Zero Trust: An Essential Cybersecurity Strategy
Zero trust is an idea that has been gaining traction in the world of cybersecurity over the past few years. It is a key component of President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity (issued in May 2021) and it is a trend that Gartner has been tracking closely. The analyst firm predicts that spending on zero trust solutions will grow from $820 million this year to $1.674 billion by 2025.
But what is zero trust? And, what makes it an effective solution to mitigate cybersecurity threats? Zero trust is an IT security model that focuses on restricting information access within an organization to only those who need it. The premise of zero trust is to assume that threat actors are present both inside and outside an organization — therefore no users or machines are trusted by default.
In our 2022 Compliance Benchmark Report, we surveyed more than 700 cybersecurity, IT, quality assurance, internal audit, finance, and other professionals about their compliance programs. Here’s what we learned about how organizations are thinking about zero trust strategies.
Zero Trust Priorities Vary Between Industries
While over half of our survey respondents (58%) agree or strongly agree that zero trust is a strategy they must implement in the next 12 months, 29% said they are not sure what they think about its level of importance.
Priorities vary between industries, with IT services (68%), manufacturing (65%), and technology (64%) companies providing the highest amount of agree/strongly agree answers. On the other end of the spectrum, finance (49%) and professional services (47%) had the lowest amount of agree/strongly agree responses.
It’s important to note that public sector organizations who hope to do business with the federal government — regardless of their industry — must prioritize zero trust as mandated by the EO previously mentioned. As we approach one full year since that EO has been in place, we’ll likely see more industries prioritize zero trust in the year to come.
Larger Companies Are Quicker to Adopt Zero Trust
Responses also varied by company size. Our survey found that 73% of organizations with $50M – $1B in annual revenue agree/strongly agree about the need to adopt a zero-trust security strategy. For companies with less than $5M in revenue, that percentage dropped significantly to 45%. These numbers indicate that larger companies believe they are a top target for cybersecurity attacks and are taking the initiative to plan ahead and protect systems and information.
Other Cybersecurity Initiatives Remain Top of Mind
Despite lower adoption of zero trust strategies among certain industries and smaller companies, many organizations across industries still noted they would complete other cybersecurity initiatives to mitigate threats. Vulnerability scans were the most popular initiative, noted as a priority by 52% of our survey respondents, followed by penetration tests (48%) and creating business continuity and disaster recovery (BCDR) plans (42%).
Interestingly ISO 22301 certifications — a renowned standard for BCDR planning — were a particularly high priority for IT services organizations and manufacturing companies.
A Strategic Approach to Implementing a Zero-Trust Architecture
Implementing a zero-trust architecture within any organization can feel like a daunting feat without the right preparation. To make this process more manageable, the experts at A-LIGN recommend a step-by-step approach.
Before you get started, it’s important to troubleshoot possible scenarios that may occur during the implementation process. From there, plan and implement zero trust in ‘zones’ throughout your organization’s infrastructure whenever possible. This strategy will allow you to keep key business operations up and running while mitigating the chance of downtime across too many areas of your business all at once.