Zero trust? Not yet a must for most IT departments

Reader survey results When we published the questions for this survey, our view was that zero trust, or ZT, has finally begun to become a thing – as a real technology in real companies.

Now we have the results from more than 500 respondents, though, has it turned out that we’re right? See for yourself below.

We started gently with a have-you-heard-of-it-at-all question: “How great is your awareness/knowledge of the zero-trust approach to security?” At the bottom end of the scale we have roughly a tenth of people (11.5 per cent) who’ve not even heard of it, and at the opposite end are the consummate professionals – 5.9 per cent have a “high level of practical experience.”

JavaScript Disabled

Please Enable JavaScript to use this feature.

The highest scoring category, with 30.9 per cent, was those who understood the concept but with only a modest level of knowledge, and not far behind on 24.9 per cent are those who are one step up and feel that they could have a stab at implementing it. Trailing in at the end we have the 10.5 per cent who’ve heard of ZT but don’t know much about it, 5.3 per cent who have a highly detailed knowledge and understanding, and 11.3 per cent who’ve some experience of using it. All of which means that fewer than a fifth – 17.2 per cent – have actually implemented ZT at all.

For the second question we widened the net: while the first question was about whether the respondents themselves knew about ZT, we’re now talking about the team as a whole. Oddly a total of only 13.4 per cent of teams have implemented ZT. 14.4 per cent had no awareness of it at all, 18.3 per cent had heard of it but knew little, 28.2 per cent understood it as a concept, and 20.8 per cent felt their team knew enough to implement it. Only five per cent had a highly detailed knowledge, eight per cent had used it a bit, and 5.4 per cent had implemented it significantly.

Next, we moved from whether you or the team knew about it, and focused on whether you’d actually used it. The split was almost exactly 60:40 between those who haven’t yet implemented it and those who had, respectively. Interestingly, 50 respondents – 9.6 per cent – said that not only have they not done anything with ZT but they have taken a positive decision not to do so. And 30 people – 5.8 per cent – said that although they’d used it, they’ve decided to stop at what they’ve done.

Moving swiftly along, we asked what you knew about the ZT offerings of your existing vendors – on the premise that vendors have a habit of trying to up-sell you into buying stuff that they aren’t yet selling you to go alongside the stuff they are. 147 people – over a quarter – said that they had zero knowledge of any ZT offerings from their suppliers … which, quite frankly, is a sad testament to some terrible vendor biz-dev teams. 252 – almost half – had a little knowledge, 10.3 per cent had what they called “solid” knowledge of the vendors’ products, 9.7 per cent had used some of the options available and 4.2 per cent – 22 people – had adopted them extensively.

Finally, we asked about vendors that people don’t already use. A whopping 32.2 per cent fessed up that they knew nothing about any vendors’ offerings, while 257 – almost exactly half of those who responded – claimed a “limited” knowledge. A smidge under a tenth said they’d a solid level of knowledge, six per cent said they’d used some and 2.1 that they’d used them extensively (these last two are presumably from previous roles, given that the question was about vendors people don’t use).

So, then. Yes, some people are using ZT to a significant extent. The majority, though, aren’t. And perhaps scarily, over a tenth of both people and teams have zero knowledge of it at all – which does make one wonder what other potential security concepts those people and companies are also missing out on. ®