Page 1 of 2 Zero Trust Validation: From Practical Approaches to Theory Yuri Bobbert 1 *, Jeroen Scheerder 2 1 ON2IT, Antwerp Management School, Netherlands 2 ON2IT, Netherlands Introduction Nowadays platform oriented businesses are built on api- based-ecosystems of data, assets, applications and services. These hybrid technology landscapes, most of the time built on clouds, lack real-time visibility and control when it comes to their operations [1]. This makes it hard for boards to take ownership and accountability of cyber risks [2]. Standardized frameworks such as the ISO27000 are being applied in order to implement Information Security. According to Siponen [3] “these frameworks are generic or universal in scope and thus do not pay enough attention to the differences between organizations and their information security requirements”. In practice we have seen the application of frameworks falter because they tend to become a goal on their own rather than a supporting frame of reference to start dialogues with key stakeholders. Kluge et al. [4] for example also noted that the use of frameworks as a goal on its own does not support the intrinsic willingness and commitment to improve. This is especially the case for mid-market organizations that lack dedicated security staff, capabilities and / or sufficient budgets. Puhakainen and Siponen [5] noted that information security approaches are lacking not only theoretically grounded methods, but also empirical evidence of their effectiveness. Many other researchers [6-8] have also pointed out the necessity of empirical research into practical interventions and preconditions in order to support organizations with improving the effectiveness of their security. These theoretical voids, as well as the practical observation of failing compliant- oriented approaches, widen the knowledge gap [9]. This “knowing- Received Date: May 25, 2020 Published Date: June 26, 2020 ISSN: 2687-8097 DOI: 10.33552/SJRR.2020.02.000546 Scientific Journal of Research and Reviews Research Article Copyright © All rights are reserved by ON2IT BV Netherlands This work is licensed under Creative Commons Attribution 4.0 License SJRR.MS.ID.000546. *Corresponding author: Yuri Bobbert, ON2IT, Antwerp Management School, Netherlands. Abstract How can high-level directives concerning risk, cybersecurity and compliance be operationalized in the central nervous system of any organization above a certain complexity? How can the effectiveness of technological solutions for security be proven and measured, and how can this technology be aligned with the governance and financial goals at the board level? These are the essential questions for any CEO, CIO or CISO that is concerned with the wellbeing of the firm. The concept of Zero Trust (ZT) approaches information and cybersecurity from the perspective of the asset to be protected, and from the value that asset represents. Zero Trust has been around for quite some time. Most professionals associate Zero Trust with a particular architectural approach to cybersecurity, involving concepts such as segments, resources that are accessed in a secure manner and the maxim “always verify never trust”. This paper describes the current state of the art in Zero Trust usage. We investigate the limitations of current approaches and how these are addressed in the form of Critical Success Factors in the Zero Trust Framework developed by ON2IT ‘Zero Trust Innovators’ (1). Furthermore, this paper describes the design and engineering of a Zero Trust artifact that addresses the problems at hand (2), according to Design Science Research (DSR). The last part of this paper outlines the setup of an empirical validation trough practitioner oriented research, in order to gain a broader acceptance and implementation of Zero Trust strategies (3). The final result is a proposed framework and associated technology which, via Zero Trust principles, addresses multiple layers of the organization to grasp and align cybersecurity risks and understand the readiness and fitness of the organization and its measures to counter cybersecurity risks. Keywords: Zero Trust Strategy, Design Science Research, Zero Trust Readiness, Artefact design and development