As American military operations against Iran finishing its third day, I’ve been flooded with calls and messages from friends, neighbors, and colleagues. I can’t express how grateful I am for every single one of them. People reached out not just to ask what I think about the situation, but simply to check on me as a human being. They want to know how I’m holding up, what I believe might happen next, and how I’m processing everything that’s unfolding. Their concern has meant more to me than they can ever realize.
When people ask for my thoughts, I often start in a place that surprises them. I begin with the idea of trust.
I explain to them that the trust idea isn’t new. Ronald Reagan expressed it clearly in Russian during the Cold War when speaking with Mikhail Gorbachev: “doveryay, no proveryay,” which means “trust, but verify.” Reagan understood that when you are dealing with an adversary, trust is never automatic. It has to be proven again and again. This mindset eventually shaped the “Zero Trust” approach we use in cybersecurity today. In both geopolitics and cybersecurity, everything eventually circles back to one simple question:
Can trust be established and can it be verified?
If the answer is no, then everything else shifts. What is the strategy, the tone, and the level of risk a nation or an organization is willing to tolerate.
Zero Trust boils down to three basic principles:
- Never trust by default
- Always verify
- Continuously monitor
Trust has to be earned in real time and reinforced through consistent, observable behavior.
When Trust Breaks Down
In cybersecurity, we see this all the time. When a device or system starts behaving strangely, like maybe it ignores security policies, sends unexpected traffic, or bypasses rules, we don’t negotiate with it or give it the benefit of the doubt. We immediately isolate it. We quarantine it. And if the issues keep coming back, we remove it completely.
Real-world foreign policy operates in a very similar way.
Think about the past two decades of interactions with the Iranian government. Around the world, policymakers have tried many ways to build trust with Iran: diplomatic talks, nuclear inspection agreements, economic incentives, back-channel discussions, timelines, verification mechanisms, and even temporary de-escalation deals. Some of these efforts showed progress. Others fell apart quickly. And each time an agreement broke down, due to lack of transparency, regional military activities, or disputes over inspections, the international trust model took another hit.
Eventually, when trust repeatedly fails to materialize, as it has with the Islamic Republic of Iran, we will have to change the posture. We move from hopeful engagement… to careful monitoring… to containment… and, in some cases, to addressing the underlying threat more directly.
Anyone who works in risk management should recognize the pattern instantly. It’s exactly what we do when a system in our network keeps failing verification checks. At some point, the risk outweighs everything else.
The Question People Keep Asking
A lot of people want me to give a simple yes-or-no opinion about what’s happening. I understand the instinct. When emotions are high and events are moving fast, simplicity feels comforting.
But real security decisions rarely fit into clean, binary boxes. That’s true in technology. It’s true in geopolitics. It is true in medical field. And it’s true in moments like this.
What we’re watching unfold now is not just politics. It’s a global trust assessment happening in real time. And the consequences of getting that assessment wrong can be enormous. President Trump understands this risk very well.
After 47 years of watching trust built, broken, rebuilt, and broken again, Ronald Regan’s principle remains as true as ever:
Trust without verification is vulnerability.
