As organisations continue to fortify their cybersecurity strategies in response to an ever-evolving threat landscape, many are turning to Zero Trust architectures to safeguard their data. However, implementing Zero Trust is not without its challenges. According to a new strategy guide from the SANS Institute, “Navigating the Path to a State of Zero Trust in 2024,” businesses often stumble over key obstacles in their journey towards Zero Trust adoption.
“The path to achieving a true state of Zero Trust isn’t straightforward. Organisations often encounter several fundamental challenges when attempting to implement end-to-end Zero Trust principles across their environment,” said Ismael Valenzuela, SANS Senior Instructor and author of the Cyber Defense and Blue Team Operations course, SANS SEC530: Defensible Security Architecture and Engineering. “By understanding and addressing these common mistakes, businesses can make better strategic and tactical decisions and increase their resiliency in the face of evolving threats.”
SANS Institute identified the top five mistakes made when implementing Zero Trust.
1) Overlooking the Importance of Organisational Culture: Zero Trust is more than just a technological shift; it requires a fundamental change in organisational culture. Chief Information Security Officers (CISOs) must align security with strategic, operational, and financial priorities. As the strategy guide states, “Effective security is driven by people, processes, and technology.” Failure to secure stakeholder buy-in from the outset can doom Zero Trust initiatives to failure.
2) Underestimating Human Risk: Employee error and negligence account for over 80% of data breaches. Hybrid work environments blur the lines between personal and professional spaces, increasing the complexity of monitoring user activity. “A Zero Trust architecture is an important line of defense against human risk,” the strategy guide emphasizes. Organisations must implement continuous monitoring and real-time assessment of user behavior to mitigate these risks.
3) Neglecting the Supply Chain: Recent high-profile supply chain attacks have underscored the vulnerabilities within interconnected systems. According to Gartner, by 2025, 45% of organisations worldwide will have experienced attacks on their supply chains. Zero Trust principles help limit the impact of these breaches by ensuring continuous verification and deeper visibility into user activity.
4) Failing to Plan for Sustainable Success: Implementing Zero Trust is a long-term commitment that requires continuous improvement and adaptation. The SANS strategy guide highlights the importance of effective change management practices: “Effective change management ensures stakeholder buy-in, facilitates user adoption, minimises disruption, promotes continuous improvement, and enhances collaboration.”
5) Inadequate Measurement of Success: Measuring the effectiveness of a Zero Trust framework is crucial for maintaining stakeholder support. The guide suggests several metrics, including authentication success rates, policy compliance rates, and the time to detect and respond to incidents. These metrics provide a clear picture of the framework’s impact and highlight areas for improvement.
“Adopting the Zero Trust ‘never trust, always verify’ mindset is essential for modern cybersecurity,” said Valenzuela. “However, the real challenge lies in having a realistic understanding of what a Zero Trust architecture looks like and avoiding common pitfalls during implementation. From cultural shifts to technical deployments, this offers vital guidance to help organisations successfully navigate the complexities of Zero Trust and enhance their cybersecurity resilience.”
For more information on implementing Zero Trust and to download the full strategy guide, visit: https://www.sans.org/u/1xo2