OK, Zero Trust Is An RSA Buzzword — So What?
Last week was the annual RSA Conference. Estimates are that more than 45,000 security personnel, business professionals, and leaders attended the event, up from 35,000 last year. Regardless of the numbers, it was an epic display of how prevalent cybersecurity has become.
As expected, a few buzzwords rang throughout the Moscone Center halls. Artificial intelligence, machine learning, GDPR, and Zero Trust were everywhere. Because of the work that we do at Forrester, and thanks to John Kindervag coining the term nearly a decade ago while at Forrester, most of our team was approached at some point with a question around Zero Trust (sorry, team!).
As I meandered — or, in some cases, sprinted — between meetings with folks at or near the event, I was stopped dead in my tracks by an attendee who must have correlated my picture with some of the Zero Trust material. He stepped directly in my path and said, with conviction in his eyes, “Zero Trust is a buzzword, dude.” Now, my immediate response to anyone who stands directly in my path is usually to either sidestep them and move on or drop my shoulder and make them regret their foolish positioning. But I had a few minutes to kill that day, and it seemed like a good chance to gain some insight into what someone whom I don’t often speak with thought.
Our conversation was brief, but this is how it went.
Dude: “Zero Trust is a buzzword and basically a sales pitch.”
Me: “So is literally everything else at this show. That’s kind of the point, hoss.”
Dude: “Fair enough, but people are selling Zero Trust tools and technologies, and as far as I know, there aren’t many use cases or instances of end user clients doing Zero Trust. There’s no Zero Trust compliance directive or framework.”
Me: “OK. I realize there are a lot of companies selling Zero-Trust-related technologies and offering Zero Trust solutions, and I can see how this might make it a buzzword. But just because you don’t know any end user clients using Zero Trust, or how or where they’re using these solutions, doesn’t mean it isn’t happening. It’s in the realm of the possible that organizations might be engaging in this endeavor and you, the all-powerful Oz, don’t know about it.”
Dude: “I get your point. Snark much?”
Me: “No, never. Now out of my way, or EMS will be peeling you off the floor.”
We bumped fists and moved on. It was an interesting moment on an intellectual level and provided me with a point of reflection.
As I thought more about it, I realized that it’s actually all right that Zero Trust has reached buzzword status. This means that there’s enough gravity around the term and the potential benefits to clients for most vendors and a ton of end users to be asking questions around it. It’s a good thing that there’s so much momentum behind changing strategy from technology buying to strategic technical alignment, and it’s a good thing that some semblance of a related lexicon around Zero Trust is emerging.
It’s a bad thing if the industry allows the outcome of the adoption and alignment for Zero Trust to be marketed to death solely for selling gear. And it’s a bad thing if end users are never willing to stand up and act as guideposts of what Zero Trust is supposed to look like. If that happens, Zero Trust really is just “marketology,” and the term will become just another drop in the ocean of shenanigans that is market outreach.
Luckily, real use cases showing how Zero Trust is being deployed are coming very soon, and Forrester launched our own demonstration of a Zero Trust virtual reference architecture. I can’t speak for others in the space, but I’m working to provide insight in this area by authoring a series of papers that detail real-world deployments of Zero Trust. There are vendors that understand where and how their solutions tie into Zero Trust, and there are vendors and users that have embraced Zero Trust X as the framework they use to clarify a solution’s position in the industry. Lastly, there are examples of quality speaking sessions and designs around Zero Trust that indicate that a movement is underway.
Is Zero Trust a buzzword? Sure. And that’s OK — for now.
Buzz can be a good thing if the right outcomes are the result of the hype, and I think we are just starting to see that. The industry alignment, compliance, technical definitions, and directives are coming, but we’re collectively only a few years into the growth cycle for Zero Trust. It will take time for more formality and deeper technical outcomes to balance out against marketing — that’s how things work. First the market grows and buzz is established as more users dive in on the idea, and later, specific technical items emerge (I’m pretty sure there was a lot of buzz around the automobile when people were still riding horses, and it wasn’t until decades later that the first mandates for engine design or safety-compliant designs showed up — yes, I know, more snark).
Rome wasn’t built in a day, and we can’t undo 30 years of failed security strategy overnight.
Buzz Buzz Buzz.