If you’ve been wondering how much the Federal government is investing in its sweeping effort to migrate to zero trust security architectures, the answer to that question may be coming this week.
That was one of the top-line takeaways today from Chris DeRusha – who wears the dual hats of Federal chief information security officer (CISO) and deputy national cyber director – in his keynote address at the Zscaler Public Sector Summit in Washington.
DeRusha recapped the first 14 months of government agency progress on the zero trust migration since the Office of Management and Budget (OMB) issued its M-22-09 Federal Zero Trust Strategy memorandum in January 2022. All of that work takes money, and the Federal CISO said the Biden administration is due to go public with those figures when it releases its FY 2024 budget request on March 9.
“We’ve made a ton of progress working with CISA [Cybersecurity and Infrastructure Security Agency] to ensure these capabilities are rolling out across all the agencies,” he said.
But another big development that DeRusha said was “close to my heart, being an operations manager … is the budget alignment.”
“We’re rolling out the budget tomorrow – you’re going to see a number for what we’re spending on zero trust,” he said.
“It’s a real number … because we have the strategy and the pillars,” he continued. “We’ve done data calls, mapping, tooling, investments at agencies up into those pillars and actions and capability areas. And we can have all that data mapped out now and give us one zero trust number for each agency.”
“That’s exciting because now we can actually say we know how much money we’re spending on our priorities because, in the zero trust strategy, we took a lot of stuff we’re trying to do in the [2021 Cybersecurity Executive Order], we put it in there so that we will be able to track and measure the progress around this,” DeRusha said.
“Nothing’s perfect, but it is exciting to be able to have these vehicles to drive the change that you want to see,” he said. “And you really do need to be able to answer that question of how much money are you spending year over year on the thing that you’re trying to change, and is it enough.”
“You don’t get to have that conversation until you have the data, and you get all that in place,” he said. “Now we’re getting into a place where we’re in our second year of being able to have that robust conversation with all the resource management officers. In the Federal government that’s a big deal because resource management officers, they’re doing the budget for the entire agency, everything that agencies need to worry about.”
“You say [to budget officials] cyber is important – everything’s important,” he said. “So, for us to really come to the table with data and information is really going to be able to drive that progress and help everybody understand kind of where we need to be investing.”
“Because the big question they always want to know is why are these the right investments,” he said. “Well, I don’t know – we wrote strategy with the best minds that we could find, so it’s the best we’ve got right now. That’s a good enough answer because it’s the only answer. We’re just going to keep iterating based on what we know today, and then keep making it better as we go.”