Protocols such as zero trust and identity management aren’t new in the world of cybersecurity. In fact, despite all the recent buzz, the concept of “zero trust” has been around for a decade.
What’s new, and driving urgency, is the cyber threat landscape.
“The threat environment is unlike it’s ever been,” said Suzette Kent, former Federal Chief Information Officer (CIO).
Attacks from adversaries have become more complex and direct. So, while the overall approach to cybersecurity hasn’t necessarily changed in recent years, the urgency has.
Even when agencies receive help with security training, they often face a conundrum: By the time the training is approved, cybersecurity has already evolved and the training has become outdated. “You’re always behind,” said Joseph Fourcade, Lead Cybersecurity Analyst at the Veterans Affairs Department’s (VA) Enterprise Cloud Solutions Office.
That’s why it’s critical to stay on top of new technologies and services. You can view it as a related strategy for talent challenges — if your agency prepares for the newest technologies, your workforce won’t expend time learning outdated skills and frameworks.
“We’re starting to get better, but we’re always looking for resources to make sure we know the latest coming out,” Fourcade said.
Particularly in today’s threat environment, cybersecurity teams can feel the compulsion to lock everything down. It’s like in the movie World War Z — “These guys are hammers, and to hammers everything looks like nails.” And the hammers are cybersecurity personnel, said Bo Berlas, Chief Information Security Officer (CISO) at the General Services Administration (GSA).
“We have to fight that compulsion where we are the hammer and we nail things down to the point where they’re unusable,” Berlas said.
User experience is an essential component of building out a zero trust architecture, ensuring you’re not just making a secure solution, but an easy-to-use solution.
“At the end of the day, we secure our data, but it’s our users who help facilitate the work we do every day,” Berlas said.
A Continuous Effort
Broadly, people often mistake cybersecurity for a sprint with a finish line. But in reality, it is a continuous effort. There is no stopping point, Kent said.
“Security is a journey, not a destination,” said Jeremy Wilson, Deputy CISO of Security Operations for the state of Texas.
When malicious actors shift away from a target, for instance, it doesn’t mean they disappear. They simply aim for somewhere else.
“Many times when I would talk to people on the funding end or [on] overall priority efforts, there would be a mindset of ‘When is this over?’” Kent said. “We have to be clear that this is never over.”
Agencies must continue being cyber vigilant and raising the bar on expectations. It can’t just be a priority when there is a breach.
This article is based on a GovLoop virtual event, “Getting Creative with Cyber: How to Address Your Agency’s Needs.” A version of it appeared on July 21, 2022.