While Zero Trust (ZT) security is mainstream in the US and Europe, it has only just begun gaining momentum in Asia Pacific (APAC). Why now? The global pandemic has accelerated cloud migration and remote work at the same time that firms are grappling with rapidly changing regulations and mounting consumer pressure for improved data privacy. This combination of trends has pushed APAC leaders to take a fresh approach to security and accelerate ZT adoption. Now is the time to embrace ZT and learn lessons from global peers and others who have been on the journey. To that end, I collaborated with my colleague Chase Cunningham (who leads our ZT research globally) to align the local and global experiences on this very important topic. Forrester clients can access here.
ZT Adoption Has Begun Accelerating In APAC
Zero Trust is an architectural model that combines microperimeters and microsegmentation with other critical capabilities to more intelligently and strategically upscale an organization’s security posture. It increases data security through obfuscation, limits the risks associated with excessive user privileges, and uses analytics and automation to dramatically improve security detection and response. Forrester created ZT in 2009, and it has since become a dominant security model. In August 2020, the US National Institute of Standards and Technology released its standard for ZT architecture; the US federal government, including the Department of Defense, uses ZT as a key piece of its long-term security strategy.
Firms and public sector entities across APAC are now exploring the benefits of ZT as their security architecture of choice:
- Firms in APAC are adopting ZT in a piecemeal fashion, without necessarily naming it. Chase and I interviewed dozens of CISOs around the region who are doing elements of the framework such as identity and access management and microsegmentation. Many acknowledged the guiding principles of ZT, such as, “never trust, always verify.” But full adoption and naming is still rare — not everyone is ready to take the plunge yet and embrace something different.
- CISOs in APAC see the business benefits, and vendors are coming to market to help with architectures. Thirty-seven percent of C-level security decision-makers in APAC view the complexity of their environment as a key challenge.(1) ZT helps firms rationalize security investments and reduce complexity. CISOs are also increasingly leveraging the framework to align stakeholders on common principles and improve collaboration. And while the vendor community is often accused of overhyping, in this case many are driving improved awareness and understanding of ZT benefits.
But Regional Issues Impact Adoption
CISOs in the region are at wildly different stages of adoption, ranging from “we are learning” to “ZT is a strategic priority, and we are implementing.” This disparity makes it difficult to set standard, region-wide adoption priorities, agree on a common lexicon, and share lessons learned. Some of the challenges CISOs in APAC have raised include:
- Relatively small security functions, with minimal influence within organizations. Twenty-nine percent of C-level security decision makers in APAC say they struggle with visibility and influence, compared with only 13% in North America.(1) Nineteen percent also cite lack of security staff as a major challenge. Hence, even if APAC CISOs have the bandwidth to manage large scale implementations, they’re likely to struggle getting the support and budget needed to deliver.
- The “zero” in Zero Trust is jarring for many cultures which are founded on trust. Nomenclature was repeatedly raised to us as an obstacle for adoption, since trust plays a significant role in many APAC cultures. Don’t balk at the nomenclature. Acknowledge the many valid concerns your organization and stakeholders have, but work to overcome them through education. Explain to them how Zero Trust actually builds customer trust in your organization by enhancing security. Create engaging ZT content and stay away overly manufactured security presentations and tech-speak. Focus on impact and likelihood rather than fear, uncertainty, and doubt. Use techniques like gamification to communicate your message, and use messages such as “Trust Starts with Zero Trust.”
Embrace Zero Trust And Address Your Own And Your Stakeholders’ Concerns
Implementing ZT in Asia Pacific requires more upfront planning than it does in other regions that began adopting it earlier and have many more pioneers to learn from. While no government in our region has yet adopted ZT as its cybersecurity agency’s framework, some, such as the Australian government’s Essential Eight, map to elements of the framework. So, start developing your ZT roadmap by assessing the maturity of your current ZT state, documenting where you can reuse existing capabilities, and setting goals for your future state. One of the things I’ve personally learned through this journey is that many organizations already possess key capabilities required for Zero Trust. It’s not as overwhelming as it sounds. And it’s time to act.
To learn more about How To Implement Zero Trust In Asia Pacific, you can access this on-demand webinar for more information.
(1) Base: 267 C-level security decision makers in Asia Pacific. Source: Forrester Analytics Global Business Technographics® Security Survey, 2019.