Get the Newsletter

Demystifying Zero Trust Misconceptions as a Buzzword and Strategy | Aaron Brongersma and Dr. Chase Cunningham

Interested in sponsoring an episode like this with your target buyer?

→ Reserve your sponsorship here. ($2,575)

When a concept or strategy gains enough traction, marketing and sales jump in to capitalize on it, and eventually, it becomes a poisoned well from which people draw.

This happens not because the strategy itself lacks merit, but because we, as humans, get saturated with information, and anything that everyone is talking about begins to seem like BS.

However, just because there's a lot of noise around a particular concept doesn't mean that there isn't something valuable at the core.

Brutally honest insights from Aaron Brongersma, Leader of the Cloud Center of Excellence at Check Point and Chase Cunningham Chief Strategy Officer (CSO) at Ericom Software.

In this episode of Audience 1st, Dani Woolf had a conversation with Aaron and Chase about their challenges, goals, what vendors do that piss them off, and the alternatives.

Guests at a Glance

💡 Name: Aaron Brongersma and Chase Cunningham 

💡 What they do: Aaron is currently the Leader of the Cloud Center of Excellence at Check Point and Chase is currently the Chief Strategy Officer (CSO) at Ericom Software and creator of the  Zero Trust eXtended framework.

💡 Where to find Aaron and Chase:  Aaron Brongersma and Chase Cunningham 

Episode Insights:

What motivates Aaron in his role as Cloud Center of Excellence Leader?

Aaron Brongersma is leading the newly formed Cloud Center of Excellence team at Check Point and one of his primary objectives is to shorten the lifecycle between pre-sales and post-sales.

He wants to eliminate the weird stigma of people saying it's not their job when facing roadblocks while working with customers. 

“You know, when you work with a customer and sometimes you hit that roadblock and you're like, ‘eh, that's not actually on me.’ Well, my team, we're kind of the folks that first run into it and solve problems for our customers. And then we'll sort out who owns it later,” says Aaron.

Aaron has worked as an individual contributor, manager, and product owner throughout his career, and his primary motivation is being passionate enough about the problem space he's trying to resolve. 

Aaron claims, “If I don't feel passionate enough about the problem space that I'm trying to solve, it really removes my energy, so I definitely need to be pumped up about the problem.”

Security has always been a challenge for every organization he's been at, and this was an opportunity for him to bring infrastructure engineers to the table. 

They're used to doing all the automation, but now it's time to step up and think of security first when rolling out infrastructure.

What's Chase's bleeding neck challenge as the Chief Strategy Officer?

As the Chief Strategy Officer at Ericom Software, Chase faces a major challenge: making security available for everyone in the digital space, considering it a human right. 

He's a former red teamer and has worked with the government, and he doesn't like the power shuffle happening in the digital space where we are not in the winning position.

Chase's current "bleeding neck" challenge is getting people to stop wasting money on phishing training.

 Although he thinks that training people to be smarter about clicking links and knowing what's going on is essential, he believes that some of the budget should be reallocated towards technology, not just human fixes. 

This is because people click things and there are technologies available that can substantially reduce the chance of a successful exploit from a phish.

Chase works with many small and mid-sized businesses and doesn't want them to waste money on something that decades of data tell us statistically won't make a difference. 

His goal is to make security available for everyone in the digital space and to ensure that companies are spending their resources on the right solutions.

“Well, the biggest thing is to get people to stop pissing money away on phishing training, honestly. It's not that I don't think we should train people to know what's going on and be smarter about it, meaning clicking links and whatever else. And that's my current bleeding neck challenge: what I'm trying to do is to reallocate, not all of it, but some of that budget towards technology, not human fixes. Because we're people. People click things.” 

What's Aaron’s bleeding neck challenge in his role managing the Cloud Center of Excellence team?

Aaron's main challenge this year is to tackle alert fatigue and the overwhelming amount of alerts that come with it. 

He believes that fighting alert fatigue is crucial to achieving Zero Trust, as it's hard to fix problems if you can't trust the alerts or the systems that are supposed to notify you of potential issues.

“If you can't trust your alerts and if you can't trust the systems that you have in place to let you know when there are problems, how will you ever fix them?”

To address this challenge, Aaron has been collecting a lot of data, ranging from posture management to network security. 

He thinks that it's time to take advantage of the new and exciting advancements in AI and machine learning to supercharge the people who manage these systems.

“Instead of giving me 30,000 alerts of maybe on a scale of 1 to 10, give me the top 10 from a range of 8 to 9, so I can go stomp those out first thing in the morning because I'm not going to spend all day solving these problems,” Aaron says.

