The head of IT at the Department of Justice (DoJ) today laid out how zero trust must be incorporated into the five strategic pillars of “good IT operations,” including enhancing cybersecurity and elevating the workforce.
During her keynote speech at the Visualyze Zero Trust Security Summit in Washington, D.C. on Feb. 29 – hosted by Gigamon and MeriTalk – DoJ Chief Information Officer (CIO) and Deputy Assistant Attorney General for Information Resource Management Melinda Rogers emphasized that zero trust does not exist as an entity on its own. Rather, she said, “It is very much a part of overall IT operation.”
“Zero trust needs to be incorporated into what I consider to be some of the strategic pillars of a good IT operation,” Rogers said.
The CIO laid out the five key pillars for good IT operations that zero trust must be built upon: enabling service delivery; enhancing cybersecurity; embracing innovation; elevating the workforce; and expanding the accountability of IT investments.
Rogers said that enabling service delivery and enhancing cybersecurity are “yin and yang” of each other – meaning that the two IT operations are interconnected, mutually perpetuating forces.
Enhancing cybersecurity starts with the core tenets of zero trust, Rogers preached – knowing what you have in your environment and who you have in your environment.
“This starts with asset inventory management. I know it sounds completely not glamorous, but it is so foundational and so important to have a good robust cybersecurity program,” Rogers said. “You need to know what you have so you know how to manage it.”
“It’s always going to look worse before it looks better,” the DoJ official said. “So, if things were really bad you should comfort yourself in that now you know what activities you need to take on to fix those issues.”
Rogers noted that all IT professionals should read and often refer back to the National Institute of Standards and Technology (NIST) documents on zero trust and cybersecurity: SP 800-207, SP 800-53, and FIPS 200.
Zero trust should also focus on enhancing service delivery, Rogers said during the Visualyze Zero Trust Security Summit today.
“I think it’s important, as we are professionals in the IT arena, we really focus on the services that we deliver, the products that we produce – that they’re intentional, they actually solve a business problem, hopefully they’re well designed,” she said.
“When I say well designed, I mean a does it fulfill the intention it’s supposed to fulfill. Does it do what it’s supposed to do? Believe it or not, that’s actually kind of a tall order,” Rogers continued, “It sounds so simplistic, but you’d be surprised how many times things that are built don’t quite meet what it is totally expected on the front end.”
The third pillar – embracing innovation – is “not just about adopting the latest, shiny new project” but it could be “a combination of people, process, and technology,” Rogers said.
The DoJ CIO emphasized that elevating the workforce is also critical to an organization’s zero trust journey.
“I still believe that human resources remain one of our most critical assets at the moment in our organizations,” Rogers said. “I know there’s a lot of talk about artificial intelligence … but at the end of the day, at least where we are today, we still need that human, that smart human, to put guardrails around what we’re trying to do with AI, to tune it, to enhance it, to deploy it.”
“We need to take care of our people. We need to give them an opportunity to upskill, to learn the true craft, and hopefully as leaders of organizations you will inspire your folks to want to do more and do better for the organization,” Rogers said as she addressed the crowd during her keynote speech.
Her final pillar – expanding accountability for IT investments – revolves around the idea that “IT is just not cheap” and more people need to be involved in the buying process and “thoughtful and intentional” about spending on IT.
“There’s a lot of cost that comes with upgrading an IT system. It’s not just about, ‘Gee, I have a good idea, let me see what IT solution I can spin up,’ because once you spin it up, it’s going to take a minute to decommission everything off, and there’s a lot of IT debt that typically comes with spinning up the system,” Rogers explained.
“I think for the right reason we should be doing it,” she concluded. “I am just suggesting that we all be very intentional about how we invest in information technology, and the responsibility that doesn’t just rest on the be powers and the accountants or the IT operators, but I think as business executives we need to own the IT projects and when it’s being delivered, we have to make sure that there’s sufficient funding to cover the requisite costs.”
