Zero Trust in Practice: What You Can Learn from Siemens’ 4-Year Journey

When Siemens kicked off its cloud-first transformation almost a decade ago, it sounded like a modern IT success story. It offered the organization more flexibility, more innovation, and more applications moving at the speed of business.

But behind the scenes, Thomas Mueller-Lynch and his team started to see the cracks forming — not in the cloud migration itself but in the security model meant to support it.

“More and more things went to the cloud which put many, many holes in our perimeter,” Thomas said. “The assumption that we can control the perimeter was simply not true anymore.”

It became clear that a traditional security model was actively putting the business at risk. To truly protect a cloud-first, hybrid enterprise, Siemens needed a new approach. Zero Trust emerged as the modern cyber strategy that made sense.

Thomas and other leaders brought the issue to the board and got approval for a new Zero Trust program as an immediate necessity. What followed was four years of strategic, often difficult, and ultimately transformational work to get Siemens’ Zero Trust journey underway.

This is how Thomas and his team at Siemens built its Zero Trust program and what every security leader can learn from their process.

Year 1: Communicating with stakeholders and defining scope

In the first year, Thomas’s team didn’t deploy tech. They started with conversations.

“Everybody started talking about Zero Trust, but nobody understood what it really meant in a practical way to implement it,” he said.

That confusion became their starting point. If no one really understood Zero Trust, they’d make it their mission to change that.  

They went on what he called a “roadshow” across the business, engaging IT, cybersecurity, and business leaders in honest conversations:

  • What are our dependencies?
  • What security policies do we need?
  • What does success actually look like?

The outcome was shared language, stakeholder alignment, and a scope that reflected both business reality and security priorities.  

Year 2: Preparing back-end systems

Year two was the hardest, and the least visible to the organization.

The team partnered with Microsoft and other key tech vendors to prepare Siemens’ architecture for a Zero Trust model. This meant back-end cleanup, policy enforcement frameworks, and identity integrations — all the behind-the-scenes groundwork that doesn’t get a lot of recognition.

“There were lots of back-end activities that didn’t result directly in risk reduction or tangible results,” Thomas said. “People started asking whether it still made sense or not.”

Thomas believes that this is the paradox of building a Zero Trust architecture. You often have to invest before you can show results. Thomas’s team didn’t waver on their goal, and they kept building Zero Trust.

Year 3: Tangible Zero Trust progress

By year three, the behind-the-scenes work started to pay off. The team showed significant progress in enabling application and factory security.

One of the most impactful milestones was the creation of a live, shareable Zero Trust dashboard. It gave senior stakeholders real-time visibility into the program’s scope and progress.

The dashboard helped prove value. It showed that Zero Trust wasn’t just an IT initiative but an organization-wide effort delivering real outcomes.

Year 4: Turn security into a business advantage

By the fourth year, Zero Trust was no longer just an internal project. The team was excited to help integrate Zero Trust security into Siemens’ products and make it a clear advantage for Siemens in the market.

“We believe the security of our products is a main selling point,” Thomas said. “Having Zero Trust-enabled products is a differentiation argument from our competitors.”

This powerful shift shows that the core of Zero Trust helps to build trust across leadership, customers, and the market.

If you’re still waiting to start Zero Trust, you’re already behind

Siemens operationalized Zero Trust across people, processes, and technology. And in doing so, they proved the Zero Trust journey is a process you build over time and throughout the entire organization.

Understanding that process is more urgent than ever. As enterprises accelerate cloud adoption, expand hybrid networks, and rely more on distributed systems, the security assumptions of the past no longer apply.  

As Thomas experienced at Siemens, the traditional network perimeter is gone. Waiting until “someday” to rethink security and start your Zero Trust journey is a risk no business can afford.

Siemens’ journey reminds us that if you want to build Zero Trust that lasts, it starts by investing early, aligning stakeholders, building the right architecture, and delivering clear outcomes.

Raghu Nandakumara

Vice President, Industry Strategy
