Why Haven’t More SMEs Adopted Zero Trust?

Zero Trust is a security approach that rectifies the shortcomings of traditional perimeter security in a modern environment.

Instead of treating infrastructures as physical on-premise entities to protect, it prescribes security at the resource access level, no matter where the resources live or how they’re accessed.

This adjusts security practices to accommodate cloud infrastructure and SaaS, which are fast becoming the business standard. Zero Trust is the best means of protecting an organization from modern threats.

But according to a survey conducted in late 2021, a little over half (58.6%) of small and medium enterprises (SMEs) reported pursuing or planning to pursue a Zero Trust security program. In another survey conducted in the same year, only 23% of respondents said they had fully adopted it already.

Why hasn’t it seen wider adoption?

Unfortunately, market trends have created barriers to adoption, making Zero Trust seem confusing, costly, and unattainable. However, in reality, Zero Trust is more straightforward than it appears to be, making it a realistic goal for most SMEs, and there are ways to optimize resources and overcome common challenges with adoption.

The Piecemeal Problem

The SaaS market tends to encourage companies to keep up with the latest and greatest tech; companies, in turn, end up stacking their infrastructure with security tools that lack cohesion and strategy. This ad hoc purchasing approach and high tool volume tend to move companies further away from Zero Trust rather than closer to it. 

Further, many products now claim to be the “Zero Trust magic bullet;” however, Zero Trust is not a product — it’s a framework. While products may help organizations move closer to achieving Zero Trust and supporting a Zero Trust architecture, there’s no one product that can magically “turn on” Zero Trust for an organization. This productization of Zero Trust in the market has driven confusion and even more tool-by-tool purchasing, leading to messy infrastructures jam-packed with a tool for every needed functionality. 

These cluttered infrastructures require many complex integrations to get tools to work with one another. They likely contain many dependencies (which usually are not all documented) that slow any agility that the tools might have promised. Anything from a tool update to a new addition to the stack can break one integration, sending a domino effect through the rest of the environment. 

Businesses working within such an environment that haven’t yet tried to adopt Zero Trust might hesitate to do so, not wanting to make sweeping changes in an infrastructure fraught with fragile dependencies. On the other hand, businesses that went this piecemeal route in attempts to adopt Zero Trust might have abandoned the cause after witnessing an ever-increasing complexity without any increased security to show for it.

In addition to the technical problems of an overly complex infrastructure, it can also negatively impact the user experience, which leads to lack of buy-in, error, and other usability problems that ultimately decrease security.

The Solution: Tool Unification

Instead of purchasing new tools as new functionality needs arise, IT teams should construct their tool ecosystem strategically. There are many areas where multiple functionalities can be solved with a single tool. 

Unified tools keep infrastructure streamlined and present IT with fewer tools to maintain. And fewer tools means fewer integrations and potential pathways for data to disperse and deviate, keeping more operations reporting to the same sources of truth. 

In addition, fewer tool investments lowers costs and reduces IT’s burden of learning and maintaining new technology, as well as simplifying the end user’s environment and experience. Keeping your infrastructure and data streamlined, in combination with a straightforward user experience, significantly improves a Zero Trust initiative’s effectiveness. 

Tool unification requires strategic planning and a strong Zero Trust roadmap: you should approach tool acquisition with current and future needs in mind. 

Cost and Resource Limitations

The piecemeal approach to Zero Trust tool purchasing can cause costs to compound — not just in terms of solution purchases, but in terms of the labor and expertise it takes to manage them as well. And even strategic Zero Trust rollouts that avoid piecemeal purchasing are likely to require an occasional technology investment. 

In addition, because Zero Trust architectures tend to use fairly new cloud-based technology, a lack of familiarity with Zero Trust solution management among IT is common. Businesses that hire new employees or external help often find that cybersecurity expertise is hard to come by and expensive.

Cost and resource limitations are particularly difficult in organizations with legacy infrastructure. The cost and logistics of a rip-and-replace initiative can create significant challenges for IT as well as hesitancy among leadership when it comes to approving a Zero Trust initiative.

The Solution: Plan Strategically and Incrementally

No business can implement Zero Trust all at once. In fact, Forrester developed a method for drawing up a Zero Trust roadmap that generally spans 2-3 years. This roadmap is meant to aid companies in developing an incremental rollout that works within their environment rather than bulldozing it to start from ground zero. This helps companies optimize costs, leverage their current technology where they can, and make use of a partial Zero Trust architecture along the way. 

Setting Expectations

Leaders, stakeholders, and your IT team should understand that achieving full Zero Trust security is a long and incremental process. Clarifying the roadmap and timeline helps leaders understand the associated costs and IT teams contextualize how much time they’ll have to learn and implement new solutions. The best way to communicate this is by sharing the Zero Trust roadmap and keeping goals, milestones, and progress transparent.

Prioritizing

In general, your roadmap should prioritize the highest security needs. Since you can’t achieve Zero Trust all at once, start by implementing it to protect: 

• Core business operations. 
• Customer data. 
• Personal identifiable information (PII) and IP data.
• Financials. 
• Users who can access the above resources.

CRMs, ERPs, accounting software, payment or billing software, and HR platforms are common tools that fall under these priority categories. Similarly, users with admin privileges should receive priority security measures.

Work with What You Have

Most organizations have at least some Zero Trust friendly implementations in place at the start of their journey. Look to expand upon these elements as an easy way to start making quick progress.

Common Zero Trust implementations many organizations already have in place include: 

• Multi-factor authentication (MFA).
• Single sign-on (SSO).
• Device visibility and management.
• Patch management.
• Identity and access management (IAM).

Lack of Leadership Buy-In

Earning buy-in can be difficult for SMEs: leaders often assume Zero Trust is just a buzzword, that security is only a problem for large enterprises, or that the costs don’t justify the means. Without leadership support, Zero Trust plans don’t usually receive approval — and even if they do, they’re unlikely to receive the support they need to stay afloat. 

The Solution: Start with a Good Pitch

Start off on the right foot with a compelling proposal. When proposing your Zero Trust program to leadership, make sure to:

• Present compelling evidence that Zero Trust is necessary. This includes statistics around cyber incidents to companies the same size or industry as yours, examples of what competitors are doing, and demonstrating how your current security falls short. If leaders think security is only for the Fortune 500 companies, include recent statistics to show that SMEs are vulnerable as well, for example. 
• Communicate the benefits and impacts of Zero Trust. While the logistics and technical details are important, don’t lose the forest for the trees. Leaders are concerned with their business’s viability, growth, revenue, competition, and other big picture factors; tailor your proposal to speak to these values. 
• Use hard data. Include costs, timelines, risk factor analyses, and other real numbers to contextualize your proposal. 

Overcoming Real-Life Zero Trust Challenges

Like any IT initiative, implementing Zero Trust is easier said than done. You’re likely to encounter challenges throughout a Zero Trust rollout, whether it’s battling shadow IT, appropriately allocating costs, or avoiding accidental downtime while making changes. For a guide to overcoming the challenges IT professionals tend to run into during Zero Trust implementations, download The Ultimate Guide to Implementing Zero Trust in an Imperfect World.