Recently, GearBazaar Inc. security audit by third$-$party auditors has identified deficiencies in Identity & access management, network security, application security. Based on the findings, leadership has sponsored a Cyber Security improvement project.

IT security team is proposing a 'Zero trust' architecture. Business stakeholders are not fully on board as they fully don't understand what 'zero trust' means.

Here are some raw numbers from the IT team. These numbers are ROM $($rough order of magnitude$)$ and are not precise. Here are some raw numbers from the IT team. These numbers are ROM $($rough order of magnitude$)$ and are not precise.

Zero Trust project duration $1$ year Zero Trust project cost $1\mathrm{.}5$ million

Number of security incidents $45$ per year Security incidents hours $550$ hrs$.$

Direct loss $5,000$ CAD per incident hr$.$ Indirect loss $10,000$ CAD per incident hr$.$

Compliance violations $$ None Data loss $$ None

Zero trust impact $80\%$ reduction in incidents Training cost for Zero Trust $250,000$ CAD what are critical decisions to be taken?