
The Zero Trust Hub Editions
Zero Trust Segmentation trends, insights, and resources for today's cybersecurity leaders
Why U.S. Intelligence Is Doubling Down on Zero Trust

Chief Evangelist
For years, I’ve said that Zero Trust was designed to strategically resonate at the highest levels of an organization. At the same time, it’s practical enough to tactically implement using the latest, commercially available, off-the-shelf technology.
Strategies shouldn’t change. That would be too disruptive. But tactics improve with technological innovation. That balance has always been part of the Zero Trust strategy.
So when the Office of the Director of National Intelligence (ODNI) announced a renewed focus on Zero Trust and a shift toward a data-centric model last month, it followed a path that has been building for some time.
This is not a new direction. It builds on years of work across the U.S. government. We’ve seen it in the presidential cybersecurity strategy, in NSA guidance, and in agency programs.
Now we’re seeing another clear signal from leadership. Zero Trust continues to gain support at the highest levels and is becoming a core part of how organizations approach security.
Zero Trust was designed to last
When I created Zero Trust, I didn’t tie it to a specific product or technology. I treated it as a strategy that could adapt as technology changed.
That decision matters even more today. Environments are more complex, systems are more connected, and the pace of change is faster. Even so, the strategy still applies.
Zero Trust was built to serve both leadership and operators. It needed to help leaders manage risk and guide long-term decisions, while also giving technical teams a way to implement controls using tools they already had.
At its core, the approach is simple. You identify what matters most, define your Protect Surface, and verify every interaction with it. That process gives you focus and allows controls to evolve as your environment changes.
Why data-centric security fits naturally
The ODNI announcement places strong focus on data-centric security. That aligns closely with how I first developed Zero Trust.
Early on, I described the process as defining your data. Over time, that expanded into the Protect Surface, which includes data, applications, assets, and services. That shift made it easier to apply Zero Trust across different environments, including operational technology.
The goal hasn’t changed. The focus remains on protecting critical data.
When breaches are defined in legal and regulatory terms, the outcome is consistent. Sensitive data is taken by an attacker. Whether under GDPR, CCPA, or PCI, the result is the same: data leaves the organization.
A data-centric approach addresses that directly. It helps organizations focus on what matters most instead of trying to protect everything equally.
In a Zero Trust architecture, every request is evaluated, and access is never assumed. That reduces the chance of data loss and limits the impact if an attacker gains access.
Past breaches show why Zero Trust is a priority
We don’t have to speculate about the risks because we’ve already seen the consequences.
A good example is the 2015 Office of Personnel Management (OPM) breach. It exposed sensitive data tied to security clearances, created long-term national security concerns, and showed how damaging data loss can be at scale.
That breach also made it clear that when trust is assumed inside a network, attackers can move more freely than they should and reach systems that were meant to stay protected.
Events like this helped shape how the government approaches cybersecurity. They pushed organizations away from implicit trust and toward continuous verification, which is central to Zero Trust.
At the same time, much of the early work around Zero Trust happened out of public view. Many organizations were already implementing it, but they couldn’t always talk about it due to the sensitivity of their environments.
That changed with the 2021 executive order. It made Zero Trust a formal priority across federal agencies and brought more visibility to the work.
Today, every federal agency has a Zero Trust program with leadership, funding, and defined goals. The ODNI announcement builds on that foundation and reinforces the need to continue this work.
Why this matters beyond government
It’s easy to see the ODNI announcement as a government initiative, but the impact goes much further.
Zero Trust is about aligning security with what matters most. It gives organizations a way to manage risk in environments that change quickly and often.
When an organization like ODNI emphasizes Zero Trust, it shows that the approach works at scale. It supports complex systems and high-risk environments, and those same principles apply in the private sector.
The tools may differ, and environments will continue to evolve. Zero Trust principles, however, remain consistent.
That consistency is what allows organizations to manage risk with confidence, even as the threat landscape changes.
STATSHOT
Beyond Defense
Microsegmentation’s value isn’t limited to stopping breaches. The data shows it reshapes how teams operate. From faster response to stronger collaboration and clearer visibility, organizations are building environments that are easier to understand, control, and secure, ultimately reducing attack paths and limiting the fallout of breaches.