dnsUNFILTERED: Dr. Chase Cunningham
Podcast > Episode 50 | March 30, 2026
Mikey Pruitt (00:03)
Welcome everybody to another episode of dnsUNFILTERED. Today the doctor's in: Dr. Zero Trust, Chase Cunningham. How are you?
DrZeroTrust (00:12)
Hey man, thanks for having me. I appreciate you inviting me over.
Mikey Pruitt (00:16)
Well, hey, I'm happy to, and I was just telling you this, Chase: when I was doing a little bit deeper research I kind of became the Doctor Zero Trust fanboy. So please excuse my exuberance while we're doing this interview. I've got some questions laid out, but first, just tell me about yourself, your background a little bit, and what you're working on.
DrZeroTrust (00:37)
Yeah, so I'm a retired Navy chief cryptologist. I was at NSA after that for a little while, and then I was at Forrester Research following that. I've been a consultant at a few companies since then. I've managed to write going on 14 books now, got six or seven patents, and then most importantly I've got four kids going out in the world that are relatively useful. So I'm doing okay, I think.
Mikey Pruitt (01:03)
That is the real win. It's like, I'm a good person. It's like the ending scene of Saving Private Ryan where the old version of him looks at his own... Yeah. Tell me I'm a good person. It's one of two movies that makes me cry. My wife's like, hey, you know, this is a really sad moment. Should I turn Private Ryan on so that you can shed a tear?
DrZeroTrust (01:06)
Yeah.
Yeah, be a good person, right? Tell me I'm a good person.
That's a great one. Yeah.
Yeah, that's one of my favorite flicks of all time.
Mikey Pruitt (01:32)
So apparently we're robots. But anyway, you went from, like, a Navy mechanic, I believe, and now you're this. Yeah. But then you kind of got into cryptography and ended up at some three-letter agencies. How did that transition from mechanic, which is not digitally technical, but very technical, happen?
DrZeroTrust (01:39)
Yeah, I was a diesel engineer, you know.
Yeah, so I joined the Navy at 17. I grew up on this little bitty nowhere ranch out in the middle of Texas, and I was one of the few kids in high school that was kind of interested in computers, but I didn't really do much. We were a dirt poor farming community, but we had a few computers. So I helped kind of put the lab together and do some of those things. And this is way back before we had even, like, documentation. So it was a
learning event. And then fast forward, right, I joined the Navy. I go off and I wanted to be a mechanic because I like working on cars and fixing things. But what I found out really quickly was, in the military, unless something is really broken at sea, typically contractors fixed it. So I didn't do a lot of the work I was hoping to do. To be short, it sucked, and I really didn't want to be there anymore because I wasn't fixing anything.
Anyway, we had one piece of gear that we had gotten, I think it was from Lockheed Martin or Raytheon or one of the Beltway bandits. But this piece of gear was the newfangled computer-controlled piece of gear that was supposed to control how our evaporator made water. And it never worked right. Like, they came in and installed it, and it was kind of like the mechanic thing where the first day it worked great. And then as soon as the contractors left, it was just an absolute piece of crap. Like, nothing ever worked right.
But I knew enough about computers that I had seen the guys from the contractor configuring the settings with the laptop. Now go forward from there. That laptop was given to our chief engineer. So it's a big no-no to go into an officer's stateroom and take something out of their stateroom, which I did. Yeah, I did it at like two o'clock in the morning when I was on watch because I was sick of trying to recalibrate this piece of gear. And anyway, I brought it down to the engine room and I'm down there.
Mikey Pruitt (03:30)
Especially a laptop. I'm
DrZeroTrust (03:40)
you know, messing with this thing and changing settings, whatever, and everything lights up green. I was like, great, I fixed this thing. I'm going to sneak it back upstairs. No one's going to be the wiser. And it just so happened, by dumb luck, the guy who was at the time the cryptologic officer, which now they call the CWO, the cyber warfare officer, was walking around the ship at two thirty in the morning because he was just unable to sleep. And I'm doing this, like, poking away on this thing, and I look over to my right and I see this head come around the corner.
DrZeroTrust (04:10)
And he just looks
at me and raises an eyebrow. Yeah. And I was like, shit. I'm in deep trouble, right? Cause he didn't say anything. He just looked at me and saw, and then he walked off. Crap. I actually, the next day I even called my mom from the ship sat phone and said, like, mom, I'm probably in big trouble, just so you know. And anyway, he comes back after a couple of days, let me sweat it out, and he just says, look, I looked at your personnel record.
DrZeroTrust (04:37)
Your time's coming up. You're going to separate. He said, do you like doing the engine thing? And I was like, sir, I like working on engines, but I'm not doing that. And I don't want to do this anymore. He goes, well, have you ever heard of cryptography? And I was like, I have no clue what that is. But he said, well, we work in the spaces upstairs where there's no doors and no windows and no one knows what we do. He said, does that sound interesting? I was like, sure.
Mikey Pruitt (05:01)
Yeah.
DrZeroTrust (05:02)
And fast forward from that, like I filled out all the paperwork, I waited my time on the ship to get my security clearance, and then what we in the Navy call cross-rated, and I went to Pensacola, Florida and went through code school. And then from there, I just got lucky and kind of fell into a career.
Mikey Pruitt (05:19)
OK, so many things to unpack there. It's funny, I have like a list of questions, and I think I'm just going to ignore all of them. So I'm assuming the CWO came by, perhaps he saw those green lights and was like, he fixed it. Interesting. And then he looked.
DrZeroTrust (05:26)
It's all good.
I think he was probably
like, what is an engineer doing with a laptop, more than anything. They typically figure we're down there chewing on nuts and bolts, you know.
Mikey Pruitt (05:37)
But he let you either fail or succeed. And then he did a little background check. He's like, who is this guy? He's a farmer from Texas, our kind of people.
DrZeroTrust (05:48)
Yeah, he
went in, from what I understand from my senior chief. He went to my senior chief and asked, you know, does that Cunningham kid know anything about computers? And my senior chief had seen me in the engineering log room doing stuff, not technical things on the computer, but I could type really fast on the computer. Actually, senior chief had me do his logs. So he was like, yeah, he knows how to use a computer. And that was kind of further validation, I guess.
Mikey Pruitt (06:17)
Yeah, that was probably an anomaly back then anyway. I'm not trying to guess your age or anything, but... yeah, we're like the same age. What am I? Yeah, I'm 46 now. Man. Anyway, let's get back to it. So you go to code school. First of all, that's a killer word. I didn't know it was called that. So you go to... go ahead.
DrZeroTrust (06:20)
Oh yeah. Now I'm 46.
Yeah. Well, yeah, I mean,
it's kind of interesting because it's one of the only spots, other than linguistics or special forces, where you'll have every service that goes to the same school. So Air Force, Army, Navy, Marine Corps. At the time there was no Space Force, but now there is. So we all went to Pensacola, and it's this little, little hole-in-the-wall base up the street from the nice base where the air debt people go.
Corry Station is what it's called. You can look it up on the internet. No, that's classified. But yeah, it's kind of a grody little spot, a hole in the wall that they only send a very select group of people to that have been through all the clearance crap. And then you go there for your first school, which I think mine was like six months of nothing but math and code stuff.
Mikey Pruitt (07:33)
So when did the, I guess, like a switch flip when you were a little bit more invested, let's say, into the cybersecurity space? And then what happened to make you a little bit more outspoken, which I guess you could say you are now?
DrZeroTrust (07:50)
I mean, the majority of the stuff I wish I could tell you I can't, because it's stuff I did in classified spaces. But I would
just say that I was lucky enough to be involved in some operational things where we kind of saw the power of cyber at the time. And it was very useful for what we were doing in the war on terror. So that's kind of where I can leave it. But it was eye-opening for me to see, like, well, wait a minute. These guys were trying to, you know,
do collection on a target through traditional means, and we did our cyber stuff in like a couple hours and we were good. And that was one of those kind of wake-up calls for me. And then, going on from there, I've said it many, many times, I've just been super blessed to be engaged with the right people at the right time. I wish I could say I was smart enough to figure it out. It's all just kind of happened by, you know, circumstances, and I
wound up following on to the next thing. As far as being outspoken, I've just gotten kind of a stone in my craw with the way that the market does what it does and the vendors that kind of screw things over. And there's so much stuff that is sold to people that doesn't work. And I do lots and lots of pro bono work with small businesses and whatever that need help. And it's just wrong, and it's disingenuous, and it's not helping. And
I figure if I have any influence on three people, then great, if that changes things. And luckily we live in a world where you can have as loud a voice as you want. You just have to be willing to deal with the, you know, internet. Yeah. Internet and people saying things and cease and desist orders and stuff like that. But yeah.
Mikey Pruitt (09:32)
Cameras.
Yeah, we've gotten our fair share of ceases and desists here at DNSFilter. So that actually kind of leads into my next line of thinking. It seems like you're kind of on this mission to separate vendor marketing from the actual technical capabilities of a product. But put yourself in the mindset of, I talk a lot with managed service providers, and there's SMB IT teams and even mid-market enterprise IT teams, and they're
trying to determine if this product does what it says it does, or if it's just kind of vaporware or boasting a little bit too heavily. How do you separate that and educate people on how to spot what's working and what's just bloat?
DrZeroTrust (10:25)
I think that that's the... So the difference for me in thinking, right, is that it's not about the product or the technology. We have unequivocally solved the problem of cybersecurity. Like, we have the solutions to solve the problem. Does it mean you'll never have a compromise? Absolutely not. Does it mean that you can stay in the fight and you can be survivable and you can continue to do what you need to do for the purposes of whatever? Yes.
And that's something I think people get wrapped up around as they try and go, okay, well, what does perfect look like? There is no perfect. There is only survivable and there is, you know, remediation. I think we're moving to a space where that's becoming more of the standard for people to adopt, which is good. Then the follow-on to that, because I do workshops with folks all over the world, is really like, look, what is your strategic initiative? And it doesn't have to be called zero trust or whatever, but something. Whatever that
strategic initiative is, okay, let's start with that and then let's work our way backwards. And I typically try and get people to understand this is not about a defensive mindset. It's about an offensive mindset, and you need to align your strategy to beating the bad guys, the adversaries, where they operate. Everything else is just lipstick on a pig, and if you don't think any other way, you're wrong. Like, that's the proof. And of course people can make their own decisions, but
the data tells me that there's a right way and a wrong way to do things.
Mikey Pruitt (11:54)
So you've said that there is no zero trust product, and I wholeheartedly agree with that. Zero trust is more of a philosophy or a framework of sorts. Let's just take DNSFilter as an example. How do we...
use the language of zero trust without violating the trust of the market?
DrZeroTrust (12:17)
Well, I mean, it's really clear, I think, if people from the vendor side would look at, well, where's... I mean, they pay a lot of money to Forrester and Gartner and all these other analyst firms. The analysts are super smart. They tell you what you should do, and then people go off and do the opposite anyway. Because, like I said, I was at Forrester. I know how that game is played. But the reality of it is vendors should look at their research, look at their data, and their customers that are telling them this is the problem they're trying to solve, and then align to how you enable that thing.
That's the difference between that and then all the folks that go... It also is very disingenuous when you see vendors that are like, oh, the market is broken. The technology space is fundamentally flawed unless you buy us, right? Then all the things are fixed. And it's just, you know, not helpful. Like DNS filtering: DNS is super critical to anything that goes on the internet, right? It's the backbone of how things are routed where they're supposed to go. It's very simple to sort of align on what
somebody would get from using your product to solve a particular strategic problem. And that's what you go for. And I think, too, that it's more helpful for vendors if they would hitch their wagon to a particular initiative instead of trying to gently touch all of them, possibly because it could lead to market share. That's not actually showing that you're committed to the value proposition of the solution. I'm a little bit of SASE, but I'm also ZT. And then I'm also ZT, but I'm also
NIST 800 blah blah blah. Like, just pick your thing and align to it and then drive the rest of it along those lines. Because you can't be everything to everybody.
