- 82% of cybersecurity professionals are actively working on implementing zero trust.
- 93% said the White House announcement about zero trust impacted their decision to adopt it.
- According to experts, switching to a zero-trust strategy costs an average of $656,762 and most often takes seven to 11 months.
- Professionals believe the term “zero trust” is misused 63% of the time.
The rise of zero trust
Zero trust in cybersecurity focuses on resource protection. It’s the idea that trust can’t be granted implicitly and must be continually reassessed. Traditionally, agencies (and enterprise networks in general) have focused on perimeter defense: once on an internal network, authenticated subjects are granted access to a wide variety of resources. This strategy creates a major challenge for companies and agencies alike: unauthorized lateral movement within the environment.
While the cost to move to zero trust can seem high, you can start with small, measurable, and affordable steps. For example, laying the foundation with Zero Trust Authentication is a far less costly way to move past the traditional “trust but verify” protection approach.
To find out what professionals think of zero trust architecture we surveyed 512 cybersecurity professionals in the U.S. who are familiar with it. They defined it, explained its use, and shared their thoughts about the future of perimeter-less security and its new slogan: Never trust, always verify.
Zero trust in 2023
By the end of 2024, the U.S. government will require certain agencies to follow the nationally mandated zero trust architecture policies. This deadline has cybersecurity professionals working toward making the framework universal.
Most professionals surveyed (82%) are currently working on implementing zero trust, and 16% plan to begin within 18 months. Cybersecurity professionals rated the approach seven out of 10, showing their support for this security program. Over 90% of those working on zero trust cited the 2022 Federal Zero Trust Strategy as their motivation.
Next, let’s look at the actions cybersecurity professionals have taken to move to a zero trust architecture.
Zero trust is here to stay, with more than half of respondents already updating their authentication technology. Furthermore, 37% of cybersecurity professionals surveyed said they’re reviewing their existing technology and processes to keep up with changing needs. And since only 10% of respondents have more than two years of experience with zero trust, there’s plenty of room for learning and innovation.
We also asked respondents which standards their zero trust frameworks have adhered to. Most of them (82%) had used the one created by the National Institute of Standards and Technology (NIST), while fewer than half (48%) had used that of the International Organization for Standardization (ISO). NIST may be used more often because it’s considered a good option for companies that are just getting started with mitigating cybersecurity risks.
Now, let’s bust some misconceptions about zero trust.
Understanding zero trust
Zero trust seems to imply no faith in users, devices, or the security measures designed to protect them, but this is a misconception partly caused by incorrect branding by marketers. Let’s clear that up.
Zero trust is based on the principle that users are neither trusted with, nor held responsible for, maintaining their own digital security. Given the dangers inherent in digital environments, that would be an enormous task. It makes a more sensational headline to say that new security measures don’t trust any user, but the truth is more nuanced and more charitable to both users and the professionals in charge of protecting them.
With 70% of respondents describing the approach as simply not trusting users to keep up with their own security, zero trust is hardly the insult it’s made out to be. Most cybersecurity professionals we surveyed said they believe the term is misused more than half of the time (63%), and 82% felt that marketers had incorrectly branded it. While the truth is most likely somewhere in the middle, it’s better to think of the framework as one concerned with ongoing security rather than one that treats users as suspects.
The most crucial aspects
Knowing is half the battle when it comes to adopting new technology. Here’s a more in-depth look at what cybersecurity professionals believe are the most critical components of zero trust.
Given that 56% of cybersecurity professionals said earlier in our study that they’re currently upgrading their authentication technology, it makes sense that 64% rated authentication as essential to zero trust and 32% said it’s critical. Identity and Access Management (IAM: a framework of policies and technologies ensuring the right users have access to the right resources) is also important to zero trust, and 73% of our respondents agreed; almost a third even said it’s critically important. Only a few—between 1% and 4%—thought IAM and authentication were unimportant.
Granting the lowest level of access required was the most highly rated attribute of zero trust, chosen by 53% of respondents. This is the principle of least privilege: users should have access only to what their task requires. Microsegmentation and repeated verification were voted nearly as critical, at 52% and 50%, respectively. Next on the list were assuming the network is hostile and assuming both internal and external threats, showing the importance of ongoing vigilance.
We also asked cybersecurity professionals what authentication capabilities they believe are required to achieve zero trust. Over half (53%) said codeless capability is the most necessary attribute of a zero-trust network. They also judged being passwordless and ensuring each device meets specific security thresholds almost equally important. Meanwhile, they deemed maintaining policy at each authentication point just as critical to network safety as protecting from social engineering tactics such as phishing.
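The attributes above (least privilege, repeated verification, device security thresholds, policy at each authentication point, and an assumed-hostile network) describe a per-request access decision. Here is a small policy decision point that applies all of them, contrasted with the perimeter model from the start of the article. This is an added example, not code from the survey or from Beyond Identity's products; the role-to-permission table, the 15-minute re-verification window and the 0–100 device posture score are assumptions.

```python
"""Per-request zero-trust policy decision (added illustrative example).

Every request is checked against authentication strength, age of the last
verification, device posture and a least-privilege role table. The default
is deny: being on the internal network grants nothing by itself.
"""
from __future__ import annotations
from dataclasses import dataclass

MAX_AUTH_AGE_SEC = 15 * 60   # assumed: re-verify the user every 15 minutes
MIN_DEVICE_SCORE = 70        # assumed: posture score a device must reach (0-100)

# Least privilege: each role lists only the (resource, action) pairs it needs.
POLICY = {
    "analyst": {("reports", "read")},
    "admin":   {("reports", "read"), ("reports", "write"), ("users", "write")},
}


@dataclass
class Request:
    user: str
    roles: set[str]
    auth_method: str      # e.g. "passwordless" or "password"
    auth_age_sec: int     # seconds since the user last verified
    device_score: int     # posture score reported by an assumed device agent
    resource: str
    action: str


def perimeter_decide(req: Request, inside_network: bool) -> bool:
    """The traditional model the article contrasts: inside the perimeter means allowed."""
    return inside_network


def decide(req: Request) -> tuple[bool, str]:
    """Zero-trust decision: returns (allowed, reason); any failed check denies."""
    if req.auth_method != "passwordless":
        return False, "password-based authentication not accepted"
    if req.auth_age_sec > MAX_AUTH_AGE_SEC:
        return False, "re-verification required"          # repeated verification
    if req.device_score < MIN_DEVICE_SCORE:
        return False, "device below security threshold"   # device posture check
    allowed = set().union(*(POLICY.get(r, set()) for r in req.roles))
    if (req.resource, req.action) not in allowed:
        return False, "not permitted for role"             # least privilege
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample: an analyst already inside the network tries to edit users.
    lateral = Request("ana", {"analyst"}, "passwordless", 60, 85, "users", "write")
    print("perimeter:", perimeter_decide(lateral, inside_network=True))  # True
    print("zero trust:", decide(lateral))                                 # denied
```

The same request that the perimeter model waves through is denied by the per-request check, which is the lateral-movement problem the article's opening paragraph describes.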
Adopting zero trust
Numerous aspects of zero trust aren’t just useful; they’re becoming necessary. Being an early adopter brings with it the ability to pioneer best practices, but costs and challenges come with this innovative mindset. We’ve asked cybersecurity professionals to weigh in on the most convincing arguments behind zero trust and the obstacles you may encounter on the road to execution.
According to 59% of respondents, the best way to convince an organization to adopt zero trust is to explain the basic concept to them. Nearly as many experts ranked explaining threats to data privacy using the current security framework as important (57%). Revealing existing vulnerabilities and how zero trust will address them can be a compelling argument for adopting new security measures.
One of the first questions any business will ask about implementation is: What will it cost? We’ve determined it costs $656,762, on average, for an organization to switch from its current policy to a zero trust architecture.
The question that usually follows is: How long will this take? Half of the cybersecurity professionals surveyed believe adopting zero trust would take seven to 11 months to execute. Overall, it’s a relatively small investment of time and money to keep a company secure. Organizations are also likely to ask how security policy changes will affect day-to-day business and users.
According to our survey results, achieving organizational buy-in was the smallest speed bump on the road to implementation. Instead, the majority of experts said limiting access points and decreases in productivity are the most challenging aspects of zero trust execution. Almost half of the respondents also noted that handling increased workflow and a limited budget were other major obstacles.
Evaluating zero trust
It’s happening, and not just due to government mandates: Professionals in the industry appreciate the strength of adopting zero trust. Let’s look at which businesses, in particular, they believe to be best served by these policies.
It’s virtually unanimous: 92% of cybersecurity professionals stated zero trust was their top option for a security approach. And 65% believed the policy framework is either very or extremely effective in protecting businesses and users. They also thought the BFSI industry (companies in the banking, financial services, and insurance sectors) and small businesses were the most suited to switching to zero trust due to the inherent danger of internal and external threats they face. And while experts rated in-person work settings as the best place to implement these security measures, the rise of remote work also shows a clear need for zero-trust processes.
The future of zero trust
Zero trust is poised to be the future of cybersecurity, so it benefits businesses to begin familiarizing themselves with the framework. The White House mandate requiring certain agencies and organizations to adopt this security architecture is evidence of zero trust’s critical role in the coming digital defense landscape.
With numerous advantages and a relatively small cost, zero trust shouldn’t be a hard sell, though it may take some getting used to—for both employers and employees. The sooner a business makes the switch, the sooner it positions itself on the right side of digital security philosophy.
We surveyed 512 cybersecurity professionals in the United States that reported being familiar with zero trust.
About Beyond Identity
Beyond Identity is the first and only company to provide phishing-resistant and passwordless MFA, empowering all people and businesses to securely, privately, and effortlessly control their digital identities.
Fair use statement
If you’d like to share anything you’ve read here with friends or colleagues for noncommercial purposes, please add a link to this page to credit the team that spent time and effort researching and presenting this material.