A lack of buy-in from security and operational teams is creating a barrier to the successful adoption of a Zero Trust cybersecurity strategy for many New Zealand businesses.  

Lagging on critical tech issues is an accusation often levelled at c-suite executives, but a Datacom-commissioned study conducted by Forrester Consulting has shown while 83% of decision-makers see Zero Trust as the future of their firms’ security, only 52% of security teams were seen as supporters of Zero Trust at the outset of implementation. Just 40% of operational business or technology teams were supporters. 

Forrester Consulting carried out the custom survey of 204 decision-makers responsible for cybersecurity strategy in Australian and New Zealand organisations, ranging in size from 200+ to 20,000+ employees.   

Forty-eight percent of the decision-makers surveyed said their “stakeholders struggled to understand the business value of adopting a Zero Trust approach”. 

Datacom Chief Information Officer and CISO Karl Wright says the study shows a lack of understanding of what Zero Trust is and, critically, the importance of communication when companies are implementing a Zero Trust approach.  

Fifty-two percent of cybersecurity decision-makers who were surveyed identified technical knowledge and skills as the most important factors in driving Zero Trust programmes, while just 13% identified organisational communication as important. 

Change management approach key to success

“Stakeholders are not buying into Zero Trust because they are not getting the information they need. Implementing a Zero Trust approach is not as simple as adopting a new piece of technology, and organisations really need to consider adopting more of a change management approach,” says Wright.  

“Cybersecurity leaders need to communicate early and often, starting with their own tech teams. They need to tackle the misconceptions that exist around Zero Trust, for instance the idea that it will make systems so ‘locked down’ that they aren’t functional or that it requires entirely new equipment to implement.”  

“They have been successful in selling the business value of Zero Trust in the boardroom, but have work to do winning over the team responsible for IT and security on a day-to-day basis.” 

Wright says a Zero Trust approach should be viewed as a positive that keeps your people and your organisation safe by giving the right people authenticated access to the right data and applications at the right time whilst significantly reducing an organisations risk profile to common cyber-attacks such as malware.  

“Smart cybersecurity leaders know that technology is not enough to keep your company safe. You need to capitalise on what is arguably your organisation’s single biggest security asset and make the human firewall real in your organisation because your people are your first and last line of defence.”  

Recognised benefits of a Zero Trust approach include having more visibility into an organisation’s security status, and improving simplified, secure access to technology and information for employees who are working remotely or in a hybrid working model. 

Obstacles to Zero Trust maturity

While Zero Trust is rapidly becoming best practice around the world – including in the US where the Biden Administration has directed all government departments to adopt a Zero Trust approach as part of its national cybersecurity policy – New Zealand organisations still have work to do. 

Aside from the need to get internal stakeholders on side, the survey highlighted another potential obstacle for successful implementation of a Zero Trust programme in local organisations. 

Decision-makers perceived their Zero Trust maturity highly in several key areas including analytics and automation (78%), device (78%) and network (70%) but identified workload (possessing technical capability to enforce compliance controls and industry best practices against cloud repositories) at just 49%. 

Critically, when survey respondents were asked to describe how their company was adopting Zero Trust, 69% said “we are adopting Zero Trust piecemeal rather than taking a big bang structured approach”.  

It is an approach that Wright cautions could ultimately create inefficiencies. 

“A piecemeal approach might work well in the short term but could cost many organisations more in the long run as they face additional integration and operational costs further down the track.” 

Wright says local organisations will also find there are growing expectations from customers, partners and authorities around cybersecurity policies that are in line with global best practice.  

New Zealand’s National Cyber Security Centre earlier this year updated its Information Security Manual – the bible of cybersecurity for government IT managers – to “increase awareness of Zero Trust approaches and enable the NZISM to more directly reflect Zero Trust in future releases”. 

The Forrester Consulting survey of 204 cybersecurity decision-makers in Australia and New Zealand was carried out from March 2022 – May 2022. Download the full study and analysis here.

Related industries
Technology
Related solutions
Security