Security

Where Are You in Your Zero-Trust Maturity?

A modern cybersecurity journey involves five stages. IT decision-makers should track their progress.

J.P. Pressley is a contributing writer to BizTech magazine and an editor at Manifest.

Zero trust is an increasingly popular security architecture, especially when considering the security challenges associated with artificial intelligence. That’s why 96 percent of organizations have either implemented a defined zero trust security initiative or plan to do so soon, according to Okta’s latest report on the state of zero-trust security.

Even so, it’s often difficult for organizations to gauge how secure they really are. But it doesn’t have to be that way. From pre-zero trust to its advanced operation, zero-trust maturity follows a continuum that IT decision-makers can use to track their progress. Here is some guidance to advance from stage to stage.

Click the banner to learn how to assess your zero-trust maturity level.

Stage 1: Pre-Zero Trust

Most organizations are turning to zero trust, but this also means they don’t start out with it. In this pre-zero trust stage, businesses have traditional, perimeter-based security models with a high degree of implicit trust within their networks. Security controls primarily focus on network boundaries and don’t emphasize least-privilege access or other fundamentals of zero trust.

To advance from this stage, organizations must assess their present security setups to gain a holistic understanding of their strengths and weaknesses. Next, they should explore security options to overcome these shortcomings — which can lead to awareness of zero trust.

Stage 2: Awareness of Zero Trust

Perimeter-based security has its pros, but it also has major cons. For instance, this security approach “only distrusts factors outside the existing network,” according to Fortinet. “Once a threat is able to cross the moat and get inside the network, it has free rein to wreak havoc within the castle that is your system.”

At this stage, having recognized these and other limitations of traditional security models, organizations commonly develop an awareness of zero-trust concepts. To advance along the maturity continuum, however, knowledge is not enough. It must be actualized in the form of adoption.

Stage 3: Early Zero-Trust Adoption

Early adoption is the first stage in the Cybersecurity & Infrastructure Security Agency’s Zero Trust Maturity Model. “This includes manual configurations and assignment of attributes, static security policies and coarse dependencies on external systems, along with manual incident response and mitigation processes,” writes John Candillo, a CDW field CISO in a recent blog. “Currently, this is the stage at which most organizations find themselves.”

During early adoption, an organization may implement zero-trust components such as multifactor authentication or basic identity and access management controls. But to progress further, IT leaders must enact additional zero-trust policies and be strategic about their zero-trust security posture.

65

The percentage of cybersecurity professionals who are prioritizing multifactor authentication

Source: Cybersecurity Insiders, “2023 Zero Trust Security Report,” June 2023

Stage 4: Intermediate Zero Trust

According to Cybersecurity Insiders’ 2023 Zero Trust Security Report, 65 percent of cybersecurity professionals are prioritizing MFA, and 46 percent are prioritizing identity management and governance— both more than any other zero-trust control. But other controls can be just as significant. This intermediate stage can encompass the second stage of the CISA maturity model, in which “automation is introduced,” according to Candillo. “This includes attribute assignment and configuration of lifecycles, policy decisions and enforcement, and initial cross-pillar solutions with integration of external systems.”

Organizations at this intermediate stage are also actively planning and evaluating their security posture in relation to zero-trust principles. They are conducting assessments and gap analyses to identify areas of improvement and are developing strategies and roadmaps for further zero-trust adoption.

“Tools such as effective identity and access management solutions are necessary, but they must be deployed strategically and integrated with other elements, such as data governance,” Candillo and other CDW experts write in another white paper. “Among the most critical use cases for zero trust are implementing principles within an organization’s backup and recovery systems, enhancing the secure experience of remote workers and securing complex cloud infrastructures.”

Stage 5: Advanced Zero Trust

At this stage, organizations have already integrated multiple zero-trust components into their security infrastructure and have an ongoing monitoring and optimization process in place. They are running continuous monitoring, so threat detection and response capabilities are part of security operations.

Emphasizing centralized visibility and identity control, dynamic policies based on automated or observed triggers, and alignment with open standards for cross-functional interoperability, this stage can encompass the final two levels of the CISA maturity model.

In transitioning to this stage, organizations will “find that their solutions rely more heavily upon automated processes, systems are integrated across pillars, and they become more dynamic in their policy enforcement decisions,” according to Candillo.

DISCOVER: How to build a zero trust model for your network.

Organizations that achieve this highest level of maturity have fully embraced the zero-trust model as part of their security culture. But those who aren’t there yet can take a number of steps to improve, including gap analyses, benchmarking, self-assessments and a rapid maturity assessment. And no matter the stage, help is available for organizations to develop roadmaps, budgets and security policies to push forward.

BitsAndSplits / Getty Images