Zero Trust is ‘Easier Said Than Done’


While many organizations agree that implementing zero trust security architectures is the right path forward, challenges often hold them back from doing so successfully, according to a new report from CyberRisk Alliance.

The report – which surveyed over 200 security and IT professionals – found that implementing zero trust is “easier said than done,” with fewer than a third of respondents having actually implemented it in their organizations.

Specifically, 57 percent of respondents are receptive to zero trust, but just 30 percent have actually implemented it to some degree.

“Many blame the high costs of implementation and the complexities of introducing zero trust practices to existing workflows. Others say they can’t get leadership buy-in and struggle to show ROI [return on investment] for something that defies easy explanation,” the report says.

The report reveals that the “front runners” of zero trust – or those with the most success in implementing it – were mainly members of large organizations with well-staffed security teams. Those with the least progress – or the “holdouts” – tended to work at smaller organizations with security teams of five members or fewer.

The most common challenges to implementing zero trust are costs to implement (57 percent), potential disruptions to productivity or workflow (46 percent), operational complexities of zero trust (40 percent), and compatibility with legacy systems/environments (39 percent).

“First, [zero trust] is a challenging initiative to communicate. Second, it can be expensive depending on how things are done and what kind of processes are in place,” one survey respondent said.

Additionally, only 56 percent of respondents believe vendors have done a “good” or “very good” job of defining zero trust to the market.

“It’s not well-defined. Standards aren’t really there. It’s a concept, not even a suite of products. Implementations are all over the map. Since I can’t define it well, I can’t estimate either the costs or benefits. Therefore, it will stay in limbo,” another respondent said.

Nevertheless, 54 percent of respondents said they are planning a zero trust framework for 2024. Many respondents – including those still developing zero trust policies – have already implemented basic zero trust practices such as multi-factor authentication (MFA) and employee security training.

Going forward, survey respondents said they are most excited about how artificial intelligence can help them to identify breaches faster and unlock “even more value from the zero trust playbook.”