
Zero Trust Demystified: What the Security Concept Can Truly Deliver and What It Cannot


Yannick H.

Too Long; Didn't Read

Zero Trust is not a product you can buy—it's a new mindset for your IT security. Instead of checking once at the network edge, you continuously verify every access. Does that sound complicated? It’s not. You can start gradually, don’t need to replace everything, and... yes, it works for small businesses too. We’ll show you what’s really behind it.

Do you remember when IT security was simple? You had your firewall, your VPN, and everything inside your network was... well, trustworthy. Those days are over. And honestly? That’s a good thing.

Today we’re talking about Zero Trust – a concept that repeatedly causes raised eyebrows in our consulting projects. “Does that mean we don’t trust anyone anymore?” clients ask us. “Do we now have to buy everything new?” comes next. And then the classic: “That’s only for Google and large enterprises, right?”

Let’s speak plainly.

What Zero Trust really means (spoiler: it’s not about distrust)

Zero Trust is an architectural approach in which inherent trust is removed from the network. Sounds technical? Let’s put it differently...

Imagine your office building had only one entrance with a security check. Once inside, you can go anywhere – from the server room to the CEO’s office. That’s the old model. Zero Trust? That’s like having separate access control in front of every important room. Not because you don’t trust your employees, but because you know: if someone malicious gets in, they shouldn’t be able to get everywhere.

The biggest myths – and why they’re nonsense

Myth 1: “Zero Trust is a product I can buy”

Oh, how often we hear that! Vendors come in and promise: “Our Zero Trust solution makes everything secure!”

Reality? Zero Trust is a strategy, not a box you slide into a rack. It’s like fitness – you can’t just buy a membership and expect to get fit automatically. You actually have to go and train. And yes, different tools help you do that, but the concept itself... you have to live it.

Myth 2: “We have to rip everything out and rebuild”

This myth prevents so many companies from even getting started. But it’s complete nonsense!

We recently helped a mid-sized company that had exactly this fear. What did we do? Started small. First, we introduced multi-factor authentication for critical systems. It took two weeks and had an immediate impact. Then we moved forward step by step. After one year? A significantly more secure network – and most of the old hardware is still running.

Keep your traditional security controls until the new Zero Trust controls are effective. No one expects you to overhaul everything overnight.

Myth 3: “This is only for large enterprises”

Oh right... because cybercriminals only attack big companies, right?

The statistics say otherwise: 46% of all data breaches affect small businesses. And while large enterprises may be able to absorb an attack, 60% of small businesses go bankrupt after a successful cyberattack.

Zero Trust is not more complex for small businesses – quite the opposite. You have fewer legacy systems, less complexity, less politics. In our experience, smaller companies can often implement Zero Trust faster and more efficiently than large corporations.

Myth 4: “It makes everything slower and annoys users”

“My employees will hate me if they have to authenticate constantly!”

We get it. But modern Zero Trust implementations are smart. They use context: Does Maria log in every morning at 8:30 from her company laptop? Everything normal, no extra check. Is someone trying to access Maria’s account at 3 a.m. from an unknown device in Russia? Then it gets stricter.

More on this in our article Why your network security model is broken.

The reality: how to implement Zero Trust in practice

Now that we’ve cleared up the myths, let’s get specific. The NCSC defines eight principles for Zero Trust. In practice, we’ve distilled them down to three core areas:

1. Know your crown jewels

Before you do anything: what are your most critical data and systems? Not everything is equally important. The coffee machine app does not need to be protected like your customer database.

One of our clients, an engineering firm, approached it like this: they divided their assets into three categories:

  • Critical: CAD designs, customer contracts, financial data

  • Important: Internal communication, project management tools

  • Nice-to-have: Cafeteria schedules, parking management

Guess where they started with Zero Trust?

2. Identity is the new perimeter

Forget network boundaries. In a world of remote work, cloud, and BYOD, identity is your new security anchor.

In concrete terms, this means:

  • Multi-factor authentication (yes, for all critical systems – no exceptions)

  • Device trust (is this Maria’s laptop or a random device from an internet café?)

  • Continuous verification (not only at login, but throughout the entire session)
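The context-aware check described under Myth 4 and the three identity bullets above, as an added example that is not part of the article or of ODCUS's own tooling: a small Python policy engine that scores a request's context (device trust, time of day, location) against a constructed per-user baseline, tightens its thresholds for more critical assets, and re-runs the decision mid-session. The user names, baseline, scores and thresholds are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AccessRequest:
    user: str
    hour: int              # local hour of the request, 0-23
    device_managed: bool   # company-managed laptop vs. unknown device
    country: str           # ISO country code the request originates from
    resource_tier: str     # "critical" | "important" | "nice-to-have"

# Constructed per-user baseline of normal behaviour (hypothetical sample data).
BASELINES = {
    "maria": {"hours": range(7, 19), "countries": {"CH"}},
}

def risk_score(req: AccessRequest) -> int:
    """Add up context signals; a higher score means less trust in the request."""
    base = BASELINES.get(req.user, {"hours": range(0), "countries": set()})
    score = 0
    if not req.device_managed:
        score += 3   # unknown device is the strongest single signal
    if req.hour not in base["hours"]:
        score += 2   # outside the user's usual working hours
    if req.country not in base["countries"]:
        score += 2   # unusual location for this user
    return score

def decide(req: AccessRequest) -> str:
    """Map the risk score to allow / step_up_mfa / deny, tightened by asset tier."""
    score = risk_score(req)
    # Crown jewels get lower thresholds: the same context that passes for the
    # cafeteria schedule triggers MFA (or a block) for the customer database.
    step_up_at = {"critical": 1, "important": 2, "nice-to-have": 3}[req.resource_tier]
    deny_at = {"critical": 4, "important": 6, "nice-to-have": 8}[req.resource_tier]
    if score >= deny_at:
        return "deny"
    if score >= step_up_at:
        return "step_up_mfa"
    return "allow"

def reverify(session: AccessRequest, **changed) -> str:
    """Continuous verification: re-run the policy when session context changes,
    e.g. the device loses its managed status or the location jumps."""
    return decide(replace(session, **changed))

if __name__ == "__main__":
    morning = AccessRequest("maria", 8, True, "CH", "critical")
    night = AccessRequest("maria", 3, False, "RU", "critical")
    print(decide(morning), decide(night))            # allow deny
    print(reverify(morning, device_managed=False))   # step_up_mfa
```

Maria's usual 8:30 login from her managed laptop passes without friction, the 3 a.m. attempt from an unknown device abroad is blocked, and a session whose device posture degrades is pushed to MFA rather than silently kept alive.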

3. Assume breach – and plan accordingly

This may be the biggest mindset shift: assume you are already compromised. Sounds paranoid? It’s smart.

If you assume attackers are already inside (or will get in), you design your architecture differently:

  • Microsegmentation: Even if someone gets in, they can’t go everywhere

  • Least privilege: Everyone gets only the minimum rights they need for their work

  • Continuous monitoring: You constantly watch what is happening in your network

The journey is the destination (and you don’t have to go it alone)

Zero Trust is a journey, not a destination. And like any journey, there are different paths.

Some of our clients start with identity – they roll out MFA and get quick wins. Others begin with network segmentation, which is technically more demanding but makes sense for critical infrastructure.

Which path is right for you? That depends on your situation:

  • A lot of remote work? → Start with identity and device trust

  • Critical legacy systems? → Focus on segmentation and access control

  • Planning cloud migration? → Perfect time for Zero Trust from the start

The uncomfortable truth

Let’s be honest: Zero Trust is not a cure-all. It does not make your security perfect. There is no “Zero Trust switch” you flip and everything is fine.

What Zero Trust really is: a fundamentally better way to think about security. One that fits the modern IT world. One that assumes the bad guys are smart – and still has a plan.

In our projects, we see it again and again: companies that take Zero Trust seriously and implement it step by step are significantly more resilient. Not invulnerable – but when something happens, the damage is limited.

Your next step

You don’t need a complete Zero Trust network by tomorrow. But you should start thinking about it tomorrow.

Our advice? Start small:

  1. Take stock: What do you have, what is critical, where are the gaps?

  2. Pick a low-hanging fruit: MFA for admin accounts? Segmentation for a critical application?

  3. Measure success: Not only technically, but also in user acceptance

  4. Iterate: Learn from the first step and take the next

Zero Trust is not a revolution – it is an evolution. And the best time to start? Was yesterday. The second best? Today.

PS: If you’re asking yourself, “Okay, but where exactly do I start?” – that is exactly the right question. And that is exactly what we help with. No vendor pitches, no overpriced “Zero-Trust-in-a-Box” solutions. Just pragmatic, step-by-step transformation that fits your company.

Join us on the journey

Effortlessly schedule a conversation and discover how we bring success in the digital world to your company.


Contact us!

Grabenstrasse 15a

6340 Baar

Switzerland

+41 43 217 86 70

Copyright © 2026 ODCUS | All rights reserved.
