United Kingdom - English Investors Newsroom Alumni Platform
Contact us
Cybersecurity

Zero trust is a posture, not a product. Five enterprises explain why.

Zero trust programmes struggle when organisations buy a product and expect the posture to follow. The enterprises making progress are treating zero trust as a coordinated shift across identity, network design, workload access, telemetry, and the daily habits of operators and developers.

5
enterprise zero-trust programmes informed this briefing across financial services, public sector, manufacturing, and healthcare
5 layers
moved together in successful programmes: identity, device, network, workload, and detection-response operations
18 months
is the median period required before teams report that the posture is changing in day-to-day operational behaviour
0
single products delivered a meaningful zero-trust posture without parallel changes to access policy and operational routines

The posture shifts only when controls and behaviours reinforce each other.

The enterprises we studied all began with sensible intentions: stronger identity, better segmentation, tighter device control, or improved telemetry. The programmes accelerated only when those changes were linked into a coherent access model and operational playbook rather than pursued as separate security projects.

Zero trust became real when users, engineers, and security teams could understand who should access what, from where, under which conditions, and with what evidence. That required policy clarity, better asset understanding, and a response model able to act on the telemetry being collected.

No layer carries the posture alone. Identity, access context, segmentation, and response habits have to reinforce one another in daily operations.

Insight findings

What the five enterprises were consistent about.

Lesson 01

Identity is the foundation but not the finish line

Stronger authentication and role design improved risk posture quickly, but the real gains appeared when identity signals shaped network and workload policy decisions.

Lesson 02

Segmentation only works when teams know what they are segmenting

Application dependency mapping and business-context tagging were essential; otherwise microsegmentation became a source of outages and policy confusion.

Lesson 03

Telemetry without action creates fatigue

Enterprises generated better detection data, but value only improved when response playbooks, ownership, and escalation rights were updated to use it.

Lesson 04

Developers and operators need a usable access model

Programmes stuck when security policy felt arbitrary. They moved faster when access paths, exceptions, and break-glass routines were understandable and measurable.

Enterprise agenda

How to turn the idea into a posture.

Priority 01

Create a decision model for access

Define how identity, device state, network context, and workload sensitivity combine to grant, step up, or deny access.

Priority 02

Map the assets and dependencies that matter most

Start with critical applications and operational flows where better access control materially reduces exposure.

Priority 03

Rework break-glass and exception handling

Emergency access, supplier support, and privileged maintenance routines must be part of the posture, not hidden side doors.

Priority 04

Connect telemetry to response ownership

Detection rules, triage workflows, and remediation actions need named owners and rehearsed operating paths or the data will not change behaviour.

Early wins

Where enterprises are seeing posture gains first.

Win 01

Privileged access is becoming more explicit and reviewable

Enterprises are shrinking standing privilege and making elevated access easier to trace and challenge.

Win 02

Lateral movement risk is being reduced in critical zones

Clearer segmentation and better workload context are narrowing the blast radius of credential compromise or device drift.

Win 03

Security operations are getting better signals to act on

Teams that tie access context to detection logic are improving prioritisation and reducing noisy investigation loops.

"
Zero trust becomes real when access decisions stop being assumptions and start being explicit, contextual, and observable.
Kenji Sato - Cybersecurity & Resilience Lead, Tata Consulting Services

Shaping a zero-trust roadmap?

Request the enterprise posture briefing