Zero trust no longer optional: Experts reveal critical pillars to secure digital transformation

Cybersecurity threats are escalating as organizations accelerate their digital transformation efforts. A new study highlights how prioritizing key elements of Zero Trust Architecture (ZTA) can safeguard critical systems against increasingly sophisticated attacks. Their findings provide a roadmap for organizations seeking to strengthen resilience while complying with evolving regulations.

Published in Information (2025), the study "Implementing Zero Trust: Expert Insights on Key Security Pillars and Prioritization in Digital Transformation", the research uses a structured decision-making approach to rank the most critical components of Zero Trust. This prioritization is essential, the authors argue, to optimize resource allocation and build a layered security strategy that addresses vulnerabilities before they can be exploited.

Which security pillars should be addressed first?

The study evaluates eight pillars outlined by the Cybersecurity and Infrastructure Security Agency (CISA) that collectively form the foundation of Zero Trust: Users, Devices, Data, Applications, Contractors and Vendors, Network Infrastructure, Automation and Orchestration, and Visibility and Analytics. Using a Multi-Criteria Decision Analysis (MCDA) supported by the Incomplete Analytic Hierarchy Process (IAHP), the researchers gathered expert assessments to rank these elements by their relative importance.

The analysis identifies Users and Data as the most critical pillars for immediate focus. Securing user identities through robust Identity and Access Management (IAM) was highlighted as the first line of defense against cyber intrusions. Experts also stressed the importance of protecting data, recommending cloud security posture management and data-loss prevention measures as top priorities.

The third priority, Visibility and Analytics, emerged as a vital component for detecting and mitigating threats in real time. Without continuous monitoring, even well-structured defenses risk being bypassed by sophisticated attacks. The study notes that security information and event management (SIEM) and security operations centers (SOC) play an indispensable role in maintaining this visibility.

These findings underscore the need for organizations to focus on foundational controls first before expanding to broader network and automation strategies. By prioritizing efforts where they matter most, companies can reduce the likelihood of breaches and strengthen their overall security posture.

Why is prioritization crucial for successful zero trust implementation?

Zero Trust is not a single technology but a comprehensive security philosophy requiring systematic deployment across multiple layers of an organization. The study reveals that without clear prioritization, many businesses adopt fragmented solutions that fail to deliver meaningful protection. The complexity of modern IT environments, spanning cloud services, remote work infrastructures, and third-party integrations, further amplifies the challenge.

Experts interviewed for the research emphasized that organizations frequently over-invest in advanced technologies without first addressing fundamental vulnerabilities. This misalignment not only wastes resources but also creates false confidence in the system’s resilience. For example, deploying AI-based threat detection tools may prove ineffective if user access controls and data protection measures remain weak.

The research also highlights the regulatory dimension. As directives such as NIS2 tighten compliance requirements, companies must demonstrate structured approaches to cybersecurity risk management. Zero Trust offers a framework to meet these expectations, but only if it is implemented strategically.

The authors recommend adopting structured models like CISA’s Zero Trust Maturity Model (ZTMM) to assess current capabilities and guide the deployment process. This maturity-based approach helps organizations identify gaps, allocate resources effectively, and progress through stages of increasing security robustness.

How can organizations translate insights into action?

To bridge the gap between theory and practice, the study integrates its findings into the ZEUS platform, a cloud-native governance tool developed with Teleconsys S.p.A. This platform leverages AHP-based prioritization to help organizations assess cybersecurity maturity, generate dynamic implementation roadmaps, and align with regulatory frameworks.

The ZEUS platform demonstrates how structured decision-making can simplify the complexities of Zero Trust. By guiding organizations through step-by-step prioritization, it ensures that investments target areas with the highest impact on risk reduction. The platform also enables continuous reassessment, reflecting the evolving nature of cyber threats and IT infrastructures.

Beyond tools, the study emphasizes the human element. While automation and AI can enhance threat detection, they must support rather than replace governance and human oversight. Effective Zero Trust implementation requires collaboration between security teams, IT departments, and organizational leadership to ensure policies are enforced consistently.

The research calls for future readiness. Organizations must adopt proactive strategies that go beyond compliance. This includes preparing for emerging threats by integrating AI-driven analytics, automating response mechanisms, and fostering a culture of cybersecurity awareness at every organizational level.