Independent reference. Not affiliated with any zero trust vendor. Updated Q1 2026.
ZeroTrustCost

Zero trust implementation roadmap

A phased zero trust rollout has three stages: Foundation (40-50% of budget), Expansion (35-45%), Optimisation (15-25%). This page covers what to deploy in each phase, how long it takes, what each phase costs at SMB / mid-market / enterprise scale, exit criteria, and what to defer when budget is constrained.

Timeline (Month 0 to Month 36+): 01 Foundation, 3-9 months, 40-50% of budget; 02 Expansion, 6-18 months, 35-45% of budget; 03 Optimisation, 12-24 months, 15-25% of budget.
Pre-phase

Quick wins, first 30 days, $0-$10K

Five high-leverage controls that deploy before Phase 1 launches and materially reduce risk during programme spin-up.

  • Enable MFA on all admin accounts using existing M365 or Google identity. No new licensing required. Highest single-control risk reduction available.
  • Document and SSO-consolidate the top 10 apps. Inventories the actual app landscape and removes the most-targeted credential reuse vectors.
  • Revoke stale privileged accounts. Active Directory and IdP cleanup. Labour-only cost. Reduces blast radius of compromise.
  • Conditional access on admin portals. Block legacy authentication, geo-block where appropriate, require compliant device for admin portal access.
  • DNS filtering deployment. Cloudflare Gateway free tier or equivalent. Quick zero trust control. Blocks resolution of known-malicious domains, which cuts off the C2 callbacks of most commodity malware; it does nothing against C2 over hard-coded IPs or abused legitimate SaaS domains, and it only protects devices that actually use the filtered resolver.

Phase 01: Foundation

3-9 months - 40-50% of total budget - Pillars: Identity, Device
Org size | Phase 01 cost (year-of-phase) | % of total programme
SMB - 100 users | $80K-$180K | 40-50%
Mid-market - 500 users | $350K-$700K | 40-50%
Enterprise - 2,000 users | $1.2M-$2.5M | 40-50%
Workstreams
Identity baseline
  • Phishing-resistant MFA on privileged accounts (FIDO2 keys)
  • SSO consolidation - top 10 critical apps
  • Conditional access policies on admin portals
  • PAM deployment for tier-0 / break-glass accounts
Device baseline
  • MDM enrolment of all corporate devices
  • EDR deployment with response actions enabled
  • Device compliance policies feeding conditional access
  • Asset inventory baseline
Governance
  • Quarterly access reviews for privileged groups
  • Joiner / mover / leaver flow documentation
  • Security architect FTE in seat
  • Vendor selection finalised for Phase 2 ZTNA
Exit criteria
  • 100% of privileged accounts on phishing-resistant MFA
  • 95%+ workforce on SSO with conditional access
  • 100% of corporate devices in MDM with EDR active
  • Tier-0 PAM operational with session recording
  • Identity governance access-review cadence established
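As an added example (not the page's own tooling and not any vendor's API), the following Python script turns the Phase 1 exit criteria above, plus the pre-phase conditional access quick win, into a gate that can be run against inventory exports. The user, device and policy record shapes and all sample data are assumptions; the policy dicts mirror a simplified subset of the Microsoft Graph conditional access schema (state, conditions.users, conditions.clientAppTypes, grantControls), with role names standing in for the role template IDs Graph actually uses. Two checks are deliberately strict because they are where real rollouts quietly fall short: a report-only policy does not count as enforcement, and an admin policy must combine MFA and compliant device with AND.

```python
"""Phase 1 exit-criteria gate over a constructed identity/device inventory.

Added example. Record shapes, role names and sample data are assumptions; a
real run would pull users from the IdP, devices from MDM/EDR, and policies
from Microsoft Graph (/identity/conditionalAccess/policies), whose fields are
mirrored here in simplified form (Graph scopes roles by template ID, not name).
"""
from dataclasses import dataclass

# Methods that count as phishing-resistant. Push, TOTP and SMS are MFA, but
# they do not satisfy the "privileged accounts on phishing-resistant MFA" bar.
PHISHING_RESISTANT = {"fido2", "certificate"}
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator",
                    "Privileged Role Administrator", "Domain Admins"}
# Graph clientAppTypes values that represent legacy (non-modern) authentication.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}
# Thresholds are the page's Phase 1 exit criteria.
THRESHOLDS = {"priv_pr_pct": 100.0, "sso_pct": 95.0, "device_pct": 100.0}


@dataclass
class User:
    upn: str
    roles: frozenset
    auth_methods: frozenset
    sso: bool
    enabled: bool = True

    @property
    def privileged(self) -> bool:
        return bool(self.roles & PRIVILEGED_ROLES)


@dataclass
class Device:
    name: str
    corporate: bool
    mdm_enrolled: bool
    edr_active: bool


def pct(num: int, den: int) -> float:
    return 100.0 if den == 0 else round(100.0 * num / den, 1)


def enforced(policies):
    # Report-only ("enabledForReportingButNotEnforced") and disabled policies
    # produce sign-in log entries, not enforcement, so they never satisfy a gate.
    return [p for p in policies if p["state"] == "enabled"]


def legacy_auth_blocked(policies) -> bool:
    """An enforced policy must block every legacy client app type for all users."""
    return any(
        "All" in p["conditions"]["users"].get("includeUsers", [])
        and LEGACY_CLIENT_APPS <= set(p["conditions"].get("clientAppTypes", []))
        and "block" in p["grantControls"]["builtInControls"]
        for p in enforced(policies))


def admins_need_compliant_device(policies) -> bool:
    """An enforced policy scoped to admin roles must require MFA AND a compliant
    device; with operator OR, a compliant device alone would satisfy it."""
    return any(
        set(p["conditions"]["users"].get("includeRoles", [])) & PRIVILEGED_ROLES
        and p["grantControls"]["operator"] == "AND"
        and {"mfa", "compliantDevice"} <= set(p["grantControls"]["builtInControls"])
        for p in enforced(policies))


def evaluate_phase1(users, devices, policies) -> dict:
    active = [u for u in users if u.enabled]  # disabled accounts are already revoked
    priv = [u for u in active if u.privileged]
    corp = [d for d in devices if d.corporate]  # BYOD is out of scope for this gate
    m = {
        "priv_pr_pct": pct(sum(bool(u.auth_methods & PHISHING_RESISTANT) for u in priv), len(priv)),
        "sso_pct": pct(sum(u.sso for u in active), len(active)),
        "device_pct": pct(sum(d.mdm_enrolled and d.edr_active for d in corp), len(corp)),
        "legacy_auth_blocked": legacy_auth_blocked(policies),
        "admin_compliant_device": admins_need_compliant_device(policies),
    }
    gaps = [k for k, t in THRESHOLDS.items() if m[k] < t]
    gaps += [k for k in ("legacy_auth_blocked", "admin_compliant_device") if not m[k]]
    m["gaps"] = gaps
    m["passed"] = not gaps
    return m


# Constructed sample inventory (not real accounts, devices or tenant policies).
SAMPLE_USERS = [
    User("alice@example.test", frozenset({"Global Administrator"}), frozenset({"fido2"}), sso=True),
    User("bob@example.test", frozenset({"Exchange Administrator"}), frozenset({"push"}), sso=True),
    User("carol@example.test", frozenset(), frozenset({"push"}), sso=True),
    User("dave@example.test", frozenset(), frozenset({"sms"}), sso=False),
    User("svc-legacy@example.test", frozenset({"Domain Admins"}), frozenset(), sso=False, enabled=False),
]
SAMPLE_DEVICES = [
    Device("LT-001", corporate=True, mdm_enrolled=True, edr_active=True),
    Device("LT-002", corporate=True, mdm_enrolled=True, edr_active=False),
    Device("PHONE-byod", corporate=False, mdm_enrolled=False, edr_active=False),
]
SAMPLE_POLICIES = [
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Admins: MFA + compliant device",
     "state": "enabledForReportingButNotEnforced",  # still report-only: a gap
     "conditions": {"users": {"includeRoles": ["Global Administrator"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
]

if __name__ == "__main__":
    for key, value in evaluate_phase1(SAMPLE_USERS, SAMPLE_DEVICES, SAMPLE_POLICIES).items():
        print(f"{key:24} {value}")
```

Run as-is it prints the metrics and a four-item gap list, which is the normal mid-phase picture: one admin still on push MFA, one laptop enrolled but without EDR, and the admin policy left in report-only. Pointing it at a real tenant means replacing the SAMPLE_* constants with API pulls; the thresholds stay as the page defines them.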

Phase 02: Expansion

6-18 months - 35-45% of total budget - Pillars: Network, Workload (basics)
Org size | Phase 02 cost (year-of-phase) | % of total programme
SMB - 100 users | $70K-$150K | 35-45%
Mid-market - 500 users | $280K-$600K | 35-45%
Enterprise - 2,000 users | $1.0M-$1.8M | 35-45%
Workstreams
Network
  • ZTNA pilot replacing legacy VPN (50-200 users)
  • ZTNA full rollout with 60-180 day VPN parallel run
  • DNS filtering - full, policy-managed rollout, extending the pre-phase free-tier quick win to all users and devices
  • Microsegmentation pilot in critical zones (PCI, regulated)
Application access
  • Conditional access policies on all SaaS apps
  • CASB deployment for SaaS visibility
  • App-level DLP policies, deployed in monitor mode first so rules can be tuned before they block anything
Workload (basics)
  • CSPM deployment across cloud accounts
  • Container image scanning in CI/CD
  • API discovery (passive monitoring)
Exit criteria
  • Legacy VPN decommissioned for general workforce
  • 100% sanctioned SaaS apps in CASB
  • Microsegmentation policy enforced in PCI / regulated zones
  • CSPM coverage on all production cloud accounts
  • DLP policies in monitor mode with tuning underway

Phase 03: Optimisation

12-24 months - 15-25% of total budget - Pillars: Data, Workload (advanced), Telemetry
Org size | Phase 03 cost (year-of-phase) | % of total programme
SMB - 100 users | $30K-$70K | 15-25%
Mid-market - 500 users | $120K-$250K | 15-25%
Enterprise - 2,000 users | $400K-$800K | 15-25%
Workstreams
Data
  • Auto-classification on file create / save
  • DLP move from monitor to enforce mode
  • BYOK / customer-managed keys for sensitive workloads
Workload (advanced)
  • Service mesh / mTLS for service-to-service
  • API runtime protection (schema enforcement, abuse detection)
  • Workload identity (short-lived tokens)
Telemetry and automation
  • UEBA on identity, device, network signals
  • SOAR for automated response on high-confidence detections
  • Passwordless rollout (FIDO2 keys workforce-wide)
Exit criteria
  • Auto-classification active on 90%+ of regulated data stores
  • DLP in enforce mode with sub-2% false-positive rate
  • UEBA detections feeding SOC playbooks
  • Passwordless adoption above 70% of workforce
  • All five pillars at CISA Advanced or Optimal tier
Constrained budget

What to defer when money is tight

Three high-impact deferrals that cut 20-40% from total programme cost without leaving critical risk unaddressed.

  • Defer microsegmentation. The single highest-cost network-pillar component. For organisations under 500 users without regulated data zones, microsegmentation can move to Phase 3 or be skipped entirely. For user-to-application access, ZTNA removes most of the lateral-movement exposure a flat VPN creates at much lower cost; it does not constrain east-west traffic between servers, which is why PCI and other regulated zones still get microsegmentation.
  • Defer full PAM. For organisations with fewer than 50 privileged users, Microsoft Entra PIM (included with Entra ID P2) covers tier-0 just-in-time activation, approval workflow and audit logging adequately during Phase 1. PIM does not record sessions, so the "session recording" exit criterion moves with the dedicated PAM platform to Phase 2 and should be written up as accepted residual risk until then.
  • Use Microsoft-native tooling instead of best-of-breed. M365 E3 + Entra ID P2 covers most of the identity and device pillars at substantially lower cost than buying separate Okta, CrowdStrike, and Defender for Cloud Apps licences. Check the EDR line item: E3 bundles Defender for Endpoint Plan 1, and the response actions in the Phase 1 device baseline need Plan 2 (an add-on, or bundled in E5). Best-of-breed adds 30-50% to year-one cost; only worth it if your estate is genuinely heterogeneous.
Frequently asked

Roadmap questions

How long does a zero trust programme really take?
Two to four years to reach CISA Optimal-tier maturity across all five pillars. Phase 1 (Foundation, identity and device) takes 3-9 months. Phase 2 (Expansion, network and basic workload) takes 6-18 months and typically overlaps with the tail of Phase 1. Phase 3 (Optimisation, data, advanced workload, telemetry) takes 12-24 months. SMBs running a Microsoft-first stack often complete Phases 1 and 2 in under 12 months because so much functionality is bundled into M365. Federal contractors operating under OMB M-22-09 deadlines often compress the entire programme into 18 months at significant cost premium.
What are the quick wins before Phase 1 starts?
Five quick wins can be deployed in 30 days for $0-$10K beyond labour: (1) enable MFA on all admin accounts using existing M365 / Google identity, (2) document the top 10 most-used apps and confirm SSO is configured, (3) revoke stale privileged accounts via Active Directory cleanup, (4) enable conditional access on admin portals (block legacy auth, geo-block where appropriate), (5) deploy DNS filtering as a near-no-cost zero trust control via Cloudflare Gateway's free tier (or a paid equivalent such as Cisco Umbrella). These quick wins materially reduce risk while the larger programme spins up.
What if we need to skip a phase?
Skipping is the wrong word; deferring is correct. The most common deferrals are: PAM (Phase 1 component, deferred to Phase 2 for SMBs without privileged-user complexity), microsegmentation (Phase 2 component, deferred to Phase 3 or skipped entirely under 500 users), and full data classification (Phase 3 component, often deferred indefinitely without compliance pressure). Defer with intent and document the residual risk acceptance; the security architect should sign off on each deferral.
What if budget is constrained?
Three high-leverage choices for budget-constrained programmes: (1) a Microsoft-first stack, M365 E3 plus the Entra ID P2 add-on, covers the identity and device pillars at substantially lower cost than best-of-breed equivalents (budget separately for Defender for Endpoint Plan 2 if EDR response actions are required, since E3 bundles only Plan 1); (2) defer microsegmentation, the highest-cost network-pillar component, which is rarely needed under 500 users and can move to Phase 3 or beyond; (3) defer full PAM, since for organisations with fewer than 50 privileged users Entra PIM (included with P2) covers tier-0 just-in-time activation and audit during Phase 1, with session recording arriving when the dedicated PAM platform lands in Phase 2.
How do we know we have actually reached maturity?
Each phase has explicit exit criteria (see the phase tables above). For an external view, run an annual independent zero trust assessment against the CISA Zero Trust Maturity Model, which scores each pillar against four maturity tiers (Traditional, Initial, Advanced, Optimal). A mature programme reaches Advanced across all five pillars by end of Phase 2 and Optimal in identity, network, and device by end of Phase 3. Regulated estates (federal, healthcare, finance) typically need Optimal across all five pillars and use the CISA assessment as compliance evidence.
What is the most common roadmap mistake?
Trying to deploy all five pillars in parallel. The result is integration chaos, vendor sprawl, no single deployment that finishes cleanly, and burnt budget. Phase sequencing exists because each pillar depends on the maturity of prior ones: microsegmentation policies need accurate identity context, conditional access policies need reliable device posture, and DLP rules need consistent classification labels. Following the phase model takes longer but costs less and produces higher-quality controls. The second most common mistake is starting with microsegmentation rather than identity, which almost guarantees policies that need rebuilding once identity context exists.