If you haven’t adopted a zero trust strategy, what are your reasons for not doing so?

2.4k views1 Upvote11 Comments

Head of IT and Security in Finance (non-banking), 51 - 200 employees
Budget restrains. Zero trust will require a big investment in our environment. Encrypted traffic needs to be decrypted to be checked which will need to change the network infrastructure and an ssl offloader. We need to invest in MFA as well.
Director in Construction, 1,001 - 5,000 employees
Our issue is twofold. First is that Zero Trust requires a change of the overall architecture strategy of the organization.  The current architecture is based around firewalls and segregation of system so moving that to Zero Trust requires a different approach to architecture which involves change.  The second is education of architecture teams.  Legacy system architects think in terms of networks, IP and ports.  Changing their architecture mindset to think instead in terms of users and access is a fundamental shift that is, unfortunately, taking time.

I have two wishes for Zero Trust vendors.  (1) Train architects in the benefits of thinking about Zero Trust with your solution.  If you train the solution architects they will come, and (2) offer solution architecture services as part of your post sales team.  Don't make if free (because then their is no perceived value) but instead make solution architecture using your solution a consulting service available to customers attempting to build a Zero Trust direction using your solution.
Director of Information Security in Manufacturing, 1,001 - 5,000 employees
While we agree with the overall concept of Zero Trust, getting the relevant bits and pieces in place has proven to be very difficult, mainly based on a lack of technical expertise with internal resources, and an overall seemingly staggering incremental cost.     Where possible, we are keeping the direction in mind when we upgrade individual components (e.g. the IDM, or the firewalls) but right now it does not look like the individual parts will result in a true 'Zero Trust' setup without an additional effort.
Director of Information Security Operations in Consumer Goods, 1,001 - 5,000 employees
budget, leadership engagement, too many players selling the same 
Director, Strategic Security Initiatives in Software, 10,001+ employees
Investment, Strategy, Customer, Supporting systems, etc.
Principal Information Security Officer in Education, 10,001+ employees
Implementing a comprehensive Zero Trust strategy (rather than a smaller piecemeal approach) will require a thoughtful planned and non-disruptive approach to completely redesign network and security strategy, rewrite policies and documentation and an awareness campaign.  Some parts can be implemented earlier in stages and in conjunction with other initiatives -- such as MFA and other strong identity and authentication, NAC/posture-checking, migration from on-premises data center services to the cloud, migration from on-premises networks to work-from-home or work-from-anywhere.
Head, Information Security and Compliance in Finance (non-banking), 1,001 - 5,000 employees
The core challenge of zero trust is locking down access without bringing workflows to a grinding halt. Zero-trust cybersecurity may eventually lead to superior security, but along the way, it can put companies at greater risk.
Director of Tech and Cyber Strategy in Finance (non-banking), 1,001 - 5,000 employees
We have implemented components of ZT such as network logging, basic PAM, and some rudimentary SIEM functionality. IMO there are a number of challenges to implementing a full ZT stack, much of which has been addressed by the others:
1. I don’t think anyone actually knows what ZT means. Conceptually yes, but the devil is in the details. I believe this is because its origins stem from an amalgam of things conveyed by different security vendors.
2. It is expensive. If you go with a gold-plated suite it can cost millions. The case for ROI is nebulous and related to “better security” but you’re ultimately trying to prove a negative. As you start to add in additional layers you invariably have tools that overlap and it becomes increasingly harder to justify the costs unless you actually have a large breach (assuming it doesn’t happen while you are implementing ZT in which case it could be counter productive).
3. You can buy tools but strategy and processes cannot easily be purchased. Hiring consulting firms often ends up with people telling you what you want to hear (I say this as ex-consultant) and people often overestimating how much can be done with existing resources who have often times been conditioned to work in a siloed environment that doesn’t require the nuance of ZT (unless you block everything which defeats the purpose).
4. It is impossible to implement when you aren’t dealing with users. Open PKI infrastructure simply doesn’t exist in the IoT world, where security is years if not decades behind traditional IT security.
5. Finally, do you really need it? Basic PAM, MFA, and SSO can often delivery very quick ROI. Same with a tuned awareness program. As per the process comment above there is a lot of work in implementing a full ZT strategy and much of this requires things like GRC, DLP, a tuned SIEM, etc. but in many cases these may increase complexity and result in a lot of underutilized tools sitting around. The more legacy infrastructure and tools you have in place the more difficult this becomes as people often have no idea what does what and risk aversion gets in the way of progress.

In summary my concern is that buzzwords like ZT get thrown around as cure-alls when they should really be viewed as a starting point but ultimately become meaningless if you don’t right size the work based on your goals, resources, and ultimately business value. If you take ZT at it’s absolute extreme I suspect one would be hard pressed to actually say that a soup-to-nuts implementation is worth the effort over one that focuses on the best risk-adjusted ROI.
CISO in Education, 5,001 - 10,000 employees
Our current environment contains too many isolated or disconnected applications. Until we can get all of our account provisioning connected with all applications, a zero trust architecture would be unreasonably difficult to manage. I also think that as our agency continues to adopt my cloud offerings, it will make it easier to centrally manage applications. Ultimately, we want to implement a zero trust strategy, but there is work to do before we can move forward.
Executive Director, Enterprise Infrastructure & Cybersecurity in Finance (non-banking), 10,001+ employees
Partially adopted

Content you might like

Strongly agree11%




Strongly disagree0%

Other (please specify)0%



CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
Read More Comments
43.8k views132 Upvotes320 Comments

Way more involved5%

Somewhat more involved47%

A bit more involved31%

Security’s current role is adequate9%

A bit less involved3%

Somewhat less involved1%

Way less involved1%