The percentage of organizations worldwide that have implemented a zero-trust initiative has almost tripled in the past three years, going from 24% in 2021 to 61% in 2023, according to data from Okta’s 2023 State of Zero Trust report. Companies with between 5,000 and 9,999 employees are more likely to have zero trust in place—three out of four—than those with 500 to 999 employees.

The report is based on responses from 860 information security decision-makers from North America (United States, Canada); EMEA (Denmark, Finland, France, Germany, Ireland, Netherlands, Norway, Sweden, United Kingdom); and APJ (Japan, Australia).

Those planning to implement a zero-trust security initiative in the next 18 months make up 35% of respondents, and only 4% were neither planning one nor had one in place. The North American region is leading in terms of initiatives already in place, but EMEA and APJ organizations are quickly gaining ground, and nearly all the holdouts in both regions plan to adopt a zero-trust initiative within the next 6 to 12 or 13 to 18 months.

Despite macroeconomic pressures forcing cost cutting, 80% of the respondents reported that their budgets for zero-trust security initiatives had increased over the previous year—60% reported budget increases of between 1% and 24%, and another 20% increased by 25% or more.

Identity has become a big part of zero-trust strategies, with 51% of all respondents saying it is extremely important, a considerable increase from 2022’s 27%. Another 40% said it is somewhat important.

Identity begins to shift from IT to security

Identity and access management (IAM), which used to be owned by IT departments, has increasingly shifted to cybersecurity teams.
This is backed by Okta’s research, which found that 73% of security teams now own IAM in North America and 50% in EMEA.

In APJ the change is slower: while 41% of organizations task security with managing IAM, another 56% of organizations have security either oversee identity or manage the technology, but not both. There are further signs of the growing importance of identity initiatives, with 34% of respondents using multi-factor authentication (MFA) for external users and 33% for in-house staff.

Across the four industries the report focused on, healthcare organizations are prioritizing MFA for external and internal users and connecting directories to cloud apps. In the public sector the priority is MFA for external users, secured access to APIs, and MFA for employees; in financial services, MFA for employees first, followed by MFA for external users and privileged access management for cloud infrastructure; and in software the priorities are MFA for employees, secured access to APIs, and MFA for external users.

Security decision-makers’ focus

In the next 12 to 18 months, decision-makers will prioritize managing privileged access to cloud infrastructure (42%), securing access to APIs (42%) and implementing multi-factor authentication (MFA) for employees (42%). Furthermore, when it comes to protecting authentication, organizations are more likely to use MFA and single sign-on protection for servers and databases.

More than half of the C-suite respondents said this year that identity was extremely important to a zero-trust strategy, with another 40% declaring it somewhat important. That is a big shift from last year, when 26% of C-suite respondents declared identity as mission-critical.

IT leaders are integrating their IAM systems with mobile device management (MDM).
SIEM, MDM, and endpoint protection are the top three “most important” systems to prioritize integrating directly with an IAM solution, according to the report.

“Low assurance” passwords are still the standard

Passwords remain the “stubborn standard” for authentication globally, “despite their low assurance, and are still used at more than half of the respondents’ organizations.” Security questions, which aren’t much better, are the second-most often used, globally and in EMEA and APJ, while they’ve taken the top spot in North America. The report also found other low-assurance services in use, including hardware OTP and SMS, voice, and email OTPs.

Factors the report deems medium-assurance, like physical token OTPs and push authenticators, are in use at fewer organizations (36% and 29%, respectively), and just 19% of organizations are using high-assurance factors like platform-based authenticators and biometrics. “We expect to see MFA continue its march to the mainstream, while increasing regulations will likely push industries like financial services and the public sector toward passwordless and other high-assurance phishing-resistant authentication factors,” found the report.