Does Zero Trust Mean Starting from Scratch on Cybersecurity?

Our 2022 Digital Government Summits and IT Leadership Forums are off to a terrific start. If we have already been to your state, thank you for your support and participation. Clearly, it is still important to be together to explore issues, challenges and look to the future. If we haven’t been to your state yet, we at the Center for Digital Government are excited to be planning for the event. And, if your state is not on our 2022 schedule, we will be reaching out to plan for 2023.

It has been so refreshing to be able to talk with all of you about how you are recovering from the past two years and how you are looking to the future. But we are also hearing frustration around some of the buzzwords and topics that keep swirling around. As one person put it, “I am not doing zero trust and I am tired of hearing about it.” So, with some trepidation, here is one more article on zero trust, aimed at cutting to the chase and providing practical advice on how to manage this beast, starting with what you have already accomplished through your cybersecurity strategy, plans and actions.

THE PURPOSE

First, zero trust is not a set of technology tools that are strung together to solve all cybersecurity woes. Rather, it is a framework for protecting your data from a broad range of cyber attacks. It is as much about people, process, policies and procedures as it is about technology, which means it is not just a CIO or CISO issue. Rather it cuts across your complete business strategy and plans. Remember, cybersecurity is everyone’s responsibility.

THE PROBLEM

The good news is that you likely have started to build toward zero-trust strategies with many of the actions you have already taken. You don’t need to start from scratch or completely redo your plans to be on the road to zero trust. The challenge is mapping what you have already accomplished to the zero-trust framework, and taking a risk-based approach to determining what you need to do next to strengthen defenses. Where are your gaps? What capabilities do you need? What do you need to purchase? How well does it integrate? And what skills, processes and policies are required to make it happen?

To support you in maturing your zero-trust strategy, we have developed a guide which was led by our Cybersecurity Advisory Council of state and local CISOs, along with our technology partners. It is focused not on telling you what needs to be done, but on practical steps to get you there.

The guide starts with the six key security pillars: User security, device security, network security, application security, automation and analytics.

SMALL STEPS

The guide covers seven key actions to move to a zero-trust framework:

1. Continuous user authentication
2. Continuous device authentication
3. Network micro-segmentation
4. Application access controls
5. Security Orchestration, Automation and Response (SOAR)
6. Visibility and analytics
7. Governance and strategic planning

With these actions in mind, what are the next steps?

Assess what you have
The first step is to take stock of what you have done and where it fits into the seven actions above. You will be surprised how much has been accomplished. You will also see how your future plans align with implementing the framework.

Determine who is responsible
Zero trust is not only a CISO responsibility. Your CIO, CTO, CFO, COO, operations leaders as well as the agency and department leaders play important roles in implementing the necessary controls.

Decide what comes next
You will find where your plans, purchases and actions fit into the framework. You will also find gaps that will drive your next set of purchases and implementations.

Update your architecture, strategy and plan
Once you have done your assessment, you will probably need to update whatever plan you have in place. It may mean prioritizing your future actions differently, moving in a different direction or accelerating what you had planned.

ZERO TRUST NEVER ENDS

Regardless of how you move through the steps outlined here, it is a continuous journey, not an endpoint, since the landscape is ever changing. The journey is likely not much different from what you had planned, just with a name and framework that explains your plan, priorities and actions.

At the Center for Digital Government, our role is to help you support government and make it accessible and secure for all your constituents. This guide is meant to continue the dialog and to help you keep moving forward. If you have questions or thoughts regarding the guide, we are here to listen. Thank you for all that you have done for your constituents. And remember, we are here to help.

Comments are closed.