The results of a new survey by CyberRisk Alliance sheds light on why some zero-trust initiatives flourish while others flounder.
Although resources and staffing were important, many zero-trust “front runners” — those individuals who reported high rates of receptiveness and implementation of zero-trust policies — readily attributed their success to factors beyond funding or IT expertise.
Here’s what they said:
You’ve got to crawl before you can walk
Many IT security teams recognize the value of adopting a zero-trust framework, but encounter heavy resistance when trying to pull their organization in this direction. Perhaps their operations heavily depend on legacy security tools that weren’t designed with zero trust in mind.
Even if they manage to sunset one tool in favor of another, they need to communicate the reasons for that decision to end users as well as how this change may affect (and potentially disrupt) their workflow in the transition — a prospect which 46% of respondents blamed for impeding zero-trust initiatives.
Zero-trust front runners anticipate this obstacle and dial back accordingly.
“As a large company, we judiciously use our available resources to implement change in our security posture using a phased approach,” says one respondent.
Another mentions the success they had in rolling out zero-trust practices to a smaller test group before expanding to a larger cohort.
“The users that are a part of our test group have [actually] liked its minimal impact and ‘always-on’ function.”
The takeaway: Instead of committing the organization to full-scale transformation overnight, zero-trust front runners start small to gauge reactions, measure performance, and collect feedback to inform more ambitious efforts down the line.
Involve and invest in end users
Zero-trust front runners understand that implementing such a framework can introduce changes that affect how users work, and they make it a priority to communicate and clarify why these changes are necessary for users’ own security.
“As we move toward zero trust, it is a constant communication piece with users since it changes how they do things,” says one respondent.
“[We use] educational campaigns to demonstrate the value and importance” of zero trust, writes another respondent.
Front-runners acknowledged that users are more amenable to zero-trust enforcement when they’re provided insight into why it’s the right step forward.
As one respondent says, “we want to make sure that we are dealing with legitimate people and organizations so that is why we are very receptive in using this for our IT.”
Get executives on board
A majority of zero-trust front runners credited their leadership for enabling initiatives to get off the ground. While rank-and-file employees expect IT teams to push updates and make strong recommendations, there’s much more momentum when C-suite executives make zero trust a full business priority.
“Senior leadership and C-staff are on board with using zero trust and are pushing to ensure it is implemented across all areas of the organization,” writes one respondent. Another mentioned that executives made zero trust a central part of their 2024 roadmap.
Of course, a number of other priorities can compete for executive attention. How can security teams make sure the call for zero trust is heard by those in positions of power?
The cost of implementing zero trust is the cost of protecting the institution from data breaches, which can result in millions of dollars lost, damage to public reputation, and severing of relationships with customers and clients. CISOs can shore up support from other leaders by illustrating why zero trust is much more economical and risk-conscious than alternative security approaches.
As one respondent mentions, “we've achieved alignment with leadership that adopting zero-trust aligned strategies will help us meet our goals in a simpler, quicker, and more automation-prone manner.”
Keep pace with realities of the modern workforce
Zero-trust security emerged as a response to the new demands of the modern workforce, and that’s never been more the case than it is now.
Thousands of companies have shifted to a hybrid or even fully-remote workforce model, allowing employees to work while on-the-go, anywhere and any time. Traditional perimeter-based firewall defenses and static access policies can’t keep up with this mobility, but zero-trust practices can.
“Due to our reliance on BYOD and remote workers, we like that the zero trust security model inherently assumes those devices have been breached and requires verification for every user request, reducing some of our risk exposure,” says one respondent.
It’s not just the workforce model that’s changed, either. Millions of devices and endpoints populate today’s corporate networks. If any of these devices are assumed trustworthy by default simply because a certain user, place, or address is associated with it, you can be certain adversaries will find a way in — whether on-site, off-site, or in the cloud.
“Zero trust gives our users precise access control for environments in containers and the cloud,” says one respondent. “Moreover, we’ve implemented policies to secure different endpoints and devices across all our global locations.”
Another zero-trust front runner says the threats of today’s security environment made the shift toward zero trust an organizational imperative.
“There is awareness and understanding that access needs to be continually verified and granted only for the right accounts on the right resources for the right amount of time for the right reasons.”
