Zero Trust has come a long way since the term was first coined by John Kindervag at Gartner back in 2010. Or has it? The reality is that eliminating implicit trust and continuously verifying and validating requests for network access (rather than relying on traditional perimeter-based security measures) can be incredibly complex. And defining the concepts and framework to make it all work has required a massive effort from researchers and vendors.
This complexity is what led Forrester to establish the seven core pillars of Zero Trust in 2018, NIST to release their guidelines (SP 800-207) for a Zero Trust architecture that same year, Gartner to release ZTNA in 2019, the White House to release its Zero Trust strategy in 2021, and so on. All the work over the last decade has gotten us to today, where mainstream organizations finally have a comprehensive roadmap to deploy a Zero Trust framework.
So, how’s that going and what’s the reality of Zero Trust priorities within organizations? Where are they in the planning and deployment process? What’s driving their move to Zero Trust, or holding them back? To answer these questions and more, Syxsense teamed up with Enterprise Management Associates’ Managing Research Director, Christopher Steffens. The result was a new research survey report titled, “Advancing Zero Trust Priorities” (which you can download here). Let’s dive into some of the key findings.
- Nearly one-third of organizations are not pursuing Zero Trust (ZT) – The elephant in the room question. Who’s investigating or planning for ZT? 61.8% of organizations surveyed claim to be in the process of investigating or planning ZT projects, with 31.9% not actively pursuing it, and 6.4% not having insight into the process at all.
- More than half of organizations are still planning for ZT – If in process with ZT, what stage are organizations in? Surprisingly, only 4.8% are near project completion, with 6.3% monitoring and evaluating implementation results. 55.6% are still either planning, getting budgets approved, or having internal discussions, while 33.4% have initiated the project with budget requests and vendor selections.
- Improving data protection, cloud adoption and access, and IT management capabilities are the main drivers of ZT projects – What’s driving ZT projects within these organizations? 38.1% claim ZT is driven by data security and protection, 21.4% by cloud adoption and access, 15.1% to improve IT management, 7.9% to increase utilization of IT/security resources/staff, and the rest to address compliance controls, gain greater visibility, enable business innovation, drive remote working, and microsegment the network.
- Lack of funding is the main factor preventing organizations from pursuing ZT – For organizations not exploring ZT (which was nearly 32% of those surveyed), what’s the rationale? 41.5% cited lack of budget and funding, followed by technical challenges, not knowing how to begin, concerns that ZT could negatively impact operations, other competing security priorities, lack of security headcount, and more.
- Most organizations struggle to start a ZT project – Interestingly enough, 76.1% of respondents said the biggest barrier to ZT implementation is the inability to define a clear starting point, and 79.9% also stated the amount of time it takes to implement the framework is a barrier. More than 91% also stated that maintaining a ZT infrastructure will require more resources and effort than it does to maintain their current security environments.
- IT compliance and auditing tools are in high demand for ZT – What is the most important component or solution organizations feel they need as part of a ZT project? 18.1% selected IT compliance and auditing tools, 16.2% selected data security and classification tools, 12.3% selected data encryption tools, 9.8% selected anti-virus and anti-malware solutions, 8.3% selected endpoint detection and response tools, followed by IAM, SIEM, policy enforcement, device trust and more.
As we move into 2023, Zero Trust will continue to be a major buzzword, but progress is being made toward widescale adoption and the barriers are becoming more clear. And, if you believe the reports and projections from Gartner that security and risk management spending will reach $267.3 billion by 2026, this increase in budget spending should help drive Zero Trust adoption over the next few years. I believe that in 2023 we will finally see Zero Trust concepts implemented within corporate IT environments at higher rates. By adopting these principles and technologies, organizations will significantly improve their cybersecurity posture and reduce the risk of cyber-attacks.
If you want to read the entire EMA “Advancing Zero Trust Priorities” data survey, click here.