Frank Kim, SANS Institute Fellow January 9, 20255 Min ReadEmre Akkoyun via Alamy StockAdopting zero-trust security architectures is increasingly becoming a corporate imperative, with zero trust serving as the recommended approach for building resilience against the evolving nature of enterprise threats. This shift represents more than just implementing the latest and greatest best-of-breed tools. Its a foundational shift away from perimeter-based security controls and external network defenses that were not designed for todays threat landscape.More than 80% of all data breaches today are attributed to human error or negligence, making human risk a pressing security concern amid the rise of hybrid work environments. A zero-trust architecture limits the damage that a compromised user can cause by segmenting the organizations security environment into smaller, isolated zones that restrict the ability to access sensitive data across the entire ecosystem. Unfortunately, the path to effective implementation has proven challenging. Forrester research found that more than 63% of enterprises are struggling to implement zero-trust frameworks, and Gartner predicts that by 2026 only 10% of large enterprises will have a mature and measurable zero-trust program in place.This heightens the role of the transformational CISO to the forefront. CISO success today requires more than being a pure technologist from the SOC room. They need to serve as transformational leaders who are capable of navigating shifting organizational priorities to foster collective buy-in amongst executive leaders, establish effective processes with business line stakeholders, and develop versatile security teams. Cultivating this company-wide alignment is critical to alleviating the roadblocks that hinder zero-trust adoption today.Related:Articulating Zero Trusts ValueNearly 50% of IT professionals describe collaboration between security risk management and business risk management as poor or nonexistent, according to NIST research. As CISOs, its our job to bridge this divide by framing zero trust as an enabler of business agility, operational efficiency, and competitive advantage rather than focusing on technical specifications. Leveraging scenario-based planning and risk quantification techniques can effectively articulate the value of zero trust in terms that resonate with various stakeholders -- correlating the ramifications of cyber incidents to high-value outcomes that impact their department. Marketing leaders, for example, might better appreciate zero trust when they understand how it prevents customer data breaches that result in brand reputational damage.Related:CISOs should establish regular touchpoints with business unit leaders to understand their workflows, pain points, and growth initiatives. This collaborative approach helps identify opportunities where zero trust can enhance business processes rather than hinder them. By securing visible support from the C-suite, CISOs can overcome initial resistance and ensure the necessary resources are allocated for successful implementation. It also helps strengthen organizational buy-in across all employees, giving the company a platform to address concerns, share implementation progress, and maintain alignment with business objectives.Minimizing Organizational FrictionSuccessful zero-trust adoption requires a carefully orchestrated change management strategy. Rather than pursuing lower-risk areas, organizations often achieve better results by starting with mid-risk priorities and moving methodically toward more complex challenges. This approach prevents implementation paralysis and drives meaningful security advancement.Clear communication at every stage is essential. Regular updates, user awareness training, and open feedback channels help maintain transparency and address concerns proactively. When employees realize that zero trust can streamline their access to resources while maintaining security, resistance typically diminishes. The key lies in balancing security requirements with user experience. Modern implementations should leverage automation and contextual access controls to make security seamless. Implementing single sign-on solutions alongside zero-trust principles can enhance both security and convenience, making the transition more palatable for end users.Related:In addition, developing a comprehensive change impact assessment helps identify potential friction points before they emerge. This involves mapping current workflows, understanding dependencies, and creating mitigation strategies. Regular user satisfaction surveys and feedback sessions enable continuous refinement of the implementation approach, ensuring that security measures align with operational needs while maintaining robust protection.Positioning Practitioners for SuccessThe technical complexity of zero-trust architectures demands a targeted focus on skill development amongst security practitioners. With practitioners often wearing multiple hats across architecture, implementation, operations, and monitoring, they must be all-around defenders who are capable of seamlessly transitioning between functional roles. This requires a strong foundational knowledge spanning both on-premises and cloud security domains. Security teams must understand the organization's end-to-end security environment, from network tools to cloud applications, endpoints, and data storage systems.Investment in targeted learning is crucial here. Prioritize formal trainings and upskilling programs that build team-wide competencies and implement cross-training initiatives that facilitate knowledge sharing to reduce key person dependencies and develop operational resilience. Establishing a dedicated zero-trust center of excellence can accelerate this skill development by providing guidance and support to other security team members while maintaining documentation and best practices.The path to zero trust is a continuous journey of organizational transformation. While technical implementation remains crucial, the transformational CISO's ability to bridge cultural gaps, foster organizational alignment, and develop comprehensive team capabilities will determine the success of zero-trust initiatives. As cyber threats continue to evolve and regulatory pressures mount, organizations that successfully execute this cultural and technical transformation will be better positioned to protect their critical assets and maintain business continuity in an increasingly complex threat landscape.About the AuthorFrank KimSANS Institute Fellow Frank Kim is a SANS Fellow where he leads the Cloud Security and Cybersecurity Leadership curricula to help shape and develop the next generation of security leaders. Previously, he served as the organizations CISO where he led the information risk function for the most trusted source of cybersecurity training and certification in the world.See more from Frank KimNever Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.SIGN-UPYou May Also LikeWebinarsMore WebinarsReportsMore Reports