
Yannick H.
Too Long; Didn't Read
Migrating to Zero Trust feels like climbing a mountain – but with the right approach, it's manageable. We'll show you how to proceed systematically: understand your current architecture, take it step by step, initially retain old security controls, and focus on identities. The most important trick? Don't try to do everything at once.

Okay, let’s be honest... if you’re currently asking yourself "Zero Trust – all well and good, but where the hell do I even start?", then you’re in very good company.
At ODCUS, we’ve seen this situation with dozens of clients. The decision to adopt Zero Trust has been made, management is convinced, the budget is available. And then... well, then you’re standing there looking at your organically grown IT landscape. With that ancient CRM system that no one really understands anymore. With applications that "have always worked this way." With the VPN that everyone believes equals security.
And suddenly, Zero Trust feels less like a modern architecture and more like a huge mountain you’re supposed to climb.
The uncomfortable truth about Zero Trust migrations
Here’s the thing many consultants don’t tell you right at the beginning: a Zero Trust migration is not a sprint. It’s a marathon. A pretty long one, too.
We’ve learned—sometimes the hard way—that implementing Zero Trust in an existing network, no matter how old it is or how many legacy services you have, requires a phased approach. With many iterations. With setbacks. With adjustments.
Doesn’t sound sexy? True. But it’s realistic. And honestly... we value realism more than marketing promises.
Why you can’t just switch to Zero Trust "real quick"
Let’s briefly talk about something we see again and again (and that makes us go a little grayer each time): companies shutting down their traditional security controls too early.
We once had a client—let’s call them Company X—who was so convinced of Zero Trust that they wanted to shut down the VPN on Friday and start with the new architecture on Monday. Spoiler: we stopped them.
Imagine you’re walking on a tightrope. Would you remove the safety net before the new net is in place? Exactly.
Our basic rule: never disable traditional security controls before you have implemented AND thoroughly tested your Zero Trust controls. Otherwise, your systems are literally left exposed—and the risk is significant.
Want an example? Don’t remove your VPN until you are absolutely sure that your new Zero Trust architecture covers all threats the VPN previously intercepted. Test it. Then test it again. And maybe a third time.
We shed more light on this aspect in "Why your network security model is broken."
The starting point: Understand your architecture (yes, really)
Okay, now it gets practical. The first step—and this is not just lip service—is: understand your current architecture. Really understand it.
By that we mean:
Where are your most important resources?
Where are the main risks?
Which legacy services do you have that may not support Zero Trust?
Who accesses what, and from where?
Which data flows are business-critical?
It sounds simple, but... we’ve seen organizations invest three months in planning only to discover that a critical system from the 90s simply won’t cooperate. Those three months could have been used better.
That’s why at ODCUS, we always start with a discovery workshop. Two intensive days where we map the landscape together with the client. Not perfectly—that would be unrealistic—but well enough to make sound decisions.
The principles that guide us
Over the years, we at ODCUS have developed a framework that helps our clients navigate complexity. These principles do not automatically guarantee a secure architecture (that would be too good to be true, right?), but they help you focus your efforts.
1. Transparency across your environment
Before you change anything, you need to understand what you have. Users, devices, applications, data flows. This is the foundation for everything else. We often use automated discovery tools for this, but also good old interviews with the teams who know the systems.
2. Strong identity foundations
Every access request is based on a verifiable identity—whether human, machine, or service. This is probably THE most time-intensive part of the entire migration. Plan at least 6–9 months if you have a complex environment.
3. Continuous trust validation
Trust is not granted once and then forgotten. It is continuously verified based on context, behavior, and risk profile. That means: your monitoring has to become really good.
4. Risk-based access decisions
Not every service is equally critical. Not every access request carries the same risk. Your policies should reflect that. A financial controller opening Excel from a managed office device? Low risk. The same controller accessing the finance database at night from an unknown device? Higher risk, different policies.
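To show what "different policies" for those two requests look like when written down, here is an added example of a small context-aware policy evaluator. It is not code from the original post or from ODCUS; the resource tiers, point values, thresholds and role names are constructed assumptions, and it also covers the role entitlement check and the mid-session re-evaluation that principle 3 calls for.

```python
from dataclasses import dataclass, field

# Constructed policy data: real tiers and thresholds come from your own risk assessment.
RESOURCE_SENSITIVITY = {"excel": 1, "finance-db": 3}   # base risk per resource
REQUIRED_ROLE = {"finance-db": {"controller", "cfo"}}  # least privilege: who may ask at all


@dataclass(frozen=True)
class AccessContext:
    user: str
    role: str
    resource: str
    device_managed: bool   # enrolled in MDM and passing health checks
    device_known: bool     # this user has used this device before
    network: str           # "office", "home" or "unknown"
    hour: int              # local hour of the request, 0-23


@dataclass
class Decision:
    action: str            # "allow", "step_up_mfa" or "deny"
    score: int
    reasons: list = field(default_factory=list)   # kept so every decision is auditable


def score_context(ctx: AccessContext):
    """Add up risk signals from the request context and record why each point was added."""
    score = RESOURCE_SENSITIVITY.get(ctx.resource, 2)  # unknown resources get a middle tier
    reasons = [f"resource sensitivity {score}"]
    if not ctx.device_managed:
        score += 2; reasons.append("unmanaged device +2")
    if not ctx.device_known:
        score += 1; reasons.append("unknown device +1")
    if ctx.network == "unknown":
        score += 1; reasons.append("unknown network +1")
    if ctx.hour >= 22 or ctx.hour < 6:
        score += 1; reasons.append("off-hours access +1")
    return score, reasons


def evaluate(ctx: AccessContext) -> Decision:
    """Entitlement first, then context. Call this on every request, not once at login:
    a session whose context changes (new network, device drops out of compliance) is
    re-scored with the same function, which is what continuous trust validation means."""
    allowed = REQUIRED_ROLE.get(ctx.resource)
    if allowed is not None and ctx.role not in allowed:
        return Decision("deny", 99, [f"role {ctx.role} is not entitled to {ctx.resource}"])
    score, reasons = score_context(ctx)
    action = "allow" if score <= 2 else "step_up_mfa" if score <= 5 else "deny"
    return Decision(action, score, reasons)
```

The reasons list is what you feed into the SIEM: a denied or stepped-up request with its contributing signals is far more useful to an analyst than a bare decision code.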
5. Granular access segmentation
Microsegmentation is your friend. An attacker should not be able to overrun your entire network from a compromised system. That means: make lateral movement significantly harder.
6. Encryption by default
Data in transit and at rest. No exceptions. Yes, this has performance implications. Yes, modern hardware makes it quite manageable.
7. Assume compromise
Assume that a compromise already exists somewhere in your environment—or could exist. Your architecture must be able to handle that. This is the mindset shift many find most difficult.
8. Automation and orchestration
Manual processes do not scale and are error-prone. The more you can automate—from policy enforcement to incident response—the better.
The identity challenge (and why it takes time)
Let’s talk about identity... because honestly, this is often the sticking point.
Establishing strong identities for users AND devices, or rolling out modern authentication across your entire organization—that takes time. A lot of time.
We’re not talking weeks. More like months. Sometimes longer, depending on how complex your environment is and how heterogeneous your system landscape is.
A real-world example: we had a client in the financial sector with around 3,000 employees. Migrating to a modern identity platform with multi-factor authentication for all systems took us 14 months. And that was with a dedicated team and management support.
But—and this is important—without solid identities, Zero Trust simply doesn’t work. In a Zero Trust architecture, you remove inherent trust from the network. You have to build that trust elsewhere: in user identity, in device health, in the services being accessed.
There is no shortcut here. Sorry.
The pragmatic approach: mixed estate
Here’s a reality you have to accept (and that’s okay): you probably won’t be able to implement all principles fully right away.
Maybe you have legacy systems that simply don’t support Zero Trust features. That AS/400 running since 1997 that handles your warehouse management? It won’t suddenly support modern authentication.
Maybe the technology you’re using isn’t mature enough yet. Or the budget doesn’t cover everything at once.
At ODCUS, we say: be pragmatic in your solutions.
You may need to run traditional security controls in parallel for a while. And you know what? That is completely fine. A mixed estate—i.e., a hybrid environment with traditional and Zero Trust elements—is often the reality during transition.
Internally, we call this the "80/20 rule": if you run 80% of your environment according to Zero Trust principles, you’re already in a damn good position. The final 20% can remain legacy as long as you isolate and monitor it accordingly.
The iterative approach: step by step
We always recommend an iterative approach to our clients. In concrete terms, that means:
Phase 1: Build the foundation
Start with identity infrastructure. That is your basis for everything else. In parallel: create visibility. You can’t protect what you can’t see.
Phase 2: Identify pilot services
Select services that are relatively easy to migrate and where risk is manageable. Early successes motivate people. We often start with internal tools or non-critical web applications.
Phase 3: Learn and adjust
Every phase is a learning phase. What works? What doesn’t? Where are the stumbling blocks? Which assumptions were wrong? In one of our latest projects, we adjusted the entire timeline after the pilot because we had underestimated how complex integration with a specific ERP system would be.
Phase 4: Scale
Now that you have experience and your playbook is developed, you can tackle more complex services. It also goes faster now because you’ve learned from the mistakes of earlier phases.
Phase 5: Continuous optimization
Zero Trust is not a project with a fixed end date. It’s a continuous process. New threats emerge, new technologies become available, your business keeps evolving. Your Zero Trust architecture has to grow with it.
What this means for your organization
Let’s talk about the practical implications...
Your time: A full Zero Trust migration can take years. Yes, years. For a mid-sized company with 50–100 applications, we realistically plan 18–36 months. Plan accordingly and communicate realistic timelines. Nothing is more frustrating than unrealistic expectations.
Your money: Costs are spread over a longer period, which is often easier to manage from a budgeting perspective. But don’t underestimate the costs of training, new tools, and potentially external support. Rule of thumb: expect 20–30% on top of pure tool costs for implementation and change management.
Your risks: The risk during transition is real. That’s why old security measures are run in parallel. You significantly reduce risk in the long term, but in the short term you need to be very careful. We do a dedicated risk assessment at every migration step—boring, but necessary.
Your status: Let’s be honest—Zero Trust is currently a buzzword that resonates well with management and stakeholders. Use that for buy-in and budget. But stay honest about timelines and effort. Overpromising and underdelivering is the fastest way to lose trust.
The most common mistakes (and how to avoid them)
From our experience at ODCUS, there are a few classic pitfalls:
Mistake 1: Starting too ambitiously
One client once wanted to migrate the core ERP system, HR platform, and CRM at the same time. It took us three weeks to convince them that this was not a good idea. You do not want to migrate three critical systems at once. Trust us.
Mistake 2: Ignoring legacy systems
They won’t disappear on their own. Explicitly plan how you will deal with them. Sometimes the answer is: "We leave the system as is until we can replace it." That’s okay—as long as you decide consciously and secure it accordingly.
Mistake 3: Neglecting monitoring
Without good monitoring, you won’t notice when something goes wrong. And in Zero Trust, you MUST monitor continuously. Invest here early. A SIEM is not optional; it’s essential.
Mistake 4: Shutting down too early
We’ve already said it, but it’s SO important: don’t switch off old controls too early. We had one case where a client shut down the old system against our advice... and we had to perform an emergency rollback. That was not a nice Friday.
Mistake 5: Forgetting training
Your users and your IT team need to understand what is changing and why. Otherwise, you get resistance. And shadow IT. And creative workarounds that bypass your entire nice security architecture. Change management is not optional.
Mistake 6: Underestimating performance implications
Yes, Zero Trust can have performance implications. Additional authentication steps, encryption, policy checks. Test early and under realistic load. Nothing kills a project faster than users complaining that "everything has become slow."
The way forward
So... where do you start?
If we had to break it down into a simple action plan:
Perform a thorough assessment of your current environment. Invest time here—it pays off later.
Identify quick wins—services that are relatively easy to migrate. This creates momentum and shows management that progress is happening.
Build your identity infrastructure (this takes time, so start early). Modern identity provider, MFA for everyone, device registration.
Run a pilot with a non-critical service. Learn what works and what doesn’t. Adjust your playbook.
Develop a governance model. Who decides what? How are policies defined and adapted? It sounds bureaucratic, but without it, it turns into chaos.
Learn, optimize, scale. In that order.
And most importantly: always keep your principles in mind. They are like a compass that points you in the right direction, even when the path is sometimes unclear.
Conclusion
Zero Trust migration is not a sprint, but a marathon. That may sound discouraging... but look at it this way: you don’t have to be perfect tomorrow. You just have to be one step better today than yesterday.
Network architecture is changing fundamentally. At ODCUS, we see it every day: more services are moving to the cloud, SaaS keeps growing, and flexible work models are here to stay. Employees work from home offices, from cafés, from a beach in Bali. The traditional network perimeter—that beautiful firewall that gave us a sense of security for years—is disappearing. And with it, the value of traditional defensive measures.
Zero Trust is not just a trend. It is the answer to these new conditions. It is how modern companies think about and implement security.
Yes, the mountain looks high. But with the right route, the right equipment, and a realistic schedule... you can do it. We’ve seen it many times. With mid-sized companies, with corporations, with startups.
And if, along the way, you feel like you’re not making progress or the complexity is overwhelming you? That’s normal. Completely normal, in fact. We’ve had those moments too—on every single project. Take a breath, take a step back, look at the principles again.
And then keep going. One step at a time.
At ODCUS, we like to say: "Zero Trust is like brushing your teeth. You don’t do it perfectly once and then you’re done. You do a little every day, and in the long run, it pays off."
Okay, maybe not the most glamorous image... but honest.
Need support with your Zero Trust migration?
At ODCUS, we’ve gone down this road multiple times—with all the highs, lows, and unexpected turns. Let’s explore together what your specific route could look like. No marketing blah-blah, just an honest assessment of what is feasible and what is not.
Contact us for a no-obligation conversation. No sales pitch, just an honest discussion about your situation and possible paths forward.


