ZT strategies are often undermined by overly ambitious or haphazard implementation plans that ultimately become incomplete projects and end up stalling or getting scrapped.
Successful zero trust implementations tackle fundamental organizational and technology problems before embarking on ambitious transformation projects. One government entity began its transformation by holding sessions with stakeholders to understand potential impacts before implementation, and then gradually increased awareness. This approach shifts the perception from “yet another security initiative/tool/policy/etc.” to one where you can address specific stakeholders’ interests and highlight how ZT benefits them, not only the security function.
In an industry where goodwill and being right are valuable currency, a clearly defined roadmap that keeps you on course and enables success is essential. The report provides practical guidance on how security leaders can avoid these common problems:
- Fail to align with business objectives or explain the business case.
An all too common stumbling block on the road to zero trust is alignment, or as is all too often the case, misalignment, with business objectives. Initiatives that fail to address specific business goals that go beyond “more security” will flounder. A classic example is IAM systems that don’t take into account legacy infrastructure or employees’ working realities. A security engineer at one software firm said users were being “MFA’d to death”. If poorly thought out, your IAM initiative can quickly turn into another bottleneck that will be treated as an inconvenience.
- Operating in silos, with misaligned views on what the goals of implementing ZT are.
Organizations with siloed business structures create information silos, which over time result in fragmented objectives and a lack of uniformity. A shared vision and shared access to information (data and process) are essential to getting value out of zero trust. One UK bank had an IAM roadmap built on its own idea of Zero Trust, while its networking team wanted to do micro-segmentation with a completely different idea and objective for Zero Trust; predictably, this caused friction and duplicated effort. If your business functions have different ideas of what zero trust looks like, you are basically creating Shadow IT 2.0. Break down those silos to understand individual business interests, and use that information to create a strong business case.
- Forget to define and measure benefits that can be understood by the business.
Defining success for a Zero Trust (ZT) implementation is crucial for measuring progress and ensuring tangible benefits. Success in ZT means a stronger defense with measurable results, such as reduced breaches, faster threat response, or increased productivity. One German-based manufacturer linked ZT funding streams to productivity enhancements and increased agility and choice. Tangible KPIs that let you take the pulse of your progress towards these goals enable you to identify problems and course-correct quickly. Start by developing three levels of metrics, strategic, operational and tactical, that appeal to your stakeholders.
The full report provides a detailed step-by-step approach to designing and implementing a Zero Trust roadmap, addressing each stage of the process. By following the recommendations and avoiding common pitfalls, organizations can successfully transition to the Zero Trust security model. Forrester clients can access the full report here.