The challenge of implementing zero trust is explaining the benefits to the end users, Federal and industry cybersecurity experts said today at the Zscaler Public Sector Summit in Washington, D.C.
The experts said it is critical to explain the benefits of zero trust to end users to avoid pushback, and recommended that organizations essentially make the users a “part of your team.”
“I’m going through change management, or dare I say, grief management,” said Dr. Aaron Drew, the senior enterprise solutions architect in the Office of Information and Technology at the Department of Veterans Affairs (VA). “Because I now have to tell someone that there’s now an extra step or two to access that application – different than what it was just last week. And at the end of the day, I need them to be okay with it.”
“When you get down to the masses, and in my world, you get down to the hospitals, the clinics, and the tens of thousands of people that are my user population, they’re going to have a concern that they’re not part of that conversation,” he continued. “They don’t understand: ‘why is it extra harder now to do what I used to do last week?’ I need them – because that pushback will only slow me down.”
“I need that acceptance … and so that’s the challenge,” Dr. Drew said.
The moderator of the panel, Danny Connelly, who serves as the chief information security officer (CISO) for Americas and public sector at Zscaler, added that he always targets the “persistent complainers,” because if they’re happy with the implementation of the cybersecurity solution, “it’s a good day.”
“That’s so key is just being able to explain or articulate to the user,” he commented. “Being able to explain to the end user why you’re doing something really helped alleviate some things or complexities, roadblocks, barriers, things of that nature.”
Roger Gibson, chief operating officer for the State of New Jersey, Office of Information Technology, noted that “it made him a hero” to be able to provide a tool to users “to do more and do better than what we’ve been able to do thus far.”
“Have a story. Have a reason why. Don’t forget your advocacy,” Gibson said. “Part of our role as the leadership of a centralized IT organization is being a leader and explaining the reasons why.”
Similarly, Gerald Caron, the chief information officer (CIO) at the International Trade Administration (ITA), reiterated the importance of being inclusive of everyone in the zero trust journey.
The CIO reminded organizations that zero trust is not just something you give to the cybersecurity folks, but it’s an organizational effort – one that will benefit the end users.
“That’s why I say don’t look at it as a cybersecurity project – it’s a modernization project,” Caron said. “There is opportunity, if you take the right approach, in looking at doing zero trust. There’s opportunity because there are benefits that you’re going to bring to your users.”
While it might take a couple more clicks, he said zero trust will offer the end user “the right data [and] the right people, at the right time.”
“Performance-wise, there’s a lot of benefits. So, include your user population early. Make them part of your team, basically,” Caron said.
As for other advice for organizations looking to get started in their zero trust journeys, Amy Parde, director of cybersecurity operations at Lockheed Martin, shared two mantras organizations can use when they feel stuck.
“Those are: progress over perfection, and start by starting,” Parde said. “Sometimes the worst that can happen when we take the first step is that we learned something not to do again.”