’s perspective: if I am a burglar and I drive down a street, I see two houses – one with three Dobermans, security cameras everywhere, and a high fence, and another with nothing. Which house do I target? The answer is obvious.
In the zero-trust world, the concepts of resilience and deterrence are becoming increasingly recognised. I want to recover quickly and continue working, and I can accept some compromise because it is anticipated. I want to deter adversaries, to make it clear that attacking me will not be enjoyable.
That means the aim is to stop the attacker and recover from an incident as quickly as possible?
Precisely. There is also a concept gaining traction in zero trust strategy, borrowed from the military, called ‘contested space’. There are systems I will never be able to fully secure or control. I isolate them, segment them, and maintain as much command and control as possible, but I do not waste resources on them.
It is a matter of accepting risk where necessary?
Exactly. We all do this. At some point, you must accept a certain level of risk. If I can isolate the real risk to that contested space and maintain confidence in what I can control, then I am doing it right. There is a famous saying: ‘If everything is a priority, nothing is.’ You must prioritise and calculate risk accordingly. For years, there has been discussion about ‘crown jewels’ and zero trust. I understand that, but as a strategist, I prefer the term ‘centre of gravity’. You may not know what your crown jewels are, but most people know where the centre of gravity of their business lies. If I asked Swisscom what their most valuable intellectual property is, the answer might be uncertain. But if I asked about the centre of gravity – the most important group, infrastructure, or asset – they could probably tell me.
Sometimes I wonder, if everyone is so proficient in security, why do attacks still occur?
Because priorities are misplaced, and that is why defensive thinking is problematic. We should be thinking offensively and accepting reality. This is the hardest concept for people to grasp.
Let us discuss the offensive side. I like your idea that attackers view organisations as graphs. If I understand correctly, from the outside, they see network connections between devices and look for weak points to exploit through lateral movement. But they do not have a complete overview of the infrastructure. You suggest companies should know their own map. What should be on this map, and how do you start building it?
If you embark on a journey, you need a map to show you the way. Most organisations lack a comprehensive asset inventory and do not know what is connected within their infrastructure. With the addition of Slack, AI, GPTs and cloud services, it becomes a confusing mix. To defend yourself effectively, you need to understand the terrain. Your map does not need to be perfect, but it should be better than the attacker’s. Security graphs, as described in my book ‘Think Like an Attacker’, are invaluable. Graph theory was literally how we tracked adversaries in Iraq and Afghanistan.
I am not sure I understand the expression ‘dumpster chicken’ from your book ‘How NOT to Lead’. What is the impact on cybersecurity when leaders fail to make clear decisions?
It leads to a slow decline. If you constantly hear ‘no’, ‘we cannot’, or ‘this will not work’, eventually you become resigned and let things happen. That is not the right approach, especially in a field as critical as cybersecurity. In my book, I mention ‘dumpster chicken’ as a lesson from a leader: if you present a problem, you must also propose a solution before leaving. It may not be a perfect solution, but it must offer a way forward. Many of us in technology are binary thinkers – yes or no – but we need to embrace the grey areas and find ways to move past obstacles. Leaders should be willing to do this.
Managers often think in terms of costs – how much does it cost, and how much does it cost if we do not act? When I speak with cybersecurity professionals at Swisscom, they often say the challenge is translating technical jargon into language managers understand.
That is a challenge for everyone. Many of us in technology are not adept at speaking ‘business’. I had to learn how to communicate in business terms, and I am still learning. From our perspective, we should focus on learning to speak business.
Have you ever heard of the Lockheed Martin kill chain? In workshops, I show people the kill chain – a very technical, cyber concept – and then I present a sales model from Harvard Business School. I map the sales model to the kill chain, and they are not so different. It is a process, a methodology, an outcome. Usually, the business people in the room suddenly understand, because we have translated it into their language.
About Chase Cunningham, ‘Dr. Zero Trust’
Chase Cunningham is widely known as ‘Dr. Zero Trust’, a former NSA and Navy veteran, bestselling author, podcaster, and one of the most influential voices in modern cybersecurity. He is among the inventors of the zero trust approach and, among other achievements, developed the Zero Trust Extended (ZTX) Framework at Forrester Research.