Building A Zero Trust Roadmap: A Practical Guide
Zero Trust (ZT) strategies are often undermined by overly ambitious or haphazard implementation plans that ultimately become incomplete projects and end up stalling or getting scrapped.
Successful Zero Trust implementations tackle fundamental organizational and technology problems before embarking on ambitious transformation projects. One government entity began its transformation by having sessions with stakeholders to understand potential impacts before implementation and then gradually increased awareness. This approach shifts the perception from “yet another security initiative/tool/policy/etc.” to one that allows you to address specific stakeholder interests and highlight how ZT benefits them, not only security.
In an industry where goodwill and being right are valuable currency, a clearly defined Zero Trust roadmap that keeps you on course and enables success is essential. Our recent report provides practical guidance on how security leaders can plan a successful Zero Trust implementation by avoiding these common problems:
- Failure to align with business objectives or explain the business case
An all-too-common stumbling block on the road to Zero Trust is misalignment with business objectives. Initiatives that fail to address specific business goals beyond “more security” will flounder. A classic example is identity and access management (IAM) systems that don’t take into account legacy infrastructure or employee working realities. A security engineer at one software firm said that users were being “MFA’d to death.” Your IAM initiative, if poorly thought out, can quickly turn into another bottleneck that will be treated as an inconvenience.
- Operating in silos, with misaligned views on the goals of implementing ZT
Organizations with siloed business structures create information silos that, over time, result in fragmented objectives and a lack of uniformity. A shared vision and shared access to information (data and processes) are essential to getting value out of Zero Trust. One UK bank had an IAM roadmap with its own ideas of Zero Trust, while its networking team wanted to do microsegmentation with a completely different idea of, and objective for, Zero Trust; this predictably caused friction and duplicated effort. If your business functions have different ideas of what Zero Trust looks like, you are basically creating shadow IT 2.0. Break down those silos to understand individual business interests, and use that information to create a strong business case.
- Forgetting to define and measure benefits that can be understood by the business
Defining success for a Zero Trust implementation is crucial for measuring progress and ensuring tangible benefits. Success in ZT means a stronger defense with measurable results, such as reduced breaches, faster threat response, or increased productivity. One German-based manufacturer linked ZT funding streams to productivity enhancements and increased agility and choice. Tangible KPIs that give you a pulse on your progress toward these goals let you identify problems and course-correct quickly. Start by developing three levels of metrics — strategic, operational, and tactical — that appeal to your stakeholders.
The full report provides a detailed step-by-step approach to designing and implementing a Zero Trust roadmap, addressing each stage of the process. By following the recommendations and avoiding common pitfalls, organizations can successfully transition to the Zero Trust security model. Forrester clients can access the full report here.