Zero-trust is sold like an enterprise product but the principles work at any scale. Mid-market companies have an advantage: less legacy, fewer political fiefdoms, faster change cycles.
Month 1-2: identity. Move every employee onto SSO with phishing-resistant MFA. Month 3: device posture. Block unmanaged devices from sensitive resources. Month 4-5: network. Replace the flat-VPN with per-app gateways. Month 6: data. Tag, classify, and enforce DLP on the top 20 sources.
None of this requires a $2M Splunk license. It does require executive sponsorship and a willingness to break things in production for two quarters.
