New CISO research points to zero trust

CISOs have long warranted a seat at the table and now they have it – they have become one of the most critical roles in the modern enterprise. And they find themselves under immense scrutiny, leading the frontline defense against cyberattacks that threaten operational continuity, data security, and business success.

In the federal government specifically, CISOs face even more unique challenges given shifting geo-political tensions, accelerating digital transformation and convergence, and critical talent shortages. Whether its threats to mission systems or critical infrastructure, these attacks are growing in sophistication, aggression and impact, with a real ability to harm governments’ ability to provide vital services to citizens and uphold national security.

New research – The CISOs Report: Perspectives, Challenges and Plans for 2022 and Beyond – from Aimpoint Group, W2 Communications and CISOs Connect sheds light on how CISOs across all industries are meeting the moment. We found these global findings insightful for federal CISOs, especially in underscoring the importance of zero trust.

The report found CISOs’ horizons are darkening: Seven out of 10 perceive the threat landscape to be more severe now than it was a year ago.

In our conversations with federal CISOs, they share similar perspectives. Other insights from the research include:

• The IT components CISOs see as most needing security improvements are APIs, cloud apps (SaaS) and cloud infrastructure (IaaS and PaaS). These concerns reflect the massive increases in remote work, adoption of cloud services, and “bring-your-own-device” (BYOD). And they track the growing complexity of the networks CISOs must defend — endpoints aren’t just laptops and IoT devices. They’re cloud instances and container-based applications too.
  
  
• The cyberattacks CISOs fear most are those that lead to the exposure of PII or other sensitive data.
  
  
• CISOs feel better equipped to detect attacks than to prevent or respond to them.
  
  
• Third party risks top the list of vulnerabilities causing the most concern, which tracks with the escalation of supply chain security issues over the last two years.
   

Three new principles for federal CISOs

By detailing the depth and breadth of challenges facing enterprises, the research ultimately underscores why federal CISOs must adopt new assumptions about the IT environment:

1. The perimeter is dead. 
   Firewalls and VPNs cannot protect the network. 
   
   Cloud-native applications dynamically reconfigure the network based on users, performance optimization, and workload demand. CISOs must lean into this complexity by making innovative use of automation; integrating device and user identities; and ensuring a streamlined user experience by employing human-centered design.
   
   
2. Compromise must be assumed.
   Intruders are omnipresent, aggressive, agile, adaptive, and persistent.
   
   Defenders must lay the foundation of independent and autonomous resiliency by employing dynamic threat analysis of multiple attack vectors.
   
   
3. Data is what truly counts.
   Devices, even internal ones, can be friendly one moment and hostile the next.
   
   What we’re really protecting is our sensitive data and intellectual property, not devices and endpoints.

These three principles summarize the importance of implementing a zero trust security model to create a dynamic, robust, and proactive cybersecurity defense. While the basics of zero trust have been part of federal standards and regulations for some time, more must be done to succeed, including:

• Expanding our commitment to protecting data at rest, in motion, and in use, to explicitly include being processed. This reflects additional use cases stemming from the emergence of AI and machine learning, which are creating new, mission-critical applications for data.
  
  
• Further controlling user access by employing dynamic trust scoring, which evaluates the state of the identity, the security profile, posture, and behavior of the device, and other threat intelligence data, to underpin access decisions.
  
  
• Deploying tools to prevent data loss at endpoints, edge devices, and in app to prevent unauthorized access.
  
  
• Preparing for post-quantum cryptographic standards.
  
  
• Ensuring adherence to data and system classifications as you integrate applications to foster frictionless business.
   

Four questions to shape federal CISOs’ zero trust approach

For federal CISOs, deadlines from the May 2021 executive order and the planning rhythm for the upcoming fiscal year create opportunities for zero trust investments now. During this time, there are four questions every federal CISO should be asking themselves:

• Have I implemented Progressive Safeguards that protect high-risk, high-value targets through cybersecurity intelligence and risk-based scenarios/tabletops, and also mature from reactive detection/response toward proactive threat hunting?
  
  
• Have I established risk-based identity management and access controls? Does my identity program drive integrated and collaborative risk management across functions?
  
  
• Have I enabled independent/autonomous resiliency through dynamic operations, ensuring continuity of operations while reducing impacts from unpredictable events?
  
  
• Am I building a cyber-savvy workforce that adapts quickly and securely during disruption and change?
   

As federal CISOs move to implement zero trust, these four questions can guide agency action. Effectively implementing zero trust can help CISOs succeed in their increasingly important and complex roles, to better tackle today’s demanding cybersecurity needs.