CompTIA - Computing Technology Industry Association Inc.

09/27/2024 | News release | Distributed by Public on 09/27/2024 10:35

The maturing of zero trust: Indicators of progress

We've been tracking the tech industry's implementation of zero trust for some time. The adoption of zero trust hasn't been as slow as IPv6, which, for context, started its eternal roll-out just before the three Lord of the Rings movies appeared. Still, it's been interesting watching organizations like Google lead the way while others have taken a more deliberate approach.

We've seen something of a groundswell of activity over the past five years. We've finally seen the majority of organizations reach an inflection point where business leaders and tech workers alike have realized that risk exists on all sides of a firewall, and that we need to pivot to a new set of paradigms when it comes to zero trust.

Dr. James Stanger, Chief Technology Evangelist at CompTIA, explains that this pivot involves moving from a perimeter mindset to what he calls a post-perimeter, non-directional approach. But zero trust involves more than just that paradigm change. Back in 2021, Dr. Stanger recorded the then-current thinking about the meaning of zero trust. In it, he compared traditional perimeter-based thinking to what happens in traditional zombie movies, such as 28 Days Later or Shaun of the Dead. In these movies, the heroes usually try to hole up behind some sort of perimeter, only to see that perimeter fail.

Today, organizations are focusing on how to make zero trust happen. Furthermore, it's quite possible that as the many elements that create a zero trust environment become more commonplace, the term "zero trust" might even fall by the wayside. Why? Because in a few years, the wise, coordinated use of micro-segmentation, real-time analytics, and automation will simply be standard practice. There's no need, really, to give a special name to something that is a fundamental practice.

In the meantime, we'll likely still have to use the term in our meetings with executives, technical sales representatives, and fellow tech workers. Dr. Stanger offers his insight after having participated in the AFCEA Cyber Committee Zero Trust sub-committee, as well as the ATARC Zero Trust Working Group. He highlights the value that's been gained from working with industry and government experts. As part of his effort to expand access to relevant resources, he shares a few resources he has deemed valuable in his activities on zero trust committees.

  • The US Department of Defense (DoD) Zero Trust Pillar Report: These pillars include technologies surrounding users; devices; applications and workloads; data; the network environment; visibility and analytics; and finally, automation and orchestration. While this report is hardly definitive, it is a useful discussion of the many elements that must work together before you can say you have a mature zero trust network.

  • The ATARC Zero Trust Lab: Contains information and tips from both private and public sector subject matter experts.

Progressing to zero trust maturity: Practical steps

It's easy to discuss zero trust architecture, but implementation requires a more thoughtful, planned approach. People who have implemented zero trust share that they've taken the following steps:

  • Start with executive zero trust literacy: No organization will succeed with zero trust implementation unless executive management understands exactly what it means. The result of making executives aware of zero trust will be a top-down, policy-based approach. That's the only way zero trust can mature.

  • Identify the resource that you need to protect: Think about what networks, databases, and other critical assets need hardened digital security.

  • Take an inventory: You can't do much about zero trust unless you can identify exactly what you're protecting.

  • Prioritize the resource: For example, loss of a particular resource could mean that your organization might lose its ability to do business. Or loss of a particular resource could mean that only certain customers or users would be inconvenienced.

  • Outline your ability to protect these resources: This is where you source your zero trust tools. Some people call these tools "capabilities." In other words, zero trust involves using real-time analytics and automating micro-segmentation, among other things. Therefore, you carefully map analytics and segmentation tools to the resources you wish to protect.

  • Identify the dependencies for each capability: A mature zero trust environment involves more than buying expensive hardware and software and then declaring "mission accomplished." First, a zero trust environment thrives and matures only when an organization's procedures and policies are in order.

This last point is why the concept of "Governance, Risk and Compliance" (GRC) has become so important. In fact, you could argue that the tech profession's interest in compliance and risk management is directly attributable to the implementation of zero trust. Some might actually argue that it's the other way around. Nevertheless, it all starts with policy. Second, all of the zero trust technical elements (e.g., pillars) must be properly integrated. That's why most organizations consult with cybersecurity professionals who have experience mapping an organization's policies to its technologies. That's a true indicator of cybersecurity maturity.

Learn more about the value of zero trust and how you can continue to bolster your agency against cyber threats when you read the 2025 State of Cybersecurity Report.

Contributors to this blog included Dr. James Stanger, Chief Technology Evangelist at CompTIA