
Zero Trust without a rip-and-replace budget.

Five 90-day moves that materially shrink blast radius using the identity stack you already own.

Author: Cyber Architecture · Published: Apr 2026 · Read time: 6 min · Format: Playbook
MAST Consulting Group · Cybersecurity Advisory practice

This playbook captures the sequence MAST Consulting Group uses on Cybersecurity Advisory engagements when a programme owner has roughly the next two quarters to show measurable progress. It is opinionated, written to be lifted into your own plan, and assumes you already have a control framework in place — the question is how to move from documented to demonstrably operating.

Definition

Zero Trust is an architecture model (NIST SP 800-207) that eliminates implicit trust for any user, device, or network segment, enforcing continuous verification before granting access to resources. This playbook delivers Zero Trust outcomes through five 90-day moves that leverage existing identity, endpoint, and conditional access tooling rather than full infrastructure replacement.

Why it matters

The pressure on Cybersecurity Advisory programmes is shifting in specific, observable ways:

  • NCA ECC-1 3-2-1 and SAMA CSF 3.3.5 require least-privilege and need-to-know enforcement; Zero Trust identity controls directly satisfy both without requiring new network hardware.
  • 80% of GCC breach incidents analysed in 2024–25 involved lateral movement through over-permissioned service accounts — a problem solvable with existing Entra ID or Okta conditional access policies.
  • UAE NESA IA-5.2 mandates privileged access management (PAM); deploying just-in-time admin via CyberArk or BeyondTrust on existing infrastructure fulfils the control at a fraction of a full ZT network project.
  • Cyber insurers and brokers (AIG, Marsh) now apply 15–25% premium surcharges to organisations lacking MFA on privileged accounts, so identity-first ZT moves recover part of their own cost.

Evidence sources to capture

What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:

  • Entra ID / Okta sign-in logs — capture MFA failure rate, conditional access policy hit/bypass count, and legacy authentication protocol usage per application.
  • CyberArk / BeyondTrust PAM session recordings — privileged session count, just-in-time request approval time, and standing privilege duration per account.
  • Microsoft Defender for Endpoint or CrowdStrike Falcon device compliance reports — % devices meeting conditional access baseline (patch level, AV, disk encryption).
  • Network segmentation firewall ACL audit — east-west rule count, any-any rules present, and VLAN isolation compliance per Purdue level.
  • SIEM (Sentinel / Splunk) lateral movement detection alerts — alert volume, true-positive rate, and mean time to contain (MTTC) by tactic.

Recommended next actions

A 90-day plan, sequenced so each step produces evidence the next step depends on:

  • Day 0–30: IAM Engineer inventories all service accounts in Active Directory/Entra ID; blocks legacy authentication (basic auth, IMAP/POP/SMTP AUTH, Exchange ActiveSync) with a Conditional Access policy run first in report-only mode, rejects NTLM v1 on domain controllers via LmCompatibilityLevel, and enforces MFA via Conditional Access for all privileged directory roles, with documented break-glass accounts excluded so the policy cannot lock the tenant out.
  • Day 31–60: PAM Administrator deploys just-in-time privilege elevation (CyberArk Privileged Access Manager or BeyondTrust Privileged Remote Access) for the top 20 highest-risk admin accounts, targeting no standing Domain Admin membership beyond the documented break-glass accounts.
  • Day 61–90: Network Engineer implements micro-segmentation for the three highest-value application tiers using existing firewall (Palo Alto Security Zones or Cisco TrustSec) without hardware replacement.
  • Day 90+: Security Architect formalises the Zero Trust policy framework referencing NIST SP 800-207 pillars and maps each control to NCA ECC-1 and SAMA CSF identifiers for regulator evidence.
  • Ongoing: SOC team reviews Conditional Access named location and risk-based policies monthly, tuning sign-in risk thresholds based on Entra ID Identity Protection signals.

Example metrics

Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:

  • Legacy authentication protocol usage — target: 0% of authentications using NTLM v1 or basic auth within 90 days.
  • Standing privileged accounts — target: standing Domain Admin membership limited to documented break-glass accounts (fewer than 5); 100% of other elevation via JIT within 60 days.
  • Device compliance rate in conditional access — target: ≥95% of managed endpoints meeting policy baseline.
  • Lateral movement alert MTTC — target: ≤2 hours from first alert to network isolation.
  • MFA enrolment rate for all users — target: ≥99% within 30 days of policy enforcement.
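The Day 0–30 Conditional Access step and the sign-in log metrics above, as an added example that is not MAST Consulting Group's tooling or code: two policy bodies in the shape the Microsoft Graph conditional access endpoint accepts (assumed; check against the Graph reference before posting), a small evaluator that shows which constructed sign-ins each policy would block or challenge, and the legacy-authentication and MFA-failure figures an auditor will sample. The Global Administrator role template ID is the well-known one; the sample records, the `roleTemplateIds` join and the break-glass object id are constructed for the example.

```python
"""Added example, not MAST Consulting Group's tooling: scores Entra ID sign-in
records against the playbook's Day 0-30 Conditional Access moves and the
'Example metrics' targets, offline, on constructed sample records."""
from collections import Counter

# Well-known roleTemplateId for Global Administrator. Other privileged role IDs
# are assumed to be looked up from GET /directoryRoleTemplates at deploy time.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
BREAK_GLASS = "bg-0001"  # placeholder object id of the excluded break-glass account

# Policy bodies in the shape POST /identity/conditionalAccess/policies accepts
# (assumed; check against the Graph reference). ZT-01 starts in report-only so
# the sign-in log shows the hit count before enforcement is switched on.
BLOCK_LEGACY_AUTH = {
    "displayName": "ZT-01 Block legacy authentication",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "clientAppTypes": ["exchangeActiveSync", "other"],
        "applications": {"includeApplications": ["All"]},
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
REQUIRE_MFA_PRIVILEGED = {
    "displayName": "ZT-02 Require MFA for privileged roles",
    "state": "enabled",
    "conditions": {
        "clientAppTypes": ["all"],
        "applications": {"includeApplications": ["All"]},
        "users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeUsers": [BREAK_GLASS]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

MFA_FAILED = 500121  # Entra error: authentication failed during strong auth request


def client_app_type(client_app_used: str) -> str:
    """Map the log's clientAppUsed string onto the Conditional Access clientAppTypes
    enum; every legacy protocol (IMAP4, POP3, SMTP AUTH, ...) lands in 'other'."""
    return {
        "Browser": "browser",
        "Mobile Apps and Desktop clients": "mobileAppsAndDesktopClients",
        "Exchange ActiveSync": "exchangeActiveSync",
    }.get(client_app_used, "other")


def policy_applies(policy: dict, signin: dict) -> bool:
    """User scope (All, role membership, exclusions) and client app scope."""
    users = policy["conditions"]["users"]
    if signin["userId"] in users.get("excludeUsers", []):
        return False
    # roleTemplateIds is not in the raw signIn record; it is assumed to be joined
    # from directory role membership when the log is collected.
    in_role = set(users.get("includeRoles", [])) & set(signin.get("roleTemplateIds", []))
    if "All" not in users.get("includeUsers", []) and not in_role:
        return False
    apps = policy["conditions"]["clientAppTypes"]
    return "all" in apps or client_app_type(signin["clientAppUsed"]) in apps


def simulate(policy: dict, signins: list) -> Counter:
    """What the policy would do per sign-in: 'block', 'mfa' or 'notApplied'."""
    result = Counter()
    for s in signins:
        key = policy["grantControls"]["builtInControls"][0] if policy_applies(policy, s) else "notApplied"
        result[key] += 1
    return result


def metrics(signins: list) -> dict:
    """The sign-in log figures listed under 'Evidence sources to capture'."""
    legacy = sum(client_app_type(s["clientAppUsed"]) in ("other", "exchangeActiveSync") for s in signins)
    mfa_required = [s for s in signins if s["authenticationRequirement"] == "multiFactorAuthentication"]
    mfa_failed = sum(s["status"]["errorCode"] == MFA_FAILED for s in mfa_required)
    return {
        "legacy_auth_pct": round(100.0 * legacy / len(signins), 1),
        "mfa_failure_pct": round(100.0 * mfa_failed / len(mfa_required), 1) if mfa_required else 0.0,
        # sign-ins no policy touched: the 'bypass' side of the hit/bypass count
        "ca_bypass_count": sum(s["conditionalAccessStatus"] == "notApplied" for s in signins),
    }


def check_targets(m: dict) -> dict:
    """The 'Example metrics' target the sign-in log can evidence directly."""
    return {"legacy_auth_zero": m["legacy_auth_pct"] == 0.0}


def _rec(uid, app, auth_req, code, ca, roles=()):
    return {"userId": uid, "clientAppUsed": app, "authenticationRequirement": auth_req,
            "status": {"errorCode": code}, "conditionalAccessStatus": ca, "roleTemplateIds": list(roles)}


# Constructed sample records (not real tenant data); field names follow Graph signIn.
SAMPLE_SIGNINS = [
    _rec("u-1001", "Browser", "multiFactorAuthentication", 0, "success", [GLOBAL_ADMIN_ROLE]),
    _rec("u-1002", "IMAP4", "singleFactorAuthentication", 0, "notApplied"),
    _rec("u-1003", "Mobile Apps and Desktop clients", "multiFactorAuthentication", MFA_FAILED, "success", [GLOBAL_ADMIN_ROLE]),
    _rec(BREAK_GLASS, "Browser", "singleFactorAuthentication", 0, "notApplied", [GLOBAL_ADMIN_ROLE]),
    _rec("u-1004", "Exchange ActiveSync", "singleFactorAuthentication", 0, "notApplied"),
]

if __name__ == "__main__":
    for policy in (BLOCK_LEGACY_AUTH, REQUIRE_MFA_PRIVILEGED):
        print(policy["displayName"], dict(simulate(policy, SAMPLE_SIGNINS)))
    m = metrics(SAMPLE_SIGNINS)
    print(m, check_targets(m))
```

On the constructed records the block policy catches the IMAP4 and ActiveSync sign-ins and leaves the break-glass account alone, the MFA policy challenges both Global Administrator sign-ins, and legacy authentication sits at 40%, so the 0% target is not yet met. One caveat for the NTLM v1 half of the Day 0–30 step: NTLM never reaches the Entra sign-in log, so that figure has to come from domain controller Security event 4624 (the "Package Name (NTLM only)" field reads "NTLM V1") after LmCompatibilityLevel has been raised.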

A working plan for the next two quarters

MAST Consulting Group runs this Cybersecurity Advisory work in four moves. Each move is short, evidence-producing, and signed off by a Lead Practitioner before the next begins.

  • Frame (week 1). Confirm scope, regulators in play, and the decisions the work has to enable — referenced against NIST CSF 2.0 (Govern, Identify, Protect, Detect, Respond, Recover). Without that framing, the rest becomes a documentation exercise the audit committee will not read.
  • Diagnose (weeks 2–4). Walk through the incident response plan, runbooks and tabletop exercise reports as they exist today, alongside the identity and privileged-access inventory. Capture not just gaps but the design decisions behind every existing control — those are usually where audit findings hide.
  • Design (weeks 5–8). Make the contested choices early and pre-clear them with any sector regulator that publishes cyber expectations. Document the rationale; Cybersecurity Advisory reviewers care more about reasoned decisions than perfect ones.
  • Operate (weeks 9–12). Move evidence collection into PAM (CyberArk, BeyondTrust, Delinea) and EDR (CrowdStrike, SentinelOne, Defender). A control that depends on a separate GRC tool nobody opens will fail within two cycles.

Pitfalls we keep seeing

Across MAST Consulting Group's Cybersecurity Advisory portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.

  • Pattern: a strategy that lists capabilities but not outcomes. What good looks like: every capability tied to a measurable outcome and a date (legacy authentication at 0%, standing Domain Admin limited to break-glass accounts) and reported monthly to the sponsor.
  • Pattern: IR plans untested against the company's actual likely scenarios. What good looks like: tabletop exercises built on the scenarios the organisation's own risk register ranks highest, which for this playbook means credential theft and lateral movement, with actions tracked to closure.
  • Pattern: identity controls that stop at email but not at admin tooling. What good looks like: MFA and Conditional Access enforced on admin portals, PAM consoles, jump hosts and remote-access tooling, not only on mailboxes and the browser.
  • Pattern: logging without a use case behind each source. What good looks like: every log source wired to at least one detection or evidence use case (sign-in logs to the legacy-auth and MFA metrics, PAM recordings to standing-privilege duration), and sources with no use case retired.

Tooling we actually reach for

MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on Cybersecurity Advisory engagements because the integrations are cheap and the audit trail each one generates is one the reviewer accepts on the first ask:

  • PAM (CyberArk, BeyondTrust, Delinea) — session recordings and just-in-time approval records are the evidence for the standing-privilege and JIT elevation targets.
  • EDR (CrowdStrike, SentinelOne, Defender) — device compliance signals feed Conditional Access and evidence the device compliance rate.
  • SIEM/XDR (Sentinel, Splunk) — lateral-movement detections, MTTC reporting and the sign-in log metrics in one place the reviewer can query.

How MAST Consulting Group can help

MAST Consulting Group runs Cybersecurity Advisory programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.

If anything in this playbook is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for Cybersecurity Advisory programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.

Cybersecurity Advisory

Move from controls to resilience.

From Zero Trust roadmaps to SOC build/buy decisions, ransomware drills and OT segmentation — practical work led by CISOs who have run programmes at GCC banks, telcos and utilities.

  • CISO-led 30-minute strategy session
  • Quick-win architecture review
  • Tabletop exercise design for board or exec

Prefer email? info@mastcgroup.com
