What the zero-trust security market looks like beyond 2022

Gartner predicts that global end-user spending for the information security and risk management market will grow from $172.5 billion in 2022 to $267.3 billion in 2026, attaining a constant currency growth rate of 12.2%.

Additionally, according to Gartner, end-user spending on zero-trust network access (ZTNA) systems and solutions globally is projected to grow from $819.1 million in 2022 to $2.01 billion in 2026, attaining a compound annual growth rate of 19.6%. On top of that, global spending on zero-trust security software and solutions is projected to grow from $27.4 billion in 2022 to $60.7 billion by 2027, attaining a CAGR of 17.3%. 

It’s a sector that continues to grow with no signs of slowing down. A recent report from ERM shows that the zero-trust security market is growing at a CAGR of 17.3%, increasing from $22.9 billion in 2021 to $59.8 billion by 2027.

Zero trust is gaining market momentum 

Enterprises and the CISOs leading them are dispelling the myth that zero-trust security frameworks are expensive and hard to implement by getting them done. Zero-trust frameworks are quickly becoming the foundation of hybrid cloud security, as the recent CNAPP announcement by CrowdStrike at their Fal.Con 2022 event illustrates. 

Ericom’s Zero-Trust Market Dynamics Survey found that 80% of organizations plan to implement zero-trust security, and 83% agree that zero trust is strategically necessary for their ongoing business. Additionally, 96% of security decision-makers say zero trust is critical to their organization’s success. 

Key factors driving the market include President Biden’s executive order from May of this year, which mandated zero-trust architectures for all governmental entities and accelerated adoption across all organizations. 

“Last year, they started issuing funding to help the federal agencies execute (on order), then you saw the DoD coming out with prescribed standards even for suppliers and vendors. And so, for the public sector, that code is almost codified to support zero trust,” said Kapil Raina, vice president of zero trust, identity and data security marketing at CrowdStrike. “Agencies tell us, ‘I have a budget here that here are the technical requirements for zero-trust compliance.'”

Another series of factors driving the market growth is the need for organizations across sectors to have better security for their permanently remote and hybrid workforces. As a result, Gartner is seeing a 60% year-over-year growth rate in ZTNA adoption. Its 2022 Market Guide for Zero-Trust Network Access is noteworthy in providing insights into all CISOs need to know about zero-trust security. 

What follows is a curated list of the most recent cybersecurity forecasts and market estimates.

Start with multifactor authentication, network analytics and workload governance 

CISOs need zero-trust project wins to hold on to their budgets and persuade stakeholders to invest more. Microsegmentation is often taken on later in a zero-trust roadmap, given how challenging it can be to get right. Getting it right is the cornerstone of a successful zero-trust framework, however. Least-privileged access combined with identity and access management (IAM) and privileged access management (PAM) helps enterprises prevent privileged credential and identity abuse. 

While every organization’s zero-trust roadmap differs, many share common attributes of multifactor authentication, microsegmentation, Identity Access Management (IAM), least privileged access and device management. Sources: Statista, CompTIA 2021 State of Cybersecurity  

Zero trust can reduce average breach losses by nearly $1M

Enterprises with zero trust deployed reduced the average cost of a breach by $950,000 compared to those without it. The average cost of a data breach for an enterprise without a zero-trust framework is $5.1 million, compared to $4.15 million for the enterprises that have one. The 20.5% reduction in breach costs accelerates as an enterprise gains more experience and matures with its zero-trust initiatives, according to the IBM Cost of a Data Breach 2022 report. 

The more mature a zero-trust framework becomes, the more it reduces the average cost of a breach by securing more potentially damaging threat vectors that bad actors exploit. For example, enterprises with early adoption of zero trust see an average data breach cost of $4.96 million, dropping to $3.45 million when zero trust is applied across all domains. 

