Matt Singleton vividly remembers Saint Patrick’s Day 2020. Not exactly for the celebratory reasons you’d expect, but for the massive challenge that confronted him.
The Problem Statement
“I got a call that said, ‘Hey, we’re sending the entire workforce home, and you’ve got to make them productive now,’” said Singleton, who serves as Oklahoma’s Chief Information Security Officer. “And so in the span of a couple of weeks, we had to figure out how to do that securely.”
Looking back, that herculean task humanized a cybersecurity model — known as zero trust — in a way that no memo, policy document or buzzword pitch ever could. Singleton recalled at one point being asked by a member of the C-suite if they could give employees administrative rights to their PCs. Yes, you read that correctly.
“That is almost the exact opposite of zero trust,” Singleton said during a recent GovLoop online training. “After I picked myself up [off] the floor, I said, ‘That’s probably not the right thing to do; let’s start talking through what it is you’re trying to accomplish.’”
Zero Trust in Action
That conversation led to the state rolling out privileged access management solutions, which add a layer of control between users and the privileged accounts they are entitled to use, so that elevated rights are granted only when needed rather than held permanently. That work led to discussions about employing multi-factor authentication, which requires users to prove their identity with more than one kind of credential when accessing an account or making changes. For many government employees, that means using an ID card along with a password to access a government computer. These are all solutions that support a zero-trust strategy.
“There are a ton of tools that you pull in when you are talking about zero trust,” Singleton said. “It is really going to be what makes the most sense for individual organizations based on current toolsets and maturity in those toolsets. Identity is the cornerstone.”
Addressing Shadow IT
Shadow IT — that is, hardware, software and services being used by employees without the approval of the IT department — can pose serious risks to agencies. This often springs from employees trying to do their jobs and not from malicious intent. But organizations can’t secure what they cannot see.
There’s also a deeper issue at play, Singleton said. “When you have shadow IT, that exists because central IT isn’t doing something the business needs. You can’t just dismiss it,” he said.
- Figure Out How to Meet That Need
Singleton and his team are proactive about empowering non-IT staff to be co-creators in finding tech solutions. They published an enterprise reference architecture, a framework that provides a common vocabulary and describes the relationship between business functions and the technologies and information that support them. His team also published technology standards, along with a list of suppliers and service providers that align with those requirements. “We are trying to be very transparent with the business so they understand how central IT does it,” Singleton said.
- Provide Autonomy With Boundaries
This is key, as the state has nearly 200 different agencies. Let’s say, for example, that an agency needs a new unemployment insurance platform. It now has access to a list of potential providers to meet that need, using technologies that have been approved by the state. This way of operating has enabled Singleton to step back and take a strategic approach to managing relationships with state agencies and helping them address business needs. “It puts them in the driver’s seat while you still have some controls,” he said.
This article is an excerpt from GovLoop’s guide “Why Zero Trust Matters at Work (and how to foster it).”