Datacom research explores reality of zero trust in ANZ
Zero trust is fast emerging as global best practice in cybersecurity and local leaders are on board, with 83% considering it essential to the future of their organisation's security.
The finding comes from a study conducted by Forrester Consulting commissioned by Datacom, Australasia's homegrown technology services provider, which looked at how cybersecurity decision-makers are approaching zero trust in this part of the world.
Of 204 cybersecurity decision-makers at organisations across Australia and New Zealand surveyed by Forrester, 58% indicated they were well on their way to implementing zero trust, while just 17% were yet to begin.
Escalating cybersecurity risks compounded by rapid digital transformation and the shift to remote working spurred by the Covid-19 pandemic have seen security advisors urge the move to zero trust to combat cyber-attacks and data breaches.
With a zero trust strategy in place, the default position for an organisation's IT security is that every person and device must be verified and authorised before getting access to information, devices or networks.
Karl Wright, Datacom's chief information officer and chief information security officer, says, “A zero trust approach keeps your people and your organisation safe by giving the right people access to the right data and applications and removing unnecessary risks.”
Despite the high level of support for zero trust from cybersecurity decision-makers and business leaders, Wright says the study highlights several potential barriers to successful implementation that need to be addressed, including one surprising group of detractors: those responsible for implementing and managing it.
While 83% of decision-makers see zero trust as the future of their firm's security, only 52% of security teams were seen as supporters at the outset of zero trust implementations. Just 40% of operational business or technology teams were identified as supporters at the outset.
Overall, 48% of the decision-makers surveyed said their stakeholders struggled to understand the business value of adopting a zero trust approach.
Wright says the study shows the importance of communication as part of a company's zero trust strategy is being vastly underestimated: 52% of cybersecurity decision-makers in the survey identified technical knowledge as the most important factor in driving zero trust programmes, while just 13% identified communication as important.
Stakeholders are not buying into zero trust because they are not getting the information they need. Implementing a zero trust approach is not as simple as adopting a new piece of technology, and organisations really need to consider adopting a change management approach, the research finds.
“For the IT and security teams that are going to roll this out, they need to know a zero trust approach will give them more visibility into their organisation's security status and make it easier to protect their business from breaches,” says Wright.
According to the research, employees need to know that zero trust is not about locking them out of the apps and data they need. Having the right zero trust architecture and protocols in place provides simplified, secure access to technology and information for employees and supports remote and hybrid working models.
Forrester Consulting's customer survey also revealed a trend towards piecemeal adoption of zero trust in Australian and New Zealand organisations.
While over half of respondents described their organisations as well on their way with zero trust implementation, 69% of all survey respondents said they were adopting zero trust piecemeal rather than taking a big-bang structured approach.
Wright says piecemeal adoption might work well in the short term but could lead to inefficiencies, with organisations facing additional integration and operational costs in the long run. Survey respondents also noted differing levels of maturity in their application of zero trust in different areas.
Decision-makers perceived their zero trust maturity highly in several key areas including analytics and automation (78%), device (78%) and network (70%) but identified cloud workload (possessing technical capability to enforce compliance controls and industry best practices against cloud repositories) at just 49%.
Less than half of those surveyed expressed confidence in the data and analytics at their disposal to gain insights into cloud workloads. That's a potential risk when it comes to compliance requirements and knowing exactly where information is and who has access to it on cloud platforms, the researchers state.
Another barrier to zero trust adoption, highlighted by the survey results, is a lack of skills and resource: 46% of respondents said their organisation is interested in zero trust but their internal teams lack the time or expertise to adopt best practices effectively.
With the global shift toward zero trust, Wright says local organisations will need to proactively address the barriers if they want to meet expectations from customers, partners and authorities around privacy and data security.