Ep. 22: Zero Trust Reality Check — What Actually Works
Everyone talks about zero trust, but few have actually implemented it end-to-end. Michael Torres has. I sat down with him to separate the marketing from the reality.
Full Transcript
Michael Torres is CISO at an enterprise SaaS company with 4,000 employees across 12 countries. He spent the last two years implementing zero trust from scratch. Michael, what did you learn?
The biggest lesson is that zero trust is a journey, not a product. No single vendor gives you zero trust out of the box, no matter what their marketing says. It took us 22 months from start to what I'd call 'meaningfully implemented,' and we're still iterating.
Walk us through the vendor evaluation. Who did you look at?
We evaluated Zscaler, Palo Alto Networks, and Cloudflare extensively. Each has real strengths. Zscaler has the most mature ZTNA capabilities — their private access product is genuinely good. Palo Alto has the broadest integration ecosystem, which matters when you're trying to unify policies across dozens of tools. Cloudflare surprised us with their developer-friendly approach to SASE — if you're a cloud-native organization, it's worth a hard look.
Which did you choose?
We went with Zscaler for network-level zero trust and kept Okta as our identity foundation. The identity layer is the real foundation of zero trust — without solid identity, nothing else works. We spent the first four months just getting identity right before we touched the network.
What was the hardest part?
Micro-segmentation. Everyone talks about it like it's a checkbox. It's not. Mapping every application flow, understanding which services need to talk to which other services, and then writing policies that are tight enough to be secure but loose enough to not break production — that took six months alone. And we had to iterate multiple times after breaking things.
Any vendor that's overhyped in the zero trust space?
I won't name names, but there are vendors claiming 'zero trust in a box' that are really just VPN replacements with better marketing. If a vendor tells you they can give you zero trust in 90 days, they're either lying or they have a very narrow definition of what zero trust means.
What's your advice for a CISO starting a zero trust initiative today?
Three things. First, start with identity. Get your identity house in order before you buy any zero trust products. Second, get executive sponsorship. This is a multi-year transformation, not a project. You need sustained budget and organizational patience. Third, be honest about your timeline. 18 to 24 months for a mid-size enterprise. If someone tells you it'll take 6 months, they're selling you something.
Michael Torres — one of the most practical zero trust conversations I've had. Thank you.
Thanks Alex. Happy to help anyone avoid the mistakes I made along the way.