Hello, CyberTech community. Welcome to part #19 episode of the CyberTech Top Voice interview series with Chad Cragle, CISO at Deepwatch.

In 2025, Zero Trust investments continue to evolve, with strategies and costs varying depending on the size of the company and the robustness of its existing security infrastructure. For small to mid-sized businesses (SMBs), the initial investment in Zero Trust solutions could remain under six figures, whereas larger enterprises may allocate multi-million-dollar budgets to deploy these frameworks.

We sat down with Chad Cragle, CISO at Deepwatch to understand how his organization help customers to optimize costs, with existing security tools like Identity and Access Management (IAM), endpoint security, and SASE (Secure Access Service Edge) technologies, while adopting a phased implementation strategy that aligns with both short-term needs and long-term goals. Today, companies like Deepwatch play a critical role in overcoming these challenges. With their expertise in managed security services and threat intelligence, they help businesses implement and optimize AI-driven threat detection, automated security processes, and real-time monitoring. This collaboration not only simplifies the complexity of Zero Trust but also ensures businesses can improve their ROI through more efficient and proactive security measures.

Ultimately, for businesses to realize long-term success in their Zero Trust investment, it’s crucial to align security initiatives with broader operational goals, ensuring that security becomes an enabler of business growth rather than a hindrance.

Let’s hear more from Chad as part of our CyberTech Top Voice interview program. 

 How much should Zero Trust investments cost in 2025? Do you have any tips on optimizing these costs for better outcomes and security results?

 The cost of Zero Trust in 2025 varies widely depending on company size, existing security investments, and how aggressively you implement it. Small and midsize businesses can often stay under six figures, while enterprises will see multi-million-dollar investments, especially for large-scale deployments.

 Optimizing costs starts with assessing what you already have. Many companies don’t realize they can leverage existing tools like identity and access management (IAM), endpoint security, and Secure Access Service Edge (SASE) rather than layering on redundant solutions.

 Another smart approach is a phased rollout. It spreads costs over time and allows you to fine-tune your strategy. Cloud-native solutions can keep costs down while improving scalability. Before committing to any major spending, always evaluate whether building or buying is the smarter play for your business. The companies that get the best ROI are the ones that make strategic investments—not just the biggest ones. 

Recommended CyberTech Interview: CyberTech Top Voice: Interview with ABBYY’s Max Vermeir

What are the top challenges when implementing a Zero Trust strategy, and how have you overcome them? 

One of the biggest hurdles is modernizing legacy infrastructure. Upgrading systems to support Zero Trust can be expensive and disruptive, so taking an incremental approach—starting with high-risk areas—makes it far more manageable. Prioritizing IAM, endpoint security, and network controls before a full-scale rollout helps smooth the transition. 

Another major challenge is user experience friction. Stricter access controls often frustrate employees, which leads to workarounds and resistance. Adaptive authentication and risk-based access help keep security tight without unnecessarily slowing people down.

Cultural pushback is also a real issue. Many organizations still operate under traditional security models, and moving to Zero Trust requires executive buy-in and ongoing security awareness training. However, security awareness training is often met with resistance, so the point is that the easier you make it to roll out Zero Trust and demonstrate its value, the less friction you’ll encounter.

Finally, visibility gaps can derail an implementation. Maintaining a strong asset inventory and using micro-segmentation improves observability, making it easier to enforce policies effectively. In my experience, Zero Trust works best when approached strategically, step by step, rather than trying to force a massive shift all at once; honestly, like most everything when it involves many people. 

Which technologies do you consider essential for building a successful Zero Trust framework, and why?

Like most anything in Security, including Zero Trust it isn’t about just one tool—it’s about layering multiple controls to minimize risk, like defense-in-depth.  But if I had to call out the essentials, these should be top of mind:

  • Identity and Access Management (IAM): The foundation of Zero Trust. Every user and device needs to be verified before access is granted.
  • Multi-factor authentication (MFA) is a must-have. Even if credentials are compromised, MFA acts as a second barrier.
  • Endpoint Detection and Response (EDR/XDR): Real-time threat visibility and rapid response capabilities help detect and mitigate potential breaches.
  • Network Segmentation & Software-Defined Perimeters: Prevent lateral movement, ensuring attackers can’t roam freely if they get in.
  • Secure Access Service Edge (SASE): Critical for hybrid workforces, integrating networking and security for seamless, secure access.

And of course, let’s not forget about AI-driven threat detection—the game-changer everyone is eyeing. AI-powered security tools analyze massive amounts of data in real-time, identifying anomalies faster and automating risk assessments. This improves detection and response times and reduces manual workload, making Zero Trust more scalable and effective. 

Recommended CyberTech Interview:  CyberTech Top Voice: Interview with Zimperium’s Krishna Vishnubhotla

The best strategy is to find the right mix of best-of-breed solutions that fit your company’s existing infrastructure and risk tolerance. But one thing is clear: AI-driven automation is becoming a must, not a nice-to-have.

