Almost all ICT decision-makers agree that zero trust is the future for cyber security, but piecemeal deployments could prove costly, research shows.
Of 204 cybersecurity decision-makers at organisations across Australia and New Zealand surveyed by market analyst Forrester, 58 per cent indicated they were well on their way to implementing zero trust, while just 17 per cent were yet to begin.
The Datacom-sponsored study also found 83 per cent of A/NZ decision-makers believed zero trust was the future for their firms’ security. However, 46 per cent of organisations interested in zero trust reported their internal teams lacked the time or expertise to adopt best practices effectively.
Further, a perception that zero trust was expensive and required an operational overhaul had led to piecemeal deployments that could prove costly in the long run.
Communication was another potential barrier, often overlooked yet critical to achieving buy-in for zero trust strategies.
Zero Trust is fast emerging as global best practice in cybersecurity and local leaders are on board with 83% considering it essential to the future of their organisation’s security.
Under zero trust, the default position for IT security is that every person and device must be verified and authorised before getting access to information, devices or networks.
“A zero trust approach keeps your people and your organisation safe by giving the right people access to the right data and applications and removing unnecessary risks,” said Karl Wright, Datacom’s chief information officer and chief information security officer.
However, the study highlighted that several potential barriers to successful implementation needed to be addressed, including a surprising group of detractors – those responsible for implementing and managing it.
While 83 per cent of decision-makers saw zero trust as the future, only 52 per cent of security teams were seen as supporters at the outset of implementations while just 40 per cent of operational business or technology teams were identified as supporters.
Forty-eight per cent of the decision-makers surveyed said their stakeholders struggled to understand the business value of adopting a zero trust approach.
Wright said that highlighted the importance of communication as part of a company’s zero trust strategy.
Fifty-two per cent of cybersecurity decision-makers identified technical knowledge as the most important factor in driving zero trust programmes, while just 13 per cent identified communication as important.
“Stakeholders are not buying into zero trust because they are not getting the information they need,” Wright said. “Implementing a zero trust approach is not as simple as adopting a new piece of technology and organisations really need to consider adopting a change management approach.”
IT and security teams need to know a zero trust approach will give them more visibility into their organisation’s security status and make it easier to protect their business from breaches, he said.
“Employees need to know that Zero Trust is not about locking them out of the apps and data they need. Having the right zero trust architecture and protocols in place provides simplified, secure access to technology and information for employees and supports remote and hybrid working models.”
Forrester’s survey also revealed a trend towards piecemeal adoption of zero trust in Australia and New Zealand.
While over half of respondents described their organisations as “well on their way” with zero trust, 69 per cent said they were adopting zero trust piecemeal.
Wright said piecemeal adoption might work well in the short term but could lead to inefficiencies, with organisations facing additional integration and operational costs in the long run.
There were some significant differences in emphasis between Australian and New Zealand respondents. Where Australians emphasised keeping up with privacy requirements and the changing nature of threats as challenges, Kiwis struggled to access sufficient skills and to instil a culture of data stewardship.
Decision-makers also noted differing levels of maturity in their application of zero trust in different areas, rating their maturity highly in areas such as analytics and automation (78 per cent), device (78 per cent) and network (70 per cent), but identifying cloud workload maturity at just 49 per cent.
“That’s a potential risk when it comes to compliance requirements and knowing exactly where information is and who has access to it on cloud platforms,” Wright said.
More predictably, 46 per cent of respondents said their organisation was interested in zero trust but internal teams lacked the time or expertise to adopt best practices effectively.
Wright said local organisations will need to address these barriers if they want to meet expectations from customers, partners and authorities around privacy and data security.
In the United States, the Biden administration has directed all government departments to adopt zero trust as part of its national cybersecurity policy.
In New Zealand, agencies Kāinga Ora and the Ministry of Housing appeared to be on-point to lead the adoption of zero trust security in government last year.