How organisations can succeed with zero trust

Zero trust has been bandied about by cyber security suppliers in recent years, but the concept is still confusing to many people, with just 10% of large enterprises expected to have a mature zero-trust programme in place by 2026, according to Gartner.

Gartner defines zero trust as a security paradigm that explicitly identifies users and devices and grants them just the right amount of access so a business can operate with minimal friction and reduced risks.

“It’s as much a mindset, accompanied by an organisation-wide vision and a strategy that utilises specific architectures and technologies to achieve its goal,” said Lisa Neubauer, Gartner’s advisor in security and risk management practice, at the analyst firm’s recent Security and Risk Management Summit 2023 in Sydney.

Richard Addiscott, Gartner’s senior director analyst, noted that as more organisations improve their capabilities and treat cyber security as a business investment, zero trust will increasingly become embedded in an organisation’s vision. “Investment into zero trust will become less tactical and reactive, and become more structured, proactive and measured alongside other programme-level security initiatives,” he said.

But translating the technicalities of zero trust into business benefits remains a challenge, partly because very few standards for zero-trust protocols and technologies exist, said Addiscott. Operational metrics to measure the effectiveness of zero-trust programmes are also hard to come by.

“Vendor communities often cite their own maturity models and benchmarking services oriented around their specific product offerings, and as a result, benchmarking of zero-trust posture is increasingly difficult with no universal standard for anyone to follow,” he added.

Another challenge, Addiscott said, is managing the complexities and expectations around zero trust, which cannot be achieved with a single technology. “It will require a mature, widely deployed implementation which is heavily dependent on integration and configuration of multiple different components,” he said.

To achieve success with zero trust, Neubauer called for organisations to start small and adopt an evolving zero-trust mindset so they can better grasp the benefits of their zero-trust programme and manage the complexities one step at a time.

“Deploy your programmes and prioritise risk mitigation for the most critical assets. This is where you’ll be able to demonstrate the greatest returns for your efforts and prove to the business that the investment has been worth it,” she said.

However, zero-trust programmes should not be undertaken in isolation, Neubauer said, urging organisations to combine zero-trust initiatives with other preventative measures, such as planning for cyber resilience and managing exposures to cyber threats.

“Make sure you set the expectation that this is not a one-time investment and that there will be a need to maintain an ongoing commitment to find resources after its implementation. This will be critical for things such as testing for resource isolation, and adherence to least privileged access policies for implemented controls,” she added.