Secure & Simple — Podcast for Consultants and vCISOs on Cybersecurity Governance and Compliance

Zero Trust as a Mindset: Identity, Governance, and Access | Interview with Andrew Gault

Mar 10, 2026

Andrew Gault, CEO of ZeroTier — builder of secure overlay networks — talks Zero Trust as a mindset, not a single tool. He covers identity-first strategies, policy-based scoring, encryption, and continuous verification. Conversation dives into vendor and machine identities, governance and change management, limits like shared credentials, and practical KPIs such as inventories and exception reduction.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

Zero Trust Is A Mindset Not A Product

Zero Trust is a strategic mindset that assumes nothing inside the network is trusted and plans as if every asset were exposed to the internet.
Andrew Gault contrasts perimeter VPN thinking with ‘default deny’ and continuous verification to prevent implicit broad access.

ADVICE

Begin Zero Trust With Identity And Policy

Start Zero Trust with identity first, then policies that score and verify connections, plus encryption and monitoring.
Andrew recommends multifactor scoring: who is the human, what device, where from, endpoint posture, and encryption decisions.

ADVICE

Issue Vendor Identities Inside Your System

Give external vendors identities inside your central identity system rather than trusting their own IdPs or multiple providers.
That lets you revoke vendor access centrally when contracts end and avoids per-application exceptions.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

In this Secure and Simple Podcast episode, host Dejan Kosutic (CEO of Advisera) interviews Andrew Gault (CEO of ZeroTier) about Zero Trust as a strategy and mindset rather than a single technology, shifting away from perimeter-based security to “default deny” with continuous verification. Gault outlines core layers such as identity for users and devices, policy-based scoring, encryption, and ongoing monitoring to reduce lateral movement when breaches occur. They discuss extending zero trust principles to suppliers by issuing vendor identities managed centrally, governance needs like documented access policies, change management, and least privilege, and challenges such as shared credentials and the ongoing effort to keep permissions current. The conversation also covers non-human identities for AI agents, service accounts, ownership and lifecycle management, audit expectations under SOC 2 and ISO 27001, vendor lock-in tradeoffs, and using inventories and exception reduction as practical KPIs.

Links from the episode:
- Conformio software to streamline and scale ISO 27001 implementation and maintenance for your clients: https://advisera.co/Conformio-software
- White label documentation toolkits for NIS2, DORA, ISO 27001, and other ISO standards to create all the required documents for your clients: https://advisera.co/page-all-toolkits
- Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks to show your expertise to potential clients: https://advisera.co/Consultant-Courses
- Company Training Academy with numerous videos for NIS2, DORA, ISO 27001, and other frameworks to organize training and awareness programs for your client’s workforce: https://advisera.co/page-Company-Training-Account
- Beginner's Course for ISO, Cybersecurity, and AI Consultants: https://www.youtube.com/playlist?list=PLHwD3nQun7caKFq80LxNNYKIabATlyA7t
- How to Grow Your Cybersecurity, ISO, or AI Consultancy: Advanced Course:https://advisera.co/GrowYourConsultancyTraining

(00:00) - Interview Andrew Gault
(00:47) - Strategy Not Perimeter
(02:40) - Core Layers Explained
(03:53) - Vendors And Suppliers
(07:37) - Risks Reduced And Limits
(12:24) - Non-Human Identities
(16:04) - Managing Machine Accounts
(18:34) - Governance And Policies
(23:35) - Who Owns Zero Trust
(25:40) - Building Security Culture
(27:20) - Measuring Zero Trust Impact
(30:08) - Compliance vs Real Security
(34:35) - Avoiding Vendor Lock In
(38:33) - KPIs and Legacy Exceptions
(44:25) - Resources for Consultants and Cybersecurity Professionals