The Intent-Implementation Gap
The narrative around zero trust has shifted from "should we adopt it" to "why has adoption stalled." Gartner's April 2024 research found that 63% of organisations worldwide have implemented a zero trust strategy in some form. In the United States, adoption runs higher — StrongDM's November 2024 survey of 600 IT and security decision-makers placed the figure at 81%. Okta's State of Zero Trust report found that 96% of organisations consider zero trust important to their business.
The adoption numbers look encouraging until you examine maturity. Gartner projects that by 2026, only 10% of large enterprises will have mature, measurable zero trust programs in place. Most implementations cover half or less of the organisation's environment and mitigate one-quarter or less of overall enterprise risk.
The gap between adoption and maturity is not new in cybersecurity — many technologies follow this pattern. What distinguishes zero trust is the size of the gap and the length of time it has persisted. Organisations have been investing in zero trust for years, and the maturity needle has barely moved. Something structural is preventing progress, and it is not a shortage of available technology.
This is not a willingness problem. Organisations understand why zero trust matters. What they lack is a realistic execution path — one that accounts for the budget constraints, skill gaps, and architectural debt that define the mid-market operating environment.
The enterprise playbooks that dominate vendor marketing were not written for organisations running lean security teams against expanding threat surfaces. They assume dedicated security architecture functions, multi-year transformation budgets, and executive sponsorship structures that most mid-market organisations simply do not have. The result is a growing population of organisations that have purchased zero trust tooling, begun implementations, and then watched those implementations stall at partial coverage — protecting some environments while leaving others exposed.
The Five Barriers That Stall Mid-Market Adoption
The reasons implementations stall are well documented across multiple industry surveys. What is less discussed is how these barriers compound in organisations that lack dedicated security architecture teams. In enterprise environments, each barrier can be addressed by a specialised team. In the mid-market, the same three to five people who must solve the multi-cloud policy problem are also the people who must address the skills gap, manage legacy integration, and justify the budget, all at once. The percentages below come from different surveys with different samples and question wording, so read them as an indication of relative weight rather than a single ranking.
| Barrier | Prevalence | Source |
|---|---|---|
| Multi-cloud policy complexity | 49% | StrongDM 2024 |
| Cost and resource constraints | 48% | StrongDM 2024 |
| Lack of expertise | 45% | ElectroIQ |
| Leadership and organisational priorities | 39% | Tailscale 2025 |
| Legacy system integration | 21% | StrongDM 2024 |
Cost Is the First Wall
A typical mid-market zero trust implementation runs between USD 200,000 and USD 500,000, depending on scope. That figure competes directly with other IT priorities — infrastructure upgrades, cloud migration, application modernisation — in organisations where the security budget is already stretched.
StrongDM's data shows that 52% of stalled deployments cite budget conflicts with other IT priorities as a contributing factor. This is the defining dynamic of mid-market security investment: it is not evaluated on its own merits but against every other demand on a constrained IT budget.
The problem is not that zero trust is expensive in absolute terms. The problem is that it is expensive relative to everything else a mid-market IT organisation is asked to deliver simultaneously. When the CFO sees a USD 400,000 line item competing against a cloud migration that directly enables revenue growth, the security initiative loses — not because it lacks merit, but because it lacks the urgency of a revenue-linked deadline.
Multi-Cloud Policy Consistency Is an Architectural Problem
Forty-nine percent of organisations in the StrongDM survey identified multi-cloud policy complexity as their top barrier. The root cause is straightforward: AWS IAM, Azure RBAC, and GCP IAM are fundamentally different policy systems. Each has its own syntax, its own inheritance model, and its own approach to least-privilege enforcement.
Without a unified control plane, configuration drift is inevitable. Policies that are consistent on day one diverge by day ninety as teams make environment-specific adjustments without propagating changes across platforms. The organisations that solve this treat policy consistency as an architecture problem, not a tooling problem — they establish a single policy definition layer that abstracts cloud-specific implementation details rather than attempting to maintain parallel configurations manually.
The Skills Gap Compounds Every Other Barrier
ElectroIQ data places expertise shortage at 45% prevalence, but the downstream effects are more telling. JumpCloud's research shows that MFA adoption among firms with 26 to 100 employees sits at just 34%. Tailscale's 2025 report, surveying 1,000 IT professionals, found that 83% admitted to bypassing security controls to maintain productivity.
That last figure deserves emphasis. When four out of five IT professionals — the people responsible for enforcing security — are themselves circumventing controls, the problem is not user awareness. It is implementation design.
In the mid-market, the skills gap does not manifest as an abstract staffing problem. It manifests as misconfigured policies, incomplete rollouts, and security controls that users route around because no one had time to design them for usability.
When the same team responsible for implementing zero trust is also responsible for maintaining firewalls, managing endpoints, and responding to incidents, implementation quality suffers. Controls get deployed in permissive modes and never tightened. Monitoring gets configured but never tuned. The initiative technically exists but practically delivers a fraction of its intended value.
Legacy Systems Resist Zero Trust by Design
Twenty-one percent may seem modest, but legacy integration is the barrier most likely to kill an implementation outright. Systems built before the zero trust model existed often lack support for MFA, granular role-based access control, or API compatibility with modern identity and access management platforms. These systems cannot be ignored — they frequently run critical business processes — and they cannot be easily replaced.
The pragmatic approach is to wrap legacy systems in a zero trust access layer rather than attempting to retrofit them internally. Several patterns work:
- Reverse proxies with identity-aware authentication placed in front of legacy web applications
- Identity-aware application gateways that broker access and enforce MFA without modifying the target system
- Network micro-segmentation that isolates legacy systems and restricts lateral movement to and from them
- Session recording and monitoring for privileged access to systems that cannot generate their own audit trails
None of these approaches requires changes to the legacy system itself. The one condition that makes them work is that the wrapper must be the only path in: if the legacy host is still reachable directly on the network, the proxy or gateway is decoration. The reverse proxy and the segmentation rule therefore go in together, and the direct route is closed and then tested. This is not elegant, but it is effective, and it allows the organisation to proceed with its broader implementation while legacy modernisation follows its own timeline.
What Zero Trust Actually Costs
Understanding the true cost of zero trust implementation is essential for realistic planning. Vendor marketing tends to emphasise per-user licensing costs while underplaying the professional services, integration work, and internal labour that constitute the majority of the investment. Total cost of ownership varies predictably by organisation size. The following ranges reflect industry data for full implementations across identity, network, and workload pillars:
| Organisation Size | Employees | Typical Investment |
|---|---|---|
| Small enterprise | 100-500 | USD 180K-450K |
| Mid-market | 500-2,500 | USD 450K-1.2M |
| Large enterprise | 2,500-10,000 | USD 1.2-2.8M |
These ranges assume all three pillars. The USD 200,000 to 500,000 figure cited earlier describes the narrower scope most mid-market programmes start with, and the pilot figures that follow are consistent with that narrower scope. The critical detail for mid-market planning: pilot and proof-of-concept phases typically absorb 20 to 30% of total budget, translating to USD 50,000 to USD 150,000. This is the investment required before an organisation has validated that its chosen approach will work in its specific environment. Skipping the pilot to save money is a false economy: it simply moves the validation cost into production, where failures are more expensive and more visible.
Payback periods, when properly scoped, fall within 12 to 18 months. The return comes primarily through application rationalisation — eliminating redundant access tools, consolidating VPN infrastructure, and reducing the operational overhead of managing disparate security controls.
One detail that mid-market budget owners frequently overlook: a significant portion of zero trust investment replaces existing spend. Legacy VPN infrastructure, standalone MFA tools, network access control appliances, and remote access solutions are not additive costs — they are costs being consolidated. The net new investment is typically 40 to 60% of the headline figure once displaced tooling is accounted for.
Budget owners who present zero trust as a net-new line item to the board are making the business case harder than it needs to be. The accurate framing is consolidation with uplift — and the uplift delivers capabilities that the existing tooling never provided.
Start with Identity
If there is one area of consensus in zero trust implementation guidance, it is this: start with identity. Identity is the new perimeter. It is the control point that persists regardless of where users, devices, or workloads reside.
Identity and access management is absorbing the largest slice of security budgets across organisations of all sizes. The shift from IP-based to identity-based access is not a trend — it is a structural change in how access decisions are made. In a world where employees work from personal devices on home networks, connecting to cloud-hosted applications through third-party integrations, the network perimeter has no meaningful boundary to defend. Identity is the only consistent control point.
Several data points illustrate the current state of identity-centric security adoption:
- Phishing-resistant MFA adoption stands at 14%, but grew 63% year-over-year according to JumpCloud
- 87% of businesses are deploying passkeys, per HID Global and FIDO Alliance data
- Over 3 billion passkeys are now in active use globally
- 48% of the top 100 websites offer passkey login
- The privileged access management market reached USD 3.6 billion, growing at 23.3% CAGR according to MarketsandMarkets
- 34% of organisations now use zero trust network access solutions
The passkey trajectory is particularly relevant for mid-market planning. Passkeys take credential phishing, the most common initial access vector, out of the authentication step without requiring hardware tokens or complex enrolment processes. Two caveats belong in the plan. Synced passkeys are only as strong as the consumer account that syncs them, so privileged users should be issued device-bound credentials where the platform allows it. And a phishing-resistant login does not protect the session token issued afterwards, so token theft from the endpoint still has to be addressed through device posture checks and short session lifetimes. As passkey support becomes standard across enterprise applications, the cost and complexity of deploying phishing-resistant authentication drops substantially.
For mid-market organisations, identity is also the most achievable starting point. Modern identity platforms are delivered as SaaS, require no on-premises infrastructure, and can be deployed incrementally — starting with the most privileged accounts and expanding outward.
The recommended sequence is clear: enforce phishing-resistant MFA on all administrative and privileged accounts first. Extend to all employees. Implement conditional access policies based on device posture and location risk. Deploy privileged access management for systems that hold sensitive data or control critical infrastructure. Each step builds on the previous one, and each delivers measurable risk reduction before the next begins.
This is not a theoretical recommendation. It aligns with NIST SP 800-207, which makes the subject's identity a primary input to every access decision, and with CISA's Zero Trust Maturity Model v2.0, which lists identity first among its five pillars.
The Multi-Cloud Challenge
Forty-nine percent of organisations cite policy consistency across cloud environments as a major barrier, and this figure likely understates the problem. Many organisations do not discover the extent of their policy inconsistencies until an audit or an incident forces examination. The mid-market is particularly exposed here: HashiCorp's State of Cloud Strategy survey consistently shows that multi-cloud adoption is growing fastest among mid-sized organisations, yet these same organisations are least likely to have centralised platform engineering teams capable of managing cross-cloud governance.
Several approaches are gaining traction:
Policy-as-Code combines tools like Open Policy Agent with infrastructure-as-code platforms such as Terraform to define access policies in version-controlled, testable, reviewable code. This eliminates the manual configuration that causes drift. Policies become artefacts that go through the same review and approval processes as application code — which means they are auditable, reproducible, and reversible.
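As an added example, not code from the article or from any vendor it names, here is what the single definition layer described above and in the earlier multi-cloud discussion looks like in practice: one canonical, version-controlled access definition, a per-cloud vocabulary mapping, and a drift check that compares what each cloud actually holds against what the definition says it should hold. The native permission strings and the observed snapshots are constructed and illustrative; a real mapping is larger and many-to-many.

```python
"""Added example (not from the article): check per-cloud role bindings against
one canonical, cloud-agnostic access definition and report drift.

All data here is constructed. The native permission strings are illustrative
stand-ins for AWS IAM, Azure RBAC and GCP IAM vocabulary; a real mapping is
many-to-many and considerably larger."""

# Canonical definition: group -> resource class -> allowed canonical actions.
# In a policy-as-code workflow this is the only artefact humans edit, and it
# lives in version control next to the tests that exercise it.
CANONICAL_POLICY = {
    "data-engineers": {"objectstore": {"read", "list"}},
    "platform-admins": {
        "objectstore": {"read", "list", "write", "delete"},
        "secrets": {"read", "write"},
    },
}

# Per-cloud vocabulary: canonical (resource, action) -> native permission (illustrative).
NATIVE_ACTIONS = {
    "aws": {
        ("objectstore", "read"): "s3:GetObject",
        ("objectstore", "list"): "s3:ListBucket",
        ("objectstore", "write"): "s3:PutObject",
        ("objectstore", "delete"): "s3:DeleteObject",
        ("secrets", "read"): "secretsmanager:GetSecretValue",
        ("secrets", "write"): "secretsmanager:PutSecretValue",
    },
    "azure": {
        ("objectstore", "read"): "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        ("objectstore", "list"): "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        ("objectstore", "write"): "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        ("objectstore", "delete"): "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        ("secrets", "read"): "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        ("secrets", "write"): "Microsoft.KeyVault/vaults/secrets/setSecret/action",
    },
    "gcp": {
        ("objectstore", "read"): "storage.objects.get",
        ("objectstore", "list"): "storage.objects.list",
        ("objectstore", "write"): "storage.objects.create",
        ("objectstore", "delete"): "storage.objects.delete",
        ("secrets", "read"): "secretmanager.versions.access",
        ("secrets", "write"): "secretmanager.versions.add",
    },
}


def compile_policy(cloud):
    """Translate the canonical definition into the native grants one cloud should hold."""
    vocab = NATIVE_ACTIONS[cloud]
    return {
        group: {vocab[(resource, action)]
                for resource, actions in resources.items()
                for action in actions}
        for group, resources in CANONICAL_POLICY.items()
    }


def drift_report(cloud, observed):
    """Compare observed native grants (group -> set of permissions) with the
    compiled expectation. Returns group -> {"extra", "missing", "unmanaged"}.

    extra:     native grant present that the canonical policy does not allow
    missing:   canonical grant that the cloud no longer holds
    unmanaged: grant outside the canonical vocabulary entirely (wildcards, ad hoc
               roles); the most dangerous drift, because no review ever covers it
    """
    expected = compile_policy(cloud)
    known = set(NATIVE_ACTIONS[cloud].values())
    report = {}
    for group in set(expected) | set(observed):
        have = set(observed.get(group, set()))
        want = expected.get(group, set())
        report[group] = {
            "extra": (have - want) & known,
            "missing": want - have,
            "unmanaged": have - known,
        }
    return report


def has_drift(report):
    return any(perms for entry in report.values() for perms in entry.values())


# Constructed snapshot of what each cloud actually holds after ninety days of
# environment-specific "quick fixes".
OBSERVED = {
    "aws": {
        "data-engineers": {"s3:GetObject", "s3:ListBucket", "s3:PutObject"},   # write crept in
        "platform-admins": compile_policy("aws")["platform-admins"] | {"iam:*"},  # unmanaged wildcard
    },
    "azure": compile_policy("azure"),  # still matches the definition
    "gcp": {
        "data-engineers": {"storage.objects.get", "storage.objects.list"},
        "platform-admins": compile_policy("gcp")["platform-admins"] - {"secretmanager.versions.add"},
    },
}

if __name__ == "__main__":
    for cloud, observed in OBSERVED.items():
        report = drift_report(cloud, observed)
        print(f"{cloud}: {'DRIFT' if has_drift(report) else 'ok'}")
        for group, entry in sorted(report.items()):
            for kind, perms in entry.items():
                if perms:
                    print(f"  {group}: {kind} {sorted(perms)}")
```

The report distinguishes three kinds of drift. Extra and missing grants are fixable by re-applying the definition; unmanaged grants, such as the `iam:*` wildcard on the AWS admin group, are the ones no review covers because they exist outside the canonical vocabulary, and they are the first thing to chase.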
Central policy engines enforce attribute-based access control across all cloud environments from a single decision point. Rather than translating policies into each cloud's native syntax, a central engine evaluates access requests against a unified policy set. The advantage for the mid-market is operational simplicity: one policy language to learn, one system to monitor, one audit trail to review. The caveat is that a central engine decides but does not, by itself, enforce: each cloud's native IAM still gates its own API, so the pattern holds only when native roles are reduced to what the engine can grant through the identity provider or access gateway, and any native grant outside that path is treated as drift.
Federated identity management establishes a single source of truth for user identity across environments. This eliminates the shadow identity sprawl that undermines access controls when each cloud maintains its own directory. Without federation, an employee who leaves the organisation may retain active credentials in cloud environments that were provisioned independently — a common finding in security audits of mid-market multi-cloud deployments.
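An added example, not code from the article, of the audit finding described above: reconcile the accounts each cloud holds against the IdP directory, so that a leaver's locally provisioned account, an account nobody can match to a person, and a service account whose owner has left are all surfaced. The directory and the account snapshots are constructed; in practice they come from the IdP user export and each cloud's IAM listing.

```python
"""Added example (not from the article): reconcile the accounts each cloud
holds against the federated identity provider, the single source of truth for
who still works here. Directory and account snapshots are constructed."""

# IdP directory: normalised email -> lifecycle status.
IDP_USERS = {
    "alice@example.com": "active",
    "bob@example.com": "terminated",
    "carol@example.com": "active",
}

# Accounts found in the clouds. "type" is how the account authenticates:
# federated (through the IdP), local (cloud-native credential), service (non-human).
CLOUD_ACCOUNTS = [
    {"cloud": "aws",   "name": "alice",            "email": "alice@example.com", "type": "federated"},
    {"cloud": "aws",   "name": "bob-legacy",       "email": "Bob@Example.com",   "type": "local"},
    {"cloud": "gcp",   "name": "dave@example.com", "email": "dave@example.com",  "type": "local"},
    {"cloud": "azure", "name": "carol",            "email": "carol@example.com", "type": "federated"},
    {"cloud": "gcp",   "name": "deploy-bot", "email": None, "type": "service", "owner": "carol@example.com"},
    {"cloud": "aws",   "name": "ci-runner",  "email": None, "type": "service", "owner": "bob@example.com"},
]


def normalise(email):
    """Case and whitespace differences between directories are a classic way to miss a match."""
    return email.strip().lower() if email else None


def reconcile(idp_users, cloud_accounts):
    """Return (cloud, account name, finding) for every account the IdP cannot vouch for.

    Findings, roughly in order of urgency:
      leaver_retains_access     human account whose IdP record is not active
      unknown_identity          human account with no IdP record at all
      orphaned_service_account  non-human account whose owner has left or is unknown
      local_credential          human account that bypasses federation, even if the person is active
    """
    findings = []
    for acct in cloud_accounts:
        ident = (acct["cloud"], acct["name"])
        if acct["type"] == "service":
            owner = normalise(acct.get("owner"))
            if idp_users.get(owner) != "active":
                findings.append((*ident, "orphaned_service_account"))
            continue
        status = idp_users.get(normalise(acct["email"]))
        if status is None:
            findings.append((*ident, "unknown_identity"))
        elif status != "active":
            findings.append((*ident, "leaver_retains_access"))
        if acct["type"] == "local":
            findings.append((*ident, "local_credential"))
    return findings


if __name__ == "__main__":
    for cloud, name, finding in reconcile(IDP_USERS, CLOUD_ACCOUNTS):
        print(f"{cloud:6} {name:20} {finding}")
```

The local-credential finding fires even for active people on purpose: an account that authenticates outside federation will not be disabled when the IdP record is, which is exactly how the leaver case above comes about.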
SASE and SSE architectures are converging network and security controls into unified platforms. Cybersecurity Insiders reports that 79% of organisations plan SASE implementation within 24 months. The SASE market, valued at USD 3.82 billion, is projected to reach USD 17.22 billion by 2030 according to Credence Research. For mid-market organisations, SASE is particularly compelling because it replaces multiple discrete appliances and subscriptions with a single cloud-delivered service — reducing both cost and operational complexity.
For the mid-market, the practical implication is that the tooling to solve multi-cloud policy consistency exists. What most organisations lack is the architectural clarity to deploy it effectively.
The most common mistake is attempting to solve multi-cloud policy consistency after deploying zero trust controls in each environment independently. By that point, three separate policy languages, three sets of role definitions, and three approaches to least-privilege enforcement are already in production. Retrofitting consistency is significantly more expensive and disruptive than building it from the start. Organisations that have not yet deployed across multiple clouds have a window of opportunity to implement a unified policy layer before technical debt accumulates.
For organisations already operating in multiple clouds, the migration path runs through a centralised identity provider. When authentication and authorisation decisions flow through a single platform, policy consistency becomes achievable regardless of the underlying cloud infrastructure. This is why identity-first approaches and multi-cloud consistency are not separate initiatives — they are the same initiative viewed from different angles.
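The central policy engine described above, and the rollout sequence from the identity section (phishing-resistant MFA on privileged accounts first, then conditional access on device posture and location risk), can be expressed as one decision function. The following is an added example, not code from the article; the attribute names, groups, request shapes, and the assumption that the identity provider or access gateway calls `decide()` before issuing a token are all constructed for illustration.

```python
"""Added example (not from the article): one policy decision point evaluating
every access request against a single attribute-based policy, whichever cloud
the request targets. The enforcement point (identity provider or access
gateway) is assumed to call decide() before issuing a token; that integration
is not shown. All attribute names, groups and requests are constructed."""
from dataclasses import dataclass, field, replace

PHISHING_RESISTANT = {"passkey", "fido2", "smartcard"}
HIGH_SENSITIVITY = {"secrets", "customer-data"}
PRIVILEGED_ACTIONS = {"iam:write", "secrets:read", "secrets:write", "compute:delete"}

# Entitlements in canonical action names, so the policy never mentions a
# cloud's native permission vocabulary.
ENTITLEMENTS = {
    "data-engineers": {"objectstore:read", "objectstore:list"},
    "platform-admins": {"objectstore:read", "objectstore:list", "objectstore:write",
                        "iam:write", "secrets:read", "secrets:write", "compute:delete"},
}


@dataclass(frozen=True)
class Request:
    subject: str
    groups: frozenset
    mfa: str               # "none", "otp", "push", or a PHISHING_RESISTANT method
    device_managed: bool
    device_compliant: bool
    location_risk: str     # "low", "medium", "high"
    cloud: str             # "aws", "azure", "gcp": recorded for audit, never consulted
    action: str            # canonical action, e.g. "objectstore:read"
    resource_class: str    # data class of the target, e.g. "customer-data"


@dataclass
class Decision:
    allow: bool
    reason: str
    obligations: list = field(default_factory=list)  # what the enforcement point must do


def decide(req: Request) -> Decision:
    """Ordered rules; the first rule that fires decides. The order mirrors the
    rollout sequence: privileged-account rules first, then location and device
    conditions, then the baseline that applies to everyone."""
    allowed = set().union(*(ENTITLEMENTS.get(g, set()) for g in req.groups))
    if req.action not in allowed:
        return Decision(False, "no entitlement for action")
    privileged = req.action in PRIVILEGED_ACTIONS or "platform-admins" in req.groups
    if privileged and req.mfa not in PHISHING_RESISTANT:
        return Decision(False, "privileged access requires phishing-resistant MFA")
    if privileged and not (req.device_managed and req.device_compliant):
        return Decision(False, "privileged access requires a managed, compliant device")
    if req.location_risk == "high" and req.mfa not in PHISHING_RESISTANT:
        return Decision(False, "high-risk location", ["step_up_mfa"])
    if req.resource_class in HIGH_SENSITIVITY and not req.device_managed:
        return Decision(False, "sensitive data requires a managed device")
    if req.mfa == "none":
        return Decision(False, "MFA required")
    if req.device_managed and not req.device_compliant:
        return Decision(False, "managed device out of compliance", ["remediate_device"])
    return Decision(True, "policy satisfied", ["session_recording"] if privileged else [])


# Constructed requests. The two engineer requests that differ only in "cloud"
# must receive the same decision: that is the whole point of a central engine.
_engineer = Request(subject="eng1", groups=frozenset({"data-engineers"}), mfa="otp",
                    device_managed=True, device_compliant=True, location_risk="low",
                    cloud="aws", action="objectstore:read", resource_class="logs")
_admin = Request(subject="admin1", groups=frozenset({"platform-admins"}), mfa="push",
                 device_managed=True, device_compliant=True, location_risk="low",
                 cloud="azure", action="iam:write", resource_class="iam")
SAMPLE_REQUESTS = {
    "engineer_read": _engineer,
    "engineer_read_on_gcp": replace(_engineer, cloud="gcp"),
    "engineer_no_entitlement": replace(_engineer, action="secrets:read"),
    "engineer_high_risk_location": replace(_engineer, location_risk="high"),
    "engineer_byod_customer_data": replace(_engineer, mfa="passkey", device_managed=False,
                                           device_compliant=False, resource_class="customer-data"),
    "admin_push_mfa": _admin,
    "admin_passkey": replace(_admin, mfa="passkey"),
}


def evaluate_all():
    return {name: decide(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in evaluate_all().items():
        verdict = "ALLOW" if decision.allow else "DENY"
        print(f"{name:30} {verdict:5} {decision.reason} {decision.obligations}")
```

The `cloud` attribute appears in the request only so the audit trail records it; the two engineer requests that differ only in cloud get the same decision, which is the property this section is arguing for. Obligations carry what the enforcement point must do beyond allow or deny, such as prompting for step-up MFA instead of failing the user outright.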
The Phased Approach
Industry consensus has converged on 90-day increments as the standard cadence for zero trust implementation. This is not arbitrary — it reflects the reality that organisational change capacity is finite, and that each phase generates lessons that should inform the next.
Phase 1 — Assessment and Planning (Days 0-90). Map the current environment. Identify the gaps between current state and target architecture. Define measurable objectives tied to specific risk reduction outcomes. Conduct a thorough asset inventory — not just servers and endpoints, but data flows, third-party integrations, and shadow IT. The most common failure at this stage is underestimating scope. Organisations that skip thorough asset discovery pay for it in later phases when unknown systems surface and break assumptions.
Deliverables from Phase 1 should include a prioritised asset inventory, a gap analysis against NIST SP 800-207 or the CISA maturity model, a target architecture, and a phased roadmap with measurable milestones.
Phase 2 — Pilot and Proof of Concept (Days 90-180). Deploy in a controlled environment that represents real operational complexity. This phase absorbs 20 to 30% of total budget and exists to validate assumptions. The pilot should target a representative workload, not the simplest one available. Organisations that pilot against trivial use cases learn nothing useful about how zero trust controls will behave under production conditions.
Measure pilot outcomes against predefined success criteria:
- Authentication latency and user experience impact
- Policy violation rates and false positive frequency
- Administrative overhead compared to existing controls
- Integration points that required custom development
- User feedback on workflow disruption
- Coverage: the share of the pilot's access paths that actually pass through the new control, since a control with a bypass route measures nothing
These measurements become the evidence base for the production rollout business case. Without them, the decision to proceed to Phase 3 relies on qualitative judgement rather than data — which is a difficult position to defend when requesting the remaining 70 to 80% of the budget.
Phase 3 — Production Rollout (Days 180+). Extend validated controls to production environments in priority order. Training and change management are not optional at this stage — they are the difference between adoption and workaround culture. Recall that 83% of IT professionals admitted to bypassing security controls in the Tailscale survey. Controls that users cannot work with productively are controls that users will circumvent.
Phase 4 — Continuous Improvement (Ongoing). Zero trust is not a project with an end date. Monitoring, policy refinement, and adaptation to new threats and new infrastructure are permanent operational requirements.
Establish a regular cadence — quarterly at minimum — for reviewing policy effectiveness, access patterns, and emerging gaps. Each review cycle should evaluate whether access policies still reflect the principle of least privilege as roles, applications, and business relationships evolve.
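One way to make the quarterly review concrete, as an added example rather than the article's own method: compare each principal's grants with the successful calls it actually made in the review window, and treat anything unused as a removal candidate. The grants, log lines, line format and review date are constructed; the line format is a simplified stand-in for a cloud audit log.

```python
"""Added example (not from the article): a periodic least-privilege review that
compares what each principal is granted with what it actually used in the
review window, computed from access-log lines. Grants, log lines and the
review date are constructed."""
from datetime import datetime, timedelta, timezone

GRANTS = {
    "alice":     {"objectstore:read", "objectstore:list", "objectstore:write"},
    "bob":       {"secrets:read", "iam:write"},
    "ci-runner": {"compute:delete", "objectstore:write"},
}

# Constructed audit log: "<timestamp> <principal> <action> <outcome>".
ACCESS_LOG = """\
2024-11-01T08:00:00Z alice objectstore:write allow
2025-03-02T10:15:00Z alice objectstore:read allow
2025-03-20T09:00:00Z alice objectstore:list allow
2025-03-28T12:00:00Z bob secrets:read allow
2025-03-29T12:00:00Z bob iam:write deny
"""

REVIEW_DATE = datetime(2025, 4, 1, tzinfo=timezone.utc)


def parse_log(text):
    """Yield (timestamp, principal, action, outcome) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, action, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, principal, action, outcome))
    return events


def review(grants, log_text, review_date, window_days=90):
    """Return principal -> {"unused": granted actions not exercised in the window,
    "inactive": True if the principal did nothing at all in the window}.

    Only successful calls count: a denied attempt does not justify keeping a grant,
    and activity older than the window is treated as if it never happened."""
    since = review_date - timedelta(days=window_days)
    used = {principal: set() for principal in grants}
    for when, principal, action, outcome in parse_log(log_text):
        if when < since or outcome != "allow" or principal not in used:
            continue
        used[principal].add(action)
    return {
        principal: {"unused": granted - used[principal], "inactive": not used[principal]}
        for principal, granted in grants.items()
    }


if __name__ == "__main__":
    for principal, result in review(GRANTS, ACCESS_LOG, REVIEW_DATE).items():
        flag = "INACTIVE" if result["inactive"] else ""
        print(f"{principal:10} {flag:9} remove: {sorted(result['unused'])}")
```

An inactive principal is a different finding from an unused grant: the former is a candidate for disabling outright, the latter for trimming. Either way the output is a list to act on at the review, not a dashboard to admire.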
For mid-market organisations, realistic timelines run 6 to 12 months for meaningful coverage. The organisations that succeed prioritise high-impact areas first: identity, device trust, network segmentation, and core business applications. They do not attempt to boil the ocean.
A note on change management: the technical implementation is typically not what causes phase slippage. It is the organisational resistance. Users accustomed to unrestricted access will push back against conditional access policies. Teams accustomed to shared credentials will resist individual accountability. These are predictable objections, and they require proactive communication — not reactive troubleshooting. Budget time and attention for change management in every phase, not as an afterthought in Phase 3.
The Business Case for Board Approval
For mid-market organisations, security investments above USD 200,000 typically require board-level approval. The ROI data for zero trust is now robust enough to withstand that scrutiny. The challenge is presenting it in financial terms rather than technical ones, and doing so without hyperbole.
Forrester's Total Economic Impact studies provide the most cited benchmarks:
- 246% ROI over three years for comprehensive zero trust implementations
- 92% ROI for organisations implementing zero trust with Microsoft solutions specifically
- USD 1.76 million in average breach cost savings compared to organisations without zero trust deployed
- 50% lower probability of experiencing a data breach
- 75% reduction in IT operational effort related to access management
- 50% reduction in help desk calls over three years
These figures come from large-enterprise deployments, and mid-market organisations should expect variance. However, the directional case is clear: zero trust implementations that reach maturity generate returns that significantly exceed their cost.
The insurance dimension is increasingly relevant and may prove to be the most persuasive argument for boards that are sceptical of security ROI projections. Cyber insurance underwriters are explicitly evaluating zero trust maturity during the application process. Organisations with mature programs qualify for premium reductions — a direct, measurable financial benefit that boards understand immediately.
Several underwriters now include zero trust implementation status in their application questionnaires. MFA enforcement, network segmentation, privileged access management, and endpoint detection and response are becoming baseline requirements for coverage. Organisations that cannot demonstrate these controls face higher premiums, higher deductibles, or coverage exclusions. The cost of inaction is no longer theoretical.
When presenting the business case, lead with risk reduction and operational efficiency, not technology. Boards approve investments that reduce exposure and improve margins. They do not approve architecture diagrams.
Frame the investment in terms the board already uses: risk exposure in financial terms, operational cost reduction as a percentage of IT spend, insurance premium impact, and regulatory compliance status. If zero trust is presented as a technology initiative, it competes against every other technology initiative. If it is presented as a risk management initiative with quantifiable financial returns, it occupies a different category entirely.
Building Without an Army
The skill gap is real, but it is addressable through choices that mid-market organisations are uniquely positioned to make.
Vendor consolidation is the highest-leverage move available. Enterprise organisations are locked into ecosystems of 50 to 60 point security solutions accumulated over decades of tactical purchasing. Mid-market organisations can start with integrated platforms that deliver identity, network, and endpoint controls from a single vendor with a unified management console and consistent policy model. This is not a compromise; it is a genuine architectural advantage that larger organisations cannot easily replicate. The trade-off is concentration: a single platform is also a single point of compromise, so its administrative accounts, tenant configuration and break-glass procedure deserve the strictest controls in the estate.
XDR convergence is embedding zero trust principles into detection and response platforms. The XDR market, valued between USD 1.3 and 2.12 billion according to MarketsandMarkets, is evolving to enforce least-privilege access as a native capability rather than a bolted-on policy layer. For mid-market teams that cannot staff separate identity, network, and endpoint security operations, XDR platforms provide a single pane of glass that correlates signals across all three domains.
Managed security services allow organisations to outsource detection, response, and monitoring while building internal capability incrementally. This is not a permanent solution — it is a bridge that buys time for hiring and training without leaving the organisation exposed during the transition. The key is selecting managed service providers that operate transparently, share telemetry with the internal team, and support a documented transition plan. A managed service that creates dependency rather than building capability is not solving the skills gap — it is deferring it.
Free, structured guidance exists and should be the starting point for any implementation. NIST Special Publication 800-207 provides the foundational architecture model, defining the logical components and data flows that constitute a zero trust architecture. CISA's Zero Trust Maturity Model version 2.0 provides a practical assessment framework with clear progression criteria across five pillars: identity, devices, networks, applications and workloads, and data. Both are publicly available, both are vendor-neutral, and both are maintained by organisations with no commercial interest in steering procurement decisions.
Organisations that begin with these frameworks make better vendor decisions. They understand what they need before evaluating what vendors sell. They avoid the lock-in that comes from letting a single vendor define their architecture. And they have a maturity model to measure progress against — which is essential for maintaining executive sponsorship over a multi-phase, multi-quarter initiative.
The Path Forward
Zero trust in the mid-market is not a technology adoption problem. It is an execution problem — and specifically, it is a prioritisation and sequencing problem.
The organisations that succeed share common characteristics: they start with identity, they phase their implementations in 90-day increments, they resist the temptation to pilot against trivial workloads, and they build the business case around risk reduction rather than technical sophistication. They also accept that zero trust is not a destination but a continuous operating model. There is no point at which the work is finished.
The 63% adoption figure tells us the industry has moved past the awareness stage. The 10% maturity figure tells us it has not yet solved the execution stage. For mid-market CISOs and CIOs, the opportunity is to close that gap methodically — without the budget, headcount, or architectural complexity that makes enterprise implementations stall.
The mid-market's disadvantage in resources is, paradoxically, an advantage in agility. Smaller environments mean shorter feedback loops. Fewer legacy entanglements mean cleaner architectures. Leaner teams mean less organisational inertia. The organisations that recognise these structural advantages — and pair them with disciplined, phased execution — will reach operational zero trust maturity faster than the enterprise organisations that started before them.
Sources
Analyst Firms: Gartner (April 2024, zero trust adoption and maturity projections); Forrester (Total Economic Impact studies, zero trust ROI benchmarks)
Industry Surveys: StrongDM (November 2024, n=600 IT/security decision-makers); Okta (State of Zero Trust report); Tailscale (2025, n=1,000 IT professionals); HashiCorp (State of Cloud Strategy)
Identity and Authentication: FIDO Alliance (passkey adoption data); HID Global (enterprise passkey deployment); JumpCloud (SMB MFA and phishing-resistant MFA adoption); Okta (identity-first security)
Frameworks and Standards: NIST Special Publication 800-207; CISA Zero Trust Maturity Model v2.0; Microsoft Zero Trust deployment guidance
Market Data: MarketsandMarkets (PAM, XDR market sizing); Cybersecurity Insiders (SASE adoption); Credence Research (SASE market projections)
ROI and Cost Data: Forrester TEI (246% and 92% ROI figures); Microsoft (breach cost savings); Cyolo (implementation cost benchmarks); Meriplex (mid-market TCO data)
Implementation Guidance: Carnegie Mellon Software Engineering Institute; NonaSec (phased implementation methodology); AWS (zero trust architecture patterns)