Zero trust requires workforce buy-in, federal officials say


The Interior Department’s acting CISO, Louis Eichenbaum, said it’s important for agencies’ workforces to understand “the concepts of zero trust and how you incorporate it into your daily activities.”

Agencies need to prioritize close collaboration with their personnel if they want to successfully adopt zero trust principles, two officials said during a panel at ATARC’s Public Sector Application Modernization Summit on Thursday. 

Rather than relying on a perimeter of firewalls to keep outsiders out while implicitly trusting whatever is already inside the network, the zero trust model treats every user and device as a potential threat: each access request, including movement between internal systems, must be authenticated and authorized on its own merits, regardless of where it originates.
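The contrast in that sentence is easier to see as a policy decision. The following is an added illustration written for this page, not code from Interior, USPTO or any product; the network range, the role table, the device-posture attributes and the sample requests are all constructed for the example. A perimeter policy grants access on source address alone, while the zero trust policy evaluates identity, device posture and least-privilege entitlement on every request.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical "inside the firewall" range used by the perimeter policy.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool   # identity proven (password/cert)
    mfa: bool             # second factor presented
    device_managed: bool  # enrolled in device management
    device_patched: bool  # posture check: current patches applied
    src_ip: str
    resource: str
    action: str


# Hypothetical least-privilege entitlements: role -> (resource, action) pairs.
ROLES = {"alice": {"payroll-admin"}, "bob": {"helpdesk"}}
ENTITLEMENTS = {
    ("payroll-admin", "payroll-db", "read"),
    ("payroll-admin", "payroll-db", "write"),
    ("helpdesk", "ticketing", "read"),
    ("helpdesk", "ticketing", "write"),
}


def perimeter_policy(req: Request) -> bool:
    """Castle-and-moat: anything already on the internal network is trusted."""
    return ipaddress.ip_address(req.src_ip) in INTERNAL_NET


def zero_trust_policy(req: Request) -> tuple[bool, str]:
    """Every request is checked on identity, device posture and entitlement.
    Network location never contributes to the decision."""
    if not (req.authenticated and req.mfa):
        return False, "identity not verified with MFA"
    if not (req.device_managed and req.device_patched):
        return False, "device posture fails"
    roles = ROLES.get(req.user, set())
    if not any((r, req.resource, req.action) in ENTITLEMENTS for r in roles):
        return False, "no entitlement for this action"
    return True, "allowed"


# Constructed sample requests covering the cases where the two models diverge.
SAMPLE_REQUESTS = {
    # Internal workstation, but the session has no second factor (stolen password).
    "insider_no_mfa": Request("alice", True, False, True, True, "10.1.2.3", "payroll-db", "read"),
    # Fully verified user and device connecting from outside the perimeter.
    "remote_verified": Request("alice", True, True, True, True, "203.0.113.7", "payroll-db", "write"),
    # Verified helpdesk user trying to reach a system outside their role (lateral movement).
    "lateral_move": Request("bob", True, True, True, True, "10.5.5.5", "payroll-db", "read"),
    # Correct user and MFA, but the device fails its posture check.
    "unpatched_device": Request("alice", True, True, True, False, "10.1.2.3", "payroll-db", "read"),
}


def evaluate(requests: dict[str, Request]) -> dict[str, dict]:
    """Run both policies over each request and return the decisions side by side."""
    results = {}
    for name, req in requests.items():
        allowed, reason = zero_trust_policy(req)
        results[name] = {
            "perimeter": perimeter_policy(req),
            "zero_trust": allowed,
            "reason": reason,
        }
    return results


if __name__ == "__main__":
    for name, decision in evaluate(SAMPLE_REQUESTS).items():
        print(f"{name:18} perimeter={decision['perimeter']!s:5} "
              f"zero_trust={decision['zero_trust']!s:5} ({decision['reason']})")
```

Three of the four internal requests that the perimeter policy waves through are refused by the zero trust policy, each for a different reason, while the legitimate remote request that the perimeter blocks is allowed. That per-request evaluation is what the officials quoted below are asking staff to internalize, and it is why a help desk technician or application developer has to understand the principles rather than just the tooling.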

The Biden administration previously directed agencies to develop plans and concrete steps for implementing zero trust architecture across their operations. Although President Donald Trump issued a cybersecurity executive order in June that did not explicitly mention zero trust, administration officials are reportedly working on a zero trust 2.0 strategy.

While the continued use of legacy systems, along with technical and data management challenges, has hampered some agencies’ implementation of the new security architecture, officials said that securing the buy-in of their workforces is key.

Louis Eichenbaum, the Interior Department’s acting chief information security officer, said cultural change is the biggest challenge he’s faced when it comes to implementing zero trust.

“It's making people understand that zero trust is not about implementing new technology,” he added. “It's a mindset. It's about understanding the principles of zero trust [and] incorporating that into everything that you do.”

To help streamline the process and make Interior personnel more comfortable with the new approach, Eichenbaum said his agency, in part, created “a zero trust community of practice” with monthly meetings that eventually grew to include roughly 1,000 people. The department also brought in outside speakers and implemented a training program, which educated more than 200 people across Interior who received zero trust certifications.

When it comes to zero trust adoption, Eichenbaum said “the most important thing is getting people to understand what it is, why we do it and just no matter what your job is — whether you're a help desk technician, network engineer, application developer — understanding the concepts of zero trust and how you incorporate it into your daily activities.”

Liza Briggs, a senior social scientist with the U.S. Patent and Trademark Office’s Insider Threat Program, echoed Eichenbaum’s comments about the necessity of cultural buy-in when it comes to adopting zero trust and the importance of strategic communication. 

“Helping people understand what's at risk in real time, updating them and making them aware of why zero trust is an important thing, what it means for us and evolving that discussion is also really important,” she said. 

Briggs added that agencies also need to be aware of “technical security fatigue,” where employees become overloaded with the constant shifting and changing of cyber protocols. As zero trust architecture is implemented, Briggs said officials should “work and foster opportunities to do it through and with people, versus to and on them.”

Even the term zero trust, she said, could — without additional explanation — turn off personnel.

“We almost suggest that people are guilty of something,” Briggs said. “And so working around that, being strategic, [means] showing your work. Show results as you implement. Show how brilliant it is. Tell people about it, be really transparent and stay connected to all parts [of your organization].”