63 Percent of Organizations Implemented a Zero-Trust Strategy

According to a Gartner survey, 63% of organizations worldwide have fully or partially implemented a zero-trust strategy. For 78% of organizations implementing it, this investment represents less than 25% of the overall cybersecurity budget.

A fourth quarter 2023 Gartner survey of 303 security leaders whose organizations had already implemented (fully or partially) or are planning to implement a zero-trust strategy found that 56% of organizations are primarily pursuing a zero-trust strategy because it’s cited as an industry best practice. “Despite this belief, enterprises are not sure what top practices are for zero-trust implementations,” said John Watts, VP Analyst and KI Leader at Gartner. “For most organizations, a zero-trust strategy typically addresses half or less of an organization’s environment and mitigates one-quarter or less of overall enterprise risk.” Gartner outlined three primary top-practice recommendations for security leaders implementing a zero-trust strategy.

Practice 1: Establish Scope for a Zero-Trust Strategy Early

To successfully implement zero-trust, organizations need to understand how much of the environment they cover, which domains are in scope, and how much risk they can mitigate. The scope of a zero-trust strategy does not typically include all of an organization's environment. However, 16% of survey respondents said it will cover 75% or more while only 11% believe it will cover less than 10% of the organization’s environment.

“Scope is the most critical decision for a zero-trust strategy,” said Watts. “Enterprise risk is much broader than the scope of zero-trust controls, and only so much enterprise risk can be mitigated. However, measuring risk reduction and improving security posture is a key indicator of success for zero-trust controls.”

Practice 2: Communicate Success Through Zero-Trust Strategic and Operational Metrics

79% of organizations that have fully or partially implemented zero-trust have strategic metrics to measure progress, and of that 79%, 89% have metrics to measure risk. Security leaders must also keep their audience in mind when communicating these metrics. 59% of zero-trust initiatives are sponsored by either the CIO or CEO/president/board of directors.

“Zero-trust metrics must be tailored for the zero-trust deliverables as opposed to rehashing metrics used for other areas, such as the effectiveness of endpoint detection and response,” said Watts. “Zero-trust efforts deliver on specific outcomes - such as reduction of malware’s lateral movement on a network - often not captured by existing cybersecurity metrics.”

Practice 3: Anticipate Increases in Staffing and Costs but Not Delays

62% of organizations anticipate their cost will increase and 41% of organizations expect their staffing requirements will also increase as a result of a zero-trust implementation. “The budget impacts of organizations who adopt a zero-trust strategy will vary based on the scope of the deployment as well as how robust the zero-trust strategy is early in the planning process,” said Watts. “Zero-trust initiatives inherently affect the budget as organizations take a systemic and iterative approach to mature their policies toward risk-based and adaptive controls, adding overhead to the organization’s ongoing operational burden.”

While only 35% of organizations said they encountered a failure that disrupted their zero-trust strategy implementation, organizations should have a zero-trust strategic plan outlining operational metrics and measuring the effectiveness of zero-trust policies to minimize delays.