Understanding the Two Maturity Models of Zero Trust
Blog Article Published: 05/17/2023
Written by John Kindervag, Senior Vice President, Cybersecurity Strategy, ON2IT Cybersecurity.
The top mistake in the Zero Trust world is monolithic thinking. The belief has taken hold that it is possible to eat the entire elephant in one bite. Organizations try to deploy all of their Zero Trust environments simultaneously. They go too big. The failure is immediate. These organizations spend all of their time thinking and arguing about Zero Trust but never get around to actually doing it.
The second and interrelated mistake is to think too tactically. The focus becomes solely on products and technology. Strategy is thrown out the window. This hyper-focus on technology loses sight of the objective of cybersecurity: to protect something.
This makes measuring progress more difficult. I am convinced that the optimal way to measure progress in cybersecurity is through maturity.
While at Forrester Research, I worked on our overarching enterprise cybersecurity maturity assessment project. Later, I adapted that into the first maturity model for Zero Trust in the report: “Assess Your Network Security Architecture with Forrester’s Zero Trust Maturity Model.” (Note: I authored the report in late 2016, but it was published in 2017 after I left Forrester. This is why I am listed third on the byline.)
Over the years, I had the opportunity to refine the model during real client engagements. This model was codified in the NSTAC report. You can dive in deeper by looking at Appendix A.
A simplified graphic is seen below. This is the graphic I use to explain the model during presentations, including the one that I did for CSA recently.
You will notice that this Maturity Model is based on the 5 Step process for Zero Trust and is scored on a per Protect Surface basis. It uses the standard 5-level maturity paradigm originally developed by Carnegie Mellon University.
Each Protect Surface is scored individually. The model requires the identification of both the Protect Surface and the DAAS element. This way, we are breaking up the maturity scoring into manageable bite-sized chunks. An example using Directory Services as the Protect Surface is seen in Appendix A of the NSTAC report.
This means that if a Protect Surface is fully optimized, it receives the maximum score of 25 points. At ON2IT, we rarely see this.