Accurately assessing the success of zero-trust initiatives
Zero-trust preparation can be difficult. Measuring how well the model provides security and business benefits after implementation is even more difficult.
Zero trust is a two-word phrase that likely evokes strong emotions in many security practitioners. Over the last few years, the concept of zero trust has grown from an idealistic concept to a strategic imperative -- and for good reason.
Security teams struggle with the effects brought on by digital transformation. Cloud adoption, application modernization and new work models have all wreaked havoc on traditional security architectures. At the same time, the threat landscape continues to evolve as attackers use automation to increase their scale, develop new malware that evades detection and seek to exploit the security gaps that can be introduced as the enterprise digitizes.
At its core, zero trust involves removing implicit trust from the environment, enforcing least privilege and continuously monitoring every session. Through these tenets, organizations can shift to a more dynamic security posture, limit their susceptibility to attack and reduce the effect of attacks that inevitably occur.
On the positive side, research from TechTarget's Enterprise Strategy Group (ESG) found 77% of organizations that have begun a zero-trust initiative report at least one security and business benefit. On the security side, this includes reducing the number of incidents, improving security operations center efficiency, simplifying compliance and reducing data breaches. From a business perspective, benefits include increasing adaptiveness and agility, improving employee productivity and user satisfaction, and reducing costs.
Zero-trust questions remain
Yet, this raises some important questions, including the following:
- Because zero trust is so broad, exactly which practices are organizations implementing to achieve these results? For example, ESG research found that only 44% of the organizations surveyed strongly agreed they check the health and posture of a device before allowing it to connect to their network. Similarly, only 45% strongly agreed that they follow a least privilege access model. Finally, only 39% strongly agreed that they use microsegmentation in their on-premises data center. Despite being foundational to zero trust, none of these practices was pervasively implemented.
- How do security teams connect the zero-trust practices they implement to the benefits they claim? Related to the first question, are security teams accurately assessing causation between zero-trust actions and benefits, or are they relying on correlation?
- While any improvement is welcome, exactly how much is the needle being moved? Are incidents down 3% or 30%? Did the organization save $1,000 or $1 million? Because of the investments in time and resources needed to successfully implement a zero-trust model, the scale of success matters.
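The practices the survey asks about (device posture checked before access, least privilege, every session evaluated and recorded) are easier to reason about as a policy decision point than as survey percentages. The following is an added example written for this page, not code from ESG or from any zero-trust vendor. The role-to-permission map, the four posture checks, the users and the devices are all constructed for illustration; a real deployment would pull posture from an endpoint agent and entitlements from an identity provider.

```python
"""Minimal zero-trust policy decision point (constructed example).

Every request is evaluated the same way regardless of network location,
the device must pass a posture check before anything is granted, the role
gets only the actions it needs, and every decision is written to an audit
log so sessions can be monitored and the denial rate measured.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed role-to-permission map: each role gets only what it needs.
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write", "ci:read"},
    "auditor":   {"repo:read", "ci:read"},
    "support":   {"tickets:read", "tickets:write"},
}


@dataclass
class Device:
    managed: bool          # enrolled in endpoint management
    os_patched: bool       # at the required OS patch level
    disk_encrypted: bool
    edr_running: bool      # endpoint agent is reporting


@dataclass
class Request:
    user: str
    role: str
    device: Device
    action: str                          # e.g. "repo:write"
    on_corporate_network: bool = False   # recorded but never trusted


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def posture_failures(device: Device) -> list[str]:
    """Return the posture checks this device fails (empty list means healthy)."""
    checks = [
        (device.managed,        "device is not under management"),
        (device.os_patched,     "OS is not at required patch level"),
        (device.disk_encrypted, "disk is not encrypted"),
        (device.edr_running,    "endpoint agent is not running"),
    ]
    return [msg for ok, msg in checks if not ok]


def evaluate(req: Request, audit_log: list[dict]) -> Decision:
    """Deny by default; allow only when posture and least privilege both hold."""
    reasons: list[str] = []
    # No implicit trust: on_corporate_network is logged but plays no part.
    # Device health is checked before any permission is considered.
    reasons.extend(posture_failures(req.device))
    # Least privilege: unknown roles and unlisted actions are denied.
    allowed_actions = ROLE_PERMISSIONS.get(req.role, set())
    if req.action not in allowed_actions:
        reasons.append(f"role {req.role!r} is not permitted {req.action!r}")
    decision = Decision(allowed=not reasons, reasons=reasons)
    # Continuous monitoring: every decision, allowed or not, is recorded.
    audit_log.append({
        "user": req.user, "role": req.role, "action": req.action,
        "on_corporate_network": req.on_corporate_network,
        "allowed": decision.allowed, "reasons": list(reasons),
    })
    return decision


def denial_rate(audit_log: list[dict]) -> float:
    """Share of requests denied: one concrete number to track over time."""
    if not audit_log:
        return 0.0
    return sum(1 for entry in audit_log if not entry["allowed"]) / len(audit_log)


if __name__ == "__main__":
    log: list[dict] = []
    healthy = Device(managed=True, os_patched=True, disk_encrypted=True, edr_running=True)
    stale = Device(managed=True, os_patched=False, disk_encrypted=True, edr_running=False)
    print(evaluate(Request("ana", "developer", healthy, "repo:write"), log))
    # Same user on the corporate LAN but on an unpatched device: still denied.
    print(evaluate(Request("ana", "developer", stale, "repo:write", on_corporate_network=True), log))
    # Healthy device, but the auditor role does not include write: denied.
    print(evaluate(Request("bob", "auditor", healthy, "repo:write"), log))
    print(f"denial rate: {denial_rate(log):.0%}")
```

The audit log is what turns the "how much is the needle moving" question into something answerable: the denial rate, and the reasons behind each denial, can be compared before and after a posture or least-privilege policy is tightened, rather than inferred from a vendor's aggregate claim.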
This lack of clarity makes it difficult for practitioners planning for zero trust to judge the impact of specific practices, assess what makes the most sense and determine what would create the most value in the least amount of time for their organization. Each organization is different, but learning from peers should be a critical aspect of the planning process.
Vetting zero-trust vendors
While zero trust should be viewed as a strategy or set of principles on which to base a cybersecurity program, technology ultimately comes into play. When assessing zero-trust vendors, security practitioners should prioritize those that can offer both qualitative and quantitative metrics on the benefits customers have seen after deploying the practices their tools support. Studies identifying quantitative benefits that are clearly and directly tied to zero-trust practices can help security leaders connect their priorities with the actions most likely to result in quick, effective wins. Case studies and customer examples can then provide the specifics needed to validate these top-line successes.
Security teams ultimately need vendors that can act as trusted advisors on the journey toward zero trust. This can take many forms but should include providing meaningful and actionable data that security leaders can base decisions on.
The path toward zero trust can take time. But reducing time to value through effective planning and selecting the practices that create the most positive effect can generate the momentum needed to achieve long-term success.