Last week, Dr. Zero Trust, AKA Dr. Chase Cunningham, posted in Linked in that he was fed up with people who say they don’t understand Zero Trust. To a certain extent, I feel his frustration.

Journalists understand the concept. We have a decades-old saying, “If your mother says she loves you, check it out.” It doesn’t get more zero trust than that.

The problem is that while it’s easy to understand as a concept, it isn’t easy to build a zero trust infrastructure, especially with the misleading gobbledygook most cybersecurity companies put out. Cunningham says there are hundred of books and articles on the subject. He’s right, of course. The question is, which one do you choose?

At the RSAC Conference, I sat down and briefly talked with Dale Hoak, CISO for RegScale, about how easy it is to understand Zero Trust but how complex it can be to pull it off. RegScale does government regulation compliance (GRC) and has only been around since 2021, but I found several competitors who promote themselves by saying “when you’re tired of RegScale, come see us.” I find that a ringing endorsement of the company.

So I called Dale up and said I wanted a longer talk about the issue of Zero Trust and where GRC fits in. We also spent some time talking about how the US federal government seems to be stepping away from cybersecurity regulations. I’ll be doing a larger story about that later, but this conversation is a good start.