
Getting started with zero trust security

Organizations with the most mature zero trust capabilities have reduced security expenditures, increased cyber resilience, and boosted talent retention rates.

Organizations have responded to the COVID-19 pandemic by accelerating digital business transformation, expanding cloud footprints, increasing their remote workforces, and integrating their supply chains. As a result, our research indicates the percentage of remote workers serviced by the security function increased by 41% from the end of 2019 through 2020.

But moving communication, business, and personal interactions online has also significantly increased potential attack surfaces, resulting in a dramatic surge in cybersecurity incidents and exposed records. As workloads move to the cloud, threats move with them. Our research indicates that in 2020, upwards of 90% of cyber-related incidents originated in cloud environments.

Valuable yet vulnerable: Securing critical infrastructure

The very nature of critical infrastructure implies a dynamic relationship between trust and risk. As operations move online, both IT and operational technology (OT) networks are subject to compromise. The July 2021 Kaseya ransomware attack, for example, affected up to 2,000 organizations and carried ransom demands in excess of $70 million. Our reliance on IT and OT environments means mission-critical infrastructure is increasingly vulnerable to new threats.

Interconnected risk: IT and OT risks are complex and interdependent

Trust is the basis for collaboration and partnership. As these capabilities become essential to delivering value, how we think about trust is rapidly changing. While traditional approaches to cybersecurity relied on permissions and discrete network boundaries, today’s networks are defined by dynamic services and diffuse boundaries. Today’s digital platforms generate value by virtue of being interconnected, by sharing information across multiple parties.

70% of organizations are unable to secure data that moves across multiple cloud and on-premises environments.

Tensions may be inevitable. Many OT systems have traditionally relied on system isolation, yet the demand for insights from connected devices and smart systems makes such practices difficult to sustain. If anything, a lack of connectivity can render existing vulnerabilities more difficult to remediate.

Making matters worse, risks often cascade: a failure in one system often results in the failure of others. Threat actors are becoming more sophisticated in their ability to capitalize on shortcomings in IT and OT security controls. While the potential impacts are significant, such risks can be difficult to anticipate.

Setting the pace in zero trust security

To better understand how organizations are implementing zero trust security, the IBM Institute for Business Value (IBV) partnered with Oxford Economics to survey more than 1,000 operations and security executives from organizations in 15 industries across the globe. Our analysis reveals 23% of organizations—a group we refer to as “zero trust pacesetters”—are ahead of their peers in deploying zero trust capabilities across their IT and OT environments and in their interactions with ecosystem partners.

These organizations have fashioned their IT and security operations as a single estate. They are proficient in partnering internally and externally to manage cybersecurity risk. They have modernized their security operations related to interdependent governance, risk, and compliance frameworks. They apply cloud, AI-driven analytics, and automation extensively. And they recruit, develop, and retain skilled cybersecurity resources to enable zero trust capabilities across their digital estates.

92% of organizations lack the ability to securely enable and extend new cloud-native capabilities to their internal and external partners.

Most importantly, their security operations can adapt to the complexity of the current business environment—whether it’s enabling a remote workforce; monitoring endpoints, applications, data, and network traffic; or analyzing the behaviors of employees, customers, and partners to identify emergent threats.

Read the full report to learn what sets zero trust pacesetters apart—and how your organization can create a zero trust roadmap that leads to greater cyber resilience.





Meet the authors

Chris McCurdy, Worldwide Vice President and General Manager, IBM Security Services

Lisa-Giane Fisher, Leader, Middle East and Africa, and Global Benchmark Research leader, Utilities industry, IBM Institute for Business Value

Dr. Shue-Jane Thompson, Vice President and Senior Partner, Security Strategy and Growth, IBM Consulting

Gerald Parham, Global Research Leader, Security and CIO, IBM Institute for Business Value



    Originally published 23 July 2021