
The Zero Trust Hub Editions
Zero Trust trends, insights, and resources for today’s cybersecurity leaders
Stop Treating Symptoms: Why Cybersecurity Keeps Relapsing

Chief Evangelist
My friend and Zero Trust expert Dr. Chase Cunningham was badly injured while serving in the Navy during the Global War on Terror. He spent years on the highest dose of fentanyl a body can safely take, alongside up to 20 Percocet a day, because that was the VA’s answer to his chronic pain.
Every time he complained, the system gave him more of the same medicine that wasn’t working. Nobody stepped back and asked why the pain kept coming back. They just raised the dose.
Chase eventually walked away from that protocol and rebuilt his entire approach to recovery from the ground up. He’s healthier now in his forties than he was the day he was medically retired in his thirties.
I think about Chase’s story every time I look at a typical enterprise security stack.
Our industry treats breaches the way the VA treated his pain, with more of the same medicine, dispensed in higher and higher doses, contract after contract. Similarly, when a cybersecurity incident happens, we buy another tool, we add another box to the warehouse, and we call it progress.
Then another incident happens, because we keep dosing the symptom and leaving the disease untouched.
Zero Trust is the discipline that finally asks security leaders to step back, diagnose the actual problem, and build a system that stops relapsing for good.
Defense in depth is expense in depth
Our colleague Rick Holland gave this phenomenon its honest name years ago: Expense in Depth. Buy enough products, the thinking goes, and something in the pile will eventually stop a breach.
Stacking unrelated tools tends to produce complexity rather than coverage. Controls are built to monitor and block traffic in siloes, ending up in conflict.
In general, this approach leads to unwieldy management overhead. So teams loosen policy just to make things work. Everything in cybersecurity comes down to policy, and complex systems drive overly permissive policy.
This is much like two specialists prescribing medication without ever consulting one another.
I once watched five CISOs cycle through a single organization in seven years, each one arriving with a blank check and a fresh stack to build, on top of whatever the last CISO had already piled up.
Nobody pruned the old prescriptions. They just kept writing new ones, until that company was running somewhere around 60 separate security products at once.
Sunk cost keeps shelfware hanging around long after everyone privately admits the purchase was a mistake. Many times, it outlives the three-year contract it was sold under.
In a market moving as fast as ours, three years might as well be a decade.
Policy, not products: the anti-fragile Zero Trust prescription
This is where the actual cure starts. Security leaders need to ask how the system should behave, not which product to buy next.
A Zero Trust security strategy gives you a set of policies that govern how every packet, every identity, and every workload is allowed to move. This is all built on the principle that nothing inside your environment earns automatic trust just by being there.
Segmentation is what makes that principle enforceable. It turns policy into breach containment, drawing the boundaries that keep an intruder who gets past one control from roaming freely through the rest of the system.
Architecting policy at the system level, rather than acquiring point products one purchase order at a time, is what finally treats the underlying condition. It builds something closer to a healthy body than a medicine cabinet.
The human body gets stronger under the right kind of stress. Lift the weight, and the muscle rebuilds tougher than before.
Nassim Taleb called this anti-fragility, and it applies directly to how we should be building security architecture. A Zero Trust environment, segmented and governed by granular policy, gains strength from every attack.
Cybersecurity can’t afford another relapse
Attackers are moving too fast for our budgets to keep up. And every dollar spent on shelfware is a dollar not spent fixing the structural problem.
Boards are asking harder questions about accountability after a breach, and a stack of best-of-breed receipts is wearing thin as an answer for regulators, customers, and shareholders.
Our industry can’t afford another cycle of symptom chasing. Step back, diagnose the system you’re actually protecting, and build the Zero Trust architecture that keeps it well.
That’s how cybersecurity finally stops relapsing.
STATSHOT
Buying a Way In
Many ransomware groups buy access from initial access brokers, or IABs, that sell entry into compromised environments. This lets attackers focus on moving through the network, getting higher-level access, and deploying ransomware. VPN and RDP make up nearly four in five IAB offers. Other access types like SSO, ProxyShell, and RMM are less common, but they still give ransomware groups more ways to access the environment.
