While the past decade focused on determining an organization’s readiness for digital transformation, the 2020s are undoubtedly the decade where organizations try and secure their transformed architectures. More often than not, these efforts center on implementing a zero trust strategy.
But while many enterprises advocate and agree with the zero trust mantra of “never trust, always verify,” these organizations still struggle when it comes to deployment. In fact, Gartner predicts that by 2026, 10% of large enterprises will have a comprehensive, mature and measurable zero trust program in place, up from less than 1% today. While that’s an impressive level of growth, it also highlights the gap that exists between strategy alignment and deployment.
With the specter of federal regulations related to zero trust and cybersecurity looming, many believe this will be the catalyst for a sizable increase in the number of zero trust deployments. In reality, while regulations are a good first step, there are a few issues contributing to the challenges most organizations face with zero trust deployments.
The key to regulation is prescription
Go to any cybersecurity vendor’s website and there will be verbiage related to zero trust. From the network to the endpoint, everyone offers a “zero trust solution” that will be the key to minimizing risk. The issue is that while these solutions usually do offer benefits as part of a zero trust strategy, the way in which they can be deployed amid a broader ecosystem of cybersecurity solutions can be murky.
Federal regulations mandating organizations move to a zero trust strategy would be welcomed, but widespread adoption will not happen without regulations offering prescriptive guidance as to how to implement zero trust. A great starting point already exists in The National Institute of Standards and Technology (NIST)’s Zero Trust Architecture document, which walks through the areas organizations can focus on when it comes to zero trust as well as what technologies should be prioritized for deployment.
Specific guidance founded on the NIST guidelines will make the difference between acceptance that zero trust is the way forward and widespread implementation of zero trust projects.
Solving the resource gap
One of the most critical challenges organizations face with zero trust is that they lack the necessary resources to not only deploy but maintain an effective zero trust implementation. While federal regulations would no doubt make more organizations want to deploy zero trust, in reality they simply cannot afford the costs associated with ensuring they have the right resources in place to deploy a zero trust project. A key way in which new government regulations could help would be if they included incentives or programming for resource-constrained organizations. Offering this type of assistance would have a widespread and immediate impact.
The recent wave of layoffs at high-tech companies might also play a role here. For years, tech companies attracted the best and brightest cybersecurity minds, while other industries struggled with resources. As this ‘talent hoarding’ comes to an end, talented cybersecurity professionals are now looking for new opportunities, which can help organizations that traditionally struggled to attract this talent. This could mean more organizations are in a position to move from zero trust adoption to deployment.
Cybersecurity vendors must do their part
Though cybersecurity vendors do a great job advocating for zero trust, as mentioned earlier, they often do not do enough to help customers move from purchase to deployment. In some cases, these vendors offer their solution as the ‘silver bullet’ that will be instrumental to any zero trust initiative. That reasoning is faulty, as to be done successfully, zero trust must involve all layers of the IT stack. For example, an endpoint security solution cannot address zero trust at the network level and vice-versa. Even so, that does not stop vendors from proclaiming their solution to be the key to zero trust.
In addition, there are larger vendors promoting zero trust platforms, which can be proprietary in nature. The issue here is that there exists no one vendor that can address zero trust across the IT stack, meaning while these platforms can be effective in implementing zero trust in one area, organizations still require additional solutions.
Effective and successful zero trust requires a broad ecosystem of security solutions that would ideally interoperate or integrate with one another. While federal regulations cannot mandate cybersecurity vendors to work together, the industry can do its part by making integrations and interoperability a focus. This will enable organizations to deploy a zero trust strategy with the cybersecurity solutions that work best to meet their critical outcomes. This approach is illustrated in the cybersecurity mesh architecture (CSMA) approach from Gartner.
Whether it is the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), regulations play an important role in ensuring organizations mature their approach to privacy and security. But as is the case with any complex issue, no one measure equals success. While federal regulations related to zero trust will go a long way toward advancing widespread, successful zero trust deployments, without consistent, continuous commitment from government, cybersecurity vendors and end user organizations, these regulations in and of themselves will not be enough.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.