Zero Trust Adoption Requires a Culture Shift, Cyber Leaders Say

Shifting the needle on zero trust adoption comes down to culture, said some federal cyber leaders at ATARC’s Zero Trust Summit Tuesday.

Since the White House’s May 2021 Executive Order on Improving the Nation’s Cybersecurity mandating federal agencies implement zero trust architectures, the question of how to successfully “implement” zero trust has dominated federal cyber discussions, with some agencies favoring certain tools or approaches over others.

But ATARC’s summit highlighted a unifying theme: zero trust doesn’t work if your internal culture isn’t on board.

“For me it’s about persistent awareness around that culture shift,” said Togai Andrews, CISO for the Bureau of Engraving and Printing at the Department of the Treasury. “For me it’s always having that persistent awareness and making sure people are aware of what that change it, whether social engineering or zero trust.”

Focusing on the business value aspect of zero trust can also help move culture in the right direction, Andrews added. The Treasury is currently hyper-focused on identity and access management solutions, one of the key pillars of a zero trust strategy.

Alyssa Feola, cybersecurity advisor with the Federal Acquisition Service at the General Services Administration (GSA), said showing team members how zero trust benefits them is critical. Firewalls, for example, feel culturally “safe” from a cybersecurity perspective. Workers need to start thinking about zero trust the same way.

“We have a saying: demos not memos,” Feola said at the summit. “The more you can show people instead of telling them, it definitely helps. Our administration has a catchphrase: make the damn website work so you can show them something works and works well and is friendly and accessible and secure.”

Angel Phaneuf, CISO for Army Software Factory, compared the zero trust journey to a marriage.

“We’re focused a lot on how to bake in zero trust into our DNA,” she said at the summit. “It’s a bit of a marriage — you have to work on it. You have to make sure you’re keeping up with technology.”

Phaneuf spearheads these cultural efforts through constant communication with the cohorts of soldiers at Army Software Factory even if they don’t have a security skillset.

“Culture is one of the biggest things in government we always talk about,” Phaneuf said. “Are we on the same page about zero trust? Let’s get on the same page together. We have to be kind and compassionate when we do that. Being able to be open and say, ‘I’m not really sure, let me phone a friend or three friends.’ … It’s ok to not know the answer. If you don’t want to come on a zero trust journey, I’m going to grab you anyways and tug you along because we have to get there. We have to do this together.”

At the Army Software Factory, soldiers spend time on both the software development and security teams. This is key for establishing a strong security culture where everyone is on the same page to develop a product that aligns with zero trust principles from concept to delivery to the end user.

“I think many people think of zero trust as an end-user journey and don’t think about the whole end aspect of it,” Phaneuf said. “It’s just as important if not more important because someone could leave tomorrow, but I’m going to have this machine that runs and is doing these things … that’s very important. It’s right there with the end-user experience and how we manage that as well. If you don’t have zero trust on the back end, you don’t have zero trust.”

Donald Coulter, a senior science advisor for cybersecurity at the Department of Homeland Security’s Science & Technology Directorate, said multiple teams focused on artificial intelligence (AI), cyber and data are working together to “look at the human aspects” to make zero trust “easier to adopt.”

“I’m looking beyond the five- to 10-year mark to see where the threats are going to be and opportunities we can leverage to advance technology to increase defense of our networks,” he said at the summit. “I am excited about one of the programs we’re working on — critical infrastructure and resilience research program — and [we’re looking] at the application of zero architectures to legacy ICS and OT-type systems. [We’re] getting to look at spreading that across some of these legacy OT systems, [which] is going to be a critical area to focus on the next few years here.”

The Army is also exploring the relationship between AI and zero trust, according to Phaneuf.

“We partner with [Army’s Enterprise Cloud Management Agency] so [we’re] working out that security automation aspect to get our applications into production a lot sooner,” she said.