Zero trust touches everything: identity, applications, networks, data, and devices. The best approach is not to change everything all at once. Instead, start with the big picture.
In our research, we’ve found the most successful organizations dedicated the first phase of theirzero-trust initiativesto working out an architecture. They didn’t rush into deploying solutions as though starting with a greenfield.
Everyone else dove in fast, mixing the foundational work onzero trustwith one or more of the knock-on efforts: rearchitecting networks, security, and data management; buying tools; forming implementation teams and setting them to work. All those things need to happen, of course, but with zero trust, it pays to do a lot more thinking about how all the pieces will fit together before undertaking the changes needed, either at the architectural level or in the tool set.
When we talk about security success, in this case we mean organizations with a very low ratio of serious cybersecurity incidents. The more successful organizations had, at the most, two serious incidents per 100 cybersecurity incidents (a serious incident is defined as one that has an impact on staff or the business, or requires external reporting). And in most cases, these successful organizations kept their ratios well below this 2% threshold. (Data comes from Nemertes’ recent research on cybersecurity, theSecure Cloud Access and Policy Enforcement Research Study 2021-22)