A key step in achieving zero trust security is building a different kind of trust, a “cultural alignment” within agencies that allows employees to trust in the steps needed to proactively respond to threats, a top Department of Energy (DoE) official said on Oct. 24.
Ann Dunkin, DoE’s chief information officer, said that as that agency has moved toward a zero trust architecture, she has fielded some concerns from staff members that essentially amount to “what are you going to do to me?”
“So I had to build this relationship,” Dunkin said at the Dell Technologies Forum. “No, I’m not going to do anything to you. We’re going to make progress together. So we spend a lot of time and energy reinforcing the risk-based approach, making sure that folks in department elements understand that we’re there to support them…to partner with them and to work together.”
“Over time, that has resulted in more transparency. Now, I’m not always thrilled with the transparency when I find out what’s actually happening,” Dunkin joked. “But knowing what’s happening is the first step to fixing it. So as we get that increased transparency, then we’re able to collaborate to identify how we can improve our risk posture across the enterprise.”
Dunkin spoke at a panel discussion on zero trust, which has been an increasing focus for Federal agencies scrambling to comply with the Biden administration’s National Cybersecurity Strategy and last year’s Office of Management and Budget (OMB) memo requiring agencies to meet specific zero trust goals by the end of fiscal year 2024.
Yemi Oshinnaiye, chief information officer at the Transportation Security Administration (TSA), said during the session that communication is also essential in his agency’s zero trust journey.
“We’re all security professionals and…we tend to look more to what the benefit of our platforms are, as opposed to trying to figure out what the holes are,” he said. “But that conversation is challenging because you have people coming from different varying environments with (different) skill sets.”
“And I think still to this day,” Oshinnaiye continued, “we think of zero trust on a physical plane…we still think about the attack surface as being geographical. And we need to change it to where there’s a risk model and a priority for risk. I think we’re getting there. But that’s the approach.”
Dunkin and Oshinnaiye have been at the forefront of Federal agency efforts to advance zero trust, with Dunkin focused on creating a new and forward-looking cybersecurity strategy and Oshinnaiye speaking out about protecting critical infrastructure against what he calls an ongoing “cyber war.”
The session’s moderator, Bobbie Stempfley, also spoke about what she called the “business language, or mission language” of zero trust and how communication is critical to getting agencies on board.
“We have to communicate as security individuals to people who aren’t security individuals and to reinforce and incentivize alignment towards a set of common principles,” said Stempfley, a former top Department of Defense (DoD) and Department of Homeland Security (DHS) official who is now vice president, business unit security officer at Dell Technologies.