Zero-Trust Without the Buzzword — Explaining It to a CFO

I’ve sat across from enough CFOs to know that “zero trust” lands somewhere between confusing and annoying. It sounds expensive, abstract, and vaguely threatening—like someone’s about to ask for a budget increase without being able to explain what the money buys.

So let me skip the buzzwords and tell you what zero trust actually means in language that matters to a finance leader.

What Zero Trust Is Not

It’s not a product you buy. It’s not a checkbox on a compliance form. It’s not “we don’t trust our employees” (a common misinterpretation that kills culture). It’s not something that requires replacing your existing firewall.

It’s simpler than all of that.

What Zero Trust Actually Is

Before zero trust, the model was: trust everyone inside the network, distrust everyone outside. Like a fortress. Thick walls, guarded gates, and once you’re in, free movement.

The problem with that model became obvious when attackers stopped breaking down the gates and started pretending to be people who already had keys. Phishing, credential theft, compromised VPN accounts—once an attacker is inside, the fortress model gives them free run of the castle. And the average breach dwell time is 181 days. That’s 181 days of free movement.

Zero trust replaces “trust everyone inside” with “verify every access request, regardless of where it comes from.” Every user, every device, every application—authenticated and authorised before it touches anything. Not once per session. Every single time.

The Business Case in Three Numbers

₹18 crore. That’s the average annual cost of unused software licences across Indian enterprises (Zylo 2024). Most of those legacy tools exist because of old security models that required point solutions per department. Zero trust lets you consolidate.

72 days. The average reduction in breach detection time for organisations that implement micro-segmentation (IBM/Palo Alto research). Faster detection means lower breach costs. The IBM 2024 report puts the average breach at ₹41 crore ($4.88M). Cutting detection time by 72 days saves real money.

30%. The typical operational savings from moving from perimeter-based security to identity-based security. Fewer appliances. Less complexity. One policy framework instead of six.

How It Works in Practice

Let me describe a real deployment we did for a multi-campus enterprise in India:

The infrastructure didn’t change. The firewall policies changed. Same hardware. Same team. Different rules. That’s zero trust in practice: not a rebuild, but a reconfiguration.

What It Costs vs What It Saves

The cost of implementing zero trust varies wildly depending on your starting point. If you already have a modern firewall stack (FortiGate, Palo Alto, etc.), the policy changes are mostly time, not new hardware. If you’re running decade-old infrastructure, you might need an upgrade cycle—but you needed that anyway.

The savings are more predictable:

The Bottom Line

Zero trust isn’t a security project. It’s a risk management strategy with a measurable ROI. Ask your security team to show you the blast radius of a single compromised workstation. If they can’t, you don’t have zero trust. If the answer is “it could reach everything,” you’re paying for an expensive gamble.

And the CFO in me says: that’s not a bet worth making.
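The blast-radius question above can be answered with a reachability check over the access policy. This is an added example, not code from the post or from P J Networks; the hosts, segments and rules are constructed sample data, and it models only network-level segment flows (the per-request identity and device checks described earlier would shrink the result further).

```python
"""Blast radius of one compromised workstation under two policies (added example)."""
from collections import deque

# Constructed inventory: host -> network segment (not a real deployment)
HOSTS = {
    "ws-finance-01": "workstations", "ws-hr-07": "workstations",
    "app-erp": "app", "file-share": "app",
    "db-erp": "db", "backup-01": "backup",
}

# Fortress model: once inside, any segment may reach any other segment.
FORTRESS_POLICY = [("*", "*", "*")]

# Micro-segmented model: explicit allow-list of (src segment, dst segment, port);
# anything not listed is denied. Rules are constructed for illustration.
ZT_POLICY = [
    ("workstations", "app", 443),  # users reach the ERP front end over HTTPS
    ("app", "db", 5432),           # only the app tier talks to the database
    ("app", "backup", 22),         # backups are pulled from the app tier
]


def allowed(policy, src_seg, dst_seg):
    """True if some rule permits traffic from src_seg to dst_seg ('*' matches any)."""
    return any(s in ("*", src_seg) and d in ("*", dst_seg) for s, d, _ in policy)


def direct_reach(policy, compromised_host):
    """Hosts the compromised host can connect to in a single hop."""
    src_seg = HOSTS[compromised_host]
    return sorted(h for h, seg in HOSTS.items()
                  if h != compromised_host and allowed(policy, src_seg, seg))


def blast_radius(policy, compromised_host):
    """Hosts reachable by chaining allowed flows: the conservative assumption is
    that every host the attacker can reach may in turn be used as a pivot."""
    reached, queue = {compromised_host}, deque([compromised_host])
    while queue:
        cur = queue.popleft()
        for host in direct_reach(policy, cur):
            if host not in reached:
                reached.add(host)
                queue.append(host)
    reached.discard(compromised_host)
    return sorted(reached)


if __name__ == "__main__":
    for name, policy in (("fortress", FORTRESS_POLICY), ("zero trust", ZT_POLICY)):
        print(f"{name}: direct={direct_reach(policy, 'ws-finance-01')} "
              f"transitive={blast_radius(policy, 'ws-finance-01')}")
```

The fortress policy gives the workstation every other host; the segmented policy cuts first-hop reach to the app tier, and the transitive result shows that the app-to-database and app-to-backup rules are where the remaining exposure lives.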

Sanjay Seth, CEO of P J Networks. If you’d like a no-jargon conversation about what zero trust would actually cost (and save) at your organisation, reach out.
