APAC CISOs warm up to zero trust

Chief information security officers (CISOs) in Asia-Pacific (APAC) are starting to adopt zero-trust security, but they still need to overcome a number of challenges to reap the full potential of the security model, according Forrester.

In a report, Forrester noted that some organisations are in the early stages of learning and exploring zero trust security, while others have implemented some capabilities in an ad-hoc manner or are funding zero trust as a strategic priority.

At the same time, APAC organisations are also being confronted with local challenges, starting with the lack of visibility and influence.

According to Forrester, organisations in APAC still underfund security initiatives. Of C-level security decision-makers in the region, 29% said the lack of visibility and influence was an IT security challenge for their firm, compared with just 13% of their North American counterparts.

The analyst firm also called for CISOs to emphasise the many elements of the zero-trust framework that goes beyond the network. “If CISOs don’t elevate zero trust, their implementation efforts won’t achieve their business and security goals,” it said.

Another challenge is that APAC cultures are founded on trust. Forrester said security leaders around the world have had to overcome the myth that zero trust conflicts with their organisation’s trust initiative and could imply that they do not trust people.

“This nomenclature issue is particularly acute in APAC cultures, where trust plays a significant role,” Forrester said, citing a CISO who noted that in firms where trust is an important part of its culture, zero trust as a concept would not resonate well.

In APAC, security leaders often look to their competitors and other brands to evaluate whether a technology or operating model is right for them. Forrester said this herd mentality is slowing adoption of zero trust across the region.

The shortage of security staff is not helping either. In APAC, 19% of C-level security decision-makers said the lack of security staff was a major IT security challenge for their firm, according to Forrester.

“They will soon feel the pinch more acutely – a recent report revealed that Australia has a measly 7% of the cyber security skills that it needs. The same issue recurs throughout the region,” it added.

Meanwhile, CISOs are frustrated with vendors touting their solutions as the zero-trust gospel. As one CISO put it: “Zero trust feels a bit random, because any vendor you speak with will sell you a silver bullet.”

Forrester added that in some countries, aggressive sales cultures at some technology suppliers are not accompanied by the same level of investment in delivery capability. “One CISO complained that a vendor had just one or two subject-matter experts in one country to support local zero-trust implementations.”

To succeed with zero trust, Forrester advised companies – among other recommendations – to develop a zero-trust roadmap by assessing their current state of adoption, understanding current business and security initiatives, documenting where they can reuse existing capabilities and setting goals.

“Consider pursuing quick wins such as IAM [identity and access management] technologies that solve critical problems and applying least-privilege principles if your organisation is less mature,” Forrester said. “Or begin with more complex technical items such as micro-segmentation if you work in a highly regulated industry.”

Forrester also advised organisations to validate vendor claims on zero trust, which, contrary to vendor claims, is not a single-product solution. “With market hype comes the need for security pros to carefully distinguish vendor marketing from real capabilities and technology alignment with their zero-trust strategy.”