Cybersecurity: Time to Rethink Your Zero Trust Strategy?

This IDC Perspective discusses how zero trust cybersecurity has earned its place as an effective and widespread practice. Rather than allow unfettered access to data and applications once access is granted, zero trust demands that organizations never relax cybersecurity controls placed on persons and entities that access corporate resources. Instead, identities are to be verified and reverified in real time, resources are only to be accessed on an as-needed basis, and traffic is to be monitored in real time for suspicious behavior patterns. In short, zero trust comprises measures that taken together are highly effective in protecting data and applications. Cyberinsurance providers look favorably on organizations that have implemented zero trust strategies and tactics. To determine the level of implementation, assessments are required, whether performed by a third party or by the organization itself. While some zero trust measures can be implemented at little cost, others carry a higher price tag. They must be carried out by skilled cybersecurity staff and might include sophisticated tools for identity and access management (IAM), as well as for AI-enabled microsegmentation. Zero trust should not be implemented with a "set it and forget it" mindset. Rather, many organizations can benefit from reassessing and rethinking their zero trust implementations, weighing their implementation across multiple vectors: digital transformation, cost, agility, compliance, and efficiency. Doing so ensures that an organization gets the biggest bang for its cybersecurity buck, while maximizing protection within the limits of its business strategy and financial resources. "Zero trust principles are widely implemented, but levels of implementation vary widely. No cybersecurity strategy can be completely effective while still permitting business operations to function at a cost that is not prohibitive. Savvy cybersecurity leaders will apply knowledge of which zero trust measures are most effective - which can be tightened and which need to be optimized - to improve both cybersecurity and cost-effectiveness," says Stanley B. Gibson, adjunct research advisor for IDC's Executive Programs (IEP).