New Ponemon/Converge study shows zero trust increases productivity of DevOps and IT security teams and hinders attacker movement within networks, but organizations struggle to align their technologies with a zero-trust strategy.

A zero-trust security strategy, according to new research, improves the effectiveness of organizations’ security practices and increases productivity. However, organizations still encounter obstacles with legacy technologies and effective technology prioritization. That’s according to a new report released by Converge Technology Solutions— “The State of Zero-Trust Architecture in Organizations”—with research conducted by Ponemon Institute and sponsored by Check Point Software Technologies. The research surveyed organizations that have adopted a zero-trust strategy.

The findings reveal organizations’ varying levels of zero-trust maturity. 27% of respondents claimed their organizations are in the mature phase of zero-trust adoption, with zero-trust activities fully deployed across the enterprise. 33% are in the full adoption phase with zero-trust activities mostly deployed. Of respondents in the mature or full adoption stage, 71% said it took 5 to 7 years or more to achieve.

Efficiency and productivity gains

51% of organizations surveyed have adopted a zero-trust network architecture. The most often-cited reasons for doing so were to reduce connectivity issues and improve user experience (52%) and to reduce the difficulty of provisioning new users and decommissioning departing users (51%).

When it comes to the benefits of zero trust, the top two advantages cited by respondents were increased productivity of DevOps teams and increased productivity of IT security teams. These benefits were followed by stronger authentication and lateral movement prevention.

“Interestingly, the top reasons for moving to zero trust and its top benefits were not primarily security-related,” said Dan Gregory, VP Solutions Architecture at Converge Cybersecurity. “This shows that zero trust has the benefit of increasing efficiencies not directly related to security while at the same time improving security.”

Restricting lateral movement

The use of zero trust also improves the ability to minimize risks from dwell time and lateral movement. 53% of respondents agreed that zero trust has reduced attacker dwell time in their networks, and 56% agreed zero trust is very effective or highly effective at eliminating lateral movement between users and servers. This is especially important because should a system be compromised, only 39% of respondents are confident that their organization knows which critical business services could be impacted or how an attacker could use that system to move laterally.

Challenges and obstacles

Technology proves to be a challenge for many organizations when it comes to aligning new and existing technologies with a zero-trust strategy. Only 42% of respondents claimed that their current security tools are very or highly aligned with their zero-trust roadmap. Only 50% said they are very or highly effective at determining which existing security technologies can continue to be used, and 54% said they are very or highly effective at prioritizing which new technologies to acquire. The continued use of legacy technologies was the most commonly cited obstacle to zero-trust implementation (65% of respondents). In addition, 50% of respondents said their organizations are very or highly reliant on perimeter security.

40% of organizations cited a lack of budget and expertise as a challenge. 75% say their staff does not have zero trust certifications, while 76% handle their zero-trust implementation by outsourcing at least some zero-trust activities to a third-party organization.

“The purpose of this research is to understand organizations’ challenges and opportunities when embarking on the zero-trust journey,” said Dr. Larry Ponemon, Chairman and Founder of Ponemon Institute. “One of the key takeaways from the research is the importance of gaining the support of senior leadership by regularly informing them about the effectiveness of the zero-trust program as measured by key performance indicators. Such buy-in may help to secure the necessary resources for a successful implementation.”

The report is based on a survey of 694 IT and IT security professionals in US organizations with a headcount of between 1,000 to more than 75,000. To be included in the research, all respondents had to confirm that their organizations had some level of zero-trust adoption. 

Download the full report to learn more about organizations’ journey to zero trust, including:

  • The top components making up organizations’ zero-trust security models
  • How organizations are using metrics to track the effects of zero trust
  • Organizations’ top obstacles to detecting cyber attackers within their networks
  • How organizations handle zero-trust activities in-house versus outsourcing
  • The effectiveness of zero trust in reducing cloud security risks