Take These 3 Next Steps If Your Government Agency is Building Zero Trust
It's clear to me that Zero Trust has moved from being a new idea to a common practice, especially in the federal government. Agencies understand what Zero Trust is and are working to include it in their cybersecurity plans.
This is a big change from a few years ago when many agencies were still learning about Zero Trust and why it matters.
The adoption of Zero Trust in government is good to see, but security initiatives shouldn’t stop there. In this blog post, I share my thoughts on the next steps agencies and commands should be taking on their Zero Trust journeys.
How did Zero Trust become mainstream in the federal government?
The move toward Zero Trust in the federal sector reflects a larger trend happening in many industries. This change is mostly because of increased awareness and mandates such as:
The large amount of education and information available has made Zero Trust a key part of federal cybersecurity plans. Agencies now have a clear guide for using Zero Trust, which makes it easier to add to their security systems.
This widespread use is not just in the government. Businesses have also started using Zero Trust. According to Forrester's Security Survey, 2023:
- 72% of security leaders at enterprise organizations (1,000 or more employees) are planning or already starting a Zero Trust program.
- 78% have already invested resources into a Zero Trust security plan.
This important shift toward Zero Trust shows a big change in cybersecurity. Instead of just trying to detect and prevent attacks, Zero Trust assumes breaches will happen and proactively prepares to stop them from spreading.
3 next steps for agencies building Zero Trust
Now that Zero Trust is widely accepted, agencies need to focus on what comes next in their Zero Trust journey. Here are the main things to concentrate on:
1. Build microsegmentation
You can’t do Zero Trust without microsegmentation, also called Zero Trust Segmentation (ZTS). Microsegmentation used to be seen as a more advanced security measure, but it's now a Zero Trust basic that everyone needs to implement.
Relying on traditional security methods to protect your network isn't good enough anymore.
Microsegmentation breaks a network into small, separate parts to stop breaches from spreading through the network. This keeps your most critical data and applications safe while making it harder for attackers to cause disruption.
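The containment effect described above can be measured. The following is an added example, not code from the original post or from any product: it compares how far a breach can spread from one compromised workload on a flat network versus under a default-deny allowlist. The workload names, labels, and rules are constructed for illustration.

```python
from collections import deque

# Constructed inventory: workload name -> (application, tier). Illustrative only.
WORKLOADS = {
    "hr-web": ("hr", "web"), "hr-app": ("hr", "app"), "hr-db": ("hr", "db"),
    "pay-web": ("pay", "web"), "pay-app": ("pay", "app"), "pay-db": ("pay", "db"),
    "jump": ("ops", "admin"),
}

# Allowlist for the segmented case: (src app, src tier, dst app, dst tier).
# Any flow that is not listed here is denied by default.
ALLOW = {
    ("hr", "web", "hr", "app"), ("hr", "app", "hr", "db"),
    ("pay", "web", "pay", "app"), ("pay", "app", "pay", "db"),
    ("ops", "admin", "hr", "app"), ("ops", "admin", "pay", "app"),
}

def flat_allows(src, dst):
    """Flat network: every workload can open a connection to every other one."""
    return src != dst

def segmented_allows(src, dst):
    """Default deny: a flow is permitted only if its label pair is allowlisted."""
    return (*WORKLOADS[src], *WORKLOADS[dst]) in ALLOW

def blast_radius(start, allows):
    """Workloads reachable from a compromised one by chaining permitted flows."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for dst in WORKLOADS:
            if dst not in seen and allows(src, dst):
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

if __name__ == "__main__":
    for name, policy in (("flat", flat_allows), ("segmented", segmented_allows)):
        reach = sorted(blast_radius("hr-web", policy))
        print(f"{name:9} hr-web compromised -> {len(reach)} reachable: {reach}")
```

Running the same function from an administrative host such as `jump` shows which allowlist entries carry the most exposure and deserve the tightest rules.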
2. Automate as much as possible
As networks and organizations get more complicated, it's clear that we need cybersecurity automation more than ever. Doing things by hand just can't keep up with all the new threats and the many tasks needed to keep everything safe.
Automation helps to solve several important problems:
- Network complexity: Today's networks are large and complex, making it hard to handle security manually. Automation helps organizations put consistent security rules in place across every environment.
- Skills gap: Research by the World Economic Forum has found a shortfall of 3.4 million cybersecurity experts. It's clear that there's a growing cybersecurity skills shortage. Automation helps bridge the skills gap by doing routine jobs, freeing up security teams to focus on more complex issues.
- Human error: Manual processes leave you open to security errors. Automation lowers this risk by limiting the amount of manual work in the network. Tools like AI can help build security with fewer mistakes.
The move to a “shift-left” approach means more DevSecOps teams are building security first during a project. By adding automation to the start of development, organizations can avoid problems and wasted time that come from adding security later on. This way of working helps make security stronger and better able to handle challenges.
3. Consolidate security tools and decision-making
As cyber threats get smarter, agencies are consolidating their security tools and strategies. This consolidation is driven by the need for consistency, affordability, and better resource utilization. By making security a higher-level decision, organizations can streamline their efforts and improve overall security.
While I was the CIO at the Office of the Inspector General for the U.S. Postal Service, I worked with the team to move to a consolidated security decision-making model. While these kinds of changes aren’t easy, they allow you to use resources more effectively, reduce complexity, and further enhance your security posture.
2 things to watch out for during your Zero Trust journey
Starting a Zero Trust journey can improve your organization's cybersecurity. But there are some important challenges to be aware of. These are two key issues you should watch out for to make sure your work on a Zero Trust plan goes smoothly.
1. Too much focus on identity security
At one point, cyber experts thought that if they could just get identity protection right, they'd solve most security problems. This was 30 years ago, and the number of breaches continues to grow. Something isn’t working. While identity is still an important pillar of Zero Trust, it’s clear by now that identity isn’t the best answer to stopping cyberattacks.
I think the reason identity security has become so popular is that it's easy to understand and easy to get cross-functional buy-in for. But just because it's simple doesn't mean it's the best way to keep networks and data safe.
It’s important that we focus just as much – if not more – on network security. John Kindervag often describes networks as having a strong shell but being a liquid mess on the inside. Without breach containment technologies like microsegmentation, there’s no way to stop malware that gets past identity tools.
2. Letting perfect be the enemy of good
There needs to be a major mindset shift about security ownership. And this isn’t just for the public sector – this is widespread.
We can't expect today’s security to be perfect. Breaches will happen, and we need to be prepared to reduce their effect on our operations.
We can’t blame the security team for every cyber problem. Everyone in a company needs to take responsibility for cybersecurity, not just one team or executive. This change in thinking is really important to make security a priority that everyone cares about.
The future of federal government cybersecurity
Zero Trust is a journey, not a destination. As cybersecurity keeps changing, it's crucial for agencies and commands to make sure they’re planning and prepared for the future.
Bringing these strategies together will help agencies handle cybersecurity challenges better. It's important to regularly update and adapt these strategies to stay ahead of new cyber threats and keep data safe.