According to a survey report by Gartner, 63 per cent of organisations worldwide have fully or partially implemented a zero-trust strategy. For 78 per cent of organisations implementing a zero-trust strategy, the report stated, this investment represents less than 25 per cent of the overall cybersecurity budget.

A fourth-quarter 2023 Gartner survey of 303 security leaders whose organisations had already implemented (fully or partially) or were planning to implement a zero-trust strategy found that 56 per cent of organisations are pursuing zero trust primarily because it is cited as an industry best practice.

“Despite this belief, enterprises are not sure what top practices are for zero-trust implementations. For most organizations, a zero-trust strategy typically addresses half or less of an organization’s environment and mitigates one-quarter or less of overall enterprise risk,” said John Watts, VP Analyst, KI Leader at Gartner.

Gartner outlined three top-practice recommendations for security leaders implementing a zero-trust strategy.

Practice 1: Establish Scope for a Zero-Trust Strategy Early

To implement zero trust successfully, Gartner said, organisations need to understand how much of the environment the strategy will cover, which domains are in scope and how much risk it can mitigate. The scope of a zero-trust strategy does not typically include all of an organisation's environment: 16 per cent of survey respondents said it will cover 75 per cent or more of the environment, while only 11 per cent believe it will cover less than 10 per cent.

“Scope is the most critical decision for a zero-trust strategy,” said John Watts. “Enterprise risk is much broader than the scope of zero-trust controls, and only so much enterprise risk can be mitigated. However, measuring risk reduction and improving security posture is a key indicator of success for zero-trust controls,” he said. 

Practice 2: Communicate Success Through Zero-Trust Strategic and Operational Metrics

Per the report, 79 per cent of organisations that have fully or partially implemented zero trust have strategic metrics to measure progress, and of those, 89 per cent have metrics to measure risk. Fifty-nine per cent of zero-trust initiatives are sponsored by either the CIO or the CEO/president/board of directors. "Zero-trust metrics must be tailored for the zero-trust deliverables as opposed to rehashing metrics used for other areas, such as the effectiveness of endpoint detection and response," said John Watts. "Zero-trust efforts deliver on specific outcomes – such as reduction of malware's lateral movement on a network – often not captured by existing cybersecurity metrics."

Practice 3: Anticipate Increases in Staffing and Costs but Not Delays

Sixty-two per cent of organisations anticipate that their costs will increase, and 41 per cent expect their staffing requirements to increase as well, as a result of a zero-trust implementation. "The budget impacts of organizations who adopt a zero-trust strategy will vary based on the scope of the deployment as well as how robust the zero-trust strategy is early in the planning process," said John Watts.

Only 35 per cent of organisations said they encountered a failure that disrupted their zero-trust implementation. To keep delays to a minimum, organisations should nevertheless have a zero-trust strategic plan that defines operational metrics and measures the effectiveness of zero-trust policies.
