Federal and industry experts suggest that cultivating a zero trust security culture requires laying a solid foundation by prioritizing continuous learning, securing strong leadership support, and constructing a framework of strategic investments for lasting success.
The push for zero trust implementation in the Federal government has accelerated following President Biden’s May 2021 cybersecurity executive order, which directs agencies to embrace zero trust cybersecurity principles and adapt their network architectures accordingly.
However, turning this vision into reality is more complex than it sounds.
At ATARC’s Zero Trust Summit on Oct. 3, several Federal and industry leaders highlighted that fulfilling Federal zero trust mandates requires returning to that foundational groundwork.
Wayne Rodgers, zero trust lead for the Department of Education, explained that before agencies get into the intricate work of patching vulnerabilities, they need to get down to the nitty-gritty of educating their workforce on basic cyber hygiene.
“Take a step back … basic cyber hygiene is really an issue in so many environments … [and] before you can even get into the advanced realms is there a trust in each pillar. Ultimately, 80 to 90 percent of breaches or hacks or anything that happens is still due to weak usernames and passwords, not using phishing-resistant multi-factor authentication,” Rodgers said.
“If you don’t clean that up and have basic cyber hygiene, the emerging threats are going to compound the threats that you already are going to be facing. So that’s the first step, and everything else pretty much can come simultaneously, but that really should not be an afterthought,” he added.
Amy Hamilton, faculty chair at the National Defense University, echoed Rodgers’ sentiments, but took them a step further.
“We teach basic home security safety … we teach this [to] make sure people have basic safety. So, we need to make sure that we’re doing this basic user education and it has to start from the earliest age,” Hamilton said.
Hamilton explained that educating non-cyber experts on the need for zero trust principles and how to protect against cyberattacks begins with a cultural shift.
“We really have to just start to change the culture … We really have to change the entire way that we’re looking at cybersecurity from the earliest ages all the way through,” she said.
Another critical aspect of building a solid foundation for cultivating a zero trust culture in an agency is securing strong leadership support.
Sean Cortopassi, division director for the Pentagon’s Defense Manpower Data Center, explained that cultivating a zero trust culture should be a “coordinated effort built across your organization.”
“It’s not [just] a cyber thing so let the cyber guys do it. It involves so many facets of the business. So, to get senior leadership support you have to put it in clear language, distill it, demystify it, and spell out the value,” Cortopassi said.
Steve Pitcher, senior cyber survivability analyst for the Defense Department’s Joint Staff J6, echoed Cortopassi’s statements, adding that “plain language explanations” allow senior leadership to understand the value of investments in cyber.
“We can’t throw the ball across the table to the cyber guys and say, go forth and do good things and then slap us and say you can’t do that. We need to be able to spell out that value in simple, simple English. We need to define and talk about the risks and value you’re adding to your organization,” Pitcher said.