Zero trust thought leadership group members: Geeta Kapoor (MSC Direct), Noah Davis (Trane Technologies), Leon Ravenna (KAR Global), Barney Baldwin (ex-MUFG, Columbia), Chase Cunningham (Ericom), Eve Maler (ForgeRock), Sean Frazier (Okta).
There is no single, clear path to zero trust. The path varies according to an organization’s maturity and its regulatory and compliance demands. A CISO might focus on establishing an action plan, on the steps needed to translate that plan into action, or on the action itself. The path to zero trust spans all these areas and should also incorporate the ability to harvest benefits and learnings, reset priorities and objectives, and progress incrementally towards a zero trust vision.
An organization’s current maturity levels and/or business priorities shape its perceptions of “the path to zero trust.” Stratascale research identifies three distinct phases and ten discrete steps that will help CISOs as they define a multi-year approach to ZT strategy development and refinement. The path starts with “GOHIO” (Get Our House in Order), ensuring that the business has the core capabilities needed to embark on the zero trust journey. It then proceeds through three stages: foundational activities that establish ZT priorities and objectives; transitional initiatives that bridge from high-level strategy to substantive ZT process and technology rollouts; and a deploy, monitor, and evolve stage that includes first steps, instrumentation, incremental deployment, and continuous improvement. Through the process, a detailed understanding of how ZT is achieving security goals, combined with a business-level understanding of how this achievement contributes to business success, enables the CISO to build proactively to a state where ZT enables continuous alignment with evolving business requirements and opportunities.
Many valid paths to zero trust are defined by the maturity of enterprise security capabilities, the priorities of the CISO, and the business's specific needs. Articulating these paths for business executives, the board, or even members of the security team can be complex: “Zero trust sounds like a very far away destination, and I don't know if [standard, referenceable] paths are laid out on how to get there.”
There is some consensus on where the ZT journey begins. Contributors to this document unanimously agreed that a ZT strategy starts with assessing current capabilities and requirements and should focus first on achievable objectives that “tie back to real problems from a risk visibility and corporate strategy perspective.”
However, there are many branches in the ZT path from these core positions. As one CISO contributing to this document put it, “I think zero trust principles and objectives are clear. But to communicate the strategy effectively, you need to be able to say, ‘Here is zero trust phase one. These are the things we should do out of the gate’” – prerequisites – “‘before we get more complicated and move to a more advanced ZT phase two.’” The initial steps and the more advanced actions take different forms in different contexts, shaped by current maturity levels and business needs.
The zero trust thought leaders provided fascinating insight into how options vary according to starting points, but ultimately coalesce into a multipoint roadmap with three main stages. Each contributor had a different set of key ZT adoption issues and different reasons for emphasizing the priorities that define the path and its success. Across many different answers to the question, the priorities aligned with three broad areas.
The first consisted of foundational activities, such as ensuring sufficient security hygiene – which one contributor labeled colorfully as “GOHIO” (“Getting Our House in Order”) – plus understanding current capabilities, identifying “protect priorities,” and defining strategic objectives for the ZT strategy.
The second included steps that might be thought of as transitional – objectives that bridge from high-level strategy to substantive ZT process and technology rollouts: development of a detailed zero trust activity roadmap, establishment of an effective communications approach that will keep all stakeholders aligned throughout a multi-year ZT strategy, and initial tests of new systems.
The third stage – described by one contributing expert as more akin to a loop than a line – is comprised of actions associated with deploy, monitor, and evolve. These include pursuing low-friction first steps that build trust and momentum, deploying telemetry to ensure that the organization can identify areas of need and opportunities for refinement and progress, and building capabilities incrementally in response to these signals. This leads to the vision of ZT deployment as a loop, with CISOs using data gathered from instrumented systems to reset their ZT objectives.
Despite the popularity of Laozi’s famous saying, “A journey of a thousand miles begins with a single step,” most executives would agree with data scientist Randal Olson’s rejoinder, “Really, that’s not true. Every major journey begins with a plan.” Indeed, several of the expert sources contributing to this document focus their ZT attention primarily on planning – most likely because ZT is still too new within their organizations to allow for a meaningful definition of next-step activities or because they believe that without a sound foundation, implementation will fail.
Although only one member of the zero trust thought leadership group used the phrase “Get Our House in Order,” the concept was advanced repeatedly as a necessary prerequisite to establishing a ZT strategy.
The CISO who used the GOHIO term associated it with “doing the basic things” – such as having asset management, good vulnerability management and patching, visibility into how users are authenticating into the corporate environment, MFA, network diagrams, and similar foundational attributes.[1] Other contributors highlighted similar issues as prerequisites to moving forward with ZT: one connected fundamental “house in order” capabilities to ZT strategy by saying, “I have to pave the road first before I start setting speed limits,” focusing on establishing identity and governance before socializing more advanced capabilities and objectives.
Many of the experts contributing to this document began their recommended paths with variants on examining, understanding, or defining their current capabilities. Specific items cited as important in this context included:
One of the defining features of zero trust is apparent in the phrase "protect priorities": while security teams are adept at attack surface management (identifying and responding to vulnerabilities), ZT takes the asset to be protected as its starting point.
One expert contributing to this report posited that “identify[ing] the target resources that you want to protect” should be the first point on the ZT journey, noting that this identification presupposes that a business is already engaged in data classification. Another expert stated that “protect surface, not attack surface” should be an initial zero trust priority.
A third contributor highlighted the question, “What IP [intellectual property] do we need to protect?” This, the CISO believed, is at the core of “a conversation with the business that every security leader should be having.” Expanding on the point, this zero trust thought leadership group member added that this step also includes a need to understand regulatory requirements, as these provide an important input to defining protect priorities.
The ZT planning process culminates in the CISO defining the business and security objectives that the ZT strategy will address.[2]
While several contributors discussed this issue, one took a particularly compelling view of why working with business leaders to answer the question “what strategic advantage can be achieved by implementing zero trust?” provides a basis for establishing the importance of the security function at the senior leadership team (SLT) and board level: because “that gets you into the idea of consumer confidence, employee engagement, job satisfaction, all of these things where you build a culture of security, which can be a competitive advantage for companies.”
One contributor positioned defining strategic objectives both as a foundational step and as part of a continuous improvement loop: as the immediate predecessor to “put the plan in place” but also as a living understanding of goals and direction—an understanding that evolves as the security organization learns from its experiences and receives additional input from the business with respect to priorities and requirements.
The diagram above includes a note of caution or advice for effective action tied to each of the three stages of the ZT journey. The one associated with these foundational steps states, “Don’t simply invest and expect the ‘transformative nature of security’ to fix problems.”
In cybersecurity, more investment does not directly yield more protection: An effective security posture is much more a function of alignment of resources against most urgent needs than a straight correlation to budget.
Security leaders need to ensure that they invest in the right capabilities and avoid investment in non-critical or redundant products or processes.
While no contributor to this document viewed transition as “step one” toward ZT, several emphasized the importance of measures that create a bridge from strategy to production-scale deployment.
In many ways, all the content in this document, and all the steps in the graphic above, could be subsumed under this header. But the contributors who positioned roadmapping as a transitional step viewed it in a specific light: as a means of highlighting and building plans addressing opportunities for improvement or as a stage at which ZT policies governing rollout are defined.
This latter point is important to positioning ZT roadmap development as a key step in moving from strategy to execution. Large organizations will have many different initiatives happening at once, across the security function as a whole, and in pursuit of different ZT objectives. To keep the portfolio on track, the CISO will need to create structures that apply across different initiatives. In particular, as one expert observed, there will be a need to identify responsible and accountable parties.
It’s often the case that communication is the most powerful tool in the executive toolbox, and it was recognized as such by multiple members of the zero trust thought leadership group. One contributor observed that “this is where you see ALL the failures” in ZT rollouts. Security leaders need effective executive communications to “minimize surprises”; failure creates friction with the SLT, potentially reducing commitment to the ZT strategy.
One contributor with extensive SLT and board exposure noted that “competitive analysis is usually fairly compelling to board members.” Advice to CISOs included, “Take the business objective – tie it to what you’ve done or are doing – and describe what other [competitor] firms have done right in this area.” This adds to the CISO’s workload, since ZT business objectives must be augmented with a broader understanding of how ZT enables other firms to reduce costs, increase revenues, reduce risk, or be more agile, but it will significantly increase the CISO’s credibility at the board level.
Testing is often given short shrift in strategic plans, but several members of the thought leadership group emphasized the importance of ensuring that new capabilities be proven with target groups before general release.
The populations that should be tested, and the means of testing, vary with use case. Zero trust applies to “carbon and non-carbon” users – humans, but also IoT devices, applications, and other devices or logic functions that can request data or other assets that an attacker could compromise.[3] Security systems today require human users to re-authenticate periodically, and emerging best practices suggest that ZT could enable new levels of “granularity,” in which interactions build (or detract from) an earned level of trust. Many of these approaches, though, are either untested or minimally deployed across non-carbon users, and non-carbon identities represent a large and very fast-growing segment of the user population.[4]
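The “earned trust” idea above, and the reason non-carbon populations need their own tests, can be made concrete in code. The following Python policy engine is an added illustration, not code from the original page or from any Stratascale tool: every request adjusts a principal’s earned trust from that interaction’s signals, the request is allowed only when trust meets the resource’s sensitivity, and the remediation offered when it falls short differs by principal kind, because a service or IoT device cannot answer a re-authentication prompt. The signal names, weights, thresholds, and the sample principals and resource are assumptions chosen for the example.

```python
"""Continuous, per-request trust evaluation for human and non-human principals.

Added illustration; not code from the original page or from Stratascale.
Signal names, weights, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    HUMAN = "human"      # "carbon" user
    SERVICE = "service"  # workload or application identity
    DEVICE = "device"    # IoT or other unattended device


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"  # re-authenticate; only meaningful for humans
    ATTEST = "attest"    # present fresh workload/device attestation; non-human only
    DENY = "deny"


# Assumed weights: positive signals raise earned trust, negative ones lower it.
SIGNAL_WEIGHTS = {
    "mfa_fresh": 0.20,
    "managed_device": 0.15,
    "workload_attested": 0.25,
    "patched": 0.10,
    "new_location": -0.25,
    "unpatched": -0.30,
    "impossible_travel": -0.60,
}


@dataclass
class Principal:
    name: str
    kind: Kind
    trust: float = 0.50  # earned trust in [0, 1]; midpoint start is an assumption


@dataclass
class Resource:
    name: str
    sensitivity: float  # minimum trust required, in [0, 1]


def clamp(x: float) -> float:
    return max(0.0, min(1.0, x))


def evaluate(principal: Principal, resource: Resource, signals: list[str]) -> Decision:
    """Fold this interaction's signals into earned trust, then decide.

    Unknown signal names contribute nothing: absence of a signal is absence
    of evidence, never evidence in either direction.
    """
    delta = sum(SIGNAL_WEIGHTS.get(s, 0.0) for s in signals)
    principal.trust = clamp(principal.trust + delta)
    gap = resource.sensitivity - principal.trust
    if gap <= 0:
        # A policy-conformant interaction earns a little trust for next time.
        principal.trust = clamp(principal.trust + 0.05)
        return Decision.ALLOW
    if gap > 0.40:
        # Too far below the bar for one remediation to close: deny and decay.
        principal.trust = clamp(principal.trust - 0.10)
        return Decision.DENY
    # Close to the bar. A human can be asked to re-authenticate; a service or
    # device cannot, so the only actionable remediation is fresh attestation.
    return Decision.STEP_UP if principal.kind is Kind.HUMAN else Decision.ATTEST


def walk_through() -> dict:
    """Constructed sequence of requests against one sensitive resource."""
    hr_data = Resource("hr_data", sensitivity=0.70)
    alice = Principal("alice", Kind.HUMAN)
    billing = Principal("billing-svc", Kind.SERVICE)
    steps = [
        (alice, ["mfa_fresh", "managed_device"]),  # allowed, trust rises
        (alice, ["new_location"]),                 # dips just below: step-up
        (billing, ["patched"]),                    # below: attest, not MFA
        (billing, ["workload_attested"]),          # allowed
        (alice, ["impossible_travel"]),            # far below: deny
    ]
    decisions = [(p.name, evaluate(p, hr_data, s).value) for p, s in steps]
    return {"decisions": decisions,
            "trust": {alice.name: alice.trust, billing.name: billing.trust}}


if __name__ == "__main__":
    for name, decision in walk_through()["decisions"]:
        print(f"{name:12s} -> {decision}")
```

The point to take from the walk-through is that the same policy produces a different user-visible outcome for `alice` and for `billing-svc` at the same trust shortfall, which is why a rollout tested only on human users tells the CISO nothing about how the non-carbon population will behave.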
Experts described several different approaches to selecting and testing target groups. One advocated for A/B testing focused on either very tech savvy or highest risk populations. Another stressed the importance of testing non-savvy users because “what appears seamless to someone who is knowledgeable may not to someone who is less so.” A third suggested including “the breakers” – people “that are always on the phone…people who walk up to a computer, and it breaks. Every company has them, everybody [at the help desk] knows who they are. We want those people to be part of rollout tests.”
These suggestions help to identify the importance of testing and options for its rollout. Individual CISOs will need to identify the most appropriate approaches for their respective businesses, but all CISOs should ensure that testing is included in the path to ZT.
Contributors adamantly advised that CISOs “be the broken record.” Rather than relying on a single conversation with stakeholders, CISOs should build endorsement through repetition of important objectives, supported by associated metrics and (per the previous point) competitive intelligence.
In reiterating these communications, CISOs should focus on non-technical terms referencing business benefits. Executives will forget technical explanations of system capabilities. But measures taken to reduce risk, increase productivity, reduce M&A cycle time, or expand secure interaction with online customers or partners address issues that command SLT and board attention.
The final stages of the ZT journey involve deployment: Having planned for ZT and managed through key transition steps, how should the CISO approach production-scale rollout?
Perhaps the best deployment advice offered by a zero trust thought leadership group member was “Start with steps that can be achieved without causing friction with upper management…the best route to take is the one that’s available to you now and is funded.” Many strategies are instead guided principally by a roadmap more extensive than the one referenced in step five: a technology deployment sequence rather than the set of policies that governs rollout.
Rather than working through a long-term technology checklist, CISOs should look to ensure the success of funded products and dedicate energy to initiatives that align security with executive care-abouts. The contributor added that their security team frequently uses the phrase “fail forward” – ensuring that regardless of the current state or success of an initiative, the organization as a whole works to build maturity incrementally.
One memorable discussion in the ZT research project included the assertion that ZT consists of “two bookends: data, which I’m trying to control access to, and identities, which I’m trying to grant access to – and everything else is telemetry signals.” This may be a bit dismissive of four of the six ZT pillars,[5] but it does emphasize the need to use instrumentation and telemetry to obtain data needed to assess and improve the ZT approach.
Contributors suggested tapping into data sources ranging from device telemetry to help desk logs. These inputs can identify emerging issues and may also indicate that it is safe to migrate from outdated systems to newer solutions. From a management perspective, the message attached to this step is more direct: telemetry provides a basis for both analysis and comparison of individual ZT components, enabling the CISO to make course corrections where necessary, and to identify areas that are in greatest need of increased resources or which offer the greatest potential for additional benefit.
The concept of ZT incrementalism was discussed at some length earlier in this series,[6] but the concept is important in the context of a path to zero trust as well. Zero trust represents a sea change in the vision for how security works – a move from focusing on hardening a perimeter to centering strategy on protecting the most critical enterprise intellectual property (IP) assets.
Because it is not at root a technology concept, zero trust does not require a rip and replace approach to installed products. Some deployed products will integrate into the ZT framework, other products will be extraneous, and some new capabilities will need to be added in response to requirements not addressed via the perimeter-based approach.
Zero trust changes the CISO’s paradigm from responding to threats to proactively developing capabilities around the highest-value assets. As one contributor stated, “Zero trust is not a product you buy, and you deploy, and then you're done.” Even if it were possible to fully tool a ZT framework overnight (and it isn’t, regardless of budget), CISOs should build in response to evolving business needs and deploy at a pace that aligns with the capacity of the organization to absorb change.
The caution associated with the deploy, monitor, evolve stage addresses an issue that all CISOs face: What happens when we deploy a new system, and users can’t absorb it? One contributor observed that “one of the things we've seen is, if you disable an old method [of performing a security task] – the old, bad method that people shouldn't use – if something goes wrong…what you're going to end up doing in a panic is letting [users] do what they did before.”
Some leaders try to forestall this reversion by employing a “burn the boats” approach, denying access to deprecated systems to remove the temptation for users to find workarounds that avoid new solutions. But this adversarial approach is unlikely to build confidence within the user community. Instead, security leaders are urged to make sure that new products address defined business objectives, that they are tested, and that they are introduced incrementally, to avoid overwhelming users with new features and workflow requirements. Above all, it’s important to build effective communications into the ZT approach, so that when users struggle to adopt new features or systems, the security team can engage constructively.
The bottom step in the ZT path graphic above does not represent the end of a linear process – it leads to an arrow labeled “capture benefits; reset objectives” that cycles back to either step three, “identify protect priorities,” or step four, “define strategic objectives.”
It is critical that zero trust, which is often described as “a journey” or “a mindset, not a product,” incorporate this continuous improvement loop. Members of the zero trust thought leadership group emphasized the importance of measuring and communicating business and security benefits gained through ZT and getting feedback on the business impact of these changes. At the same time, the security leaders need to be constantly in touch with new, emerging, or urgent business priorities, and prepared to adjust their ZT strategies accordingly.
This need for ongoing reassessment of impact and strategic directions speaks to why ZT doesn’t have a defined end state. The lack of a defined end state may be challenging for CISOs accustomed to achieving specific outcomes. But it is also the greatest strength of the ZT path: the ability to build a process focused on the most critical security and business objectives, and to apply that process proactively over time, enabling security to contribute visibly and meaningfully to competitive advantage.
CISOs looking to integrate this perspective on zero trust within executive-level strategy discussions can use the following constraints and takeaways to inform their approach.
This institutional understanding of critical capabilities, processes, and technologies enables the CISO to focus ZT on the business’s most important assets, and implement continuous strategy realignment based on feedback on impact and evolving needs.
Expanding on this thought, one member of the thought leadership group argued that this is actually a discussion about relationships rather than signals: In the digital world, companies need to develop the ability to “respect relationship as a first-class object.” The contributor mused that digital connections between “two parties who have different duties and different interests used to be entirely impossible. And then it was possible, but clunky. And now digital relationships are a little bit more like real life…but the parties involved typically have misaligned incentives.” The expert believed that ZT orients security toward deployment of tools that drive incrementally more fine-grained trust between the parties’ positions – “to negotiate permission to let ethical and/or legal boundaries be traversed [for example, by sharing data, potentially in ways that aren’t fully defined or understood]. This isn't a security issue, it's a people issue. It's a business issue. It's [about] human conditions.” As is the case with so many issues that land on the CISO’s desk, the security team focuses on supporting relationship outcomes, while the senior leadership team and the board drive the security strategy by determining the relationship objectives.
[1] The Stratascale Zero Trust Metrics in Context and Action (Stratascale ZT-MICA) tool, linked to the Zero Trust Metrics document, contains insights into assessing identity, network, and other ZT capabilities.
[2] Each of these objectives is the subject of a report in this series: Zero Trust Interest and Investment Drivers covers the security considerations important to ZT strategy, while Zero Trust Business Objectives examines the business outcomes that motivate (or can be achieved by) an effective approach to zero trust.
[3] See also Defining Zero Trust for more discussion on this point.
[4] Figures vary, but it is generally thought that there are more than five times as many internet-connected devices as there are humans today, and the ratio is expected to grow to more than ten times by the end of the decade. The extent to which IoT is or will be a major security concern varies by industry, but non-carbon users are a meaningful user group today and will be a larger, more diverse, and more widespread population over time.
[5] A companion research series from Stratascale, The Technical Manager’s Guide to Zero Trust, analyzes ZT drivers, priorities, deployment paths, and metrics associated with identity, devices, network, infrastructure, applications, and data.
[6] See The ZT Rollout Notebook, which contains a section on Incrementalism.
This is the seventh of eight source documents included in Stratascale’s “An Executive Guide to Zero Trust” research series. We will also publish a capstone report connecting these eight pieces, plus a six-part companion series (“The Technical Manager’s Guide to Zero Trust”) and several compilations and ancillary documents and tools.
Readers interested in specific executive-level perspectives on zero trust may wish to explore the other publications in this series: