Build cyber resilience with zero-trust frameworks

Blog | 5 minute read | March 27, 2025

Zero trust is a security framework that requires continuous verification for every user and device trying to access resources, regardless of their location. While traditional security models rely on perimeter defences, which can be more easily breached, zero trust enforces strict access controls and continuous monitoring to better protect against modern security challenges.

Zero trust helps organizations prevent multivariable attacks. As such, a choice not to incorporate zero trust is a choice to leave your organization more vulnerable. For example, in the event of a ransomware attack, without zero trust, malware propagates through a network due to a lack of segmentation. Similarly, without zero trust, malicious insiders can exploit their trusted birthright and privileged access to do things they shouldn’t.

Advancements in technology, cloud computing, remote work and the evolving threat landscape have made zero trust increasingly practical. Frameworks and guidelines from organizations like the National Institute of Standards and Technology (NIST) have also contributed to its adoption. Zero trust enables organizations to meet increasingly rigorous compliance requirements, such as the General Data Protection Regulation (GDPR) and Personal Information Protection and Electronic Documents Act (PIPEDA).

Zero trust isn’t just a technology deployment—it’s a transformation to become future-ready that involves people, processes and technology. The principles of zero trust help organizations protect what matters most, including digital crown jewels, client trust and brand integrity. They reduce the risk and impact of ransomware attacks and data breaches by protecting against vectors such as insider threats, lateral movement, compromised credentials, phishing, unauthorized remote access, device compromises, and supply chain and third-party access risks.
In our recent Global Digital Trust Insights survey, we found only 2% of respondents globally have implemented cyber resilience actions across their organization. Zero trust is a critical tool to help organizations strengthen their cyber resilience in a way traditional network security strategies simply cannot. To begin this journey, CISOs need to understand the principles of zero trust and how they can be integrated into their organization’s core cybersecurity strategy.

Determine where to start your zero-trust journey

Less than half of executive respondents to our survey (both globally and in Canada) say their CISO is involved to a large extent in strategic planning, board reporting and overseeing tech deployments. However, when moving towards zero trust, communication across the C-suite and from the CISO level down on why the organization needs to adopt these principles is essential. Zero trust creates an ecosystem, and people and processes must be aligned.

Involving the C-suite and leadership in the zero-trust planning and implementation process helps make sure the initiative receives the necessary support and resources and fosters a culture of security. This collaboration enhances client and brand trust by demonstrating a commitment to robust security measures, and it also enables the organization to innovate with less risk.

The following are the top five considerations for CISOs ready to reconsider traditional security methodologies and adopt a zero-trust strategy.

1. Establish identity and access management as the core

The concept of identity-based perimeter is at the heart of a zero-trust strategy. Organizations must enforce least privilege by continuously authenticating each access request, including those from third parties, based on contextual information and monitoring of user activity patterns.
Key actions include the following:
- Verify users by implementing multi-factor authentication (MFA) and passwordless authentication
- Apply the concept of least-privilege access to allow or deny access to resources based on a combination of contextual factors across identity, network, data, device and application
- Continuously verify user and device identity based on risk factors, and make access decisions based on a risk score

2. Develop comprehensive visibility and analytics

For each access request, organizations must understand context by analyzing events, activities and behaviours and leverage artificial intelligence (AI). The goal is to achieve a model that improves detection and reaction speed in making real-time access decisions.

Key actions include the following:
- Achieve real-time visibility into users, devices and applications
- Use AI-driven security analytics to detect anomalies and potential threats
- Use AI to monitor and analyze encrypted and unencrypted network traffic
- Implement logging and monitoring across cloud, on-premises and hybrid environments

3. Deploy microsegmentation and least privilege

Microsegmentation isolates critical workloads and applications from unauthorized access. However, it can be challenging to implement, as it’s difficult to define access policies across multiple environments and map dependencies between applications, users and services. In addition, most legacy systems haven’t been designed for microsegmentation.

Key actions include the following:
- Use automated network discovery tools to map dependencies and define segmentation policies gradually
- Implement policy automation tools to streamline rule enforcement
- Deploy network detection and response tools for real-time visibility and anomaly detection
- Implement continuous monitoring tools to automate compliance checks

4. Enforce strong device and endpoint security

CISOs should implement tools to monitor, detect and remediate malicious activity on devices by integrating network-wide visibility and defence orchestration capabilities.

Key actions include the following:
- Mandate device posture checks before granting access
- Implement endpoint detection and response (EDR) and extended detection and response (XDR)
- Continuously monitor and enforce compliance on both managed and unmanaged devices

5. Leverage continuous verification and adaptive policies

The organization should use adaptive policy control methods. These methods automatically adjust based on real-time risks in the environment and automate security responses based on defined processes and security policies enabled by AI to take blocking actions and force remediations.

Key actions include the following:
- Transition from a static, perimeter-based model to a dynamic, risk-based approach
- Use adaptive policies that adjust based on real-time risk signals
- Continuously evaluate trust levels with automated threat intelligence and behaviour analysis

Build a strategic plan to invest in zero trust

Tech executive respondents to our recent Global Digital Trust Insights survey (both globally and in Canada) ranked network security and continuity as one of their top investment priorities for the coming year. We’ve listed critical investment areas for implementing zero trust below. Not all organizations will need to invest in all of these at the same time, depending on the maturity of their domains. The goal is to build a strategic plan for the next four to five years that allows the organization to increase the maturity of all domains (by buying and/or building) and then integrate them.
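An added example, not part of the original article or any PwC tooling: a minimal policy decision function showing how the least-privilege, device posture and adaptive risk-score actions in considerations 1, 4 and 5 can combine into one per-request decision. The roles, signal names, weights and thresholds are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # require fresh MFA before the request proceeds
    DENY = "deny"


# Constructed least-privilege entitlements: role -> permitted (resource, action).
ENTITLEMENTS = {
    "finance-analyst": {("ledger", "read")},
    "finance-admin": {("ledger", "read"), ("ledger", "write")},
}

# Assumed risk weights on a 0-100 scale; calibrate against real telemetry.
WEIGHTS = {
    "no_mfa": 40,
    "unmanaged_device": 25,
    "posture_failed": 35,
    "new_location": 15,
    "anomalous_behaviour": 30,
}

# Assumed (step_up_at, deny_at) thresholds, tightened when threat level rises.
THRESHOLDS = {"normal": (30, 60), "elevated": (20, 50)}


@dataclass(frozen=True)
class AccessRequest:
    role: str
    resource: str
    action: str
    mfa_verified: bool = True
    device_managed: bool = True
    posture_compliant: bool = True     # e.g. patched, encrypted, EDR running
    new_location: bool = False
    anomalous_behaviour: bool = False  # flag from behaviour analytics


def risk_score(req: AccessRequest) -> int:
    """Sum the weights of every risk signal present on this request."""
    signals = {
        "no_mfa": not req.mfa_verified,
        "unmanaged_device": not req.device_managed,
        "posture_failed": not req.posture_compliant,
        "new_location": req.new_location,
        "anomalous_behaviour": req.anomalous_behaviour,
    }
    return min(100, sum(WEIGHTS[name] for name, hit in signals.items() if hit))


def decide(req: AccessRequest, threat_level: str = "normal"):
    """Evaluate one request; called on every access, not once per session."""
    # Least privilege: anything not explicitly entitled is denied.
    if (req.resource, req.action) not in ENTITLEMENTS.get(req.role, set()):
        return Decision.DENY, "role not entitled to this action"
    # Device posture gate: writes never proceed from a non-compliant device.
    if req.action == "write" and not req.posture_compliant:
        return Decision.DENY, "device posture check failed"
    # Adaptive policy: unknown threat levels fall back to the strictest pair.
    step_up_at, deny_at = THRESHOLDS.get(threat_level, THRESHOLDS["elevated"])
    score = risk_score(req)
    if score >= deny_at:
        return Decision.DENY, f"risk score {score} >= {deny_at}"
    if score >= step_up_at:
        return Decision.STEP_UP, f"risk score {score} >= {step_up_at}"
    return Decision.ALLOW, f"risk score {score}"


if __name__ == "__main__":
    session = AccessRequest("finance-analyst", "ledger", "read")
    drifted = replace(session, device_managed=False, anomalous_behaviour=True)
    for label, req, level in [
        ("baseline", session, "normal"),
        ("same user, signals drifted", drifted, "normal"),
        ("drifted during elevated threat", drifted, "elevated"),
        ("analyst attempts write", replace(session, action="write"), "normal"),
    ]:
        decision, reason = decide(req, level)
        print(f"{label:32} {decision.value:8} {reason}")
```

Because `decide` is evaluated on each request, the same user and session move from allow to step-up to deny as device and behaviour signals change, which is the difference from a one-time perimeter login.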
Critical investment areas for zero trust

- Identity and access management: Multi-factor authentication; Single sign-on; Identity governance and administration; Privileged access management
- Network security: Software-defined perimeter; Network segmentation and microsegmentation; Secure access service edge; Firewall as a Service
- Endpoint security: Endpoint detection and response; Mobile device management; Secure enclaves and trusted execution
- Data security: Data loss prevention; Encryption and tokenization; Cloud access security brokers; Rights management and data governance
- Application security: Secure DevOps; Web application firewalls; Runtime application self-protection; Application programming interface security
- Security monitoring and analytics: Security information and event management; User and entity behaviour analytics; Extended detection and response; Threat intelligence platforms
- Cloud security: Cloud security posture management; Cloud workload protection; Identity and access management for cloud; Cloud-native application protection platform
- Automation and orchestration: Security orchestration, automation and response; AI-driven threat detection and response

Overcome organizational barriers to zero trust

As with any other large-scale transformation, there can be significant organizational barriers to overcome when implementing zero trust. Challenges we often see include organizational inertia, cost and project scope. To make a zero-trust implementation a success, all stakeholders, including the board, should be involved and aligned about the principles and how changes will impact processes and resources on top of their day-to-day responsibilities.

Zero trust is often best implemented in phases, starting with high-risk areas and gradually expanding to the entire organization. An approach like this allows for a more manageable and cost-effective implementation.

CISOs should take advantage of existing resources and investments before allocating new budgets for zero trust. This includes using current tools and technologies to support zero-trust principles and integrating them into the overall security architecture. CISOs must also make sure security criteria are part of any procurement process. When sharing critical organizational data with any third-party vendor, it’s important that the vendor follows the zero-trust architecture to maintain cybersecurity posture.

As they continue their journey towards zero trust, CISOs should prioritize measuring return on investment through clear key performance indicators and metrics. The goal is to track progress and the footprint of those capabilities to make sure investments align with business objectives and deliver tangible benefits.

Assess your organization’s zero-trust controls

There are many different zero-trust controls organizations can task their red teams with testing. In the identity and access management domain, KPIs include MFA adoption rate, privileged access management effectiveness, identity verification success rate and number of failed login attempts and inactive or orphaned accounts.
In the device security domain, KPIs include number of unmanaged devices, as well as rates of endpoint compliance, device posture assessment success and vulnerable device detection. In the network and microsegmentation domain, KPIs include unapproved lateral movement attempts, segmentation policy compliance, encrypted traffic volume and zero-trust policy enforcement rate. In the application and data security domain, KPIs include data loss prevention incidents and rates of IT detection, access request denial and successful phishing attempts. In the threat detection and response domain, KPIs include mean times to detect and respond, as well as incident false positive and insider threat detection rates. And in the user behaviour and awareness domain, KPIs include phishing simulation success, user security training completion and anomalous behaviour detection rates.

Begin your zero-trust journey today

Failing to adopt zero trust can expose organizations to significant security, financial and reputational risks. Organizations must either have a mitigation plan in place or accept these risks.

While zero trust is often seen as a challenging goal to achieve, organizations can start their zero-trust journey today. The first step is to conduct a strategic, risk-based assessment to understand their current zero-trust capability maturity. The next step is to use the information gathered in that assessment to build a tailored, prioritized zero-trust roadmap that addresses the organization’s biggest risks.

Ready to start—or amplify—your organization’s journey towards zero trust? Reach out to us to continue the conversation.
Contact us

- Director, Zero Trust Lead, Cybersecurity and Privacy, PwC Canada. Tel: +1 416 258 3292
- Partner, Cybersecurity, Privacy and Financial Crime National Leader, PwC Canada. Tel: +1 416 815 5306
- Partner, Cybersecurity, Privacy and Financial Crime and National Cybersecurity Leader, PwC Canada. Tel: +1 604 806 7603
- Partner, Cybersecurity, Privacy and Financial Crime, PwC Canada. Tel: +1 416 687 9139

© 2018 - 2026 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see http://pwc.zhutiblog.com/com/structure for further details.