Zero Trust Journey

Victor Monga

Zero Trust Journey isn’t about taking sides—it’s about real conversations, sharing research, and learning together. Our goal is to explore Zero Trust from every angle and help cybersecurity practitioners make sense of it in a practical, no-fluff way. And yes, we do love to chat about coffee and listen to the occasional dad joke along the way. Here’s what we do:

Conversations with Experts: We chat with subject matter experts who share their opinions, experiences, and Zero Trust journeys.
Research and Product Insights: We explore Zero Trust products and solutions in the market that may fit into a Zero Trust architecture.
A Zero Trust Architecture: We’re building and refining an ever-growing architecture focused solely on the needs of cybersecurity practitioners.
CSA CCZT Study Group: We host a study group for the Cloud Security Alliance (CSA) Certificate of Competence in Zero Trust (CCZT).

If you’re a cybersecurity professional looking for honest discussions, practical insights, and tools that evolve with your Zero Trust strategy (plus the occasional coffee tip), Zero Trust Journey is for you. Join us!

  1. APR 12

    Episode 46: Navigating Third-Party Risk and Continuous Monitoring

    In this episode, host Tiernan O'Malley sits down with Rachel Curran, GRC practitioner and founder of Locktivity, to unpack the complexities of Governance, Risk, and Compliance (GRC) in a cloud-first world. We dive deep into why third-party risk management cannot just be a "check-the-box" compliance exercise and how organizations must shift their focus from merely assessing vendors to actively managing how they interact with them.

    What You’ll Learn:
    ◈ The Fallacy of the Checklist: Why passing an audit doesn't automatically equal operational security.
    ◈ Continuous vs. Point-in-Time: The true value of SOC 2 audits and where continuous monitoring actually needs to step in (like catching missing 2FA).
    ◈ Quantifying Risk for Leadership: How to move beyond dollar amounts and make cyber risk personal and relatable to the C-suite.
    ◈ Silent Attack Vectors: The danger of stale OAuth tokens, unenforced SSO, and secrets left in commit histories.

    Key Moments:
    02:40 ➔ The Breach Reality: Why assessing vendors to completely avoid breaches is impossible, and why impact mitigation is the real goal.
    05:43 ➔ The Snowflake Example: How point-in-time audits often miss critical dynamic configurations like 2FA.
    10:53 ➔ Personalizing the Threat: How agentic AI integrations exposed a CEO's tax history—and why that changes the security conversation.
    16:36 ➔ The OAuth Danger: Why leaving unused OAuth tokens active is like leaving your front door open while on vacation.
    18:34 ➔ Warning Signs: How M&A activity, mass layoffs, and vendor evasiveness can predict upcoming security risks.

    🎙️ Meet the Guest: Rachel Curran is a GRC practitioner with over a dozen years of experience building SOC 2 and ISO security programs for startups. She is the founder of Locktivity, a platform focused on helping companies understand where their true third-party risk lies and how to proactively limit impact.
    ➔ LinkedIn: Rachel Curran
    ➔ Locktivity: locktivity.com

    About the Host: Tiernan O'Malley, Framework Security

    Subscribe to our LinkedIn to never miss news, updates, and quizzes to earn digital badges. https://ztjourney.com | LinkedIn | YouTube
    Disclaimer: The views expressed are those of the speakers.

    23 min
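    The episode contrasts a point-in-time SOC 2 audit with continuous monitoring that catches missing 2FA, unenforced SSO and stale OAuth grants. The following is an added example (not code from the show or from Locktivity) of what such a recurring check looks like over a vendor-access inventory. The inventory format, the 90-day idle threshold, the scope keywords used to rank a grant as write-capable, and the sample records are all constructed assumptions; in practice the records would come from each vendor's admin API.

```python
"""Continuous checks for the 'silent attack vectors' named in Episode 46:
missing MFA, SSO not enforced, and OAuth grants nobody has used in a long time.
Added example; the inventory schema and thresholds are assumptions, not the
episode's or any vendor's real data model."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy (not from the episode): a grant idle this long is stale, and
# any scope containing one of these hints is treated as write-capable.
STALE_AFTER = timedelta(days=90)
WRITE_SCOPE_HINTS = ("write", "repo", "workflow", "admin")
SEVERITY_RANK = {"high": 0, "medium": 1}


@dataclass
class Account:
    vendor: str
    user: str
    mfa_enabled: bool
    sso_enforced: bool
    role: str = "member"


@dataclass
class OAuthGrant:
    vendor: str
    app: str
    scopes: tuple[str, ...]
    last_used: datetime | None  # None: never used since it was granted


def check_accounts(accounts: list[Account]) -> list[tuple[str, str, str]]:
    """Dynamic settings an annual audit tends to miss: MFA and SSO enforcement.
    Returns (severity, vendor, message) tuples."""
    findings = []
    for a in accounts:
        if not a.mfa_enabled:
            sev = "high" if a.role == "admin" else "medium"
            findings.append((sev, a.vendor, f"{a.user}: MFA not enabled"))
        if not a.sso_enforced:
            findings.append(("medium", a.vendor,
                             f"{a.user}: SSO not enforced, password login still possible"))
    return findings


def check_oauth_grants(grants: list[OAuthGrant], now: datetime) -> list[tuple[str, str, str]]:
    """Flag grants that are never used or idle past STALE_AFTER; rank write scopes higher."""
    findings = []
    for g in grants:
        if g.last_used is None:
            idle_desc = "never used"
        else:
            idle = now - g.last_used
            if idle <= STALE_AFTER:
                continue  # recently exercised, not stale
            idle_desc = f"unused for {idle.days} days"
        write_capable = any(hint in scope for scope in g.scopes for hint in WRITE_SCOPE_HINTS)
        sev = "high" if write_capable else "medium"
        findings.append((sev, g.vendor,
                         f"{g.app}: OAuth grant {idle_desc}, scopes={','.join(g.scopes)}"))
    return findings


def run_checks(accounts: list[Account], grants: list[OAuthGrant], now: datetime):
    """Combine both checks and order by severity, then vendor, for a daily report."""
    findings = check_accounts(accounts) + check_oauth_grants(grants, now)
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1], f[2]))


# Constructed sample inventory (fictional vendors, users and apps).
NOW = datetime(2026, 4, 12, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("snowflake", "alice@example.com", mfa_enabled=False, sso_enforced=True, role="admin"),
    Account("snowflake", "bob@example.com", mfa_enabled=True, sso_enforced=False),
    Account("github", "carol@example.com", mfa_enabled=True, sso_enforced=True),
]
SAMPLE_GRANTS = [
    OAuthGrant("github", "legacy-ci-bot", ("repo", "workflow"), NOW - timedelta(days=400)),
    OAuthGrant("github", "deploy-dashboard", ("read:org",), NOW - timedelta(days=5)),
    OAuthGrant("snowflake", "old-bi-connector", ("read",), None),
]

if __name__ == "__main__":
    for sev, vendor, msg in run_checks(SAMPLE_ACCOUNTS, SAMPLE_GRANTS, NOW):
        print(f"[{sev:6}] {vendor:10} {msg}")
```

    Run on a schedule rather than once a year, the report surfaces the admin without MFA and the write-capable CI token idle for over a year ahead of the lower-severity items, which is the point the guest makes about continuous monitoring stepping in where the audit stops.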
  2. APR 3

    Episode 45: From the Courtroom to the Boardroom: Cyber Resilience & Executive Accountability

    In this episode of the Zero Trust Journey, Dr. Victor Monga sits down with Erin Logue Smith, leader of Governance, Risk, and Cyber Strategy at World Wide Technology (WWT). We dive deep into the dangerous gap between checking the compliance box and achieving actual security, how the regulatory landscape is shifting to hold executives personally accountable, and how a legal background investigating faulty convictions translates into building robust cyber resilience.

    What You’ll Learn:
    ◈ Compliance vs. Safety: Why having regulatory frameworks in place doesn't automatically mean your organization is secure from a breach.
    ◈ The Executive Friction: How to handle C-suite pushback when security protocols clash with user convenience.
    ◈ The Cyber Insurance Shift: Why brokers are getting smarter, utilizing AI gap analysis, and demanding tabletop exercises before underwriting policies.
    ◈ The Investigative Edge: How analyzing evidence at the Innocence Project directly mirrors uncovering the root causes of a devastating cyber incident.

    Key Moments:
    02:49 ➔ The C-Suite Problem: When executives want security on paper but refuse to adopt the friction themselves.
    05:06 ➔ The Accountability Era: Why the SEC and boards are firing executives for claiming "I didn't know."
    07:47 ➔ Insurance Brokers Level Up: Why the days of insurers blindly paying out for preventable breaches are over.
    11:17 ➔ Courtroom to Boardroom: How an investigative legal mindset sets you apart in the cybersecurity industry.

    🎙️ Meet the Guest: Erin Logue Smith leads Governance, Risk, and Cyber Strategy at World Wide Technology (WWT). With a unique foundation holding a JD and early career experience at the DA's office and the Innocence Project, Erin brings an unparalleled investigative and regulatory perspective to cybersecurity. She previously served as a Field CTO at Dell Technologies specializing in cyber resilience and spent a decade managing international data privacy at PNC.
    ➔ LinkedIn: https://www.linkedin.com/in/erin-logue-smith

    Subscribe to our LinkedIn to never miss news, updates, and quizzes to earn digital badges. https://ztjourney.com | LinkedIn | YouTube
    Disclaimer: The views expressed are those of the speakers.

    13 min
  3. APR 2

    Episode 44: Stop Punishing, Start Rewarding: Mastering the P.A.R. Method for Phishing Defense

    In this episode of the Zero Trust Journey, Dr. Victor Monga sits down with Craig Taylor, former CISO at JP Morgan Chase and Vistaprint, and the founder of Cyber Hoot. We are throwing out the old playbook. If your security awareness program relies on "shocking" or punishing employees for clicking phishing links, you are fighting a losing battle. Craig explains why the future of cyber literacy lies in psychology, gamification, and giving employees the right tools to build muscle memory against AI-powered threats.

    What You’ll Learn:
    ◈ The Power of Rewards: Why behavioral psychology proves that positive reinforcement and gamification are far more effective than the traditional "three strikes" punishment model.
    ◈ Mastering the P.A.R. Method: How to train your workforce to Pause, Assess, and Report—turning a split-second reaction into a calculated defense mechanism.
    ◈ Solving Human Problems: Why we need to stop applying binary (0/1) IT solutions to complex human behaviors.
    ◈ AI-Powered Phishing: How attackers are using GenAI to create hyper-personalized lures, and why the P.A.R. method is your best defense against flawless social engineering.

    Key Moments:
    02:57 ➔ The Effectiveness Gap: Why annual compliance training shows zero correlation with reduced phishing failures.
    06:07 ➔ The "Dog Training" Analogy: What B.F. Skinner can teach us about using rewards over punishments in cybersecurity.
    07:11 ➔ THE QUOTE: "We are trying to solve a human problem with zero one binary solutions."
    12:41 ➔ Building Muscle Memory: How the Pause, Assess, Report (P.A.R.) framework stops AI-generated phishing in its tracks.

    🎙️ Meet the Guest: Craig Taylor is a seasoned cybersecurity leader and former CISO for organizations like JP Morgan Chase, Vistaprint, and Neoscope. Armed with a background in psychology and decades of IT experience, Craig founded Cyber Hoot, a learning management platform dedicated to re-engineering cyber literacy through positive reinforcement and behavioral science.
    ➔ LinkedIn: https://www.linkedin.com/in/craigmtaylor

    Subscribe to our LinkedIn to never miss news, updates, and quizzes to earn digital badges. https://ztjourney.com | LinkedIn | YouTube
    Disclaimer: The views expressed are those of the speakers.

    16 min
  4. APR 1

    Episode 43: Are You Talking to AI? Deepfakes, GANs, and the AI Security Menu

    We dive deep into the dark side of Generative AI, exploring how attackers are leveraging Generative Adversarial Networks (GANs) to bypass authentication, and why defining "AI Security" requires much more than just a buzzword.

    What You’ll Learn:
    ◈ Weaponized AI: How deepfakes, voice cloning, and AI note-takers are disrupting the identity perimeter and creating new insider threats.
    ◈ The User Burden: Why end-users inevitably bear the brunt of corporate security failures and the rising risk of synthetic identities.
    ◈ Zero Trust for AI: Strategies for isolating anomalies, maintaining visibility, and managing the risks of agentic AI.
    ◈ The AI Security Menu: Breaking down the 5 distinct types of AI security—from consuming commercial LLMs to building proprietary models.

    Key Moments:
    01:36 ➔ The Deepfake Threat: Why your voice could be used to bypass security protocols.
    08:04 ➔ THE QUOTE: "Even if you don't think you have an online presence, you do in some way."
    09:59 ➔ Zero Trust vs. AI: The critical importance of visibility, discoverability, and continuous monitoring.
    12:26 ➔ Third-Party Risk Management for LLMs: Moving beyond basic vendor checks to test for prompt injection and token manipulation.
    14:48 ➔ The AI Security Menu: How to classify your AI risk footprint.

    Subscribe to our LinkedIn to never miss news, updates, and quizzes to earn digital badges. https://ztjourney.com | LinkedIn | YouTube
    Disclaimer: The views expressed are those of the speakers.

    20 min
  5. MAR 8

    Episode 41: AI's Role in Software Development: Opportunities and Risks

    What You'll Learn:
    ▶ The "Vibe Coding" Illusion: Why using AI to build end-to-end web applications works perfectly for a month, but ultimately collapses into uncompilable loops under its own complexity.
    ▶ Object-Oriented vs. Functional AI: Understanding why Large Language Models (LLMs) struggle with piecing together complex object-oriented puzzles, and how real engineers use AI for targeted, functional modules instead.
    ▶ AI in Critical Infrastructure: Why blindly deploying AI-generated code into healthcare, financial, or critical systems is professional negligence, and why every single line of code still needs human justification.
    ▶ The Model Context Protocol (MCP) Fad: Why the highly hyped MCP might just be a passing trend destined to fail outside of decentralized utopias, and why traditional REST APIs are here to stay.
    ▶ AI is More Than ChatGPT: A look back at the last 20 years of AI research and why traditional machine learning and automated planning still hold massive, untapped potential outside of the LLM spotlight.

    This episode is a must-listen for enterprise executives, project managers, and security practitioners looking to separate AI marketing fluff from the actual realities of modern software engineering.

    Subscribe to our LinkedIn to never miss news, updates, and quizzes to earn digital badges. https://ztjourney.com | LinkedIn | YouTube
    Disclaimer: The views expressed are those of the speakers.

    18 min
  6. FEB 13

    Episode 39: ZTMM+ How to Assess and Roadmap Zero Trust

    "Zero Trust is not a journey where you have to spend a lot of money upfront before you can get started. In almost every case, you just need to use what you have better."

    In this workshop-style episode of the Zero Trust Journey, Dr. Victor Monga sits down with Jason Garbis and Jerry Chapman from Numberline Security. They move beyond the theory to conduct a live Zero Trust assessment of a fictitious company, "Precision Dynamic Manufacturing" (PDM). From "sticky note" admin passwords to flat networks where CNC machines and Wi-Fi guests coexist, Jason and Jerry map out a practical, no-fluff roadmap to maturity.

    IN THIS EPISODE, WE COVER:
    The ZTMM+ Framework: Why the standard CISA model needed an upgrade and how "Governance" acts as the critical glue across all five security pillars.
    The PDM Case Study: A deep dive into an SMB with 200 employees—evaluating the risks of an IT stack built by the "neighbor's kid" and how to secure it before a CMMC audit.
    MFA is Non-Negotiable: Jerry breaks down the journey from simple SMS codes to phishing-resistant authentication and why it’s the single most important move for identity.
    Stop Buying, Start Configuring: How to leverage your existing Microsoft Entra ID (Azure AD) stack to achieve Zero Trust principles without a massive capital investment.
    Network Segmentation for OT: Practical strategies for isolating "crusty" legacy hardware and CNC machines from the rest of the enterprise to stop lateral movement.
    Building External Trust: How a mature Zero Trust posture directly impacts your ability to secure cyber insurance and win contracts with security-conscious partners.

    Connect with the Guests:
    Jason Garbis: https://www.linkedin.com/in/jasongarbis
    Jerry Chapman: https://www.linkedin.com/in/jerrychapman

    Subscribe to our LinkedIn to never miss news, updates, and quizzes to earn digital badges. https://ztjourney.com | LinkedIn | YouTube
    Disclaimer: The views expressed are those of the speakers.

    41 min

Ratings & Reviews

5 out of 5 (4 Ratings)