Mikey Pruitt (13:56)
So transparency and honest marketing. It's like basically being a human or a good human, I should say.
DrZeroTrust (13:59)
I mean, it's a shocker, right? Crazy,
crazy idea. I know it's like way beyond the pale. It's like you said earlier, it's funny. It's funny, but sad to me, that I have people, when I'll be traveling or something else, they've read something or seen a podcast or whatever, and they'll see me and they'll say, man, I'm so glad somebody's saying what they think. I'm like, that's sad that you think that that's good. I mean, why would I?
Why would you not? Like, what's the worst somebody's gonna do? Tell you you're wrong, or that you're stupid, or they don't like your face? Like, I don't care, that's not my problem.
Mikey Pruitt (14:37)
You're like, that's been happening my whole life.
DrZeroTrust (14:40)
I genuinely don't care. Say what you want to say. It's a big internet. Like, feel free to go somewhere else.
Mikey Pruitt (14:47)
So I've seen your three J's framework. There's like a justify, a just in time, and a just once. Can you kind of describe those for me?
DrZeroTrust (14:59)
Yes, that's just a real simplistic sort of framework for looking at how authentication and authorization should occur. If you really think about what needs to happen for minimization of risk in that particular context, right? Just in time: OK, I need to get access to this thing. Do you need it for 30 days? Probably not. Humans sleep. Do you need it for eight hours of your work day? OK, great. Do you need it for the next 40 minutes? Even better. Let's just-in-time that. And then, you know, the next couple of J's are pretty simple, of
just keeping that as minimal as possible and making sure that you have control over that. The twist on that whole thing is you can't do it without a policy engine. Ricky the intern in a spreadsheet is not going to work. You've got to have a policy engine, you've got to have automation, and you've got to be able to do this stuff at scale, especially nowadays when we're creating, call it, digital users every minute of the day because people are building their own agents for God knows what. So it's a very important
DrZeroTrust (15:59)
problem to solve, but it's also one that's very solvable. Like, the technology to do that, it's all over the place. There's no excuse for it not to be in place, honestly.
Mikey Pruitt (16:09)
So, IAM, identity, is really at the core of cybersecurity. Is that your opinion?
DrZeroTrust (16:17)
I mean, I think that it's funny, because if you really think about the mechanism of what makes cybersecurity functional, right? We have to have users on machines. We have to have people or agents doing things, whatever else. So I think that identity is one of the core mechanisms around which all of the many moving parts of the cybersecurity engine revolve. But you can also transpose that with
different pieces of infrastructure depending on the problem you're trying to solve. I do think that it's problematic for most organizations to go, let's deal with the data problem first, because data is so ethereal nowadays and it's so different between organizations, and what used to be data, right, like a record in a database that was valuable, isn't necessarily what we put value on today.
I think more what folks should focus on is, I call it the center of gravity of their organization. Wherever the most important things take place that keep your business operational, functional, useful, that's where you focus. If you try and track down your quote data to begin with, you'll be tracking that forever and you may never even solve the problem.
Mikey Pruitt (17:26)
Okay, that's interesting. But first I want to go back to what you said a moment ago about how we've solved cybersecurity. Is that having identity around the elements, the most important elements? Is that the solution to cybersecurity? Like, tell me about that.
DrZeroTrust (17:53)
I mean, that's a valid solution. Is it the ultimate end-all be-all? No. Does it mean you're bulletproof? No. Does it mean you're bullet resistant? Probably. But I mean, I'm also, like, putting together a podcast today that I'm recording on my own show that's basically like, look, here's how much people still suck at passwords in 2025. You know, and it's one of these things where folks will say, well, I don't know how we solve this problem. I can tell you, like, there's a reason that
there's entire sectors of our market that are dedicated to research, like Mandy and Trends and Forrester and Gartner and Verizon DBIR and whatever. And they tell you the same thing every year for a decade plus is the majority of the problem. And people still go, well, gosh, I wonder how I solve this. If users suck at passwords, you use a password manager and you mandate MFA. Problem's relatively solved. It's not rocket science.
Mikey Pruitt (18:50)
Why is that so hard? Like, everyone in the audience, think of your average family member or friend and their password hygiene. Everyone listening to this, you and I are probably on the nerdy side of things. Like, if I can put 150 characters in a password field, I will do it. Cause who cares? Cause I don't have to remember it, and I have the security around accessing that password. But why is it so hard for people to...
do those, like, three extra steps? What is the human hangup?
DrZeroTrust (19:22)
I mean, that's why it's always kind of comical to me when I have, call it, conversations, which really are arguments, with folks online about phishing training and the human side of security or whatever else. I always go, have you ever met a user? Like, users suck. People in general are not super awesome. So why would you continue to try and combat human nature and not use a technical control?
And we have the technology to make... like, my position is, I think that security should be part of the experience of the internet. It shouldn't be this kludgy bolt-on thing that you do all day, every day. And the reason that people don't do it is the same reason that gym memberships are crazy from January 1 to February 15th: because it looks like a good idea. And then people realize it takes a lot of work and it sucks and it's uncomfortable, and they quit, because people are lazy and people don't like change. So
DrZeroTrust (20:17)
I wish that there was some more altruistic thing or some super insightful whatever, but the truth is people are people and no one wants to do this stuff. Just like I don't want to do taxes,
but I have to, because if I don't I go to jail, right? I mean, it's just that people are not good at doing things that they don't want to do. But these are simple controls. These are like buckling your seatbelt.
Mikey Pruitt (20:45)
I have a friend group chat with friends I grew up with, and we all have kids, and one of them, his two sons are getting to their mid-teens and starting to ask questions about touchy subjects, and he doesn't want them to go on the internet and find out something crazy.
And I was like, hey, DNS filtering is a really good idea. And I gave him some options, and he's like, yeah, but I talked to them. And I'm like, well, that's great, but you should also put in some technical controls because they're just fallible humans. They're not going to obey every time. So if you put some technical controls in place, that will help. And that's the same thing in business.
DrZeroTrust (21:12)
Yeah, there you go.
Yeah.
I mean, people deny it. It's just weird to me. People will fight the reality of how human beings have operated since the dawn of time, and then they wonder why it doesn't work. It's like, cause that's just not smart. It's not crazy to think that, hey, if you put a kitty picture in front of people, they'll probably click it, cause people like pictures of kittens. I mean, when I used to red team folks, I would
send pictures of puppies and kittens and I got clicks all day, every day. It's not hard.
Mikey Pruitt (22:06)
So you had, like, I guess an extension of the ZTA, was it ZTA? I guess, whatever, Zero Trust Extension Framework. And you developed that, and it's being used, I guess, and it's been incorporated into NIST and CISA guidance. But how has your thinking evolved since that
DrZeroTrust (22:15)
Yeah.
Mikey Pruitt (22:24)
extension that you created.
DrZeroTrust (22:26)
I mean, I think the cool thing was that it's a broad framework, so it's something that's adaptable and people can use it in general terms, which is why it's being used by others, which honestly, I think that's what a framework is supposed to do. The thing that I kind of would love to redo, even though I'm no longer at Forrester, or maybe Forrester hears us, wink wink, like, you guys might redo this or whatever, is that some of the pillars of that
have evolved since then. Like, one of them we had at the time was users. Now users is great, but what a user is today is way different than what it was when I put that framework together in 2018 or 2017 or whatever, 2016, whatever it was. So those things need to change, I think, because people will still ask the question, well, okay, what do you mean by users? And to their point, I a thousand percent agree. You know, is a user an AI agent now? Is it a person? Is it a non-human machine? Is it a
Mikey Pruitt (22:58)
Hmm.
DrZeroTrust (23:21)
You know, a web thing that logs into something? Is that an MRI machine that has access to something? So those things should be clarified a bit, maybe expanded upon. But I think, in general, the framework survives because it is malleable and it's broad enough that people can look at it and go, okay, well, I can define users in my context, I can define devices in my context. And that's what I encourage folks to do, is like,
DrZeroTrust (23:50)
Make it your own. No one is... as far as I know, there is no governing body in cyber saying thou shall only do this.
Mikey Pruitt (23:57)
Well, there's not governing bodies, but there are entities that put out frameworks. And I am curious, what do you think the best path forward is as an industry to keep those frameworks malleable, I guess, updated, and keep people from looking at them like a checklist?
DrZeroTrust (24:19)
Well, we're never going to get to have people not look at them like a checklist, because we have people that that's how they operate in this space, right? They're very formulaic, which is fine, but it's going to be problematic to keep running along with that approach. I think what we need to remind people of is that these are reference architectures. The word reference is in there for a reason. It's not, you know, chiseled-in-stone architecture, so refer to it, use it,
make your own decisions, do your own things with it, go forward from there. And then pushing some of these governing bodies to kind of set something and have it be there for a bit. We seem to change this stuff up way too much because we're constantly chasing. So, like, I'm a fan of 800-207. I think it's really well aligned for ZT and I think it's a very prescriptive approach. Just, okay folks, let's just NIST. Let's just say that is our zero trust
reference architecture, done. We don't need anything else right now. Just pick it and let's roll with it for a bit. But that's kind of the nature of the market, to be honest.
Mikey Pruitt (25:27)
Yeah, agreed. But yeah, when you're adhering to these frameworks, keep in mind that they were written at a point in time, and things change, evolve. Speaking of a Russian gang breaking into your network, you had mentioned red teaming a moment ago.
DrZeroTrust (25:36)
Yeah, they're snapshots. I mean, that's what compliance is: compliance is a snapshot. And there's never been a Russian ransomware gang that broke into a network and went, no, they have PCI.
Mikey Pruitt (25:55)
Which is just, you know, attacking your own infrastructure to find vulnerabilities before the bad guys. So how would people start down a path like that?
DrZeroTrust (26:06)
I encourage them to not start down the path like that themselves. What they should do is reach out to
folks that know what they're doing and bring them along as service providers. There are some automated solutions now that can help with that. If you go look up automated red team or pen testing, those things are out there. And the reason I say that you should not do this yourself is, if you're not really good at it and you don't know what you're doing, the odds of you bricking something important or pissing a lot of people off or
potentially causing yourself more misery than you want is very, very high. So yeah, unless you're a red teamer, don't do it yourself. Maybe consider some automated options that will help you get results and things like that, or outsource something. Now, the reason you should do that, and the reason I think you should do that first before you try and do anything else, is: what logical person would say, I'm gonna come up with a plan to defend myself if I don't know where I'm actually weak?
Mikey Pruitt (27:03)
Yeah. Yeah, you don't know what you don't know.
DrZeroTrust (27:03)
You know what I mean? Like, if you're not prepared for, call it, the fight, you're not actually prepared for the fight. And adversaries
don't play by rules. We do. They don't go, no, I can't go after an IP address that's not in the subnet. I can tell you, cause I've been a red teamer, when I'm scanning and I see an IP address that showed up that wasn't supposed to be there, it's like, hmm, interesting. Why is that?
Mikey Pruitt (27:33)
So when you're hiring someone, you're looking for this, you know, entity to come in. Should you be prescriptive, like, I want to test this? Or should you just say, you know, hurt me, try to hurt me in a safe manner?
DrZeroTrust (27:49)
I mean...
My thing is, like, we're going to have him do it, let him go, call it wild, because that's what is going to happen on the adversary side. I want him to attack people up there on their home networks. I want him to try USB drops. I want rubber duckies. I want wireless stuff. I want printers gone after. I want DDoS. Like, all those things that are potentially problematic, let's do those and see how we respond. And one thing that,
you know, my takeaway too is, you don't actually have to do the technical red team or hacky things. Get the people around that lead and bring them into a room and give them whiteboard sessions and tabletops and go, okay, here's our scenario, and run through it. You know, as of 3:00 this morning, we experienced a ransomware event on these systems and we are no longer able to use email. What do we do? And then just see what happens.
And if you can't work your way through those kind of broad tabletop exercises, you don't have a hope in hell of surviving an actual red team.
