‘Don't talk to strangers, aka Zero Trust’ is the advice of Joseph Carson, Chief Security Scientist & Advisory CISO at Delinea, for navigating digital onboarding and security.
Every event I attend deepens my understanding of the powerful impact team collaboration can have on cost, time, efficiency, and results, no matter what industry. For instance, during the Cyberevolution event organised by KuppingerCole in December 2024, I had an insightful discussion about Zero Trust – a critical concept for the financial sector, and not only there – with Joseph Carson, Chief Security Scientist & Advisory CISO at Delinea. Before delving into the topic, as I often heard concepts such as ‘red teams’, ‘blue teams’, and ‘purple teams’ during the event, I asked Joseph what these stand for. He shared how different colours represent IT team dynamics and how a combination of these colours can create a stronger security posture.
Red, for example, represents the offensive team – those actively seeking vulnerabilities within an organisation. Blue, on the other hand, symbolises the defensive team – focusing on security controls, detection of exploits, and vulnerability management. The real magic happens when these two teams collaborate, forming what’s known as the purple team. Purple is a mix of red and blue, where both sides work together, sharing knowledge and strategies to strengthen the overall security environment.
Joseph even shared his personal perspective on this. While he has always been a blue team defender professionally, he has also nurtured a passion for hacking techniques and learning from the red team's approach.
It’s clear: combining both sides, or colours, is key to building a more secure future.
It's actually pretty simple. Imagine you’re told not to talk to strangers—Zero Trust is just like that. It’s about not assuming someone is who they say they are just because they’re wearing a uniform or have a title; it is about checking that they really hold that role. It's about verifying people—just like you might check if someone has a badge or ask a mutual friend if someone is trustworthy. Zero Trust means you verify, always. In the context of banking, it’s about making sure you don’t give access to anyone, even if they seem familiar or authorised, unless you can fully verify that they should have it. It's all about minimising risk by questioning and validating, no matter who’s asking.
Furthermore, Zero Trust is about ‘zero assumptions’—never assuming security is already in place. Even if a transaction or resource was secure in the past, it must be revalidated each time to ensure it hasn't been compromised or altered. With most transactions now occurring over the public internet rather than trusted networks, continuous verification is essential. Security is no longer a one-time check; it's an ongoing process that requires constant vigilance.
Zero Trust is often misunderstood when it’s applied without context. Originally, it was about assuming that everything was unprotected and had to be verified. The concept emerged when we moved from controlled environments—where devices and networks were managed and secured—to a time when employees took devices outside of the office and connected them to the wider internet. This shift created a scenario where devices, once they returned to trusted networks, needed to be verified, cleaned, and updated to ensure they were secure before rejoining the network.
The core of Zero Trust, therefore, was about validating anything that left the trusted network and ensuring it was safe before allowing it to return. Over time, however, Zero Trust has evolved. As organisations increasingly move their operations outside traditional, controlled environments—especially with the rise of cloud computing and remote work—they face reduced visibility and control. The focus of Zero Trust has shifted from just securing the network to ensuring the security of devices, data, identities, and software across the entire system. Today, it's about continuously verifying all transactions, particularly those happening outside our direct visibility, such as in the cloud.
Zero Trust is often misunderstood as a product or technology that you can simply implement, but it's actually a strategy and a mindset. Zero Trust is about integrating technology, people, and processes into a cohesive framework. It’s not something you ‘fully achieve’, but rather something you continuously strive for by maintaining a Zero Trust mindset. For organisations to adopt this approach, it's also important to keep the user experience in mind. A Zero Trust strategy should aim to create ‘zero friction’—ensuring that security doesn’t hinder productivity, but rather supports it seamlessly.
However, one challenge organisations face is the perception that Zero Trust implies a lack of trust, which can be seen as counterproductive. For instance, this strategy often involves measures like multi-factor authentication, verifying VPN connections, ensuring the user has authorised access, and confirming they are in the correct location. It also requires continuous checks to ensure security configurations remain intact. These multiple checks might create the false impression (if friction is not eliminated) that security requires time and hinders productivity. Zero friction means moving security controls and checks into the background, so the user isn’t even aware they’re happening.
In these cases, it might be more effective to frame the approach differently when communicating with the business side, as ‘Zero Trust’ can sometimes create unnecessary concern.
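The checks Joseph lists above (MFA, device configuration, location, authorised access) together with the earlier point that a resource secured in the past must be revalidated each time can be shown as a small per-request policy evaluation. The Python below is an added illustration written for this page, not code from Joseph Carson or Delinea; the Signals fields, the role-to-resource table, the allowed-country list and the MFA age thresholds are constructed assumptions for the example, and the three sample requests are likewise constructed.

```python
"""Per-request Zero Trust policy evaluation.

Added illustration: every access decision is recomputed from the signals
presented with the current request. Nothing is inherited from an earlier
decision for the same user, device or session ("zero assumptions").
"""
from dataclasses import dataclass, field, replace
from typing import List


@dataclass(frozen=True)
class Signals:
    """Signals gathered for one request (fields are assumptions for the example)."""
    user: str
    role: str
    mfa_verified: bool
    mfa_age_min: int        # minutes since the last successful MFA challenge
    device_managed: bool    # enrolled in the organisation's device management
    disk_encrypted: bool    # posture attribute reported by the endpoint agent
    patch_age_days: int     # days since the device last applied updates
    country: str            # ISO country code derived from the connecting network
    resource: str           # e.g. "payments-ledger"
    sensitivity: str        # "low" or "high"


@dataclass
class Decision:
    allow: bool
    step_up: bool = False               # fresh MFA requested instead of a hard deny
    reasons: List[str] = field(default_factory=list)


# Hypothetical policy data, constructed for this example.
ROLE_ACCESS = {
    "accountant": {"payments-ledger", "invoices"},
    "support": {"invoices"},
}
ALLOWED_COUNTRIES = {"EE", "GB", "DE"}
MFA_MAX_AGE_MIN = {"low": 12 * 60, "high": 15}   # how recent MFA must be
MAX_PATCH_AGE_DAYS = 30


def evaluate(s: Signals) -> Decision:
    """Evaluate one request from scratch: identity, device, network, entitlement.

    Any failed check denies. The one soft case is a stale MFA on a
    high-sensitivity resource, which asks for step-up rather than denying.
    """
    reasons: List[str] = []
    step_up = False

    # Identity: MFA must have happened, and recently enough for this resource.
    if not s.mfa_verified:
        reasons.append("mfa_missing")
    elif s.mfa_age_min > MFA_MAX_AGE_MIN[s.sensitivity]:
        step_up = True
        reasons.append("mfa_stale")

    # Device posture is re-read on every request, so a laptop whose state
    # degraded since the previous call loses access on the very next call.
    if not (s.device_managed and s.disk_encrypted):
        reasons.append("device_posture")
    if s.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("device_unpatched")

    # Network location of this request, not of the login that opened the session.
    if s.country not in ALLOWED_COUNTRIES:
        reasons.append("location")

    # Least privilege: the role must be entitled to this specific resource.
    if s.resource not in ROLE_ACCESS.get(s.role, set()):
        reasons.append("not_entitled")

    # Step-up is only offered when nothing else is wrong; otherwise it is a deny.
    return Decision(allow=not reasons,
                    step_up=step_up and reasons == ["mfa_stale"],
                    reasons=reasons)


def demo() -> List[Decision]:
    """Three requests from the same user in one session, evaluated independently."""
    base = Signals(user="alice", role="accountant", mfa_verified=True, mfa_age_min=5,
                   device_managed=True, disk_encrypted=True, patch_age_days=3,
                   country="EE", resource="payments-ledger", sensitivity="high")
    first = evaluate(base)                                   # allowed
    # Minutes later the endpoint agent reports disk encryption off: denied,
    # even though the previous request on this session was allowed.
    second = evaluate(replace(base, disk_encrypted=False))
    # Posture restored, but the MFA is now 40 minutes old for a high-sensitivity
    # resource: a background step-up prompt, not a blocked user.
    third = evaluate(replace(base, mfa_age_min=40))
    return [first, second, third]


if __name__ == "__main__":
    for n, d in enumerate(demo(), 1):
        print(f"request {n}: allow={d.allow} step_up={d.step_up} reasons={d.reasons}")
```

Two design choices carry the points made above. First, `evaluate` takes no session or cache argument at all, so an earlier allow cannot leak into a later decision; the second request in `demo` is refused the moment the device posture changes. Second, the only soft outcome is `step_up`: a stale MFA on a sensitive resource triggers a fresh challenge in the background rather than a hard deny, which is where the ‘zero friction’ goal is realised in practice.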
To begin adopting a Zero Trust strategy, start by identifying the areas of your business that carry the highest risk. Focus on the most valuable business assets and assess whether they currently have a Zero Trust strategy in place. If not, prioritise these areas and implement continuous verification processes where needed.
Common high-risk areas to address include privileged identities and users, third-party access, and employees with access to sensitive data—such as accountants, legal teams, or other critical departments. Implementing a Zero Trust strategy in these areas is essential due to the potential sensitivity and damage they could cause if compromised.
To break down the Zero Trust framework, consider multiple pillars: data, identity, cloud/infrastructure, and applications. These areas should be unified under a Zero Trust approach, which ensures continuous validation, controls, and checks to maintain security.
It's been great to reconnect with the community—there's a strong sense of collaboration here, and it's always valuable to learn from each other and share lessons. The sessions I've attended have been very educational, especially around how CISOs can communicate more effectively with the board. Many CISOs come from a technical background, and translating technical issues into business language and risk management for non-technical stakeholders is crucial. This event is addressing that gap.
Another important topic discussed here is mental health, which is increasingly relevant in our field. I've noticed more focus on burnout, stress, and the fast-paced, high-pressure environment that comes with this industry. It's vital to raise awareness and find ways to support people through these challenging times.
About Joseph Carson
Joseph Carson is an award-winning cyber security professional and ethical hacker with more than 25 years’ experience in enterprise security, specialising in blockchain, endpoint security, network security, application security and virtualisation, access controls and privileged access management. Joe is a Certified Information Systems Security Professional (CISSP) and an active member of the cyber security community, frequently speaking at cyber security conferences globally and often being quoted in and contributing to global cyber security publications.