How One Agency Wove Zero Trust Into Its Culture

The U.S. Department of Education has plenty of incentive to instill a zero-trust philosophy across its enterprise, even without needing to comply with the White House’s Executive Order on Improving the Nation’s Cybersecurity or the ensuing federal strategy for implementing zero-trust architectures. Because of the nature of the department’s work with students and their families, the agency holds personally identifiable information (PII) and other sensitive data on about 28% of the population.

“When we looked at zero trust, a big selling point was that we’re protecting about a third of this nation’s PII and financial information,” said Steven Hernandez, the department’s Chief Information Security Officer and Director of Information Assurance Services. His office mapped its zero-trust implementation plans using the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model, and set about raising awareness and educating users departmentwide.

Many agencies have some of the foundational capabilities of zero trust in place already, such as Identity, Credential and Access Management (ICAM). “What zero trust calls us to do is take all of these capabilities to the next level. That’s not a technological solution,” said Hernandez. “Zero trust is a cultural journey as much as a technological one.”

At the department, the change began with buy-in from high-level officials who convinced deputy secretaries and other senior leaders that they had a vested interest in zero trust’s success. “There were lots of briefings, one-on-ones, phone calls and personal conversations,” Hernandez said. “Leadership buy-in is a foundational pillar.”

Open Communication Is Key

In taking the program enterprisewide, Hernandez and his team held regular cyber risk briefings and provided notice that training sessions or system tests were coming. They also wove zero trust into the standard user-awareness training that all department staff receive.

Opening lines of communication was the secret sauce that made the education program work. “We decided that we’re going to communicate until people tell us it’s too much,” Hernandez said. “And they never did.”

For example, his office issued an early call about new pilot programs and recruited volunteers to test them. Word spread from the volunteers to their colleagues, who also became interested in zero trust’s advantages and offered to participate. “We originally planned for 50 to 60 people to take part in the pilots and wound up with hundreds,” Hernandez said. “And we got great feedback from the training.”

Making Your Case

Selling employees on zero trust’s advantages takes some marketing, he noted. For instance, Secure Access Service Edge (SASE) technology, one of the technological pillars of zero trust — along with Security Orchestration, Automation and Response and enterprisewide ICAM — replaced VPNs by performing the same type of tasks, but far better.

So, rather than downplaying the change, Hernandez’s team emphasized what SASE did differently, providing encrypted tunnels via the internet and carrying out zero trust at the endpoint instead of within the network. “This is a game-changer,” he said. “We don’t trust the network — that’s one of the core tenets of zero trust.” The department also emphasized other advantages of the switch to SASE, such as reduced downtime and other interruptions, and increased efficiency. “What used to take weeks or days now takes us hours or minutes,” Hernandez said.

In addition, it was important to recognize staff who contributed to the transition. When Hernandez briefed the department secretary on the progress with zero trust, he made sure to call out program-level leaders, including people outside the security teams. “When we build champions, they become champions for us,” he explained.

This article appeared in our guide, “How to Build a Cyber-Savvy Workforce.” To learn more about how agencies are integrating cyber awareness throughout their organizations, download it here:

Photo by Vojtech Okenka at Pexels.com
