Canadian organizations are lagging other countries in implementing zero trust and secure access service edge (SASE) architectures, a global survey for Cisco Systems suggests.
According to a report released this week, only 39.5 per cent of Canadian respondents said their organization had a mature implementation of a zero trust architecture. That compared to 61.5 per cent of respondents in Indonesia, 47 per cent of respondents in India, 46.2 per cent in Saudi Arabia and 41.4 per cent in the U.S.
Still, Canadian respondents were ahead of those in the U.K., France and Germany.
Just over 92 per cent of Canadian respondents said they were investing in some way in a zero trust architecture, with 51.3 per cent saying their organization was making steady progress, while 7.9 per cent said they were only working on it in a loose or limited way.
The U.S. National Institute for Standards and Technology (NIST) says zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location. Authentication and authorization of both a user and device are discrete functions performed before a session to a resource is established. One expert at the SANS Institute has said organizations can’t have a zero trust architecture until they have mastered basic cybersecurity controls.
In another part of the survey, 33.9 per cent of Canadian respondents said they have a mature implementation of SASE architecture. Again, that put them behind respondents in Indonesia, India, the U.S. and Saudi Arabia, but roughly even with the U.K., Brazil, Malaysia and Japan.
According to Wikipedia, SASE combines SD-WAN with computer security functions, including cloud access security brokers (CASB), Secure Web Gateways (SWG), antivirus/malware inspection, virtual private networking (VPN), firewall as a service (FWaaS), and data loss prevention (DLP), all delivered by a single cloud service at the network edge.
The survey numbers are included in volume two of Cisco’s Security Outcomes Study, a survey of 5,123 security and privacy professionals in 27 countries. They were asked about their use of 25 general security practices and how each correlates with the achievement of 11 program-level outcomes.
Cisco says the data on zero trust and SASE is important because organizations that claim to have mature implementations were 35 percent more likely to report strong security operations than those with nascent implementations.
Dave Lews, Cisco’s Canadian-based global advisory CISO, said he wasn’t surprised at how Canadians rated their maturity levels for implementing zero trust and SASE. Generally, he said, Canadians are conservative in implementing new technology.
“I’ve worked in a number of Canadian organizations. A lot were running systems that were beyond their useful life that were still being relied on as mission-critical systems.”
In the past two decades, he added, there has been “a definite improvement overall in how security is being handled” by Canadian IT leaders.
He also suggested the numbers on these two questions shouldn’t be overestimated. “Zero trust and SASE are proven methodologies that improve security in organizations. That being said, there are other approaches organizations may be using. Because an organization may not necessarily be on a path towards zero trust, I wouldn’t penalize them for a moment. They may have a different program they are utilizing to reduce risk.”
Among the study’s findings:
–modern, well-integrated IT contributes to overall program success more than any other security practice or control;
–SecOps programs built on strong people, processes, and technology saw a 3.5 times performance boost over those with weaker resources;
–Outsourced detection and response teams were perceived to be superior, but internal teams show faster mean-time-to-respond (six days vs. 13 days);
–teams that extensively use threat intelligence are twice as likely to report strong detection and response capabilities;
–The probability of maintaining business resilience doesn’t improve until business continuity and disaster recovery capabilities cover at least 80 per cent of critical systems;
–organizations that regularly test their business continuity and disaster recovery capabilities in multiple ways are 2.5 times more likely to maintain business resiliency.