Zero Trust is often introduced as a set of controls or a maturity roadmap. In critical infrastructure environments, that framing can obscure the real question leaders must answer: what does “secure enough” look like before an incident — and resilient enough after one?

In this session, Amy Yee presents a threat-centric, outcome-driven approach to Zero Trust that contrasts the before and after states of cyber disruption in safety- and mission-critical systems. Using adversary personas to illuminate how attacks unfold across interconnected digital, physical, and operational environments, she explores why perimeter-based thinking fails — and how Zero Trust principles meaningfully change outcomes.

Rather than assuming a single path to maturity, this talk emphasizes working backwards from a desired resilience state. By clarifying what must be true after an incident — for operations, safety, and public trust — organizations can better prioritize Zero Trust decisions before one occurs.

Attendees will leave with a practical framework for evolving security posture in complex critical infrastructure environments, grounded in real threat behavior and focused on resilience, not perfection.

Target audience: Security leaders, practitioners, and board-adjacent professionals working in or supporting critical infrastructure and regulated environments.
Session format: 45–60 minutes. No special technical requirements.