If an enterprise wants a lesson in quickly forming a zero-trust strategy for a sprawling organization, it should look to the US federal government’s effort to make all agencies compliant by 2024. That’s what Chris DeRusha, who was appointed federal CISO in the Office of Budget and Management (OMB) in 2021, had to figure out quickly.
He used his keynote talk on Wednesday during Forrester’s Security & Risk event in Washington, D.C., to give an overview of the government’s daunting cybersecurity efforts and how that strategy could be used in other organizations.
DeRusha estimates there are just over 100 agencies involved with the zero-trust strategy, including Transportation Security Administration (TSA), Federal Emergency Management Agency (FEMA), the Secret Service, the Coast Guard, and many other sensitive and high-profile civilian government bodies.
“But honestly, if you really broke it down into the independent operating units, there are hundreds, and they’re all across the spectrum of capability and resources,” he said.
So how does a manager wrangle the security needs of that many organizations when there’s a need to move quickly and decisively?
A Starting Point
“It felt like, ‘This is it,’” DeRusha said. “The things we’ve been talking about for the past decade and working about … it’s all happening to us right now. We needed to figure out how we’re going to galvanize and try to insert energy and focus into federal agencies to really drive forward on the things that we’d been working on for well over a decade. But we were struggling to make meaningful progress.”
The team had a starting point: a 170-page document that laid out the fundamental goals. But such a Herculean task -- streamlining a zero-trust plan to be shared by diverse organizations -- would require more than words on a page. “I remember reading it, and saying, ‘This is really interesting, and useful and feels right.’ But no one was going to interact with that,” he said. “So, this was a foundation. We needed a focused action plan.”
An action plan and hard deadlines helped get some organizations on the right path, but others without resources in place needed extra attention. “We decided, let’s go and meet each agency where they’re at … let’s work with each of them to have their own tailored implementation plans,” DeRusha said. Large organizations with smaller departments and groups can take a similar hands-on approach, encouraging each unit to develop its own plan that works.
Read the rest of this article on InformationWeek.