We Asked Kindervag: Why Are So Many Organizations Still Getting Zero Trust Wrong?
Federal Zero Trust mandates have been on the books for years. Agencies have built frameworks, stood up portfolio management offices, worked through compliance checklists, and filed the reports. The effort is real. So is the gap between what those efforts produce and what Zero Trust actually requires.
The architecture problem is well documented. Less discussed is the institutional one: the habits around procurement and compliance that have quietly shaped how Zero Trust gets implemented across the federal government, turning a security strategy into a series of tasks to be completed and forgotten.
John Kindervag has been making this argument since 2010, when his Forrester white paper "No More Chewy Centers" defined Zero Trust and set off a decade and a half of policy, debate, and uneven implementation. Don Yeske has been living it. He led network modernization for the Marine Corps enterprise network, served as CTO at the Department of the Navy where he sponsored FlankSpeed, the first program the DoD's Zero Trust Portfolio Management Office certified as meeting all established qualifications, and then moved to DHS where he inherited Zero Trust strategy for the third-largest department in the federal government.
"I did not plan on leading Zero Trust," as Yeske tells it. "But it became my job to define our actual strategy and implementation plan for Zero Trust as a department."
The two sat down recently on Virtru's Hash It Out podcast, hosted by Matthew Howard.
Watch the full interview here, or keep reading for a recap.
The Acquisition Reflex and the Checklist Problem
Yeske is direct about what keeps going wrong, and he includes himself in the critique.
The federal government is structurally oriented toward buying things. As he put it, if you removed the entire federal workforce tomorrow, roughly ninety-eight cents of every federal dollar would still get spent, because that money flows to contracts, not personnel. When Zero Trust arrived as a mandate, agencies did what they know how to do: they went looking for what to purchase. Vendors met them there, putting Zero Trust on the side of the box and building compliance narratives around it. The market responded to the incentive, not the mission.
The second problem is the checklist. M-22-09 gave agencies a concrete list of tasks, which is not inherently wrong. Measurable accountability matters. But the task list became the destination. Yeske was still having that argument last year: "I have had the argument, fairly recently, with people who were like, well, this is what Zero Trust is because that's what OMB said. So if I do these tasks, I'm done. No. That same exact document says it's a starting point."
He is candid that this is not purely an external failure. He said directly that he was "kind of upset at myself" that the strategic framing his team developed at DHS did not gain the same traction at the Department of War. These were systemic patterns that shaped the environment everyone operated in, including the people who understood the problem best.
Kindervag made the same point from a leadership angle. Strategies resonate with leaders. Tactics resonate with doers. When Zero Trust is communicated only as a task list, it never reaches the people with the authority to change how the organization is incentivized. He described a three-star general thanking him after a briefing for being the first person to explain Zero Trust in a way that connected to operational outcomes, because everything else had been checklists he could not make sense of as a mission leader.
If You're Trying to Protect Everything, You're Protecting Nothing
Both Kindervag and Yeske came back to this point more than once.
The attack surface only expands. Every new system, every new identity, every workflow stood up without telling the security team adds to it. You cannot shrink it. Trying to secure it comprehensively does not produce comprehensive security. It produces thin coverage everywhere and strong coverage nowhere.
Frederick the Great said it about warfare. Kindervag has been saying it about cybersecurity for fifteen years: he who tries to protect everything protects nothing. The federal government's orientation toward broad compliance, toward checking every box across every system, is a version of this mistake. It spreads resources across an ever-growing surface and leaves the things that actually matter underprotected.
The antidote is a question that sounds obvious and is harder to answer than it looks: what are you actually trying to protect? Kindervag still walks into agencies that have purchased significant Zero Trust tooling without being able to answer it. Without that answer, there is no principled way to sequence efforts, no way to distinguish spending that reduces real risk from spending that reduces the appearance of risk on a report.
How DHS Actually Started
Yeske's approach at DHS offers a practical model for how to begin, and it did not start with technology.
Phase one was inventory. His team went to components and asked basic operational questions: Do you have an inventory of users? An inventory of applications? How do you handle phishing-resistant multifactor authentication? Walk us through how you actually do this, not in policy terms, but in practice.
"The first step in wisdom is to know something about yourself," he said. The admission that a capability existed only on paper was not a failure. It was useful information. "Both of those answers are hugely valuable because it tells you where you start."
People first. Process second. Product last. The question is not what tool solves this. It is who in your organization is responsible for this, and how do they actually do it. That question is specific enough that it demands a real answer, and real answers are where the work begins.
The Other Half of the Mandate
Most of the conversation around federal Zero Trust focuses on what the architecture prevents. What gets less attention is what it should enable.
Data that cannot be shared has no operational value. Yeske framed it simply: "For there to be value in data, someone has to use it." The post-9/11 lesson was not just that agencies needed better protection. It was that over-restriction carries its own failure mode. The dots existed. The architecture did not allow them to be connected.
Federal cybersecurity culture still tends to treat protection and sharing as opposing forces. You lock data down to protect it. You relax controls to share it. That framing produces a posture that oscillates between over-classification, which breaks mission coordination, and under-controlled sharing, which creates exposure.