Mikey Pruitt (29:01)
Yeah, makes sense. So I want to get back
to something I heard you say about this sassy, which, gosh, I can't... You're like, I know what he's going to say. That is basically what you said. I think it was at Zero Trust World last year. You were like, sassy is the dumbest stuff I've ever heard.
DrZeroTrust (29:11)
I hate that term so much. There's so many reasons I hate it.
Mikey Pruitt (29:22)
Which is hilarious. But why is that?
DrZeroTrust (29:23)
Yeah.
Well, number one, it's the analyst firm trying to jump on to a market trend and then go, hey, we came up with that, when it was already kind of the thing, right? ZTNA was really taking over, and that was where Gartner was like, well, shit, we're going to lose market share to this. So let's come up with our own term. We'll call it SASE, and it's secure access service edge. And then we can bill people for that stuff because we coined the term, right?
Not that it was anything different, or there was anything new, or there was anything earth-shattering. It was just, how do we keep our own claws in this thing? And then I'm also just sitting there thinking from the perspective of, when someone says, what is your strategic initiative for something, you go, we're sassy. Like, what? That's Honey Boo Boo. Yeah, we're sassy, child. Yeah, like, no. I mean, secure access service edge. Okay, sure.
Mikey Pruitt (30:12)
Yeah, you're like, like this? Finger-wagging sassy.
DrZeroTrust (30:21)
That's also zero trust network access, or nowadays universal zero trust network access, which is the new sort of thing. So, you know, I don't think it provided any value to the community at large. I think it honestly just skewed a bunch of stuff, because problematically, as soon as Gartner published that, a bunch of vendors were like, well, we got to say we do that too. So now you wind up with this ZT sassy transmogrification amalgamation of BS, and people are sitting around going like,
well, what's the difference between sassy and zero trust? And I have to go back and go, God, here we are. Okay, let me break this down for you. So I just don't think it was helpful at all. And also, I don't run into it. I did 200,000 miles internationally last year doing zero trust workshops. Never once did I run into a CISO or a leader that was like, we're engaging in a sassy strategy.
Mikey Pruitt (31:16)
So I think we'd be better off as an industry if any acronym that comes out doesn't have to include a pronounced like.
DrZeroTrust (31:24)
Or yeah, like let's try this with our kids and if they laugh at us, it's kind of stupid, you know. Right, I'm sassy, like that's dumb. That sounds really dumb. Yeah. Yeah, you're, you be sassy.
Mikey Pruitt (31:30)
That's a good test too. They're like, great, great dad. So this section of this line of questioning is like the industry critique section. Don't hold back, because I've seen some of your statements, specifically about, and we touched on this earlier, about like, cybersecurity is really like, unfortunately there's a lot of VC backing, like pushing, using terms like SASE, ZTNA, and kind of muddying the waters to actually help people. And it sounds like that's your opinion, but could you elaborate?
DrZeroTrust (32:11)
Well, I mean, it's good that we have a market and it's good that there's so much going on here. But if you look at the trends, right, typically a market should follow some line of success. And what we have in cyber is the problem space keeps getting worse and we keep failing to prove that what's being invested in is actually returning on that investment. But we're still dumping money into it. And why are we doing that? Because it's an infinite problem that people, it's
It's big pharma for tech is basically where we're at. Like, why would I cure the disease when I can treat the symptoms and keep the patient alive longer so that I can keep, you know, making money off of them. And that's what I think the disingenuousness of the market is really trying to push people towards is, oh shit, new problem. Follow that thing. Well, wait a minute. That thing is invoked by PowerShell. Why don't we just stop PowerShell? No, no, no, you can't do that because that would
No, that's not our super AI magic kernel level blog. Well, hang on. Users suck at passwords. Why would I not just use a password manager type deal? And then you've got the VCs, the vulture capitalists, not the venture capitalists. And that's what they're doing is they're just sitting out there going, cool, where can we make money off of this? And are they going to return a nice hit on that? And then we throw a bunch of money. And I mean, if you read the research on VCs, they typically are
doing good if they get one out of every like 20 to 30 investments to return money to offset all the other losses. So they play where there's the most potential, which is cyber for the foreseeable future. AI is kind of quickly sucking that up, but that's where they're at. And no VC person that I know of, and I've talked to lots of them, has ever said, I want to help people be better in cyber security. I want to help the general population be more secure. I think it's a fundamental human right. People should operate securely online.
That's not what they say. They say, I want rule of 40. I want 15 to 1 return on my investment and I want to throw in as much money as I possibly can as fast as I can so that I know if this is going to take off. That's the money game. I literally was laughing at myself like, shit, I'm a Patagonia. My one Patagonia shirt I'm wearing. I don't have any money so I can't be a VC guy.
Mikey Pruitt (34:21)
You are, you totally are. You vulture, vulture.
Let me take a break real quick and let this cat out of here. She's getting crazy. She's like, it's cold outside.
DrZeroTrust (34:33)
Yeah, no problem.
Mikey Pruitt (34:46)
That's funny. I told her I was like, listen, cat, we got we're on camera all morning. Don't be making them. They probably heard the word cat and they're like.
DrZeroTrust (34:51)
Well, there's my dog's parking right now.
It's, they're going to go outside probably is what it is in the snow.
Mikey Pruitt (35:02)
So we were talking about the dirty Bertel Bert, a vulture capitalist. You're wearing a Patagonia sweater. Is it a vest? Is it a vest? Let's see the sleeves. Okay. Okay. You're safe. You're safe. So I've heard you say the phrase, a self-licking ice cream cone of misery. I just love that. We're like also chronically online that we can pull quotes from like all over the place. So like,
DrZeroTrust (35:10)
Yeah, it's a sweater. No, it's a sweater, but at least it's not the down vest thing. Yeah.
Yeah.
Mikey Pruitt (35:32)
Just tell me what that is. What is that? The self-looking ice cream can.
DrZeroTrust (35:35)
Well, I mean, it's anything that you, and this is a term I learned in the military. I want to say it was from a Master Chief or something, but like the whole thing is just like, if you continue to engage in failed practices and you're doing it for no other purpose than kind of theatrics or to say that you did the thing, you're just making yourself miserable for no real reason. And I think in our market, we do that a lot. You know, I'm working on a paper about this, but I correlate a lot of what we do in
digital space, digital health, I guess you could call it too, like physical health. And people don't want to hear that the basics make the biggest difference, right? You know, eat healthy, sleep right, drink water, exercise, those types of things. It'll make a difference over time, but it's way sexier to go, here's a pill and you can lose a bunch of weight and, you know, whatever else. But that's not, that's not a change. That's just an effect from something. And that's what we do in cyber all the time is
We're trying to grab the next super cool whatever and try and think we solved the problem when we could solve the majority of the problem with better basics and better fundamentals. It's not, none of it's, it's not protected information. I mean, you can open up your Google LLM and have it go collect all that crap for you and then ask the body question.
Mikey Pruitt (36:56)
So your critique on cyber is really very much like the correlation of a critique on healthcare, in that we're treating the symptom and not the root cause.
DrZeroTrust (37:06)
I mean, why would I, as a company that's making billions of dollars off of treating the symptoms, why wouldn't I, especially when I have shareholders, why would I ever cut my own throat and actually fix the problem when I can just go? Yeah, I can just go, oh, well, you had one dot. Oh, here's two dot. Oh, and let me just, you know, make that a little bit more expensive and add some new features to it. And I mean, you know, tangentially that too.
Mikey Pruitt (37:19)
the incentives.
DrZeroTrust (37:35)
When you talk, because I talk to companies all the time in the space that are coming out of stealth or whatever, everybody wants to go to enterprise. It's like, well, enterprise is a big giant thing. It's going to take you a long time to sell there and whatever else, but one deal might cover two years worth of work. Or you could actually go after the small and mid-sized businesses that can make decisions in 30, 60 days, and a pile of sticks is still a bonfire. So why not do that? And it's not helping anyone
to try and keep fixing the enterprises, because the enterprises are not where compromise occurs anymore. Now it's typically the small and mid-sized and third parties and contractors. So which is it, folks? Are you for real trying to fix the problem? Then you go to the market that needs serving. Or are you trying to make more money and you serve the market that's already saturated?
Mikey Pruitt (38:25)
But you might, you could even make more or at least the same in either market or both. Interesting.
DrZeroTrust (38:29)
I mean, ThreatLocker's built a billion dollar business off of serving the market that everybody else ignored. And I give Danny and Sammy and the whole team so much kudos because I knew them when it was nothing but a drawing on the back of a napkin. And Danny flat out was like, nope, we're going where everybody else isn't because they need help. And I was like, good for you, man. You figured it out.
Mikey Pruitt (38:51)
Yeah, and that product is as close to zero trust as I really see too. It's like you just can't do anything unless it's approved.
DrZeroTrust (38:56)
It's legit, I mean, it's not hard, you know, they put their stuff in, it figures out what's being used, figures out what's not and then turns it off.
Mikey Pruitt (39:07)
Yeah, that's like turning the dial to 10.
So we've talked about, we mentioned the word AI a few times. Like every episode of this podcast, I have a little AI section. And I'm assuming you're a little bit skeptical, but in a way that's like, we're just kind of misrepresenting it, and not necessarily that it's not useful.
DrZeroTrust (39:32)
Not super useful. I mean, it's a tool. And by the way, none of it's AI. It's machine learning that's been marketed as AI. So people should be aware that we don't want real AI because that's a whole other ball of wax. Matter of fact, if you've never read the book If Anyone Builds It, We All Die, like, you should go read that because it's very pressing on like actual artificial intelligence issues. But we should be using ML everywhere that we can. I use it all the time, two or three times a day. I got my kids licenses for it for school and
their teachers, I've had one of their teachers email me and go, well, we don't allow that. And I was like, nope, not in the Cunningham household. Like, we cheat to win here. Like, I don't know what to tell you. Because, I don't know about you, and I are basically the same age, I don't know if they did it to you, but when I was in algebra, they were like, you can't use calculators. I was like, what?
Mikey Pruitt (40:09)
This is the... I go back to this every time. They're like, when you're out in the real world, you're not going to have a calculator in your pocket. I'm like, you're wrong. You were just wrong. Can we all just admit that you're wrong?
DrZeroTrust (40:23)
I do. I have a phone. It's with me 24/7. Yeah. So. Right, and I mean, the value of the tools that are there is exponential in nature. So I mean, I'm even back into like coding some stuff up, because I hate coding, but now I can vibe code and it's way more functional and way more useful. But you know, I'm never going to push a vibe coded app into prod.
Mikey Pruitt (40:48)
Ahem.
DrZeroTrust (40:51)
until I have it secured and tested as best as I can. But yeah, these tools are super, super useful. It's like fire, the automobile, the internet, and now this particular tech. And we're seeing a revolution that occurs, but people just have to be smart with it. And I do think that, unfortunately, just at a macroeconomic level, the use of these tools is going to separate the users from the detractors, and that's going to cause a
really large gap in income and earnings and stuff in the future, because you're either going to use it and benefit from it and function like you're 20 people, or you're going to be like, no, I'm not using that ML and AI stuff and whatever else. And then you're not going to be employable.
Mikey Pruitt (41:35)
I love that both of our like, I'm an idiot voices are like kind of hillbilly right now because we're both hillbilly right now.
DrZeroTrust (41:38)
It is kind of hillbilly right next door.
Yeah, that's who I grew up with. So it's, yeah. Yeah. I do remember the people being like, no, I'm not doing that internet stuff. It was like
Mikey Pruitt (41:50)
You, yes, you are eventually, I promise. We had a meeting this past weekend and it's like, you know, what'd you do this weekend? And everybody's like, I don't know, and I was like, I went and did redneck stuff out in God's country. They're like, what's that? I'm like, four wheelers, firearms and fire. It was fun. Yeah, rednecks. Rednecks like the internet too. We like the internet too, y'all.
DrZeroTrust (41:51)
Yeah, you're okay. Good luck.
Yeah.
Yeah, blowing stuff up and yeah, writing extra fun people.
Yeah, exactly.
