TL;DR: Boards are increasingly demanding evidence that cybersecurity spend protects uptime, not just detections, and Gartner expects 80% of CISOs to face direct mandates to connect investment to business outcomes by 2028. The real test of Zero Trust is whether it shrinks blast radius, reduces lateral movement, and improves continuity under attack.
NHIMG editorial — based on content published by Zero Networks: How to Measure Cyber Resilience: Zero Trust ROI
By the numbers:
- The mean time to contain a breach is 60 days, on top of the 181 days it takes to detect a breach in the first place.
- 86% of cyber incidents now cause operational downtime, reputational damage, or both.
- 88% of CISOs report significant challenges operationalizing Zero Trust.
Questions worth separating out
Q: How should security teams measure Zero Trust ROI in practice?
A: Measure Zero Trust ROI through outcomes that matter to the business, not through activity metrics.
Q: Why do identity controls matter so much to cyber resilience?
A: Identity controls determine who or what can move after the first compromise.
Q: What do teams get wrong when they report security success to the board?
A: They often report output instead of outcome.
Practitioner guidance
- Track blast radius as a board metric Measure how many systems, segments, and identity boundaries a single foothold can reach, then show how that number changes after segmentation or access cleanup.
- Map lateral movement pathways from identity to critical service Start with compromised user, cloud identity, and third-party access paths, then document where standing privilege, over-scoped service accounts, or cached credentials shorten the route to critical assets.
- Tie resilience reporting to business impact analysis outputs Use BIA to define which services matter most, what downtime is tolerable, and which dependencies need tighter identity controls.
What's in the full article
Zero Networks' full article covers the operational detail this post intentionally leaves for the source:
- A step-by-step cyber resilience assessment method built around business impact analysis and critical asset prioritisation.
- Specific guidance on measuring blast radius, lateral movement pathways, and time-to-containment as executive metrics.
- Examples of how to map attack paths from compromised users, cloud identities, and third-party access into measurable control gaps.
- Operational detail on Zero Trust enforcement and identity-based microsegmentation examples used to support the measurement model.
👉 Read Zero Networks' analysis of Zero Trust ROI and cyber resilience metrics →
Zero trust ROI: are your resilience metrics proving business value?
Explore further
Blast-radius control is becoming the real test of Zero Trust maturity. The article is right to move the conversation away from alert counts and toward operational containment, because resilience is measured by how far an attacker can travel after the first compromise. In identity-heavy environments, blast radius is often determined by standing privilege, service account scope, and internal trust paths rather than by perimeter weakness. Practitioners should treat path reduction as the business outcome, not an implementation detail.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable for resilience when internal access paths remain open?
A: Accountability sits with the teams that own identity governance, network enforcement, and service continuity because open internal access paths are usually a design choice, not an accident. If those paths enable disruption, the control owners should be able to show which risks were accepted, reduced, or left unresolved.
👉 Read our full editorial: Zero trust ROI is shifting toward measurable cyber resilience