A fourth quarter 2023 Gartner survey of 303 security leaders whose organisations had already implemented (fully or partially) or are planning to implement a zero-trust strategy found that 56% of organisations are primarily pursuing a zero-trust strategy because it’s cited as an industry best practice.

“Despite this belief, enterprises are not sure what top practices are for zero-trust implementations,” said John Watts, VP Analyst, KI Leader at Gartner. “For most organisations, a zero-trust strategy typically addresses half or less of an organisation’s environment and mitigates one-quarter or less of overall enterprise risk.”

Gartner outlines three primary top-practice recommendations for security leaders implementing a zero-trust strategy.

Practice 1: Establish scope for a zero-trust strategy early

To successfully implement zero-trust, organizations need to understand how much of the environment they cover, which domains are in scope and how much risk they can mitigate.

The scope of a zero-trust strategy does not typically include all of an organisation's environment. However, 16% of survey respondents said it will cover 75% or more while only 11% believe it will cover less than 10% of the organization’s environment.

“Scope is the most critical decision for a zero-trust strategy,” said Watts. “Enterprise risk is much broader than the scope of zero-trust controls, and only so much enterprise risk can be mitigated. However, measuring risk reduction and improving security posture is a key indicator of success for zero-trust controls.”

Practice 2: Communicate success through zero-trust strategic and operational metrics

Seventy-nine percent of organisations that have fully or partially implemented zero-trust, have strategic metrics to measure progress, and of that 79%, 89% have metrics to measure risk.

Security leaders must also keep their audience in mind when communicating these metrics. Fifty-nine percent of zero-trust initiatives are sponsored by either the CIO or CEO/president/board of directors.

“Zero-trust metrics must be tailored for the zero-trust deliverables as opposed to rehashing metrics used for other areas, such as the effectiveness of endpoint detection and response,” said Watts. “Zero-trust efforts deliver on specific outcomes - such as reduction of malware’s lateral movement on a network - often not captured by existing cybersecurity metrics.”

Practice 3: Anticipate increases in staffing and costs but not delays

Sixty-two percent of organisations anticipate their cost will increase and 41% of organisations expect their staffing requirements will also increase as a result of a zero-trust implementation.

“The budget impacts of organisations who adopt a zero-trust strategy will vary based on the scope of the deployment as well as how robust the zero-trust strategy is early in the planning process,” said Watts. “Zero-trust initiatives inherently affect the budget as organisations take a systemic and iterative approach to mature their policies toward risk-based and adaptive controls, adding overhead to the organisation’s ongoing operational burden.”

While only 35% of organisations said they encountered a failure that disrupted their zero-trust strategy implementation, organisations should have a zero-trust strategic plan outlining operational metrics and measure the effectiveness of zero-trust policies in order to minimize delays.