The 0.1.2 (January Edition): Aiming for a Boring 2026
Posted: Tuesday January 20, 2026
Author: Jason Garbis
Welcome to the January edition of The 0.1.2, Numberline’s Zero Trust in Practice newsletter.
As we dive into 2026 in earnest, it’s worth pausing to consider how we want to approach the year from both a security and strategy perspective. Numberline CEO Jason Garbis makes the case for why aiming for boring is actually the most exciting goal of all, and how to begin your “journey to boring” (a phrase better left as a concept than a rallying cry).
We also share our perspectives on the recent vulnerabilities affecting ServiceNow and Fortinet and what we can learn from them, takeaways from a recent CrowdStrike acquisition, and observations on new Zero Trust guidance from the NSA.
Of course, no Numberline newsletter would be complete without a recipe. For this edition, we’re actually recommending 200 of them, courtesy of a cookbook from our friends at America’s Test Kitchen. During these chilly winter months, we often reach for our slow cookers, and this cookbook offers some great ideas worth trying.
Finally, Scully the Terrier would like to remind those of you in snowy climates to use pet-safe ice melt on your driveways, and to take the extra couple of minutes to shovel a dog run in the yard. Stay warm and safe.
News
- We recently released a new eBook, Applying the Zero Trust Blueprint: A Practical Guide for the Enterprise. This detailed guide lays out a clear, structured path from strategy to execution to help you demonstrate measurable Zero Trust progress.
- Reflections on 125+ Conversations with Security Leaders: We share insights drawn from more than 125 conversations from the past year, and highlight not only what these discussions have in common but what they reveal.
- Why does CrowdStrike’s acquisition of SGNL matter to you, even if you’re not a customer of either vendor? Watch our video commentary to learn why this standards-based approach to dynamic Zero Trust access policies is so important, and what we can expect to see as a result.
- What happens when a five-year-old VPN vulnerability gets exploited? The short answer is that bad things happen. That’s exactly the case with a recent Fortinet VPN vulnerability. Watch our brief video commentary to learn more, and download our free Dynamic VPN Defense Guide.
- What can we learn from the recent “near miss” AI agent vulnerability discovered in ServiceNow? In our video commentary, we explain what happened and how this example can be used as a catalyst to drive better oversight and controls around AI agent deployment in your organization.
- The United States’ National Security Agency (NSA) just released two new Zero Trust documents, a Primer and a Discovery Phase document. These documents are substantive – they weigh in at a total of 300 pages – and contain a great deal of detailed instruction on capabilities and implementation tasks. So, what do these cover, why did the NSA create them, and what can we learn from them? Join us on January 26 at 11am ET for a live walkthrough and discussion about these documents to learn what enterprise security teams should take away from these new assets. Register here, and we’ll see you on Monday!
Opinion: Why a Boring 2026 Would be the Most Exciting Outcome of All
By Jason Garbis, Numberline Security Founder and CEO

Assisted by Scully the Terrier, who rotates between three cozy napping spots (sofa, dog bed by the heating vent, and cushy chair) to keep things from getting boring.
I live an exciting life. Between weeding my vegetable garden, doing crossword puzzles, and cooking family dinners, I think I rank up there with astronauts, rock stars, and Hollywood directors, no?
Jokes aside, I want to talk about what boring security actually looks like, and why it may be the most exciting security approach of all.
When an information security program is boring, it means that things are running smoothly, tasks are completed on time, and incidents are infrequent, short, and low-impact. It means there are defined and enforced processes for key activities, and that people follow those processes. And it means that, as much as possible, security happens as a byproduct of normal operations.
Now, being this boring isn’t easy, and unfortunately the default enterprise security mode often seems chaotic. So challenge yourself and your teams to be as boring as possible this year. Define and enforce standard processes, ensuring that access, accounts, and visibility are accurate on Day 1, Day 2, and Day 365 (see our blog here for details).
Having a boring security environment means you’ll free up time to focus on more strategic, higher-impact activities. And that is the most exciting outcome of all.
Assess your Zero Trust Readiness
Take our free, 5-minute Zero Trust Readiness survey, and instantly get your customized report. Full details here.
