How to Decipher Zero Trust for Your Business
Xcitium, Research from Gartner
Security and risk management leaders are asking for investment to implement zero trust security, but zero trust can be confusing to business executives. To obtain support, these leaders must be able to communicate what zero trust is, the benefits it brings, and the challenges it creates for the business.
- Security leaders are inundated with marketing and vague language about zero trust and so struggle to translate the technical reality into business benefits.
- Too many vendors apply the term zero trust to a huge range of products, yet zero trust is an organizational vision anchored in architecture and principles, and it cannot be solved by technology alone.
- Executive backing is critical to the success of zero trust programs as they require changes in architecture, culture and technology.
Security and risk management leaders must:
- Clarify what zero trust approaches can deliver by communicating the business relevance of the concept and how it supports resilience and agility in a hybrid-first world.
- Communicate the benefits and business impacts of zero trust by mapping it to relevant business outcomes.
- Make zero trust part of the organization’s culture by building a communication plan with your executive leadership and gaining their backing, involvement and support.
Strategic Planning Assumption
Over 60% of organizations will embrace zero trust as a starting place for security by 2025. More than half will fail to realize the benefits.
The term “zero trust” is now prevalent both in security marketing (with many vendors using it to describe their products – or aspects of them) and in security guidance from governments and associated entities. As a mindset – replacing the implicit trust that is rife in current networks and being exploited by attackers with identity- and context-based, risk-appropriate trust – it is extremely powerful.
Zero trust is a security paradigm that explicitly identifies users and grants them just the right amount of access so that the business can operate with minimal friction while risks are reduced.
However, the term zero trust is being abused with overloaded expectations and confusing, self-serving language. The term itself is a misnomer: it does not mean that no one should be trusted. It means that no one is trusted implicitly, and that only the trust warranted by identity and context is granted. Executives, though, often hear it as “we will not trust our users” and expect it to disrupt work.
Combined with the vendor marketing, this makes it challenging for many security and risk management leaders to explain to executives both what zero trust is and that it is a mindset rather than a technology, and therefore even more difficult to communicate its business value.
Since zero trust is both a security principle and an organizational vision, it will certainly require cultural shifts. It is imperative to attain executive understanding and associated support for this change in culture and the required efforts; the question is what is the best way to achieve this support?
You need clear communication, mapping to business outcomes and benefits, and the ability to demystify the jargon and marketing associated with zero trust (see Figure 1). Security and risk management leaders should use our guidance on effective strategies to attain this support and to have a more successful zero trust journey.
Figure 1: What is Zero Trust?
Clarify What Zero Trust Means for the Business
An effective zero trust strategy means focusing on balancing the need for security with the need to run the business. An appropriate level of protection is critical, but equally so is ensuring that employees, contractors and partners have the access they need to enable the business to succeed. It means building a structure where everyone gets all the access they need to do their job when they need it, but no more – reducing possible incidents whether accidental or malicious. This access will adapt to the situation in which the connection is made. If the situation appears to be more risky, then less access can be granted – and these changes can happen in real time.
Zero trust is falsely promoted as “the” optimal approach to cybersecurity, when in fact it is an approach that makes it possible to optimize security for the business. Vendors are using it to describe their products regardless of function, simply meaning “better” security, and governments are adopting the term as their “standard.” In the U.S. alone, zero trust guidance and mandates include the Executive Order on Improving the Nation’s Cybersecurity [1] and associated guidance from NIST [2], CISA [3] and the OMB [4]; other governments (such as Canada [5]) and organizations also use the term. It is becoming increasingly relevant across the globe, and Gartner expects that similar policy bodies will cascade down zero-trust-like recommendations in countries around the world in the coming years.
This furore of noise and activity means that executives and boards are asking security and risk management leaders what this means to their organizations. Gartner’s definition of zero trust is an architectural and technical one, but for the concept to live up to the hype for you, it must map to your business objectives, and help address your business risk.
Communicate the Benefits and Impacts of Zero Trust
Effective communication is where established security leaders differentiate themselves. Communicating the business benefits of a zero trust approach (see Figure 2) while maintaining a tie to cultural and business value is critical.
The key benefits include:
- Resilience: Building an environment that can sustain an error or a security issue without it escalating into a more serious breach that causes business-level damage.
- Enablement: Allowing new and different approaches supporting business outcomes without adding risk.
- Flexibility: Providing lower business friction with greater security.
Figure 2: Zero Trust Benefits
Similarly, it is important to set expectations for challenges and negative impacts (see Table 1).
There are three main ones:
- Culture: Zero trust is a different security mindset and this means changing organizational culture around what levels of trust are appropriate.
- Process change: With identity and connection context at the core of zero trust architecture, processes that favor location and ownership will have to change. The end result will be more flexible and secure, but the change may have interim impacts.
- Expense: The need to migrate to zero trust from traditional controls will increase expenses during the journey. This short-term impact is worth it for the longer-term gains, however.
Table 1: Zero Trust Architecture: Negative Impacts
Source: Gartner (May 2022)
Each of these benefits (and complications) must be messaged appropriately based on the particular executive (or executives) in the audience; it is imperative to tailor the message to their particular concerns (see Figure 3) to ensure that you are not just heard, but understood in terms of clear and actionable next steps.
Figure 3: Executive Security Concerns
Other roles will exist; use these examples as methods for tailoring your communications about zero trust effectively to each executive’s concerns.
Make Zero Trust Part of the Organization’s Security Culture
Peter Drucker is commonly misquoted as saying that “Culture eats strategy for breakfast.” [6] While the intent of this statement was that a good culture drives success more effectively than just a strategy, if the culture is set against a strategy, the strategy is almost doomed to failure. Zero trust is an organizational strategy and, in many cases, will be counter to elements of the existing security culture. Questions such as “why should we change?” or “isn’t what we do enough?” must be addressed with sufficient authority. A good way to approach this is through advocating for the business benefits that incorporating zero trust into the security culture would mean for your organization.
For instance, a zero trust strategy could support limited and appropriate use of bring-your-own-device (on a “gray” scale – where there is read-only access to some data, for instance), or hybrid working without disrupting the user experience. Zero trust is a natural enabler for cloud initiatives, where security and context are the primary security controls. It is this flexibility that makes the concept so powerful, not just for security, but also in support of business initiatives and objectives.
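The access model sketched in the two passages above (everyone gets the access their job needs and no more, access shrinks as the connection context looks riskier, and an unmanaged BYOD device lands on a read-only “gray” tier) can be made concrete with a small policy decision function. The following is an added illustration, not code from Gartner or Xcitium: the role entitlements, signal names (device_managed, mfa_passed, risk_score) and the risk thresholds are assumptions chosen for the example, and the same function also covers the contractor case discussed later in the note.

```python
"""Context-aware access decision: a constructed illustration of
"the right access, when needed, no more". Not Gartner's or Xcitium's code;
entitlements, signal names and thresholds are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Access levels, ordered so that a lower value is always less access."""
    DENY = 0
    READ_ONLY = 1
    FULL = 2


@dataclass(frozen=True)
class Context:
    """Signals known at decision time (assumed names, constructed for the example)."""
    user: str
    role: str
    device_managed: bool   # enrolled in device management, or BYOD
    mfa_passed: bool       # identity verified with a second factor
    risk_score: int        # 0 (benign) .. 100 (hostile), from a hypothetical risk engine


# Static entitlements: the MOST a role may ever get on a resource.
# Anything not listed is denied (explicit allow, nothing implicit).
ENTITLEMENTS: dict[tuple[str, str], Tier] = {
    ("finance", "ledger"): Tier.FULL,
    ("auditor", "ledger"): Tier.READ_ONLY,
    ("employee", "project-wiki"): Tier.FULL,
    ("contractor", "project-wiki"): Tier.READ_ONLY,
}

RISK_DENY = 70       # at or above this, deny outright (assumed threshold)
RISK_DOWNGRADE = 40  # at or above this, step access down one tier (assumed)


def decide(ctx: Context, resource: str) -> tuple[Tier, str]:
    """Return (tier, reason). Start from the role's static ceiling, then lower
    it according to the connection context. Context never raises access."""
    tier = ENTITLEMENTS.get((ctx.role, resource), Tier.DENY)
    if tier == Tier.DENY:
        return Tier.DENY, "no entitlement for this role on this resource"
    if not ctx.mfa_passed:
        return Tier.DENY, "identity not strongly verified (no MFA)"
    if ctx.risk_score >= RISK_DENY:
        return Tier.DENY, f"risk score {ctx.risk_score} >= {RISK_DENY}"

    reasons = []
    # Unmanaged (BYOD) devices get at most read-only: the "gray scale" case.
    if not ctx.device_managed and tier > Tier.READ_ONLY:
        tier = Tier.READ_ONLY
        reasons.append("unmanaged device: limited to read-only")
    # Elevated risk steps access down one level instead of cutting it off.
    if ctx.risk_score >= RISK_DOWNGRADE:
        tier = Tier(tier - 1)
        reasons.append(f"risk score {ctx.risk_score}: stepped down one tier")
    return tier, "; ".join(reasons) or "full role entitlement applies"


if __name__ == "__main__":
    # Constructed sessions. The same user is re-evaluated as context changes,
    # which is what "changes can happen in real time" means in practice.
    alice_office = Context("alice", "finance", True, True, 10)
    alice_phone = Context("alice", "finance", False, True, 10)
    alice_risky = Context("alice", "finance", True, True, 75)
    bob = Context("bob", "contractor", True, True, 0)
    for ctx, res in [(alice_office, "ledger"), (alice_phone, "ledger"),
                     (alice_risky, "ledger"), (bob, "ledger"), (bob, "project-wiki")]:
        tier, why = decide(ctx, res)
        print(f"{ctx.user:6} {res:13} -> {tier.name:9} ({why})")
```

The point worth noticing is the direction of the rules: the static entitlement is a ceiling, and every contextual signal can only lower it. A policy engine written the other way round (context grants extra access) reintroduces the implicit trust the note is arguing against.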
Effective change must be led from the top. Security and risk management leaders can use the techniques in this note (supported by facts and the directions from governments and similar) to enlist the executives in their cause. Once enlisted, executives can bring the weight of their opinions to bear on addressing the concerns and questions that may be raised.
This executive support will be vital to the success of the program. Continue to reinforce that this is a journey, and set appropriate milestones to show success – without having to complete the near-impossible task of building a “fully zero trust” enterprise. These milestones must be tied to the benefits above: not the implementation of a zero trust network access solution, but the flexibility achieved in supporting contractors who can access ONLY what they need to access. This milestone- and business-outcome-based approach is invaluable as you progress through the journey and the existing culture pushes back against the zero trust approach.
Source: Gartner Research Note G00762685, Charlie Winckless, Sam Olyaei, 9 May 2022
Xcitium – Don’t Fear the Unknown. Contain It. is published by Xcitium. Editorial content supplied by Xcitium is independent of Gartner analysis. All Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients. © 2022 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of Xcitium’s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable.
Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such.
Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity”, on its website.
This note is based on evidence gathered by Gartner across inquiry with a range of clients.
[1] Executive Order on Improving the Nation’s Cybersecurity, The White House
[2] SP 800-207, Zero Trust Architecture, NIST CSRC
[3] CISA Zero Trust Maturity Model, CISA
[4] M-22-09, Federal Zero Trust Strategy, The White House (OMB)
[5] Government of Canada Network and Security Strategy
[6] Why Does Culture ‘Eat Strategy For Breakfast’?, Forbes