Gartner: Zero Trust Will Not Mitigate Over Half of Attacks

Written by

Just one in 10 large enterprises will have a “mature and measurable” zero trust program in place by 2026, and even those that do will increasingly find its controls unable to mitigate the impact of attacks, according to Gartner.

The analyst claimed that take-up of zero trust would increase slowly from just 1% today, indicating the difficulty of turning plans into reality.

Zero trust received a major boost following a US presidential executive order in 2021 that forces federal agencies to adopt the approach.

However, it’s by no means a silver bullet. Gartner warned that over the coming three years, more than half of all cyber-attacks will be focused in areas that zero trust controls don’t cover and can’t mitigate.

“The enterprise attack surface is expanding fast and attackers will quickly consider pivoting and targeting assets and vulnerabilities outside of the scope of zero trust architectures (ZTAs),” said Jeremy D’Hoinne, VP analyst at Gartner.

“This can take the form of scanning and exploiting of public-facing APIs or targeting employees through social engineering, bullying or exploiting flaws due to employees creating their own ‘bypass’ to avoid stringent zero trust policies.”

Despite this, however, the approach will still offer a valuable way to reduce risk and limit the impact of many threats, Gartner said.

“Many organizations established their infrastructure with implicit rather than explicit trust models to ease access and operations for workers and workloads. Attackers abuse this implicit trust in infrastructure to establish malware and then move laterally to achieve their objectives,” said John Watts, Gartner VP analyst.

“Zero trust is a shift in thinking to address these threats by requiring continuously assessed, explicitly calculated and adaptive trust between users, devices and resources.”

CISOs and risk management leaders should start by defining the scope of their enterprise zero trust program, and then focus first on identity, bearing in mind that zero trust is about people and process as much as it is technology, Watts continued.

Editorial credit icon image: T. Schneider /

What’s hot on Infosecurity Magazine?