Federal agency tech leaders this week identified cost and culture as the biggest challenges to implementing zero trust security architectures.
Top cyber experts from the Departments of Labor (DOL), Health and Human Services (HHS), and Energy (DoE), along with the Cybersecurity and Infrastructure Security Agency (CISA), explained that since the release of zero trust requirements by the White House last year, agencies have had to move beyond talking about the transition and closer toward implementation.
“The Executive Order comes out that clearly says ‘Hey, you guys need to go to a zero trust architecture,’” Paul Blahusch, DOL’s chief information security officer (CISO), said. “That took what maybe was a side burner issue and turned it up to 11.”
“It required that we put together a strategy about how we were going to get to zero trust,” he said.
“Our challenge is . . . finding the funding that’s going to allow us to kickstart that effort off,” he said. “So, I think we have the plans in place now to . . . implement. And to implement, we just need to find those funding sources we can use.”
Amy Hamilton, DoE’s Senior Cybersecurity Advisor of Policy and Programs, said her agency has been working over the past year to change the culture of the organization as it rethinks security.
“How do you get people to recognize that that moat and castle [security] approach – not only is it not working, but it has never worked,” she continued. “Moving down that path is absolutely critical. Getting people to first recognize that there has to be the change, and that’s a lot of what we did in our first year.”
Gerald Caron, chief information officer for HHS’ Office of the Inspector General, agreed that culture change has been one of the agency’s biggest obstacles, but said it has finally reached the point of planning and making purchases.
“This is a modernization effort as well as improving our cybersecurity posture. That’s underway,” Caron said. “The rubber is starting to meet the road finally.”
He added, “We have a good roadmap going forward as well to lead us on our path.”
CISA’s Sean Connelly, the agency’s senior cybersecurity architect and Trusted Internet Connections program manager, said that zero trust training is the biggest concern he sees among agency leaders. “The training part of it is where we hear the most concern. Just the educational opportunities, what’s available . . . [and] how we can just instill the zero trust principles,” he said.
Despite challenges, Connelly said, “Collectively there’s still a number of ways to go, but you can hear the momentum is building for zero trust.”
All of the agency leaders agreed that the road to zero trust marks an overall modernization effort that will improve user experience at the end of the day.
“This is a modernization effort … and I certainly embrace that,” Blahusch said. “It’s an effort to improve the way we deliver IT services in the Department of Labor.”
He added, “We need to be talking to our … teams so they understand what zero trust is, and isn’t, so they can plan appropriately.”
Caron added, “Go back to those principles . . . of what true zero trust is.”
“[We] make sure we’re being effective, not just compliant at the end of the day,” he said.