In the wake of recent high-profile cyberattacks, IT experts gathered at MeriTalk’s CDM Central: The Age of Cyber Defenders virtual event on May 12 agreed that the Federal government needs to accelerate innovation when it comes to cybersecurity, and that includes implementing the Continuous Diagnostics and Mitigation (CDM) program, along with zero trust security concepts.
During the event’s Future State: Federal Cyber panel, industry stakeholders discussed how CDM and zero trust can positively impact the Federal government and protect agencies from future cyberattacks.
“The research that’s being done by CDM is great. You’re identifying these products and bringing what should ultimately for us and industry be the most important thing: doing more efficiently what was done in the past that’s addressing the current threat, but at a reduced cost to the taxpayer,” said Micah Wilson, public sector sales engineer manager at Duo. “CDM is actually putting all those together and then allowing government to buy it at better prices … that I think is an awesome mission.”
Despite CDM offering efficiency and cost advantage, Matt Park, Federal civilian agency programs director at Forcepoint, stressed that the program is “not easy” to implement. However, he believes that through the CDM implementation process, agencies develop stronger cybersecurity and are then even better equipped to implement zero trust.
“This is the beauty of CDM because honestly it’s very labor-intensive to figure out – what people should be able to use, which systems, under which circumstances, and from what device. And to quantify that across your enterprise is just an immense amount of work,” Park said. “There is a way there, it’s not easy,” he said, adding, “I don’t think zero trust is going away, it’s what we have to do, absolutely.”
As for zero trust, Mike Hurt, vice president of Federal at Palo Alto Networks, also stressed that it can be difficult to implement, but agencies need to stay invested in the process in order to protect their modern digital environments.
“From a zero trust perspective, obviously it’s a super hot topic, lots of conversations with the Federal government these days on the topic, but the one thing is you could buy products from all of us on this panel and they all do great things, but at the end of the day you can’t buy your way into zero trust,” Hurt said. “Zero trust is a methodology, not a product. And so, we believe that zero trust is a journey and agencies need to stay invested in that process, which is sometimes hard to do.”
Panelists agreed that although zero trust can be a bit of a buzzword these days, now is the time when agencies need to start taking it seriously and implementing it. Nathan Burke, chief marketing officer at Axonius, also brought attention to the fact that to implement zero trust, agencies need to first nail down “the basics” in cybersecurity.
“I think it’s exactly the right time to move to a model where we’re continuously interrogating and defending access. And when I think of zero trust, I think that asset management and identity management are really two sides of the same coin,” said Burke. “Zero trust – it’s a great ambition, it’s where we should be focused. But to get it right and to make it real, we need to nail the basics and I think that starts with asset management.”
In addition to mastering the basics, panelists agreed there should also be room for innovation in cybersecurity. Park said he is an advocate for the CDM program, but still believes there is always room for improvement and innovation.
“CDM is a great program… it’s improved the security profile of most agencies immensely. It’s helped elevate cybersecurity to this first-class topic,” said Park. “But really, I think to improve the program I think DHS needs to fail more, certainly fail faster in a couple cases.”
“While the overall focus of the program needs to be about delivering best-in-class, proven capabilities, there needs to be a lot more innovation, pushing the envelope,” he added. “Every single agency should probably have some sort of cyber innovation project going on… But I think in the end, it’ll get people excited about it, agencies will be able to tackle their pet projects as long as it doesn’t take away from that overall mission of delivering best-in-class capabilities.”