Acting National Cyber Director in the Office of the National Cyber Director Kemba Walden recently stated, “The success of the national cybersecurity strategy will be measured in part by the way companies get a return on their investment in building resilience.”
The same holds true for federal agencies – the more ROI they’re able to see in their cyber investments and zero trust strategies, the more resilient we’ll all collectively be. So how can agencies adopting this outlook not only make smarter cyber investments but also ones that help them realize a greater ROI on existing investments?
Going back to basics
First and foremost, we need to get better at doing the basics right. Until we do that, breaches will remain the norm. More than 4,100 publicly disclosed data breaches took place last year, costing organizations an average of $4.35 million.
To shore up defenses, agencies should focus on identifying vulnerabilities, ensuring cross-functional visibility, and mapping out where the most critical assets in your digital ecosystem lie. Patch when you’re told to patch, have backups for your backups, and segment your environments. Doing the basics right helps lay the groundwork for any cybersecurity investment – existing or future – priming agencies to get more ROI out of any security architecture.
On top of that, federal agencies need to have a zero trust strategy in place. The Biden Administration’s May 2021 Executive Order on Improving the Nation’s Cybersecurity made it clear that zero trust is the new cybersecurity standard. Breaches are inevitable, and our world is more hybrid and hyperconnected than ever before. The risks federal agencies are facing are dire, and they’re everywhere.
Since the EO, we’ve seen a much more concerted effort from federal agencies to shore up access and require more users, regardless of origin, to be authenticated before being granted access to specific applications or data. And we’ve seen “assume breach” slowly move into the mainstream lexicon.
This has been a marked and much needed move away from the more traditional, outdated security approach that focused solely on perimeter-based security and keeping threats “out.” And although we’ve made some progress, the reality is we still have a way to go.
Small steps make progress
When it comes to zero trust, small steps make progress, and lead to greater ROI. For teams looking to show value and progress on their zero trust journeys, focus on the quick wins. Segment your most critical assets before moving onto bigger projects. Implement more dynamic network rules and focus on maintaining visibility into communication across networks. Zero trust is an ongoing process and strategy, but resilience grows with every step.
Agencies should also think about maximizing pre-existing technology investments. For example, tools like EDR and XDR are proven to be more effective when coupled with a zero trust strategy and zero trust technologies. According to emulated attacks by Bishop Fox, microsegmentation (or zero trust segmentation) can stop ransomware attacks from spreading in 10 minutes, nearly four times faster than detection and response capabilities alone.
Lastly, when implementing any new tool or technology, make sure to leverage data. When making the case for a specific new tool or technology, agencies can lay the groundwork through risk assessments, engaging with stakeholders, and explaining the reasoning behind the investments in the larger context of operational consistency or federal compliance: why the initiative is important and how it aligns with the agency’s mission. It’s important that agencies show incremental success and use these small wins as supporting points when justifying next steps.
The cultural change
Lastly, it’s important to remember that zero trust is a cultural change; it’s not just about the technology employed. It’s predicated on putting “assuming breach” into practice throughout the organization, from SecOps teams to CXOs, and actively ensuring that the organization is prepared for the worst so that when breaches do occur, operations aren’t impeded.
Bad actors are constantly evolving their tactics, but their desired outcomes remain the same: to exploit and disrupt. But even as the attack surface expands and evolves, I’m optimistic about the future of zero trust.
As Chris DeRusha, federal chief information security officer at the Office of Management and Budget recently shared, “My favorite thing to hear from a chief information officer or a chief information security officer is, ‘I’m doing this because it’s the right thing, and I want to do it — and not because you told me.’ That’s great actually because it means that we are on the right path, and we got it right… By and large, it’s getting traction because it is what agencies want to be focusing on.”
As zero trust increasingly becomes the norm, especially in fed, not only can we expect to see more resilience, but a greater ROI in cybersecurity overall. We just have to continue to make progress on our zero trust plans with speed and transparency at the forefront of our collective approach.
Gary Barlet is federal chief technology officer at Illumio.