2023 Federal Tech Trends: Changing Agency Culture While Migrating to Zero Trust

Federal agencies are generally ahead of their private-sector peers in their adoption of zero trust. This was likely spurred by requirements outlined in President Joe Biden’s May 2021 executive order, which have since evolved into an official federal cybersecurity strategy.

But there is more work to be done to establish zero trust, which involves continuously validating each user and device trying to access an agency’s data and network.

Zero trust is more of a philosophy than a single architecture. To take hold, it requires a cultural shift among stakeholders, including agency IT leaders.

Zero trust is also a journey that requires getting off on the right foot. A key early step in an organization’s zero-trust journey is to break down traditional IT silos and facilitate interdisciplinary conversations about data and access.

“Zero trust is a completely different way of thinking about cybersecurity. It’s not the perimeter moat,” says Samir Hans, a principal at Deloitte who leads the cyber risk market offering. “Zero trust requires collaboration and the sharing of information, which is a cultural change for a lot of agencies. It’s not inherent.”

IT silos at many federal agencies look a lot like the five pillars outlined by the Cybersecurity and Infrastructure Security Agency. Departments in charge of identity, devices, network/environment, workload and data dutifully do their own things, checking boxes and following procedures.

“The cultural change would be to really change the mindset from being just a checklist-compliance-based organization to one truly doing cyber engineering to protect their assets. Zero trust requires you to do that,” Hans says.

Sean Frazier, federal chief security officer at Okta, says that to embrace cultural change is to embrace the ability to infuse zero trust into the five pillars of security. “It gets us to that kind of holistic security that happens across the board in an organization,” he says. “It gets us to the point where we need to be, where security is part of the conversation at every point when we’re deploying stuff.”

Collaboration Inside and Outside the Agency

Collaboration shouldn’t be limited to internal offices. It should extend outward to anyone managing aspects of the agency’s security, such as contracted vendors. Historically, however, security vendors have put up walls around their slices of the agency’s information.

“Most government agencies, by design, procure at a very granular level. Work is contracted out to multiple vendors, whether it’s a competition thing or whether it’s a concentration risk. It’s a part of a strategy,” Hans says. “If you have two different vendors, they would not talk to each other. In a way, they’re told not to talk to each other, because that’s how contracts are procured. That is a little bit of a hindrance.”

Instead, IT leaders can work with their procurement teams to encourage collaboration when dealing with vendors.

“Going forward, especially for zero trust, there has to be a little bit more flexibility in some of the ways things are procured. Have clauses in the contract that require companies to collaborate and share data with each other. The IT leadership and the procurement leadership need to foster that,” Hans says.

EXPLORE: Why zero trust needs to be a goal, not just a mindset.

Agency conversations with vendors could shift, Hans notes: “We’re going to do it a little bit differently. We expect you to do these five things, whether it’s collaboration or sharing of data, and, as a matter of fact, we think it’s good behavior on your part to do that.”

Whether information sharing occurs outside the agency or within, it provides valuable context. “Context is so important in cyber operations. Without that, you don’t know what’s happening,” Hans says. “A lot of breaches happen because of that.”

Hans shares an example to illustrate the value of context in collaboration: “If there is a vendor doing firewalls and IPS/IDS, and the identity folks are doing their thing, how nice if the identity folks can get some context as to what’s happening in the perimeter. If the intrusion detection system is telling you that there’s been an intrusion, it’d be nice for the identity folks to know that there’s an intrusion happening.”

Click the banner below to get Insider access to exclusive articles about federal IT trends.

Change That Starts at the Top

Another cultural shift is rethinking who should lead the agency’s zero-trust efforts. If an organization has done a lot of work around identity, Hans says, it may default to its head of identity as the zero-trust champion.

“Agencies are re-evaluating that to say it can’t be somebody who is just part of one pillar, because you still have to deal with the other pillars,” Hans says. “Maybe someone at the top of the organization needs to be the zero-trust champion.”

An obvious choice is the CISO, but even that role can have limitations given the truly holistic view needed for zero trust. Sitting atop the CISA pillars are visibility, analytics and reporting. Having someone at the agency with a centralized view of these aspects provides a level of context that’s crucial for zero trust.

LEARN ABOUT: How DevSecOps can help your federal agency modernize.

If no one has that view, consider creating a position and filling it internally with someone who understands the IT operations landscape and the mission of the agency. But that’s not the only tactic to take. “Sometimes getting somebody from the outside with a different experience might help, as well,” Hans says.

Part of the cultural shift, along with establishing zero-trust leadership, is making sure employees understand the agency’s direction. Deloitte recommends creating an organizational change management strategy that “will give impacted users the knowledge and skills needed to embrace the change.” The firm also recommends developing “a compelling employee value proposition that connects individuals to the greater vision and mission tied back to the organization’s long-term strategy.”

Collaborating across security functions, procuring vendors that encourage information sharing, establishing strong leadership and having a roadmap showing the way — these are the confident first steps agencies should take to prepare for their zero-trust journey in 2023 and beyond.