We’ve all been told what we can’t do on our employer’s computer networks. We’re regularly reminded what websites we shouldn’t access and what free software tools we can’t download from the internet — even if they make our jobs easier.
It’s all for good reason, but cybersecurity can often feel restrictive and at odds with the very mission government employees signed on to do, such as public education, grant management, health care services, fire and rescue and a host of other services.
But the large-scale move to remote work, combined with recent high-profile cybersecurity attacks, has forced government agencies to rethink how they invest in and implement cybersecurity practices that are effective yet also user-friendly.
You’re hearing newer terms like zero trust, which “assumes there is no implicit trust granted to user accounts based solely on their physical or network location.” That’s according to the National Institute of Standards and Technology. In other words, just because you have access to get through the front door, that doesn’t mean you can go into every room.
At GovLoop’s recent briefing center, a collection of short online trainings, experts from government and industry shared their cybersecurity priorities, how these changes impact employees and the way they work and why it’s critical for agencies to balance security and usability.
Below we’ve included a roundup of takeaways from each speaker.
COVID-19 Accelerates New Security Models
– Tony Scott, Former Federal Chief Information Officer, Chairman of the Tony Scott Group
In a telework environment, a change to the security posture is needed, Scott suggested.
As opposed to walled cybersecurity with a soft underbelly, identity and access must be hardened and verified constantly. Scott described it as a whitelist – devices and accounts that are allowed – versus a blacklist – devices that aren’t.
Scott identified automation and education as two areas where agencies can improve immediately, moving toward modern security without “boiling the ocean.”
Automation can fill gaps in the cyber skills shortage. And agencies can look toward the Girl Scouts – yes, the Girl Scouts – as a model for cybersecurity education and engagement.
Security as an Enabler
– Chris McMasters, Chief Information Officer, City of Corona
As a security shop of one, McMasters is a firm believer that all city employees play a role in cybersecurity. As he puts it, “everyone in some shape or form is a cybersecurity professional.”
He involves employees in security conversations about top threats and helps them understand the role they play in keeping data, systems and the mission safe.
He sees his role as an enabler, to support the business of government and ensure people can work in a way that’s most conducive to them. Using gamification, infographics and short digests, he’s proven that security and usability need not be at odds.
Vetting the Supply Chain
– Alma R. Cole, Chief Information Security Officer and Executive Director, Cybersecurity Directorate, Office of Information and Technology, US Customs and Border Protection, Department of Homeland Security
Identify, Protect, Detect, Respond and Recover. These five words, the hallmark of the Cybersecurity Framework, guide the work that Cole champions. The ability for agencies to detect and respond to threats is especially pertinent as revelations about the SolarWinds hack continue to unfold.
Cole shared lessons learned from the attack, which include looking closely at the supply chain: what technology is brought in and used, and whether it meets baseline security needs.
Hackers don’t have to target government agencies directly to be successful, Cole said, noting that his team is reviewing third-party risks that run deep through contractor supply chains as well.
Balancing the Basics With Newer Tech
– Corona Ngatuvai, Enterprise Architect, State of Utah
Ngatuvai and his team see artificial intelligence and machine learning as critical for making decisions faster, identifying anomalies and ensuring employees can securely access what they need.
But these investments don’t negate security basics. You can’t assume that everyone knows what a phishing email looks like just because they passed the annual exam, he said.
One measure of success is how many employees fall victim to phishing simulations, and whether education helps or further action must be taken.
“We train you to keep you safe,” he said. “If we can’t keep you safe, we have to look at other things.”
Zero Trust: A Logical Solution
– Gary Pentecost, Networking Director of Sales Engineering for the U.S. Public Sector at Citrix
Remote work — and the likely emergence of a post-pandemic hybrid work environment — is pushing agencies toward a zero trust architecture, Pentecost said.
With the increasing mobility of the workforce, agencies can’t think about security in terms of on premises versus remote. “We need to create solutions in ways that allow users to access what they need, when they need it, wherever they are working,” he said.
Because zero trust puts security controls around individual network resources (e.g., applications and data), it provides a cohesive approach to supporting that hybrid environment.
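To make the per-resource model concrete, here is an added example of a small access-decision function in the zero trust style Scott and Pentecost describe: a device allowlist, identity and MFA checks, and a policy attached to each resource, with the requester's network location deliberately ignored. This is illustrative code written for this article, not code from GovLoop, Citrix or any speaker; the resource names, device IDs, roles and policy table are all constructed.

```python
"""Per-resource access decision in the zero trust style.

Added example, not code from the article or any speaker. Every name
below (users, device IDs, resources, roles) is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    compliant: bool          # e.g. disk encrypted, patched, endpoint agent running


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset
    mfa_verified: bool


@dataclass(frozen=True)
class Request:
    principal: Principal
    device: Device
    resource: str
    source_network: str      # "corp-lan", "home", ... recorded but never trusted


@dataclass
class ResourcePolicy:
    allowed_roles: Set[str]
    require_mfa: bool = True
    require_compliant_device: bool = True


# Allowlist of managed devices ("whitelist" in Scott's terms): anything else is denied.
ALLOWED_DEVICES: Set[str] = {"laptop-0001", "laptop-0002"}

# Controls attach to individual resources, not to a network perimeter.
POLICIES: Dict[str, ResourcePolicy] = {
    "grants-db": ResourcePolicy(allowed_roles={"grants-officer"}),
    "public-site": ResourcePolicy(
        allowed_roles={"staff", "grants-officer"},
        require_mfa=False,
        require_compliant_device=False,
    ),
}

# Every decision is logged so denials (and unexpected allows) can be reviewed.
AUDIT_LOG: List[Tuple[str, str, str, bool, str]] = []


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Being on the office LAN grants nothing by itself."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        verdict = (False, "unknown resource: default deny")
    elif req.device.device_id not in ALLOWED_DEVICES:
        verdict = (False, "device not on allowlist")
    elif policy.require_compliant_device and not req.device.compliant:
        verdict = (False, "device not compliant")
    elif policy.require_mfa and not req.principal.mfa_verified:
        verdict = (False, "MFA required")
    elif not (set(req.principal.roles) & policy.allowed_roles):
        verdict = (False, "role not permitted for resource")
    else:
        verdict = (True, "allowed")
    AUDIT_LOG.append((req.principal.user, req.source_network, req.resource, *verdict))
    return verdict


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"grants-officer"}), mfa_verified=True)
    # Remote, managed device, MFA: allowed for the sensitive resource.
    print(decide(Request(alice, Device("laptop-0001", True), "grants-db", "home")))
    # On the office LAN with an unmanaged device: still denied.
    print(decide(Request(alice, Device("byod-phone", True), "grants-db", "corp-lan")))
```

The same principal is allowed from home and denied from the office LAN, because the decision depends on who is asking, from what device and for which resource, never on where the packet came from. The audit log is the piece a security shop of one would actually watch: repeated "device not on allowlist" entries from the corporate network are the kind of anomaly the Utah and Corona speakers want surfaced.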
User Experience Key to Security
– Jeremiah Cunningham, Senior Director for Federal Sales at Citrix
Indeed, the user experience is a vital concern when it comes to security, Cunningham said.
“It used to be that you gave up a lot of performance to get security,” he said. “Now, we want performance, but we also want security, and the move to the cloud is driving that.”
In the past, people working remotely typically had to use a VPN, and they took it for granted that performance would suffer. But that’s not the case with cloud solutions. These days, people expect the same experience, no matter where they are working or what devices they are using, Cunningham said.
Isaac Constans and John Monroe contributed to this report.