A CTO's Interview with the "Godfather of Zero Trust"
A few weeks back, I had the privilege of sitting down with John Kindervag, the "Godfather of Zero Trust," in WWT's office in Plano, Texas. In that quiet conference room, we discussed his perspectives on innovation in cybersecurity and the profound impact of the zero trust model. It was an engaging dialogue that shed light on both the history of technology and contemporary cybersecurity challenges.
Kindervag's journey through technology is a narrative of incremental experiences with technology. He began his career as somewhat of an accidental technologist, first dabbling in broadcasting before engaging with emerging computing technologies. Reflecting on these beginnings, he illustrated the challenge of moving from what was once considered cutting-edge (said a bit tongue in cheek), the typewriter, to the now ubiquitous digital realm. "I started out fixing typewriters," he recounted amusingly. "It's hard to imagine that was once the pinnacle of technology."
"The freedom to explore without constraints…"
Among the fascinating anecdotes he shared during our discussion, one stood out: his encounter with Jack Kilby, co-creator of the integrated circuit, on the day Kilby was awarded the Nobel Prize in physics. Kindervag recalled the experience fondly, highlighting Kilby's humility amidst unparalleled achievement:
"I got to be with Jack Kilby on the day he won the Nobel Prize. I started out in broadcast engineering, which is a subset of engineering, and I ran Texas Instruments television as a contractor for several years. One morning, I received a call instructing me to get over there and set up the studio — Kilby had won the Nobel Prize, and we were going to do live shots with all the news organizations all day long. So, I spent an entire day with Jack Kilby, the co-creator of the integrated circuit, along with Bob Noyce at Intel. They both discovered the same thing in 1957 without knowing each other and agreed to share the credit to avoid what could have been akin to the Leibniz versus Newton debate over calculus. For this collaboration, he was awarded the Nobel Prize in physics.
"I remember asking Kilby what he did first upon winning the Nobel Prize. He said, 'Well, I got some coffee because they called so darn early.' He was utterly unfazed by it, considering the magnitude of the recognition. Initially, he wasn't going to accept the prize because Bob Noyce had already passed away, and Kilby didn't think it was fair. Andy Grove, CEO of Intel, had to persuade him by saying, 'Bob would have liked you to accept this.' Jack then asked if he had to go to Stockholm and wear a suit. When they said yes, he'd need to wear a tuxedo, he mumbled about not having one, but they assured him they'd take care of it."
"Despite such renown, his humility shone through. I had the chance to ask him what drove him to create the groundbreaking integrated circuit, and he casually answered, 'Air conditioning,' because they had none. As the youngest engineer, when his colleagues took time off during the hottest two weeks, he stayed back, tinkered around with ideas, and eventually came up with the integrated circuit. This story reminds us of the value of having the freedom to explore without constraints — a recurring theme that has propelled significant advancements throughout the history of technology."
This profound instance of understated excellence serves as a metaphor for the originality and quiet perseverance often found within real technological advancement, qualities mirrored in the spirit of Zero Trust itself.
"We iterate a lot these days…"
A significant theme was the transition from iteration to innovation. In John's view, modern technological advances are often inflated iterations on existing models rather than pioneering new ones. He mentioned, "We iterate a lot these days, adding layers upon layers — it's like putting chocolate sauce on a sundae but not inventing a new dessert." This metaphor summed up his frustration at the industry's reluctance to break away from incremental improvements and embrace genuine innovation. It's a notion that resonates sharply amidst today's rapid technological shifts, where major advancements are demanded more frequently than ever before.
This leads directly to his advocacy for the zero trust paradigm — a concept he developed to revolutionize how we approach cybersecurity. Kindervag's famous five-step zero trust process radically shifts focus from network perimeters to protect surfaces — specific zones safeguarding critical data, applications, assets or services. As he explains, "The attack surface is like the universe — constantly expanding. But the protection surface is something we can define, manage and secure."
Understanding these protection surfaces is fundamental to giving organizations customizable security measures that adapt to evolving threats. One illustrative anecdote he shared involved a restaurant chain whose operations suffered for lack of visibility: they overlooked a single polling server, which set off enterprise-wide disruptions. "That critical piece — knowing transaction flows — could have protected them," he explained, emphasizing the value of comprehensive system visibility.
"Our greatest vulnerability is the elevators…"
During our conversation, John Kindervag shared a thought-provoking anecdote about his consultancy experience with a hospital system that redefined the priorities of cybersecurity in operational technology (OT). As the chief information security officer (CISO) introduced electronic medical records (EMRs) as their critical focus area, an unexpected voice chimed in — the chief technology officer (CTO). He pointed out what might seem surprising to many: The elevators controlling patient movements were, in fact, of greater priority.
