TL;DR: A five-person security team at Spokane Teachers Credit Union says it reached more than 90% segmentation enforcement by treating cybersecurity as a business initiative, starting with smaller applications, and building repeatable Zero Trust habits, according to Illumio. The lesson is that resilience scales through governance discipline, not team size.
NHIMG editorial — based on content published by Illumio: How the 5-Person Security Team at Spokane Teachers Credit Union Achieves Big Zero Trust Wins
By the numbers:
- 90% segmentation enforcement as part of their Zero Trust strategy.
- Small teams can move an app from 100% exposed to 40% protected and still make meaningful progress.
Questions worth separating out
Q: How should security teams roll out Zero Trust segmentation without disrupting the business?
A: Start with a small, low-risk application set, define clear ownership, and use phased enforcement so the team can learn how policy behaves before expanding it.
Q: Why do small security teams often succeed with Zero Trust when larger programmes stall?
A: Small teams can shorten decision loops, align more easily with leaders, and avoid overengineering early controls.
Q: What breaks when Zero Trust is treated only as a technical project?
A: Controls become harder to adopt, exceptions multiply, and application owners see the programme as an obstacle rather than a shared operating model.
Practitioner guidance
- Map segmentation to business initiatives Tie each Zero Trust rollout to a named business programme, owner, and review cadence so segmentation is tracked alongside other leadership priorities, not treated as a background security task.
- Start with smaller applications first Use low-complexity applications to validate policy design, exception handling, and operational handoffs before moving to higher-value systems that have more business impact if misconfigured.
- Measure progress as containment, not completion Track how much of the environment moves from fully exposed to partially protected, and use that delta to justify the next phase of control expansion.
What's in the full article
Illumio's full blog covers the operational detail this post intentionally leaves for the source:
- The five interview-backed lessons from STCU's security lead on sequencing Zero Trust work in a lean team.
- The way the team built a repeatable playbook for smaller applications before expanding to more complex systems.
- The role of quarterly disaster recovery exercises and third-party testing in validating segmentation assumptions.
- The practical leadership dynamics behind getting business buy-in for segmentation as an enterprise initiative.
👉 Read Illumio's full account of STCU's Zero Trust segmentation journey →
Zero trust segmentation at STCU: what IAM teams should notice?
Explore further
Zero Trust segmentation becomes durable only when it is governed as a business operating model. STCU's story shows that technical enforcement improves when leadership treats cybersecurity as a tracked initiative rather than an isolated technical project. That governance framing is just as relevant to IAM and NHI programmes, where access policy fails if it is disconnected from business ownership. The practitioner conclusion is simple: segmentation, privilege boundaries, and review cadence need executive sponsorship, not just tooling.
A question worth separating out:
Q: How do organisations know whether segmentation is actually improving resilience?
A: They should look for measurable reductions in exposed paths, clearer ownership of application boundaries, and successful recovery tests that prove containment still works during failure. A useful signal is whether the team can move a workload from fully exposed to partially protected without creating new operational blind spots.
👉 Read our full editorial: Zero trust segmentation lessons from a small credit union team