Executive leaders across organizations are prioritizing zero-trust security strategies in the next year, as organizations hope to build significantly on the early steps they have taken in these initiatives.
According to a new survey out from the Cloud Security Alliance (CSA), 80% of CxO technology leaders report that zero trust is a significant priority for their organizations, with 77% of executives saying that they'll increase spending to support this prioritization.
The added zero-trust funding will be significant at many organizations, with more than two in five executives reporting an increase of 26% or more.
"With the advancement of digital transformation, the shift of the workforce during the pandemic, and the announcement of the US executive order on cybersecurity, zero trust has taken a front seat as a promise for protecting enterprises," says the report, which details results from a survey of more than 800 IT and security professionals worldwide, including responses broken out from more than 200 C-level executives.
The study shows that zero-trust strategies are still a relatively new cybersecurity roadmap for most organizations, with 53% of organizations saying their initial implementations of zero-trust strategies got underway fewer than two years ago. The standards they're using to guide strategic planning are all over the map, with a fairly even distribution across CISA, Forrester ZTX, IEEE, NIST, and CSA guidance. The front-runner by a plurality was the CISA standard, with 33% of organizations reporting they use it to guide their zero-trust strategy.
Zero trust is an evolving model of security developed to tie together many long-running security concepts: least privilege, conditional access based on risk factors, and segmentation, not only at the network level but also down to the application and workload level. At its heart is eliminating the implicit trust that IT has long afforded users and devices simply because they are on the network and have logged in with a password.
The goal is to replace that with a more adaptive and continuously assessed mode of granting access, one that grants only the access needed and bases the decision not just on identity, but also on operational and threat context (device posture, network location, observed risk). Executing on this takes a lot of moving parts, including strong identity and access management (IAM), effective network policy enforcement, strong data security, and effective security analytics. Many of these are areas in which organizations have already made significant cybersecurity investments; the remaining work is integrating them into a more effective architecture that actually uses those investments to make every access decision.
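To make the model above concrete, here is an added example (not from the CSA report, the survey respondents, or any vendor quoted in this article) of a minimal policy decision point written in Python. It denies by default, caps privileges by role, narrows them further by device posture, network location and a risk score from the analytics layer, and re-evaluates an existing session when its context changes so that grants can only shrink mid-session. The role-to-scope table, the thresholds, and the sample requests are constructed assumptions for illustration, not any standard's prescribed values.

```python
"""Added example: a minimal zero-trust policy decision point (PDP).

Not from the CSA report or any vendor; the rules, scopes and sample
contexts are constructed for illustration.
"""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Context:
    """Everything the PDP sees for one request; none of it is trusted by default."""
    user: str
    role: str                 # asserted by the IdP, e.g. "analyst", "admin"
    mfa: bool                 # strong authentication completed this session
    device_managed: bool      # enrolled in MDM/EDR
    device_compliant: bool    # passes posture check (patched, disk encrypted, ...)
    network: str              # "corp", "vpn" or "internet"
    risk_score: int           # 0-100 from the analytics/UEBA layer (assumed scale)
    resource: str             # e.g. "hr-db", "wiki"
    sensitivity: str          # "low", "medium" or "high"


@dataclass(frozen=True)
class Decision:
    allow: bool
    scopes: frozenset = field(default_factory=frozenset)  # least-privilege grant
    reason: str = ""


# Hypothetical role-to-scope table: the most a role can ever receive.
ROLE_SCOPES = {
    "analyst": frozenset({"read"}),
    "admin": frozenset({"read", "write", "delete"}),
}


def decide(ctx: Context) -> Decision:
    """Deny by default; a grant needs identity, device and context checks to pass.

    Being on the corporate network is never sufficient on its own, and
    privileges are capped by role, then narrowed by posture and risk.
    """
    if ctx.role not in ROLE_SCOPES:
        return Decision(False, reason="unknown role")
    if not ctx.mfa:
        return Decision(False, reason="strong authentication required")
    if not ctx.device_managed:
        return Decision(False, reason="unmanaged device")
    if ctx.risk_score >= 80:
        return Decision(False, reason="risk score too high")

    scopes = set(ROLE_SCOPES[ctx.role])

    # A non-compliant device keeps read-only access at most, and nothing
    # on high-sensitivity resources.
    if not ctx.device_compliant:
        if ctx.sensitivity == "high":
            return Decision(False, reason="non-compliant device on high-sensitivity resource")
        scopes &= {"read"}

    # High-sensitivity data: unreachable from untrusted networks, and elevated
    # (but not blocking) risk drops the destructive scopes.
    if ctx.sensitivity == "high":
        if ctx.network == "internet":
            return Decision(False, reason="high-sensitivity resource blocked from untrusted network")
        if ctx.risk_score >= 50:
            scopes -= {"write", "delete"}

    if not scopes:
        return Decision(False, reason="no permitted scope")
    return Decision(True, frozenset(scopes), reason="policy satisfied")


def reevaluate(session: Decision, ctx: Context) -> Decision:
    """Continuous evaluation: re-decide a live session when its context changes.

    Scopes can only shrink here; gaining privilege requires a fresh request
    (and, in practice, step-up authentication).
    """
    fresh = decide(ctx)
    if not fresh.allow:
        return Decision(False, reason="revoked: " + fresh.reason)
    return Decision(True, session.scopes & fresh.scopes, reason="re-evaluated")


if __name__ == "__main__":
    # Constructed sample: an admin on a compliant corporate laptop opens the HR database.
    base = Context("alice", "admin", True, True, True, "corp", 10, "hr-db", "high")
    session = decide(base)
    print("initial:", session)
    # The analytics layer raises alice's risk score mid-session.
    print("risk rises:", reevaluate(session, replace(base, risk_score=60)))
    # Her device falls out of compliance: the session is revoked.
    print("posture fails:", reevaluate(session, replace(base, device_compliant=False)))
```

The point a practitioner should take from this is structural rather than the specific thresholds: every check is applied on every decision, the network location is one input among several, and the role table is an upper bound that context can only lower.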
Given that, it's not a surprise that even though many organizations say it's only been a year or two since they started on their zero-trust journey, respondents to this survey reported that they were slightly to moderately mature in core zero-trust areas such as endpoint and device security, application security, IAM, data-flow management, network-security management, and user behavior and asset management.
Fundamental policy, architectural, and integration work separates the pretenders from the contenders when it comes to executing a zero-trust strategy. According to Eric Bednash, CEO of RackTop Systems and a longtime security and tech practitioner in the defense and financial worlds, organizations have to start their zero-trust journey by understanding how their IT and security stacks all tie together.
"It's about starting with a strong view of your overall architecture and business processes, and understanding how it all ties together. It goes beyond any single element. It's important to remember that zero trust is not a thing, it's a prescribed way of being," he says. "It's a guideline for how everything should interoperate. It's not like, 'This is a zero-trust thing and this is not a zero-trust thing.' It's a methodology. There are no shortcuts, which is why it's so hard to implement."
Doing it right requires a lot of executive buy-in, adequate expertise and staffing, and smart change management. According to the CSA survey, 40% of organizations reported a lack of knowledge and expertise, 34% said they didn't have internal alignment or buy-in, and 23% said a resistance to change was blocking the way.
In many ways, getting through these business and process barriers will require both diplomatic and disciplined communication, experts say.
"To effectively manage the change, you need to telegraph your moves and implement small changes gradually. You may know where you want to go, you may even have contracts signed for your cyber solutions, but you can't implement everything at once. It will be too unsettling," says Amit Bareket, CEO and co-founder of Perimeter 81. "The art of change management is knowing how much to implement — so don't change too much at once, yet don't drag out the process indefinitely."