Playbook
Our perimeter model is failing and we need a Zero Trust strategy, not just MFA
The CISO has been told 'we have Zero Trust' because MFA is enabled. The auditor is asking deeper questions: device compliance, conditional access, microsegmentation, data classification. The current posture has gaps in every Zero Trust pillar and there is no end-to-end programme.
Trigger — Audit questions on Zero Trust posture; insurer pressure on architectural maturity.
Good outcome — Zero Trust reference architecture mapped to the estate, gaps identified per pillar, phased programme launched with explicit pillar owners.