Forrester Report: Zero Trust Adoption in Europe Is HighForrester's Tope Olufon on Regional Issues Related to Zero Trust Progress, Barriers
Over two-thirds of European security decision-makers have begun to develop a zero trust strategy, and public sector organizations are leading the way, according to a new survey report by Forrester.
Organizations recently hit by a breach are more likely to be on a zero trust journey than those that weren't breached, but attitudes still vary across the region, and numerous cultural and regulatory roadblocks are ahead for zero trust, says Tope Olufon, a Forrester senior analyst and author of the report.
"Zero trust involves a lot of monitoring, and some organizations and cultures may not be very friendly toward that," Olufon says. "So, being able to articulate what you are using the data for, how it's processed and how you maintain employee privacy is very important in making effective zero trust."
In this video interview with Information Security Media Group, Olufon discusses:
- The state of zero trust in Europe;
- Cultural and regulatory roadblocks to its adoption;
- Practical steps security leaders can take to adopt a zero trust approach to security.
Olufon is a senior analyst in the security risk space, advising businesses on how best to set and attain security goals. His research focuses on the current state and evolution of zero trust, digital identity and e-signature, and managed detection and response.
Anna Delaney: What is the state of zero trust in Europe today? Hello, I'm Anna Delaney for ISMG. And with me to discuss a recently published report from Forrester, 'Zero Trust Comes Into the Mainstream in Europe' is senior analyst Tope Olufon. Tope, thank you very much for joining us.
Tope Olufon: Thanks a lot for having me. Pleased to be here.
Delaney: So Tope, it would be interesting to understand what data you were studying for this report. Could you share a brief overview of the regions you were assessing in Europe?
Olufon: So, while, of course, the report covered the whole of Europe, seven countries came up very frequently. In the EU, we have France and Germany. And, of course, outside the EU, we have the U.K. So a lot of these countries reflect broader cultural attitudes toward zero trust in the European continent.
Delaney: So what were the predominant zero trust trends? What did you learn about the state of zero trust in Europe today?
Olufon: So also, one of the biggest changes is a lot of security leaders are reporting directly to CEOs. So naturally, you would expect security prioritization to have a bigger piece of the pie, so to speak. And one big trend we've seen is public organizations are leading the adoption of zero trust in Europe. So which is a good thing because zero trust is the vehicle toward better information security. Another thing we have seen is zero trust is isolated by breaches. And a lot of the time if these breaches impact some insurance premiums, organizations that are affected by such tends to prioritize zero trust as opposed to organizations that have not yet been breached. So we see breaches as a driver toward zero trust adoption, which makes sense, because a lot of security leaders see zero trust as a way to handle risk.
Delaney: Were there any notable differences between regions?
Olufon: Not exactly. However, we found that German organizations tend to prioritize it the most. So, and again, we've also seen that a lot of German organizations have hybrid cloud as a strategy. So it makes a lot of sense that prioritization of zero trust is closely followed.
Delaney: Do you have any indication as to why that is?
Olufon: I wouldn't say there any specific reasons. But a lot of German organizations are going through digital transformation process. And with things like hybrid working exploding and remote working been the mainstay since the pandemic. It makes a lot of sense that organizations will look to something that handles the unique security challenges of a distributed workforce.
Delaney: Now, as I understand the last report that Forrester published on zero trust was in 2020. So what changes have you observed since that last report?
Olufon: Organizations have stopped asking why and what, so they've moved from that. And now they're focused on how. So no one is asking if they need zero trust, what zero trust is, they're asking us how can we go ahead and start a zero trust journey because they have seen the value. So right now, organizations are no longer wondering about the value. They're wondering about how to go around implementing and extracting the value?
Delaney: Where do you see zero trust initiatives often fail, Tope?
Olufon: It typically feels when organizations do it as a big bang approach. So there tends to be an all or nothing approach. And it doesn't work like that. Zero trust is a journey. It's a transformative process. So I typically recommend organizations to start small, and build on it. But if you try to do zero trust as one big giant zero trust project, it tends to fail. But when it's tied to business initiatives and translatable to real business objectives, then you have a high chance of success.
