One third of zero is still zero — as organizations with partial or insufficient implementations of zero trust may learn
Despite the evident need for more robust cybersecurity measures, only about one-third of organizations in the region have fully implemented Zero Trust principles, and a sizable proportion have yet to begin their journey.
Recent incidents involving Jumbo Group, Mustafa and the Singapore educational system have made headlines, while cybercriminals have been strengthening their arsenals with even more sophisticated AI-driven tools.
So, what factors have been responsible for the low take-up or full implementation of zero trust? Bhagwat Swaroop, President, Digital Security Solutions, Entrust Cybersecurity helped CybersecAsia.net to understand the dynamics of this problem.
CybersecAsia: What are the crucial learning points of the recent massive data-breach incidents in Singapore and the region, including those involving Jumbo, Mustafa and EduTech apps?
Bhagwat Swaroop (BS): Regardless of company size or industry, attacks are inevitable. The threat landscape is increasingly diverse and sophisticated, ranging from phishing attacks and ransomware to deepfakes and identity fraud.
These incidents underscore the need for a proactive security posture: in today’s environment, an organization’s cybersecurity strategy must assume that breaches will occur. Also:
- Rather than attempting to build an impenetrable defence, implement a zero trust approach that expects attackers to penetrate systems, and thus prepares controls to limit the blast radius. Implement a comprehensive strategy that restricts access based on roles and responsibilities, and protects data both at rest and in transit across all environments. While zero trust may not eliminate threats altogether, it significantly reduces the risk and impact of attacks when they happen.
- Additionally, the breaches also highlight the crucial role of employee cyber awareness and training. Cybersecurity is not just the responsibility of the IT department; it requires a collective effort across the organization. Ensuring that all employees understand the basics of cyber hygiene and are aware of the common tactics used by attackers can significantly reduce the risk of breaches.
CybersecAsia: Despite continual widespread reports of increased cyber risks, roughly only a third of organizations in the region are fully entrenched in zero trust and complementary identity security solutions. What do you think are the key drivers of this lag?
BS: Although senior leadership support for zero trust is growing, the lag in adoption can be attributed to several factors:
- Challenges in integrating solutions: Organizations, especially those with diverse legacy systems and fragmented IT infrastructures, face significant challenges in ensuring these systems work seamlessly together under a zero trust model. This can result in delays and hesitancy in fully committing to zero trust adoption.
- Selection of vendors: The wide range of vendors and solutions available can make it difficult for organizations to find the right partners, slowing down decision-making and implementation. Organizations should take time to find a partner that provides value-added offerings, innovation, collaboration, and trusted support.
- Lack of in-house expertise: Zero trust is a constantly evolving framework that requires specialized knowledge to implement successfully and effectively. Many organizations lack the in-house expertise required to effectively implement zero trust, resulting in slower adoption or greater challenges in full implementation.
CybersecAsia: Have you personally come across partial adoptions of zero trust that did not add to identity security, or even led to false confidence in organizations? What can we learn from half-hearted implementation mindsets?
BS: There have been cases where organizations have only partially adopted zero trust principles, resulting in a false sense of security. In some instances, companies could have implemented zero trust technologies without fully understanding the underlying principles, or without integrating the principles into their overall security strategy. This piecemeal approach leaves gaps in security coverage and can lead to vulnerabilities being exploited.
Implementing zero trust is a complex, multi-year process that requires ongoing commitment. It is not just about deploying tools: it is about continuously evaluating systems, threats, and policies as organizations evolve, expand, and mature.
A successful zero trust approach must address both legacy systems and new developments, ensuring integration into all operations and enforcing robust compliance and governance across all risk areas. Without full-scale commitment for a comprehensive and adaptive strategy, organizations risk compromising their security efforts and wasting their investments in zero trust.
CybersecAsia: Conversely, sometimes CISOs may want full adoption fast, but face a lack of senior leadership support and/or a lack of in-house expertise. What advice do you have for such situations, especially amid tense economic and geopolitical landscapes this year?
BS: In situations where there is a lack of senior leadership support or in-house expertise, it is essential for CISOs to build a compelling case that aligns with the organization’s broader strategic objectives.
- Demonstrating how robust cybersecurity measures, including zero trust, can protect the organization’s reputation, customer trust, and bottom line is crucial. This can be done through regular communication with senior leadership, presenting data on potential risks and the impact of breaches, and showcasing the long-term value of investing in security.
- Additionally, organizations should consider leveraging external expertise. Partnering with cybersecurity firms or consultants can provide the necessary skills and knowledge to implement zero trust effectively, especially when internal resources are lacking.
- It is also important to prioritize and phase in the adoption based on the most critical needs and risks, ensuring that the organization builds a strong security foundation while gradually expanding its capabilities. A phased, risk-based approach can provide a more manageable path to full zero trust adoption, ensuring that security investments are aligned with the organization’s strategic goals.
CybersecAsia thanks Bhagwat Swaroop for sharing his professional views about proper zero trust implementation.