Why digital trust could require zero trust

IDC guest blog post sponsored by Orange Business Services. Guest IDC Blogger: Jan Horsager, Research Director, IDC Nordic Custom Solutions

As generative AI has almost captured the Nordic tech agenda, executives increasingly want to discuss the security risks related to digital transformation — especially the link between digital trust in general and zero trust.

IDC research reveals that close to half of all Nordic organizations have experienced an increase in the number of attacks on their digital infrastructure and solutions. Media coverage of renowned large businesses coming under attack are fueling the discussion and fear, from middle management all the way to the board of directors. I am increasingly experiencing this in the Nordic IT community these days, whether via briefings, networking sessions, or through the line of questioning following a presentation. My advice is to shift the focus of the discussion just a little bit; avoid dwelling on IT security alone and instead have a more comprehensive view of digital trust. This is where the debate in event coffee breaks often leads to zero trust in a digital trust context, and for good reason. Digital trust could require zero trust.

Let’s focus on the three main ingredients of these coffee-break discussions

1. Digital-First Organizations:

As digital transformation enters a new phase, becoming “digital first” is an important milestone. Digital services are delivered close to seamlessly via multicloud infrastructure. But at the same time, cyberthreats are becoming increasingly complex, calling for proactive and managed cyber protection to protect against known, unknown, and advanced threats and build the digital trust needed in a digital-first organization.

Digital first is not a technology or a business model. Digital first applies to any organization that’s always asking if some digital-based capability could improve the desired outcomes of processes, business models, or any other activities for that matter. It is an organizational aspiration. Businesses and organizations must keep asking whether there is some digital-based capability or enhancement that could improve lives and desired outcomes.

Digital first is not just a vision. IDC continuously asks IT decision makers in tech-buyer organizations around the world to assess their digital maturity on a scale with five rungs, from disconnected digital strategies to integrated and digital-first strategies. In Northern Europe, IDC predicts that the pace of digital maturity evolution will accelerate, and at least 60% of organizations will have an integrated or digital-first strategy by the end of 2023 (versus 41% in 2021 and 49% in 2022).

2. Digital Trust:

For IDC, digital trust has become an essential element in the eight Future of X research practices comprising the ingredients required to enable digital transformation into Future Enterprises. The IDC Future of Trust Framework shown below is a triangle model with six layers from the base to the top — Risk, Security, Compliance, Ethics and Social Responsibility, Privacy, and Trust. On the right are four elements of trust — Foundational, Compulsory, Strategic, and Actualized. On the left are three overlapping semicircles representing the following trust outcomes — Trusted Governance, Trusted Ecosystems, and Trusted Enabled Commerce.

Traditional approaches to security, risk, compliance, and privacy face both scope and scale challenges. The elements of trust in the framework transform the conversation from what a company “must” do to prevent adverse outcomes to what a company “should” do to avoid negative consequences and build toward positive trust outcomes.

Right now, we are at a tipping point as business leaders prepare their digital-first strategies. Data security, confidentiality, integrity, and availability are now vital issues for all organizations, as is the imperative to use data ethically while complying with a complex web of industry and regional regulations.

Security is seen as compulsory in the complete picture of digital trust, and that’s where zero trust enters the discussion.

3. Zero Trust:

Fundamentally, zero trust seeks to ensure that only a verified and identified user, using only an authorized device, has appropriate (e.g., role-based or attribute-based) access to defined resources (e.g., applications and data) in the correct context at all times (i.e., with the above controls reassessed continuously).

Security professionals in Europe are familiar with the term “zero trust.” Its exact meaning, however, is still being debated: No clearly defined standard, standardized framework, or solution definition has yet emerged for zero trust. At a fundamental level, the term means “never trust, always verify.”

Like many major technology trends, the term “zero trust” has been overused, resulting in confusion. The situation is complicated because a single packaged product or category does not enable zero trust. It is a complex and multifaceted undertaking involving technology, process, and architecture.

Despite these challenges, IDC believes zero trust models deliver robust security and strengthen the cyber-resilience of a business when correctly implemented as part of a holistic and multi-layered defense strategy.

Call to Action:

Digital trust is essential for digital-first organizations. And digital trust could require zero trust to ensure that only a verified and identified user, using only an authorized device, has appropriate access to defined resources in the correct context at all times.

It is an essential part of the discussion that digital decision makers must have with their trusted advisors and vendors.

Orange Business thanks guest IDC Blogger: Jan Horsager, Research Director, IDC Nordic Custom Solutions for this article.