What a Former Citi CISO’s Career Taught Him About Zero Trust

Raghu Nandakumara
VP, Industry Strategy

Carl Froggett, former Citi CISO and current CIO at Deep Instinct, started his career crawling under raised data center floors in a suit and tie. He was pulling cables at Salomon Brothers and wondering why his computer science degree had led him there.

Those early days taught him something technical roles rarely emphasize. Cybersecurity isn’t just about systems. It’s about the business those systems power.

When I spoke with Carl on a recent episode of The Segment podcast, that theme emerged again and again.

Back then, security barely had a budget. It existed because auditors required it, not because the organization saw strategic value. That forced Carl to learn a skill most CISOs still struggle with today — speaking the language of business leaders.

That early lesson has shaped his entire 30-year career in cybersecurity. And it’s the foundation of Carl’s belief that Zero Trust isn’t a technical framework but a critical business strategy.

Zero Trust helps you stop guessing and start proving

Carl doesn’t frame Zero Trust as a product category or a compliance checkbox. For him, it’s about reality.

Today’s reality is that attackers move fast, AI has lowered the barrier to launching catastrophic attacks, and most environments are too complex to secure based on assumptions.

“When every threat is new, evasive, and moving laterally, you don’t have time to debate what’s ‘probably’ safe,” Carl said. “You need facts, visibility, and control.”

Zero Trust gives you a way to stop guessing and start proving. It works across any environment because it’s a strategy for how you architect and operate.

A Zero Trust strategy begins and ends with the business

Carl didn’t get buy-in for his security strategy by talking about MITRE coverage or dwell time.

He earned trust by aligning with what his stakeholders actually cared about: uptime, performance, and customer experience.

“As a CISO, you’re not just securing tech,” he said. “You’re ultimately supporting the business strategy.”

At Citi, that meant understanding every line of business — from consumer banking to high-frequency trading — and shaping security around what mattered most to each team.

That’s why Carl believes Zero Trust should never start with picking a product. It should start with asking:

  • What are you protecting?
  • Who needs access?
  • What happens if they get more access than they should?

Zero Trust works best when it’s grounded in how your business actually runs, not how you think it runs.

Build trust before you need it

Just like Zero Trust depends on understanding your business, it also depends on something just as critical — trust. The fact is that you can’t operationalize Zero Trust in a vacuum.

For example, when Carl tested Palo Alto Networks back in its earliest days, the tech performed incredibly well. But it still took trusted relationships, especially in the security operations center (SOC), to validate the results and drive adoption.

“If I didn’t have that relationship with the SOC, it would’ve been much harder to prove our success and get buy-in,” he said. “You’ve got to build the trust before you need it.”

In one case, a business leader didn’t care about security features. He just wanted consistent app performance. When Carl showed how a Zero Trust strategy reduced latency and unpredictability, that leader became an advocate.

The takeaway is that if you want to lead with Zero Trust, start by listening. Make sure your strategy speaks your stakeholders’ language.

Don’t wait for perfect. Act on what you know now.

As we wrapped up our conversation, Carl reminded me of something we both lived through: there’s never a perfect time to change course. But waiting often costs more than acting.

At Citi, that meant replacing an entire intrusion detection system (IDS) stack in under a year. It meant pushing for new protections before the boardroom was asking for them.

Today, it means understanding that AI-driven threats won’t wait for you to finalize your Zero Trust roadmap. “If you’re too slow, you’re going to get breached,” Carl said. “But if you try to be perfect, you’ll never move.”

That’s the balance every leader needs to strike. Zero Trust doesn’t require perfection, but it does require commitment — from your team and the rest of the organization.
