ITSPmagazine Podcasts

Breaking the Spell: How to Avoid the Grand Delusion in Zero Trust | A Conversation with Dr. Chase Cunningham at Zero Trust World 2025 | On Location with Sean Martin and Marco Ciappelli

Episode Summary

In this episode, we challenge the “Grand Delusion” of cybersecurity and zero trust by exposing the gap between industry hype and real-world strategy. Listen in to discover practical, no-nonsense insights on how businesses—big and small—can build a robust security posture without falling for common misconceptions.

Episode Notes

At ThreatLocker Zero Trust World 2025 in Orlando, Chase Cunningham, often referred to as “Dr. Zero Trust,” delivered a thought-provoking session titled The Grand Delusion. The event, filled with IT professionals, managed service providers (MSPs), and small to midsize business (SMB) leaders, provided the perfect backdrop for a candid discussion about the state of cybersecurity and the real-world application of Zero Trust strategies.

Challenging the Status Quo

Cunningham emphasized the need for businesses to adopt realistic cybersecurity practices that align with their resources and needs. He pointed out the pitfalls of smaller organizations attempting to emulate enterprise-level security strategies without the necessary infrastructure. “Cyber shouldn’t be any different” than outsourcing taxes or other specialized tasks, he explained, advocating for MSPs and external services as practical solutions.

Zero Trust as a Strategy, Not Just a Term

The session underscored that Zero Trust is not merely a buzzword but a strategic approach to security. Cunningham stressed the importance of questioning the validity of industry claims and seeking concrete data to support cybersecurity initiatives. He encouraged attendees to avoid being “delusional” by blindly accepting security solutions without a critical evaluation of their impact and effectiveness.

Actionable Steps for Small Businesses

Cunningham shared practical advice for implementing Zero Trust principles within smaller organizations. He recommended focusing on foundational controls like identity and access management, micro-segmentation, and application allow and block lists. He noted that achieving security is a journey, requiring a structured, strategic approach and an acceptance that immediate results are unlikely.

The Future of Zero Trust

Looking ahead, Cunningham expressed optimism about the continued evolution of Zero Trust. He highlighted its growing global significance, with his upcoming engagements in Taiwan, Colombia, and Europe serving as evidence of its widespread adoption. Ultimately, he framed Zero Trust as not only a business imperative but a fundamental human right in today’s digital world.

Tune in to this episode to hear more insights from Chase Cunningham and explore what Zero Trust means for businesses of all sizes.

Guest

🔹 Dr. Chase Cunningham, VP Security Market Research at G2 | On LinkedIn: https://www.linkedin.com/in/dr-chase-cunningham/

Hosts

🔹 Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine: https://www.itspmagazine.com/sean-martin

🔹 Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast & Audio Signals Podcast | On ITSPmagazine: https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

This Episode’s Sponsor

ThreatLocker: https://itspm.ag/threatlocker-r974

Resources

🔗 Book | vArIable: A Novel in the gAbrIel Series: https://amzn.to/41yHOUo

🔗 Full ZTW 2025 Coverage: https://www.itspmagazine.com/zero-trust-world-2025-cybersecurity-and-zero-trust-event-coverage-orlando-florida

🔗 ITSPmagazine’s Event Coverage Hub: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage

🎧 More Redefining CyberSecurity Content: https://www.itspmagazine.com/redefining-cybersecurity-podcast

🎧 More Redefining Society Stories: https://www.itspmagazine.com/redefining-society-podcast


Episode Transcription

Marco Ciappelli: All right. 3, 2, 1. 3, 2, 1. Let's do it. All right, Sean. Sean, this is amazing. [00:01:00] We're in Orlando, Florida. It's in Florida, right? That, that, that, that Orlando. 

Sean Martin: I think that's that Orlando. Okay. I was trying to think if there's another one that we could mess with. 

Marco Ciappelli: No, I was just, I was just kidding with you.

No, no. Exciting to be here. Uh, ThreatLocker event. Big event. Uh, unexpected to be so many people we know, as a matter of fact, even our guests today, we already got a chance to talk to you. It's always nice. Chase Cunningham. How are you doing?

Chase Cunningham: I'm good. Thanks. Yeah. This is definitely a good event.

It, uh, doubles up every year. So they're doing something right. 

