Breaking Down the 2021 Zero Trust Market Dynamics Study

In July 2021, Dr. Chase Cunningham—aka Dr. Zero Trust—conducted a global survey of nearly 1,300 security and risk professionals to understand their views of the Zero Trust framework and explore adoption plans. Dr. Cunningham’s extensive industry credentials include being known as creator of the Zero Trust eXtended Ecosystem framework during his tenure at Forrester. He also has authored Cyber Warfare – Truth, Tactics, and Strategies and the new fictional cyberthriller, gAbriel.

I recently sat down with Chase to glean his first-hand insights on the new 2021 Zero Trust Market Dynamics study. This blog is a synopsis of the Q&A video which can be viewed below. You’ll also want to download the accompanying infographic, full of survey stats on the driving forces, headwinds, technical difficulties and moving full speed ahead on Zero Trust strategies.

Q1: What was this survey about and what you were looking to glean?

Dr. ZT: I really wanted to do this because I’m able to do a non-biased, non-vendor, non-partisan study. We got about 1,300 responses from people all over the world, and it was good to get what I consider to be one of the first real ground-truth analyses—with a lot of data points—on what Zero Trust is, as it stands right now, in 2021.

Q2: Most respondents indicated their company sees Zero Trust as a necessary strategy. How do you think perceptions of Zero Trust have changed in response to high-profile cyberattacks, the pandemic and the White House executive order?

Dr. ZT: I think once we finally got over the hump of responding to the COVID crisis and moving everyone remote, leadership realized that there’s an opportunity to do things differently.

And you have a lot of organizations that continue to get hacked, which is showing that the old archaic [security] approach just wasn’t going to stand up to the future state.

It really is a perfect storm of influences that have put us in the place we are today—where Zero Trust is being adopted by organizations big and small. I think we’re in a better spot than we were—it continues to evolve, though.

Q3: Budget restrictions and competing security endeavors are perceived as getting in the way of Zero Trust adoption. What guidance would you give to help somebody articulate the value of Zero Trust to their organization? And then how do you kick-start the Zero Trust journey?

Dr. ZT: Number one, everyone always asks, “What should I do?” I think you should look at what you don’t want. If you look at the organizations that have continued to think that they can stay in the old model of a perimeter, and somehow, someway it’ll work out for you … you’re wrong.

People in leadership positions need to be the initiators of the move to Zero Trust—otherwise breaches are a matter of when and how bad.

Number two, I think what’s important is to look at the study itself and to understand that there’s a maturity curve. There’s a progression and just because you’re moving to Zero Trust doesn’t necessarily mean you’re starting at the ground floor. There are things you do first because it’s going to make a substantial difference, such as identity and access management (IAM) … and there are things that you do later.

You’re not starting from scratch, necessarily—don’t get bogged down in that—understand there’s a progression, there’s a lifecycle, there’s a maturity curve.

Q4: You brought up identity access management (IAM), which was called out in the survey as what most respondents believe to be the starting point. Can you unpack the imperative of getting IAM right as a first step into a Zero Trust journey?

Dr. ZT: If you look at where we are, you had this old approach of a firewall. And that was your segmentation if you will.

Where we are now, it’s really about the users: identity, access and privileges—that’s the key factor around which cyber revolves.

And that is so critical, because if you look at the history of exploitation, you look at how things go from bad to worse, there’s a key trend: the use of accesses and privileges. So, if you’re going to solve a problem first, solve identity and access management.

Q5: Network security came in a close second to IAM as a Zero Trust starting point. Were you surprised by this?

Dr. ZT: That goes to the maturity curve of this whole thing where identity is a first problem to solve, then tackle the network itself: the infrastructure, how things connect, how you move packets back and forth. But those two are almost symbiotic … you can’t necessarily do one well without the other.

Q6: Based on the data, it appears there are two main technical difficulties that people are running into. The first is applying a modern security mindset like Zero Trust to the existing security ecosystem with legacy infrastructure. What’s your advice about how they navigate those waters from a Zero Trust standpoint?

Dr. ZT: What stood out most to me in this whole thing: it wasn’t cloud that was extremely difficult and it wasn’t the network itself.

It is really the policy management side that’s the most difficult … because that is what is interoperable across all those disparate pieces of infrastructure.

Q7: Was there anything else that you thought was insightful?

Dr. ZT: Visibility is absolutely key, command and control…

I like to think about things from the perspective of a battlefield commander. If cyberspace is my battlefield, how do I control that battlefield? Well, I’ve got to have good visibility, so I want to be up top of the hill. I want to see as much as possible.

And I want to be able to combat threats where they are most likely to occur.

By knowing and seeing and having policy controls and being able to act on anomalies, you can direct counters to the threats as they are presented to you. And that’s a very effective place to be in a defensive posture.

Q8: Any closing thoughts related to the survey or that you’ve noticed in the Zero Trust realm?

Dr. ZT: I think one of the most important things is that we have collectively moved past the days of arguing whether this is the thing that makes the most sense. Studies show that if you do Zero Trust, there are business benefits, there are budget savers … there are all these good things that come out of it.

But we also need to be real with people and make them at least aware that change is never easy.

However, you’re in a binary situation: you either adapt and change and you survive and come out better on the far end; or you don’t and you just hope and pray—and so far hope and prayer has not proven to be a good strategy for survival.

Watch the complete Q&A interview with Dr. Chase Cunningham now.