Forrester started covering Zero Trust (ZT) adoption in APAC in early 2020, when Zero Trust was largely touted as a buzzword in our region. At the time, this inaugural APAC-specific ZT research showed that, while ZT was already mainstream in the US and Europe, it was slowly but surely gaining adoption in APAC. Fast-forward two years or so, and the story is very different: In 2023, Zero Trust is finally moving from concept to reality in Asia Pacific — Forrester clients can access the report covering the topic here. So what has changed and what has stayed the same?
- Zero Trust in APAC has moved from a piecemeal to a strategic initiative. In 2020, CISOs who we spoke to in the region had fallen short of embracing ZT as a holistic framework and settled for adopting parts of the framework. By contrast, in 2022, 80% of APAC organizations have senior leadership committed to adopting a ZT security strategy and 78% are investing resources into a ZT security strategy. ZT is a strategic initiative, and organizations aren’t shying away from adopting it to its fullest.
- CISOs in APAC have moved from a wait-and-see approach to pioneering adoption. The CISOs who we spoke to in 2020 were still looking toward their peers, adopting a herd mentality to evaluate whether adoption is right for them. This is not so in 2022, when many CISOs we spoke to were seeking many of the benefits of pioneering adoption: to be seen as innovators, garnering commercial benefits, and working with new solutions.
- APAC organizations understand that ZT comes with significant business and employee experience benefits. In 2020, organizations in APAC still underfunded security initiatives, with 29% of C-level security decision-makers saying that lack of visibility and influence was a top IT security challenge for their firm. In 2022, the biggest supporters of ZT programs in the region are business executives, and the CISOs who we spoke to are eager to understand and unblock the pain of doing business by using ZT to improve the employee experience and enable the business, as well as provide protection.
There Are Still Obstacles To ZT Adoption, But They’ve Evolved
It is true that ZT is becoming part of the nomenclature in almost all APAC markets, and ZT adoption is now widely accepted and discussed. Like all things security, however, it’s not all beer and skittles. Our 2020 research showed several obstacles to adoption, and while some of these have been resolved, some have stayed the same, with new adoption obstacles emerging. Here are the highlights that we’ve revealed in our 2023 research:
- ZT nomenclature and a paucity of ZT pioneers are no longer stated as obstacles to adoption. Both of these were significant challenges to CISOs in the region in 2020 but were either no longer mentioned as obstacles or have been overcome. For example, ZT nomenclature was a major obstacle for adoption in countries founded on trust, so the CISOs who we spoke to used different language to depict their ZT strategy as a way to solve these nomenclature challenges. And as mentioned above, far from adopting a wait-and-see approach, CISOs in the region are working to realize the many benefits from pioneering adoption.
- The lack of visibility and influence remains an issue, but in 2022, this comes with a twist. In 2022, Zero Trust implementation in APAC is no longer coming from boards or the business but rather largely from technology teams such as network, architecture, and development teams. This means that CISOs in the region have to work harder with their technology counterparts instead of focusing on selling ZT to the overall business.
- Vendor hype and small security functions continue to challenge adoption. Unfortunately, vendors still pretend to be ZT experts, and security functions here remain relatively small. Most security functions are lacking the bandwidth and capability to deliver large-scale implementations such as a Zero Trust rollout, with talent acquisition and retention remaining significant challenges. This will likely remain a challenge, and CISOs will need to be strategic, work with service providers, and cut through vendor hype to overcome these.
- Two new obstacles to adoption emerge. The CISOs who we spoke to mentioned two new obstacles that they now encounter. They are overwhelmed by the sheer volume and scope of the many well-intended ZT frameworks and definitions, such as from the National Institute of Standards and Technology, the White House, the Cybersecurity & Infrastructure Security Agency, or the Singapore government. CISOs here simply aren’t always sure which framework to adopt for what purpose. And legacy applications remain a major bottleneck, inhibiting consistent ZT implementations.
Overcome The Challenges And Leapfrog To Modern Security By Embracing ZT
In conclusion, you can wait to see if your government, board, or media talk enough about ZT for you to take notice. On the other hand, you can be proactive, lead the way in adoption, and get the many commercial, strategic, and leadership benefits that can come with being an early adopter. How? Here are our tips, but you’ll need to read the research to learn more:
- Assess your ZT maturity.
- Get some quick wins under your belt and demonstrate value along the way.
- Lead with empathy to win over tech stakeholders.
- Challenge vendor claims and demand product rationalization.
- Integrate ZT as part of your digitization strategy.