Zero trust is the security buzzword of the moment, and while it is a very powerful approach, nearly every enterprise security product on the market \u2013 and some that aren\u2019t even security products \u2014 are saying they enable zero trust. This is particularly prevalent in the marketing of multi-factor authentication (MFA) platforms and endpoint protection (EPP)\/endpoint detection and response (EDR) point solutions, but it\u2019s by no means limited to them.The problem is this: you cannot buy zero trust.Zero trust is an approach, an architecture, and a journey, not software, hardware, or a service to deploy. And it\u2019s popular because zero trust hardens security by denying access by default and only allowing access according to policies based on the Principal of Least Privilege. If there is a breach, micro-segmentation prevents threats from moving laterally across the network, containing the damage and minimizing the blast radius. Zero Trust also allows companies to explore retiring large parts of their existing traditional network and infrastructure in favor of more commodity (read: less expensive) solutions such as public internet links vs. MPLS circuits. It also improves productivity, because when properly implemented, accessing digital assets is frictionless in zero trust, so long as one is authorized to do so.Certainly, you build a zero trust architecture with products. But buying and deploying those products isn\u2019t enough, and it\u2019s not the hard part. It would be like saying you\u2019ve updated your home from mid-century modern to contemporary by buying a bright blue piece of art. There\u2019s so much more to zero trust than its components.First, your organization must have strong security fundamentals. Good IT hygiene may not be particularly sexy, but nothing provides a stronger security ROI than proper, consistent management of assets, patches, and privileges.The organization also needs to secure broad C-level support for the project. The path to zero trust is not always smooth. It\u2019s a wholesale change in how a company approaches security \u2013 a complete flip of the table. The organization will frequently find itself taking two steps back to take three steps forward, and people will get frustrated. Only strong leadership and commitment from the most senior levels will enable the company to persevere.Next, establish \u201cbirthright\u201d access for every role, which defines the default access an individual should have when they join the team at a specific level. It\u2019s a complex task, but necessary to inform the policies that zero trust will enforce.Once these goals have been achieved, only then should an organization begin buying, deploying, and assembling the components. Without this foundation, it doesn\u2019t matter how strong the components are \u2014 you\u2019ll never achieve zero trust. Reader beware, zero trust is often like a canary in a coalmine for all the basics you may not be good at. Once you roll out all those agents and tools for MFA, EPP\/EDR, SWG, SDP, etc., those tools will need to actually DO something \u2014 and that signaling comes from your source systems such as asset management, identity management, etc. In the legacy world, not having accurate CMDB typically doesn\u2019t have operational implications, but in the zero trust world if the data is inaccurate, the application may simply not work. Be good at the basics!Throughout the process, leadership must continually communicate the benefits that zero trust will bring to everyone. Zero trust is unique among security initiatives in that it can reduce cost, improve security, and increase productivity. Typically, one can only achieve two out of three, at best.It's important to keep in mind that the zero trust journey is never truly over. The organization will continue to learn and make improvements. So be careful not to go off track: nurture that C-level commitment to zero trust, pay attention to IT security fundamentals and don\u2019t fall for expansive marketing claims about how a single SKU will act as a shortcut to zero trust.There are no shortcuts. Zero trust is a journey \u2014 but it\u2019s one that is well worth undertaking.To learn more about getting started on your organization\u2019s zero trust journey, visit us here.