Opening Argument on the Fallen Castle
Trust is the breach that precedes the breach. For years, organizations have relied on firewalls, access gateways, and network controls, yet they remain vulnerable when a valid credential is the only evidence that a connection is legitimate. In almost one in three incidents over the past decade, the credentials obtained during the attack were used to enter a trusted environment (Verizon, 2024a). If the attacker logs on as someone the system allows, the activity may never be perceived as a danger. A finance member opening payroll files, a contractor accessing a shared drive, or an admin connecting after hours can all look legitimate. That is why the old castle model fails at the very place where it should work best.
The wall was never in control; the assumption behind it was. The castle model requires a clear distinction between inside and outside, while today's security guidance is not to trust anything implicitly just because it is inside the network, physically located at the site, or owned by the organization (Rose et al., 2020). That matters because a laptop recognized on an internal network may still be compromised, and a legitimate account can still be misused. The security perimeter can identify where a request came from, but it cannot establish that the request is safe. A badge, a password, or an internal IP address is only a first step. The opening argument is thus simple: modern cybersecurity breaks down when trust is used as a substitute for verification.
Why the Castle Model Failed
Perimeter Boundaries Became Unreliable
The castle failed because its border became imaginary. Traditional perimeter security was based on the principle that users, devices, and systems within the network could be trusted more than those outside. Modern zero trust guidance is built on the premise that trust should never be based solely on network location or asset ownership (Katsis & Bertino, 2025). This is the core weakness of the castle model: it treats entry as an indicator of safety. Once an attacker has gained access through stolen credentials, a compromised device, or an approved connection, the internal network becomes a trusted operating space for the attacker. The wall remains, but its protective function is reduced.
Cloud Migration Weakened Centralized Control
The castle model failed because the systems it was designed to protect no longer sit inside a controlled network perimeter. Cloud migration moved data, applications, and workloads to infrastructure that the organization neither owns nor directly manages. Cloud security follows a shared responsibility approach in which the provider and the customer are each responsible for different aspects of security (National Cyber Security Centre, 2022). This overturns the conventional idea of a single defensible perimeter. A customer database may be hosted in a cloud system, synchronized with third-party applications, and viewed at the same time by remote users. A firewall protecting the corporate office cannot secure information, applications, and user access distributed across cloud platforms, remote devices, and third-party systems. The wall lost its value because the data it was meant to protect now lives beyond the organization's controlled perimeter.
Remote Work Expanded the Attack Surface
The castle model failed because work is no longer done in one controlled space. Remote access exists to let employees, contractors, vendors, and business partners who sit outside the traditional network reach protected resources. NIST guidance treats telework, remote access, and BYOD devices as security concerns that must be addressed in light of anticipated threats (Scarfone et al., 2020). This is important because the user may be working from a home router, a personal laptop, or a public network. The castle model assumes a single controlled drawbridge, while access today comes through many users, devices, networks, and locations. A person's location is no guarantee of security.
Insider Access Undermined Perimeter Defense
The castle model failed because it assumed authorized access was safe access. Insiders are individuals who have legitimate access to the system, such as current or former employees, contractors, or business associates, but who can gain unauthorized access, either knowingly or unknowingly (Saxena et al., 2020). This is particularly damaging for perimeter security. A malicious administrator does not need to break the wall. A careless employee can expose files by placing them in a shared folder or emailing them to the wrong person. A compromised account can operate without raising suspicion because its activity looks normal. The castle model is least effective against actors who are already within the walls, and that is exactly where modern attackers choose to operate.
The Business Cost of Misplaced Trust
Breach Costs Become Business Costs
When trust is misplaced, normal access can be misused, compromised, or extended to sensitive systems without proper verification, and the cost keeps rising. Business disruption, customer response, investigation, and remediation costs pushed the average cost of a breach to $4.88 million globally in 2024 (IBM, 2024). A trusted account can be used to copy payroll data, alter records, or access customer data, adding costs well beyond technical recovery. The organization must inform affected parties, assist customers, determine the point of access, and answer to regulators. The financial impact is particularly high in the healthcare sector, which IBM's 2024 breach report identified as the most costly industry for a data breach, at an average of $9.77 million per breach (Alder, 2024). When medical records are misappropriated or accessed without authorization, an organization must notify patients, face regulatory scrutiny, accept legal liability, endure service interruptions, and carry prolonged recovery expenses.
Human Access Creates Operational Risk
Human access is also hard to manage and becomes an expensive liability when trust in it is misplaced. In Verizon's 2024 data, human factors were involved in 68% of breaches, counting errors and social engineering but excluding malicious privilege misuse (Verizon, 2024b). A misplaced file share, an approved vendor account, or an employee tricked by a realistic request can cost the business as much as a technical exploit. This is not only a problem of user behavior. It is the organization's decision to allow broad access with limited verification. Excess privilege in ordinary accounts leads to compromised records, disrupted operations, and embarrassing damage control for the company.
Delayed Detection Increases Exposure
Misplaced trust becomes even more destructive when it is not detected and corrected in time. In 2023, the global median dwell time was 10 days, indicating that intrusions often persisted for some time before being detected (Kutscher, 2024). Ten days is enough time to escalate privileges, locate useful repositories, compress files, and set up exfiltration. The business cost grows because response teams must reconstruct activity spread across accounts, systems, and data stores. Every unexplained login becomes a question for the legal, compliance, and executive teams. If suspicious activity was treated as regular access, it becomes difficult to separate legitimate work from the breach. That uncertainty turns a technical incident into a governance issue.
The Zero Trust Framework and the Discipline Behind It
Zero Trust Requires Verification
Zero Trust is not about buying a security product; it is a strict access principle. Even when the user, device, or application seems familiar, it must be verified before access is granted. Zero Trust rejects the earlier notion that an entity or user inside an organization's network can be trusted by default. Zero Trust was a term coined at Forrester by John Kindervag, and my Zero Trust Strategist certification was based on the discipline required to apply this model across an enterprise. This matters because purchasing tools without changing the access rules only repackages the old problem. Zero Trust succeeds only when verification becomes the standard way of operating.
Identity Must Be Continuously Checked
The first control point is identity, because attackers often try to obtain legitimate access before resorting to technical exploits. The Zero Trust Maturity Model places identity at the center of access control decisions and calls on agencies to continuously improve identity stores, authentication, authorization, and risk-based access over time (CISA, 2023). A password at the login screen is therefore not sufficient. An administrator or service account using an application, a contractor accessing a file, or a service calling a database should all be evaluated in context. The question is not whether the account exists. The question is whether this particular request should be permitted at this time.
Devices and Networks Need Limits
Devices and networks should always be evaluated, as a trusted person can still use an unsafe endpoint. Rather than depending on a single perimeter control, the Office of Management and Budget’s federal zero trust approach calls on agencies to achieve specific outcomes across identity, devices, networks, applications, workloads, and data (Office of Management and Budget, 2022). A compliant laptop, an unmanaged phone, and an infected workstation should not be granted the same access. Micro-segmentation must also be part of network controls, to ensure that a compromised account cannot roam at will through internal systems. This narrows access and enforces it more strictly. It also provides some degree of protection should a single device, credential, or connection fail.
Applications and Data Need Direct Protection
Applications and data must be protected directly, because the attacker's ultimate goal is useful access, not merely a foothold on the network. The Cybersecurity and Infrastructure Security Agency (CISA) describes zero trust as a transition to identity, context, and data-driven controls that operate across users, systems, applications, data, and assets over time. Access to applications should therefore be granted per session, per user, and per context. A staff member who needed access last month should not retain it indefinitely. Data controls (classification, encryption, and access restrictions) must travel with the data itself. Sensitive files need protection wherever they are stored, processed, copied, or shared.
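The per-request evaluation described in the three sections above (identity in context, device limits, per-session and time-bound access to applications and data), as an added example that is not part of the original essay or of any cited framework: a small Python policy decision function that checks identity assurance against data classification, device posture, and a time-bound grant, and deliberately never consults network location. All assurance levels, field names and sample records are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

AUTH_LEVEL = {"password": 1, "password+otp": 2, "phishing_resistant_mfa": 3}  # constructed: proof each authenticator gives
REQUIRED_LEVEL = {"public": 1, "internal": 2, "sensitive": 3}  # constructed policy: minimum level per classification

@dataclass
class Request:
    user: str
    auth_method: str             # how the user authenticated for this request
    device_managed: bool         # enrolled in device management
    device_compliant: bool       # passed posture check (patched, EDR healthy, not flagged)
    from_internal_network: bool  # recorded for logging only; never a trust signal
    resource: str
    classification: str          # "public" | "internal" | "sensitive"

@dataclass
class Grant:
    user: str
    resource: str
    expires: datetime            # every grant is time-bound; there is no standing access

@dataclass
class Decision:
    allow: bool
    reasons: list[str] = field(default_factory=list)
    session_ttl: timedelta | None = None

def decide(req: Request, grants: list[Grant], now: datetime) -> Decision:
    """Evaluate one request on identity, device, grant and data sensitivity; network location is absent on purpose."""
    reasons: list[str] = []
    need, have = REQUIRED_LEVEL[req.classification], AUTH_LEVEL.get(req.auth_method, 0)
    if have < need:
        reasons.append(f"authenticator level {have} below {need} required for {req.classification} data")
    if not req.device_managed:
        reasons.append("device not managed")
    elif not req.device_compliant:
        reasons.append("device failed posture check")
    grant = next((g for g in grants if g.user == req.user and g.resource == req.resource), None)
    if grant is None:
        reasons.append("no access grant for this user and resource")
    elif grant.expires <= now:
        reasons.append(f"grant expired at {grant.expires.isoformat()}")
    if reasons:
        return Decision(False, reasons)
    # Per-session: sensitive data gets a short session so the decision is re-made often.
    ttl = timedelta(minutes=15) if req.classification == "sensitive" else timedelta(hours=8)
    return Decision(True, ["identity, device and grant checks passed"], ttl)

def run_examples() -> dict[str, Decision]:
    """Constructed scenarios from the essay: one payroll user on two devices, a contractor whose job ended,
    and an internal-network admin holding only a password."""
    now = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    grants = [Grant("payroll.user", "hr-payroll", now + timedelta(days=30)),
              Grant("contractor", "site-files", now - timedelta(days=5)),
              Grant("ops.admin", "hr-payroll", now + timedelta(days=1))]
    cases = {
        "compliant_laptop": Request("payroll.user", "phishing_resistant_mfa", True, True, False, "hr-payroll", "sensitive"),
        "unmanaged_phone": Request("payroll.user", "phishing_resistant_mfa", False, False, True, "hr-payroll", "sensitive"),
        "expired_contractor": Request("contractor", "password+otp", True, True, False, "site-files", "internal"),
        "internal_password_only": Request("ops.admin", "password", True, True, True, "hr-payroll", "sensitive"),
    }
    return {name: decide(req, grants, now) for name, req in cases.items()}
```

Only the compliant laptop with phishing-resistant MFA and a live grant is allowed, and even then for a 15-minute session; being on the internal network changes nothing in the other three outcomes.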
Leadership Must Enforce the Framework
Zero Trust cannot work when leaders treat the term as technical jargon rather than as an operating discipline. The Cybersecurity and Infrastructure Security Agency (2023) describes Zero Trust as least-privilege access granted per request, intended to minimize uncertainty in systems and services. That standard means fewer exceptions granted by executives, simpler access reviews, and backing for security teams when a powerful stakeholder demands unrestricted access. It is a required discipline in a federal environment where requirements are set at the TS/SCI level. In high-stakes environments, Executive Order 14028 and the federal guidance for implementing zero trust make clear that implicit trust is not acceptable (NIST, 2021). Leaders must own the rules, apply them uniformly, and hold themselves accountable when workarounds compromise security.
Cybersecurity as a Board-Level Responsibility
Regulatory Accountability
Today, cybersecurity carries legal and governance requirements that go beyond managing the technical system. Material cybersecurity incidents must be disclosed within four business days of determining materiality, and annual disclosures must describe cyber risk management, the role of management, and board oversight (SEC, 2023). This makes weak security governance visible to investors, regulators, and customers. After a breach, a board cannot simply leave the problem to the CISO. It needs to understand the organization's approach to cyber risk, who makes cyber response decisions, and how quickly leadership can determine whether a cyber event will materially affect the organization.
Strategic Oversight
Cybersecurity belongs at the board level because it affects enterprise value, not only system performance. According to the National Association of Corporate Directors, cyber risk is a strategic enterprise-wide risk, and directors should be aware of legal exposure, oversight, reporting, and resilience (NACD, 2026). This means that directors need to assess the efficacy of firewalls, audits, or training programs, and not take their existence as evidence of security. They should inquire about whether access rights align with business needs, whether incident response has been tested, and whether cybersecurity reporting includes financial and operational impacts. Without substantive board-level discussion, directors cannot assess the actual risk to the business.
Leadership Accountability
The other significant element of cybersecurity governance is that leadership clearly maps technical risk to business decisions. A shared understanding of risk between directors and executives is central to cybersecurity governance because it lets them see across the technical divide and gauge the risk of legal liability, economic loss, service disruption, and threats to business continuity (Proudfoot et al., 2023). That is why the CISO and CRO roles should be treated as risk leadership positions, not merely technical roles. A ransomware scenario, for example, should be handled in terms of service delivery disruption, legal responsibility, customer trust, and recovery cost. Board accountability begins with treating cybersecurity as a business risk with measurable consequences.
Three Leadership Actions for Replacing Implicit Trust
Audit Implicit Trust
Leaders should first seek to understand where access is too readily granted, because unsafe trust cannot be reduced if it is hidden in the systems and processes of everyday work. Zero Trust involves continuously checking identities, locations, context, and data for each user, device, application, and transaction (CISA, 2023). Leaders should audit VPN access, shared administrator accounts, standing privileges, vendor accounts, and internal network rules. A payroll user should not automatically access HR systems from any device. Once a job is completed, the contractor should not retain access to the site. The objective is to uncover assumptions, make them transparent, prioritize risk, and eliminate unnecessary trust.
Assign Executive Ownership
Zero Trust fails when no one has the authority to make hard access decisions. Implementing zero trust is a leadership responsibility, and the federal zero trust strategy directs agencies to meet specific cybersecurity requirements and goals (OMB, 2022). Priorities, budget requests, exception approvals, and progress reporting should sit with a single accountable owner. Without that authority, teams can keep working on identity, devices, networks, applications, and data without ever changing day-to-day access decisions. A senior owner can prevent permanent exceptions, mandate least privilege, and report delays so that weak controls do not become accepted practice.
Redefine Security Metrics
Boards cannot manage trust they do not measure. Cyber risk should be measured, calculated, and reported to the board in objective business language, not just simple technical activity (NACD, 2026). Leaders need to end the practice of relying solely on firewall counts, percentage of patches, or completed audit checks. Better measures include identity coverage, privileged access reviews, continuous verification rate, device compliance, and overdue access removal. These measures indicate whether implicit trust is being diminished. A board cannot effectively manage Zero Trust through technical activity reports alone.
Closing Manifesto on Verification Over Trust
The castle has fallen, and the failure is practical, not symbolic. A security posture that treats the internal network, approved devices, and authenticated users as secure cannot protect an organization whose data flows through cloud platforms, off-site connections, vendors, and privileged service accounts. The issue is not whether people should be trusted as professionals. The issue is whether any request should be accepted without current proof of identity, device health, business need, and data sensitivity. Zero Trust answers with discipline: challenge every access, restrict every privilege, and eliminate any assumption an attacker could exploit. In a federal system where a compromise can have national consequences, this is not a preferred option; it is the minimum responsible standard. Leaders now face a clear choice. They can maintain a model built for a past context and environment, or they can build security around verification.
Trust is not a control. Verification is.
References
Alder, S. (2024, July 31). Average Cost of a Data Breach Rises to $4.88M; Falls to $9.77M in Healthcare. The HIPAA Journal. https://www.hipaajournal.com/cost-healthcare-data-breach-2024/
Cybersecurity and Infrastructure Security Agency (CISA). (2023). Zero trust maturity model version 2.0. U.S. Department of Homeland Security. https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf
International Business Machines Corporation (IBM). (2024, July 30). IBM Report: Escalating data breach disruption pushes costs to new highs. IBM Newsroom. https://newsroom.ibm.com/2024-07-30-IBM-Report-Escalating-Data-Breach-Disruption-Pushes-Costs-to-New-Highs
Katsis, C., & Bertino, E. (2025). The Zero-trust paradigm: Concepts, architectures and applications. Foundations and Trends in Privacy and Security, 8(2), 122-253. https://doi.org/10.1561/3300000046
Kutscher, J. (2024, April 23). M-Trends 2024: Our view from the frontlines. Google Cloud Blog. https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2024
National Association of Corporate Directors (NACD). (2026, April 16). Principle one: Treat cybersecurity as a strategic risk. https://www.nacdonline.org/all-governance/governance-resources/governance-research/director-handbooks/2026-cyber-risk-oversight/
National Cyber Security Centre (NCSC). (2022, May 10). Cloud security shared responsibility model. https://www.ncsc.gov.uk/collection/cloud/understanding-cloud-services/cloud-security-shared-responsibility-model
National Institute of Standards and Technology (NIST). (2021, April 9). Executive Order 14028, Improving the Nation's Cybersecurity. https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity
Office of Management and Budget (OMB). (2022, January 26). Moving the U.S. Government toward zero trust cybersecurity principles (Memorandum M-22-09). Executive Office of the President. https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
Proudfoot, J. G., Cram, W. A., Madnick, S., & Coden, M. (2023). The importance of board member actions for cybersecurity governance and risk management. MIS Quarterly Executive, 22(4), Article 6. https://doi.org/10.17705/2msqe.00084
Rastogi, N., Budhiraja, I., & Ahmad, S. (2025). Enhancing Zero-Trust architecture with Artificial Intelligence Techniques. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.5791722
Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020). Zero trust architecture (NIST Special Publication 800-207). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-207
Saxena, N., Hayes, E., Bertino, E., Ojo, P., Choo, K.-K. R., & Burnap, P. (2020). Impact and key challenges of insider threats on organizations and critical businesses. Electronics, 9(9), 1460. https://doi.org/10.3390/electronics9091460
Scarfone, K., Greene, J., & Souppaya, M. (2020). ITL Bulletin March 2020: Security for enterprise telework, remote access, and Bring Your Own Device (BYOD) solutions. National Institute of Standards and Technology. https://csrc.nist.gov/CSRC/media/Publications/Shared/documents/itl-bulletin/itlbul2020-03.pdf
Securities and Exchange Commission (SEC). (2023, July 26). SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. https://www.sec.gov/newsroom/press-releases/2023-139
Verizon. (2024a). 2024 Data breach investigations report. Verizon Business. https://www.verizon.com/business/resources/reports/2024-dbir-data-breach-investigations-report.pdf
Verizon. (2024b, May 14). 2024 DBIR Executive Summary. Verizon Enterprise Solutions. https://www.verizon.com/business/resources/reports/2024-dbir-executive-summary.pdf