It’s been nearly two decades since former-Forrester analyst John Kindervag brought the zero-trust concept into the mainstream tech industry, advising organizations to “trust no one” and “verify everything.”
But it’s been a long haul for zero trust.
While respondents to a recent CyberRisk Alliance (CRA) survey of 205 security and IT leaders almost universally regard zero-trust as the right path forward, nearly 20 years later, less than one-third have actually implemented zero trust in their organizations.
Many blame the high costs of implementation and the complexities of introducing zero-trust practices to existing workflows. Others say they can’t get leadership buy-in and struggle to show ROI for something that defies easy explanation.
Security pros need to understand that zero trust isn’t a discrete security product: it’s a strategy. On the one hand, it doesn’t have to mean ripping and replacing legacy IT, but sometimes it does require that kind of bold action. Zero trust has not been designed to disrupt the user experience, but its emphasis on authentication and least-privileged access could frustrate those unaccustomed to the extra security scrutiny.
“Our culture values employee empowerment and collaborative innovation,” writes one respondent. “To some, zero-trust is considered draconian.”
The high cost was another reason some respondents are balking at zero trust:
“Cost is at the top,” said another respondent. “It has to make sense for us. We can turn on MFA for some of our systems already, that’s included in software packages we own. To do zero-trust we are probably looking at another software package and the question as to why would be asked. The disruption that it could cause to the users may be seen as enough to prevent us from implementing.”
The case for zero-trust: AI to the rescue?
But even with the low rates of deployment, 62% of respondents believe that zero trust has grown in importance over the last 12 months.
Many recognize zero trust as superior to perimeter-based defenses that’s better equipped to secure data in today’s mobile environments. Others see zero trust as an important step in securing identities and access against unauthorized users, insider threats, and malware attacks. Because of that, a clear majority have plans to finalize a fully drawn-up zero-trust framework in 2024.
Respondents are also excited about the impact artificial intelligence (AI) can have on zero trust. They say AI has the potential to help them identify breach attempts faster, reveal patterns in user behavior and network activity, and foil convincing phishing attempts.
"The expectation is that AI could help shift security from being a fixed, static operation to one that's dynamic and adaptable based on context and continuous monitoring," said the CRA report.
Click here to download the report "The Zero-Trust Dilemma."
