We all understand that zero trust is a complex initiative. There’s a wide array of use cases, supporting technologies, starting points, and strategy options. On the bright side, one of the keys to succeeding with zero trust remains something companies arguably have the most control over – collaboration across the organization. The less encouraging news? These cross-functional relationships could be better.
Recent Enterprise Strategy Group research has found that many organizations have paused or abandoned a zero-trust project at some point in the past. This includes those who are currently engaged in successful projects. The single biggest reason given was organizational issues in implementing the initiative, which was cited by half of respondents.
Among all of the organizations ESG surveyed (including those who had not paused or abandoned projects, some of the specific collaborative issues faced with regards to zero trust include:
- Communications issues related to collaborative tasks (32%). Simply opening the lines of communication across often siloed teams within and outside of the IT organization remains a challenge. Having executives buy in and craft an overarching strategy is something we often discuss. But without the day-to-day operational collaboration required to ensure that the entire business is moving in the same direction, zero trust becomes an uphill battle.
- Security teams slow to incorporate feedback (32%). There is still an “us versus them” dynamic at play to an extent as well. Non-security practitioners may feel that the security organization slows them down and ignores their concerns. Often times the reality is that security teams are redlined with keeping the wheels on, and zero trust can be described as changing the tires while the car is still moving.
- Lack of clarity about areas of responsibility (29%). Again, the executive role looms large here. Without specificity as to which teams are responsible for what parts of the process, the strategy can break down.
- Non-security teams move too quickly (29%). This is the other side of the “us versus them” coin, where security teams believe their non-security counterparts do not properly weigh cyber considerations and move on a whim. Again, the reality is often more complicated, and this can be at least partially attributed to….
- Different groups measured and compensated on conflicting goals (29%). Non-security teams are likely to be more directly responsible for business outcomes than their security counterparts. This is certainly starting to shift but remains early days. When the KPIs and goals these teams are judged on vary, priorities can deviate.
With these challenges in mind, what are organizations planning to do about it? First, the most common action organizations plan to take over the next 12-18 months to implement or optimize zero-trust strategies is improve collaboration across security operations, IT operations, and the lines of business, cited by nearly half (46%) of respondents. This held true even among those organizations who are further down the path of zero-trust adoption and rate themselves as successful in the implementation. In other words, even those who are seeing zero-trust benefits realize collaboration is critical to success, and there is always room for improvement.
Second, there is momentum towards formalizing these cross-functional working groups through zero-trust centers of excellence (CoE). While still very early, and only formally implemented by a handful of organizations to date, many are actively working towards a CoE, or have plans or interest in implanting one. We’ve seen this model work before with regards to cloud, and the broad applicability across different teams certainly rings true for zero trust as it did with cloud adoption.
Regardless of where organizations are on the zero-trust journey, the focus should be on collaboration. We’re seeing similar trends with regards to SASE, application security, risk management, and other areas. Before getting bogged down in the technology weeds, planning for how the teams involved will successfully work together should be the focus.
