Sad, But True: Why Organizations Will Likely Fail With Zero Trust
Okta’s latest ‘State of Zero Trust’ report found that 97% of companies either have a Zero Trust initiative in place or will have one in the next 12-18 months. According to Gartner, over 50% will fail to realize the benefits, and just 10% of large enterprises will have a “mature and measurable” Zero Trust program by 2026.
Zero Trust is a mighty security mindset that can be transformative to businesses. It empowers organizations to eliminate implicit trust by adaptively granting identity-centric, context-based, risk-appropriate trust. However, its full potential can only be realized if organizations embrace it not just as a security standard but also as a cultural shift and vision. It’s essential for businesses to have clear communication about Zero Trust in order to realize the benefits of Zero Trust architecture rather than fail with it.
Zero Trust Programs Stall, Despite Interest
Massive security vendor hype has surrounded Zero Trust in recent years, with many vendors claiming to have solutions that ‘Zero Trustify’ organizations out of the box, creating vast confusion among security leaders and IT executives.
It’s well-emphasized that a Zero Trust Architecture cannot simply be adopted by implementing new technology, nor is it a point product or service you can go out and buy. According to CISA (Cybersecurity and Infrastructure Security Agency), it’s an ongoing journey rather than a destination that requires continuous refinement.
In addition to the transformative mindset, in order to properly implement a ZTA, organizations are forced to acquire new knowledge and skills, implement new processes, and adopt new technologies. That might explain why, according to Forrester, over 63% of organizations are struggling to implement Zero Trust.
Despite the Biden administration’s mandate for federal agencies to implement Zero Trust, and given the high level of market saturation, many organizations have struggled with their Zero Trust initiatives in 2022. Even though the landscape has changed drastically since previous years, organizations have been caught in stiff headwinds. They are still not even close to reaping the full benefits of Zero Trust security: according to Gartner, only 1% currently have a mature and measurable program in place.
Those who hadn’t made the leap to Zero Trust in 2022 said the transition was just too difficult and wouldn’t be effective at their organization. Others said budget limitations and inadequate staff to provide oversight or support for a zero-trust model kept them from adopting it. However, the most prevalent obstacles in adopting Zero Trust were the lack of knowledge about the framework and the lack of buy-in from senior management.
And the resounding result is that Gartner predicts that over 50% of organizations will fail to realize the benefits of Zero Trust.
This dramatic conclusion should agitate every Zero Trust leader.
It’s difficult to comprehend how organizations will likely end up unsecured, inefficient, and non-compliant despite massive spending of a cumulative total of $241B on Zero Trust security by 2027, as per MarketsandMarkets.
Failing to realize the benefits of Zero Trust means wasted resources, higher business risk, high costs and complexities, a less productive workforce, poor user experience, and more.
As ZTA is a transformational architecture that shifts organizations’ traditional cybersecurity strategy, it comes with inherent challenges that make it elusive to achieve. These barriers can be categorized into three core pillars: technological, organizational, and economical.
(1) The new “Everywhere Enterprise” comes with pain.
Protecting a distributed enterprise is highly challenging.
The paradigm shift from a site-centric architecture to an identity-centric one isn’t a walk in the park. A mobile workforce, multi-cloud infrastructures, SaaS applications, chaotic data posture, newly embraced technologies, dependency on internet access, and more make Zero Trust in the cloud daunting for modern enterprises.
Absurdly, that results in “next-gen” complexity that inhibits the implementation of the root principles of Zero Trust:
- Explicit verification of every (!) digital interaction or transaction
- Least privilege access and permissions
- Assume breach mindset
(2) Difficulty in keeping the Zero Trust architecture in step with the constantly evolving threat landscape.
These days, companies struggle with Zero Trust as attackers adapt to get around it.
Today, the digital threat landscape is evolving at an unprecedented rate. Adversaries are constantly evolving and are leveraging innovative attack vectors while businesses increase their efforts to deploy the latest protective security measures. IBM researchers warned recently that cyber attackers are devising new techniques to exploit innovative controls such as MFA and EDR, making a ZTA challenging for security teams and leaders. Gartner estimates that only 10% will create a mature zero-trust framework by 2026, and by that time, those measures will end up only blocking or minimizing the impact of about half of all attacks.
Amidst all this, businesses can find it a daunting task to invest in and upgrade their defense measures while also going through an exhaustive and resource-consuming process of adopting Zero Trust architecture.
(3) Difficulty in comprehensively maintaining the necessary level of security, visibility, and control.
