Words Matter: Why Zero Trust Needs a New Name

Author: Julie Chatman MBA, CISM, Chief Information Security Officer
Date Published: 17 January 2025

Zero Trust has become a cornerstone of how we think about cybersecurity. But there’s a problem: the name itself often gets in the way. While the framework makes sense, the term “Zero Trust” can put up walls before we even start the conversation.

After two decades leading cybersecurity across US federal agencies and building technology strategies for Fortune 100 companies, I’ve seen that the way we communicate about security matters just as much as the technical solutions themselves.

Speaking the Language of Business

Here are two examples from my career that show how the right communication approach can turn skeptics into supporters:

People were avoiding us …

As a mid-career cyber professional, I took a leadership role in an enterprise-wide IT security policy program for a federal law enforcement and intelligence agency. The program was unpopular — stakeholders were disengaged and untrusting. I transformed the program by rethinking how my organization interacted with stakeholders.

We invested time in understanding each stakeholder group’s priorities, pain points and preferred communication methods. We gained insights that led us to engage intentionally, create trust and build understanding. My team attended meetings as supportive partners rather than security enforcers. In conversations, instead of leading with security requirements, we led with curiosity and connection.

My team created space for stakeholders to engage with us in constructive ways and built an information portal with targeted resources and FAQs that demystified security processes. The result? Measurably reduced enterprise risk through higher engagement with the program and improved user behavior at all levels.

We needed more staff …

More recently, at a healthcare technology organization, I faced the challenge of securing support for an information security reorganization that included additional full-time security positions. Based on what I knew about the organization’s business goals, culture and information about past engagements that the security department had with executive decision-makers, I positioned the initiative as a business growth enabler rather than a necessary security imperative.

By demonstrating how robust security would serve as a competitive differentiator and enable expansion into new markets, I secured executive buy-in for both the reorganization and funding for additional security roles. This approach transformed the conversation from “We need to do this for security” to “This will help us grow our business and serve more customers.”

Understanding Zero Trust Resistance

Pushback against Zero Trust can stem from the perceptions that the term creates, rather than from the technology itself. Sometimes, when we tell our business partners about implementing “Zero Trust,” we create unintended barriers.

Here’s what I've seen:

  • Value misalignment: The phrase “We don't trust anyone” directly contradicts organizational values of collaboration and innovation. In companies that pride themselves on strong cultural foundations of teamwork and creativity, this messaging can create immediate pushback from both leadership and employees.
  • Perception gap: There’s a significant disconnect between how security practitioners understand the framework (“Never trust, always verify”) and how it’s perceived by those outside the cybersecurity sphere. Business stakeholders often interpret it as a signal of paranoia or excessive control, rather than what it truly is: a practical way to protect and enable business operations.
  • Innovation misconception: Some assume Zero Trust stifles business agility, when it actually enables secure collaboration. Just as cars can go faster because they have brakes, good security controls give organizations the confidence to move and scale quickly—especially in regulated industries or when entering new markets.

Overcoming Language Barriers

As security leaders, we need to consider how our terminology affects our ability to implement crucial security measures.

Here are some strategies that work:

  • Frame security as business enablement - When leading federal agency technology initiatives, I found success by aligning security communications with national security objectives. The same principle applies in private sector contexts—show how security enables new business opportunities, enhances customer trust and supports market expansion.
  • Focus on mission alignment - Communicate clear connections between security measures and the organization’s mission. Ensure security messaging reflects the organization’s core values and drives alignment across teams.
  • Foster trust through transparency - Create open channels for dialogue about security initiatives. Develop relationships with your business counterparts. Establish regular touchpoints with business units to understand their operational needs and demonstrate how security frameworks can support their objectives.

Here are three potential alternatives that better capture the enabling nature of these security controls:

  • Verified Trust Framework - Reinforces the importance of trust while acknowledging the need for validation
  • Adaptive Assurance - Highlights the dynamic and continuous nature of modern security while emphasizing flexibility to business needs
  • Secure Access Framework - A straightforward representation that focuses on enabling access rather than restricting it

From Tech Talk to Business Success

Fundamentally, cybersecurity is a people business, and the success of the initiatives we champion depends heavily on how we communicate about them. By choosing language that aligns with business values while conveying the intent of our security frameworks, we can accelerate adoption and strengthen organizational support for critical security measures.

Whether we choose to call it Verified Trust, Adaptive Assurance, or another term that better resonates with our organization, the key is to position security as a business accelerator instead of a blocker or barrier.

So … what framework name would resonate with your organization’s culture and objectives?

While the answer will be different for each organization, the words we choose have real impact on how successfully we can implement critical security measures—choose wisely!
