Why Zero Trust – and Why Now?

Organizations are flocking toward Zero Trust because the drivers have never been stronger:

  • The threat landscape keeps expanding. In the 2024 State of Zero Trust & Encryption Study by Ponemon Institute and Entrust, 67 % of 4,000 security professionals said their main motivation was the risk of a data breach or the expanding attack surface.
  • It is rapidly becoming the norm. Gartner predicts that more than 60 % of enterprises will embrace Zero Trust as their baseline security strategy by 2025.
    An Expert Insights survey of 2,200 leaders found 43 % have already adopted Zero Trust and another 46 % are actively moving toward it, leaving only 11 % yet to begin.
  • Regulators are turning up the heat.
    • NIS 2: The EU directive expects least‑privilege, MFA and supply‑chain controls.
    • DORA: The Digital Operational Resilience Act becomes fully enforceable on 17 January 2025 for banks and insurers, demanding granular access controls and continuous monitoring.
    • PCI‑DSS 4.0: New segmentation guidance maps Zero Trust patterns to scope reduction for payment data.
    • A Deloitte Global Future of Cyber Survey 2023 shows 47 % of CISOs rank regulatory alignment as a top driver.

In short, “never trust, always verify” is now a board‑level mandate.

What This Means for Different Sectors

By now, many industries have recognized the need for a Zero Trust strategy and have taken a first look at frameworks like CISA’s ZTMM. The main driver is that infrastructures have become so interconnected and have grown so much that managing them has become more difficult. In everyday language, this means an infrastructure design needs to assume breach, which is where the core ZT principle “never trust, always verify” comes from.

The Zero Trust Maturity Model spans every corner of the business and is so broad that most organizations will not adopt every element of it. But that is not the goal either. These frameworks are designed as guidance and as an industry standard. Which parts of the framework are reasonable to adopt is an individual choice for each organization. Depending on the industry, the goals achieved will look different.

| Sector | Key Challenges & Objectives | Zero Trust Quick Wins |
|---|---|---|
| Manufacturing & Healthcare (IT/OT) | Interconnected production lines or medical devices, legacy protocols, strict uptime SLAs. | Isolate critical OT networks; deploy ZTNA for vendor access; enforce least‑privilege between IT and OT zones. |
| Banking & Financial Services | Hybrid workforces, hundreds of apps/APIs, DORA & PSD3 compliance deadlines. | Inline ZTNA in front of web/API gateways; micro‑segment trading & payment platforms; step‑up MFA for privileged users. |
| Retail | Many remote stores with little or no on‑site IT, seasonal staff turnover, PCI‑DSS 4.0 scope reduction. | Cloud‑delivered ZTNA client for PoS devices; secure kiosk sessions; conditional access based on device health. |
| NGOs / Non‑profits | Small security teams, volunteer workforce, highly distributed field offices. | Managed ZTNA/SASE services; pre‑configured least‑privilege application bundles; MFA‑only access for high‑risk resources. |

So how do organizations work out a plan that fits their needs but doesn’t exceed their budget?

Protect Before You Perfect

Waiting until every asset is discovered and each framework box is ticked can leave critical systems exposed for months. Instead, follow the principle of kickstarting Zero Trust with ZTNA: identify the 5–10 assets that would stop the business if compromised and wrap Zero Trust controls around them first. See what this looks like for OT in our blog post “How to Kick‑Start Your OT Security”.

Immediately Start Gathering Information

Gathering information should serve as input for your decision making and give some indication of how big the mountain to climb actually is. However, it’s important not to take any action that would limit your options at a later stage. For example, if your team starts with data labelling and tagging before you have assessed whether this capability is required, it will drain resources that are needed elsewhere.

For a Zero Trust journey, starting with asset discovery is a useful enabler.

A non-exhaustive list of what an asset inventory should contain is:

  • Employees
  • Devices
  • Applications
  • Users
  • Credentials

The discovery process can be sped up with asset discovery software, application detection engines or simply by having your team document the data as a byproduct of their daily work. Another strategy is to start with the most critical areas of the business; you will quickly see where the challenges in discovery lie.

Work Out a Concept

In parallel, a Zero Trust strategy can be worked out. This concept doesn’t need to become a big thesis, but it should capture, in an easily understandable way, which components of the ZTMM you want to implement and how you intend to achieve this. The challenge is that major factors such as resources, goals and time influence your options.

  • Resources: Defines what resources are available. This could be any type of resource like engineering resources, budget or the buy-in from peers to execute. Partners and suppliers are also resources which can be leveraged.
  • Goals: Defines which components of the ZTMM you want or need to implement. This could be implementing an IAM as a trusted identity source, implementing a ZTNA solution for accessing applications or implementing a macro segmentation project to restrict lateral movement.
  • Time: Defines how fast these goals need to be implemented. It’s important to think about constraints set by the business, such as achieving a compliance standard by a deadline, and about how long second‑order effects, such as training key personnel, would take.

These factors are interdependent. For example, if you have more resources you can achieve your goals in a shorter period of time. If your timeline is fixed because you have a compliance deadline for a given standard, you’ll need to invest more resources or remove some less critical goals.

It is usually a good idea to work out three options that weight these factors differently, as a basis for discussion with management. Some questions that can provide guidance when creating a ZT concept are:

  • What does implementing a ZT strategy mean in the big picture of our organization, i.e. why are we doing it?
  • Which KPIs will we use to measure whether the goals have been achieved?
  • What are key areas in the organization where a risk reduction in terms of business impact would have the biggest effect?
  • Are there any external constraints, like achieving a compliance standard, staying below a certain budget or legal requirements, which need to be met?
  • In which areas are we free in decision making?
  • Which capabilities do we already have as an organization and which ones do we need to acquire?
  • Which capabilities are easy to achieve for us and which ones are difficult?
  • Which capabilities would enable the business to save costs?
  • Are there tools which cover more than one capability?
  • Can we leverage partners with existing expertise?

One Doesn’t Start from Scratch

Most organizations discover that, provided a central identity store is in place and at least the critical assets have been inventoried, first results can be achieved rather quickly. Zero Trust Network Access alone covers a solid number of capabilities across the User, Device, Application & Workload, Network and Visibility & Analytics pillars. Additionally, an organization rarely starts with zero capabilities on the ZTMM. One specific example: many organizations already have centralized device management in place, so by leveraging this together with ZTNA, the capability for device posture checks is straightforward to achieve. Even when implementing ZTNA, most customers start with access to key risk applications first. It’s easy to implement, it directly reduces risk and the organization gains confidence in the journey.
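
The access decision described above (identity entitlement plus device posture from device management, applied to a few key applications first) can be sketched as follows. This is an added example, not Open Systems code; the application, group and device names, the 24-hour posture freshness limit and the step-up MFA flag are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_POSTURE_AGE = timedelta(hours=24)  # assumption: oldest MDM report still trusted

@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset          # groups from the central identity store
    require_step_up_mfa: bool = False  # e.g. for privileged applications

@dataclass(frozen=True)
class Device:
    compliant: bool                    # posture verdict from device management
    last_report: datetime

@dataclass(frozen=True)
class Request:
    groups: frozenset
    device_id: Optional[str]
    app: str
    mfa_fresh: bool

def decide(req, policies, mdm, now):
    """Return (decision, reason); anything not explicitly allowed is denied."""
    policy = policies.get(req.app)
    if policy is None:                 # only onboarded applications are reachable
        return "deny", "app not onboarded"
    if not (req.groups & policy.allowed_groups):
        return "deny", "no entitlement"
    device = mdm.get(req.device_id)
    if device is None:                 # unknown or missing device ID
        return "deny", "unmanaged device"
    if now - device.last_report > MAX_POSTURE_AGE:
        return "deny", "stale posture"  # old "compliant" verdicts prove nothing
    if not device.compliant:
        return "deny", "non-compliant device"
    if policy.require_step_up_mfa and not req.mfa_fresh:
        return "step_up", "fresh MFA required"
    return "allow", "policy satisfied"

# Constructed sample data: one onboarded application, three managed devices.
NOW = datetime(2025, 1, 20, 9, 0, tzinfo=timezone.utc)
POLICIES = {"payments-admin": AppPolicy(frozenset({"payments-ops"}), True)}
MDM = {
    "laptop-01": Device(True, NOW - timedelta(hours=2)),
    "laptop-02": Device(True, NOW - timedelta(days=5)),
    "laptop-03": Device(False, NOW - timedelta(hours=1)),
}
```

Onboarding another application is one more entry in POLICIES; everything not listed stays unreachable.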

Learn from Others

The good news is that one does not have to walk alone. At Open Systems we bring expertise in guiding customers through the Zero Trust journey. We use and operate the solutions we develop ourselves. We also learn from our customers and the challenges they face. As a community we can learn from each other and achieve our goals faster.