
Convincing users key for zero trust rollouts, city CISO says

Washington, D.C., Chief Information Security Officer Suneel Cherukuri said many government employees were resistant to tightened security controls in their digital workspaces.
Washington, D.C., Chief Information Security Officer Suneel Cherukuri speaks at CyberScoop's Zero Trust Summit in Washington, D.C., on February 19, 2025. (Scoop News Group)

Implementing a zero trust cybersecurity strategy is simple in theory, but gets increasingly complicated as the infrastructure gets closer to the user, Washington, D.C., Chief Information Security Officer Suneel Cherukuri said at an event in the city Wednesday.

Cherukuri, who has been the district’s top cybersecurity official since 2018 and has worked with the city government for more than 12 years throughout his career, said that because of this complexity, Washington, D.C.’s focus on zero trust is “just going to keep going on.”

Zero trust architecture, which places additional security controls and safeguards inside of networks, has become more popular with government in recent years as agencies sunset their perimeter security models, in which most or all security measures are aimed at preventing unauthorized users from breaching the outer perimeters of networks.

“It’s not going to stop,” Cherukuri said at a cybersecurity event hosted by Scoop News Group. “It’s not going to be like ‘we have implemented everything.’ Once we complete an implementation, obviously the technology changes, new features and new functionalities come in and our journey starts all over again.”


Cherukuri said convincing senior leadership in the Washington, D.C., city government of zero trust’s importance was easy.

“We need zero trust,” Cherukuri said. “[Senior leaders] did not have to understand a lot more than we have the data, and we need to understand who is accessing our data and why, and how we can make sure they’re doing it for the right purposes.”

Cherukuri said the hardest part of the job is to explain to end users — “the people that actually do the real work” — that they need to adopt zero trust. He said it’s hard not to be perceived as a barrier to getting work done.

“We started talking to individuals as a user, as opposed to an executive or a CISO,” Cherukuri said. “So we talk about what they’re trying to do, how they’re actually looking at it, understand their business requirements, their processes, what they have today, and rolling those into our zero trust strategy discussions actually started helping what we do today.”

“We’re so used to our habits, to do things ‘my way,’” Cherukuri continued. “Five years ago, I could never imagine myself not having admin privileges on my laptop. I would say there’s no way that I could do my day-to-day job without having full admin access.”


Cherukuri said the “excuse” he provided was that he was a security professional and needed to have access to every network device.

“It was so convincing, and I still keep trying to convince myself right now that I should have that kind of access,” Cherukuri said. “But if you really look at where we are and how the technology has improved, I don’t need the access.”

Cherukuri said the endless journey to zero trust will be more bearable if the district can ensure users aren’t overly burdened by security checks during their daily work.

“How do we talk to the people about it? It’s very important,” Cherukuri said. “How do we get to our staff, our workforce, our leadership? I always say that cybersecurity is common sense. Obviously there will be mistakes. The threats are becoming really serious, that means we need to make sure that our zero trust journey starts with communicating with our workforce as much as we can.”
