Executive Order No. 14028 (2021) requires U.S. federal agencies to enhance cybersecurity by adopting Zero Trust Architecture (ZTA) principles, strengthening defenses against increasingly sophisticated cyber threats that target critical infrastructure and supply chains. Originating in the Jericho Forum’s concept of de-perimeterization and advanced by Kindervag’s Zero Trust model, ZTA shifts security away from the traditional network perimeter toward continuous verification, least-privilege access, and comprehensive network monitoring. The COVID-19 pandemic accelerated the adoption of remote work, exposing new vulnerabilities and amplifying the need for Zero Trust strategies. Despite growing interest, user-related barriers often impede the successful implementation of Zero Trust in non-governmental organizations.
This qualitative study surveys Chief Information Security Officers (CISOs) from U.S.-based organizations that have implemented Zero Trust principles to at least the initial stage of maturity, as described by the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model (ZTMM). The study explores user-related barriers, mitigation strategies, and lessons learned to identify best practices that enhance security while fostering user acceptance.
Findings contribute to the cybersecurity body of knowledge by emphasizing the importance of clear communication, proactive training, and incremental implementation in overcoming resistance. This research fills a gap in understanding the human factors impacting Zero Trust adoption and offers actionable recommendations to support effective cybersecurity modernization in a complex and evolving digital environment.