Zero Trust has emerged as a prominent paradigm for addressing the limitations of perimeter-based security, gaining momentum through policy mandates, industry adoption, academic interest, and broader public discourse. Yet, little to none is known about how cybersecurity professionals understand and interpret Zero Trust for translation into practice and what roadblocks they perceive. In this work, we present the first study that investigates the human side of Zero Trust through 27 semi-structured interviews with cybersecurity professionals from U.S. government, industry, and academia. Across sectors, participants consistently describe Zero Trust as a promising shift in security thinking, while expressing skepticism about the term itself and the impressions it creates. When translating Zero Trust into practice, they reported recurring patterns that span perceiving value, planning, execution, and measuring progress. Our participants highlighted several challenges stemming from ambiguity in guidance, organizational culture, and domain-specific constraints. Our results highlight the socio-technical nature of Zero Trust adoption and identify opportunities for cross-sector collaboration, policy guidance, and future research to better support the translation and realization of abstract security paradigms in practice.
ACM Conference on Computer and Communications Security (CCS)
2026-11-15
2026-06-24