Innovation and cybersecurity often seem at odds. That is, until there’s a shared understanding of what problems employees are trying to solve and how security can enable a strong solution.
If IT is being done outside the role of the chief information officer (CIO) it means that those who rely on the IT department are not getting the service they need, or maybe it’s too costly or perhaps as a mission owner or operator they don’t feel heard, said Robert Costello, CIO at the Cybersecurity & Infrastructure Security Agency (CISA).
His advice: Establish environments with guardrails so that employees can innovate.
Here’s what that might entail:
- Facilitated listening sessions with non-IT employees who rely on mission-critical systems to do their jobs: Do members of the IT department understand their job requirements and aspirations? There will be tradeoffs.
- Guided questions to understand what data and type of access are needed to support these goals: What are the implications if something goes wrong? What can be done to minimize the risks of something going wrong?
- Cost-estimating: Costello recommends robust conversations about cost and budgeting security into the life cycle of a program. He also highlighted programs such as the Technology Modernization Fund (TMF) and the Homeland Security Department’s Continuous Diagnostics and Mitigation (CDM) Program as resources for agencies.
- Secure access to low-code and no-code software offerings, of which Costello is a proponent: This approach to software development requires little or no coding experience.
Solving the Identity Problem
A chronic challenge for public and private organizations alike is the issue of identity.
“Sometimes you can’t solve identity with technical solutions at first,” Costello said. “You have to sit down and whiteboard and map it out.” Most places are not greenfield, meaning they aren’t entirely new organizations starting with new and modern technologies.
“The most important thing for me is that you see more segmentation,” he said. In other words, if someone gets into the network, segmentation or security checkpoints reduce the chances that they’ll be able to move about freely and exfiltrate a lot of data.
Zero Trust Enables Innovation
Take single sign-on, for example. This method is used to simplify the login process for users by allowing them to access multiple applications with one set of credentials. For employees, that means removing the hassle of trying to remember multiple passwords for different workplace applications, fewer headaches and help-desk tickets because of expired or forgotten passwords and a better login experience for remote and onsite employees. The federal government’s Login.gov platform extends these same secure benefits to the public to ease and streamline online interactions with agencies.
Costello noted the potential synergy across federal initiatives such as Trusted Workforce 2.0, a governmentwide approach to reform the personnel security process and establish a single vetting system, as well as insider threat programs and how they can feed into the continuous vetting model that zero trust supports.
Despite the benefits, this shift can be a hard pill to swallow when you’re telling everyone that you don’t trust them, he said. Zero trust isn’t an end state, and will require continuous education for everyone across the organization.
This article is an excerpt from GovLoop’s guide titled “Why Zero Trust Matters at Work and How to Foster It,” available here.