Mikey Pruitt (42:18)
So AI is a pretty big threat vector. And I think mostly because we don't fully understand its capabilities. It is kind of a user now, going back to your earlier statements. And I've seen, you probably have too, this Cloudbot. It's like an AI system that can basically control a computer like a person. So how do we add, I guess we have to add identity to that. How do we secure environments like that?
Or is it not possible? Or we don't know yet.
DrZeroTrust (42:49)
Well, I mean, there's some companies that are doing stuff the right way without, you know, vendor sort of shenaniganning. Like I do think there's some companies out there that are doing things that are very useful and very helpful here, that are doing like inventory of resources and connection analysis and then figuring out what data goes where. And that's a useful thing. The side of the AI ML problem that I'm not seeing people really deal with is, what if the data or the sources or the
things that you're getting your information from to train your models is flawed or poisoned? Does that throw off your model by X number? And that's not a... not a non-trivial thing. I mean, if you're building, and let's say you're building an AI bot for, I don't know, pharmaceutical medical research or something like that. Well, if somebody goes off and puts a bunch of janky resources on the internet, your bot's gonna pull it, and even if I only manipulate your corpus by
0.01 percent, 0.001 percent, that's enough to cause hallucinations and wrong answers and things like that, and that could potentially hurt or kill people depending on what you're doing with it, you know. So I think there's a dual sided coin, and folks are really focusing on one side, but there is the whole other side of it too. So, you know, securing AI, I think is...
I don't think it's that different from securing what we currently were doing. It's just a matter of doing it at a bigger scope and scale.
Mikey Pruitt (44:25)
Yeah, and we're not quite prepared for that bigger scope and scale because we've been doing things a bit. We thought we were automating, but it turns out we were not automating like massively enough.
DrZeroTrust (44:35)
I mean, you can automate yourself into misery just like you can automate yourself into success, right?
Mikey Pruitt (44:39)
That's true. And we see that with cascading failures on the internet. Like, this mega multi-redundant system. And we push the change, and then it cascaded through the entire globe. And now we've got to roll back, which also takes like six hours while people are hammering the system and the internet's failing everywhere. You're like, there's no undo in automation.
DrZeroTrust (44:55)
Yeah, enough sliving in all the time to try and reload their stuff. Yeah.
Right. Yeah, you can automate failure just like you can automate success. And I mean, it's also kind of weird, too, to me when I see verticals that ignore like tsunami problems. So like if you remember what happened with Marks and Spencer's, you know, they're all in the UK, which is an island, you know, and then you've got Marks and Spencer gets hit really hard and then Jaguar Land Rover gets hit really hard and then X, and you can follow the track and basically draw lines between all these businesses and all these data centers
and put the dates and go, here it came and you didn't pay attention. You know, like if I was Jaguar Land Rover and I saw Marks and Spencer go down, I'm pumping the brakes on everything we're doing and trying to get to the next step because it's coming.
Mikey Pruitt (45:47)
Yeah, it feels like the scene in the first Transformers movie where they're like, cut the hard line. It's like, just disconnect from the internet because we're next. So AI, slash what's really ML, is a threat vector. And then there's also ransomware still, you know, maybe less talked about now because AI is taking over the globe. But ransomware, and you mentioned this earlier about
DrZeroTrust (45:51)
Yeah, right. Yeah, with the axe. Yeah, right. No.
Mikey Pruitt (46:11)
like ThreatLocker's example, where they're going after the small to medium businesses. It seems like they are getting hit by ransomware more often because they're softer targets, whereas enterprises have been more hardened. And you can get a million, you can ransomware a million people and get the same amount of money you can if you ransomware one big one.
DrZeroTrust (46:34)
Yeah, I mean, it's not, it's, it's the slow gazelle problem. You know, if all the enterprises have done to a degree what they've gotten, they've got the multi-million dollar, billion dollar infrastructure. If I'm a bad guy in Latvia, why would I go after Chase Bank when that's kind of dumb? I want to go after, you know, the subsidiary that sells, you know, toilet cleaners to their offices and then work my way through that. And like you said,
And I mean this is, you know, literally one of the business strategies I work with people on is a pile of sticks is a bonfire. So if I get one enterprise, great. It might take me forever and I might never succeed. But if I get a thousand small businesses at a thousand dollars, you know, I made a pretty good chunk of change and it was probably a lot less time and a lot less stress and a lot less risk. So, you know, figure that one out.
Mikey Pruitt (47:24)
Yeah, so the bad guys are also good at strategizing. I mean, they're running a business.
DrZeroTrust (47:28)
I mean, they're a business.
Yeah, they're multi. And I mean, now that I've, and this is public knowledge too, like I've been reading about the drug cartels getting in on cyber because they realized it's more beneficial, more money, less risk, and, right, no logistics. Like, I don't know, you mean to throw bales of coke over a fence and, you know, no gallus. Great, I can just like send somebody malware and they'll get hacked and they'll pay me because they want their machine. Sure.
Mikey Pruitt (47:41)
Yeah, less kinetic.
Who is better at getting things shipped across the globe, the logistics guy for the cartel or Tim Cook from Apple?
DrZeroTrust (48:02)
Yeah, well, the logistics guy will get it there on time and under price, you know, so it's...
Mikey Pruitt (48:09)
So you mentioned the word reading there, and I wanted to talk about your books. One in particular, the How Not to Lead book. And you've written some really cool books. There's a comic, basically. And then there's a couple of fiction stories, which I didn't get to read all of them, but I saw some excerpts. They were pretty cool. But in the How Not to Lead book, you're talking about dumpster chickens and mushroom farmers. So what is that?
DrZeroTrust (48:20)
Yeah, into the comments.
Yeah.
Yeah. So, dumpster chickens basically are seagulls, and we kind of called them that in the military because they would always be at the end of the pier. And you always joke like, if I ran out of stuff to eat, I could eat one of those dumpster chickens. But from a leadership perspective, if you've ever been around people that will fly in, squawk a lot, shit all over everything and fly away, that's a dumpster chicken, right? You're like, you flew in here to tell me that there's a problem. You crapped all over my solution and then you left. Like, what?
What good is that? I need an actual fix or I need something that will work to get us to the next thing. So don't be a dumpster chicken is kind of that side of it. And then the mushroom farmer, you keep your people in the dark and you shovel shit on them. I mean, and that's pretty much how you grow mushrooms, right? But it's a problem because no one likes to be in the dark. And interestingly enough, when I was writing the research for the book, I learned mushrooms have a substrate and they actually communicate, which we would call gossip. So if you don't,
DrZeroTrust (49:33)
shine the light on things and actually be honest with people and tell them what's up, they will start to use their substrate, even if they're covered in shit, and have communications with each other about what's going on, and that will be detrimental to your organization. So don't be a mushroom farmer.
Mikey Pruitt (49:49)
The first neural network, mushrooms. So you're really spreading, democratizing I guess would be a good word, zero trust. You're kind of on this mission and I think you're successful. So congratulations for that. And thank you from the community to you. Thank you so much.
DrZeroTrust (49:51)
I mean, it's mushrooms, right?
Well, thanks.
I'm trying to do what little I can, so yeah, I appreciate it.
Mikey Pruitt (50:14)
So I have some rapid fire questions to wrap up. Here we go. What's the most overrated security technology?
DrZeroTrust (50:17)
Alright.
Endpoint security or phishing training. Phishing training. Okay, phishing training wins.
Mikey Pruitt (50:23)
Hold on a minute, endpoint security or... and phishing training, phishing training with a slight edge. Why endpoint security on the list of overrated?
DrZeroTrust (50:40)
So, I mean, if you really look at what the endpoints are, most of them, most of your organizations could run with a Chromebook and there's no operating system on a Chromebook. So, if you want to stop people from getting infected, take away the infection vector. I'll let you drop malware on my Chromebook. There's no OS. Go nuts. It's not going to do anything. But there's this big billion-dollar industry, multi-billion dollar, hundreds of millions of dollars, around taking care of endpoints.
Mikey Pruitt (50:49)
Hmm.
DrZeroTrust (51:06)
Just look at your use of that stuff, figure out what people really need, and then give them that and take the rest of it away. And then someone will say, well, what if we don't have internet? When do you not have internet? Come on. Yeah, I was going to say, you're like in downtown Kursk or something, sure. But other than that, you got internet.
Mikey Pruitt (51:16)
In a war zone or something. That's about it.
All right, what is underrated that managed service providers and small business owners and operators should be paying more attention to? This is great. So ethereal endpoints, I'm assuming you mean treating them more like cattle than pets.
DrZeroTrust (51:39)
Micro segmentation and ethereal sort of endpoints, I think, is going to be the next real trend in the space.
So I think we're starting to see where a lot of these, call them single use case, sorts of machines are becoming a thing. And if you can imagine not having an operating system on an endpoint, like a Chromebook, but have it be across enterprise. And whenever that machine goes to sleep and wakes back up, it just comes back with a fresh clean disk. That's coming. And that's going to be very interesting because...
Mikey Pruitt (52:21)
This is like Hoonix or like one of those Linux distros that's just like ephemeral. Wait, what was the other one you mentioned? And what was the other one you mentioned that was underrated? OK, what is that?
DrZeroTrust (52:25)
Yeah, non-persistent.
Ethereal.
Micro segmentation.
I mean, that's where you're trying to get past VLANs and you're really getting down to segmenting the asset itself. And a segmentation, if you could imagine, could be segmenting a user with good passwords and good access controls. It could be segmenting a resource with the right ports locked down. So micro segmentation.
Mikey Pruitt (52:57)
So let's talk about IPv6 for a second. Is there a future world where every endpoint has an IPv6 address, and that is their segment, essentially?
DrZeroTrust (53:08)
Could be.
I mean, I think as we get more use of APIs, more use of those types of addresses within internet routing infrastructure, we can get to a place where your policy engines will be able to do that stuff at that level. But I mean, I remember people telling me IPv4 was going to run out of addresses 10 years ago.
Mikey Pruitt (53:28)
Well, I mean, it kind of did. We have like, nodding and... I want everything to be internet addressable. No, I don't. Just kidding. Don't do that. All right. Worst piece of security advice that you've commonly given or received.
DrZeroTrust (53:29)
It did, but it didn't. Yeah. It did, but it didn't.
Oh gosh. Remember, or change your password every 90 days is probably the one, that's like, because no one wants to do it. And it never is good. And I think that that's just lazy, especially in the world that we live in today. So use something that is going to manage that for you, not, hey user, go change your password. You got locked out of your system. I got a job to do. I don't have time to take care of that password crap.
Mikey Pruitt (54:12)
All right, last rapid fire question. Your cyber thriller books are awesome. I'm going to go get them for sure. I've read the excerpts and I'm like, got to read this whole thing now. But what is scarier, the fiction that you write or the reality that you see?
DrZeroTrust (54:27)
The reality that we live in scares the hell out of me, honestly. And I don't mean that in a fear, uncertainty and doubt way. I just mean like the broad macro side of things. There's so much going on globally between macroeconomics and political stuff and cyber, and we're just in a very dynamic time. So yeah, reality's scary enough.
Mikey Pruitt (54:51)
Now I'm scared. Thanks. Well, Dr. Zero Trust, Chase Cunningham, I appreciate you joining me today. That was a blast. I'll have to keep up with you on the Internet. But for others that want to follow you, where can they find you on the interwebs?
DrZeroTrust (54:56)
HMMMM
Yeah, so I've got a website, it's drzerotrust.com, links to all my social stuff. I've also got a Patreon site where we donate 100% of any money that comes in during the year to a veterans charity. So if you want, it's three bucks, you spend more than that on Starbucks. But we do give 100% of that money to a veterans charity. And then I'm on LinkedIn. So if I can help somebody, you know, reach out to me, and if I can't help you, I'll try and find someone that can.
Mikey Pruitt (55:30)
Awesome. Well, thank you so much.
Welcome everybody to another episode of DNS unfiltered today. The doctor's in Dr. Zero Trust. Chase Cunningham. How are you?
DrZeroTrust (00:12)
Hey man, thanks for having me. I appreciate you inviting me over.
