Over the last few years, the term zero trust has taken on different meanings depending on the speaker's motives. So when we discuss it today, to any audience, we must take great care to be clear about what we mean.
In the government sector especially, the American public could be forgiven for believing its elected officials aren’t the savviest about cutting-edge technology.
The public sector CIO’s responsibility
In my nearly eight years as the CIO for the State of Wisconsin, I can confirm that many of the governors I met did not have the most sophisticated understanding of important domains like cybersecurity. While there were exceptions, it simply wasn’t the sweet spot for most officials. Typically, they ran for office out of a desire to serve, not combat cyber adversaries.
Instead, governors and their secretaries looked to CIOs like me to educate them about IT issues facing their constituents. Rather than launching into the details of network security, I tried to outline a recent history of cyber-related events: ransomware attacks against hospitals and municipalities, supply chain disruptions like those against JBS Foods, and attacks targeting critical infrastructure like the Colonial Pipeline, to name a few examples that typically struck a chord. I spoke in plain language and created relatable context to be as influential as I could be.
It’s crucial that agency leaders are aware of the enormous number of cyberattacks that have happened already, that they’re not going away, and that they have real effects on Americans. IT leaders in the public sector must express that, as long as networks connect computers, this problem will persist. History is telling us we’re vulnerable.
After conveying the high probability that cyberattacks will persist into the future, it’s important to stress that there are existing models that can help protect us. Pillars and principles like those in NIST’s guidelines for zero trust network architecture are already informing the federal government; all 50 states should also adopt them. Governors should pay close attention to the 2021 executive order to institute a zero trust model across agencies to protect critical infrastructure across the U.S. The states that rely on that infrastructure should be interested in best practices for its protection.
But herein lies the rub: implementing and running a cybersecurity program based on the latest best practices requires resources and funding. Ongoing resources and funding.
Selling cybersecurity in the public sector
Before working for the state of Wisconsin, I spent years as a CIO in the energy sector. I found that in public or private, many of the challenges in conveying the importance of cybersecurity investment are the same. Whether an IT executive is briefing a CEO of a corporation or a state governor, a dollar is a dollar. Executives want to know that they’re serving their constituents, whether those constituents are shareholders or the voting public. Tight budgets and competing priorities can obscure the actual value and importance of risk reduction.
By now, most executives know they’re making a smart investment by overhauling thirty-year-old legacy networks that are overcomplicated and difficult to manage. They see in the private sector technology advancements leading to cost savings, productivity gains, and other benefits of purging technical debt. But discussions about digital transformation shouldn’t happen without discussions about security transformation. If anything, security should precede transformation in terms of priority, and it’s up to CIOs and CISOs to make sure the order isn’t reversed.
I’ve found storytelling helpful for securing organizational buy-in. I would express the current cybersecurity situation to officials like this: we began with closely guarded mainframe computers. Hardly anyone had access. Then, with the rise of personal computing, it’s as if we started distributing cars without requiring drivers' licenses, providing instructions, or explaining the need for periodic maintenance.
The point is to emphasize the increased risk today’s organizations face from the proliferation of connected devices. Different organizations have different levels of risk exposure, but all have some. There are simply too many connectivity points to absolve any entity of it completely.
Luckily, along with models like zero trust – which increases our safety through measures like identity verification, encryption, network segmentation, and others – there are organizations dedicated to furthering the good these models do. I’m thinking specifically of the Cloud Security Alliance, which has partnered with companies like Okta, CrowdStrike, and Zscaler to advance zero trust principles beyond any commercial interest.
Measures like NIST’s zero trust framework and guidance from the Cloud Security Alliance are how we rein in the resulting chaos. They’re the guardrails on our highways, the airbags in our cars, and the road safety standards developed after much study and refinement. IT leaders looking to drive change in the public sector should insist on their inclusion when pursuing transformative technologies.
Otherwise, we risk letting our technology run us off the road to a safe and prosperous society.