Attivo Networks Blogs

Just 35% of security pros say they are ‘very familiar’ with zero trust

Given all the hype surrounding zero trust over the past few years, those in the industry might reasonably expect that most organizations would have implemented it by now, or at least be in the advanced stages of doing so.

However, research from CyberRisk Alliance Business Intelligence based on 300 responses from IT and security decision-makers and influencers found that most security pros still find zero trust a vague concept. The CRA research, which was sponsored by Attivo Networks and HP Wolf Security, reports that only 35% of respondents believe they are very familiar with zero trust and are knowledgeable about the framework and controls. The remaining two-thirds say they have just a modest understanding of zero trust with limited knowledge about the concepts and controls.

CRA researchers say deployment has been slowed by an ongoing struggle to fully comprehend the elements that embody zero trust and how to put all the pieces together. But with the threat landscape growing, respondents are open to the basic zero-trust concept as a way to give them a fighting chance against stealthy attackers in the coming months, although organizations will find implementation challenging without the knowledge, budget, management support and prioritization focus.

According to the CRA research, at least in the near term, management support and budget limitations are hindering zero-trust adoption. The primary barriers for organizations that have yet to adopt zero-trust programs are lack of management support (26%) and budget limitations (23%). Other issues among non-adopters include the following: lack of prioritization (15%), lack of knowledge (13%), and lack of qualified staff to implement (10%).

What’s driving implementation? Follow the leaders

As part of the research, CRA set up a “Champions” segment of 70 responding companies that had sufficient budget, met the technical qualifications, had management support, and had knowledge of both zero trust and how to implement it.

CRA found that 64% of the “Champions” group use the NIST Cybersecurity Framework and another 50% use the NIST SP 800-207 Zero-Trust Architecture Model. The top components of the group’s zero-trust models and strategies included the following: identity and access management (86%); data protection (84%); cloud security controls (84%); network controls (80%); and endpoint controls/host intrusion prevention (77%).

The top areas where “Champions” apply zero-trust processes include: cloud apps and services (86%); network operations (80%); data center (77%); and the security operations center (70%). The top applications where zero trust gets applied include: web and cloud applications (89%); databases and other data center applications (82%); mission-critical servers such as DNS and web servers (82%); and critical OT/IT applications (80%).

When deploying a zero-trust architecture into existing environments, NIST recommends enterprises consider starting small and expanding. NIST Special Publication 800-207 details how enterprises should look for ideal situations to introduce zero-trust processes and how the move to zero trust can take place one step at a time. NIST says enterprises need to make sure that the common elements of the program, such as identity management, device management and event logging, are flexible enough to operate in both zero-trust and non-zero-trust security environments. Organizations must also look for zero-trust tools whose APIs will interface with existing systems and security tools.

Read the original article by Steve Zurier on SC Media.