Mikey Pruitt (00:16)
Well, hey, I'm happy to and I was just telling you this chase when I was doing a little bit deeper research I kind of became the doctor zero trust fanboy So, please excuse my exuberance while we're doing this interview, but I've got some questions laid out but first like Just tell me about yourself your background a little bit and like what you're working on
DrZeroTrust (00:37)
Yeah, so I'm a retired Navy chief cryptologist. I was at NSA after that for a little while and then I was at Forrester Research following there. I was a consultant at a few companies since then. I've managed to write going on 14 books now. Got six or seven patents and then most importantly I've got four kids going out in the world that are relatively useful. So I'm doing okay, I think.
Mikey Pruitt (01:03)
That that is the real win. It's like I'm a good person. It's like that the ending scene of Saving Private Ryan where the old old version of him looks at his own. Yeah. Tell me I'm a good person. I like like one of two movies that makes me cry. My wife's like, hey, you know, this is a really sad moment. Should I turn Private Ryan on so that you can shed a tear?
DrZeroTrust (01:06)
Yeah.
Yeah, be a good person, right? Tell me I'm a good person.
That's a great one. Yeah.
Yeah, that's one of my favorite flicks of all time.
Mikey Pruitt (01:32)
So we're apparently we're robots. But anyway, you went from like a Navy mechanic, I believe. And now you're this. Yeah. But then you kind of got into cryptography and ended up as some three letter agencies. Like, how did that transition from mechanic, which is not digitally technical, but very technical? How did that transition happen?
DrZeroTrust (01:39)
Yeah, was a diesel engineer, you know. ⁓
Yeah, so when I joined the Navy at 17 and I would grow up on this little bitty nowhere ranch out in the middle of Texas and I was one of the few kids when high school that kind of was interested in computers, but I didn't really do much. We were a dirt poor farming community, but we had a few computers. So I helped kind of put the lab together and do some of those things. And this is way back before we had even like documentation. So it was a
learning events and then fast forward right I joined the Navy I go off and I wanted to be a mechanic because I like working on cars and fixing things ⁓ but what I found out really quickly was in the military unless something is really broken at sea typically contractors fixed it so I didn't do a lot of the work I was hoping to do ⁓ to be short it sucked and I really didn't want to be there anymore because I wasn't fixing anything ⁓
Anyway, we had one piece of gear that we had gotten. I think it was from like Lockheed Martin or Raytheon or one of the Beltway bandits. But this piece of gear was the newfangled computer controlled piece of gear that was supposed to control how our evaporator made water. And it never worked right. Like they came in and installed it and it was kind like the mechanic thing where the first day it worked great. And then as soon as the contractors left, it was just an absolute piece of crap. Like nothing ever worked right. ⁓
But I knew enough about computers that I had seen the guys from the contractor configuring the settings with the laptop. ⁓ Now go forward from there. That laptop was given to our chief engineer. So it's a big no-no to go into an officer's stateroom and take something out of their stateroom, which I did. Yeah, I did it at like two o'clock in the morning when I was on watch because I was sick of trying to recalibrate this piece of gear. ⁓ And anyway, I brought it down to the engine room and I'm down there.
Mikey Pruitt (03:30)
Especially a laptop. I'm
DrZeroTrust (03:40)
you know, messing with this thing and changing settings, whatever, and everything lights up green. I was like, great, like I fix this thing. I'm going to sneak it back upstairs. No one's going to be the wiser. And just so happened by dumb luck, the guy who was the at the time, the cryptologic officer, which now they call him the C. Well, the cyber warfare officer was walking around the ship at two thirty in the morning because he was just unable to sleep. And like I'm doing this like poking away on this thing. And I look over to my right and I see this head come around the corner.
Mikey Pruitt (04:10)
you
DrZeroTrust (04:10)
And he just looks
at me and raises an eyebrow. Yeah. And I was like, I was like, ⁓ shit. ⁓ I'm in deep trouble, right? Cause he didn't say anything. He just looked at me and saw, and then he walked off. ⁓ crap. I actually, ⁓ the next day I even called my mom from the ship sat phone and said like, mom, I'm probably in big trouble, just so you know. And anyway, he comes back after a couple of days, let me sweat it out. And he goes, he just says, look, I looked at your personnel record.
Mikey Pruitt (04:16)
you
DrZeroTrust (04:37)
Your time's coming up. You're going to separate. He said, do you like doing the engine thing? And I was like, sir, I like working on engines, but I'm not doing that. And I don't want to do this anymore. He goes, well, have you ever heard of cryptography? And I was like, I have no clue what that is. But he said, well, we work in the spaces upstairs where there's no doors and no windows and no one knows what we do. He said, does that sound interesting? I was like, sure.
Mikey Pruitt (05:01)
Yeah.
DrZeroTrust (05:02)
And fast forward from that, like I filled out all the paperwork, I waited my time on the ship to get my security clearance, and then what we in the Navy call cross-rated, and I went to Pensacola, Florida and went through code school. And then from there, I just got lucky and kind of fell into a career.
Mikey Pruitt (05:19)
OK, so many things unpacked there. It's funny, I have like a list of questions, and I think I'm just going to ignore all of them. So I'm assuming the CWO came by. Perhaps he saw those green lights and was like, he fixed it. Interesting. And then he looked.
DrZeroTrust (05:26)
It's all good.
I think he was probably
like what is an engine doing with a laptop more than anything like they typically figure we're down there chewing on nuts and bolts, you know.
Mikey Pruitt (05:37)
But he let you either fail or succeed. And then he did a little background check. He's like, who is this guy? He's farmer from Texas, our kind of people.
DrZeroTrust (05:48)
Yeah, he
went in, from what I understand from my senior chief. He went to my senior chief and asked, you know, does that Cunningham kid know anything about computers? And my senior chief had seen me in the engineering log room doing stuff, not like things like technically on the computer, but I could type really fast on the computer. Actually, senior chief had me do his logs. So he was like, yeah, he knows how to use a computer. And that was kind of further validation, I guess.
Mikey Pruitt (06:17)
Yeah, that was probably an anomaly back then anyway. I'm not sure how, I'm not trying to guess your age or anything, but. Oh yeah, we're like the same age. What am I? Yeah, I'm 46 now. Oh man. Anyway, let's get back to it. So you go to code school. Like first of all, that's a killer word. I didn't know it was called that. So you go to, go ahead.
DrZeroTrust (06:20)
Oh yeah. Now I'm 46.
Yeah. Well, yeah, I mean,
it's kind of interesting because it's one of the only spots other than linguistics where, or special forces, where you'll have every service that goes to the same school. So Air Force, Army, Navy, Marine Corps. At the time there was no Space Force, but now there is. So we all went to Pensacola and it's this little, little hole in the wall base up the street from the nice base where the air debt people go.
Corry Station is what it's called. You can look it up on the internet. No, that's classified. But yeah, it's a kind of grody little spot that is a hole in the wall that they only send a very select group of people to that have been through all the clearance crap, and then you go there for your first school, which I think mine was like six months of nothing but math and code stuff.
Mikey Pruitt (07:33)
So when did the, I guess, like a switch flip when you were a little bit more invested, let's say, into the cybersecurity space? And then what happened to make you a little bit more outspoken, which I guess you could say you are now?
DrZeroTrust (07:50)
I mean, the majority of the stuff I wish I could tell you I can't because it's stuff I did in classified spaces. But I would
just say that I was lucky enough to be involved in some operational things where we kind of saw the power of cyber at the time. And it was very useful for what we were doing in the war on terror. So that's kind of where I can leave it. But it was eye opening for me to see like, well, wait a minute. These guys were trying to, you know,
do collection on a target for whatever through traditional means. And we did our cyber stuff in like a couple hours and we were good. Um, and that was one of those kind of wake up calls for me. And then, you know, I think, um, going on from there, uh, I've said it many, many times, like I've just been super blessed to be engaged with the right people at the right time. I wish I could say I was smart enough to figure it out. It's all just kind of happened by, you know, kind of circumstances and,
wound up, you know, following on to the next thing. As far as being outspoken, I just have gotten kind of like a stone in my craw with the way that the market does what it does and the vendors that kind of screw things over. And there's so much stuff that is sold to people that doesn't work. And I do lots and lots of pro bono work with small businesses and whatever that need help. And it just, it's just wrong and it's disingenuous and it's not helping. And
I figure if I have, if I have any influence on three people, then great. If that changes things. So, and luckily we live in a world where you can have as loud a voice as you want. You just have to be willing to deal with the, you know, internet. Yeah. Internet and people saying things and cease and desist orders and stuff like that. But yeah.
Mikey Pruitt (09:32)
Cameras.
Yeah, we've gotten our fair share of ceases and desists here at DNSFilter. So that actually kind of leads into my next line of thinking. It seems like you're kind of on this mission to separate vendor marketing from like actual technical capabilities of a product. But put yourself in the mindset of, I talk a lot with managed service providers and there's like SMB IT teams and even mid-market enterprise IT teams and they're
trying to determine if this product does what it says it does, or if it's just kind of vaporware or boasting a little bit too heavily. How do you separate that and educate people on how to spot what's working and what's just bloat?
DrZeroTrust (10:25)
I think that that's the... So the difference for me in thinking, right, is like it's not about the product or the technology. We have unequivocally solved the problem of cybersecurity. Like we have the solutions to solve the problem. Does it mean you'll never have a compromise? Absolutely not. Does it mean that you can stay in the fight and you can be survivable and you can continue to do what you need to do for the purposes of whatever? Yes.
And that's something I think people get wrapped up around as they try and go, okay, well, what's perfect look like? There is no perfect. There is only survivable and there is, you know, remediation. I think we're moving to a space where that's becoming more of the standard for people to adopt, which is good. Then the follow on to that is really, cause I do workshops with folks all over the world, is really like, look, what is your strategic initiative? And it doesn't have to be called zero trust or whatever, but something, whatever that
strategic initiative is. Okay, let's start with that and then let's work our way backwards. And I typically try and get people to understand, this is not about a defensive mindset. It's about an offensive mindset, and you need to align your strategy to beating the bad guys, the adversaries, where they operate. Everything else is just lipstick on a pig, and if you don't think any other way, you're wrong. Like that's, you know, that's the proof. And of course, you know, people can make their own decisions, but
the data tells me that there's a right way and a wrong way to do things.
Mikey Pruitt (11:54)
So you've said that there is no zero trust product and I wholeheartedly agree with that. That zero trust is more of a philosophy or like a framework of sorts. Like take, let's just take DNSFilter as an example. How do we...
use the language zero trust without violating the trust of the market.
DrZeroTrust (12:17)
Well, I mean, it's really clear, I think, if people from the vendor side would look at, well, where's, I mean, they pay a lot of money to Forrester and Gartner and all these other analyst firms. The analysts are super smart. They tell you what you should do, and then people go off and do the opposite anyway. Because like I said, I was at Forrester. I know how that game is played. But I mean, the reality of it is vendors would look at their research, look at their data, and their customers that are telling them this is the problem they're trying to solve, and then align to how you enable that thing.
That's the difference between that and then all the folks that go. It also is very disingenuous when you see vendors that are like, oh, the market is broken. The technology space is fundamentally flawed unless you buy us, right? Then all the things are fixed. And it just, you know, it's not helpful. Like DNS filtering, DNS is super critical to anything that goes on the internet, right? It's the backbone of how things are routed where they're supposed to go. It's very simple to sort of align on what.
what somebody would get from using your product to solve a particular strategic problem. And that's what you go for. And I think too that it's more helpful for vendors if they would hitch their wagon to a particular initiative instead of trying to like gently touch all of them possibly because it could lead to market share. That's not actually showing that you're committed to the value proposition of the solution. I'm a little bit of sassy, but I'm also ZT. And then I'm also ZT, but I'm also
NIST 800 blah blah blah. Like it's just, you know, pick your thing and align to it and then drive the rest of it along those. Because you can't be everything to everybody.
Mikey Pruitt (13:56)
So transparency and honest marketing. It's like basically being a human or a good human, I should say.
