Presented by Gartner

For John Wood, Chief Information Officer for Strategic Systems Programs at the U.S. Navy, zero trust represents more than another cybersecurity framework. It is a complete philosophical shift in how organizations think about defense.

Wood explains that traditional cybersecurity often followed what he calls the “castle and moat” model. In that model, organizations focused heavily on keeping attackers outside the perimeter. Once a user, device, or system was inside the network, it was generally treated as trusted. But modern cybersecurity no longer allows that assumption. Zero trust starts from a different premise: the attacker may already be inside.

To explain the mindset shift, Wood turns to the story of the Trojan Horse. Troy’s walls held for years, but the city fell because the threat was brought inside and trusted. For Wood, that ancient lesson maps directly to modern cybersecurity. Agencies cannot assume that everything inside the network is safe. They must continuously verify users, systems, devices, and behaviors.

That shift is especially important for an environment as broad and complex as the Department of the Navy. The Navy operates across vast geographies, including the Indo-Pacific, and supports mission environments where users, systems, data, and operational needs are highly distributed. Implementing zero trust in that context is not a simple technology upgrade. Wood describes it as a wholesale rebuilding of the way security is planned and executed.

The challenge is turning a large set of zero trust activities, capabilities, and pillars into a coherent security plan. Agencies must connect tools, data, policies, identities, and monitoring so they work together. Continuous verification only works when the enterprise can see what is happening, understand behavior, and act quickly when something looks wrong.

Artificial intelligence makes that need more urgent. Wood warns that AI is democratizing cyberattacks by giving less-skilled actors capabilities that previously required significant technical expertise. He points to examples of AI tools uncovering large numbers of vulnerabilities and enabling untrained users to launch attacks at scale. If untrained actors can do that today, the question becomes what skilled attackers and nation-state teams will be able to do as these tools mature.

Supply chain risk adds another layer. Wood references the lesson of attacks like SolarWinds, where trusted software delivery channels were compromised. In that case, the danger was not only the software itself, but the trust placed in the source. Zero trust helps address that problem by shifting attention from static signatures to suspicious behavior. If systems can detect unusual east-west movement, unexpected data flows, or abnormal activity, they can identify threats even when the initial compromise comes through a trusted vendor.

Wood’s view is clear: zero trust is not a slogan. It is a practical response to a world where attackers may already be inside, software supply chains can be manipulated, and AI can accelerate offensive capability. For government cybersecurity leaders, the goal is to build environments where trust is never assumed, verification is continuous, and mission systems can operate with resilience even under pressure.

Key Takeaways

• Zero trust replaces the old “castle and moat” model with continuous verification across users, systems, devices, and behaviors.
• AI is lowering the barrier to cyberattacks, making proactive security and behavioral detection more urgent.
• Supply chain risk reinforces the need to monitor malicious behavior, not just trust software sources or signatures.