“The more organizations know about zero trust, the less they feel competent in zero trust,” Goerlich adds. “The more they learn, the more they realize they need to go further.”
In implementing zero trust, no one size fits all
Survey data also indicated a change in zero-trust adoption patterns. Zero-trust early adopters selected products based on their feature set rather than starting with their desired outcomes or use cases, the report explained. Today the focus is on outcomes over features. Organizations are now finding value in adopting zero trust when they focus on business outcomes rather than simply keeping the conversation limited to products and technologies.
“In implementing zero trust, no one size fits all. Therefore, any risk management plan priority should be to focus on outcome requirements, including IAM, visibility, data protection, resilience, and incident response,” says Chuck Brooks, president of Brooks Consulting International and an adjunct professor in Georgetown University’s graduate applied intelligence and cybersecurity programs. “To optimize the risk plan, it needs to include people, processes, and technologies. What technologies and products are selected will depend on the requirements and missions.”
Zero-trust principles baked into every layer
“What often happens to security concepts that begin as buzzwords and capture momentum is they fade off into business as usual,” Goerlich says. “What we’re seeing is people no longer asking, ‘Are you doing zero trust?’ It’s, ‘Are you securing this new line of business? Are you securing our mergers and acquisitions? Are you protecting us against ransomware? Are you enabling the business to keep up to changing market demands and changes in the threat landscape?’”
“Now that we have the outcomes identified,” Goerlich continues, “we can apply the appropriate technologies and appropriate pillars to achieve those outcomes. What we’re going to continue to see is zero-trust principles becoming fundamental security principles. As we move forward, good security is good security, and good security will include some of these zero-trust principles baked into every layer.”