
Why Zero Trust is no longer a cybersecurity option, but a business imperative.
In an era where cyberattacks can cripple supply chains, bring down e-commerce platforms, and shake customer confidence, zero trust has emerged as more than just another security framework. It is a fundamental rethink of how we protect digital assets. For CISOs, it’s no longer a buzzword or optional strategy.
Zero trust security: Overview
- Security is now a boardroom issue
- The evolving role of the CISO
- A short refresher: What is Zero Trust?
- Why Zero Trust is urgent, not optional
- Real-world impact across industries
- Implementation challenges: No silver bullet

Security is now a top boardroom issue
Cybersecurity has officially moved from the IT and security department to the boardroom. With every headline-grabbing breach, organisations are realising that trust-based security models, ones that assume “safe” users and devices inside a defined perimeter, no longer hold up.
The 2020 SolarWinds attack was a turning point. Attackers infiltrated the software update process, bypassed firewalls and gained unprecedented access to networks across government and enterprise sectors. The breach was a case study in how deeply flawed the traditional perimeter model is. Once inside, attackers moved without resistance. A zero trust approach, with enforced segmentation and continuous verification, could have significantly reduced the impact.
Fast-forward to April 2025: Marks & Spencer was forced to shut down online services and contactless payments in response to a suspected ransomware attack. They later revealed that personal customer information had been stolen.
The lesson is clear: trust is a vulnerability, and attackers are exploiting it.
The evolving role of the CISO
Today’s CISO is no longer just a technical lead—they are a strategic business enabler. They must balance security with usability, compliance with innovation, and cost with risk reduction. Implementing zero trust is now central to this mission.
CISOs are expected to:
- Align zero trust strategies with business goals
- Conduct risk assessments across departments
- Guide the cultural shift toward “never trust, always verify”
- Drive policy development and enforcement
- Oversee technology integrations and user adoption
Today’s CISOs are also navigating a transformative shift in how they operationalise zero trust. Leaders like Mansi Thaparr, Head - Global Cyber Security at Apollo Tyres, and George Eapen, Group CIO at Petrofac, emphasised in a previous HotTopics roundtable debate that modern zero trust is not just a security framework; it is a cultural and organisational redesign.
With affordable and scalable technologies finally catching up to long-standing security goals, CISOs now have the tools to enforce continuous verification, segment business functions, and monitor behavior in real time. This enables a more adaptive, identity-centric defense posture.
However, as Eapen noted, the technology is often the easy part; the challenge lies in deeply understanding team workflows and aligning access policies accordingly. The result is a security model that does not just protect, but empowers.
A short refresher: What is zero trust?
Zero trust is often misunderstood, in part due to vendor hype. It is not a product, but a strategic security model typically rooted in a single principle: never trust, always verify.
Every user, device, and application (internal or external) must be authenticated, authorised, and continuously validated before being granted access. The model assumes breach as a starting point and designs systems to limit damage.
The core pillars of zero trust include:
- Identity: verifying who is requesting access
- Devices: ensuring only secure endpoints can connect
- Network: segmenting and monitoring all traffic
- Applications: enforcing least-privilege access
- Data: securing sensitive information at rest and in motion
- Visibility and analytics: detecting anomalies in real-time
Yet the complexity of zero trust does not lie only in the technology; it also lies in communicating its value clearly. As Chuks Ojeme, Global CISO at Brenntag, cautioned in a previous roundtable on Demystifying innovation in cybersecurity, “Sometimes IT is talking too technical, and the business doesn’t understand the impact.” Security leaders must therefore bridge that gap, translating zero trust into clear, strategic business language and showing how it supports innovation, resilience, and growth.
As Mark Guntrip noted, zero trust means verifying not just users but also applications and the data itself. That expanded perspective is essential in today’s hybrid, cloud-driven environments, where digital identity and user awareness play a critical role. Without a strong understanding across the organisation, even the best zero trust implementation risks becoming a “lost investment,” as Daniel Adaramola of the Young CISO Network put it.
Why zero trust is urgent, not optional
The urgency around zero trust has grown as enterprise environments become increasingly complex. Cloud adoption, remote work, BYOD (bring your own device) policies, and third-party integrations have dissolved traditional boundaries. Meanwhile, threat actors have grown more patient, persistent and well-funded.
Adding to the pressure are the limitations of legacy solutions. VPNs, once the cornerstone of remote access, are now seen as risk enablers. A recent Zscaler ThreatLabz report found that over half of organisations cite regulatory and cybersecurity concerns about relying on VPNs, with ransomware attacks a growing worry.
Zero trust, by contrast, minimises the attack surface and ensures that every request is contextually validated, drilling down on who is requesting access, from where, on what device and under what conditions.
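To make the pillars listed above and this contextual validation concrete, here is an added example of a small policy decision point written for this page; it is not code from the article or from any vendor it mentions. It denies by default and evaluates each request on who is asking (identity and role), what device they are on (managed, encrypted, endpoint protection healthy), where they are (country), and under what conditions (how recently MFA was completed, whether the identity belongs to a third party). Every name, resource, device record and request below is constructed for illustration, and the "reasons" list stands in for the visibility pillar: a deny always explains itself so it can be logged and investigated.

```python
"""Added example: a deny-by-default zero-trust policy decision point.

All users, devices, resources and requests are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Fixed "current time" so the constructed scenarios are reproducible.
NOW = datetime(2025, 6, 2, 9, 0, tzinfo=timezone.utc)

# Constructed resource catalogue: permitted roles and whether the data is sensitive.
RESOURCES = {
    "hr-payroll": {"roles": {"hr", "finance"}, "sensitive": True},
    "wiki": {"roles": {"hr", "finance", "engineering", "contractor"}, "sensitive": False},
    "prod-db": {"roles": {"engineering"}, "sensitive": True},
}

# Constructed device posture records (in practice fed by MDM/EDR telemetry).
DEVICES = {
    "laptop-001": {"managed": True, "disk_encrypted": True, "edr_healthy": True},
    "laptop-002": {"managed": True, "disk_encrypted": True, "edr_healthy": False},
    "byod-phone": {"managed": False, "disk_encrypted": True, "edr_healthy": False},
}

# Constructed identity directory.
USERS = {
    "alice": {"role": "finance", "third_party": False},
    "bob": {"role": "engineering", "third_party": False},
    "vendor-svc": {"role": "contractor", "third_party": True},
}

ALLOWED_COUNTRIES = {"GB", "DE", "IN"}
MFA_MAX_AGE_SENSITIVE = timedelta(minutes=15)  # re-verify often for sensitive data
MFA_MAX_AGE_DEFAULT = timedelta(hours=12)


@dataclass
class Request:
    user: str
    device: str
    resource: str
    country: str
    mfa_at: Optional[datetime]  # last successful MFA, None if never
    now: datetime


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)  # why access was denied


def evaluate(req: Request) -> Decision:
    """Return allow only when identity, device, location and MFA context all check out."""
    reasons: List[str] = []
    user = USERS.get(req.user)
    device = DEVICES.get(req.device)
    resource = RESOURCES.get(req.resource)
    # Anything unknown is denied: there is no implicit trust to fall back on.
    if user is None:
        reasons.append("unknown identity")
    if device is None:
        reasons.append("unknown device")
    if resource is None:
        reasons.append("unknown resource")
    if reasons:
        return Decision(False, reasons)

    sensitive = resource["sensitive"]
    # Identity / applications: least privilege by role.
    if user["role"] not in resource["roles"]:
        reasons.append(f"role {user['role']} not permitted on {req.resource}")
    # Devices: only healthy, managed endpoints may connect.
    if not device["managed"]:
        reasons.append("unmanaged device")
    if not device["disk_encrypted"]:
        reasons.append("disk not encrypted")
    if sensitive and not device["edr_healthy"]:
        reasons.append("endpoint protection unhealthy")
    # Network / location context.
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append(f"access from {req.country} not permitted")
    # Continuous verification: MFA must be recent, more so for sensitive data.
    max_age = MFA_MAX_AGE_SENSITIVE if sensitive else MFA_MAX_AGE_DEFAULT
    if req.mfa_at is None or req.now - req.mfa_at > max_age:
        reasons.append("MFA missing or stale")
    # Data: third-party identities never reach sensitive resources.
    if user["third_party"] and sensitive:
        reasons.append("third-party identity on sensitive resource")
    return Decision(not reasons, reasons)


def demo() -> Dict[str, Decision]:
    """Constructed requests showing how the same identity is answered differently as context changes."""
    fresh = NOW - timedelta(minutes=5)
    scenarios = {
        "finance_payroll_ok": Request("alice", "laptop-001", "hr-payroll", "GB", fresh, NOW),
        "finance_payroll_stale": Request("alice", "laptop-001", "hr-payroll", "GB", NOW - timedelta(minutes=30), NOW),
        "finance_payroll_abroad": Request("alice", "laptop-001", "hr-payroll", "US", fresh, NOW),
        "eng_proddb_bad_edr": Request("bob", "laptop-002", "prod-db", "DE", fresh, NOW),
        "eng_wiki_bad_edr": Request("bob", "laptop-002", "wiki", "DE", NOW - timedelta(hours=2), NOW),
        "vendor_wiki_byod": Request("vendor-svc", "byod-phone", "wiki", "IN", fresh, NOW),
        "vendor_payroll": Request("vendor-svc", "laptop-001", "hr-payroll", "IN", fresh, NOW),
        "unknown_device": Request("alice", "laptop-999", "wiki", "GB", fresh, NOW),
    }
    return {name: evaluate(r) for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} {'ALLOW' if decision.allow else 'DENY '} {decision.reasons}")
```

The point of the scenarios is that the answer is never a property of the user alone: the same finance user is allowed to payroll from a healthy laptop in the UK with fresh MFA, denied when the MFA is 30 minutes old, and denied from an unlisted country; the engineer whose endpoint protection is unhealthy still reaches the non-sensitive wiki but not the production database. Collecting every failed check rather than stopping at the first gives the security team the telemetry the visibility pillar asks for.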
Real-world impact across industries
The retail and e-commerce sectors illustrate the urgency of zero trust adoption.
With millions of customer records, payment data and logistics systems to protect, these platforms are prime targets. A Ponemon Institute report showed that the average cost of a breach in the retail sector reaches millions—threatening both revenue and brand trust.
In one e-commerce case study, cited in a recent ResearchGate publication, organisations implementing zero trust significantly reduced internal lateral movement of malware and were able to isolate compromised systems faster. Even FinTech companies are realising the potential of zero trust security architecture, significantly reducing the risk of fraud and cyberattacks and enhancing overall security infrastructure.
Recently, Adidas joined a growing list of high-profile companies affected by data breaches—including Marks & Spencer, Co-op, and Harrods. The sportswear giant disclosed on its website that “an unauthorised external party obtained certain consumer data through a third-party customer service provider.” This incident underscores the importance of extending zero trust principles beyond internal systems to include third-party vendors and service providers, where vulnerabilities are often overlooked.
Implementation challenges: No silver bullet
While the benefits are clear, implementing zero trust is not without challenges. MFA fatigue, a common user complaint, illustrates the delicate balance between security and experience.
Likewise, micro-segmentation and policy enforcement can be complex and resource-intensive. That’s why leading CISOs are taking a phased approach. The starting point? Identifying areas of highest risk: privileged users, third-party vendors, and sensitive data environments.
Other common challenges include:
- Integrating legacy systems with zero trust principles
- Gaining organisation-wide buy-in
- Training staff to adopt a new access mindset
- Balancing automation with human oversight
Ultimately, zero trust is more than a technical upgrade; it is also a cultural one. It forces organisations to move away from implicit trust and toward a multi-layered, dynamic security posture. It’s about assuming compromise, planning for resilience, and verifying everything, always.
Guidance from the UK’s National Cyber Security Centre (NCSC) and similar bodies around the world further validates zero trust as the standard to meet modern cyber threats. And with regulations tightening and stakeholder scrutiny increasing, CISOs have an opportunity, if not a responsibility, to lead the charge.
What comes next?
As zero trust matures, we’ll be sharing more perspectives from CISOs across the HotTopics community, leaders who are driving this transformation from theory to practice. Join the CISO community and connect with the sharpest minds in cybersecurity.