We’ve all been told what we can’t do on our employer’s computer networks. We’re regularly reminded what websites we shouldn’t access and what free software tools we can’t download from the internet — even if they make our jobs easier.
It’s all for good reason, but cybersecurity can often feel restrictive and at odds with the very mission government employees signed on to do, such as public education, grant management, health care services, fire and rescue and a host of other services.
But the large-scale move to remote work, combined with recent high-profile cybersecurity attacks, has forced government agencies to rethink how they invest in and implement cybersecurity practices that are effective yet also user-friendly.
That was a common theme throughout GovLoop’s Briefing Center, “Ramping Up for the Future of Gov — Why Cyber Needs to Change.” Experts from government and industry shared their cybersecurity priorities, how these changes impact employees and the way they work, and why it’s critical for agencies to balance security and usability.
Here we’ve included a roundup of takeaways from each speaker.
COVID-19 Accelerates New Security Models
In a telework environment, a change to the security posture is needed, said Scott.
Instead of relying on walled-off cybersecurity with a soft underbelly, agencies must harden and constantly verify identity and access. Scott described it as a whitelist (devices and accounts that are allowed) versus a blacklist (devices that aren’t).
Scott identified automation and education as two areas where agencies can improve immediately, moving toward modern security without “boiling the ocean.”
Automation can fill gaps in the cyber skills shortage. And agencies can look toward the Girl Scouts — yes, the Girl Scouts — as a model for cybersecurity education and engagement.
Security as an Enabler
Chris McMasters, CIO for the city of Corona, is a security shop of one. As such, he is a firm believer that all city employees play a role in cybersecurity.
As he puts it, “everyone in some shape or form is a cybersecurity professional.”
He involves employees in security conversations about top threats and helps them understand the role they play in keeping data, systems and the mission safe.
He sees his role as an enabler, to support the business of government and ensure people can work in a way that’s most conducive to them. Using gamification, infographics and short digests, he’s proven that security and usability need not be at odds.
Balancing the Basics With Newer Tech
Corona Ngatuvai, Enterprise Architect for the state of Utah, and his team see artificial intelligence and machine learning as critical for making decisions faster, identifying anomalies and ensuring employees can securely access what they need.
But these investments don’t negate security basics. You can’t assume that everyone knows what a phishing email looks like just because they passed the annual exam, he said.
One measure of success is how many employees fall victim to phishing simulations, and whether education helps or further actions must be taken.
“We train you to keep you safe,” he said. “If we can’t keep you safe, we have to look at other things.”
Zero Trust: A Logical Solution
Remote work — and the likely emergence of a post-pandemic hybrid work environment — is pushing agencies toward a zero trust architecture, said Gary Pentecost, Networking Director of Sales Engineering for the U.S. Public Sector at Citrix.
With the increasing mobility of the workforce, agencies can’t think about security in terms of on premises versus remote. “We need to create solutions in ways that allow users to access what they need, when they need it, wherever they are working,” he said.
Because zero trust puts security controls around individual network resources (e.g., applications and data), it provides a cohesive approach to supporting that hybrid environment.
User Experience Key to Security
Indeed, the user experience is a vital concern when it comes to security, said Jeremiah Cunningham, Senior Director for Federal Sales at Citrix.
“It used to be that you gave up a lot of performance to get security,” he said. “Now, we want performance, but we also want security, and the move to the cloud is driving that.”
In the past, people working remotely typically had to use a VPN, and they took it for granted that performance would suffer. But that’s not the case with cloud solutions. These days, people expect the same experience, no matter where they are working or what devices they are using, Cunningham said.