Federal chief information security officers (CISOs) today recommended that, as Federal agencies implement zero trust security architectures, they also put in place continuous training programs for their workforce to keep employees up to date on the technology and best practices.
During an FCW cybersecurity webinar today, Steven Hernandez, CISO at the U.S. Department of Education, explained that while IT employees may not be used to engaging in continuous training efforts, it is vital to do so to best protect agency data.
“Make sure that as you’re bringing on technology and capabilities, you’re not just buying the license and calling it done,” Hernandez explained. “All of these vendors and providers have great training programs and, frankly, they’re the experts and they’re the best.”
“One of the things we’re doing is we’re bringing on technology for ZTA and whatnot, we’re not just asking for the services and the licensing,” he added. “We’re saying we want monthly training for our folks to keep them either up to date on what the current state of the technology is, or you know, get folks up to speed to where they need to be.”
Hernandez said that’s a “different way of thinking” for IT employees who are used to just buying cloud services or licenses for products. He said IT employees must “broaden that aperture a bit” and ask for “ongoing continuous education” for their team.
Beau Houser, CISO at the U.S. Census Bureau, noted that his agency is also providing continuous education to its employees because zero trust is “a big challenge” and a “very different type of model than what folks are used to.”
Houser said the Census Bureau has “hit this head-on” and established a robust workforce development initiative “that goes far beyond cybersecurity.”
“We have cohorts of employees, the first cohort was focused on network operations – obviously secure network operations – with a cloud theme and a zero trust theme included in that skills development,” Houser said. “And so, we had several months of classes, workshops, and even on-the-job training activities focused on building those skills. The next cohort that we’re getting ready to kick off is software development.”
He explained that the Census Bureau is focused on secure software development in a cloud-centric model, because his team has found “cloud is really the opportunity when it comes to zero trust, DevSecOps, and the other sort of modern initiatives.”
“We have to migrate to cloud and we’ve got to get our cloud architecture right out of the box so that when folks migrate to cloud, they get these capabilities naturally without much retrofitting,” Houser said.
As for the Department of Education, Hernandez said his team is focused on “the difference between correlation and causation” in its training program.
“Zero trust is going to put an incredible amount of data at our fingertips,” Hernandez said. “We’re going to use a lot of technology like security orchestration, automation response, machine learning, AI, to kind of pare that down.”
“But, to train that type of technology and understand how to get the gold nuggets out of the stream, we have to understand things like basic statistics and data science,” he continued. “So, that’s an area where to get to the highest levels of maturity, your staff is going to have to have some skill sets in that space.”