Nearly nine out of every 10 security leaders have experienced significant challenges in their zero trust implementation attempts, according to a recent report from Accenture. The comprehensive nature of zero trust deployments, the level of pushback from department heads, and the extremely long time necessary for meaningful ROI are key factors in CISOs’ zero trust frustrations, say industry analysts and security specialists.
“Even implementing zero trust, a fundamental security framework, poses a significant challenge for 88% of organizations,” said the Accenture report. “This vulnerability extends to the physical world, with 80% unable to effectively protect their cyber-physical systems.”
A big part of the struggle is that many companies define zero trust very differently. It has never been a specification so much as a security approach, though many CISOs have nonetheless had significant success in moving the zero trust needle at their organizations.
Moreover, because each enterprise environment is unique, there are few specific implementation details to follow: compliance obligations, geographies, verticals, and the nature of the partners and others who need access to an organization’s systems can all vary wildly, as can on-prem, cloud, remote-site, IoT, and legacy particulars.
“It’s a strategic transformation, not a tactical deployment, and that’s why we’re seeing such widespread struggle across the industry,” says Prashant Deo, the cybersecurity global practice head at Tata Consultancy Services. “Implementing zero trust at the enterprise level is an uphill task, which can require a phased and use-case-centric approach as part of the zero trust journey.”
Deo argues that the zero trust mindset is fundamentally at odds with how enterprises have always approached security.
“For decades, security was built on the premise of implicit trust within the network perimeter. The zero trust model demands a complete reversal of this thinking,” Deo notes. “Shifting an entire organization to a ‘never trust, always verify’ culture is a significant and difficult change.”
Rex Booth, CISO at SailPoint, says definitional confusion is behind a lot of the friction.
“Zero trust means a variety of things to a variety of people. We don’t want to gatekeep what zero trust means and offer this idealized model as ‘This is the only way to do zero trust,’” he says.
Karen Andersen, an identity architect with World Wide Technology, agrees with Booth about the term’s ambiguous nature.
“I often think people don’t know what to make of the term. Some people say it’s a product, but it means different things to different people,” Andersen says. “I often think it can be seen as a marketing buzzword, but I do believe in the strategy behind it.”
In fact, Andersen is surprised that only 88% of security executives reported having found deploying zero trust difficult.
“I want to meet the 12% who have not found it a struggle,” she quips.
The never-ending journey
A truly comprehensive zero trust deployment can take more than a decade to execute, Andersen says — assuming it ever gets completed.
“When I explain zero trust [to senior management], I tell them that it’s a strategy of a 10- to 12-year roadmap, to really build that foundation,” she says. “I don’t think you ever get to the end of zero trust.”
Saleh Hamdan Al-Bualy, who spent years as the information security manager for the Four Seasons hotel chain, is another veteran security executive concerned about the complexity of zero trust and the shortage of concrete incentives to deliver it.
“There is absolutely no incentive to do it,” says Al-Bualy, who today serves as the security leader of a stealth AI startup and defines zero trust as the opposite of Unix’s trusted-host model. “It has a slowdown effect on the business. You can’t do zero trust unless you fully implement it. Until then, you won’t get any of the benefits.”
Al-Bualy stresses that the only way zero trust can be successful is if it is pushed top down, from the board or CEO down to the CISO’s office, similar to how generative AI has been pushed.
“You have to convince the board and the executive team that we need to do it for XYZ reasons,” he says.
Will Townsend, a VP and principal analyst for Moor Insights & Strategy, says the nature of a typical CISO’s compensation tends to discourage an enthusiastic zero trust deployment.
“Compensation isn’t typically aligned with [zero trust] objectives. Most publicly traded companies live quarter to quarter,” Townsend points out. “What is valued are things that improve LOB productivity, the LOB’s ability to monetize niche services. There is also more priority on cloud security. How do you attribute immediate ROI to improving security hygiene?”
Tata’s Deo says another factor that tends to add friction to zero trust journeys is the lack of visibility throughout an enterprise’s global threat landscape.
Enterprises often have “poor visibility of data flows between subject and resource, and this makes it challenging to determine the current access patterns and need of zero trust access within the enterprise,” Deo says. “The ability to continuously monitor and probe for the current state of user and device also proves prohibitive to adopt for real zero trust.”