DrZeroTrust (13:59)
I mean, it's a shocker, right? Crazy,
crazy idea. I know it's like way beyond the pale. It's like you said earlier, like it's funny. It's funny, but sad to me that I have people that I'll be, you know, traveling or something else. They've read something or seen a podcast or whatever and they'll see me and they'll say, man, I'm so glad somebody's saying what they think. I'm like, that's sad that you think that that's good. I mean, why would I?
Why would you not? Like what's the worst somebody's gonna do? Tell you you're wrong or that you're stupid or they don't like your face? Like I don't care, that's not my problem.
Mikey Pruitt (14:37)
You're like, I've been, that's been happening my whole life.
DrZeroTrust (14:40)
I genuinely don't care. Say what you want to say. It's a big internet. Like, feel free to go somewhere else.
Mikey Pruitt (14:47)
So I've seen your three J's framework. There's like a justify, a just in time, and a just once. Can you kind of describe those for me?
DrZeroTrust (14:59)
Yes, that's just a real simplistic sort of framework for looking at how authentication and authorization should occur. If you really think about what needs to happen for minimization of risk in that particular context, right? Just in time. OK, I need to get access to this thing. Do you need it for 30 days? Probably not. Humans sleep. Do you need it for eight hours of your work day? OK, great. Do you need it for the next 40 minutes? Even better. Let's just-in-time that. And then, you know, the next couple of J's are pretty simple of
just keeping that as minimal as possible and making sure that you have control over that. The twist on that whole thing is you can't do it without a policy engine. Ricky the intern in a spreadsheet is not going to work. You've got to have a policy engine, you've got to have automation, and you've got to be able to do this stuff at scale, especially nowadays when we're creating, call it digital users, every minute of the day because people are building their own agents for God knows what. So it's a very important
DrZeroTrust (15:59)
problem to solve, but it's also one that's very solvable. Like the technology to do that, it's all over the place. There's no excuse for it not to be in place, honestly.
Mikey Pruitt (16:09)
So identity is really at the core of cybersecurity. Is that your opinion?
DrZeroTrust (16:17)
I mean, I think that it's funny because if you really think about the mechanism of what makes cybersecurity functional, right? We have to have users on machines. We have to have people or agents doing things, whatever else. So I think that identity is one of the core mechanisms around which all of the many moving parts of the cybersecurity engine revolve. But you can also transpose that with
different pieces of infrastructure depending on the problem you're trying to solve. I do think that it's problematic for most organizations to go, let's deal with the data problem first, because data is so ethereal nowadays and it's so different between organizations, and what used to be data, right, like a record in a database that was valuable, isn't necessarily what we put value on today.
I think more what folks should focus on is like, I call it the center of gravity of their organization. Wherever the most important things take place that keep your business operational, functional, useful, that's where you focus. If you try and track down your quote data to begin with, you'll be tracking that forever and you may never even solve the problem.
Mikey Pruitt (17:26)
Okay, that's interesting. But first I want to go back to what you said a moment ago about that we've solved cybersecurity. Is that having identity around the elements, the most important elements? Is that the solution of cybersecurity? Like, tell me about that.
DrZeroTrust (17:53)
I mean, that's a valid solution. Is it the ultimate end all be all? No. Does it mean you're bulletproof? No. Does it mean you're bullet resistant? Probably. But I mean, I'm also like putting together a podcast today that I'm recording on my own show that's basically like, look, here's how much people still suck at passwords in 2025. You know, and it's, it's one of these things of folks will say, well, I don't know how we solve this problem. I can tell you, like, there's a reason that
there's entire sectors of our market that are dedicated to research like Mandiant and Trends and Forrester and Gartner and the Verizon DBIR and whatever. And they tell you the same thing every year for a decade plus is the majority of the problem. And people still go, well, gosh, I wonder how I solve this. If users suck at passwords, you use a password manager and you mandate the MFA. Problem's relatively solved. It's not rocket science.
Mikey Pruitt (18:50)
Why is that so hard? Like everyone in the audience, think of your average family member or friend and their password hygiene. Like everyone listening to this, you and I are probably on the nerdy side of things. like I have like, you know, if I can put 150 characters in a password field, I will do it. Like, cause who cares? Cause I don't have to remember it. And I have the security around accessing that password. But why is it so hard for people to...
do those like three extra steps. Like what is the human hangup?
DrZeroTrust (19:22)
I mean, that's why it's always kind of comical to me when I have, call it conversations, which really are arguments, with folks online about like phishing training and the human side of security or whatever else. I always go, have you ever met a user? Like users suck. People in general are not super awesome. So why would you continue to try and combat human nature and not use a technical control?
And we have the technology to make, like my position is I think that security should be part of the experience of the internet. It shouldn't be this kludgey bolt-on thing that you do all day, every day. And the reason that people don't do it is because it's the same reason that gym memberships are crazy from January 1 to February 15th, because it looks like a good idea. And then people realize it takes a lot of work and it sucks and it's uncomfortable and they quit because people are lazy and people don't like change. So
DrZeroTrust (20:17)
I wish that there was some more altruistic thing or some super insightful whatever, but truth is people are people and no one wants to do this stuff. Just like I don't want to do taxes,
but I have to, because if I don't I go to jail, right? I mean, it's just the people are not good at doing things that they don't want to do. But these are simple controls. These are like buckling your seatbelt.
Mikey Pruitt (20:45)
I have a friend group chat with friends I grew up with, and we all have kids, and one of them, his two sons are like getting to their mid teens and starting to ask questions about touchy subjects, and he doesn't want them to go on the internet and find out like something crazy.
And I was like, hey, DNS filtering is a really good idea. And I gave him some options and I'm like, he's like, yeah, but I talked to him. And I'm like, well, that's great, but you should also put in some technical controls because they're just fallible humans. Like they're not going to obey every time. So if you put some technical controls in place, that will help. And that's the same thing in business.
DrZeroTrust (21:12)
Yeah, there you go.
Yeah.
I mean, it's, it's people deny. It's just weird to me. Like people will fight the reality of how human beings have operated since the dawn of time. And then they wonder why it doesn't work. It's like, cause that's just not smart. Like it's not, it's not crazy to think that, hey, if you put a kitty picture in front of people, they'll probably click it. Cause people like pictures of kittens. I mean, I, when I used to red team folks, like I would
send pictures of puppies and kittens and I got clicks all day every day. It's not hard.
Mikey Pruitt (22:06)
So you had a, like, I guess an extension of the ZTA, was it ZTA? I guess whatever, Zero Trust Extension Framework. And you developed that and it's being used, I guess, and was incorporated into NIST and CISA guidance. But how has your thinking evolved since that
DrZeroTrust (22:15)
Yeah.
Mikey Pruitt (22:24)
extension that you created.
DrZeroTrust (22:26)
I mean, I think the cool thing was that it's a broad framework, so it's something that's adaptable and people can use it in general terms, which is why it's being used by others, which honestly, I think that's what a framework is supposed to do. The thing that I kind of would love to redo, even though I'm no longer at Forrester, or maybe Forrester hears us, wink wink, like you guys might redo this or whatever, but like some of the pillars of that
have evolved since then. Like one of them we had at the time was users. Now users is great, but what is a user today is way different than what it was when I put that framework together in 2018 or 2017 or whatever, 2016, whatever it was. So like those things need to change, I think, because people will still ask the question, well, okay, what do you mean by users? And to their point, I a thousand percent agree. You know, is a user an AI agent now? Is it a person? Is it a non-human machine? Is it a
Mikey Pruitt (22:58)
Hmm.
DrZeroTrust (23:21)
You know, a web thing that logs into something? Is that an MRI machine that has access to something? So those things should be clarified a bit, maybe expanded upon, but I think, you know, I think in general the framework survives because it is malleable and it's broad enough that people can look at and go, okay, well, I can define users in my context, I can define devices in my context. And that's what I encourage folks to do is like
DrZeroTrust (23:50)
Make it your own. No one is... as far as I know, there is no governing body in cyber saying thou shall only do this.
Mikey Pruitt (23:57)
Well, there are, there's not governing bodies, but there are entities that put out frameworks. And I am curious, what do you think the best path forward is as an industry to keep those frameworks malleable, I guess, updated, and keep people from looking at them like a checklist?
DrZeroTrust (24:19)
Well, we're never going to get to have people not look at them like a checklist because we have people that that's how they operate in this space, right? Is you know, they're they're very formulaic, which is fine, but it's it's going to be problematic to keep running along with that approach. I think what we need to remind people of is that these are reference architectures like the word references in there for a reason. It's not, you know, chiseled in stone architecture, so refer to it, use it.
make your own decisions, do your own things with it, go forward from there. And then pushing some of these governing bodies to kind of set something and have it be there for a bit. We seem to change this stuff up way too much because we're constantly chasing. So like I'm a fan of 800-207. I think it's really well aligned for ZT and I think it's a very prescriptive approach. Just, okay folks, let's just NIST. Let's just say like that is our zero trust
reference architecture done. We don't need anything else right now. Just pick it and let's roll with it for a bit. But that, you know, that's kind of the nature of the market to be honest.
Mikey Pruitt (25:27)
Yeah, agreed. But yeah, when you're adhering to these frameworks, keep in mind that they were written at a point in time and things change, evolve. Speaking of a Russian gang breaking into your network, you had mentioned red teaming a moment ago.
DrZeroTrust (25:36)
Yeah, they're snapshots. I mean, that's what compliance is. Compliance is a snapshot. And there's never been a Russian ransomware gang that broke into a network and went, no, they have PCI.
Mikey Pruitt (25:55)
which is just, you know, attacking your own infrastructure to find vulnerabilities before the bad guys. So how do people, how would people start down a path like that?
DrZeroTrust (26:06)
I'd encourage them to not start down the path like that themselves. What they should do is reach out to
folks that know what they're doing and bring them along as service providers. There are some automated solutions now that can help with that. If you go look up like automated red team or pen testing, those things are out there. And the reason I say that you should not do this yourself is if you're not really good at it and you don't know what you're doing, the odds of you bricking something important or pissing a lot of people off or
potentially causing yourself more misery than you want is very, very high. So yeah, unless you're a red teamer, don't do it yourself. Maybe consider some automated options that will help you get results and things like that, or outsource something in it. Now the reason you should do that, and the reason I think you should do that first before you try and do anything else, is what logical person would say, I'm gonna come up with a plan to defend myself if I don't know where I'm actually weak?
Mikey Pruitt (27:03)
Yeah. Yeah, you don't know what you don't know.
DrZeroTrust (27:03)
You know what I mean? It's like, if you're not prepared for, call it the fight, you're not actually prepared for the fight. And no, and adversaries
don't play by rules. We do. They don't, you know, they don't go, no, I can't, I can't go after an IP address that's not in the subnet. I can tell you, cause I've been a red teamer. When I'm scanning and I see an IP address that showed up that it wasn't supposed to be there, it's like, hmm, interesting. Why is that?
Mikey Pruitt (27:33)
So Red, so when you're hiring someone, you're looking for this, you know, entity to come in, or should you be prescriptive and like, I want to test this or should you just say, you know, hurt me, try to hurt me in a safe manner.
DrZeroTrust (27:49)
I mean...
My thing is like, we're going to have him do it, like let him go, just, you know, call it wild, because that's what is going to happen on the adversary side. I want him, I want him to attack people up there on their home networks. I want him to try USB drops. I want rubber duckies. I want wireless stuff. I want printers gone after. I want DDoS. Like all those things that are potentially problematic, like let's do those and see how we respond. And one thing that you,
you know, my takeaway too is like you don't actually have to do the technical red team or hacky things. Get the people around that lead and bring them into a room and give them whiteboard sessions and tabletops and go, okay, here's our scenario, and run through it. You know, as of 3:00 this morning, we experienced a ransomware event on these systems and we are no longer able to use email. What do we do? And then just see what happens.
And if you can't work your way through those kind of broad tabletop exercises, you don't have a hope in hell of surviving an actual red team.
