63% of Organizations Have Implemented Zero-Trust, Gartner Survey Finds
A recent Gartner survey reveals that while 63% of organizations worldwide have fully or partially implemented a zero-trust strategy, the scope and impact of these initiatives remain limited. The survey, conducted in the fourth quarter of 2023, included 303 security leaders from organizations that have already implemented or plan to implement a zero-trust strategy. Selecting from a pool of respondents who already planned to implement zero-trust could seem to skew the poll's value, but we must remember that in 2021, Microsoft reported nearly all security decision makers placed establishing a zero-trust strategy as their number one priority.
The primary motivation for adopting a zero-trust strategy, cited by 56% of respondents in the Gartner survey, is its recognition as an industry best practice. This differs from a Pulse 2022 survey, which found that supporting a hybrid workforce was the leading objective for zero-trust initiatives. However, John Watts, VP Analyst and KI Leader at Gartner, notes that “despite this belief, enterprises are not sure what top practices are for zero-trust implementations.”
The Gartner survey findings indicate that for most organizations, a zero-trust strategy typically addresses half or less of an organization’s environment and mitigates one-quarter or less of overall enterprise risk. From our perspective, this isn’t a fault of zero-trust but instead results from common hurdles we see in implementation:
- Lack of qualified vendors and solutions: A significant challenge is the limited availability of comprehensive zero-trust solutions and qualified vendors. This can lead to security gaps and increased operating costs due to vendor and solution sprawl.
- Difficulty integrating with existing systems and infrastructure: Ensuring that zero-trust solutions can seamlessly integrate with both on-premises and cloud environments, as well as legacy systems, is essential for a successful implementation. This can be particularly challenging when dealing with a hybrid work environment.
- Legacy systems and applications: Retrofitting or replacing legacy systems that were built with perimeter security in mind can be a costly and time-consuming process. These systems may not adapt well to zero-trust models, creating potential security gaps.
- Continuous verification and authentication: Implementing a system that continuously verifies and authenticates users and devices can be complex and resource intensive. This process requires a robust identity and access management system to be effective.
- Cultural and organizational challenges: The transition to a zero-trust model requires a significant shift in mindset and organizational culture. Employees must understand and adapt to the new security environment, which can be a hurdle for organizations.
- Lack of understanding and qualified personnel: Many organizations face a shortage of qualified personnel who understand zero-trust concepts and can effectively implement and manage these systems.
- Scalability and complexity: As organizations grow and their networks become more complex, maintaining a zero-trust model can become increasingly challenging. The need for ongoing administration and management can be a significant hurdle.
But this isn’t unusual as real-world implementations catch up with best-practice security theory. Every day we see progress, with emphasis on ease of use, scalability, performance, and the ability to handle security breaches effectively.
Returning to the Gartner survey, it outlines three key recommendations for security leaders implementing a zero-trust strategy:
1. Establish scope early: Organizations must understand the extent of their environment covered by zero-trust, the domains in scope, and the potential risk mitigation. Only 16% of respondents expect their zero-trust strategy to cover 75% or more of their organization’s environment.
2. Communicate success through strategic and operational metrics: 79% of organizations with fully or partially implemented zero-trust strategies have strategic metrics to measure progress, with 89% of those having metrics to measure risk. Metrics should be tailored to zero-trust deliverables and communicated effectively to sponsors, often the CIO or CEO/president/board of directors.
3. Anticipate increases in staffing and costs: 62% of organizations expect costs to increase, and 41% anticipate higher staffing requirements due to zero-trust implementation. The budget impact varies based on the scope and robustness of the zero-trust strategy. Organizations should have a strategic plan outlining operational metrics and measure the effectiveness of zero-trust policies to minimize delays.
While only 35% of organizations encountered failures that disrupted their zero-trust strategy implementation, the survey emphasizes the importance of a comprehensive strategic plan and of measuring how effective zero-trust policies are. As organizations continue to navigate the challenges and benefits of zero-trust strategies, Gartner’s findings provide valuable insights and recommendations for security leaders looking to optimize their approach and maximize the impact of their zero-trust initiatives.