Zero Trust architecture aligns with the principles of Gartner’s Cybersecurity Mesh Architecture (CSMA) and is designed to work when all of its principles are implemented and adopted constantly and holistically. Many zero-trust-adopting businesses struggle to maintain a consistent level of security, visibility, and control across a complex and dynamic environment of multiple layers, multiple vendors, traditional processes, and siloed business operations.
(4) Difficulty integrating existing security infrastructure and tools with a zero-trust architecture.
Most businesses are built on and still use traditional strategies and technologies that are becoming obsolete and were never built to support or integrate Zero Trust principles. Integrating such traditional environments to support a Zero Trust architecture becomes a huge challenge for businesses interested in adopting Zero Trust, as it demands heavy reforms in existing environments, resulting in significant gaps and heavy resource and budget consumption.
(5) Difficulty in ensuring the necessary level of security for cloud and mobile environments.
Zero Trust requires every identity to be constantly authenticated and granted only the minimum level of access to resources needed to do its tasks. Many organizations today have controls and policies that are not built with zero-trust principles in mind. Implementing zero-trust principles in environments where data, applications, and infrastructure rely on the cloud for functioning can be very challenging. Introducing new changes in such an environment can become expensive quickly. It can lead to downtime and to friction in user productivity and experience, which may further result in business loss or service disruptions.
(1) Shift in mindset
Although the term Zero Trust was conceived in 2010 by John Kindervag, an analyst at Forrester Research Inc., today, businesses everywhere are still struggling to understand and implement its principles.
This indicates not only the change required in the traditional business mindset but also the amount of time it can take for the business world to fully understand, transform, and adopt Zero Trust.
(2) Marketing noise causes confusion
Although Zero Trust has become the new industry standard for cybersecurity, its frequent productization by vendors and sales teams has led to confusion and misconceptions around it. Vendors today intensively overuse the term ‘Zero Trust’ for their own benefit. As stated earlier this year by Zscaler’s CEO, Jay Chaudhry, “Network security firms have ‘hijacked’ zero trust,” resulting in a fog around this imperative notion. Unfortunately, organizations end up mainly with a ‘fancy’ toolset but not with the appropriate mindset.
(3) Cybersecurity skills shortage
According to experts, 59% of businesses would find it difficult to respond to a cybersecurity incident due to the shortage of cybersecurity skills. While over 3.4 million cybersecurity jobs are waiting to be filled, the available talent is mainly educated on network-centric security rather than identity-centric security — making it even harder for organizations to adopt and implement Zero Trust.
(4) Resistance to change and adoption of new technologies and processes
Every organization has workers who may be reluctant to change and may need special training to understand and adopt new technologies and processes introduced in an existing workplace environment. It can be time- and resource-consuming for businesses to conduct such special employee training while productivity also drops.
(5) Difficulty in balancing security with user experience and accessibility
Implementing security practices of Zero Trust in an existing digital infrastructure means re-designing key processes, operations, UI/UX elements, etc., from a Zero Trust security perspective. It poses significant challenges for businesses, requiring major reforms in an already functioning business environment.
(6) Lack of understanding of the concept of Zero Trust architecture and its benefits.
A survey finds that nearly half of the IT professionals surveyed (47%) say their company’s leadership doesn’t understand zero trust security.
The traditional site-centric “moat-and-castle” architecture served as the main foundation for cybersecurity for decades. Shifting to a new mindset and strategy is a highly challenging task at the organizational level. The departments and teams are experienced and synced around a site-centric and network-identities strategy, and shifting away from it requires a granular and fundamental change in mindset.
(1) Difficulty in obtaining buy-in and support from upper management and other key stakeholders
Adopting Zero Trust is a major ongoing change in any organization — a change in terms of both business infrastructure and mindset. Due to a lack of knowledge, employee resistance, or other factors, the higher management of a business may not approve the implementation of Zero Trust.
(2) Insufficient budget and resources to implement and maintain a zero-trust architecture.
The changes required for implementing Zero Trust in all aspects of a business can require a plethora of resources and investment that the management or other stakeholders of an organization may not approve, while small-to-medium enterprises may not even have the required resources to begin with.
If an organization fails to implement a zero-trust architecture, it may be at a higher risk of data breaches and cyberattacks. This can lead to several negative outcomes, such as financial losses, reputational damage, legal liabilities, loss of confidential information, difficulty managing a distributed workforce, and many more.
Mesh Security is the industry’s first complete Zero Trust Posture Management (ZTPM) SaaS platform, a single source of truth that enables companies to implement and monitor a unified ZTA on top of their existing stack. Without using agents, Mesh seamlessly maps a company’s entire cloud XaaS estate in minutes, providing comprehensive contextual visibility, control, and protection of the ‘Everywhere Enterprise’.