Organizations still struggle to understand what is needed to implement zero trust effectively. That's according to a new Gartner survey looking at zero trust security strategies.
Zero trust is a security practice that means by default no one is trusted from inside or outside the network. It requires verification from everyone trying to gain access to resources on the network.
Gartner's survey shows that 63% of organizations say they have fully or partially implemented a zero trust strategy. For 78% of organizations implementing a zero trust strategy, this investment represents less than 25% of the overall cybersecurity budget.
For its fourth quarter 2023 survey, Gartner queried 303 security leaders whose organizations had fully or partially already implemented, or are planning to implement, a zero trust strategy. Gartner found that 56% of organizations are primarily pursuing a zero trust strategy because it’s cited as an industry best practice.
The scope of a zero trust strategy does not typically include all of an organization's environment, Gartner said. Only 16% of survey respondents said a zero trust strategy will cover 75% or more of their organization’s environment while only 11% believe it will cover less than 10% of it.
Meanwhile, 79% of organizations that have fully or partially implemented zero trust, have strategic metrics to measure progress, and of that 79%, 89% have metrics to measure risk.
Another key finding is that 62% of organizations anticipate their cost to implement zero trust will increase. Also, 41% of organizations expect their staffing requirements will also increase as a result of a zero trust implementation.
While the implementation of zero trust appears is considered best practice, organizations still grapple with its implications.
“Despite this belief, enterprises are not sure what top practices are for zero trust implementations,” said John Watts, vice president Analyst, KI Leader, at Gartner. “For most organizations, a zero trust strategy typically addresses half or less of an organization’s environment and mitigates one quarter or less of overall enterprise risk.”
Gartner’s Zero Trust Best Practices
Taking the survey results into account, Gartner outlined three best-practice recommendations for security leaders implementing a zero trust strategy:
1. Establish Scope for a Zero Trust Strategy Early
To successfully implement zero trust, organizations need to understand how much of the environment they cover, which domains are in scope and how much risk they can mitigate.
“Scope is the most critical decision for a zero trust strategy,” Watts said. “Enterprise risk is much broader than the scope of zero trust controls, and only so much enterprise risk can be mitigated. However, measuring risk reduction and improving security posture is a key indicator of success for zero trust controls.”
2. Communicate Success Through Zero Trust Strategic and Operational Metrics
Fifty-nine percent of zero trust initiatives are sponsored by either the CIO or CEO/president/board of directors. Therefore, zero trust metrics must be tailored for the zero trust deliverables as opposed to rehashing metrics used for other areas, such as the effectiveness of endpoint detection and response.
“Zero trust efforts deliver on specific outcomes, such as reduction of malware’s lateral movement on a network, often not captured by existing cybersecurity metrics,” Watts said.
3. Anticipate Increases in Staffing and Costs But Not Delays
Only 35% of organizations said they encountered a failure that disrupted their zero trust strategy implementation. However, organizations should have a zero trust strategic plan outlining operational metrics and measure the effectiveness of zero trust policies in order to minimize delays.
Watts asserts that the budget impacts of organizations who adopt a zero trust strategy will vary based on the scope of the deployment as well as how robust the zero trust strategy is early in the planning process.
“Zero trust initiatives inherently affect the budget as organizations take a systemic and iterative approach to mature their policies toward risk-based and adaptive controls, adding overhead to the organization’s ongoing operational burden,” he said.
