Start a security adoption journey

No two organizations are alike, and companies modernize security in different ways depending on their goals and priorities, maturity, culture, and leadership support.

This article describes three common patterns for starting a Zero Trust security adoption journey.

  • Top down - Start with a high-level strategy. Resolve the strategy into detailed plans, and deliver on those plans.
  • Build-up - Start with one or more top priority areas to focus on quick wins. Expand to more areas and build out an overall strategy.
  • Scenario-driven - Start with a specific business scenario and drive a coherent approach for that scenario across multiple disciplines.

Use this guidance to choose a starting point, rather than a pattern. It's important that your starting point enables progress without disrupting critical business operations.

Tip

Microsoft offers a rich set of security adoption workshops - the Security Adoption Framework (SAF) workshops. Our structured adoption model guidance aligns with the expert-led guidance from Microsoft Unified delivered in those workshops. Learn more about SAF workshops.

Select a pattern

Before you start, note that:

  • Adoption patterns aren't mutually exclusive. You can use one pattern, evolve to another, or blend them over time.
  • Most organizations move through more than one pattern over time, and many adopt a blended approach where they use multiple patterns simultaneously.
  • For example, a build-up or scenario-driven approach often creates the momentum and insight needed to move toward a more comprehensive, strategy-led adoption.

Whatever pattern you choose, we recommend that you:

  • Decide how you want to modernize. Most organizations focus on updating existing processes and technologies. A few build a new security program from scratch.
  • Align the approach. Align with your organizational priorities, constraints, risk tolerance, and the ability to absorb change.
  • Continuously adjust. Continuously gather data to measure what is working, what isn't, and where adjustment is needed.
  • Support business as usual. Ensure that you can perform while you transform. Business operations and threat actors don't pause during security modernization. Teams must do their day jobs while they're transforming their approach.

Top-down

Top-down is a strategy-led approach that starts with an end-to-end vision and drives coordinated delivery across the organization. To use this pattern:

  1. Start at the beginning of the adoption path, and establish a clear strategy aligned to business priorities.
  2. Translate that strategy into architecture, roadmaps, and prioritized technical initiatives.
  3. Deliver consistently across security disciplines and technology pillars.

This approach works well for organizations where CISOs and security leaders have strong executive sponsorship and understand the importance of driving a coordinated change and active collaboration across business, IT, and security teams.

Build-up

Build-up is an incremental approach that starts with targeted improvements and expands over time. To use this pattern:

  1. Start with a high-impact quick win that addresses an urgent risk or operational gap. For example, focus on a specific discipline or pillar to begin.
  2. Demonstrate measurable value of the quick win to build credibility and support.
  3. Expand laterally within the same discipline for another win, or transition to a broader, strategy-led top-down approach.

This pattern works well for organizations that currently lack full executive sponsorship for security modernization. Technical and security leaders can use visible wins to reduce risk and build credibility for broader adoption.

Scenario-driven

Scenario-driven adoption focuses on securing a specific business initiative and uses it to drive cross-discipline alignment. To use this pattern:

  1. Identify a high-priority business scenario.
  2. Secure the scenario across multiple security disciplines.
  3. Use the scenario to expose dependencies, gaps, and future modernization needs.

This pattern is suitable when there's executive support and funding for a particular security initiative, but not for a full security transformation. It helps organizations connect disconnected programs and siloed efforts, improve collaboration, and defer lower-priority modernization until later.

Next steps

What you do next depends on the pattern you're using.