Remember user experience in the zero trust journey
Education, user-friendly technologies and leadership buy-in can help bring employees onboard.
Agencies must prioritize the user experience as they move toward zero trust architecture, experts said, to both ensure a smooth transition to new security requirements and make certain ongoing requirements do not become too onerous.
The need for a smooth user experience is especially important when implementing the identity pillar of the five zero trust principles as outlined by the Cybersecurity and Infrastructure Security Agency. Since identity validation has arguably the most direct impact on individuals, agencies must ensure that the benefits of multifactor authentication policies are explained fully to employees and give them the opportunity to engage on new policies and explain any shortcomings they find.
That human side of zero trust, which can sometimes be lost amid a blizzard of cybersecurity rules and terminology, is the “soft side of technology,” said Aaron Drew, senior enterprise solutions architect in the Office of Information & Technology at the U.S. Department of Veterans Affairs, during a panel discussion at the recent Zscaler Public Sector Summit in Washington, D.C.
A crucial part of the user experience for governments on their journey toward zero trust is helping agency employees understand new cybersecurity processes and why they are important. Those procedures could be requiring tokens or other identity verification methods for multifactor authentication or taking away legacy systems that may be less secure than newer alternatives, Drew said.
Helping employees understand why “their normalcy has been redefined” is a challenge, but when IT teams engage with workers early and often, users can “understand the gravitas of what this is all about,” he said.
“[If] I now have to tell someone that there's now an extra step or two in order to access that application that is different from what it was last week,” Drew said, “at the end of the day, I need them to be OK with it.”
And implementing those new processes and policies designed to better protect cybersecurity will take an “organizational effort” that goes beyond cybersecurity staff and should “include your user population early,” advised Gerald Caron, chief information officer at the Department of Commerce’s International Trade Administration.
“Don't look at it as a cybersecurity project,” he said during the summit. “It's a modernization project.”
New Jersey Chief Operating Officer Roger Gibson agreed, adding that IT officials should be prepared to “articulate that story, that narrative, at multiple different levels,” including at the highest levels of government. Leaders might be skeptical, he said, but when they follow best practices and lead by example, they set the tone for the rest of the organization.
To modernize security, agencies might need to “change their mindset,” Sean McCann, Zscaler’s regional vice president of state and local government and education, said in an interview on the sidelines of the Public Sector Summit. He said it is a “work in progress” and may take several years, but if done properly it could result in agencies and organizations having a better cybersecurity posture.
“You have to basically show these folks that there's a better, more efficient way to get better security outcomes,” McCann said. “If they all work together, they're going to get much better output and have much better protection.”