Work with what you’ve got: Accelerating zero trust deployments

nuttapong punna/Getty Images

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Jim Richberg ,
Field Chief Information Security Officer, Fortinet
 

Connecting state and local government leaders

By Jim Richberg

|

COMMENTARY | Because zero trust is founded on cybersecurity tenets like segmentation and identity management, state and local governments can adopt the strategy quickly and effectively.

For many state and local CISOs and CIOs, zero trust has become an increasingly appealing option for securing their networks. While it’s unclear how widely zero trust strategies and technologies are being adopted by state and local governments and where agencies are on their adoption, what is clear is that every government IT leader should be figuring out a way to integrate zero trust strategy into their roadmap of programmatic cybersecurity initiatives.

It might seem a daunting task to take on a whole new strategy for defending against cyberattackers with the challenges posed by increasing budget constraints and a cyber workforce gap that’s only widening. It doesn’t have to be. A zero trust approach is founded on tenets like segmentation and identity management that permeate even the most foundational layers of cybersecurity.

In fact, state and local governments can rely on readily available resources to address these challenges and help make their march to implementing zero trust faster and more effective.

Don’t reinvent the wheel

Before trying to develop a framework or buy zero trust-related cyber solutions, state and local agencies should look to the resources that already exist and follow the lead of others in the public sector who have already begun to implement a zero trust strategy. 

One way is to leverage existing federal guidance. State and local IT leaders can look to individual federal strategies like those laid out by the Department of Defense—and even more so, by the Office of Management and Budget for the civilian agencies. These may not be perfect fits, but they will help. Documents like the National Institute of Standards and Technology’s SP 800-207 along with the Cybersecurity and Infrastructure Security Agency’s Tech Reference Model and Zero Trust Maturity Model can help state and local governments assess where they are in their implementation journey and where they need to go. Many federal agencies are moving into implementation of zero trust, and state and local IT leaders can take advantage of published case studies and informal lessons learned. 

Once state and local governments are past the planning stage and ready to actually buy and implement solutions, they can look at federal contracting language for examples they can use to procure zero trust-related tech. This is especially important for state and local government procurement offices that are short of cyber experts, saving them from trying to generate contracts from scratch.

This approach has the additional benefit of using contract terms that the vendor community is already familiar with, since they may also sell to the federal government. There are several initiatives underway to create virtual libraries of cybersecurity contract language that state and local government agencies can use.

Beyond that, agencies may find that products and services that are already on their security modernization roadmap align with zero trust. For example, most security information and event management (SIEM) and security orchestration, automation and response (SOAR) products perform functions that map to pillars of the federal zero trust model. They can be invaluable starting points for implementing real-time situational awareness and response.

Address the cyber workforce gap

One of the biggest challenges to state and local implementation of zero trust is the cyber workforce gap. It’s tough to get all of this retooling done without people who can translate a zero trust strategy into broader IT and security modernization plans. 

One solution is for local governments to partner with others.  Local governments can realize an economy of scale by banding together to regionalize their efforts, which may make it easier to attract or train needed talent. Agencies can work with private sector partners, who may have more experience with the latest cybersecurity technologies. They can also turn to their state for guidance and possibly for shared services.

Organizations like the National Association of State Chief Information Officers (NASCIO) offer a wealth of both information and potential partners. Their resource center is replete with documents, blogs, white papers and podcasts showing how states are tackling cybersecurity challenges, including implementing their zero trust strategies.

Beyond that, remote workers can provide state and local governments with the needed zero trust expertise. While it’s important—especially for local governments—to have the majority of their employees on the ground, the geographic range for tech talent should be widened. Remote workers with specialized skills can shepherd state and local IT teams through the zero trust journey using any number of collaboration tools we’ve all become familiar with since the onset of COVID.

It’s imperative that state and local government agencies implement zero trust strategies as soon as possible. Zero trust enables agencies to focus on ensuring the secure connection of users (employees and citizen-users), devices, data and compute resources regardless of where any of these elements is located. State and local agencies have been on the forefront of the public sector’s move toward better customer service and efficient operations—and zero trust is likely to be an invaluable tool for continuing this transformation. 

There are many resources out there that can help state and local agencies regardless of where they are in their zero trust journey. The most important part is to just get started. Agencies can use what they already have to bring together the foundational pieces and then lean on best practices and information that is already being used by others in government and in the private sector.

Jim Richberg is the public sector field chief information security officer at Fortinet.

NEXT STORY: Unpatched, known vulnerabilities still key driver of cyberattacks

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.