Mikey Pruitt (29:01)
Yeah, makes sense. So I want to get back
to something I heard you say about this sassy, which, gosh, I can't. You're like, I know what he's going to say. That is basically what you said. I think it was at Zero Trust World last year. You were like, sassy is the dumbest stuff I've ever heard.
DrZeroTrust (29:11)
I hate that term so much. There's so many reasons I hate it.
Mikey Pruitt (29:22)
Which is hilarious. But why is that?
DrZeroTrust (29:23)
Yeah.
Well, number one, it's the analyst firm trying to jump on to a market trend and then go, hey, we came up with that, when it was like already there. That was already kind of the thing, right? ZTNA was really taking over and that was where Gartner was like, well, shit, we're going to lose market share to this. So let's come up with our own term. We'll call it SASE and it's secure access service edge. And then we can bill people for that stuff because we coined the term, right?
Not that it was anything different, or there was anything new, or there was anything earth shattering. It was just, how do we keep our own claws into this thing? And then I'm also just sitting there thinking from the perspective of, you know, when someone says, what is your strategic initiative for something, you go, we're sassy. Like what? Like that, that's Honey Boo Boo. Yeah, we're sassy, child. Yeah, like, no, I mean, secure access service edge. Okay, sure.
Mikey Pruitt (30:12)
Yeah, you're like, like this? Finger wagging sassy.
DrZeroTrust (30:21)
That's also zero trust network access, or nowadays universal zero trust network access, which is the new sort of thing. So, you know, I don't think it provided any value to the community at large. I think it honestly just skewed a bunch of stuff because, problematically, as soon as Gartner published that, a bunch of vendors were like, well, we got to say we do that too. So now you wind up with this ZT sassy transmogrification amalgamation of BS and people are sitting around going like,
well, what's the difference between sassy and zero trust? And I have to go back and go, God, here we are. Okay, let me break this down for you. So I just don't think it was helpful at all. And also, I don't run into it. I did 200,000 miles internationally last year doing zero trust workshops. Never once did I run into a CISO or a leader that was like, we're engaging in a sassy strategy.
Mikey Pruitt (31:16)
So I think we'd be better off as an industry if any acronym that comes out doesn't have to include a pronounced like.
DrZeroTrust (31:24)
Or
yeah, like let's try this with our kids and if they laugh at us, it's kind of stupid, you know. Right, I'm sassy, like that's dumb. That sounds really dumb. Yeah. Yeah, you're, you be sassy.
Mikey Pruitt (31:30)
That's a good test too. They're like, great, great dad. So this is this
section of this line of questioning is like the industry critique section. Uh, don't hold back. Cause I've seen some of your statements, uh, specifically about, and we touched on this earlier, about like, um, cybersecurity is really like, unfortunately there's a lot of, uh, VC backing, like pushing
using terms like SASE, ZTNA, and kind of muddying the waters to actually help people. And it sounds like that's your opinion, but could you elaborate?
DrZeroTrust (32:11)
Well, I mean, it's good that we have a market and it's good that there's so much going on here. But if you look at the trends, right, typically a market should follow some line of success. And what we have in cyber is the problem space keeps getting worse and we keep failing to prove that what's being invested in is actually returning on that investment. But we're still dumping money into it. And why are we doing that? Because it's an infinite problem that people, it's
it's big pharma for tech is basically where we're at. Like why would I cure the disease when I can treat the symptoms and keep the patient alive longer so that I can keep, you know, making money off of them. And that's what I think the disingenuousness of the market is really trying to push people towards is, oh shit, new problem. Follow that thing. Well, wait a minute. That thing is invoked by PowerShell. Why don't we just stop PowerShell? No, no, no, you can't do that because that would,
no, that's not our super AI magic kernel level blog. Well, hang on. Users suck at passwords. Why would I not just use a password manager type deal? And then you've got the VCs, the vulture capitalists, not the venture capitalists. And that's what they're doing is they're just sitting out there going, cool, where can we make money off of this? And are they going to return a nice hit on that? And then we throw a bunch of money. And I mean, if you read the research on VCs, they typically are
doing good if they get one out of every like 20 to 30 investments to return money to offset all the other losses. So they play where there's the most potential, which is cyber for the foreseeable future. AI is kind of quickly sucking that up, but that's where they're at. And no VC person that I know of, and I've talked to lots of them, has ever said, I want to help people be better in cyber security. I want to help the general population be more secure. I think it's a fundamental human right. People should operate securely online.
That's not what they say. They say, I want rule of 40. I want 15 to 1 return on my investment and I want to throw in as much money as I possibly can as fast as I can so that I know if this is going to take off. That's the money game. I literally was laughing at myself like, shit, I'm a Patagonia. My one Patagonia shirt I'm wearing. I don't have any money so I can't be a VC guy.
Mikey Pruitt (34:21)
You are, you totally are. You vulture, vulture.
Let me take a break real quick and let this cat out of here. She's getting crazy. She's like, it's cold outside.
DrZeroTrust (34:33)
Yeah, no problem.
Mikey Pruitt (34:46)
That's funny. I told her I was like, listen, cat, we got we're on camera all morning. Don't be making them. They probably heard the word cat and they're like.
DrZeroTrust (34:51)
Well, there's my dogs barking right now.
It's, they're going to go outside probably is what it is in the snow.
Mikey Pruitt (35:02)
So we were talking about the dirty Bertel Bert, a vulture capitalist. You're wearing a Patagonia sweater. Is it a vest? Is it a vest? Let's see the sleeves. Okay. Okay. You're safe. You're safe. So I've heard you say the, the phrase, a self-licking ice cream cone of misery. I just love that. We're like also chronically online that we can pull quotes from like all over the place. So like,
DrZeroTrust (35:10)
Yeah, it's a sweater. No, it's a sweater, but at least it's not the down vest thing. Yeah.
Yeah.
Mikey Pruitt (35:32)
Just tell me what that is. What is that? The self-licking ice cream cone.
DrZeroTrust (35:35)
Well, I mean, it's anything that you,
it's anything that you, and this is a term I learned in the military. I want to say it was from a Master Chief or something, but like the whole thing is just like, if you continue to engage in failed practices and you're doing it for no other purpose than kind of theatrics or to say that you did the thing, you're just making yourself miserable for no real reason. And I think in our market, we do that a lot. You know, I'm working on a paper about this, but I correlate a lot of what we do in
digital space, digital health, I guess you could call it too, like physical health. And people don't want to hear that the basics make the biggest difference, right? You know, eat healthy, sleep right, drink water, exercise, those types of things. It'll make a difference over time, but it's way sexier to go, here's a pill and you can lose a bunch of weight and, you know, whatever else. But that's not, that's not a change. That's just an effect from something. And that's what we do in cyber all the time is
we're trying to grab the next super cool whatever and try and think we solved the problem when we could solve the majority of the problem with better basics and better fundamentals. It's not, none of it's protected information. I mean, you can open up your Google LLM and have it go collect all that crap for you and then ask the body question.
Mikey Pruitt (36:56)
So your critique on cyber is really a, is very much like the correlation of a critique on healthcare in that we're treating the symptom and not the root cause.
DrZeroTrust (37:06)
I mean, why would as a company that's making billions of dollars off of treating the symptoms, why wouldn't especially when I have shareholders,
why would I ever cut my own throat and actually fix the problem when I can just go? Yeah, I can just go, oh, well, you had one dot. Oh, here's two dot. Oh, and let me just, you know, make that a little bit more expensive and add some new features to it. And I mean, you know, tangentially that too.
Mikey Pruitt (37:19)
the incentives.
DrZeroTrust (37:35)
When you talk, because I talk to companies all the time in the space that are coming out of stealth or whatever, everybody wants to go to Enterprise. It's like, well, Enterprise is a big giant thing. It's going to take you a long time to sell there and whatever else, but one deal might cover two years worth of work. Or you could actually go after the small and mid-sized businesses that can make decisions in 30, 60 days and a pile of sticks is still a bonfire. So why not do that? And it's not helping anyone.
to try and keep fixing the enterprises because the enterprises are not where compromise occurs anymore. Now it's typically the small and mid-sized and third parties and contractors. So which is it folks? Are you for real trying to fix the problem? Then you go to the market that needs serving or are you trying to make more money and you serve the market that's already saturated?
Mikey Pruitt (38:25)
But you might, you could even make more or at least the same in either market or both. Interesting.
DrZeroTrust (38:29)
I mean, ThreatLocker's built
a billion dollar business off of serving the market that everybody else ignored. And I give Danny and Sammy and the whole team so much kudos because I knew them when it was nothing but a drawing on the back of a napkin. And Danny flat out was like, nope, we're going where everybody else isn't because they need help. And I was like, good for you, man. You figured it out.
Mikey Pruitt (38:51)
Yeah, and that product is as close to zero trust as I really see too. Like you just can't do anything unless it's approved.
DrZeroTrust (38:56)
It's legit,
I mean, it's not hard,
You know, they put their stuff in, it figures out what's being used, figures out what's not, and then turns it off.
Mikey Pruitt (39:07)
Yeah, that's like turning the dial of 10.
So we've talked about, we mentioned the word AI a few times. Like every episode of this podcast, I have a little AI section. And I'm assuming you're a little bit skeptical, but in a way that's like, we're just kind of misrepresenting it and not necessarily that it's not useful.
DrZeroTrust (39:32)
Not super useful. I mean, it's a tool. And by the way, none of it's AI. It's machine learning that's been marketed as AI. So people should be aware that we don't want real AI because that's a whole other ball of wax. Matter of fact, if you've never read the book If Anyone Builds It, We All Die, like you should go read that because it's very pressing on like actual artificial intelligence issues. But we should be using ML everywhere that we can. I use it all the time, two or three times a day. I got my kids licenses for it for school and
their teachers, I've had one of their teachers email me and go, well, we don't allow that. And I was like, nope, not having that in the Cunningham household. Like we cheat to win here. Like, I don't know what to tell you. Cause I don't know about you, you and I are basically the same age. I don't know if they did it to you, but when I was in algebra, they were like, you can't use calculators. I was like, what?
Mikey Pruitt (40:09)
you
This is the
I go back to this every time. They're like, when you're out in the real world, you're not going to have a calculator in your pocket. I'm like, you're wrong. You were just wrong. Can we all just admit that you're wrong?
DrZeroTrust (40:23)
I do. I have a phone. It's with me 24/7. Yeah. So. Right, and
I mean, the value of the tools that are there is exponential in nature. So I mean, I'm even back into like coding some stuff up because I hate coding, but now I can vibe code and it's way more functional and way more useful. But you know, I'm never going to push a vibe coded app into prod.
Mikey Pruitt (40:48)
Ahem.
DrZeroTrust (40:51)
until I have it secured and tested as best as I can. But yeah, these tools are super, super useful. It's like fire, the automobile, the internet, and now this particular tech. And we're seeing a revolution that occurs, but people just have to be smart with it. And I do think that, unfortunately, just at a macroeconomic level, the use of these tools is going to separate the users from the detractors, and that's going to cause a
really large gap in income and earnings and stuff in the future because you're either going to use it and benefit from it and function like you're 20 people, or you're going to be like, no, I'm not using that ML and AI stuff and whatever else. And then you're not going to be employable.
Mikey Pruitt (41:35)
I love that both of our like, I'm an idiot voices are like kind of hillbilly right now because we're both hillbilly right now.
DrZeroTrust (41:38)
is kind of hillbilly right next door.
Yeah, that's who
I grew up with. So it's yeah. Yeah. I do remember the people being like, no, I'm not doing that internet stuff. It was like
Mikey Pruitt (41:50)
Yes, you are, eventually, I promise. We had a meeting this past weekend and it's like, you know, what'd you do this weekend? And everybody's like, I don't know. And I was like, I went and did redneck stuff out in God's country. They're like, what's that? I'm like, four wheelers, firearms and fire. It was fun. Yeah, rednecks like the internet too. We like the internet too, y'all.
DrZeroTrust (41:51)
Yeah, you're okay. Good luck.
