CIOs are Implementing Zero Trust to Secure IT Infrastructure
CISA’s Robert Costello and Commerce’s Nagesh Rao talk zero trust, standardization and culture change.
The Department of Commerce and the Cybersecurity and Infrastructure Security Agency (CISA) are implementing new security strategies like zero trust and multifactor authentication (MFA) to build out resilient IT infrastructures as the cyber threat landscape continues to evolve.
CISA is in a unique position, where it helps other federal agencies comply and align with federal security mandates. The agency’s CIO Robert Costello explained during GovCIO Media & Research’s Blueprints of Tomorrow virtual event that he’s focusing on zero trust solutions like MFA, faster ATOs, continuous evaluations and risk-based approaches.
“I have to make sure all the programs of CISA have the technology that they need to deploy those solutions to the rest of the federal civilian executive branch or critical infrastructure partners. A big part of my role there is making sure that we’re modernizing our own internal approach to security,” Costello said. “I think we’ve been really successful there.”
Nagesh Rao, Commerce Bureau of Industry and Security (BIS) CIO, explained some of the zero trust pilots his team has launched to develop a “security first” mindset. He noted that zero trust is not an end-all, be-all solution, but it can help agencies prepare for and quickly mitigate evolving cyber threats.
“I think everyone thinks that zero trust means it’s going to be secure and safe,” Rao said. “[But] if a hacker has the mindset to break in, they’re going to break in — they’ll figure it out. What we have to do is be responsive to that if it does happen — be ready for it, be able to counter it, mitigate it and correct it.”
Rao’s current focus is moving to the cloud. He noted that BIS is on target to be 100% cloud native within the next four to six weeks. Once completely cloud native, Rao will focus his efforts on leveraging the next generation of cloud solutions, specifically related to cybersecurity.
As DOC continues to modernize and secure its infrastructure, Rao offered advice to industry partners: standardize solutions.
“I have to have something that’s portable. I have that’s not that can change quickly. Stop doing customization,” Rao said. “Work off the baseline that everyone operates on, then you build off from that.”
Workforce training and recruitment are top of mind as CISA and Commerce continue to accelerate their security efforts. By focusing on the people, agencies will be able to better account for the identities and devices accessing their networks, which became even more critical with the COVID-19 pandemic and remote work.
“It comes down to the people first when it comes to cybersecurity and ensuring that risk model — people, people, people — that’s what’s so most important,” Rao said. “I’m noticing it with my CISO team and my colleagues in the cybersecurity area that it’s education, awareness and understanding.”
Costello explained that CISA is adding flexibility to attract and retain top talent through offerings like telework, modern technology and automation to reduce workforce burdens. DHS also recently launched its new hiring system, the DHS Cybersecurity Service, to streamline hiring processes, offer more competitive compensation and increase diversity.
“It’s not just around providing the proper training, but it’s also recruiting efforts as well,” Costello said. “We want an environment where people can bring up issues as they occur. I’d rather have people over report potential security issues than under report them. That’s really important.”