Stage 1: Pre–Zero Trust Implementation
In the pre–zero trust stage, organizations typically have traditional, perimeter-based security models with a high degree of implicit trust within their networks. Security controls primarily focus on network boundaries and don’t emphasize least-privilege access or other fundamentals of zero trust.
Perimeter-based security has its pros, but it also has major cons. For instance, this security approach “only distrusts factors outside the existing network,” according to Fortinet. “Once a threat is able to cross the moat and get inside the network, it has free rein to wreak havoc within the castle that is your system.”
Stage 2: Awareness of Zero Trust
To advance from the pre–zero trust stage, organizations must assess their present security setups to gain a holistic understanding of their strengths and weaknesses. Next, they should explore new security options to overcome these shortcomings. This can lead to awareness of zero trust.
At this stage, having recognized their weaknesses and the limitations of traditional security models, organizations commonly develop an awareness of zero-trust concepts. To advance along the maturity continuum, however, knowledge is not enough; it must be put into practice through adoption.
Stage 3: Early Zero-Trust Adoption
Early adoption is the first stage in the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model. “This includes manual configurations and assignment of attributes, static security policies and coarse dependencies on external systems, along with manual incident response and mitigation processes,” writes CDW Field CISO John Candillo in a recent white paper. “Currently, this is the stage at which most organizations find themselves.”
During early adoption, an organization may implement zero-trust components such as multifactor authentication or basic identity and access management controls. But to progress further, IT leaders must enact additional zero-trust policies and be strategic about their zero-trust security posture.
Stage 4: Intermediate Zero Trust
According to Cybersecurity Insiders’ 2023 Zero Trust Security Report, 65 percent of cybersecurity professionals prioritize MFA, and 46 percent prioritize identity management and governance — both more than any other zero-trust control. But other controls can be just as significant.