Accelerate your zero-trust journey with your existing stack

Jun 05 2025

A strategic guide for CISOs

In an era of constant cyber threats and digital transformation, legacy perimeter-based security models fall short. Zero trust helps protect your business by reducing risk, supporting compliance and enabling secure innovation. Zero trust isn’t just a security model—it’s a smart investment in the future resilience of your organization.

There’s a critical mindset shift at the heart of zero trust. Instead of relying on perimeter-based defences or implicit trust, CISOs must lead their organizations to treat every access request as untrusted until proven otherwise. This includes both external and internal access requests, including those from employees.

However, before investing in additional tools or rolling out new policies, CISOs need to understand what zero-trust success will look like for their organization. By having measurable objectives, all stakeholders can track progress, adjust plans and achieve milestones. Key objectives should include security goals, business outcomes and compliance requirements.

CISOs should start their zero-trust journey by recognizing the first step isn’t buying new technology. Instead, it’s assessing their current environment for existing capabilities for alignment with zero-trust principles, while also planning for the modernization of legacy systems where needed. Many organizations stall in their zero-trust journey because they assume it requires a complete technology overhaul or expensive new investments. This misconception often leads to delays and underutilized resources.

Meaningful progress can start with strategically leveraging existing tools as a foundation—without waiting for a massive transformation. Many zero-trust capabilities already exist within most organizations’ stacks.

Key steps to build a dynamic, risk-adaptive security model

Implementing zero trust isn’t a one-time project. It’s a journey of maturity that evolves across multiple domains, each advancing with greater visibility, intelligence and automation over time. As zero trust matures, contextual intelligence of user identities deepens. Instead of following static rules, the system continuously evaluates who is requesting access, what device they’re using, where they’re located, when they’re accessing and how they’re behaving. This progression builds a dynamic, risk-adaptive security model.

If this is the goal, where should organizations start, and how can you prepare effectively based on where your organization is today? Here we’ve outlined eight key steps to help you assess your zero-trust maturity and build a strategic, phased roadmap tailored to your risks, assets and operational context.

Zero-trust maturity

[Figure: a maturity grid whose columns are the seven pillars (IAM, Network, Device, Data, Application, Automation and orchestration, Visibility and analytics) and whose rows are the four maturity levels (Traditional, Initial, Advanced, Optimal), with Governance shown beneath the grid.]

An example of how a CISO could use the framework to organize their maturity across the seven pillars.

The journey to zero trust can feel overwhelming, and many organizations don’t know where to start. That’s why it’s critical to assess your current maturity level.

Leading organizations use frameworks like the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model, which organizes maturity across seven pillars: identity, devices, networks, applications/workloads, data, visibility and analytics, and automation and orchestration. Each pillar is evaluated across four maturity levels: traditional, initial, advanced and optimal. This helps CISOs better understand their organization’s current state.

You can’t protect what you don’t know exists. The first step is identifying what your organization must protect—your digital crown jewels (DCJs). These typically include the following: personally identifiable information (PII), intellectual property, financial data, customer records, critical infrastructure systems and proprietary code or algorithms.

Organizations must start by engaging business and IT leaders to perform an inventory of critical data assets, as well as their locations and sensitivity. The goal is to understand who owns the data, where it resides (cloud, on-premises, Software as a Service (SaaS)), how it’s accessed and what would happen if it were leaked or tampered with. This exercise sets the foundation for a risk-aligned zero-trust strategy.

Once your DCJs are clearly defined, the next step is to map their data footprint, including storage, transmission and access points. Where is your data stored? How is it transferred across systems? Who accesses it, and through which applications, devices and networks?

One way to map your data footprint is to use something like a data flow diagram to illustrate how sensitive data moves through your ecosystem. Regardless of the method you use, the aim is to uncover shadow IT, unmanaged endpoints and unsanctioned applications that pose hidden risks.

Zero trust is context driven. As such, understanding how your users interact with DCJs is crucial to designing proper controls. Common patterns include the following: privileged users accessing production environments remotely, developers working from unmanaged devices and uploading code to Git repositories, and third-party vendors logging into internal systems via a virtual private network (VPN).

Once you clearly understand your organization’s access use cases, define the risk associated with each scenario and implement tailored controls to match risks to the correct level of protection.

Once you understand your organization’s maturity baseline, you can build a phased roadmap aligned to your organization’s goals. Typical roadmap structures include foundation, visibility and control, and deep protection.

At the foundation phase, organizations understand existing identity, data, network, application and device capabilities; replace legacy VPNs with zero-trust network access (ZTNA); enforce multi-factor authentication (MFA) across all access points; and start using identity-based segmentation.

At the visibility and control phase, organizations deploy secure web gateways for outbound traffic control; implement cloud access security broker (CASB) for SaaS and shadow IT discovery; and begin tagging and classifying sensitive data.

At the deep protection phase, organizations enforce least privilege through role-based access and just-in-time permissions; implement microsegmentation to isolate workloads and prevent lateral movement; and monitor insider threats through behaviour analytics.

Throughout your journey, stay anchored in core zero-trust principles that guide both technical implementation and policymaking. While many teams focus on tools, success starts with a mindset shift—where no user or device is trusted by default. Help teams embrace this by building awareness of evolving threats, using real-world breach examples and connecting zero-trust practices to business goals like resilience and compliance.

Clearly communicate that breaches are inevitable and that reducing impact through least-privilege access and continuous verification is essential. Foster collaboration across security, IT and business teams to align on risk tolerance and access controls. Design systems to limit damage, grant only necessary access and adjust permissions dynamically based on real-time risk signals like location, device health and behaviour.
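The risk-adaptive model described above (evaluate who is requesting access, what resource, from which device, where, when and how they are behaving, and adjust the decision as those signals change) can be made concrete with a small policy decision function. The following is an added illustrative example, not PwC code and not any vendor's product: the resource entitlements, the signal weights, the 30/60 thresholds and the sample requests are all constructed assumptions chosen to show the mechanism. Entitlement is checked first as a least-privilege gate, sensitivity of the crown-jewel resource raises the bar, and the contextual risk score then decides between allow, step-up MFA and deny; `reevaluate` shows the continuous-verification side by re-running the decision when a session's context changes.

```python
from dataclasses import dataclass, replace
from datetime import datetime

# Entitlements granted by IAM plus the sensitivity tag from data classification.
# Constructed sample data, not a real environment.
RESOURCE_POLICY = {
    "hr-payroll-db": {"sensitivity": "high", "roles": {"hr-admin", "finance"}},
    "git-internal":  {"sensitivity": "medium", "roles": {"developer", "sre"}},
    "prod-console":  {"sensitivity": "high", "roles": {"sre"}},
}

DENY_AT = 60       # assumed thresholds on the risk score
STEP_UP_AT = 30


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str                    # who: role asserted by IAM
    resource: str                # what: target asset
    device_managed: bool         # how: enrolled in device management
    device_compliant: bool       # how: EDR healthy, disk encrypted, patched
    country: str                 # where
    usual_countries: frozenset   # baseline from identity analytics
    requested_at: datetime       # when
    mfa_verified: bool           # strength of the current authentication
    recent_failed_logins: int    # behaviour signal


@dataclass(frozen=True)
class Decision:
    outcome: str                 # "allow" | "step_up_mfa" | "deny"
    score: int
    reasons: tuple


def risk_score(req):
    """Combine contextual signals into one score. Weights are assumptions."""
    score, reasons = 0, []
    if not req.device_managed:
        score += 40
        reasons.append("unmanaged device")
    elif not req.device_compliant:
        score += 25
        reasons.append("device out of compliance")
    if req.country not in req.usual_countries:
        score += 20
        reasons.append("unusual location")
    if req.requested_at.hour < 6 or req.requested_at.hour >= 22:
        score += 10
        reasons.append("off-hours access")
    if req.recent_failed_logins >= 3:
        score += 20
        reasons.append("recent failed logins")
    return score, tuple(reasons)


def decide(req):
    """Policy decision: least-privilege gate first, then risk-adaptive step-up or deny."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None or req.role not in policy["roles"]:
        # Entitlement is a hard gate; good context never grants a missing entitlement.
        return Decision("deny", 0, ("role not entitled to resource",))
    score, reasons = risk_score(req)
    high = policy["sensitivity"] == "high"
    if high and not req.device_managed:
        return Decision("deny", score, reasons + ("crown-jewel data requires a managed device",))
    if score >= DENY_AT:
        return Decision("deny", score, reasons)
    if (high or score >= STEP_UP_AT) and not req.mfa_verified:
        return Decision("step_up_mfa", score, reasons + ("MFA required",))
    return Decision("allow", score, reasons)


def reevaluate(session, **changed_signals):
    """Continuous verification: re-run the decision when a live session's context changes.
    Assumption: a change in device or location invalidates the earlier MFA proof."""
    return decide(replace(session, mfa_verified=False, **changed_signals))


_OFFICE_HOURS = datetime(2025, 6, 5, 10, 0)
_LATE_NIGHT = datetime(2025, 6, 5, 23, 30)

# Constructed sample requests mirroring the access patterns discussed in the text.
SAMPLE_REQUESTS = {
    "sre_prod": AccessRequest("alice", "sre", "prod-console", True, True, "CA",
                              frozenset({"CA"}), _OFFICE_HOURS, True, 0),
    "dev_unmanaged_git": AccessRequest("bob", "developer", "git-internal", False, True, "CA",
                                       frozenset({"CA"}), _OFFICE_HOURS, False, 0),
    "finance_risky_payroll": AccessRequest("carol", "finance", "hr-payroll-db", True, False, "BR",
                                           frozenset({"CA", "US"}), _LATE_NIGHT, True, 3),
    "vendor_prod": AccessRequest("vendor-vpn", "vendor", "prod-console", True, True, "CA",
                                 frozenset({"CA"}), _OFFICE_HOURS, True, 0),
}


def evaluate_samples():
    """Return {name: outcome} for every sample request."""
    return {name: decide(req).outcome for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        d = decide(req)
        print(f"{name:24s} -> {d.outcome:12s} score={d.score:3d} {'; '.join(d.reasons)}")
    # Alice's established session is now seen from an unknown country: re-evaluate it.
    print("sre_prod (moved to BR)   ->", reevaluate(SAMPLE_REQUESTS["sre_prod"], country="BR").outcome)
```

The ordering is the design point: the entitlement check is a static least-privilege decision that context can only tighten, never loosen, while the score layer is where the "dynamic" part lives and where the signals from device management, identity analytics and behaviour monitoring are consumed. In a real deployment these signals would come from the IAM, endpoint and analytics tools already in the stack, and the thresholds would be tuned per pillar as maturity increases.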

Most organizations begin their zero-trust implementation by modernizing legacy access systems. Older applications and infrastructure often lack the support for modern authentication, segmentation or telemetry, so organizations must plan for modernization or containment strategies for legacy systems early on.

ZTNA replaces legacy VPN, offering secure, identity-based access. Secure web gateways enforce internet usage policies and prevent data exfiltration. CASB monitors cloud data, applies data-loss prevention policies and enables compliance. Microsegmentation limits internal access and stops lateral movement by unauthorized actors. And network access control validates devices before granting access to resources.

How zero trust leads to secure access service edge (SASE)

Zero trust starts your organization’s journey towards securing what is sometimes referred to as the who, what and how. You begin by defining who should have access to what resources and under what conditions. You implement controls like identity and access management, MFA, device posture checks and segmentation.

But at this stage, your controls are still distributed, with different tools for networks, endpoints and cloud.

At this point, the need for convergence emerges. As you scale zero trust across the enterprise, managing separate security and networking stacks becomes increasingly complex. Teams face visibility gaps, overlapping tools, inconsistent policies and performance issues for remote users.

In many cases, secure access service edge (SASE) becomes the logical next step. SASE converges networking (like software-defined wide area network (SD-WAN)) and security (like ZTNA, secure web gateway, CASB and Firewall as a Service (FWaaS)) into a single, unified service fabric. It allows organizations to enforce zero-trust policies at the edge, close to the user, with performance and security. With SASE, zero trust is built into how your network operates—not bolted on.

Interested in learning more about the benefits SASE offers to organizations? Reach out to our team.

As organizations adopt zero trust, they’re integrating multiple technologies across various domains—identity, devices, data, applications, networks and infrastructure. Without a clear governance model, efforts can become fragmented, inconsistent and unscalable.

A zero-trust governance model enables strategic alignment between business goals and security investments, consistency in policy enforcement across departments and platforms, accountability for access, data protection and risk management, and sustainability of security controls over time. Think of it as the operating system for your zero-trust journey, enabling everything to run in sync.

Enable resilient, secure digital transformation

This maturity-based approach to zero trust delivers clarity and momentum. Instead of chasing an abstract end state, organizations have a structured roadmap that aligns security investments with business-critical risks and operational realities.

This strategy helps organizations build executive trust through measurable progress, align security goals with business objectives, reduce tool sprawl by taking advantage of existing investments and improve incident response time by embedding real-time visibility.

Ultimately, this approach positions you, the CISO, not just as a risk mitigator—but as a strategic enabler driving resilient, secure digital transformation.

Ready to accelerate your organization’s journey towards zero trust?

Reach out to us to continue the conversation.
