When discussing cybersecurity strategies like Zero Trust, it is easy to get lost in high-level theory. However, the most valuable insights often come from those who have been in the trenches—practitioners who have managed networks, taught the next generation of cyber professionals, and navigated the constraints of real-world budgets.
One such expert is Eric Langford, an Instructor of Computer Science and Cybersecurity at Tarrant County College. With a rich background spanning the public sector, specifically K-12 education, and the defense industrial base, Langford brings a hands-on perspective to the challenges of securing modern networks.
Here is a look at Langford’s philosophy on Zero Trust, his experiences in the field, and why he believes allowlisting is a critical piece of the puzzle.
Zero Trust is a Mindset, Not a Product
For Langford, the biggest misconception about Zero Trust is that it is something you can simply buy. “It’s not a product you implement,” he explains. “Zero Trust is a… change in the way that you think about security.”
He illustrates this by contrasting modern needs with the old “medieval castle” approach to security, where a moat and walls protected everything inside. “Nowadays, that’s not the case,” Langford notes, citing the rise of cloud computing, remote work, and bring-your-own-device (BYOD) environments.
Instead of assuming safety behind a firewall, Langford defines Zero Trust as a premise where you “don’t grant trust unconditionally.” Access is granted only as needed and is “always reevaluated,” meaning access could be revoked immediately after a specific task is completed.
The Reality in K-12 and Small Business
Langford’s experience in K-12 education and small manufacturing companies gives him a unique view of the hurdles smaller organizations face. He notes that while large districts or corporations may have resources, the vast majority of schools and defense contractors are small entities often struggling with budget constraints and limited staff.
In these environments, sophisticated attacks aren’t always the primary culprit for breaches. “I’m gonna say it’s because environments are permissive,” Langford states. He points to long-standing issues like poor password policies, lack of multi-factor authentication, and unpatched systems as the vectors that remain most likely to be exploited.
This permissive nature is exacerbated when users have administrative access. Langford highlights that in many small organizations, end users still have the ability to install software freely. “Right there, that’s a huge issue because any application they download, they can run,” he warns.
Evolution on Allowlisting
Langford admits that his perspective on allowlisting has evolved. Years ago, he found it difficult because “you had to manually do a lot of stuff to allow things.” However, modern tools have changed the equation.
He argues that moving to a “prevention first” mindset helps solve the problem of alert fatigue. If you can stop a threat before it executes, “it never gets into your environment,” freeing defenders to focus on other tasks rather than constantly responding to logs and alerts.
Experience with PC Matic
Langford is vocal about how PC Matic has simplified the implementation of Zero Trust principles. “I think that’s where PC Matic does a great job, is because it’s really simple from my experience… to just place things on there,” he says.
He highlights PC Matic’s global list of known good software as a key differentiator. Because the software already recognizes “known good, safe applications,” it creates a list for you automatically. This removes the heavy lifting that used to make allowlisting a burden. “It’s much, much easier now with a lot of the applications that are out there to manage that,” he concludes.
Final Advice: Start with the Basics
Despite his advocacy for Zero Trust and tools like PC Matic, Langford leaves organizations with a grounded piece of advice: do not look for a magic cure.
“Don’t get sold that it’s a silver bullet that’s gonna secure everything for you,” he cautions. He urges leaders to focus on “general cyber hygiene,” such as knowing your inventory, establishing strong policies, and managing identity access. “The more basics you can have in place, the easier it is going to be to implement a zero trust.”


