The State of Zero Trust in the UK
Building a Cybersecurity Strategy with Zero Trust
Zero Trust is a foundational component of digital security. In fact, research commissioned by Illumio, the pioneer and leader of Zero Trust segmentation, reveals that 91% of UK businesses alone consider Zero Trust to be an important part of their company's future cybersecurity strategy. Contrastingly though, Illumio's investigation into the current state of Zero Trust in the UK also shows that a storm of confusion about the security approach is brewing. The report's findings indicate some crucial cultural barriers and technical challenges that UK organisations are coming up against in the face of Zero Trust implementation, resulting in many projects and initiatives being ‘redlit'.
In this Q&A, Trevor Dearing, EMEA Director of Technology at Illumio, sheds light on how UK organisations are approaching Zero Trust.
1. Can you give us a brief overview of Illumio's research report, ‘The Current State of Zero Trust in the United Kingdom' and how it affects cybersecurity strategy?
Yes absolutely. Zero Trust has recently become a foundational component to digital security and something a number of cybersecurity vendors, including ourselves, are talking about. As such, we wanted to carry out some research which looked at just how widespread Zero Trust is, how organisations are dealing with its implementation and whether any common challenges are arising.
The research provided a number of interesting statistics for consideration. Very positively, we discovered that the majority (98%) of organisations plan to or have already implemented Zero Trust architecture, and most of them regard it as important to their cybersecurity strategy. Furthermore, the biggest benefit organisations are seeing is that Zero Trust is building confidence in securing critical or confidential data however, organisations are coming up against some technical and cultural barriers when it comes to implementing it.
2. Drawing on Illumio's investigation and your own experience, walk us through how UK businesses are approaching Zero Trust? Tell us the good, the bad, and the ugly.
What's great to see is that most (91%) UK organisations agree that Zero Trust is important to their security model and they're backing this up with concrete action. However, organisations are all at different stages in their Zero Trust journey, with some still at an early planning stage, yet others saying they have fully implemented their Zero Trust strategy. There are also various reasons why organisations are implementing Zero Trust, from cloud migration and digital transformation to a desire to protect sensitive data and a need to mitigate the risk of fully remote employees.
It's important to note that while the Zero Trust model's mantra is “never trust, always verify” this can be interpreted and therefore implemented in different ways. What we see in the results is that the first steps to implementing Zero Trust are identity management and micro-segmentation, and this matches what we see in most Zero Trust projects around the world.
As you would expect, a majority of organisations have networks that have been segmented using either virtual networks or firewalls. The issue with that approach though is that as we see applications becoming more distributed across multiple platforms, and regulators tightening their rules, there will be an increasing need for enhanced segmentation between apps and environments. Those legacy methods I just mentioned do not provide the scale organisations will need to deal with those changes.
As such, we're seeing organisations turning to newer approaches that focus more on verifying the identity of a resource and enforcing fine-grained segmentation of applications, users, and devices. Some respondents in our survey said they are carrying out micro-segmentation based on workloads, something we believe offers the best opportunity, giving organisations the path to granular segmentation that's easy to deploy and enforce.
3. According to the report's findings, ‘96% of survey respondents have an opinion of Zero Trust, but their understanding of the term varies'. What is the correct definition of Zero Trust and why do you think UK organisations, in particular, are struggling to define it? Are there any existing Zero Trust misconceptions in the country?
Zero Trust eliminates automatic access for any source – internal or external – and assumes that internal network traffic cannot be trusted without prior authorisation. Zero Trust is all about adopting the security mindset of “never trust, always verify” to segment internal networks and prevent the spread of breaches.
Although I don't believe Zero Trust is just another security buzzword, it is widely used, and different cybersecurity vendors offer different solutions that help organisations to achieve a Zero Trust approach, which can cause some confusion for organisations and dilute the message. In Europe for example, Zero Trust is increasingly thought of as a best practice approach, but organisations need to be aware that no single solution can solve all of their Zero Trust requirements.
One of the main misconceptions we come across is organisations thinking that a Zero Trust strategy has to be fully implemented all at once, however the truth is that “achieving” Zero Trust can happen incrementally. If organisations do it right, they can start reaping the benefits right from the start.
The research also highlighted other misconceptions such as Zero Trust only being applicable for big enterprises, or organisations feel they don't have the data to make it work. 22% of respondents also suggested that they don't have the budget to carry out Zero Trust implementation.
4. What are the primary, stifling cultural barriers and technical challenges disrupting the UK enterprise from implementing Zero Trust?
Many Zero Trust projects are still in their infancy, so it's no surprise that our research found that 80% of respondents have faced technological or operational barriers to implementing it. On the technical side, legacy technology is a common barrier, closely followed by cost and resource challenges. But it seems the cultural barriers are also having a big impact on Zero Trust adoption and implementation, and that's what I find more concerning.
Our research showed that resistance to change is a roadblock in the Zero Trust journey, with many (33%) respondents suggesting that unless there's a clear compliance mandate associated, employees won't switch up their strategies and processes.
5. Delving even deeper into cultural barriers, the report further states that 32% of senior IT decision-makers fear that their employees will think that they don't trust them if they implement Zero Trust. How can IT leaders gain their staff's trust when it comes to adopting new security approaches?
Yes, this was an interesting statistic that came out of our research and one I think is important that organisations consider when implementing new approaches or models like Zero Trust. What this comes down to is the human element of security – a security solution or cybersecurity strategy is only going to be as good as the people using it, so it's important they understand the why behind it.
The words “Zero Trust” can spark the misconception that nobody is trusted, however that's not the case at all. It's a proactive approach to security. One which allows people to access what they need but does not grant access to opportunistic attackers looking for a quick win.
In order to gain staff's trust, the best approach is education and awareness. I'd like to see CISOs and other IT/security leaders within the organisation lead by example and spearhead information campaigns that clarify what Zero Trust architecture is and why it is beneficial to the entire business.
6. If you could give UK security leaders 5 top tips for implementing a successful Zero Trust program and overcoming Zero Trust barriers, what would they be?
My first tip would be to secure board backing to ensure there will be adequate budget and resources available to carry out full Zero Trust implementation.
Once the funding and resources are secured and security teams are looking to implement Zero Trust, it's vital to remember to not take it all on at once. Zero Trust is not something that will be fully implemented overnight and never looked at again, but equally, organisations can start reaping the benefits from day one if they do it right.
You need visibility into your environments and how different components connect and communicate. Zero Trust is an ongoing approach and one that organisations can implement incrementally, tackling bite-sized projects and prioritising the segmentation of certain applications or data that are deemed the most critical within the organisation. Focusing on securing the crown jewels, or the most critical assets, is a good place to start to gain some early wins and demonstrate the value of Zero Trust. A third tip that relates to this is to remember that no one technology alone gets an organisation to “achieve” Zero Trust.
However, focusing on identity management and Zero Trust segmentation will get businesses a great deal of the way. Scalability and ease of use should be top of mind too.
Furthermore, if this research has taught us anything it's that having buy in from the entire organisation is one of the keys to the success of any Zero Trust strategy so I would really encourage CISOs and other security personnel to educate employees on the benefits a Zero Trust approach will bring to them and the organisation as a whole.
Ultimately, when done right, Zero Trust can help businesses and governments become more resilient, reduce cyber-risk in the face of continuously evolving threats, and drive digital transformation. So, my final tip for security leaders would be just start.
Liked this article? Subscribe to the YouTube Channel for more educational content in enterprise technology.