Forrester started covering Zero Trust (ZT) adoption in APAC in early 2020, when Zero Trust was largely touted as a buzzword in our region. At the time, this inaugural APAC specific ZT research showed that while ZT is mainstream in US and Europe, it was slowly but surely gaining adoption in APAC. Fast forward 2 years or so, and the story is very different – in 2023, Zero Trust is finally moving from concept to reality in Asia Pacific – Forrester clients can access here. So what’s changed, and what’s stayed the same?
- Zero Trust in APAC has moved from being a piecemeal, to a strategic initiative. In 2020, CISOs we spoke to in region fell short of embracing ZT as a holistic framework, and settled for adopting parts of the framework. By contrast, in 2022 80% of APAC organizations have senior leadership committed to adopting a ZT security strategy, and 78% investing resources into a ZT security strategy. ZT is a strategic initiative, and organizations aren’t shying away from adopting it in its fullest.
- CISOs in APAC have moved from a wait-and-see approach, to pioneering adoption. CISOs we spoke to in 2020 were still looking towards their peers, adopting a herd mentality, to evaluate whether adoption is right for them. Not so in 2022, where many CISOs we spoke to were seeking many of the benefits of pioneering adoption: to be seen as innovators, commercial benefits, and working with new solutions.
- APAC organizations understand that ZT comes with significant business and employee experience benefits. In 2020, organizations in APAC still underfunded security initiatives, with 29% of C-level security decision-makers saying that lack of visibility and influence is a top IT security challenge for their firm. In 2022, the biggest supporters of ZT programs in region are business executives, and CISOs we spoke to are eager to understand and unblock the pain of business, and using ZT to improve the employee experience, enable the business as well as providing protection.
There Are Still Obstacles To ZT Adoption, But They’ve Evolved
It is true that ZT is becoming part of the nomenclature in almost all APAC markets in APAC, and ZT adoption is now widely accepted and discussed. However, like all things security, it’s not all beer and skittles. Our 2020 research showed several obstacles to adoption, and while some of these have resolved, some stayed the same and new adoption obstacles emerged. Here are the highlights we reveal in our 2023 research:
- ZT nomenclature and paucity of ZT pioneers are no longer stated as obstacles to adoption. Both of these were significant challenges to CISOs in region in 2020, but were either no longer mentioned as obstacles, or they have been. For example, ZT nomenclature was a major obstacle for adoption, in countries founded on trust – so CISOs we spoke to used different language to depict their ZT strategy, as a way to solve these nomenclature challenges. And as mentioned above, far from adopting a wait-and-see approach, CISOs in region are working to realize the many benefits from pioneering adoption.
- The lack of visibility and influence remains an issue, but in 2022, they come with a twist. In 2022, Zero Trust implementation in APAC is no longer coming from boards or the business, but rather, largely from technology teams such as network, architecture, and development teams. This means that CISOs in region have to work harder to break down the CISOs with their technology counterparts, than selling ZT to the business.
- Vendor hype and small security functions continue to challenge adoption. Unfortunately, vendors still pretend to be ZT experts, and security functions here remain relatively small here. Most security functions lacking the bandwidth and capability to deliver large scale implementations, like a Zero Trust rollout, with talent acquisition and retention remaining significant challenges. This will likely remain a challenge, and CISO’s will need to be strategic, work with service providers and cut through vendor hype to overcome these.
- Two new obstacles to adoption emerge. CISOs we spoke to mentioned two new obstacles they now encounter. They are overwhelmed by the sheer volume and scope of the many well-intended ZT frameworks and definitions, such as NIST, the White House, CISA or the Singapore Government. CISOs here simply aren’t always sure which framework to adopt for what purpose. And legacy applications remain a major bottleneck, inhibiting consistent ZT implementations.
Overcome The Challenges And Leapfrog to Modern Security By Embracing ZT
In conclusion, you can wait to see if your government, board, or media talk enough about ZT for you to take notice. On the other hand, you can be proactive, lead the way in adoption, and get the many commercial, strategic, and leadership benefits that can come with being an early adopter. How? Here are our tips, but you’ll need to read the research to learn more:
- Assess your ZT maturity
- Get some quick wins under your belt and demonstrate value along the way
- Lead with empathy to win over tech stakeholders
- Challenge vendor claims and demand product rationalization
- Integrate ZT as part of your digitization strategy