Interest in zero trust is surging, according to IDG’s 2020 Security Priorities Study, with 40% of survey respondents saying they are actively researching zero trust technologies, up from only 11% in 2019, and 18% of organizations indicating they already have zero trust solutions, more than double the 8% in 2018. Another 23% of respondents plan to deploy zero trust in the next 12 months.

But Forrester analyst Steve Turner notes that in his recent conversations with enterprise clients, a good 50%-70% completely misunderstand the basic concepts and principles of zero trust “because the marketing hype has taken over.”

He adds, “When we bring things back to reality and tell them where they’re at, there is that five stages of grief around zero trust; the realization that what you had is not what you thought it was.”

Here are some common myths and misconceptions associated with zero trust.

Myth: Zero trust solves a technology problem

Zero trust does not address a technology problem; it addresses a business problem. “The first step is to sit down and understand what business problem you’re trying to solve,” says Turner.

John Kindervag, the former Forrester analyst who created the zero trust model, also emphasizes the need to focus on business outcomes, advising CISOs to get the business involved. “If you don’t know your business needs, you will fail,” he says.

Myth: Zero Trust is a product or set of products

One common misconception about zero trust is that if you deploy identity management, access control, and network segmentation then you have successfully implemented zero trust. Kindervag, currently senior vice-president of cybersecurity strategy at managed security services provider ON2IT, explains that zero trust is not a suite of products or a set of tactics. “It’s a strategic initiative designed to stop data breaches.” Burkhardt describes it as a “set of principles” that you use to build a secure technology environment.

“Nobody can sell you a zero trust solution,” Accenture CISO Kris Burkhardt adds. “If you’re looking to buy a product to get to zero trust, then you’re asking the wrong question.”

Turner says he has been talking with clients who bought a product with the promise that it was zero trust, but “they didn’t change their approach to anything.” The organization didn’t classify data; it still had employees, vendors, and contractors with excess privileges; it did not identify critical assets or change network flows.

Myth: Zero trust means you don’t trust your own employees

Kindervag explains that the zero trust approach is not aimed at making systems trusted; it’s about eliminating the concept of trust from IT systems. “Trust is a vulnerability that is exploited in data breaches. We’re not trying to make systems trusted.”

This sometimes gets misinterpreted as the company suddenly not trusting its workers. CISOs need to explain that it’s not personal; it’s the equivalent of requiring a key card to enter the building. And the ultimate goal is to prevent data breaches, which affect everyone at the company.

Myth: Zero trust is difficult to implement

Kindervag bristles at the idea that zero trust is hard to do. “That’s the mythology created by people who don’t want you to do it because it will kill their defense-in-depth model.” He argues that zero trust is not complicated and certainly not more expensive than what companies are already doing—and that’s not even factoring in the cost of a data breach.

Turner agrees that it’s much easier today to implement zero trust: the tools themselves have improved and vendors are now collaborating across product lines. “It’s significantly easier to get things done today with not as much investment,” he adds.

Myth: There is only one correct way to begin the zero trust journey

Over time, two approaches to getting started with zero trust have emerged: from the security side and from the identity management side, says Turner. Some organizations start with identity and move quickly to deploy multi-factor authentication, which delivers “the easiest and quickest wins.”

Other organizations take a network-centric approach, tackling microsegmentation first, which can be a bit more challenging, says Turner.

Myth: Deploying SASE means I have zero trust

SASE has recently emerged as a popular way to lean into zero trust because it’s a service that puts security controls in the cloud. However, Turner points out that many companies turned to SASE during the chaotic early days of the pandemic to solve the immediate problem of employees working from home.

SASE addresses zero trust at the edge, but as employees move back to corporate offices, organizations are realizing that they are still operating with traditional perimeter security concepts. “SASE solutions are not built for hybrid models,” says Turner. “Now organizations need to go back to the drawing board” and apply zero trust as an enterprise-wide strategy.