Organizations around the world are embarking on their Zero Trust journeys. Often, these voyages are undertaken without a complete understanding of the destination: Zero Trust maturity. Reaching a level of Zero Trust maturity requires careful planning and a steady course to get there.

Forrester recently published a report to help security and IT pros achieve a level of Zero Trust maturity, Chart Your Course To Zero Trust Intermediate. This research provides a process and technological roadmap of three-dozen tasks that organizations should complete to get from the conventional state to credible Zero Trust.

We chose an intermediate rather than advanced target of maturity for this report because the majority of Forrester clients and other organizations that we talk to are at the beginning stage of Zero Trust. They have a conventional security architecture, with flat networks, poor visibility, and no automation. With these clients in mind, we’re presenting a roadmap to go from where they are at now to an intermediate level of maturity first, with an eye toward stepping to advanced later.

We’ve scheduled a webinar in support of the report in which we’ll help you understand the different maturity levels and then cover five phases of the journey to intermediate.

Behind The Research: What’s Happening Below Decks

This is a foundational piece of research from the Zero Trust analyst team at Forrester, representing a year of collation, collaboration, creation, and review. It builds on one of our most widely read reports, A Practical Guide To A Zero Trust Implementation, but goes much deeper into the actual details of what needs to be done. The “Chart Your Course” report centers around 37 tasks, grouped into five phases.

Where did we get all these tasks, you ask? The short answer is from years of advisory with clients about Zero Trust. The longer answer includes these sources:

  • Forrester’s short-form maturity assessment on Zero Trust
  • Forrester Consulting’s long-form maturity assessment
  • Forrester Wave™ evaluation research and interviews
  • Dozens of client interactions
  • Interviews with industry luminaries
  • US federal government guidance

There are other technological roadmaps out there — you’ll see some from the vendor community, but of course, they’re not entirely objective, nor would you expect them to be.

The Forrester roadmap is ordered based on four parameters that we assigned for each task:

  • Difficulty. Cybersecurity is hard. Let’s face it, some stuff is harder than others. We assigned difficulty scores to each task based on our own research, experience, and insights gleaned from security pros.
  • Impact. Similarly, some tasks may yield more impact to your security posture than others.
  • Priority. By combining the first two parameters (impact + difficulty), we prioritized the tasks that should be done first within the cohort of each phase. In general, high impact + low difficulty yielded high priority.
  • Dependency resolution. One especially unique feature of our roadmap is that the dependencies are already resolved. After isolating the tasks, we drew dependencies between them and then wrote some nifty Python code to resolve them and spit out the tasks in priority order.

We also put a draft of the report into the hands of external security and risk professionals for peer review and comment. Some of them are listed in the credits of the reports; the ones who couldn’t be (you know who you are), thank you!

One output of this research is that we’re also updating the online Forrester Zero Trust assessment tool. It’s currently offline but should be back up soon. Watch this space for that announcement.

Your Next Ports Of Call

As you prepare to chart the course of your Zero Trust journey, read the report and share the learnings with your team, then register for the upcoming webinar. We’ll cover overall report flow in the webinar but intend to leave the bulk of the time for Q&A.

As you dig deeper, read these Forrester reports for more context and vendor selection:

Finally, schedule an inquiry or guidance session with any member of our Zero Trust research team: Heath Mullins, Carlos Rivera, Tope Olufon (based in the EMEA region), or myself. Bon voyage!