By doing this, he believes that he can make a significant impact in reducing alert fatigue and enabling his team to be more effective in managing these systems.

What's the deal with all the stigma around Zero Trust?

  • When a strategy gains enough traction, we get saturated with information and anything everyone talks about seems like BS.

According to Chase, when a concept or strategy gains enough traction, marketing and sales jump in to capitalize on it, and eventually, it becomes a poisoned well from which people draw.

“It's like anything else in any space, when there's enough gravity behind it, marketing and sales go, Ooh, I could use that and I can make some money off of it,’” asserts Chase.

This happens not because the strategy itself lacks merit, but because we, as humans, get saturated with information, and anything that everyone is talking about begins to seem like BS.

However, just because there's a lot of noise around a particular concept doesn't mean that there isn't something valuable at the core.

Chase believes that the perimeter-based model of security has been fundamentally flawed for over a thousand years, dating back to the fall of Troy. 

“I like to remind people, do you know when the first failure of the perimeter-based model security was? It was the fall of Troy. That's why we used to call malware Trojans actually,” Chase says.

Despite this, we have digitized and accelerated this model without addressing its inherent flaws. 

The Zero Trust model has finally gained acceptance because it acknowledges the reality of the adversary's needs to succeed.

However, Chase emphasizes that just because you've addressed some of the fundamental flaws in your security model, it doesn't mean that you'll never be breached. 

He advises organizations to focus on control and response rather than worrying about getting hacked, which is inevitable.

Chase asserts, “I told people I already do workshops with, you're going to get hacked, that's just a given. So don't worry about it. Deal with control and response, those types of things.”

  • Concepts get twisted distorted with marketing buzzwords that start as good intentions

Aaron thinks that the challenges surrounding marketing buzzwords often begin with good intentions, but as companies put their spin on it, the original concept can become twisted and distorted. 

“As developers and as engineers, we need to start releasing our applications as if they would be immediately on the internet, and then treat our end users as if they were always on the internet. And I think that that started down a really healthy path,“ says Aaron.

He further adds, “When it gets productized, every company puts their spin on it. And that's where something good can kind of be turned around and spun in different directions.”

He believes that at the heart of the matter, organizations need to start asking deep questions about how they can extend services to their end-users and customers.

While it's easy to get caught up in the hype and noise surrounding new strategies or concepts, it's essential to remain grounded in the fundamental principles that underpin them. 

Organizations should focus on their end-users and customers and ask themselves how they can best serve them.

How can vendors prescriptively and successfully map solutions to the Zero Trust eXtended framework?

Chase created the Zero Trust eXtended Ecosystem in Cybersecurity during his time at Forrester, which has been adopted by the Department of Defense and is being used internationally. 

“If you're a vendor and you're trying to figure out how you fit into a Zero-Trust strategy, go Google Zero Trust eXtended ecosystem, look at the framework and then map yourself to that framework,” says Chase.

Aaron also emphasizes the importance of using frameworks, whether it's for Zero Trust or cloud security in general. 

When talking to customers, it's essential to maintain a neutral third-party perspective, which helps level the playing field for an RFI or RFE for a customer and removes any bias towards a specific vendor.

Before mapping to a framework, it's essential to understand the customer's expected outcomes, gaps, and goals for moving in a particular direction

Four questions to ask customers before getting to the point of a framework, according to Aaron, are:

  • What is the expected outcome?
  • What gaps did you have? 
  • Why are you doing this? 
  • How do you evolve what you're doing today to move in that direction?

Mapping to a framework keeps vendors honest, ensures they stay on the right path.

“But it also kind of shows you a maturity model. If you don't know where you're at on the spectrum there, it's really difficult to move forward and have an effective program,” says Aaron.

“Check Point maps to these frameworks as well. And we do that a lot of times in a discovery session or in a workshop and we'll sit down with our customers. But it's very much tailored,” he adds.

Dropping in a pre-canned RFP or white paper doesn't work since every organization is unique, and vendors must understand the organization they are solving for to provide effective solutions.

What are some of the ways vendors can better understand their buyers?

  • Identify and address any communication gaps between teams to ensure a smooth and efficient implementation of Zero Trust.

One of the biggest challenges he encounters is getting the right people at the table when driving an initiative such as Zero Trust. 

This is often because different teams within the organization don't communicate effectively with each other. 

As a result, the process becomes drawn-out, painful, and costly for the customer.