This perspective shifted the conventional security discourse, emphasizing how intertwined IT and OT systems demand tailored approaches. The discussion elucidated the broader implications of protecting operational assets that have direct ramifications on human lives. This story underscores the need for comprehensive risk assessment across diverse functional domains. By recognizing the elevators' paramount importance, the hospital acknowledged that healthcare's ultimate goal is saving lives, a mission hinging on uninterrupted patient mobility.
It exemplifies why tailored cybersecurity measures must consider intricate operational dependencies — showcasing how zero trust principles not only apply to safeguarding data but also to ensuring critical infrastructure integrity. This insight highlighted the dynamic, situational nuances prompting industries to reassess traditional security frameworks and adopt asset-driven strategies that align more closely with real-world operational exigencies.
"Start small, get a win and then repeat…"
Innovation in this context means redefining an organization's approach to its resources from the inside out. "Start with what you need to protect — your data and core assets — and let your strategy flow outward," Kindervag asserted. This seemingly simple yet profound rethinking propels organizations away from traditional protective postures towards nimble, adaptive security ecosystems.
Zero trust isn't merely technological; it's practical, scalable and prioritizes business continuity. Examples of successful zero trust implementations across various industries, including healthcare organizations prioritizing patient transport systems over electronic health records, showed a systemic focus. Each case underlined the need for tailored assessments based on unique operational dynamics, a poignant reminder of zero trust's versatility.
Protecting digital privacy
Still, physical infrastructure protection remains but one facet. Protecting digital privacy is equally contentious, particularly when balancing state-sponsored oversight against individual liberties. Facing this tension head-on, Kindervag stated, "Privacy can be taken too far in the digital world.
"You don't have enough visibility to know whether someone is engaging in malicious activity, and you won't discover it until it's too late due to governmental policies related to privacy. Now, privacy is a good thing, but it can be taken too far in the digital world. We need to make a distinction between the digital world and the analog world.
"Often, we anthropomorphize the digital world to understand it from our analog perspective. So, when we say things like, 'John is on the network,' it's not literally true. Neither John nor anyone else has actually shrunk down to traverse a network or appear on a Zoom server — this only rarely happens in movies like 'Tron' or 'The Matrix.' We anthropomorphize things for comprehension, but this creates problems when we equate a digital identity with a human being. People often say to me regarding zero trust, 'John, you're saying people aren't trustworthy.' I'm not saying that at all — I'm saying people aren't packets.
"A packet doesn't tell you about the person; it's simply data transmitted through keystrokes from a device. When you examine a packet capture, you can't discern if the sender has long or short fingernails, red hair or blue. It's essential to realize that conflating the digital with the analog leads to misunderstandings, forming one of our fundamental issues."
As our conversation ventured deeper into challenging territories, Kindervag imparted leadership insights calling for a collective embrace of strategic thinking. His views reflect prevalent issues within an industry battling legacy friction — detrimental silos and obsolete compliance models:
"So I always say, zero trust has two sides. There's the strategic and tactical. The strategic side will never change. It was designed to resonate up to the highest level of any organization, yet be tactically implementable using commercially available, off-the-shelf technology. But I always knew that the technology would get better and better. So there are no constraints on the technology, no sure programmatic things that say you have to use this product or that product, because zero trust isn't a product. And so we see it get better and better."
For those new in their career…
For anyone stepping into cybersecurity today, Kindervag encourages blending technical acumen with strategic foresight. On cultivating future innovators, he advised, "Get the basics right first — know how things work, then build business understanding." Addressing junior professionals inspired by his journey, Kindervag stressed an ethos of embracing hard problems.
"Do you want a job or do you want a purpose? Right? If you want a purpose, this is a great career for you. If you're purpose-driven, if you're mission-driven, this is a great career for you. A friend of mine named Dan Kaminsky, who you may have heard of, very famous. He found the Kaminsky vulnerability in DNS and got that patched up. But one of the most brilliant people I've ever met, and I remember, I was at an event, and he was giving a speech and he was talking about this next generation of people who are coming in and he said, 'I get really tired of hearing people say, "Oh, doing this is hard."' And he said, 'Folks, we are cybersecurity people. We worship hard.' Meaning we worship the hard problems. If you aren't a person who likes to solve hard problems, then you probably should be in a different job. There are easier things to do."
John Kindervag's ongoing work underscores purposeful evolution within the cybersecurity domain. Despite perceived complexities, his push toward protect surfaces renders zero trust equally relevant and practical in safeguarding dynamic landscapes. With emergent scenarios, whether OT environments converging with IT systems or cross-industry benchmarks, his approach represents a paradigm for optimizing, securing and innovating strategically.
Meeting John Kindervag reiterates the transformative power of ideas driven not by constraints alone, but by ambitious creativity enmeshed in concerted action. The zero trust architecture's promise lies ahead: not merely shielding today's assets but sculpting tomorrow's free, transparent, digitally enabled world.