Learning from the Best: Successful Zero Trust Implementations

Zero Trust is becoming public-sector statecraft. This article examines real-world implementations in defense, healthcare and government, showing how executive ownership, identity-first controls, shared platforms and measurable outcomes make Zero Trust succeed.

Why “never trust, always verify” became policy doctrine


By Eckhart Mehler for CISOsCISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.


Zero Trust is no longer a niche ambition reserved for cybersecurity purists or technology-first companies. It has become statecraft. In ministries, parliaments, and NGOs around the world, Zero Trust is being embedded into the machinery of governance itself.

Public-sector breaches, such as those caused by lateral movement, stolen credentials, and unsegmented legacy infrastructure, have cost billions in direct remediation. But these failures also left one important thing in their wake: urgency. Today’s leading governments and development organizations are not just drafting Zero Trust roadmaps—they are executing them.

The following case studies highlight four Zero Trust programmes that have moved beyond PowerPoint. They each demonstrate measurable results, powerful lessons learned, and—most critically—repeatable models of success.


⚔️ 1. The U.S. Department of Defense – DISA Thunderdome

In 2022, the DoD committed to achieving 152 Zero Trust target and advanced outcomes across identity, device, network, application, and data domains by the end of FY 2027. Less than two years later, DISA, the Defense Information Systems Agency, had fully validated its Thunderdome prototype against all 152 of those objectives—well ahead of schedule.

This is a rare instance where one project achieved complete alignment with its policy mandate and operational maturity goals. It did so not through magic, but through strategic rigor. DISA created a dedicated Zero Trust programme office directly under the CIO’s authority, thus preventing control fragmentation and establishing a single source of prioritization.

The “Thunderdome” stack itself was engineered as a secure-access service edge (SASE) reference implementation with verifiable coverage mapped to each control category. Even the procurement contract incentivized outcome coverage and compliance velocity over feature sprawl.

Perhaps most importantly, DISA designed the initiative as a reusable federal vehicle. Any other agency in the defense ecosystem can now adopt Thunderdome under an existing contract, cutting onboarding time to weeks instead of years. This created a force-multiplying effect not often seen in government IT.


🏥 2. The UK National Health Service – Clinical-Grade Zero Trust

The NHS is still healing from the scars of WannaCry. After that devastating ransomware incident in 2017, Zero Trust became more than a technical ideal—it became a continuity-of-care imperative.

NHS Digital designed its implementation across three stages: foundation controls, individual NHS Trust adoption, and finally, interoperability across the entire connected-care ecosystem. The result was a measurable decline in successful cyber-attacks—by some accounts, more than two-thirds in participating institutions.

Just as significantly, the move to Zero Trust improved healthcare delivery. Clinicians reported faster, more reliable system access. Remote consultations surged, enabled by strict device and identity controls that replaced VPNs with simpler, stronger protections.

The NHS succeeded because it treated Zero Trust as a clinical workflow challenge, not merely an IT upgrade. Chief Clinical Information Officers were engaged early and often. They helped co-design MFA mechanisms, badge-tap authentication, and mobile device policies in a way that aligned with how care is actually delivered on wards and in surgeries.

Furthermore, NHS leadership tied funding to patient safety outcomes, which allowed them to build long-term financial support without having to rejustify the initiative each fiscal year.


🇦🇺 3. The Australian Digital Transformation Agency – Whole-of-Government Modernization

Australia approached Zero Trust from the top down. Under its 2020 Cyber Security Strategy, the government allocated over AUD 1.6 billion to bring federal agencies to a common cybersecurity baseline. The DTA mandated that every department align first to the “Essential Eight” maturity model—only then could agencies build toward full Zero Trust.

This phased approach proved crucial. Within three years, the percentage of federal entities meeting maturity standards more than doubled. Early adopters also reported meaningful reductions—up to a quarter—in their annual incident-response expenditures.

Crucially, the DTA embedded accountability in the right places. Agency heads were evaluated on their Zero Trust progress as part of their performance contracts. This placed security maturity alongside fiscal and operational goals, sending a clear message that cybersecurity was a leadership responsibility, not a back-office concern.

The financing model also helped. Treasury offered co-funding for Zero Trust programmes, but only after agencies presented peer-reviewed roadmaps. This created a culture of strategic rigor and cross-agency benchmarking that outlived the budget cycle.

Even more impressively, agencies tailored their priorities to mission needs. The Bureau of Meteorology focused first on API security for satellite data feeds. Meanwhile, the Department of Defence prioritized federated identity systems to enable classified collaboration with international allies. In other words, a single framework allowed very different organizations to pursue Zero Trust in ways that directly supported their mandates.


🛡️ 4. The U.S. Federal Civilian Executive Branch – CISA and the Power of Orchestration

Following Executive Order 14028, all U.S. federal civilian agencies were required to file Zero Trust implementation plans. The Cybersecurity and Infrastructure Security Agency (CISA) became the focal point for coordination and technical enablement.

Two years in, the results are striking. More than 90 percent of agencies have adopted phishing-resistant multi-factor authentication. DNS traffic is now protected by CISA’s national-level Protective DNS service. The rate of unknown or unmanaged assets on federal networks dropped from over 50 percent to below 5 percent, due in part to modernized asset visibility via Continuous Diagnostics and Mitigation (CDM).

Much of this was achieved through the smart use of shared services. Instead of building everything independently, agencies consumed centrally offered capabilities—such as secure DNS, endpoint detection and response, and telemetry pipelines—often at zero marginal cost.

CISA also created positive pressure by publishing quarterly FISMA scorecards. These reports not only informed congressional oversight but created a public benchmark of progress. Agencies that performed well received additional support and attention, while those lagging were held to clearly defined improvement trajectories.

Finally, CISA’s Zero Trust community groups—such as the DNS modernization working group—actively shaped vendor behavior. By articulating shared technical requirements, federal customers influenced the SASE and secure DNS markets toward faster innovation.


🔬 Patterns of Success – Five Lessons Across All Cases

Despite the differences in geography, mission, and size, these implementations share five common traits:

  1. Each Zero Trust programme had executive gravity. Whether it was a cabinet secretary, a CIO, or a national cybersecurity coordinator, someone with political or strategic weight owned the outcomes. This top-down commitment significantly accelerated maturity progress.
  2. They all began with identity. Rather than tackling full segmentation upfront, they focused first on phishing-resistant MFA, device posture validation, and authoritative identity stores. This provided a solid and measurable foundation.
  3. They used outcome telemetry. Progress wasn’t measured in firewalls deployed or segmentation rules written—it was tracked via real-world metrics like number of incidents avoided, percentage of devices managed, or rate of lateral movement observed in attack simulations.
  4. They treated user experience as a first-class requirement. Projects that incorporated usability research—like clinical settings in the NHS or citizen-facing portals in Australia—saw higher adoption, fewer workarounds, and stronger adherence to policy.
  5. They exploited platform economics. Agencies that treated their architecture as a reusable product (e.g., Thunderdome, Protective DNS) reduced cost per unit and helped their peers move faster through shared learning.

📏 Measuring What Matters – Beyond Technical Controls

The most effective Zero Trust leaders use a small set of operational indicators that map directly to risk reduction and organizational goals.

For identity, they track the percentage of authentications using phishing-resistant credentials, such as FIDO2 or PIV.

For devices, they measure how many endpoints are known, managed, and provide health posture attestation before being granted access.

For networks, they track how quickly lateral movement can be detected and blocked—using internal penetration tests as a proxy.

For data, they monitor how much sensitive content is protected by attribute-based access control and logged for audit.

These indicators give clarity to stakeholders and make security maturity a transparent, observable discipline.
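As an added illustration (not code from this article or from any of the agencies it discusses), the following Python computes the four indicators described above from constructed telemetry records. The record fields, the set of credential types treated as phishing-resistant, and the sample values are all assumptions made for the example.

```python
from dataclasses import dataclass
from statistics import median

# Credential types the article names as phishing-resistant (FIDO2, PIV);
# passwords, SMS one-time codes and push approvals are deliberately excluded.
PHISHING_RESISTANT = {"fido2", "piv"}

@dataclass
class AuthEvent:
    method: str             # "fido2", "piv", "password", "sms_otp", ...
    device_id: str
    device_managed: bool    # device is in the authoritative inventory
    posture_attested: bool  # health attestation presented before access

@dataclass
class DataAccess:
    abac_enforced: bool     # an attribute-based policy decided the request
    audit_logged: bool      # the decision was written to the audit log

def pct(numerator: int, denominator: int) -> float:
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0

def identity_indicator(events: list[AuthEvent]) -> float:
    """Share of authentications made with a phishing-resistant credential."""
    return pct(sum(e.method in PHISHING_RESISTANT for e in events), len(events))

def device_indicator(events: list[AuthEvent]) -> float:
    """Share of distinct devices managed AND attested on every access; counting
    devices rather than events stops one chatty endpoint from skewing the figure."""
    status: dict[str, bool] = {}
    for e in events:
        ok = e.device_managed and e.posture_attested
        status[e.device_id] = status.get(e.device_id, True) and ok
    return pct(sum(status.values()), len(status))

def network_indicator(detect_minutes: list[float]):
    """Median minutes to detect simulated lateral movement in internal tests."""
    return median(detect_minutes) if detect_minutes else None

def data_indicator(accesses: list[DataAccess]) -> float:
    """Share of sensitive-data accesses that are both ABAC-enforced and logged."""
    return pct(sum(a.abac_enforced and a.audit_logged for a in accesses), len(accesses))

# Constructed sample telemetry (assumed values, not real agency data).
SAMPLE_AUTH = [AuthEvent("fido2", "d1", True, True), AuthEvent("piv", "d2", True, True),
               AuthEvent("password", "d3", False, False), AuthEvent("sms_otp", "d4", True, False),
               AuthEvent("fido2", "d1", True, True)]
SAMPLE_DETECT_MINUTES = [45.0, 12.0, 90.0]
SAMPLE_DATA = [DataAccess(True, True), DataAccess(True, False), DataAccess(False, False)]
```

Note that the device figure is computed per device, not per authentication, so a single well-behaved endpoint that authenticates often cannot mask unmanaged ones.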


🚀 What Executives Should Do Next – A Practitioner’s Playbook

If you’re leading a Zero Trust journey in government or a mission-driven organization, consider five near-term actions:

  1. Define five key result areas—identity, device, network, application, and data—and set quarterly OKRs for each.
  2. Secure operational budget continuity. Rather than relying on one-time capex spikes, dedicate a fixed percentage of IT operating expenses to Zero Trust enhancements over time.
  3. Use procurement as a lever. Align vendor contracts to public-sector reference architectures. Demand adherence to security standards and timelines.
  4. Build resilience through design. Don’t assume controls will always work. Architect compensating measures and fail-safes for high-risk or legacy environments.
  5. Surface user experience metrics in governance reviews. Track not only security indicators, but also login friction, access latency, and adoption rates. What gets measured gets improved.

🏁 Coda – The Strategic Dividend of Zero Trust

Zero Trust, when well-executed, enables organizations to scale safely in an increasingly hostile digital world.

The best examples—whether in the DoD, the NHS, or civilian agencies—demonstrate that Zero Trust is not a marketing buzzword or a security fad. It is a foundational transformation in how organizations manage risk, design infrastructure, and deliver mission outcomes.

Security architectures that assume compromise and continuously verify trust are now required to defend both sensitive data and public trust. These case studies show that with executive commitment, human-centered design, and measurable outcomes, Zero Trust not only works—it pays.


Publication Note & Disclaimer
This article was originally published on LinkedIn on June 23, 2025 and may have been edited or updated for publication on this site.

It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.

For information regarding image credits, copyrights, trademarks and other intellectual property rights, please refer to the Imprint.