Essential steps for zero-trust strategy implementation
63% of organizations worldwide have fully or partially implemented a zero-trust strategy, according to Gartner. For 78% of organizations implementing a zero-trust strategy, this investment represents less than 25% of the overall cybersecurity budget.
A fourth quarter 2023 Gartner survey of 303 security leaders whose organizations had already implemented (fully or partially) or are planning to implement a zero-trust strategy found that 56% of organizations are primarily pursuing a zero-trust strategy because it’s cited as an industry best practice.
“Despite this belief, enterprises are not sure what top practices are for zero-trust implementations,” said John Watts, VP Analyst, KI Leader at Gartner. “For most organizations, a zero-trust strategy typically addresses half or less of an organization’s environment and mitigates one-quarter or less of overall enterprise risk.”
Gartner outlined three primary top-practice recommendations for security leaders implementing a zero-trust strategy.
Practice 1: Establish scope for a zero-trust strategy early
To successfully implement zero-trust, organizations need to understand how much of the environment they cover, which domains are in scope and how much risk they can mitigate.
The scope of a zero-trust strategy does not typically include all of an organization’s environment. However, 16% of survey respondents said it will cover 75% or more while only 11% believe it will cover less than 10% of the organization’s environment.
“Scope is the most critical decision for a zero-trust strategy,” said Watts. “Enterprise risk is much broader than the scope of zero-trust controls, and only so much enterprise risk can be mitigated. However, measuring risk reduction and improving security posture is a key indicator of success for zero-trust controls.”
Practice 2: Communicate success through zero-trust strategic and operational metrics
79% of organizations that have fully or partially implemented zero-trust, have strategic metrics to measure progress, and of that, 89% have metrics to measure risk. Security leaders must also keep their audience in mind when communicating these metrics. 59% of zero-trust initiatives are sponsored by either the CIO or CEO/president/board of directors.
“Zero-trust metrics must be tailored for the zero-trust deliverables as opposed to rehashing metrics used for other areas, such as the effectiveness of endpoint detection and response,” said Watts. “Zero-trust efforts deliver on specific outcomes – such as reduction of malware’s lateral movement on a network – often not captured by existing cybersecurity metrics.”
Practice 3: Anticipate increases in staffing and costs but not delays
62% of organizations anticipate their cost will increase and 41% of organizations expect their staffing requirements will also increase as a result of a zero-trust implementation.
“The budget impacts of organizations who adopt a zero-trust strategy will vary based on the scope of the deployment as well as how robust the zero-trust strategy is early in the planning process,” said Watts. “Zero-trust initiatives inherently affect the budget as organizations take a systemic and iterative approach to mature their policies toward risk-based and adaptive controls, adding overhead to the organization’s ongoing operational burden.”
While only 35% of organizations said they encountered a failure that disrupted their zero-trust strategy implementation, organizations should have a zero-trust strategic plan outlining operational metrics and measure the effectiveness of zero-trust policies in order to minimize delays.