Zero Trust is easy to say and hard to enforce.
Zero trust sounds simple — until you try enforcing it across complex multi-cloud environments.
Fragmentation creates blind spots — and blind spots are where both attackers and auditors strike.
One pane to see them all
Part 2 of a series
Abstract
Resilience depends on being able to see the full estate. Without unified visibility, Zero Trust cannot hold.
Organisations have embraced multi-cloud for scale and innovation. What hasn’t kept pace is visibility. Each provider delivers its own console, metrics and logs. CISOs end up reconciling multiple truths, with no simple way to stitch them together.
Boards and regulators are no longer persuaded by “best efforts.” They want demonstrable, consistent control across every environment—cloud and on-prem alike. With 30–40% of IT budgets tied up in cloud, visibility is now a governance problem, rather than just a technical headache.
The Business Challenge
The risks of poor visibility show up in three ways:
Operational fragility
Security teams drown in dashboards but still lack a unified view of posture. Misconfigurations and drift go undetected until after deployment, when the cost of remediation is highest.
Material exposure
A missed control in one cloud or on-prem system can cascade across interconnected environments, triggering outages, breaches, or non-compliance findings. For regulated industries, this can lead directly to new and tighter licence conditions, higher capital charges, or reputational damage.
Rising cost
Juggling multiple tools and consoles drains scarce cyber talent, forces manual reconciliation, and duplicates investment. This is value destruction in the name of “security.”
Boards increasingly ask a sharper question:
“If we can’t see it all, how can we assure resilience?”
The Opportunity Landscape
Done well, unified visibility can be a powerful lever for performance and trust.
- Consolidated assurance — one pane of glass allows executives and boards to monitor cyber posture in real time, across cloud and on-prem estates alike. This strengthens governance and improves decision-making.
- Reduced risk and cost — unified scanning cuts duplication, prevents misconfigurations before they hit production, and lowers audit overhead. It also frees cyber teams to focus on higher-value analysis rather than reconciliation.
- Faster response — correlating risks across environments enables earlier detection and contextualised response, improving resilience under pressure.
- Regulatory trust — demonstrating a unified visibility framework directly addresses APRA CPS 234, ASIC’s operational resilience guidance, and the ACSC Essential Eight maturity model (all of which emphasise continuous control).
What the Data Shows
-
- Misconfiguration risk: According to Gartner (via UpGuard), nearly 80% of data breaches in the cloud stem from misconfigurations — oversights like open settings, excessive permissions, or forgotten credentials, not sophisticated attacks.
- Regulatory direction: APRA’s CPS 234 explicitly requires continuous visibility of controls across all critical systems, not just “best efforts.” ASIC has also flagged tougher enforcement of operational resilience.
- Australian Essential 8: The ACSC Essential Eight places configuration management and monitoring at baseline maturity; without cross-environment correlation, measurement is incomplete.
- Operational cost: A Forrester Total Economic Impact (TEI) study found enterprises adopting unified governance and automation reduced compliance and audit-related costs by ~15% over three years — representing millions in OPEX savings at scale.
- Sector impact: In financial services, AI-driven reconciliation tools have cut manual processes from hours to minutes, enabling faster closing cycles and more timely board reporting.
Leadership Imperatives:
To turn visibility into resilience, and resilience into growth capital, leaders should:
- Mandate a unified visibility strategy — stop treating each environment as a silo. Align cyber, cloud and risk teams around a single visibility framework that spans cloud and on-prem workloads. This is a governance imperative rather than a tooling decision.
- Measure Zero Trust across the estate, not per platform — Zero Trust is only as strong as its weakest environment. Demand metrics that span providers and on-prem systems and connect those measures to enterprise-wide resilience reporting.
- Invest in correlation, not more consoles — more dashboards add noise. Invest in tools that contextualise risks across environments, link them to business services, and prioritise what matters most.
- Elevate visibility to the boardroom — visibility metrics should sit alongside financial and ESG metrics in board packs. This shifts cyber resilience from a technical issue to a governance discipline.
- Tie visibility to compliance outcomes — ensure unified dashboards feed directly into APRA CPS 234 reporting, Essential Eight assessments and audit packs. This reduces manual effort and demonstrates proactive control.
Future Outlook
Regulators and investors are shifting from accepting “best efforts” to demanding continuous, unified visibility across all estates. This is fast becoming the industry standard rather than an aspirational dream.
- The EU’s Digital Operational Resilience Act (DORA), coming into force in 2025, mandates consistent, real-time visibility of ICT risks across financial entities.
- In Australia, APRA’s CPS 234 already requires continuous assurance of controls across all critical systems.
- KPMG’s Regulatory Barometer 2025 notes that operational resilience and cyber visibility are now top-three priorities for over 40% of global regulators and boards.
Organisations that act now will not only reduce exposure; they will set the benchmark for resilience and trust in their sector. Those that delay risk playing catch-up under regulatory scrutiny, with higher costs and weaker credibility.
Unified visibility will become baseline expectation. Regulators will demand consolidated assurance. Al will make real-time posture scanning table stakes. The organisations that act now will define the benchmark for trust in their sector.
Conclusion
Zero Trust without unified visibility is an illusion. One pane to see them all — across cloud, on-prem, and hybrid estates — is now the foundation of resilience.
Talk to Frame about consolidating visibility into a single, coherent model of Zero Trust.
