# The Zero Trust Learning Curve: Deploying Zero Trust One Step at a Time

By [John Kindervag](https://www.paloaltonetworks.com/blog/author/john-kindervag/?ts=markdown "Posts by John Kindervag"), Apr 01, 2020

![The Flørli stairs in Lysefjorden, Norway, feature 4,444 wooden steps. John Kindervag took this photograph on a trip near where his grandfather spent his childhood, and uses the steps as an image to illustrate his concept of the Zero Trust learning curve.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/03/4444-steps.jpg)

I recently visited the Flørli stairs in Lysefjorden, Norway, near where my grandfather spent his childhood, and looked up at 4,444 wooden steps stretching toward the top of a plateau through a steep, tree-covered hillside. It's an old maintenance stairway used by workers at the turn of the century who were building a hydroelectric plant. The workers who climbed those stairs ascended from sea level to a height of 2,428 feet, often with 50-kilogram bags of concrete on their backs.

It's hard to imagine how they managed the task, but as I thought about what it takes to tackle such a thing daily, I realized it reflects a lesson that applies to those of us working to improve cybersecurity, particularly through deploying Zero Trust architectures. Just like climbing the Flørli stairs, reaching the top of the Zero Trust learning curve is accomplished one step at a time.

When I first started talking about Zero Trust, many people didn't understand what it is or why they should deploy it. The principles of Zero Trust didn't match what they were familiar with, and it took time to convince people that we needed to practice cybersecurity in a new way, since the way we'd approached cybersecurity before wasn't working.

Now that more people understand [what Zero Trust is about](https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture), I'm more likely to hear the objection that deploying it sounds overwhelming and people aren't sure where to start.

The thing I fight against now is doing nothing. It's easier to keep things the way they are, easier not to start climbing those wooden stairs. I'll be honest. When I went to Lysefjorden, I went up 10 steps and said, "Okay, I'm done with this."
I didn't need to reach the top to check that off my bucket list, so I didn't keep going. The problem is that, for the workers who had to climb those stairs, reaching the top wasn't about a bucket list. It was about doing the job they needed to do with the buckets they were carrying.

In cybersecurity, in a threat environment that's constantly escalating, we can't settle for keeping things the way they are. Organizations have to find a way to reach the top of those stairs.

##### **We Need to Change How We Approach Deploying Zero Trust**

I have worked in Zero Trust environments for well over a decade. I used to think that we should start deploying Zero Trust with the most sensitive data an organization needs to protect because those things are the most important. Experience now tells me that thinking was wrong, and we need to change it.

Deploying Zero Trust environments is based upon the concept of [protect surfaces](https://www.paloaltonetworks.com/blog/2018/09/define-protect-surface-massively-reduce-attack-surface/), the smallest possible reduction of the attack surface. A protect surface contains a single [DAAS element](https://www.paloaltonetworks.com/resources/zero-trust#page6) (Data, Assets, Applications and Services), and these vary as far as how sensitive or critical they are.

The trouble with starting with the most sensitive protect surfaces is that they're often too fragile and many people don't know how they work. Starting there with Zero Trust frequently results in failures. Too often, when this happens, organizations blame these failures on Zero Trust. In fact, the problem is that no one in the organization has experience building Zero Trust environments. To gain that experience, you have to follow the Zero Trust learning curve.
##### **Following the Zero Trust Learning Curve**

![The Zero Trust Learning Curve is illustrated here, showing the sensitivity or criticality of a protect surface on one axis and the time on the Zero Trust journey on the other.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/03/Zero-Trust-Learning-Curve.png)

To start out deploying Zero Trust environments, an organization should consider two axes. The first is the sensitivity or criticality of the protect surface, and the second is the time you're spending on the Zero Trust journey. Ideally, that second axis will stretch out for as long as your organization exists.

The first protect surfaces to work on are what I call learning protect surfaces. You need to start with a low sensitivity environment because you have to give people the ability to fail without retribution. Lab and testing environments are ideal for learning, but pretty much anything can work if it's low criticality. You could even practice on the web page that has the specials for this week in the cafeteria.

Once you're comfortable with the basic concepts of Zero Trust environments, you can move on to the practice protect surfaces. These are a little more sensitive, a little more critical, but they're not the "crown jewels" of your organization. Remember you get to Zero Trust the same way you get to Carnegie Hall: "Practice, practice, practice."

This way, before you touch the most sensitive protect surfaces in your environment, you've practiced and gained confidence in the mindset of Zero Trust. This is the peak of the Zero Trust learning curve.

Once you've protected your high-value assets, it's smooth sailing going forward. From there, you can focus on less important assets, the secondary and tertiary protect surfaces. Eventually, you'll end up in a place where you don't have anything left that's important enough to go into a Zero Trust environment.
##### **The Zero Trust Journey Lasts a Lifetime**

Zero Trust is a strategy that's decoupled from technology. While technologies may adapt and change and you may need to update your environments as they do, the conceptual and strategic parts of Zero Trust won't ever change. Once you follow the Zero Trust learning curve, you'll be in a good position to continue protecting your organization using this mindset for as long as your organization exists.

No matter how daunting deploying Zero Trust may seem at first, my experience tells me that taking the right approach to the Zero Trust learning curve gets most organizations up to speed very quickly. One client told me, "We spent more time arguing about Zero Trust than we did deploying the first Zero Trust environment." Don't be one of the organizations that never start the journey because they don't figure out how to take the first step.

Besides, when I think of what we do in cybersecurity and IT, it's a lot easier than carrying 50-kilogram bags of concrete on your back, 4,444 steps, up to the top of a mountain.

For more information about how to deploy Zero Trust networks, download the whitepaper, "[5 Steps to Zero Trust](https://start.paloaltonetworks.com/5-steps-to-zero-trust.html)."