Yeah. You know, he's right. 

Marco Ciappelli: If you double up every year, you know, he's right. 

Sean Martin: Yeah. One of the things I have taught chatting with a bunch of people. Yes, there are a lot of customers here, but there are a lot of people that just want to learn. Yeah.

Um, and a lot of IT, not just security. Um, so it's a really good mix of people who need to manage systems, protect systems, and ultimately enable the business. And, uh, that's all. More than you got. Trust, right? 

Chase Cunningham: Yeah, and you get a lot of folks here that are small and mid [00:02:00] sized business. You get a lot of MSPs. You know, it's not the traditional mega enterprise thing, which I think is great. Yeah. 

Sean Martin: Yeah. So you're speaking here. 

Chase Cunningham: I did. I did my session today, which was cool. I, uh, my bar for success is if I don't fall off the stage and no one boos me, then I win. So I think I got that far. So you did good. Yeah, exactly.

Batting 100. 

Marco Ciappelli: How did people left from your session? Because the title is The Grand Delusion. 

Chase Cunningham: Yeah. 

Marco Ciappelli: So, I don't know, did they feel, you know, did you bring some optimism in the, in that or what it was all about?

Chase Cunningham: I think the whole session really is on the way that we do things in the space is kind of counter to what, you know, we would expect from any other space and the market is the market because it's a market, right?

And then I just really tried to run folks through here's the reality of the space in which we operate. Here's the stuff that is valuable and here's the stuff that is not, and you should also understand that even the experts, myself included, you should always be asking the experts to kind of give you the data and the proof behind their concepts and theories.

You don't, don't just take [00:03:00] anything at face value. And that was my whole point, is if you're not doing this, you're delusional. 

Marco Ciappelli: Right, right, right, right. Are you delusional, Sean? 

Sean Martin: I'm always delusional. And, so I, I always look at things from a operational perspective and a business ability perspective. Were you able to touch on any of that, uh, during your session?

Chase Cunningham: Yeah, I mean, the whole point, too, of businesses, especially these folks, MSPs, small and midsize business, et cetera. My point to them is why would you try and do things an enterprise does when you don't have those resources? Like there's, I talk to folks all the time and they're saying, Oh, we're trying to do X and Y and Z.

That's what MSPs and MSPs and services are for. You know, I run my own small business. I don't want to do taxes because I'm not good at it and it's not fun. I have someone that does my taxes for me. Cyber shouldn't be any different. 

Marco Ciappelli: Right, right. So how do you wrap this whole vision into the culture of zero trust? And I call it culture because I think that's kind of the theme here. It's the fact that [00:04:00] it's culture, is not gonna be a technology development that is going to give you the zero trust.

Chase Cunningham: Yeah, so I mean zero trust is a strategy and that's, I, I said it towards the end of my session is, you know, you have a lot of people that will say, oh, well, we don't like the term and we don't like the way that it makes people feel. It's not about calling it zero trust.

It's about having a strategy that's based on what will make a difference, and then you apply it to your business. And the great thing about this space, to your point, there is a culture. We've got tons of reference material, we've got tons of growth, we've got tons of things that people can leverage. You should be working towards this.

And the proof is in the pudding. I mean, I think Google's a great example. Google moved towards their version of ZT after Operation Aurora. When's the last time you heard about Google having a major breach in the news? 

Sean Martin: So I, I forget when we spoke last, but, uh, the, the concept of what Zero Trust is very vague in the beginning, very, I think, high in the sky, hard to [00:05:00] achieve, um, thinking perhaps you had to be a large enterprise with a mature culture, a mature team, a mature set of technologies that you can then tune and lock up to enable Zero Trust, whatever that was.

Things have changed, um, and I think it's still very different for each organization, right? Um, every business runs differently, some, some cloud software services, other services, some on prem still, um, running finance, running manufacturing. How does this, how does an organization start to define the culture they want from Zero Trust and other resources for that?

Chase Cunningham: Yeah, there's lots of resources from folks like, uh, Jason Garbis at Numberline that's put out a maturity model.

There's folks from the Cloud Security Alliance. We just published a big guide on small business, zero trust. So there's plenty of reference materials. I think what folks should really look at, I personally consider the Verizon DBIR and the Mandiant M-Trends reports like biblical in nature. When [00:06:00] those come out every year, go look at what the bad guys were doing that was successful and apply your basic controls to begin to negate that.

