Date: 2024-04-23

As much as 63% of global organisations have fully or partially implemented a zero-trust strategy, and for 78% of organisations implementing the strategy, this investment represents less than 25% of the overall cybersecurity budget, according to a survey by Gartner.

The survey of security leaders whose organisations had already implemented or are planning to implement a zero-trust strategy found that 56% of organisations are primarily pursuing the strategy because it’s considered an industry best practice.

However, Gartner experts said that enterprises aren’t sure what top practices are for zero-trust implementations.

“For most organisations, a zero-trust strategy typically addresses half or less of an organisation’s environment and mitigates one-quarter or less of overall enterprise risk,” said John Watts, VP analyst at Gartner.

Gartner outlined three recommendations for security leaders implementing a zero-trust strategy.

Establish Scope For A Zero-Trust Strategy Early

To successfully implement zero trust, organisations need to understand how much of the environment they cover, which domains are in scope and how much risk they can mitigate.

The scope of a zero-trust strategy doesn't typically include the entire organisational environment. However, 16% of survey respondents said it will cover 75% or more, while only 11% believed it will cover less than 10% of the organisation’s environment.

“Enterprise risk is much broader than the scope of zero-trust controls, and only so much enterprise risk can be mitigated," said Watts. "However, measuring risk reduction and improving security posture is a key indicator of success for zero-trust controls."

Communicate Success Through Zero-Trust Strategic And Operational Metrics

The survey showed that 79% of organisations that have fully or partially implemented zero trust have strategic metrics to measure progress, and of these organisations, 89% have metrics to measure risk.

Security leaders must also keep their audience in mind when communicating these metrics. Fifty-nine percent of zero-trust initiatives are sponsored by either the CIO or CEO/president/board of directors.

“Zero-trust efforts deliver on specific outcomes—such as reduction of malware’s lateral movement on a network—often not captured by existing cybersecurity metrics,” said Watts.

Anticipate Increases In Staffing And Costs But Not Delays

Sixty-two percent of organisations anticipated their cost will rise and 41% expected their staffing requirements will increase as a result of zero-trust implementation.

The budget impacts vary based on the scope of zero-trust deployment and how robust the strategy is early in the planning process. “Zero-trust initiatives inherently affect the budget as organisations take a systemic and iterative approach to mature their policies toward risk-based and adaptive controls, adding overhead to the organisation’s ongoing operational burden,” said Watts.

Although only 35% of organisations said they encountered a failure that disrupted their zero-trust strategy implementation, Gartner said a zero-trust strategic plan should outline operational metrics and measure the effectiveness of policies in order to minimise delays.