At a time when organisations face higher levels of cyber threat than ever before, it’s not a huge surprise that zero-trust strategies are growing in popularity.
According to a new report from Gartner, 63% of organisations worldwide have implemented some kind of zero-trust strategy, either fully or to a partial degree.
However, while the number of organisations exploring zero-trust is growing, Gartner also found that the approach typically covers less than half of an organisation’s IT environment.
What is zero-trust?
Zero-trust is a security model that treats every user and device as untrusted by default, whether it sits inside or outside the company network. In practice, a zero-trust environment authenticates and authorises every access request and keeps re-validating it for as long as the session lasts, rather than granting access once because the requester happens to be on the internal network.
Zero-trust does away with the idea of a traditional network edge: networks can be on-premises, in the cloud or a mix of both, and people connect to them from anywhere, so being on the network no longer earns any trust by itself. Zero-trust has been particularly in vogue since the COVID-19 pandemic drove a worldwide spike in remote and hybrid working.
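As an added illustration (not code from the article or from Gartner), here is a minimal Python access-decision function written in the zero-trust style, shown beside the perimeter check it replaces. The token format, signing key, session lifetime, user roles, resources and IP ranges are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
import hashlib
import hmac

# Assumptions for the example: an HMAC-signed session token with a short
# lifetime stands in for whatever identity provider a real deployment uses.
SIGNING_KEY = b"example-key-not-for-production"  # hypothetical
TOKEN_TTL = 300            # seconds before a session must be re-validated (hypothetical)
CORP_NET_PREFIX = "10.0."  # what the perimeter model treats as "inside"

# Hypothetical least-privilege policy: which role may reach which resource.
USER_ROLES = {"alice": "finance", "bob": "engineer"}
ROLE_RESOURCES = {"finance": {"ledger"}, "engineer": {"repo", "ci"}}


@dataclass
class Request:
    user: str
    source_ip: str
    resource: str
    token: Optional[str]
    device_compliant: bool
    mfa_verified: bool
    now: int  # Unix time at which the request is evaluated


def perimeter_decision(req: Request) -> bool:
    """Legacy model: anything arriving from the corporate network is trusted."""
    return req.source_ip.startswith(CORP_NET_PREFIX)


def issue_token(user: str, issued_at: int) -> str:
    """Mint 'user:issued_at:hmac' after the user has authenticated."""
    payload = f"{user}:{issued_at}"
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def token_valid(token: Optional[str], user: str, now: int) -> bool:
    """Signature must verify, subject must match, and the token must be fresh."""
    try:
        tuser, issued, sig = token.split(":")
        issued_at = int(issued)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(SIGNING_KEY, f"{tuser}:{issued}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    # Re-validation on every request: a token older than TOKEN_TTL is rejected
    # even though it was once valid, which is the "continuous" part of the model.
    return tuser == user and 0 <= now - issued_at <= TOKEN_TTL


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Every request is judged on identity, session freshness, device posture
    and least privilege; network location never enters the decision.
    Returns (allowed, reason) so the reason can feed logs and metrics."""
    if not token_valid(req.token, req.user, req.now):
        return False, "identity not verified or session expired"
    if not req.mfa_verified:
        return False, "mfa not satisfied"
    if not req.device_compliant:
        return False, "device posture check failed"
    role = USER_ROLES.get(req.user)
    if role is None or req.resource not in ROLE_RESOURCES.get(role, set()):
        return False, "resource outside the caller's role scope"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed scenarios, not real traffic.
    t0 = 1_700_000_000
    alice_remote = Request("alice", "203.0.113.9", "ledger", issue_token("alice", t0),
                           device_compliant=True, mfa_verified=True, now=t0 + 60)
    intruder_inside = Request("mallory", "10.0.4.2", "ledger", None,
                              device_compliant=False, mfa_verified=False, now=t0)
    alice_stale = Request("alice", "203.0.113.9", "ledger", issue_token("alice", t0),
                          device_compliant=True, mfa_verified=True, now=t0 + TOKEN_TTL + 1)
    for name, req in [("alice from home", alice_remote),
                      ("intruder on corp LAN", intruder_inside),
                      ("alice, stale session", alice_stale)]:
        print(f"{name:24} perimeter={perimeter_decision(req)!s:5} "
              f"zero-trust={zero_trust_decision(req)}")
```

Running it shows the contrast the section describes: the intruder on the corporate LAN passes the perimeter check but fails zero-trust at the first step, the legitimate user working from home fails the perimeter check but is allowed, and the same user with a session older than the lifetime is refused until they re-authenticate.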
Widespread adoption hampered by lack of clear vision
Gartner’s survey found that more than half (54%) of organisations pursuing zero-trust as their primary cybersecurity strategy were doing so because they see the approach as a best-practice for the industry.
“Despite this belief, enterprises are not sure what top practices are for zero-trust implementations,” said John Watts, VP Analyst, KI Leader at Gartner. “For most organisations, a zero-trust strategy typically addresses half or less of an organisation’s environment and mitigates one-quarter or less of overall enterprise risk.”
Three practices for zero-trust
Gartner recommends three practices for zero-trust adoption.
Practice 1: Set Clear Scope for Zero-Trust Early On
To get zero-trust right, organisations should decide early which parts of the environment are in scope, which domains are included, and how much risk the strategy is expected to remove. Most organisations do not cover their whole environment: 16% cover 75% or more of it, and 11% cover less than 10%.
Practice 2: Share Zero-Trust Wins with the Right Metrics
Of the organisations with some level of zero-trust in place, 79% have strategic metrics to track progress, and of those, 89% have risk metrics too. When sharing these metrics, security leaders should tailor them for zero-trust, not just recycle old ones. CIOs, CEOs, and the board back an estimated 59% of zero-trust projects.
“Metrics for zero-trust should focus on its specific goals, like cutting down malware movement, rather than just general cybersecurity stats,” said Watts.
Practice 3: Expect Higher Costs and Staffing Needs, But No Extra Delays
According to Gartner, 62% of organisations think costs will go up, and 41% expect to need more staff for zero-trust.
“The cost of zero-trust varies based on the scale and robustness of the strategy from the start,” said Watts. “It can increase costs as organisations work on maturing their risk-based and adaptive controls.” Only 35% of organisations reported setbacks in their zero-trust rollout; a solid plan with clear metrics helps keep the programme on track.