Forrester Panel: Government Cybersecurity Leaders Discuss Next Steps for Zero Trust

At the Forrester Security & Risk Summit, cybersecurity leaders discussed the new Zero Trust Data Security Guide in one panel, and in another, representatives from CISA, Department of Interior, and GE Aerospace addressed the next level for the security model.


The recent Forrester Security & Risk Summit in Baltimore featured government cybersecurity officials discussing a newly published guide on zero trust and evaluating the next steps for the security model.  

Forrester is known for introducing the zero-trust security model back in 2009. The motto “never trust, always verify” suggests a least-privilege approach. Former Forrester analyst John Kindervag, now a chief evangelist at Illumio, was an initial champion of zero trust.

In a Dec. 10 panel, cybersecurity leaders discussed “Navigating the Federal Zero Trust Data Security Guide,” which the federal CISO and CDO Councils published on Oct. 31. The guide, developed by 70 people from more than 30 federal agencies and departments, offers a breakdown of how government agencies and organizations should think about data risks. The goal is to provide a practical guide on how to implement zero trust.

A Holistic View of Data and Security 

During the session, Steven Hernandez, CISO in the US Department of Education and co-chair of the US federal CISO Council, discussed how the guide could teach federal and private cybersecurity professionals to think from both a zero-trust and data perspective. 

“It’s interesting because we talk about how to harness data, so we use a lot of behavioral analytics and logs from our systems, etc.,” Hernandez told the audience. “That’s one side of the coin, but the other side of the coin is how we protect data using zero trust principles, technologies, and operations, and in the data management section, we're going to have to basically straddle both of those platforms to be successful.”  

Anne Klieve, management analyst in the Office of Enterprise Integration at the US Department of Veterans Affairs, agreed that a goal of the guide was to create a document that both the data and security communities could understand.  

“It was about creating a guide that would be readable to both the cybersecurity and data communities, and specifically looking at how separate even the jargon was for both communities,” Klieve said during the session. 

Massachusetts CIO Jason Snyder said he appreciates how the guide can move federal agencies and organizations past understanding the architecture of zero trust and toward doing something with it. He also said Massachusetts was at “ground zero” as far as zero trust.

“One of the things I really liked about the guide was its primary focus is data, and when you talk about zero trust, I think that is the right area of focus,” Snyder said during the panel. “So, what we’re doing within Massachusetts is really driving forward from a data perspective and better understanding our data, better understanding different types of data we have, and then working on ways to protect that data.” 

Read the rest of this article on InformationWeek.

About the Author

Brian T. Horowitz, Contributing Reporter

Brian T. Horowitz is a technology writer and editor based in New York City. He started his career at Computer Shopper in 1996 when the magazine was more than 900 pages per month. Since then, his work has appeared in outlets that include eWEEK, Fast Company, Fierce Healthcare, Forbes, Health Data Management, IEEE Spectrum, Men’s Fitness, PCMag, Scientific American and USA Weekend. Brian is a graduate of Hofstra University. Follow him on Twitter: @bthorowitz.
