Gartner survey reveals challenges in zero-trust strategy implementation
A recent global survey by Gartner has revealed that while 63% of organisations have fully or partially implemented a zero-trust strategy, this approach typically covers half or less of an organisation's environment. Moreover, it often mitigates merely a quarter or less of the overall enterprise risk.
78% of the surveyed organisations investing in a zero-trust strategy allocated less than a quarter of their total cybersecurity budget towards this initiative. This suggests that businesses are grappling with the scale of investment and operational overhaul required to fully implement zero-trust security protocols.
Interestingly, 56% of organisations chose to follow this pathway as they regard zero trust as an industry best practice. However, confusion prevails regarding the top practices for zero-trust implementations. In the words of John Watts, VP Analyst, KI Leader at Gartner, "Despite this belief, enterprises are not sure what top practices are for zero-trust implementations. For most organisations, a zero-trust strategy typically addresses half or less of an organisation's environment and mitigates one-quarter or less of overall enterprise risk."
In the same report, Gartner details three primary top-practice recommendations for security leaders aiming to utilise a zero-trust strategy. Firstly, organisations must determine the scope of their zero-trust strategy in the early stages. According to the survey, surprisingly, only 16% of respondents believed their zero-trust strategy would cover 75% or more of the organisational environment. Watts points out that "scope is the most critical decision for a zero-trust strategy."
Secondly, Gartner underscores the importance of communicating zero-trust strategic and operational metrics to measure success. These metrics need to be tailored towards specific zero-trust outcomes rather than re-used from other cybersecurity areas. Watts highlights that "Zero-trust efforts deliver on specific outcomes—such as reduction of malware's lateral movement on a network—often not captured by existing cybersecurity metrics."
Finally, organisations must anticipate increases in cost and staffing requirements. 62% of organisations expect their costs will go up, and 41% anticipate a rise in staffing needs due to zero-trust implementation. Yet, only 35% of organisations have encountered a failure that disrupted their zero-trust strategy implementation. As Watts concludes, "The budget impacts of organisations who adopt a zero-trust strategy will vary based on the scope of the deployment as well as how robust the zero-trust strategy is early in the planning process."
These insights shed light on the broader challenges and strategies organisations need to consider while implementing zero-trust. The complexities of the modern security landscape require nuanced approaches tailored to individual business contexts and risks, and one-size-fits-all compliance with perceived best practices is unlikely to suffice.