Why Incentives Will Determine Your Zero Trust Maturity

Vice President, Industry Solutions
On a recent episode of The Segment podcast with Ross Haleliuk, a cybersecurity expert and co-founder of a stealth-mode cyber startup, I realized that security is a lot like driving.
Drivers know the rules of the road. They learned them and passed the test. And yet accidents still happen. Not because people don’t know the rules, but because they’re distracted, in a rush, or trying to get somewhere faster.
That same dynamic exists in cybersecurity.
We often define Zero Trust through architecture and tools. Those controls matter, but there’s a deeper issue.
In most organizations, the security team is the only team in the business measured on security outcomes.
That gap is structural. Incentives drive behavior, and behavior shapes risk.
Zero Trust recognizes this reality. It assumes mistakes will happen and limits the damage when they do. It can’t succeed through policy alone. It requires influence and alignment across the business.
Zero Trust is about behavior, not just technology
Zero Trust is often described as an architecture. We talk about microsegmentation, least-privilege access, and continuous verification.
Those are all important. But technology alone doesn’t make Zero Trust work.
Zero Trust is also a behavioral system.
The security team is responsible for security outcomes. Other teams have different priorities. Engineers are measured on how fast they ship code. IT teams are measured on how quickly they close tickets. Sales teams are measured on revenue.
Security teams are measured on preventing incidents that may never happen.
That creates tension.
If an engineer takes extra time to review access controls, they may slow down delivery. If IT spends more time reviewing permissions, they may miss their ticket resolution targets. If a salesperson shares a sensitive document to close a deal faster, they may hit quota.
None of these actions are malicious. They are rational responses to incentives.
Zero Trust recognizes this reality. It assumes that people will optimize for their goals. Instead of relying on perfect behavior, it builds guardrails. It limits how far access extends and reduces how much damage a single mistake can cause.
That is why architecture matters. Zero Trust requires practical controls that contain risk when human incentives pull in other directions.
Zero Trust is built through relationships
During our discussion, Ross compared security leadership to product management. Product managers rarely have direct authority over engineering, legal, or operations teams. They succeed by building trust and aligning stakeholders around shared goals.
Security leaders must do the same.
It’s easy to publish a policy, but it’s much harder to influence behavior across teams with different incentives. Yet Zero Trust depends on that influence.
Policies are necessary, but they aren’t enough. If security teams rely only on policy enforcement, they end up managing exceptions instead of reducing risk.
Real progress happens when security leaders build relationships, explain risk in business terms, and connect controls to outcomes that matter. That requires communication skills, not just technical expertise. And those relationships give teams across the business an incentive to care about security, too.
Operationalizing Zero Trust beyond compliance
Compliance regulations also shape incentives. Some criticize compliance as a box-checking exercise, but Ross sees it as a starting point.
Compliance forces organizations to build baseline controls. It ensures that basic hygiene isn’t optional, but it doesn’t guarantee resilience.
Zero Trust goes further. It assumes that compliance alone won’t stop an attack. It focuses on limiting damage and enabling faster recovery.
The organizations that handle incidents best aren’t always the ones with the most advanced tools. They’re the ones that operationalized fundamentals every day.
They maintain asset inventories, review access regularly, segment critical systems, and monitor internal traffic.
The work is repetitive and rarely glamorous. But it makes a measurable difference when something goes wrong.
Zero Trust works when the business commits to it
Digital environments are only becoming more connected. Cloud services, third-party integrations, and automation expand the attack surface every year.
In that world, Zero Trust can’t be a one-time project or a tool the security team deploys and manages alone. It has to become part of how the business operates.
If incentives stay misaligned, security will always feel like friction. But when Zero Trust is framed around resilience and containment, the focus shifts. The goal isn’t perfection but rather limiting fallout and recovering faster when mistakes happen.
Organizations that embrace this mindset may still face attacks, but they’ll contain the damage, protect trust, and avoid turning incidents into crises.
That is the ultimate benefit of a Zero Trust security strategy.