Thursday, June 8, 2023

PERSPECTIVE: Changing How We Look at Government Cybersecurity Mandates

Breaches themselves are not a failure; the true measure of success is how resilient agencies’ systems are, how minimally operations are affected, and what the net impact of the breach is.

The government has instructed federal agencies to improve their cybersecurity efforts with a Zero Trust approach in recent years through mandates, executive orders, and directives. The Biden administration’s National Cybersecurity Strategy is the latest to address this focus area. The strategy builds on existing mandates – i.e., the Executive Order on Improving the Nation’s Cybersecurity and the Strengthening American Cybersecurity Act – yet, like many mandates and strategies, it is unfunded, lacks timeliness, and relies on understaffed IT teams to execute. As a result, agencies are struggling to determine which action items to prioritize with their limited resources.

However, a change in perspective can help agencies better establish priorities and more effectively achieve and implement mandates. Rather than chasing the impossible goal of preventing all breaches from happening, agencies can make more significant progress by proactively working to limit the impact of a cyberattack.

Identifying Priorities

With many competing expectations and limited funding, agencies can – and often do – succumb to paralysis by analysis. Recently faced with multiple cybersecurity mandates and strategies made up of varying action items, agencies often think they have to do everything immediately – and do it perfectly. But that’s not the case.

In the context of the federal government’s ongoing cyber resilience push, Zero Trust is a process. For federal organizations aiming to achieve Zero Trust and comply with new mandates and strategies, the first step is taking the time to assess everything that agencies are supposed to accomplish with these different mandates and line them up with each agency’s internal objectives. Once they’ve assessed their needs, they can prioritize them and figure out where investments can help them make the most progress.

Agencies can also be intimidated by lists of beginner, intermediate, or advanced “requirements.” Oftentimes they believe they must complete all the beginner tasks before moving to intermediate tasks, and only then proceed to advanced ones. Instead, agencies should look at those lists and decide which capabilities will have the greatest impact based on their organization’s current security posture, unique needs, and pre-existing priorities.

Shifting the Cybersecurity Mindset

When it comes to accelerating Zero Trust progress, each agency’s first task is to gain visibility across existing assets. Many agencies lack internal visibility into how their enterprise is functioning, making it difficult to secure the environment as the threat landscape expands.

The second task is changing their internal mindset about cybersecurity. For a long time, agencies have focused on the same cybersecurity tools – antivirus protection, firewalls, and device authorization – designed to prevent attackers from breaching the network. Given how much money, time, and resources have been dedicated to these efforts, these tools are likely as functional as they will get.

Unfortunately, even with precautions like these operating at full capacity, there is no guaranteed way to prevent breaches from happening. Today’s hyperconnected, ever-widening attack surface assures us that no technology can fully prevent cyberattacks from occurring. Cybersecurity teams should recognize that breaches themselves are not a failure; the true measure of success is how resilient agencies’ systems are, how minimally operations are affected, and what the net impact of the breach is. This is the philosophy that Zero Trust preaches.

Zero Trust Solutions

When choosing which solutions to invest in to accelerate Zero Trust outcomes, agencies should understand there is no single way to achieve Zero Trust. Vendors may tell you otherwise, but each Zero Trust architecture is a combination of tools, practices, and solutions working together. Each solution is a piece of a larger strategy. Agencies should take a holistic approach and determine which pieces they need to put together in order to achieve a comprehensive Zero Trust posture that best suits their needs.

In addition, most agencies have some of these pieces already, so achieving Zero Trust should not require a “rip and replace” of existing solutions. Agencies should look for products that are easy to deploy and interoperable with their existing systems. There is no single source of truth when it comes to Zero Trust. Agencies need to focus on vendors that prioritize interoperability, scalability, and API interfaces.

A Commitment to Security

Like any successful cybersecurity undertaking, resilience is both a top-down and a bottom-up effort. In order to achieve Zero Trust, there needs to be an ongoing commitment from both senior leadership and agency personnel that cybersecurity is a top priority.

Too often, security is compromised for the sake of money, time, or ease of use, or out of fear of impacting operations. What is often minimized until it is too late is the cost, lost time, and operational impact of a breach. Cybersecurity should be baked into every decision an agency makes. It starts with the user and runs through every system, application, and process. With planning, proper resourcing, and an “assume breach” mindset, agencies can start meeting mandates in a more timely and cost-effective manner and implement an effective Zero Trust approach that furthers resilience efforts at large.


The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email [email protected].

Gary Barlet
Gary Barlet is the Federal Chief Technology Officer at Illumio, where he is responsible for working with government agencies, contractors and the broader ecosystem to build in Zero Trust Segmentation as a strategic component of the government Zero Trust architecture. Previously, Gary served as the Chief Information Officer (CIO) for the Office of the Inspector General, United States Postal Service. He has held key positions on several CIO staffs, including the Chief of Ground Networks for the Air Force CIO and Chief of Networks for the Air National Guard CIO, where he was responsible for information technology policy and providing technical expertise to senior leadership. He is a retired Lieutenant Colonel from the United States Air Force, where he served as a Cyberspace Operations Officer for 20 years. Gary can be reached online at https://www.linkedin.com/in/gary-barlet-4384115/ and at our company website https://www.illumio.com/.
