9 in 10 organizations have embraced zero-trust security globally

Nearly 90% organizations have begun embracing zero-trust security, but many still have a long way to go, according to a report by multinational technology company Cisco. The report, based on a survey of 4,700 global information security professionals, found that 86.5% have started implementing some aspect of the zero-trust security model, but only 2% have mature deployments in place.

Cisco measures maturity based on four “pillars”:

• Identity, which includes multi-factor authentication (MFA)
• Device, which includes continuous validation of users’ devices
• Network and workload, which includes network detection and response, as well as micro-segmentation
• Automation and orchestration, which includes security orchestration and automated response (SOAR)

The report noted that an organization doesn’t need to implement all four pillars before it starts reaping the benefits of zero trust. For example, organizations completing the identity pillar are nearly 11% less likely to have a ransomware event. Completion of the network and workload pillar can reduce the likelihood of malicious insider abuse by 9%.

The big payoff is for organizations that have implemented all four pillars (only 2% of the survey sample). They’re two times less likely to report security incidents than those just starting out on their zero-trust journey.

Big jump toward zero trust

This year’s survey results reflect a growing awareness and maturity in organizations about what zero trust is all about, notes Cisco Advisory CISO J. Wolfgang Goerlich. “In past studies, a significant part of the sample said they had zero trust in place and were good to go.”

“This year we dug into the technology stack and asked them what technologies they were using, what zero trust aspects have they deployed,” Goerlich continues. “In doing that, our findings went from a large percentage of people saying they deployed zero trust to 2% saying they made progress across all the pillars. That reflects a maturation in security and IT leaders’ understanding of zero trust. Two years ago, people would say, ‘I did identity. I’m good.’ Now that they’re into a real strong push behind zero trust, they’re realizing they need device controls, network coverage, and automation and orchestration.”

“The more organizations know about zero trust, the less they feel competent in zero trust,” Goerlich adds. “The more they learn, the more they realize they need to go further.”

In implementing zero trust, no one size fits all

Survey data also indicated a change in zero-trust adoption patterns. Zero-trust early adopters selected products based on their feature set rather than starting with their desired outcomes or use cases, the report explained. Today the focus is on outcomes over features. Organizations are now finding value in adopting zero trust when they focus on business outcomes rather than simply keeping the conversation limited to products and technologies.

“In implementing zero trust, no one size fits all. Therefore, any risk management plan priority should be to focus on outcome requirements, including IAM, visibility, data protection, resilience, and incident response,” says Chuck Brooks, president of

Brooks Consulting International and an adjunct professor in Georgetown University’s graduate applied intelligence and cybersecurity programs. “To optimize the risk plan, it needs to include people, processes, and technologies. What technologies and products are selected will depend on the requirements and missions.”

Zero-trust principles baked into every layer

“What often happens to security concepts that begin as buzzwords and capture momentum is they fade off into business as usual,” Goerlich says. “What we’re seeing is people no longer asking, ‘Are you doing zero trust?’ It’s, ‘Are you securing this new line of business? Are you securing our mergers and acquisitions? Are you protecting us against ransomware? Are you enabling the business to keep up to changing market demands and changes in the threat landscape?”

“Now that we have the outcomes identified,” Goerlich continues, “we can apply the appropriate technologies and appropriate pillars to achieve those outcomes. What we’re going to continue to see is zero-trust principles becoming fundamental security principles. As we move forward, good security is good security, and good security will include some of these zero-trust principles baked into every layer.”