Zero Trust vs. User Freedom: Both Are Broken

Published 6 months, 1 week ago
Description
Here’s the uncomfortable truth: Zero Trust is not the strongest security model. And giving every user total freedom isn’t the most productive option either. Both extremes are broken. If your M365 setup leans too far in either direction, you’re leaving gaps—or grinding productivity to a halt. In this workshop, I’ll show you how top-performing organizations hit the sweet spot: a perfectly tuned system where CISO, GDPR officer, and everyday user are all satisfied. The tradeoffs may surprise you, and the solution usually isn’t where most IT pros start looking.

Why Extremes Always Fail

What happens if you go all in on Zero Trust or let users roam free with unlimited access? In practice, both of those choices end up creating more problems than they solve. On paper, Zero Trust looks perfect—it promises a world where every access request is inspected, validated, and logged. Nothing moves without constant checks. The framework sounds airtight, and security teams love the neat diagrams vendors put in front of them. But the reality of running it inside a production environment hits much harder. Each one of those trust decisions translates into real policies, prompts, and denials that ordinary employees need to fight against just to get their work done.

Think about what it feels like for someone on the marketing team trying to launch a campaign under strict rules. Every time they log in, they’re hit with extra verification screens. They try sharing a file externally, and it bounces back. They go to approve an ad buy, but the system blocks the unfamiliar IP of the agency. Before long they’ve spent more time emailing IT than working. What looked like “tight security” in a governance meeting turns into delayed projects, frustrated staff, and managers asking why everything takes twice as long now.

It’s the digital version of walking through an office where every single door has its own unique key. Not only do you need to carry a giant ring with dozens of keys, but you’ll also end up stuck in hallways because you can’t find the right one. In theory, each door has its own lock, so only the right people get in. In practice, people end up propping doors open with chairs just to move around and do their jobs. That’s not better security, it’s a workaround created by frustration, and it undermines the whole system.

Now look at the opposite extreme where every user enjoys total freedom. Maybe IT is tired of approvals, so they just hand out admin rights across the board. At first, it feels amazing. Install whatever you need, fix your own problems, no more waiting. But it doesn’t take long before an employee clicks the wrong link, installs infected software, and suddenly ransomware is encrypting shared drives. The same freedom that felt empowering quickly turns into a wildfire spreading through systems that were supposed to stay protected. By giving everyone a key to the entire building—including the server room—you’ve essentially invited attackers to do whatever they want with no barriers in place.

Plenty of IT teams have lived through both of these scenarios. Some remember the six-month Zero Trust rollout that clogged workflows so badly that leadership demanded half the rules be rolled back. Others remember the “everyone’s an admin” decision that ended with entire environments rebuilt from backup after an attack. Both groups reach the same conclusion: there’s no shortcut where you simply pick one side and declare victory. These extremes consume countless hours, either by dragging down productivity or by forcing frantic damage control after a breach.

It’s a natural question—if each approach fails, why can’t we just optimize one until it works? The trouble is that the system doesn’t allow it. Security, compliance, and usability are tied together like communicating vessels. Strengthening one without regard for the others just shifts the pressure around until something bursts. If you crank security to the maximum, workflows collapse. If you open access to