News

Zero Trust Gains Ground Despite Lack of Expertise, Staffing

• By David Ramel
• 06/08/2022

The Zero Trust security model is gaining traction in the enterprise even though it's still being held back by the ever-present skills shortage, says a new report published during this week's RSA security conference.

Titled "CISO Perspectives and Progress in Deploying Zero Trust," the survey-based report comes from the Cloud Security Alliance (CSA), a not-for-profit organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment.

Zero Trust is an alternative to the standard security approach of protecting IT systems with a secure network perimeter. Instead of trying to secure perimeters, Zero Trust assumes that such fortress security approaches will fail or have already been penetrated, seeking to lessen the damage that can be caused. It has grown in popularity with the advent of hybrid work models, the proliferation of endpoints and bring-your-own devices, disparate and interconnected systems spanning clouds and enterprise datacenters, and just general complexity all around.

"The principles of Zero Trust have been around for over a decade," the CSA said. "Yet recently, the term and its implementation have garnered a lot more attention for enterprises protecting their IT systems. With the advancement of digital transformation, the shift of the workforce during the pandemic, and the announcement of the US executive order on cybersecurity, Zero Trust has taken a front seat as a promise for protecting enterprises."

That executive order is detailed in last month's article titled "Agencies Advance on Biden's 2021 Zero Trust Order." It requires federal agencies to adopt security best practices and advance toward a Zero Trust architecture.

According to the CSA, that advance is moving smartly forward, with 80 percent of C-level executives reporting that Zero Trust is a priority for their organizations:

What's more, 94 percent are in the process of implementing Zero Trust strategies:

And 77 percent are increasing their spend in Zero Trust over the next 12 months:

However, the years-long drought of expertise in cloud computing, cybersecurity and other tech sectors is holding back Zero Trust in the enterprise, the survey indicates, just like many others have.

Specifically, the report shows that "Lack of knowledge and expertise" is the No. 1 business barrier to adopting a Zero Trust strategy, listed by 37 percent of all respondents, just ahead of "Lack of internal alignment or buy-in" (29 percent) and another skills-related issue, "Additional staffing needs" (31 percent):

As far as technical barriers, those listed by CxO types include (pick up to three): Defining access requirements (33 percent); Policy enforcement across technology stack (31 percent); Access across technology stack (31 percent); Legacy technology (30 percent); and Pre-existing roles and responsibilities (29 percent).

On the whole, though, things are looking up for Zero Trust.

"The philosophy of Zero Trust has the potential to fundamentally reshape our approach to securing the technology we use across the board over the course of the next few years" said Jim Reavis, CEO of CSA. "Arriving at this destination requires greater clarity and a common understanding of Zero Trust principles as well as articulating concise strategies and adopting the appropriate frameworks. This survey is data rich and should be carefully contemplated by the industry to identify the roadblocks and opportunities for pervasive Zero Trust. CSA is aggressively producing valuable research such as this within our Zero Trust Advancement Center to bring the topic in focus for our community."

The survey received 823 responses from IT and security professionals, including 219 C-level executives, from various organization sizes and locations. It is the first installment of a multi-part survey that will be conducted this year.