
Danny Jenkins’ Cybersecurity Advice: Focus on What Works

Forget the trends.
Kelsey Brandt
Contributing Writer

At the recent Zero Trust World conference, The National CIO Review sat down with Danny Jenkins, CEO and Co-Founder of ThreatLocker, a leader in Zero Trust endpoint security, to discuss the most pressing cybersecurity strategies for technology leaders.

With over 20 years in the trenches of cybersecurity, Jenkins has seen it all, from building and securing corporate networks to serving on both offensive (red) and defensive (blue) security teams. His practical experience and no-nonsense approach have made him a leading voice in an industry often dominated by hype and complex jargon.

Strategic Security Initiatives for IT Leaders

Implementing Zero Trust Effectively

Jenkins emphasized that the Zero Trust approach should be seen as a strategic framework rather than a technology product. While there are tools to support Zero Trust strategies, the core philosophy is about minimizing access and continually verifying all entities within a network.

“Zero Trust is not a product. It’s a strategy that involves reducing privilege, blocking untrusted software, and implementing strict controls over what applications can do.”

A successful Zero Trust strategy involves a multi-layered approach to limiting access and minimizing risk. Allow listing is a critical component, ensuring that only approved software can run on corporate devices, which prevents unauthorized programs from executing within the network. Another key tactic is ring-fencing applications, which involves restricting what software can do and where it can connect, helping to contain potential threats if a breach occurs. Additionally, removing admin privileges is vital to reducing risk, as it ensures elevated access is granted only when necessary and for as short a time as possible, limiting the potential damage if credentials are compromised.

One of the biggest misconceptions, Jenkins noted, is treating Zero Trust as a “set-it-and-forget-it” solution. Instead, it requires ongoing management and strong communication to ensure employees understand new security protocols.

“Communication is key,” he added, urging leaders to avoid confusion and resistance during implementation.

Addressing Endpoint Vulnerabilities

“All endpoints are vulnerable. It’s the point where the human interacts with the network.”

Jenkins pointed out that endpoints – where employees interact with systems – are often the weakest link in an organization’s security posture. He stressed that endpoint security should be a top priority, especially for new CISOs trying to establish a secure baseline. While human behavior can be unpredictable, strong endpoint controls and allow listing can significantly mitigate risks.

Jenkins shared a success story where he onboarded a major airline with 20,000 endpoints in just 10 weeks, drastically reducing the attack surface by tightly controlling which applications were permitted to run on corporate devices.

The example highlights how strategic changes can lead to substantial security improvements: well-managed endpoint strategies are practical and effective.

Enhancing Cloud Service Controls

While cloud applications are essential to modern businesses, Jenkins stressed the need for stronger cloud service controls. Though allow listing offers immediate security benefits on endpoints, cloud environments present unique challenges that require more nuanced strategies.

“It’s a more complicated project, but absolutely necessary.”

Jenkins advocated for dual-factor authentication, which adds an extra layer of security to access controls by ensuring user identities are thoroughly verified before granting access to critical systems. He also recommended IP restrictions, which help limit access to cloud resources by allowing only approved locations to connect, thereby reducing the attack surface. Additionally, comprehensive access management is crucial for monitoring permissions, helping organizations quickly identify potential security gaps.

He cautioned that the complexity of managing multiple cloud systems can create vulnerabilities if not addressed with the same rigor as on-premise environments, underscoring the need for consistent security practices across all digital assets.

Leading from the Top

“Block untrusted software, limit what your applications can do, and shut down any unnecessary network ports.”

When asked how he would advise a board of directors on cybersecurity, particularly with regard to AI, Jenkins delivered a straightforward pitch. He noted that high-stakes boardroom conversations often require simple, actionable insights, as board members may not always have a deep technical understanding of cyber threats.

He emphasized that while AI introduces new risks, the core threats – like ransomware and unauthorized access – remain largely unchanged.

“We’re still being destroyed by the same ransomware we were a year ago,” Jenkins noted, suggesting that the excitement surrounding AI should not distract leaders from addressing existing vulnerabilities.

Focusing on foundational security practices – like allow listing, limiting permissions, and shutting down unnecessary network ports – is often the best defense.

Dispelling Cybersecurity Myths

“You can’t run a program if you’re not a local admin.”

Jenkins debunked a persistent myth in the cybersecurity world, clarifying that malware can be installed even without admin rights. Many IT professionals mistakenly believe that limiting administrative privileges is enough to prevent unauthorized software installation, but threat actors can still exploit user-level permissions to execute malicious code.

This misconception often leads to inadequate defenses, leaving systems vulnerable to portable apps, browser-based threats, and malware installations within user profile folders.

He illustrated this with a real-world example of an airline’s prolonged recovery from a cyberattack, highlighting how leadership gaps in cybersecurity knowledge can amplify the impact of incidents. Jenkins noted that underestimating threats and over-relying on outdated security assumptions can cripple response efforts, emphasizing the need for qualified leadership that understands the nuances of modern threats.

“Some CIOs shouldn’t be allowed to be CIOs,” Jenkins quipped, emphasizing the importance of qualified leadership in maintaining strong security practices.

The Wrap

Talking to Danny Jenkins at Zero Trust World was a refreshing reminder that cybersecurity doesn’t always need to be complicated. His core message was surprisingly simple: “Reduce privilege wherever you can.”

Jenkins emphasized that small, strategic moves, like implementing Zero Trust principles, tightening endpoint security, and boosting cloud controls, can make a big difference. By cutting through the AI hype and focusing on basics, IT leaders can help their organizations thrive – no gimmicks required.

At the end of the day, Jenkins’ advice feels grounded in reality. Technology leaders don’t need to chase every new trend or buy into buzzwords. Instead, keeping security strategies practical, communicating clearly with teams, and sticking to proven practices can go a long way toward building resilience.

As cyber threats continue to evolve, it’s the steady, thoughtful approach, not the flashiest solution, that will help organizations navigate uncertainty and come out stronger on the other side.