And if you're doing that, you're applying, you know, the principle of zero trust where the adversary is going to succeed. So do those things and then work your way forward from that. This is a program, it's a strategy, it's going to require time. Um, and people should also be very real about the fact that it took you X number of however long to build your business and this infrastructure and all this other side of it.

It's going to take you a while. There's not just going to be flip a switch and you're ZT. 

Sean Martin: Right. And on that point, is it kind of like the 80 20 rule where You can kind of get fast forward to a certain level of your own version of Zero Trust in a certain amount of time and then it's, then it's slow going from there.

Chase Cunningham: Yeah, I mean a lot of these problems are somewhat simplistic, you know, to be honest, like bad usernames and passwords. Identity and access management should take care of a lot of that. People clicking on phishing links, I think enterprise browsers or browser isolation is very useful there. Um, micro segmentation, very useful.

Application allow list, [00:07:00] block list, those things. So if you do just those things, and you do them in a programmatic, structured, strategic way, you're gaining ground. And, unfortunately, at the end of the day, this is not a rising tide lifts all ships. But if my organization is more secure, and we survive when things go sideways, that's the win.

I can't fix everybody, but I can fix us. 

Marco Ciappelli: Right. Kind of, kind of rethink the model that applies the best to you. 

Chase Cunningham: Right. 

Marco Ciappelli: And you were making the case that the model that everybody's following, especially if you're a small business, medium business, you're following the model of the corporation. You're probably going to fail.

Yeah. Because you don't have those resources. So, why do you think we got where we are now? Like what, what kind of market methodology or, or lack of have we, you know. 

Chase Cunningham: Well, whoever's first to the problem is always going to define the problem space. And then by that, they're going to define the rest of the stuff that follows on.

To the credit of the folks that came in really early, like, they thought about things [00:08:00] from a big, broad enterprise perspective. And they did a good job of at least, like, making people aware security was necessary. But, the reality of what's transpired and as we've evolved is we've learned from it and we've gotten into a different space.

So, I think that's where people get wrapped up, too, is, well, I can't do that. But look, we're not that anymore. We're moving forward. And in today's world with democratization of technology and LLMs and all the other stuff, I don't think people have an argument anymore to say we're just not doing security.

Um, you can do it. It's very doable. And if you can't, partner with someone that can. 

Sean Martin: Exactly. So as we wrap here Chase, um, I believe you're known as Dr. Zero Trust. So I'm hoping you have A joke that became a brand. There you go. Let's run with that. But, your view for what's coming for Zero Trust? Does it continue to simplify and democratize?

And, do you find that more organizations get there? What do you see? [00:09:00] What's the future look like? Big changes, you think? Yeah, 

Chase Cunningham: Zero Trust is going to continue to evolve and grow, and that's what a good strategy does. The fact that, uh, you know, folks like myself and others have been invited to speak internationally about Zero Trust, I'm going to Taiwan in a week or two to talk to Zero Trust with them.

Second time in a year. I was in Colombia this year talking about Zero Trust. We're gonna go to, uh, Sweden and Norway and some of those places as well. So it's a global thing, which is great. But the truth of the matter is that this is an evolution of the overall strategic importance inside of the space.

And, uh, for me, I believe that being secure online is a fundamental human right in today's digital world. The way that we do that is ZT.

Sean Martin: Yeah. I love it. Zero Trust. Seemed like a pie in the sky thing a few years back. We see a conference built around it. A community built around it. Learning built around it.

Brands and people supporting organizations get there. Built around it. So, Chase, it's [00:10:00] always good to see you, my friend. 

Chase Cunningham: Thank you so much. It was great to run into you guys. 

Marco Ciappelli: Thanks for spending time with us. Looking forward for the next time. Fingers crossed. Wherever that is. I keep getting invited, I get to come back.

Sean Martin: Alright, thanks everybody for joining us, uh, here at Zero Trust World. Stay tuned, uh, on location with Sean and Marco. There's more coming. Cheers. 

Chase Cunningham: Awesome, thank you guys. Yeah, thank you. Thank you so much. [00:11:00]