
Zero Trust, Without the Buzzword

A CXO’s Guide to Silent Security Transformation

By Keith Brautigam, Global Director Identity & Access Management Program, Radiology Partners

Introducing Zero Trust

“Zero Trust” has been a cybersecurity buzzword for years, and for good reason. Unlike a simple feature, it demands a fundamental re-evaluation of an organization’s security posture, cutting across the entire IT infrastructure. This complexity often hinders adoption, even when organizations understand its core premise: never trust, always verify. It means making no assumptions about cyber hygiene or safety, regardless of user location or prior authentication. As outlined by NIST SP 800-207, Zero Trust Architecture shifts defenses from static network perimeters to focus on users, assets, and resources. No device or user, even if authenticated, should automatically gain unfettered access to sensitive systems.

Zero Trust promises to significantly improve cybersecurity, reduce overall risk, and crucially, limit the “blast radius” of inevitable compromises by rigorously enforcing the principle of least privilege. The CISA Zero Trust Maturity Model identifies five key pillars: Identity, Devices, Networks, Applications and Workloads, and Data. The challenge for most enterprises lies in organizational silos, with these functions often residing in disparate, uncoordinated teams. This fragmented landscape makes a holistic Zero Trust implementation daunting.

Leading the Charge: The “Under the Hood” Approach

Given these complexities, a top-down “Zero Trust” mandate is rarely sufficient. I’ve found it far more effective to significantly mature an organization’s Zero Trust posture without explicitly framing it as a grand, organization-wide objective. Put another way, a strategic leader can create and internally promote a set of deliverables, each with a distinct business value of its own, that together gradually advance Zero Trust maturity.

As a CISO, I deliberately avoided discussing “Zero Trust” with senior leadership or the Board. The phrase inadvertently implied a lack of trustworthiness, which was off-putting. My approach was to quietly address each of the CISA pillars, recognizing their interdependence, to achieve enhanced security without the loaded terminology.

Network and Data: Demonstrating Early Wins

I started with the Network and Data pillars, areas where we already had some maturity, to demonstrate quick, tangible wins. We used our existing data classification scheme to identify sensitive servers, then leveraged our VM platform’s micro-segmentation capabilities to isolate these critical systems and limit lateral movement.

While broader network micro-segmentation was in place via firewalls, manual rule management created a perpetual backlog, leading to unacceptable delays in deploying services. To resolve this, we integrated ServiceNow with our SIEM/SOAR system. This automated workflow validated network ownership, confirmed that security controls were in place via our vulnerability scanning tool, and then directly manipulated the firewall. This powerfully illustrates why Automation and Orchestration are critical for efficient and consistent Zero Trust controls; it is no accident that Automation and Orchestration is a foundational layer in CISA’s Zero Trust Maturity Model.
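The gating logic behind such a workflow, as an added illustration that is not the author’s or Radiology Partners’ code: the requester must own the destination network, the destination host must have a recent clean vulnerability scan, and only then is a firewall rule emitted. The CMDB entries, scan results, team names and the 30-day scan-age threshold are all constructed stand-ins, not real ServiceNow, SIEM/SOAR or scanner data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the data sources the workflow consults (not real systems).
NETWORK_OWNERS = {                       # CMDB: network -> owning team
    ip_network("10.10.0.0/24"): "radiology-apps",
    ip_network("10.20.0.0/24"): "finance-platform",
}
SCAN_RESULTS = {                         # scanner: host -> (last scan date, open criticals)
    "10.20.0.8": (date(2024, 5, 1), 2),
    "10.20.0.9": (date(2024, 5, 1), 0),
    "10.20.0.10": (date(2024, 1, 15), 0),
}
MAX_SCAN_AGE = timedelta(days=30)        # assumed policy threshold
TODAY = date(2024, 5, 10)                # fixed "now" so the example is reproducible

@dataclass
class RuleRequest:
    requester_team: str
    src: str
    dst: str
    port: int
    proto: str = "tcp"

def owner_of(host: str):
    """Look up which team owns the network containing host; None if unknown."""
    addr = ip_address(host)
    return next((team for net, team in NETWORK_OWNERS.items() if addr in net), None)

def scan_is_current_and_clean(host: str, today: date) -> bool:
    result = SCAN_RESULTS.get(host)
    if result is None:
        return False                     # never scanned: fail closed
    scanned, criticals = result
    return today - scanned <= MAX_SCAN_AGE and criticals == 0

def evaluate(req: RuleRequest, today: date):
    """Return (rule_or_None, reasons); the rule is produced only if every check passes."""
    reasons = []
    if owner_of(req.dst) != req.requester_team:
        reasons.append(f"{req.requester_team} does not own destination {req.dst}")
    if not scan_is_current_and_clean(req.dst, today):
        reasons.append(f"{req.dst} lacks a clean vulnerability scan within {MAX_SCAN_AGE.days} days")
    if reasons:
        return None, reasons
    return f"permit {req.proto} {req.src} -> {req.dst}:{req.port}", ["all checks passed"]

if __name__ == "__main__":
    for req in (RuleRequest("finance-platform", "10.10.0.5", "10.20.0.9", 443),
                RuleRequest("finance-platform", "10.10.0.5", "10.20.0.8", 443),
                RuleRequest("radiology-apps", "10.10.0.5", "10.20.0.9", 443)):
        print(evaluate(req, TODAY))
```

Only the first request yields a rule; the others are denied with a reason the ticketing system can hand back to the requester.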

Business Devices: Unifying Management and Visibility

The Device pillar was challenging due to inconsistent management across departments. I engaged senior leaders on the strategic advantages of unified device management. My case highlighted a consistent user experience, IT efficiencies, licensing cost savings, and dramatically improved vulnerability management. For the Audit and Risk committee, I emphasized the need for comprehensive, centralized insight into the threat surface of our 50,000 endpoints, aligning with CISA’s Visibility and Analytics layer. This business-value-driven approach secured essential buy-in, empowering the IT department to lead the delivery of the new service.

BYOD and Business Devices: Identity and Network Synergy

Later, our firewall team enabled VPN clients to perform host-based health checks, validating connecting devices’ security posture regardless of ownership, without waiting for the new device management system. Likewise, device profiling was made possible via the mobile app for our MFA system. By establishing clear health policies for network access or SSO/MFA authentication, we leveraged existing services to enforce baseline device hygiene. This provided clear guidance to networking and IAM teams, showcasing how advancing one pillar (Devices) often requires synergy from others (Identity and Networking).

Applications, Data, and Identity: Granular Access Control

For Applications, we required owners to define precise access criteria. The IAM team then implemented policies via our SSO provider, ensuring only authorized individuals could even attempt to log in. For critical systems like the financial platform, we deployed an Identity Governance and Administration (IGA) platform. This enabled true role-based access control by integrating organizational roles directly into application permissions. I secured buy-in for this substantial project by highlighting improved employee and supervisor efficiency (streamlined provisioning and access management), robust compliance, and reduced organizational risk through meticulous data protection.

Conclusion: Leadership Beyond Buzzwords

Ultimately, our journey wasn’t about a frenzied tool acquisition. It was a deliberate act of strategic leadership: establishing a clear vision, breaking it into digestible, achievable portions, and articulating a distinct, compelling value proposition for every initiative. This resonated with IT and business leaders alike. By taking this business-value-driven, incremental approach, we ensured continuous progression across each Zero Trust Maturity Model pillar. Crucially, we bypassed the need for top-down mandates or arduous “Zero Trust” discussions with senior leaders, who instead focused on the tangible business benefits delivered. This “under the hood” strategy transformed Zero Trust from an abstract security concept into a concrete, value-generating business outcome.