During the opening fireside chat, CISA Associate Director for Vulnerability Management Jay Gazlay described the state of federal IT infrastructure as "pretty porous" and susceptible to penetration by foreign adversaries. He advised federal agencies to focus on deploying robust data strategies and employing data governance to get the most out of a zero trust strategy.
Defense Digital Service Expert Nicole Thompson and HHS OIG CIO Gerald Caron echoed Gazlay’s comments during panels on software and endpoint security, asserting that the first step toward zero trust is data-mapping as opposed to network-mapping. Organizations must understand where their data is and what’s “normal” for their data before they can protect it effectively.
One of the biggest problems facing organizations is balancing a friendly user experience with cybersecurity controls. One of the Defense Department’s cybersecurity goals is to unify endpoint management to improve user experience while maintaining a strong cyber posture, according to DISA Technical Director Drew Malloy.
“Security can't just come at the cost of performance,” Malloy said.
Gazlay also highlighted how user-friendly data access strategies can result in increased cybersecurity risks, but user experience and a strong cyber posture don’t have to be mutually exclusive.
For many organizations, zero trust is a radical cybersecurity transformation. Natalia Martin, acting director of NIST's National Cybersecurity Center of Excellence, said creating community through workshops and common language can help federal agencies and private companies begin zero trust first steps like monitoring the software supply chain.
Cultivating a cyber-aware workforce is also key. Training teams to see security as “the most important thing” is a major priority for VA CIO Kurt DelBene.
“The people driving your system need to have a sense of what zero trust means to them,” he said during the closing fireside chat.
Identity management is everything when developing a robust cybersecurity strategy. Malicious cyber actors are increasingly pursuing identities of users, devices and machines because they can unlock data access on a network.
Due to this trend, GSA’s Director of the Identity Assurance and Trusted Access Division, Ken Myers, is focused on insider threat mitigation and building identity, credential and access management (ICAM) solutions into core IT infrastructure.
Felipe Fernandez, director of systems engineering at Fortinet Federal, wants federal agencies to develop ICAM solutions to the point of automation, so data access can be revoked as quickly as it is granted to limit breaches.
One of the biggest misconceptions around zero trust is that it’s going to be “easy,” according to Gazlay. Zero trust is a journey, and not every organization will immediately shift into a perfect zero trust posture.
One challenge to zero trust is technical debt. For many federal agencies, the technology “is just not there,” Gazlay said.
USPTO CISO Don Watson said cybersecurity leaders need to be “enablers” of their business or agency mission and develop close relationships with product and development teams to move towards a zero trust mindset.
DDS’ bug bounty program is one strategy for helping the Pentagon inch closer to strong cyber defenses incorporating zero trust principles, according to Thompson.
A zero trust “scorecard” can also help federal agencies stay on track with their zero trust vision, DelBene said.