Leonard Kleinman

expert panel

The foundational philosophy of zero trust can sound deceptively simple: Verify everyone, trust no one and keep attackers from moving freely. In practice, though, it’s not that neat. Businesses change, employees need access to new tools, cloud environments expand and attackers keep finding fresh ways to test old assumptions. New users, new systems, new attack vectors: The environment that zero trust is meant to protect keeps changing, which means it’s time to move beyond philosophies and frameworks and implement realistic, forward-thinking architectures. The essential question is whether an organization can clearly see what’s happening across its systems, contain damage when something goes wrong, and keep operations running without forcing people to work around security controls to get their jobs done. The answer lies in shifting focus from implementation milestones to measurable outcomes: protecting the most critical assets, supporting the way people actually work, and measuring progress through outcomes rather than activity.  The goal of zero trust isn’t to prove that every possible risk has been eliminated. It’s to show that an organization is becoming harder to compromise, faster to respond and easier to operate securely. Members of the Senior Executive Cybersecurity Think Tank have years of experience and deep expertise in enterprise cybersecurity strategies, threat detection, risk management and zero-trust architecture. Below, five of them discuss how to define “good enough” zero trust progress in practical terms and the real-world signals that tell leaders they’re reducing risk, not just adding friction.

expert panel

For years, VPNs were a favored security solution for both consumers and businesses. IT teams deployed them and users trusted them, because the assumption was that a VPN meant protection. But when a federal agency warns against personal VPN use, it underscores an uncomfortable reality: Some tools marketed as protection can actually expand the attack surface, expose user data or encourage habits that work against enterprise security goals. VPNs were architected for an era when the corporate network was a fortress to be protected. They provided a bridge for connected users, extending broad access and trust and encrypting data in transit. Once in, you were considered “trusted” until you disconnected. But in a distributed, cloud-first work environment, that singular stronghold no longer exists.  Rather than eliminating risk, a VPN may simply relocate it, handing it off to third-party providers whose privacy practices, security posture and incentives aren’t clear. Further, some VPNs aren’t just unsafe, they’re also unethical—actively monetizing user data and functioning less like a privacy shield and more like a surveillance layer in disguise. While it may be easy enough for private users to steer clear of VPNs, businesses are in a tricky spot. Remote workers still need safe, convenient ways to work from anywhere, especially when they’re under pressure, and they may be tempted by quick fixes that promise privacy with almost no effort. If companies want to steer employees away from risky workarounds, they need to do more than issue warnings; they need to offer secure alternatives that are truly trustworthy and easy to use. Members of the Senior Executive Cybersecurity Think Tank bring deep, hands-on expertise in zero-trust architecture, risk management, threat detection and enterprise security strategy. Below, two of them break down just how widespread VPN risk has become—and what security leaders should be promoting instead.