As zero-trust frameworks gain greater maturity and improve their effectiveness across enterprises, the average data breach cost drops by $1.51 million. Source: IBM Cost of a Data Breach Report 

73% of organizations have plans to adopt cloud-based ZTNA over the next 18 months

Of those, 19% intend to standardize only on software-as-a-service (SaaS)-based zero-trust access capabilities. Ivanti’s Zero Trust Progress Report also found that 64% of CISOs and security leaders find verifying the identities of users, devices and infrastructure components to be the most valuable benefit of implementing a zero-trust framework.

Data protection (63%) and continuous authentication/authorization (61%) are the second and third most valuable benefits, according to the survey.  

More organizations are opting for SaaS-based ZTNA to gain greater speed, time-to-market and consolidation in their tech stacks, according to Ivanti’s survey. Source: Ivanti 2021 Zero-Trust Progress Report

Strong authentication, automated risk detection, remediation and adaptive access are the zero-trust components organizations choose to implement first 

Protecting identities and endpoints while also improving automation and orchestration also dominate enterprises’ zero-trust roadmaps. It’s noteworthy that no single security risk area stands out as a primary starting point for zero-trust strategies, as fewer than 15% start with the same security risk area.

Microsoft Security’s Zero Trust Adoption Report identifies the differences in identities, endpoints, apps, networks, infrastructure, data, automation and orchestration implementation levels. 

Securing access controls to protect networks, implementing threat protection, filtering for context-based signals and encrypting all traffic are the highest priorities security leaders are pursuing when implementing zero trust across their networks. Source: Microsoft Security Zero-Trust Adoption Report

Integrating IAM, cloud access security brokers (CASB) and security information and event management (SIEM) is key 

Seventy-seven percent of security leaders have current integration in place with their endpoint protection and management platforms (EMM), followed by CASB integration (69%). Planned integrations with SOAR and SIEM dominate roadmaps, with more than 40% of security leaders saying these technologies are the ones they are most planning to integrate into their tech stacks. 

Securing endpoints is table stakes for zero-trust security, as every identity needs to be treated as a new security perimeter. Integrating security tech stacks with CASB and SIEM secures hybrid cloud configurations and provides valuable event and threat data. Source: OKTA,The State of Zero-Trust Security 2021 

68% of organizations plan to increase their investments in zero trust

Security decision-makers believe excelling at zero trust can provide increased organizational agility (52%), safer cloud migrations (50%) and better support for their digital transformation strategies (48%).

Despite security leaders saying they are facing a challenging time obtaining funding, 67% of security leaders surveyed say their organizations will expand their zero-trust budgets in 2022, allocating a third (36%) to zero-trust initiatives. 

77% of enterprises either have ZTNA frameworks in production or are implementing them today

Revamping security tech stacks to reduce as much implicit trust as possible between devices, identities and endpoints leads to more integration with passwordless authentication and SASE systems. Enforcing least privileged access is a core design goal of ZTNA frameworks, which is why having API-based integrations to various IT network technologies is essential. In addition, emerging IT security technologies’ platforms must be designed for secure API integration if they scale as a business grows.  

Zero trust is defining CISOs’ futures  

Zero trust needs to be treated as a business decision, with CISOs taking the lead in defining the value their teams deliver. 

“I think the CISO will be a coveted role in the boardroom. You have a CFO and those folks, but I’m seeing more and more CISOs joining boards. And I think this is a great opportunity for everyone here to understand what impact they can have on a company,” George Kurtz, co-founder and CEO of CrowdStrike, told the Fal.Con 2022 audience earlier this month. 

Kurtz believes the future of the CISO role is one of delivering business value by reducing risk and threats. That’s core to getting zero-trust frameworks right while consolidating tech stacks and improving endpoint visibility and control. 

As Gartner’s 2022 Market Guide for Zero Trust Network Access illustrates, the most successful implementations begin with a strategy supported by a roadmap.

The guide is noteworthy in its insights into the areas CISOs need to concentrate on to excel with their ZTNA strategies. Identities are the new security perimeter, and the Gartner guide provides prescriptive guidance for taking on that challenge.