The Great Disconnect: Enterprises Want Microsegmentation But Can't Get It Done

SAN JOSE, CA – April 28, 2026 – A stark paradox is unfolding within enterprise cybersecurity: while an overwhelming 99% of security leaders are pursuing microsegmentation to defend their networks, over 90% have failed to protect the majority of their critical systems, leaving them dangerously exposed to attack. This significant 'say-do gap' comes from a new Omdia survey of 352 U.S. security decision-makers, commissioned by identity-based microsegmentation firm Elisity.

The findings paint a troubling picture of intent versus execution. Despite microsegmentation ranking as the top planned initiative to combat lateral movement—the insidious method attackers use to move through a network after an initial breach—it remains one of the least deployed components of Zero Trust strategies, with only 24% of organizations reporting current implementation. The consequences are tangible: nearly half of all organizations surveyed, and 49% in the healthcare sector specifically, experienced a lateral movement attack within the past year.

This gap isn't due to a lack of desire but a combination of legacy technology burdens and a significant awareness deficit. The data reveals that while organizations are acutely aware of the threat, they are struggling to implement the most effective defenses.

Legacy Scars and the Promise of Modern Architecture

The struggle to implement effective network segmentation is deeply rooted in outdated security architectures. For years, organizations have relied on cumbersome tools like Virtual Local Area Networks (VLANs), Access Control Lists (ACLs), and agent-based software. These first-generation methods, built around static network locations rather than dynamic user and device identities, have proven to be complex, labor-intensive, and ultimately ineffective at stopping modern, fast-moving threats across today's sprawling networks.

According to the Omdia report, this legacy has left lasting scars. However, 62% of security leaders now believe that modern solutions are easier to deploy than their predecessors from five years ago. The problem is that only 22% report having hands-on experience with these modern approaches, highlighting a critical gap in awareness as much as in execution.

"Microsegmentation has matured, but many organizations still carry the scars of earlier, complex approaches," said James Winebrenner, CEO of Elisity, in the press release. "What's changed is the architecture. Identity-based microsegmentation lets teams enforce precise policy on the switches they already run, so security becomes an enabler rather than a gate."

This new architectural model works by tying security policy directly to identity, not just an IP address. It allows organizations to enforce least-privilege access across all environments—including IT, Internet of Things (IoT), and critical Operational Technology (OT)—without installing agents, reconfiguring networks, or adding new hardware. This shift promises to reduce deployment times from years to weeks.

"Our data shows the shift is on," noted Hollie Hennessy, Principal Analyst at Omdia. "Enterprises intend to deploy microsegmentation, and many now see modern solutions as easier and more effective."

Critical Industries Under Pressure

Nowhere is the need for effective microsegmentation more acute than in healthcare and manufacturing, two sectors defined by unique and high-stakes operational challenges.

In healthcare, the convergence of managed clinical workstations and a constant influx of unmanaged devices—from doctors' tablets to patient monitoring equipment—creates a chaotic and vulnerable environment. The survey found that healthcare organizations see visiting clinicians (74%) and clinical staff (72%) as requiring the most granular policy control. Yet, only 6% of these organizations have segmented more than 80% of their critical systems. Their biggest challenge with past efforts has been integrating segmentation tools with existing security platforms like SIEM and EDR.

"We looked into different NAC technologies... to partially solve the picture, but it really wasn't until Elisity came along that we found a product that checked all the boxes," said Nathan Phoenix, Information Security Officer at Southern Illinois Healthcare. "Something easy to manage, easy to maintain. You could get in it quickly."

Manufacturing faces a different but equally urgent set of problems. The sector runs on zero-downtime requirements and often relies on legacy OT systems that cannot support agent-based security software. With the rise of Industry 4.0, the convergence of IT and OT networks has dramatically expanded the attack surface. For these organizations, securing remote engineer access (a 70% priority) and integrating with Industrial Control Systems (ICS) are top concerns. The risk is not theoretical; a single breach can halt production, costing millions.

Max Everett, CISO at manufacturing giant Shaw Industries, described his proactive security posture: "We assumed someone's going to get in... and we wanted to know that we had a way to quickly, in an automated way, stop that lateral movement so that they couldn't move across through a plant or even between plants."

The New Mandates: Cyber Insurance and Compliance

Beyond the direct threat of attack, powerful external forces are compelling organizations to close the microsegmentation gap. Regulatory compliance was cited by 60% of respondents as a key driver, as frameworks like the NIST Cybersecurity Framework and HIPAA demand more granular control over sensitive data and critical systems.

Even more influential, however, is the burgeoning cyber insurance industry. The survey revealed that for 32% of security leaders, meeting cyber insurance requirements is a direct business driver for pursuing microsegmentation. Insurers, facing staggering losses from ransomware and other attacks, are no longer simply writing checks. They are tightening underwriting standards and mandating specific security controls as a prerequisite for coverage.

This shift transforms microsegmentation from a purely technical decision into a core business and risk management imperative. Organizations that fail to demonstrate robust controls, including the ability to contain a breach and prevent lateral movement, risk facing exorbitant premiums or being denied coverage altogether. This pressure is particularly effective in driving adoption among small and medium-sized enterprises, which are increasingly turning to SaaS-delivered segmentation solutions to meet insurance mandates.

As threats evolve and business pressures mount, the market is responding with what recent Forrester Wave reports call "stunning" technological advancements. The consensus is clear: the era of passive, perimeter-based security is over. The ability to see every device and enforce granular, identity-based control from within the network is rapidly becoming the new standard for enterprise defense.