
Zero-trust is redefining cyber security in 2025
The future of zero-trust is about embedding resilience into every facet of an organisation. To achieve this, SRM leaders must reimagine their strategies to address emerging challenges and prioritise key areas.
Cyber security has long been likened to building a fortress: thick walls, watchtowers, and a moat separating the inside from the outside. This perimeter-focused approach thrived for decades, but in today’s hyper-connected digital world, resources and users extend beyond traditional fortress boundaries, providing attackers with expanded opportunities for engagement. Recent cyber attacks have only underscored the inadequacy of traditional methods, revealing just how vulnerable organisations remain in a dynamic threat landscape.
Zero-trust flips the fortress mindset on its head. It operates under a simple but transformative principle: assume the presence of hostile actors, always establish and validate identity, and limit access to resources. As cyber threats evolve daily and data sprawls across clouds, applications, and devices, zero-trust has today become a strategic imperative for security and risk management (SRM) leaders.
The future state of zero-trust: A blueprint for 2025
Identity remains the cornerstone of zero-trust. In 2025, SRM leaders must double down on robust identity verification mechanisms, such as multi-factor authentication, continuous monitoring, and risk-based adaptive access controls. This ensures that both human and machine identities are rigorously validated at every access point. Organisations must also refine their policies to implement least-privilege access on a broader scale. This includes dynamic, context-aware permissions that adjust in real time based on user behaviour, device integrity, and location.
The ripple effect of recent cyber attacks
In the wake of high-profile breaches targeting critical infrastructure and sensitive data, the urgency for zero-trust has reached a tipping point. These attacks have exposed systemic vulnerabilities, including over-reliance on perimeter defences and poor segmentation practices. They’ve also highlighted the growing sophistication of threat actors, who exploit the smallest gaps in security postures, most notably in cloud environments.
Despite growing recognition of zero-trust, success remains elusive for many. A recent Gartner survey revealed that while 63% of organisations had either attempted or partially implemented a zero-trust initiative, 35% reported failures that adversely impacted their operations. These findings emphasise the importance of strategic alignment, clear communication, and iterative execution to avoid common pitfalls and achieve meaningful progress.
The lessons from these incidents are clear: static defences are no match for adaptive adversaries. Organisations that fail to evolve their strategies risk not only financial losses but also reputational damage and regulatory scrutiny. Zero-trust offers a path forward by shifting the focus from “if” an attack will happen to “when,” ensuring that breaches are contained and impact minimised.
Why we need zero-trust now more than ever
The conversation around zero-trust has shifted. It’s no longer just a theoretical ideal or a buzzword; it’s a necessity. The convergence of hybrid work, cloud adoption, and the proliferation of connected devices has dramatically expanded the attack surface. At the same time, threat actors are leveraging AI and automation to execute increasingly sophisticated attacks.
In this new reality, implicit trust is a liability and should be countered with thorough verification. Organisations must embrace zero-trust as a foundational strategy to combat evolving threats. As attackers innovate, so too must defenders. Zero-trust’s dynamic and context-aware controls are uniquely positioned to outpace adversarial tactics. It is also essential to safeguard hybrid environments, where employees access resources from anywhere, meaning security must follow the user, not the network. Moreover, zero-trust improves resilience by reducing the impact area of successful attacks, ensuring that essential systems and data remain secure, while decreasing the time required for recovery efforts.
Leading the charge: Priorities for SRM leaders
For SRM leaders aiming to realise a successful zero-trust strategy in 2025, the roadmap is clear. They should start by focusing their initial efforts on securing the most critical systems and data. This targeted approach delivers maximum impact while building momentum for broader adoption. Equally important is fostering a culture of security by educating stakeholders on the principles and benefits of zero-trust, emphasising collaboration across IT teams, business units, and executive leadership. Finally, investing in continuous improvement is crucial, as zero-trust is not a one-time initiative but a dynamic strategy that evolves in tandem with organisational changes. Regular assessments, iterative refinements, and leveraging advancements in technology are key to staying ahead of the curve.
The road ahead
As we move further into 2025, the stakes have never been higher.
SRM leaders must act decisively, turning lessons from past attacks into catalysts for transformation. By prioritising zero-trust and aligning it with organisational goals, they can build defences that not only withstand the threats of today but anticipate the challenges of tomorrow. The future of zero-trust starts now, and it starts with leadership.
Gartner analysts will further explore the future of zero trust and cybersecurity priorities at the Security & Risk Management Summit in London, 22-24 September, 2025.
Dale Koeppen is a senior director analyst on Gartner's Infrastructure Protection team.