Small Team, Huge Wins: How STCU Proves Zero Trust Cybersecurity Works
When you picture a financial institution defending itself against cyberattacks, you might imagine hundreds of security engineers and a sprawling SOC. STCU looks nothing like that.
With just five people on the application administration team, STCU could have easily accepted the narrative that Zero Trust is “too big” for a regional credit union of its size.
But instead, it leaned into the challenge. And today, it has made substantial progress on its Zero Trust journey.
On a recent episode of The Segment podcast, I sat down with Greg Mitchell, application administration manager at STCU. We discussed why Zero Trust is a necessity for organizations of every size and how it’s entirely achievable with the right mindset and approach.
Zero Trust isn’t just for giants
STCU is one of the largest credit unions in the Pacific Northwest. But compared to massive financial institutions with security orgs to match, it’s lean.
That’s exactly why its Zero Trust story matters.
“Smaller organizations don’t have to break the bank,” Greg said. He explained that the latest and greatest application or software isn’t going to propel your Zero Trust strategy that much further. It’s about analyzing what you already have and figuring out how to do more with it.
That mindset shift — from limited to resourceful — is what allowed STCU to treat Zero Trust as a business initiative, not just a security project.
Treat security like a business priority
For Greg, the key to STCU’s success on its Zero Trust journey was reframing the initiative. He wanted to make sure the business saw it as a cross-functional imperative.
“We agreed that Zero Trust was just as important as the progress toward our business and technology goals,” explained Greg. “We treated it like any other major project.”
That meant including it in quarterly project check-ins, assigning clear owners, and communicating regularly with stakeholders — not just within IT, but across the business.
Sponsorship by business leaders like Greg’s director also played a critical role.
“Our director had the foresight to push this conversation with the other leaders and say, ‘This is important,’” Greg said. “That leadership buy-in made everything else possible.”
Progress, not perfection, is the goal
STCU is well ahead of most organizations with its Zero Trust implementation. But company leaders know that Zero Trust doesn’t have a stopping point.
“Zero Trust isn't something you set and forget,” Greg said. “You constantly have to revisit each application and ask, ‘What more can we do?’ Because attackers are always trying new things.”
Fortunately for defenders, even partial coverage makes a difference.
Why Zero Trust matters for SMBs
Zero Trust is a mindset.
And that mindset is especially important for small and midsize businesses — not in spite of their size but because of it.
Smaller teams wear more hats. They can’t afford complex security strategies. But they can build Zero Trust with the right mindset, the right leadership support, and a practical approach.
If you’re leading a lean team and wondering if Zero Trust is achievable, the simple answer is that it is. It just takes focus, planning, and a commitment to getting better every day.
As Greg reminded us, “There’s always more you can do. But you have to start somewhere. And you have to keep going.”

Raghu Nandakumara
Vice President, Industry Strategy