Zero Trust Becomes a Modernization Strategy As Leaders Move Beyond Compliance Thinking

Zero Trust works best when treated as a modernization strategy for how organizations operate, not as a security program to be audited. Too often, mandates and reporting requirements narrow the focus to checklists and technical controls, slowing real transformation. The result is stalled maturity and security teams locked into reactive modes instead of enabling the mission.

Gerald Caron, VP of Cybersecurity at RIVA Solutions, a federal IT and cybersecurity solutions provider, brings more than two decades of experience leading IT and cybersecurity operations across the U.S. government, including prior roles as CIO for the International Trade Administration and the Department of Health and Human Services. A Forrester-certified Zero Trust Strategist and U.S. Army veteran, Caron has helped shape the government’s approach to security modernization through practical, mission-driven change. He approaches Zero Trust less as a security initiative and more as an operating model for how organizations modernize, migrate, and get work done.

"I’ve never really looked at Zero Trust as a cybersecurity effort. I’ve always looked at it as a modernization effort. You improve how people work, you improve the mission, and at the same time you’re improving your security posture," says Caron. Central to his philosophy is a distinction many organizations overlook: compliance does not inherently equal effectiveness.

• The compliance trap: In the rush to satisfy federal mandates, teams can fall into box-checking mode, turning security into a roadblock rather than a strategic enabler of the mission. "You can be compliant and still not be secure, and I’ve seen that firsthand when people focus more on checking the box than actually reducing risk," Caron says.

To illustrate his point, Caron offers a simple example: if a compliance rule merely requires authentication, a team might deploy a basic username and password system. While technically compliant, it is not nearly as effective as modern multi-factor authentication. True security effectiveness comes from an integrated, holistic view of the five pillars of Zero Trust: identity, devices, networks, applications, and data. Caron has seen many implementations in which leaders focus heavily on identity, forgetting that identity is only a means to the ultimate asset: data.

• Phish-proof your posture: As cyber threats grow more sophisticated, Caron points to assumed breach as a practical reality rather than an abstract principle. Attackers are now using AI to generate phishing emails that "look perfect," without the misspellings or visual cues people once relied on to spot them. In that environment, the priority shifts from trying to keep every attacker out to limiting the damage when one gets in. "Reducing the attack surface and preventing the lateral movement is what Zero Trust has been all about," Caron says, describing an approach designed to contain breaches by shrinking the blast radius across the environment.

• Built into budgets: Caron points to budgeting as one of the clearest signals of whether Zero Trust is being treated as modernization or sidelined as an IT problem. During his time in government, technology and security costs were no longer positioned as separate line items competing for funding. Instead, they were embedded directly into the mission programs they supported. "IT is an enabler of the mission," Caron explains, noting that priorities were already being set by mission owners. By folding security and infrastructure costs into those initiatives, Zero Trust stops looking like discretionary IT spend and became part of what it actually cost to deliver outcomes. "It was key to treat it as a modernization effort, not just some IT thing."

• Less friction, more flow: When the focus shifts to improving how people work and enabling the mission, security stops being a barrier and becomes a built-in outcome. Caron points to practical changes such as eliminating inefficient network hairpinning by sending users directly to cloud applications. The objective is to design security into modern workflows from the start, rather than adding it later as an afterthought. "If you think of it as a modernization effort, then you get much more buy-in. Because you're making an end user's life easier while also improving my security posture at the same time."

The path to a mature Zero Trust posture is often described as open-ended, but Caron sees it differently. For him, the destination is clear, even if the route requires patience and discipline. Frameworks like the CISA Zero Trust Maturity Model provide structure, but progress depends on understanding the current state of the environment, especially where data lives, how it moves, and what "normal" actually looks like.

The work is incremental by design, focused on measurable improvements rather than architectural perfection. "Zero Trust is a journey," Caron concludes. "You don’t need to make a big leap. You need to understand where you are today and figure out how to get to the next level, because every step forward improves your posture."