Federal agencies are generally ahead of their private-sector peers in their adoption of zero trust. That lead was likely spurred by requirements outlined in President Joe Biden’s May 2021 executive order, which have since evolved into an official federal cybersecurity strategy.
But there is more work to be done to establish zero trust, which involves continuously validating each user and device trying to access an agency’s data and network.
Zero trust is more of a philosophy than a single architecture. To take hold, it requires a cultural shift among stakeholders, including agency IT leaders.
Zero trust is also a journey that requires getting off on the right foot. A key early step in an organization’s zero-trust journey is to break down traditional IT silos and facilitate interdisciplinary conversations about data and access.
“Zero trust is a completely different way of thinking about cybersecurity. It’s not the perimeter moat,” says Samir Hans, a principal at Deloitte who leads the cyber risk market offering. “Zero trust requires collaboration and the sharing of information, which is a cultural change for a lot of agencies. It’s not inherent.”
IT silos at many federal agencies look a lot like the five pillars outlined by the Cybersecurity and Infrastructure Security Agency. Departments in charge of identity, devices, network/environment, workload and data dutifully do their own things, checking boxes and following procedures.
“The cultural change would be to really change the mindset from being just a checklist-compliance-based organization to one truly doing cyber engineering to protect their assets. Zero trust requires you to do that,” Hans says.
Sean Frazier, federal chief security officer at Okta, says that to embrace cultural change is to embrace the ability to infuse zero trust into the five pillars of security. “It gets us to that kind of holistic security that happens across the board in an organization,” he says. “It gets us to the point where we need to be, where security is part of the conversation at every point when we’re deploying stuff.”