“The longer the engagement goes on the vendors win. And when the vendors are engaged for a long period of time our customers are losing. They're not solving the problem,” says Aaron.

From sales perspective: 

  1. Map the organization: Understand the customer’s organizational structure, departments, and teams involved in the project.
  2. Identify the right people: Ensure that all the necessary stakeholders and decision-makers are present, and the right representatives from each department are attending the meetings.
  3. Define the problem: Identify the issue that needs to be solved and outline the expected outcomes.
  4. Set goals and timelines: Establish clear goals for the project, including timelines for completion and key milestones.
  5. Understand the products and services: Assess whether the current products and services meet the organization's needs or if there are gaps that need to be addressed.
  6. Discuss internal and external products: Determine whether the products and services are internal or external, how they are being used, and whether they need to be replaced or upgraded.

“It's very important to make sure that we treat this as a doctor’s check up. They're going to ask you a ton of questions to make sure that you've got a health check and that you're healthy. And if you don't do those basic fundamental things, you're already set up to fail,” says Aaron.

  • Diagnose the problem.

Chase says, “The thing I usually run into, it's not a technology or an operational problem, it's always a leadership issue. You need someone who has bought in on where you're going and what you're doing, and will actually drag you kicking and screaming towards success.”

Chase further emphasizes the importance of understanding where you are in the process before beginning to plot your journey towards a goal. 

Why try to persuade somebody before knowing the state of the union?

In other words, before trying to sell a solution or pitch a marketing idea, it's critical to diagnose the problem first. 

This holds true in any field, including marketing and sales. Before going out and making a pitch, it's essential to gather all the necessary information and understand the current state of affairs to create an effective solution. 

By taking the time to diagnose the problem, you'll be better equipped to address the issue effectively and provide a solution that actually solves the problem at hand.

  • Ensure operational efficiency.

“One of the things that I've noticed a lot as well is even when I'm answering an RFI or I'm solving a problem for a customer, they’re very much focused on ‘you sold me the widget, you sold me the service, you sold me the solution, now we're done.’ 

This is what backup software vendors used to do to you. They sold you some backup software. They said, yeah, you're great to go. And you could implement the best backup software but if you never tested your backups, how do you know if it was ever effective [...] So, some compliance checkbox is checked but it never turns into an operational efficiency.”

During the implementation process, it's important to keep a focus on the operational management of Zero Trust, as well as the overhead and visibility that will be required.

Key questions to always ask yourself as you implement Zero Trust:

  • Can we operationally manage zero trust?
  • What is the overhead on our team? 
  • How fast can we respond? 
  • Do we have visibility? 

“All of these little tiny things, the most important things, get swept under the rug because of the checkbox of saying ‘we did zero trust’ but no one really ever tested it,” says Aaron.

Chase supports Aaron’s claims and adds, “I was talking to a company that was selling security software. We were talking with their board and they were discussing why they weren't getting growth and I asked how many folks in this room are using this software they’re trying to sell right now. Nobody raised their hand… and I was like, you're all liars. You're all selling crap and this is why no one will buy your product.” 

It's crucial for vendors to have faith in their products and services. 

If they don't believe in their own solutions, it's unlikely that their customers will either.

Companies must be willing to use their own products and show their customers that they truly believe in what they're selling.

How does Chase see the Zero Trust eXtended framework shifting or evolving in the future given the dynamic nature of the market?

  • Users → Identities

Chase reflects on how the concept of users in the Zero Trust framework has evolved over time.

“When I put that together, I created a pillar for users. And honestly, I got that wrong,” says Chase, “and the reason I say that was at the time, our focus was on human users as part of the equation.”

Initially, the focus was on human users, but with the advancement of technology, everything now has an identity, from devices like thermostats to web-enabled toilets.

These identities are what allow access to various systems and networks. 

As a result, the concept of users has expanded to include all identities, not just human users.

Chase admits that he made a mistake in his original framework by not considering this broader perspective, but he emphasizes the importance of learning from mistakes and evolving the framework to reflect the changing landscape of technology and security.

“It is always great to look back at something that you put in the market and go, I screwed up there. I think that we collectively need to modify that.”

What are some ways cybersecurity vendors and the folks working for the vendors can quickly and authentically establish trust with buyers?

  • Admit when you are not the winner.

Aaron believes that honesty and integrity are key to building strong, long-lasting relationships with customers. 

He values being transparent about what his product can and cannot do, even if it means admitting that his company may not be the best fit for a particular customer.

For Aaron, the goal is not just to close a deal, but to truly understand the customer's needs and pain points, and to work collaboratively to find a solution that works for them.

