Illumio research finds nearly half of security leaders don’t think they will be breached, which contradicts the fundamental tenets of Zero Trust Strategies most profess to believe.

While 90% of security leaders say that advancing Zero Trust strategies is one of their top three security priorities this year, 47% say they don’t think that they will be breached, a finding which was described as the most disappointing in the study.

PJ Kirner, Illumio’s co-founder and CTO

While 90% of security leaders say that advancing Zero Trust strategies is one of their top three security priorities this year, 47% say they don’t think that they will be breached, a finding which was described as the most disappointing in the study.

Zero Trust Segmentation vendor Illumio has released a new report specifically around Zero Trust Segmentation rather than Zero Trust in general. The study found that 47% of security leaders – almost half – don’t believe they will be breached despite increasingly sophisticated and frequent attacks. Zero Trust strategies offer a significant degree of protection against these attacks, and 90% of the leaders said that advancing Zero Trust strategies is one of their top three security priorities this year. Nevertheless, counting on the existence of Zero Trust in place and then focusing on other things is a counterproductive strategy, which works against the whole premise of Zero Trust and its ongoing efforts.

“We started Illumio with these principles in mind 10 years ago and sometimes we think that people fully understand them, but that 47% data point suggests that isn’t the case,” said PJ Kirner, Illumio’s co-founder and CTO. Only 4% said that they will definitely not breached, while 12% said that they will likely not experience a breach, something that Kirner thought in some cases simply meant that the executives didn’t think they had the kind of data that was valuable enough to steal.

Kirner described the 47% as fence sitters.

“Their focus is really on protecting their crown jewels,” he said. “However, Zero Trust requires customers always assume that a breach has taken place and that attackers are inside. This group believes in Zero Trust, but I don’t think they buy into the assume the breach part yet.” This is so even though in the past two years alone, 76% of organizations surveyed have been attacked by ransomware, and 66% have experienced at least one software supply chain attack.

Kirner pointed out that Zero Trust is really a return to traditional principles of IT security, ones which were forgotten during the rise of network security in the 1990s.

“One of those core principles is the principle of less interest, where users should have the necessary function to do their job but no more,” he said. “Even UNIX machines were built that way. But in the 1990s, the perimeter was all-important. We focused on keeping the bad guys out, but if they got inside the wall, they could basically do anything. Zero Trust is a resurgence of these older techniques, which also includes other things like continuous evaluation.

“When you adopt Zero Trust, you have changed your organization,” Kirner emphasized. “People who think you do Zero Trust like an event, and move on to something else aren’t doing Zero Trust. It’s not an easy button. It requires rethinking how you think about things and how you get the benefits out of them.”

While the 47% figure was the biggest disappointment in the study, a plus was that Zero Trust Segmentation has developed a quantifiable business impact.

“It reflects a growing awareness that mistakes have become common, and that when you have a segmented environment, you are isolated from those mistakes,” Kirner said. “This is based around, business value, which is different from security value. I knew it was there, but it came out a lot stronger than I thought.” The metrics here are that organizations that have adopted Zero Trust Segmentation as part of their Zero Trust strategy save an average of $20.1 million in application downtime, avert five cyber disasters per year, and plan to accelerate 14 more digital and cloud transformation projects over the next year.

Kirner noted that this was the first Illumio study to specifically focus on their core competency of Zero Trust Segmentation.

“Before we focused on Zero Trust in general,” he said. “81% believe Zero Segmentation should be part of the core strategy. It will be interesting to watch that one over time. The fact that people believe segmentation is a core pillar of Zero Trust is an important one for us, because it validates what we are doing.”