Zero Trust Is 15 Years Old — Why Full Adoption Is Worth the Struggle

Fifteen years after its debut, Zero Trust remains the gold standard in cybersecurity theory — but its uneven implementation leaves organizations both stronger and dangerously exposed.

Zero trust isn’t failing; it’s the implementation of zero trust that isn’t complete.

The implementation of zero trust is essential for cybersecurity: but after 15 years, we’re still not there. Implementation is like the curate’s egg: good in parts.

Zero Trust turned fifteen years old on September 14, 2025. Its invention was announced with Forrester’s publication of John Kindervag’s paper, No More Chewy Centers: Introducing The Zero Trust Model of Information Security, on that date in 2010 (archived here).

Zero trust recognizes that treating cybersecurity like an M&M (a hard crunchy shell impenetrable to hackers protecting a soft chewy center where staff can work freely and safely) simply doesn’t work. “Information security professionals must eliminate the soft ...