“The worst feeling is to sit across from a customer and be misaligned at the goal. If your goal is to close the deal because it's the only way you’re going to hit your number this quarter, then that's not the right approach to walk into a meeting.”

When Aaron walks into a meeting, he wants to understand:

  • How can we help you? 
  • What's falling down? 
  • What can we do to get you up and running immediately?

Building trust is crucial in the vendor-customer relationship, and honesty and transparency are essential to achieving that trust. 

If a vendor is only in it for a quick paycheck, rather than a genuine desire to help the customer, that will ultimately lead to misalignment and a lack of trust.

“If a person sitting across from you at the table is only in it for a paycheck, then this is a no go.”

  • Admit when you are not a right fit for the customer.

Being transparent about your product’s capabilities and being honest about where your weaknesses lie is key to building trust with your customers. 

Aaron states, “some of the strongest relationships I've ever had with customers is telling them when I'm not the right fit for them. I just think that that's the more-fair way to be in business and I think that that's how you establish your trust with your customers.”

“If you’re sure about your product and you’re honest about what your product capabilities and where your weaknesses are, it's all software afterwards,” he adds.

Software is a tool that can be tuned and trained to meet the needs and expectations of customers. 

However, it's important to be clear about what your product can and cannot do. 

By being honest about your product's capabilities and limitations, you can avoid setting unrealistic expectations and disappointing your customers in the long run.

Chase makes an interesting comparison between trust in the physical space and the digital space.

“I ask people like, well, why do you have doors in your house and on your front door? And they're like, well, because it keeps stuff out. Okay. But you trust your neighbors, you trust your family, why do you have a door? Well, because I just want to know when they're there,” he says. 

Similarly, in the digital space, we need to have the ability to understand what's going on and have control over the transactions that are taking place, even if we trust the people we're interacting with.

This is where the concept of zero trust comes in. 

By respecting zero trust principles, we can actually build trust with the people we interact with, as it allows us to have control and visibility over our digital transactions.

However, if we disrespect zero trust principles as vendors trying to engage buyers and disregard someone's right to control, it can break trust and ultimately harm relationships.

Where is Zero Trust heading in the next 3 to 5 years?

In the next 3 to 5 years, Zero Trust is expected to migrate towards cloud environments as they offer more operational capabilities at scale.

“I think cloud is where things migrate to because cloud is your last greenfield environment and there's so much more operational capability that you can have at scale there,” says Chase.

The policy engines work well on cloud instances and self-sovereign identity biometrics and continual authentication will be combined to make the digitization of our persona more applicable in the context of ZT, according to Chase.

“We've jumped the shark on being digital and the digitization of our persona becomes even more applicable in this context, and ZT, if done correctly, actually enables that transition.”

This will make it easier for people to authenticate themselves without having to remember a hundred passwords and usernames.

“The network itself becomes less leveraged over the course of the evolution for the next three to five years because of the fact that in reality the network shouldn't be a security thing. The network moves electrons. It should be something that you use to broker connections and do isolation control. 

But we should not have so much focus on security of the network because the network is meant to move. That becomes abstracted away as ZT around entities becomes more clarified,” adds Chase.

Closing thoughts: understand your and your customers’ state of the union

  • Understand where you are.

Understanding the state of the union for both yourself and your customers is key to success.

“Just be smart about what you're doing and really deal with the reality of what you're facing. And you can't do that if you don't understand where you are. So, start there,” Chase says.

This involves mapping out the organization, identifying the right people to have at the table, and diagnosing the problem before proposing solutions.

It also involves being honest about your product's capabilities and limitations, and admitting when you're not the right fit for a customer. 

  • Honesty, integrity, and a willingness of practitioners to ask vendors tough questions is key to building trust.

Aaron says, “Just go and ask a couple extra questions. Dig a little deeper. Ask vendors, ‘Is this real? Are people running their workloads on this? Can you provide a reference?’ All of those things add up to build your trust and confidence in your vendors. You absolutely need to do those things to be successful in this space.”

As the landscape of Zero Trust evolves in the next three to five years, there will be major changes in technology and frameworks, particularly in the areas of cloud, identity, and network security.

Staying informed, being adaptable, and maintaining a focus on trust and transparency will be crucial in navigating this rapidly changing field.

Interested in sponsoring an episode like this with your target buyer?

→ Reserve your sponsorship here. ($2,575)

Subscribe to Audience 1st

Get notified every time an episode drops to better understand your audience and turn them into loyal customers.