An official from the Department of Health and Human Services (HHS) said today that when implementing zero trust security architectures, the real change is not a technology change, but instead a “cultural change” within the organization.
At ATARC’s Federal Security Breakfast Summit on April 14, Nicole Willis, the chief technology officer of HHS’ Office of Management and Policy, Office of Inspector General, explained that her agency is currently building a strategy to integrate zero trust into HHS’ culture.
“It’s not just a technology change, we’re doing cultural change efforts and changing our communication,” Willis said.
“We’re really working on the strategy around how do we change our business operations to manage a multi-cloud environment and make sure that we’re building things – building in security and zero trust architecture from the start,” she added. “And enabling the development teams to be part of the zero trust and cyber practices.”
One way HHS is doing this, Willis said, is through employee trainings centered around zero trust. These may come in the form of a “zero trust 101” training with staff or a “why is zero trust important to everyone” training with the entire OIG community, she said.
Willis explained it’s important to educate everyone on zero trust and bring the users in the community in to be a “part of zero trust” so that they can be “comfortable with the concepts.” Willis’ explanation piggybacked on HHS OIG CIO Gerald Caron’s talk earlier at the summit, which focused on the importance of communication and collaboration in building a zero trust architecture.
“Sometimes they’re scared. They think zero trust is just going to kind of lock down everything,” Willis said. “But in some cases, I like to present it as if we’re securing the data and applications, they sometimes have more flexibility to do the things they need to do but in a secure manner.”
Jonathan Alboum, Federal CTO and principal digital strategist for the Federal government at ServiceNow, agreed with Willis and said he’s found it helpful to also explain zero trust to Federal employees in terms of the mission.
“We do IT in the Federal government, not because we’re technology organizations, we do IT because IT is the foundation for the mission delivery plan,” Alboum said.
“If you can make the connection between these changes that you have to make for zero trust and the architectures we’re going to implement, the way we need to build systems, and you tie that back to the mission outcomes, the people HHS serves… well now the people who are required to make some change they can see a little more incentive in doing so,” he added.