Yeah.
Yeah, blowing stuff up and yeah, writing extra fun people.
Yeah, exactly.
Mikey Pruitt (42:18)
So AI is a pretty big threat vector. And I think mostly because we don't fully understand its capabilities. It is kind of a user now, going back to your earlier statements. And I've seen, you probably have too, this Cloudbot. It's like an AI system that can basically control a computer like a person. So how do we add, I guess we have to add identity to that. How do we secure environments like that?
Or is it not possible? Or we don't know yet.
DrZeroTrust (42:49)
Well,
I mean, there's some companies that are doing stuff the right way without, you know, vendor sort of shenaniganning. Like I do think there's some companies out there that are doing things that are very useful and very helpful here that are doing like inventory of resources and connection analysis and then figuring out what data goes where. And that's a useful thing. The side of the AI ML problem that I'm not seeing people really deal with is, what if the data or the sources or the
things that you're getting your information from to train your models is flawed or poisoned? Does that throw off your model by X number? And that's not a, not a non-trivial thing. I mean, if you're building, and let's say you're building an AI bot for, I don't know, pharmaceutical, medical research or something like that. Well, if somebody goes off and puts a bunch of janky resources on the internet, your bot's gonna pull it. And even if I only manipulate your corpus by
0.01 percent, 0.001 percent, that's enough to cause hallucinations and wrong answers and things like that, and that could potentially hurt or kill people depending on what you're doing with it, you know. So I think there's a dual sided coin and folks are really focusing on one side, but there is the whole other side of it too. So you know, securing AI, I think is
I don't think it's that different from securing what we currently were doing. It's just a matter of doing it at a bigger scope and scale.
Mikey Pruitt (44:25)
Yeah, and we're not quite prepared for that bigger scope and scale because we've been doing things a bit. We thought we were automating, but it turns out we were not automating like massively enough.
DrZeroTrust (44:35)
I mean, you can automate
yourself into misery just like you can automate yourself into success, right?
Mikey Pruitt (44:39)
That's true. And
we see that with cascading failures on the internet. Like, this mega multi-redundant system. And we push the change, and then it cascaded through the entire globe. And now we've got to roll back, which also takes like six hours while people are hammering the system and the internet's failing everywhere. You're like, there's no undo in automation.
DrZeroTrust (44:55)
Yeah, enough sliving in all the time to try and reload their stuff. yeah.
Right. Yeah, you can automate failure just like you can automate success. And I mean, it's also kind of weird, too, to me when I see verticals that ignore like tsunami problems. So like if you remember what happened with Marks and Spencer, you know, they're all in the UK, which is an island, you know, and then you've got Marks and Spencer gets hit really hard and then Jaguar Land Rover gets hit really hard and then X, and you can follow the track and basically draw lines between all these businesses and all these data centers
and put the dates and go, here it came and you didn't pay attention. You know, like if I was Jaguar Land Rover and I saw Marks and Spencer go down, I'm pumping the brakes on everything we're doing and trying to get to the next step because it's coming.
Mikey Pruitt (45:47)
Yeah, it feels like the scene in the first Transformers movie where they're like, cut the hard line. It's like, just disconnect from the internet because we're next. So AI, slash what it really is, ML, is a threat vector. And then there's also ransomware still, you know, maybe less talked about now because AI is taking over the globe. But ransomware, and you mentioned this earlier about
DrZeroTrust (45:51)
Yeah, right. Yeah, with the axe. Yeah, right. No.
Mikey Pruitt (46:11)
like ThreatLocker's example, where they're going after the small to medium businesses. It seems like they are getting hit by ransomware more often because they're softer targets, whereas enterprises have been more hardened. And you can ransomware a million people and get the same amount of money you can if you ransomware one big.
DrZeroTrust (46:34)
Yeah, I mean, it's not, it's, it's the slow gazelle problem. You know, if all the enterprises have done to a degree what they've gotten, they've got the multi-million dollar, billion dollar infrastructure. If I'm a bad guy in Latvia, why would I go after Chase Bank when that's kind of dumb? I want to go after, you know, the subsidiary that sells, you know, toilet cleaners to their offices and then work my way through that. And like you said,
And I mean this is, you know, literally one of the business strategies I work with people on is a pile of sticks is a bonfire. So if I get one enterprise, great. It might take me forever and I might never succeed. But if I get a thousand small businesses at a thousand dollars, you know, I made a pretty good chunk of change and it was probably a lot less time and a lot less stress and a lot less risk. So, you know, figure that one out.
Mikey Pruitt (47:24)
Yeah, so the bad guys are also good at strategizing. I mean, they're running a business.
DrZeroTrust (47:28)
I mean, they're business.
Yeah, they're multi. And I mean, now that I've, and this is public knowledge too, like I've been reading about the drug cartels are getting in on cyber because they realized it's more beneficial, more money, less risk, and right, and no logistics. Like, I don't know, you mean to throw bales of coke over a fence and, you know, no gallus. Great. I can just like send somebody malware and they'll get hacked and they'll pay me because they want their machine. Sure.
Mikey Pruitt (47:41)
Yeah, less kinetic.
Who who is better at getting things shipped across the globe, the logistics guy for the cartel or Tim Cook from Apple?
DrZeroTrust (48:02)
Yeah, well, the logistics guy will get it there on time and under price, you know, so
it's.
Mikey Pruitt (48:09)
So
you mentioned the word reading there, and I wanted to talk about your books. One in particular, the How Not to Lead book. And you've written some really cool books. There's a comic, basically. And then there's a couple of fiction stories, which I didn't get to read all of them, but I saw some excerpts. They were pretty cool. But in the How Not to Lead book, you're talking about dumpster chickens and mushroom farmers. So what is that?
DrZeroTrust (48:20)
Yeah, into the comments.
Yeah.
Yeah. So, dumpster chickens basically are seagulls and we kind of called them that in the military because they would always be at the end of the pier. And you always joke like, if I ran out of stuff to eat, I could eat one of those dumpster chickens. But from a leadership perspective, if you've ever been around people that will fly in, squawk a lot, shit all over everything and fly away, that's a dumpster chicken, right? You're like, you flew in here to tell me that there's a problem. You crapped all over my solution, then you left. Like what?
What good is that? I need an actual fix or I need something that will work to get us to the next thing. So don't be a dumpster chicken is kind of that side of it. And then the mushroom farmer, you keep your people in the dark and you shovel shit on them. I mean, and that's pretty much how you grow mushrooms, right? But it's a problem because no one likes to be in the dark. And interestingly enough, when I was writing the research for the book, I learned mushrooms have a substrate and they actually communicate, which we would call gossip. So if you don't,
Mikey Pruitt (49:31)
you You
DrZeroTrust (49:33)
shine
the light on things and actually be honest with people and tell them what's up, they will start to use their substrate, even if they're covered in shit, and have communications with each other about what's going on, and that will be detrimental to your organization. So don't be a mushroom farmer.
Mikey Pruitt (49:49)
The first neural network, mushrooms. So, you're really spreading the, democratizing, I guess would be a good word, zero trust. You're kind of on this mission and I think you're successful. So congratulations for that. And thank you from the community to you. Thank you so much.
DrZeroTrust (49:51)
I mean, it's mushrooms, right?
well, thanks.
I'm trying to do what little I can, so yeah, I appreciate it.
Mikey Pruitt (50:14)
So I have some rapid fire questions to wrap up. Here we go. What's the most overrated security technology?
DrZeroTrust (50:17)
Alright.
Endpoint security or phishing training. Phishing training. Okay, phishing training wins.
Mikey Pruitt (50:23)
You
Hold on a minute, endpoint security or, and phishing training. Phishing training with a slight edge. Why endpoint security on the list of overrated?
DrZeroTrust (50:40)
So, I mean, if you really look at what the endpoints are, most of them, most of your organizations could run with a Chromebook and there's no operating system on a Chromebook. So, if you want to stop people from getting infected, take away the infection vector. I'll let you drop malware on my Chromebook. There's no OS. Go nuts. It's not going to do anything. But there's this big billion-dollar industry, multi-billion dollar, hundreds of millions of dollars around taking care of endpoints.
Mikey Pruitt (50:49)
Hmm.
DrZeroTrust (51:06)
Just look at your use of that stuff, figure out what people really need, and then give them that and take the rest of it away. And then someone will say, well, what if we don't have internet? When do you not have internet? I mean, come on. Yeah, I was going to say, you're like in downtown Kursk or something, sure. But other than that, you got internet.
Mikey Pruitt (51:16)
In a war zone or something. That's about it.
All right, what is underrated that managed service providers and small business owners and operators should be paying more attention to? This is great. So ethereal endpoints, I'm assuming you mean treating them more like cattle than pets.
DrZeroTrust (51:39)
Micro segmentation and ethereal sort of endpoints, I think is going to be the next real trend in space.
So I think we're starting to see where a lot of these, call them single use case, sorts of machines are becoming a thing. And if you can imagine not having an operating system on an endpoint, like a Chromebook, but have it be across enterprise. And whenever that machine goes to sleep and wakes back up, it just comes back with a fresh clean disk. That's coming. And that's going to be very interesting because.
Mikey Pruitt (52:21)
This is like Whonix
or like one of those Linux distros that's just like ephemeral. Wait, what was the other one you mentioned? And what was the other one you mentioned that was underrated? OK, what is that?
DrZeroTrust (52:25)
Yeah, non-persistent.
Ethereal.
micro segmentation.
I mean, that's
where you're trying to get past VLANs and you're really getting down to segmenting the asset itself, and a segmentation, if you could imagine, could be segmenting a user with good passwords and good access controls. It could be segmenting a resource with the right ports locked down. So micro segmentation.
Mikey Pruitt (52:57)
So let's talk about IPv6 for a second. Is there a future world where every endpoint has an IPv6 address, and that is their segment, essentially?
DrZeroTrust (53:08)
Could be.
I mean, I think as we get more use of APIs, more use of those types of addresses within internet routing infrastructure, we can get to a place where your policy engines will be able to do that stuff at that level. But I mean, I remember people telling me IPv4 was going to run out of addresses 10 years ago.
Mikey Pruitt (53:28)
Well, I mean, it kind of did. We have like, nodding and... I want everything to be internet addressable. No, I don't. Just kidding. Don't do that. All right. Worst piece of security advice that you've commonly given or received.
DrZeroTrust (53:29)
It did, but it didn't. Yeah. It did, but it didn't.
Oh gosh. Remember or change your password every 90 days is probably the one, cause no one wants to do it. And it never is good. And I think that that's just lazy, especially in the world that we live in today. So use something that is going to manage that for you, not, hey user, go change your password. You got locked out of your system. I got a job to do. I don't have time to take care of that password crap.
Mikey Pruitt (54:12)
All right, last rapid fire question. Your cyber thriller books are awesome. I'm going to go get them for sure. I've read the excerpts and I'm like, got to read this whole thing now. But what is scarier, the fiction that you write or the reality that you see?
DrZeroTrust (54:27)
The reality that we live in scares the hell out of me, honestly. And I don't mean that in a fear, uncertainty and doubt way. I just mean like the broad macro side of things. There's so much going on globally between macroeconomics and political stuff and cyber, and we're just in a very dynamic time. So yeah, reality's scary enough.
Mikey Pruitt (54:51)
Now I'm scared. Thanks. Well, Dr. Zero Trust, Chase Cunningham. I appreciate you joining me today. That was a blast. I'll have to keep up with you on the Internet. But for others that want to follow you, where can they find you on the interwebs?
DrZeroTrust (54:56)
HMMMM
Yeah, so I've got a website, it's drzerotrust.com, links to all my social stuff. I've also got a Patreon site where we donate 100% of any money that comes in during the year to a veterans charity. So if you want, it's three bucks, you spend more than that on Starbucks. But we do give 100% of that money to a veterans charity. And then I'm on LinkedIn. So if I can help somebody, you know, reach out to me and if I can't help you, I'll try and find someone that can.
Mikey Pruitt (55:30)
Awesome. Well, thank you so much.