Delaney: So you mentioned earlier that what they struggle with is how to start the journey. Where do you recommend starting the journey? And could you share some examples?
Olufon: It depends on the maturity of an organization. First, I typically say organization starts with IAM, and that's identity and access management. So because a lot of the time it reviews other issues in the organization that you would want to fix. And zero trust, again, is about building an entire security. So zero trust is not for zero trust, it's the improved security. And IAM is a very good vehicle to introduce that.
Delaney: So the report mentioned some cultural and regulatory roadblocks that EU security leaders face. Can you expand on some of these?
Olufon: At the heart of zero trust, there's data and data sovereignty and data privacy is a very big topic in Europe. So in other regions, these roadblocks might not be so evident. But, for example, where the data to power zero trust is stored is a very significant question. And it's something security leaders need to answer to avoid roadblocks down the road. Also, from the cultural aspects, zero trust involves a lot of monitoring. And some organizations and cultures may not be very friendly toward that. So being able to articulate what you're using the data for, how it's processed and how you maintain employee privacy is very important in making effective zero trust.
Delaney: What do you see is critical components of a zero trust strategy?
Olufon: I'll typically say tied to business objectives. That's what tends to fail, and break it down, tried to improve the experience. I'm going to use the example of improved identity and access management. If you say IAM is good, yes, we know. But if you cannot tie it to business objectives, it tends to fail because security leaders think that it concerns to security people, when speaking to business people who understand business objectives, but saying IAM would improve better and faster customer onboarding, because you have used the modern authentication flow is a good way to position yourself. That way, it's no longer a security for security sake, it's security for aligning yourself with business objectives.
Delaney: What are the missteps you see organizations make when it comes to IAM implementation?
Olufon: Again, the whole big bang approach. Do a maturity assessment, figure out where you are, and then build on it. But if you're trying to leapfrog entire processes, say your organization doesn't even have a central authentication system. But then you're trying to jump to passwordless authentication, you have failed somewhere. It's possible, but I wouldn't recommend it. So be realistic with your outcomes and build on it. Again, you don't need, you don't always need perfect security. But start, do not let perfect be the enemy of good.
Delaney: The title of your report talks about zero trust becoming mainstream. What trends do you foresee over the next year or so in this space?
Olufon: As organizations mature, it's going to stop shifting the question of how but how they can mature on the journey. Some organizations might say, already have a halfway toward zero trust, but didn't exactly know what it's called. So organizations are going to start looking and benchmarking themselves saying, "Okay, this is where we are, this is where we're trying to be." So they're going to be different maturity skills. And as organizations grow and mature, zero trust interoperability will become the next topic.
Delaney: Do you see similar movement within the vendor community? Have they matured as a community to respond to organizations' needs?
Olufon: Yes, a lot of vendors have very specific zero trust offerings. Of course, like with any technology, there's a lot of marketing balls, and people slapped the term zero trust on everything. But we're beginning to see vendors become more realistic and practical with their claims. Because as security leaders have a better understanding of what it is, it becomes very important for vendors to have products that meet specific needs, as opposed to just slapping zero trust on, well, everything, because of brand name.
Delaney: Finally, what practical steps can you offer to EU leaders to steer their organizations to zero trust security?
Olufon: As mentioned earlier, one of the biggest roadblocks we tend to see is that security leaders in Europe face the data collection constraints. So start with building a use case for your data. What are you collecting? How I collect it? Where am I going to use it? In the reports, we provide a sample use cases that are aligned with the MITRE framework on how to communicate your data collection needs. That's where you can allay everyone's fears, address their concerns. And basically let leadership know that you're not collecting the data for collection sake, the data will be processed carefully, the data be stored appropriately. And I'm going to be practical here. If a European organization, try to make sure your data stays in Europe. If you cannot make sure you have appropriate controls for transferring it outside. Because data sovereignty is a very big topic and we expect it to get bigger. So you just need to be practical and realistic when addressing these concerns.
Delaney: Excellent. Well, Tope, this has been very helpful and informative. Thank you so much for your time.
Olufon: Thank you.
Delaney: I've been speaking with Tope Olupfon of Forrester. For ISMG, I'm Anna Delaney.