Why Nearly 80% of Segmentation Projects Fail to Operationalize

Network segmentation is a fundamental security control, especially in a world where organizations seek to implement zero-trust architectures (ZTA). Problematically, Cisco found that while 79% of organizations report that segmentation is a top priority, only 33% of organizations have fully implemented both macrosegmentation and microsegmentation. What’s more, only 44% of organizations have fully implemented even macrosegmentation. 

Beyond implementation challenges, organizations that do manage to successfully design and initially deploy segmentation struggle to effectively maintain and operationalize segmentation as part of their strategy. Segmentation requires continuous visibility of all cyber assets (IT, OT, IoT, and IoMT), adaptation, and governance – a tall order for many organizations struggling to manage this attack surface. As these networks grow more distributed and dynamic, segmentation becomes more difficult to manage.  

The Core Challenges of Operationalizing Segmentation

At a high level, segmentation seems simple. The organization creates policies that allow and deny network traffic based on risk. But as networks become more complex, implementing and maintaining the policies that control network traffic becomes complicated, especially when a single configuration change can have a cascading effect across all segments.

These four fundamental challenges explain why segmentation projects stall before launch, never reach full implementation, or fail to operationalize once deployed.

1. Context Blind Spots in the Network Due to Data Gaps

Segmentation projects often fail at the outset because organizations lack sufficient visibility into the assets actually on the network and how each asset behaves. Traditional Network Access Control (NAC) tools reduce devices to IP addresses, MAC addresses, and coarse-grained profiles. They offer little insight into device function, criticality, operating system, or known vulnerabilities, which is exactly the context needed to decide what a device should and should not talk to.

This context blind spot makes precise segmentation impossible. To avoid disrupting unknown dependencies, security teams create broad, generic policies, often applied to entire VLANs or device classes. As a result, segmentation exists on paper, but not in practice. Without deep context, policy becomes defensive and permissive rather than targeted and enforceable.

2. Risk Blindness Breaks Your Prioritization Strategy

Modern organizations connect anywhere between thousands and hundreds of thousands of devices to their networks, leaving them struggling to determine where to begin their segmentation initiative. Traditional approaches provide no mechanism for:

  • Assessing risk
  • Mapping attack paths
  • Identifying devices presenting the greatest exposure 

With no insight into actual risk, security teams use guesswork for prioritization. Teams either treat all devices and segments the same or they prioritize the easiest options. Low-impact assets may receive more attention while mission-critical or highly vulnerable systems remain exposed. With no visibility into attack paths, segmentation initiatives become overwhelming and unsustainable. 

3. Dynamic Environments Can’t Rely on Static Security Policies

Modern networks change constantly. Meanwhile, many organizations rely on static policies and manual definitions that fail to address:

  • New devices added.
  • Updated applications.
  • Changing communication patterns. 

As the environment evolves, the policies remain the same. Outdated rules do not account for new threats or changing business needs. Without automation to adapt policies, security teams fear disrupting critical services, so they default to overly permissive configurations or delay enforcement altogether. Further, security teams have very little insight into how devices are actually behaving against the existing policies, or against any new policies that get added.

4. Lack of Continuous Audit and Monitoring Leads to Policy Drift and Compliance Violations

After deploying policies, most organizations lack automation for continuously validating policy effectiveness or continued alignment with security objectives. With no way to simulate changes safely, the organization may be unable to assess change impact or audit enforcement. Over time, policies drift due to various reasons, including:

  1. Onboarding new devices without assigning them to a segment, so only the default rule ever applies to them.
  2. Overlapping rules that shadow one another, so the effective policy no longer matches the written one.
  3. Undocumented exceptions that undermine the original design.

Without continuous monitoring and validation, NAC deployments become ineffective. Organizations maintain these deployments primarily to avoid outages, not to reduce risk. Without continuous auditing and monitoring, operationalization fails due to the absence of governance and appropriate feedback loops.
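Challenges 1, 3 and 4 above all come down to the same gap: nobody can answer "which rules are dead, which assets are unsegmented, and what breaks if I change this?" without tooling. The following is an added illustration, written for this article and not Asimily's product or any real NAC or firewall API, of what that answer looks like in code: an asset inventory carrying context (function, criticality, OS) rather than bare addresses, a first-match rule set, and observed flows. The hospital inventory, the rule names (including the `corp-temp-exception` rule standing in for an undocumented exception), and the flow records are all constructed sample data, and `simulate()` removes that exception to show which observed flows would change verdict before anything is enforced.

```python
"""Toy segmentation-policy audit: find policy drift and simulate a change
against observed flows before enforcing it.

Added illustration only; not Asimily's product or any real NAC/firewall API.
Inventory, rules and flows below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Asset:
    ip: str
    function: str      # the context a plain NAC profile usually lacks
    criticality: int   # 1 (low) .. 5 (mission-critical)
    os: str


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # CIDR
    dst: str             # CIDR
    port: Optional[int]  # None = any port
    action: str          # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (IPv4Address(src_ip) in IPv4Network(self.src)
                and IPv4Address(dst_ip) in IPv4Network(self.dst)
                and self.port in (None, port))


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    port: int


def verdict(rules, flow, default="deny"):
    """First-match evaluation, as most ACL and firewall engines do it."""
    for r in rules:
        if r.matches(flow.src_ip, flow.dst_ip, flow.port):
            return r.action, r.name
    return default, "<default>"


def shadowed_rules(rules):
    """Rules that can never match because one earlier rule fully covers them.
    Conservative: shadowing by a union of several earlier rules is not found."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (IPv4Network(later.src).subnet_of(IPv4Network(earlier.src))
                    and IPv4Network(later.dst).subnet_of(IPv4Network(earlier.dst))
                    and earlier.port in (None, later.port)):
                out.append((later.name, earlier.name))
                break
    return out


def uncovered_assets(assets, rules):
    """Assets referenced by no rule narrower than 'any': onboarded without
    segmentation, so only the default action ever applies to them."""
    def specific(rule):
        return [IPv4Network(n) for n in (rule.src, rule.dst) if IPv4Network(n) != ANY]
    return [a.ip for a in assets
            if not any(IPv4Address(a.ip) in net for r in rules for net in specific(r))]


def simulate(current, proposed, flows, assets):
    """Observed flows whose verdict changes under the proposed rule set,
    highest-criticality endpoint first, so impact is assessed before the push."""
    crit = {a.ip: a.criticality for a in assets}
    changed = []
    for f in flows:
        before, _ = verdict(current, f)
        after, rule = verdict(proposed, f)
        if before != after:
            impact = max(crit.get(f.src_ip, 0), crit.get(f.dst_ip, 0))
            changed.append((impact, f, before, after, rule))
    changed.sort(key=lambda c: -c[0])
    return changed


# --- constructed sample data: a hypothetical hospital network ---
ASSETS = [
    Asset("10.10.1.5", "infusion-pump", 5, "embedded-linux"),
    Asset("10.10.1.9", "patient-monitor", 5, "vxworks"),
    Asset("10.20.2.7", "badge-printer", 1, "windows-10"),
    Asset("10.30.3.4", "ehr-server", 5, "rhel-9"),
    Asset("192.168.99.12", "ip-camera", 2, "unknown"),  # plugged in last week, never segmented
]

RULES = [  # evaluated top-down, first match wins
    Rule("clinical-to-ehr", "10.10.1.0/24", "10.30.3.4/32", 443, "allow"),
    Rule("corp-temp-exception", "10.20.2.0/24", "0.0.0.0/0", None, "allow"),  # undocumented
    Rule("corp-to-dc-deny", "10.20.2.0/24", "10.30.0.0/16", None, "deny"),
    Rule("any-to-clinical-deny", "0.0.0.0/0", "10.10.1.0/24", None, "deny"),
]

FLOWS = [  # as pulled from flow telemetry (constructed)
    Flow("10.10.1.5", "10.30.3.4", 443),
    Flow("10.20.2.7", "10.30.3.4", 443),
    Flow("10.20.2.7", "10.10.1.9", 80),
    Flow("10.10.1.9", "10.30.3.4", 22),
    Flow("192.168.99.12", "10.30.3.4", 443),
]


def audit():
    """Run the three checks; the proposed change removes the undocumented exception."""
    proposed = [r for r in RULES if r.name != "corp-temp-exception"]
    return {
        "shadowed": shadowed_rules(RULES),
        "uncovered": uncovered_assets(ASSETS, RULES),
        "impact": simulate(RULES, proposed, FLOWS, ASSETS),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

Run as written, the audit reports that `corp-to-dc-deny` is dead (shadowed by the exception above it), that the camera at 192.168.99.12 sits under no rule but the default, and that pulling the exception would newly deny two observed flows, both touching criticality-5 clinical or EHR assets. Those are the three questions a governance loop has to answer on every change; the point is that they are answerable only because the inventory carries function and criticality rather than addresses alone.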

Best Intentions, Undesired Outcomes

When segmentation projects are pushed through without the right insights and support in place, the process collapses into one of two outcomes. Either one can waste the investment: the financial outlay, often in the seven-figure range, and hundreds of hours of effort.

1. Segmentation Projects That Never Launch

Without the right data, many organizations simply do not know where to start. They spend so long analyzing the best way to move forward that they never leave the planning phase, and the project is postponed in favor of less demanding ones. The result is a NAC tool that was purchased but never implemented.

2. Over-Segmentation without Operational Support

Organizations will occasionally move rapidly to microsegment their network with the data they have, but without solving the challenges listed above, the network becomes unmanageable. Granular policies around individual devices or workloads improve security only marginally, while the operational overhead of maintaining them does not scale.

Without automation, visibility, and validation, over-segmentation leads to administrative bottlenecks and increases the risk of service outages. Ultimately, security teams either scrap their segmentation projects or move back to a flat network so they can manage all assets more easily.

Addressing the Segmentation Challenge

Even with the best intentions, network segmentation fails because traditional NAC models were not designed to operate at a modern scale. Simply put:

  • Organizations need comprehensive asset visibility that moves beyond IP addresses to understand asset context. 
  • Segmentation efforts must be prioritized by risk reduction rather than ease of implementation. 
  • Policies must adapt to dynamic environments, meaning teams need to validate them continuously. 
  • Policies, once applied, need continuous auditing and monitoring to ensure they remain effective and continue to add value to the organization. 

Without data-driven segmentation that allows for continuous governance while mitigating service outages, most segmentation initiatives will remain implemented but ineffective. 

In Part 2, we’ll reveal how leading organizations are finally cracking the segmentation code. 

Secure Every IoT Device.
Automatically.

Cyber threats move fast — so should you. Asimily gives instant inventory and smart, prioritized risk mitigation insights for every IoT, OT, and IoMT device — so you can take action before threats strike.