Zero Trust, properly implemented, resolves that tension. Controls travel with the data. Governance persists regardless of where the data goes or who it goes to. The goal is not restriction. It is confident sharing, with coalition partners, cleared contractors, mission partners across different environments, in a way where access is continuously verified and can be revoked. As Yeske put it: "If you're protecting it to the point where no one sees it, you're doing harm."
AI Is the Same Problem, Running Faster
The AI conversation in federal IT tends to focus on capability: what these tools can do for analysis, automation, decision support. The data question gets less attention, and it is the more urgent one.
Yeske put it directly: "We were scared of the data because we didn't know the data. AI, the effect that AI is having here is it kind of forces us to do it anyway because of velocity and because of the deepening importance of data. Data is the fuel of any modern AI-oriented system. If you're burning crap fuel, you're gonna burn out your engine."
An agency that feeds an AI system data it has never inventoried, classified, or governed will get wrong outputs fast. The same velocity that makes these tools attractive makes the underlying data problem impossible to defer.
There is a useful flip side to that pressure. Yeske is genuinely optimistic that the appetite for AI's operational benefits is creating motivation to do the data hygiene work that cybersecurity mandates alone could not compel. "People are now understanding the problem and starting to pay attention to the problem because they want the value that an LLM will bring to their organization." Agencies that found the scope of data classification paralyzing in the abstract are now confronting it because they want what AI promises, and they are beginning to understand they cannot have it without knowing their data first.
On the adversary side, Kindervag's observation about intellectual property is pointed: "Don't patent anything because a patent is a step-by-step tutorial for a nation state on how to copy what you've already done." Legal protection means nothing to adversaries operating outside that framework. Technical control over the data itself is the only reliable answer.
Where This Goes
Kindervag and Yeske are not arguing the federal government has failed, but that the way Zero Trust was communicated, as a compliance exercise rather than a security strategy, created a gap between policy and implementation that is still being worked through. The tactical guidance has been useful. The strategic framing has lagged behind.
Yeske invoked Sun Tzu on this: "Tactics without strategy is the noise before defeat. The converse is also true. Strategy without tactics is the slowest path to victory. If you understand the broad brush strokes of how you're gonna win, even if your tactics suck, you're gonna win."
The frame is not complicated. Know what you have. Know what matters. Know who is trying to take it. Build from that. FlankSpeed is a proof point that it can be done at scale inside the federal government. The maturation of agency-level Zero Trust programs is real progress. The foundation exists.
The mission environment is not getting simpler. More data, more partners, more boundaries to cross, more adversaries with more capable tools. As Yesky put it:
"We will painfully learn some of the lessons we should have learned ten years ago at higher speed, but we will actually learn them now. I have hope. I choose to have hope."
This post is based on a recent episode of Virtru's Hash It Out podcast featuring John Kindervag, creator of Zero Trust and Chief Evangelist at Illumio , and Don Yeske, Senior Solutions Architect at Virtru and former Zero Trust lead at the U.S. Department of Homeland Security. Watch the full conversation here.
Editorial Team
The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.
View more posts by Editorial TeamSee Virtru In Action
Sign Up for the Virtru Newsletter
Dive Deeper
/blog%20-%20ShareFile%20Takedown/26-Competitor-Blog-Blog%20-%20Virtru%20vs%20Sharefile.jpg)
Looking for a ShareFile Alternative? Here's What Regulated Organizations Need to Know.
/blog%20-%20sendsafely%20takedown/26-Competitor-Blog-Blog%20-%20Virtru%20vs%20SendSafely%20(1).jpg)
SendSafely vs. Virtru: Which Secure File Sharing Platform Protects Your Data After Download?

Dropbox Alternatives for Secure File Sharing: What IT Teams Are Missing
/blog%20-%20alex%20karp/alex-karp.jpg)
Alex Karp Is Right About the AI Problem. He's Missing the Solution.
/blog%20-%20SACR%20Report/anna-perrone-commentary%20copy.webp)
The Email Security Report Every CISO Should Read, And the Questions It Should Inspire
/temp%20-%20cmmc%20compliance%20advantage/IVIS-CMMC%20COMPASS.webp)
A 20-Year DIB Veteran on Turning CMMC Into a Compliance Advantage
/blog%20-%20shared%20services%20model/shared-services-model%20copy.webp)
Your Shared Services Model Might Be Leaking Data. Here's How to Stop It.
/blog%20-%20collaborate%20webinar%20recap/Collab-Demo-Recap.webp)
Inside Virtru Collaborate: The File Sharing Platform Built on NSA Open Standards

The Hidden Cost of a Microsoft GCC High Migration, and What the License Quote Leaves Out
/blog%20-%20Andesite%20HIO%20recap/HIO-Dave%20Brown-LI.webp)
Why the Author of "The Lean CISO" Refuses to Let AI Make the Final Call
Book a Demo
Become a Partner
Contact us to learn more about our partnership opportunities.
Become a Compliance Champion
Contact us to learn more about our partnership opportunities.
