As Federal agencies look to bring a zero trust security architecture to their disparate agencies and missions, resources are the main obstacle for agencies, the chief information security officer (CISO) for the Department of Homeland Security’s Intelligence and Analysis (DHS I&A) division said today.
Speaking at ATARC’s GITEC Emerging Technology Conference in Annapolis, Md., on May 2, DHS I&A CISO Eric Sanders said that money, the workforce, and products all contribute to the resource barrier for the Federal government.
“From a government perspective, what makes it hard is … resources,” Sanders said on a panel. “It’s not just money. It’s also the people; it’s also the products.”
Sanders said that, given the differing needs of intelligence community agencies, network defenders must also question whether it makes sense to reach 100 percent zero trust architecture on every network.
“Zero trust is a journey,” Sanders said. “It’s not something we’re going to get to overnight, but it may not even be appropriate to get there 100 percent in every place, in every context. So you have to decide, ‘how do I best spend this money to get the most security I can out of that money?’ But also [decide], ‘where do I find, attract, and retain the people I need to maintain it?’ And that becomes increasingly harder all the time.”
Sanders said that in terms of the talent available to the agency versus the talent necessary to move towards zero trust, they are somewhat bound by who is committed to public service. To adjust, he said DHS has turned to training more employees in-house and also touted programs like DHS’s Cyber Talent Management System that allow them to go beyond the normal general schedule pay for government employees.
“Thankfully, at DHS, we do have some programs where we can pay beyond the GS pay scale for folks whose skills are in high demand and in cyber,” Sanders said. “So that was a big change for us and one that’s helped us keep people.”
Sanders said that he would be inundated if he took the time to respond to every vendor that messaged him advertising a zero trust solution, even though no single product makes up a zero trust architecture.
“Everybody’s selling zero trust,” Sanders said. “[Vendors say,] ‘Just buy it, give me a couple million bucks, it’ll be zero trust.’ It’s not going to happen. We already have a lot of tools. We don’t have an unlimited supply of money. So, we have to make tradeoffs. We have to make decisions about what best closes this gap.”
At this point, all Federal agencies should have a zero trust implementation plan in place that gives achievable metrics for their zero trust goals. However, Sanders said that not only is every agency starting from a different place, but what a fully implemented zero trust architecture looks like will differ on each network.
“[Zero Trust] looks something different for every network I’m looking at,” he said. “And that’s the challenge. … Across the IC, there are many, many hundreds of systems, and at DHS we have many dozens of systems that are under the purview of I&A. And so, just trying to determine and making sure we understand what the goalpost looks like for us. And then actually making demonstrable progress against that.”
“If we can get to where I want to be on each individual system or network within the next couple of years, then to me that’s what success looks like,” Sanders concluded.