How do you ensure alignment between your Zero Trust strategy and broader business goals, especially when securing remote and hybrid work environments?

I learned very early on that Security shouldn’t slow the business down—it should enable it. A good Zero-Trust strategy prioritizes security and usability, aligning with business goals.

Seamless authentication is critical for remote and hybrid work. Adaptive access and risk-based policies ensure employees can work securely without friction. Security should run in the background, protecting users without disrupting their workflows. 

From a business perspective, Zero Trust investments must be justified with real outcomes. Metrics like compliance adherence, breach reduction, and improved uptime demonstrate that Zero Trust isn’t just about locking things down—it’s about enabling sustainable growth.

Executive buy-in is also key. Adopting Zero Trust becomes much easier when leadership understands that it reduces risk, streamlines operations, and supports long-term business objectives. The best implementations are positioned as business enablers, not just security mandates. 

What is your approach to Zero Trust investments—do you recommend a phased implementation or a full-scale overhaul, and why?

A phased approach is almost always the best option; in my opinion. Every company starts from a different place, but a full-scale overhaul is rarely practical. 

The first step should be tightening identity and access controls, ensuring solid authentication and authorization mechanisms. From there, gradually implementing micro-segmentation and adopting Zero Trust Network Access (ZTNA) helps contain threats while improving secure remote access. Over time, extending Zero Trust to cloud workloads and IoT devices ensures full coverage. 

A phased rollout spreads costs, minimizes disruptions, and allows for iterative improvements. It also enables security teams to test and refine their approach before committing to larger investments.

 Some companies, particularly those dealing with a recent breach or building security from the ground up may need a full-scale overhaul. But for most, a gradual, strategic rollout ensures Zero Trust strengthens security without becoming a roadblock to operations.

Looking ahead to 2025, how do you see Zero Trust solutions evolving in terms of cost, complexity, and ROI for organizations, and how should businesses prepare for these changes? 

As we look into 2025 and beyond, Zero Trust is becoming more cost-effective and less complex, especially as vendors consolidate solutions. Instead of buying separate tools for IAM, SASE, and ZTNA, companies can now invest in integrated platforms that bundle multiple capabilities, reducing cost and complexity. 

AI-driven automation will also be a game-changer. AI will simplify policy enforcement, risk assessment, and threat detection, making Zero Trust adoption easier and more scalable. This shift will improve efficiency, speed response times, and lower operational overhead.

From an ROI perspective, businesses that invest in Zero Trust will see faster threat detection, reduced attack surfaces, and improved compliance—all of which strengthen the business case for continued investment. To prepare, companies should focus on converged security solutions to cut vendor sprawl, prioritize automation to reduce manual workload, and stay ahead of regulatory requirements as more industries adopt Zero Trust mandates.

Ultimately, organizations that proactively align their security strategy with these trends will be best positioned to stay ahead of cyber threats and industry regulations, all while keeping costs under control.

Recommended CyberTech Interview: CyberTech Top Voice: Interview with Oasis Security’s Danny Brickman

Thank you so much, Chad, for your delightful insights. We look forward to having you again at the CyberTech Top Voice engagements.

To participate in our interviews, please write to our CyberTech Media Room at news@intentamplify.com

About Chad

With nearly two decades of real-world experience as an Information Security and Compliance Subject Matter Expert, Chad has a distinguished record of transforming and elevating security postures within organizations. As the Chief Information Security Officer (CISO) at Deepwatch and the Leader of IT, Security, Compliance, and Cloud, Chad is not just a figurehead but a true leader. His proactive security, compliance, and privacy improvements ensure the organization is always ahead of emerging challenges, instilling confidence in the team and the organization as a whole.

Chad’s leadership is instrumental in scaling security programs and building a robust foundation for Deepwatch’s security initiatives. He has successfully navigated some of the most rigorous and recognized frameworks, including achieving FedRAMP Moderate authorization and overseeing the completion of ISO 27001, PCI DSS Level 1, HIPAA, SOC 1, and SOC 2, among others. These achievements are a testament to his dedication and expertise in moving the maturity needle in the right direction.

Chad’s mission is to protect Deepwatch proactively. He ensures his teams continuously adapt and evolve within the ever-changing security landscape. His collaboration with other leaders and executives across Deepwatch, embodying the role of ‘customer zero’—the first consumer and early adopter of all innovations related to Deepwatch’s mission, is a testament to this commitment. Chad is dedicated to securing and implementing “security by design” in the technology, products, and services to serve Deepwatch’s customers effectively.

About Deepwatch

​​Deepwatch® is the pioneer of AI- and human-driven cyber resilience. The Deepwatch Platform enables lean security teams—regardless of skill level—to enhance their organization’s cyber resilience and maintain regulatory compliance. By combining AI, security data, intelligence, and human expertise, Deepwatch helps organizations reduce risk through early and precise threat detection and remediation. The platform also lowers costs, maximizes existing tool investments, and enhances security team productivity.