Gartner Survey Reveals 63% of Organizations Worldwide Have Implemented a Zero-Trust Strategy
For Most Organizations, a Zero-Trust Strategy Typically Addresses Half or Less of an Organization’s Environment
Sixty-three percent of organizations worldwide have fully or partially implemented a zero-trust strategy, according to Gartner, Inc. For 78% of organizations implementing a zero-trust strategy, this investment represents less than 25% of the overall cybersecurity budget.
A fourth-quarter 2023 Gartner survey of 303 security leaders whose organizations have already implemented (fully or partially) or are planning to implement a zero-trust strategy found that 56% of organizations are primarily pursuing a zero-trust strategy because it’s cited as an industry best practice.
“Despite this belief, enterprises are not sure what top practices are for zero-trust implementations,” said John Watts, VP Analyst, KI Leader at Gartner. “For most organizations, a zero-trust strategy typically addresses half or less of an organization’s environment and mitigates one-quarter or less of overall enterprise risk.”
Gartner outlined three primary top-practice recommendations for security leaders implementing a zero-trust strategy.
Practice 1: Establish Scope for a Zero-Trust Strategy Early
To successfully implement zero-trust, organizations need to understand how much of the environment they cover, which domains are in scope and how much risk they can mitigate.
The scope of a zero-trust strategy does not typically include all of an organization’s environment. However, 16% of survey respondents said it will cover 75% or more while only 11% believe it will cover less than 10% of the organization’s environment (see Figure 1).
Figure 1: Percentage of Environment to Cover With Zero-Trust
Source: Gartner (April 2024)
“Scope is the most critical decision for a zero-trust strategy,” said Watts. “Enterprise risk is much broader than the scope of zero-trust controls, and only so much enterprise risk can be mitigated. However, measuring risk reduction and improving security posture is a key indicator of success for zero-trust controls.”
Practice 2: Communicate Success Through Zero-Trust Strategic and Operational Metrics
Seventy-nine percent of organizations that have fully or partially implemented zero-trust have strategic metrics to measure progress, and of that 79%, 89% have metrics to measure risk.
Security leaders must also keep their audience in mind when communicating these metrics. Fifty-nine percent of zero-trust initiatives are sponsored by either the CIO or CEO/president/board of directors.
“Zero-trust metrics must be tailored for the zero-trust deliverables as opposed to rehashing metrics used for other areas, such as the effectiveness of endpoint detection and response,” said Watts. “Zero-trust efforts deliver on specific outcomes – such as reduction of malware’s lateral movement on a network – often not captured by existing cybersecurity metrics.”
Practice 3: Anticipate Increases in Staffing and Costs but Not Delays
Sixty-two percent of organizations anticipate their cost will increase and 41% of organizations expect their staffing requirements will also increase as a result of a zero-trust implementation.
“The budget impacts of organizations who adopt a zero-trust strategy will vary based on the scope of the deployment as well as how robust the zero-trust strategy is early in the planning process,” said Watts. “Zero-trust initiatives inherently affect the budget as organizations take a systemic and iterative approach to mature their policies toward risk-based and adaptive controls, adding overhead to the organization’s ongoing operational burden.”
While only 35% of organizations said they encountered a failure that disrupted their zero-trust strategy implementation, organizations should have a zero-trust strategic plan outlining operational metrics and measure the effectiveness of zero-trust policies in order to minimize delays.
Gartner clients can read more in “Top 3 Recommendations From the 2024 State of Zero-Trust Adoption Survey.” Learn how to adopt a zero trust mindset in the complimentary Gartner webinar Cut Through Zero Trust Hype and Get Real Security Strategy Advice.