Kevin Kirkwood, the Deputy CISO of LogRhythm, reflects on the progress and challenges faced by the U.S. government in the pursuit of Zero Trust Architecture. President Biden’s Executive Order on Improving the Nation’s Cybersecurity, issued over two years ago, marked a significant step in modernizing U.S. government security defenses and emphasizing the importance of prioritizing security across federal, state, and local agencies.
The upcoming target of September 2024 for the White House’s Zero Trust implementation has prompted a renewed focus on cybersecurity within government agencies. However, recent cyberattacks, such as the Russian cyberattack that targeted U.S. government agencies, schools, hospitals, and local government institutions, have underscored the need for more robust security measures.
In response to these challenges, the Cybersecurity and Infrastructure Security Agency (CISA) released the second version of its Zero Trust Maturity Model, which provides a guide for federal agencies on the path to Zero Trust. The model acknowledges that different agencies are at varying stages of their Zero Trust journeys, with some facing obstacles due to legacy infrastructure and resource limitations.
Kirkwood asserts that the public sector can learn valuable lessons from the private sector when it comes to implementing Zero Trust. He emphasizes the importance of adopting the agility and flexibility of the business world to streamline the progress of Zero Trust projects, especially with looming implementation deadlines.
When planning to build out a Zero Trust program, Kirkwood recommends that government agencies begin by conducting a comprehensive assessment of their current security posture to identify potential gaps and threats. Following the assessment, agency leaders can then plan the transition and define goals for the project’s outcome, while also allocating necessary resources for implementation.
The execution of Zero Trust is highlighted as a critical phase, requiring agencies to ensure that employees receive dedicated training on working within the newly deployed architecture. Additionally, Kirkwood stresses the importance of implementing processes for monitoring and continuous improvement of Zero Trust architecture even after deployment is complete.
Looking ahead, Kirkwood anticipates that conversations about Zero Trust implementation will continue to dominate the public sector in the coming year. He believes that by drawing from the experiences of the private sector, government agencies can gain insights into which steps to take and which to avoid along their Zero Trust journeys.
In conclusion, Kirkwood reiterates the need for the public sector to leverage the expertise and best practices honed in the private sector as it pursues Zero Trust. By doing so, government agencies can build a more secure future and ensure the protection of critical infrastructure and sensitive data.