‘Expense in Depth’: Why You Can’t Spend Your Way to Zero Trust Security
Zero Trust creator John Kindervag once said, “If security is about buying enough stuff or spending enough money, then we’ve done it.”
In cybersecurity, we love the idea of defense in depth. But somewhere along the way, it turned into expense in depth.
I think it’s one of the most uncomfortable truths in our industry. We’ve spent decades piling on tools like souvenirs, convinced a heftier, pricier security stack meant safety.
Yet breaches keep coming with more damage than ever.
That’s why the myth of buying a “Zero Trust platform” and instantly achieving Zero Trust is so dangerous. It’s a tempting shortcut: sign the contract, deploy the tool, and tell the board you’re “doing Zero Trust.”
But Zero Trust isn’t a product. It’s a strategy you design, build, and commit to over time. Confuse a purchase with a plan, and you’re wasting money while putting your organization at risk.
Buying isn’t the same as building
Your Zero Trust journey shouldn’t start with a purchase order.
Technology might be something you’ll need as part of your Zero Trust strategy. But you shouldn’t be buying anything without a clear plan for what you’re protecting and how.
Zero Trust starts with architecture, not technology. Before you evaluate vendors, you have to define your protect surface. This is the specific data, applications, assets, and services that are most critical to your mission.
Everything else flows from understanding your protect surface.
If you skip this step and go straight to tools, you’re likely to end up with a solution that’s misaligned with your actual risks.
Tools don’t automatically give you the context you need to enforce Zero Trust. That context is unique to your organization’s environment, and you have to build it yourself.
The illusion of instant security
Part of the problem is how the industry has talked about Zero Trust.
Many vendors want you to believe their platform is the magic key to Zero Trust. And to be fair, many of them do offer valuable Zero Trust capabilities. But even the most advanced platform can’t deliver Zero Trust on its own.
Think about it this way. Buying a gym membership doesn’t make you fit. It gives you access to the equipment you need, but you still have to show up, learn the right form, and put in the work.
Zero Trust works the same way. The platform is only as effective as the architecture, policies, and processes you design around it. Without that foundation, you’re just paying for potential.
And even worse, a big purchase can create a false sense of security. Leadership feels like the problem is solved, budgets get reallocated, and the security team moves on to the next project — all while critical gaps remain wide open.
Those gaps are exactly where attackers thrive.
Building Zero Trust the right way
You will need Zero Trust tools to achieve your strategy. But instead of looking at tools first, you should reverse the order of operations.
Start with visibility. Map every flow in your environment, not just between users and applications but between workloads, APIs, and cloud services.
This is the blueprint that tells you where the risks are and how to contain them.
Once you have that map, you can design policies that limit access to only what’s necessary. Then you can choose tools that align with this architecture instead of trying to bend your architecture to fit a tool.
The technology will still matter, but it becomes an enabler rather than a crutch.
The result is a Zero Trust approach that’s specific to your environment, measurable in its effectiveness, and adaptable as your business evolves.
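To make the order of operations above concrete, here is an added example (not code from the original post or from any vendor platform) that derives a default-deny allow-list for a protect surface from a flow map, and surfaces the flows nobody has justified. The protect surface, the observed flows and the owner-approved list are all constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str      # workload, user group or service that initiates the connection
    dst: str      # asset being accessed
    port: int
    proto: str = "tcp"

# Constructed: the protect surface, i.e. the assets most critical to the mission.
PROTECT_SURFACE = {"payroll-db", "customer-api"}

# Constructed: flows observed during the visibility phase, as if from flow logs.
OBSERVED_FLOWS = [
    Flow("hr-app", "payroll-db", 5432),
    Flow("web-tier", "customer-api", 443),
    Flow("batch-etl", "payroll-db", 5432),   # nobody has justified this one
    Flow("web-tier", "cdn-cache", 443),      # destination is outside the protect surface
]

# Constructed: flows the asset owners confirmed are necessary for the business.
APPROVED = {("hr-app", "payroll-db", 5432), ("web-tier", "customer-api", 443)}

def build_policy(observed, protect_surface, approved):
    """Derive an allow-list for the protect surface from the flow map.

    Returns (allow_rules, unreviewed): allow_rules are observed flows the owners
    approved; unreviewed are observed flows into the protect surface that nobody
    has justified yet, i.e. the gaps the map exposes before any tool is bought.
    """
    allow_rules, unreviewed = set(), []
    for f in observed:
        if f.dst not in protect_surface:
            continue   # governed by that asset's own protect-surface policy
        if (f.src, f.dst, f.port) in approved:
            allow_rules.add(f)
        else:
            unreviewed.append(f)
    return allow_rules, unreviewed

def is_allowed(allow_rules, flow):
    """Default deny: only a flow that matches an explicit rule is permitted."""
    return flow in allow_rules

if __name__ == "__main__":
    rules, gaps = build_policy(OBSERVED_FLOWS, PROTECT_SURFACE, APPROVED)
    for g in gaps:
        print(f"unreviewed flow into protect surface: {g}")
    print(is_allowed(rules, Flow("hr-app", "payroll-db", 5432)))
```

The `unreviewed` list is the point: it is the part of the map that a purchased platform cannot produce for you, because only the asset owners can say whether `batch-etl` actually needs the payroll database.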
Why this Zero Trust myth is dangerous
Too many organizations fall into the “buy first, think later” trap for Zero Trust.
They spend millions, deploy the tool, and check the compliance box — only to discover during an incident that the attackers didn’t care how expensive the platform was.
If the architecture isn’t built to contain them, they’ll find a way around it.
This is why debunking the “buy your way into Zero Trust” myth matters so much. The more we treat Zero Trust as a product instead of a strategy, the more we invite complacency.
And in security, complacency is the enemy.

Christer Swartz
Director of Industry Solutions