Zero Trust Finally Moves From Concept to Reality for Asia Pacific Firms
- By Jinan Budge, Forrester
- June 12, 2023
Forrester started covering Zero Trust (ZT) adoption in APAC in early 2020 when Zero Trust was largely touted as a buzzword in our region. At the time, this inaugural APAC-specific ZT research showed that, while ZT was already mainstream in the US and Europe, it was slowly but surely gaining adoption in APAC. Fast-forward two years or so, and the story is very different: In 2023, Zero Trust is finally moving from concept to reality in the Asia Pacific — Forrester clients can access the report covering the topic here. So what has changed, and what has stayed the same?
- Zero Trust in APAC has moved from being piecemeal to a strategic initiative. In 2020, CISOs we spoke to in the region had fallen short of embracing ZT as a holistic framework and settled for adopting parts of the framework. By contrast, in 2022, 80% of APAC organizations have senior leadership committed to adopting a ZT security strategy and 78% are investing resources into a ZT security strategy. ZT is a strategic initiative, and organizations aren’t shying away from adopting it to its fullest.
- CISOs in APAC have moved from a wait-and-see approach to pioneering adoption. The CISOs we spoke to in 2020 were still looking toward their peers, adopting a herd mentality to evaluate whether adoption was right for them. This was not so in 2022, when many CISOs we spoke to were seeking the benefits of pioneering adoption: being seen as innovators, garnering commercial benefits, and working with new solutions.
- APAC organizations understand that ZT comes with significant business and employee experience benefits. In 2020, organizations in APAC still underfunded security initiatives, with 29% of C-level security decision-makers saying that lack of visibility and influence was a top IT security challenge for their firm. In 2022, the biggest supporters of ZT programs in the region were business executives, and the CISOs who we spoke to are eager to understand and unblock the pain of doing business by using ZT to improve the employee experience and enable the business, as well as provide protection.
There are still obstacles to ZT adoption, but they’ve evolved
It is true that ZT is becoming part of the nomenclature in almost all APAC markets, and ZT adoption is now widely accepted and discussed. Like all things security, however, it’s not all beer and skittles. Our 2020 research showed several obstacles to adoption, and while some of these have been resolved, some have stayed the same, with new adoption obstacles emerging. Here are the highlights that we’ve revealed in our 2023 research:
- ZT nomenclature and a paucity of ZT pioneers are no longer stated as obstacles to adoption. Both were significant challenges to CISOs in the region in 2020 but were no longer mentioned as obstacles or have been overcome. For example, ZT nomenclature was a significant obstacle to adoption in countries founded on trust, so the CISOs we spoke to used different languages to depict their ZT strategy to solve these nomenclature challenges. And as mentioned above, far from adopting a wait-and-see approach, CISOs in the region are working to realize the many benefits of pioneering adoption.
- The lack of visibility and influence remains an issue, but in 2022, this comes with a twist. In 2022, Zero Trust implementation in APAC was no longer from boards or the business but largely from technology teams such as network, architecture, and development teams. This means that CISOs in the region have to work harder with their technology counterparts instead of focusing on selling ZT to the overall business.
- Vendor hype and small security functions continue to challenge adoption. Unfortunately, vendors still pretend to be ZT experts, and security functions here remain relatively small. Most security functions lack the bandwidth and capability to deliver large-scale implementations such as a Zero Trust rollout, while talent acquisition and retention remain significant challenges. This will likely remain a challenge, and CISOs will need to be strategic, work with service providers, and cut through vendor hype to overcome these obstacles.
- Two new obstacles to adoption emerge. The CISOs we spoke to mentioned two new obstacles they now encounter. They are overwhelmed by the sheer volume and scope of the many well-intended ZT frameworks and definitions, such as from the National Institute of Standards and Technology, the White House, the Cybersecurity & Infrastructure Security Agency, or the Singapore government. CISOs here simply aren’t always sure which framework to adopt for what purpose. And legacy applications remain a significant bottleneck, inhibiting consistent ZT implementations.
Overcome the challenges and leapfrog to modern security by embracing ZT
In conclusion, you can wait to see if your government, board, or media talk enough about ZT for you to take notice. On the other hand, you can be proactive, lead the way in adoption, and get the many commercial, strategic, and leadership benefits of being an early adopter. How? Here are our tips, but you’ll need to read the research to learn more:
- Assess your ZT maturity.
- Get some quick wins under your belt and demonstrate value along the way.
- Lead with empathy to win over tech stakeholders.
- Challenge vendor claims and demand product rationalization.
- Integrate ZT as part of your digitization strategy.
The original article by Jinan Budge, Forrester’s vice president and principal analyst, is here.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.