With organizations across the Federal space challenged to meet the needs of Zero Trust, we caught up with Matthew Martin, Information Security Director with Disruptive Solutions. He brings experience as a SME with DISA’s Assured Compliance Assessment Solution (ACAS); with DOD contacts, primarily supporting Army Training Requirements and Resources System (ATRRS); supporting the Department of Education’s Federal Student Aid; and most recently providing security engineering and architectural direction to improve the cyber security of Patent and Trademark Office (USPTO) and Bureau of the Fiscal Service (BFS) enterprise processes. We looked to learn more about the Zero Trust journey, the automation opportunity, and how one pain point can lead to a change in perspective.
SME Defined
The label SME is broadly applied to people with extensive knowledge on a certain product, related to a specific audience or capability. In the case of Matthew, it quickly becomes apparent that SME equates to something more akin to an orchestra’s conductor, understanding how to balance distinct tools for different security products, looking at the full ecosystem of security services, mapping, conducting gap analysis and recommending solutions.
“Ultimately the goal is understanding how we do things better. How do we leverage what we have, how do we incorporate new guidance, and who do we need to work with. Can we establish a framework, utilize cloud native solutions, and build better processes that are interconnected between teams?”
Today, a big part of Matthew’s work is helping agencies understand Zero Trust directives and constantly updated guidance. “CISA’s Zero Trust Maturity Model is a guide to help agencies take a holistic approach to Zero Trust, but it needs to be broken down into manageable chunks, and it takes someone who can relate those Zero Trust functions to the ongoing initiatives happening within their organizations.”
The Zero Trust Journey
Over the past decade there has been an evolution in security with greater restrictions and greater definitions of where security needs to be applied. The challenge Matthew tackles is looking at where an agency is in its maturity and helping apply a maturity rating to help move them from A to B.
“It comes down to gap analysis again, taking the Zero Trust terminology, discussing with a CIO or CISO where their organization is in terms of maturity. Are they doing some of it or all of it? This knowledge helps piece together a roadmap of which initiatives need attention this year, or next. It helps drive a picture that you can take back to your system owners, and they can understand the enterprise perspective behind it all.”
Matthew notes that within every organization there is limited influence between different segments on what others are doing, yet Zero Trust requires a holistic approach across the enterprise, across application teams, data and network teams, and security teams, and a requirement that everyone works together. “One of my goals is to create a data fusion, to marry all of the components together in a dashboard or display so leadership can make informed decisions about strategic initiatives.”
Having been involved in various aspects of the work throughout his career, Matthew helps fill in that gap of the grind work, not taking the CISO into the weeds but seeing the bigger picture of how all the information needs to flow between different teams.
Automation
Part of the challenge, and of the delay in many processes, is the manual component: the email that must be sent and then waited on, in the hope that it will be read and that a response will be forthcoming. “What if we were all working from the same dashboard that would allow us to drill down into specifics, or roll up for someone else? How do we relate activities and data to each other to provide a more holistic picture?” The journey of optimizing internal processes and introducing automation begins with understanding the products that each team within the organization is responsible for. “I enjoy learning different business processes, so that I can describe each one’s inputs and outputs, determining the technology at play and connecting them.”
Moving beyond a security aspect, this kind of overarching view solidifies smoother operations, ensures decisions are made based on all available data, that responsibilities are known across the organization, and that the source of truth for one arm is the same as for another. “It’s important to know that introducing automation and standardization does not take away a person’s job or diminish their value to the organization. On the contrary, by automating the mundane, grindy work, staff are unburdened and provided with the opportunity to focus and work on higher-level, big picture improvements which benefit the organization.”
Removing the Pain Point Load
As with any job, within the field of security there are repetitive tasks that, if eliminated, would allow people to do things that are more meaningful, more impactful on ensuring the security of what you are responsible for. “Maybe you can never start talking about multi-factor authentication because you’re always focused on keeping up with patches. If I can create that understanding, that, oh so if I didn’t have to do x because that can be automated, then I can actually find time to do y, people see the light for the most part.”
When the end result seems too far away, too grandiose, then the focus pivots to smaller chunks, to quick wins, to that one pain point it is agreed is worth eliminating. “That isn’t the conversation I have with CISOs because they have that big picture view, know where they want to be. That is the conversation I have with the people doing the work, the people who are most impacted by the day to day.”
“It’s fun for me, to get me in front of someone who wants to talk about this kind of stuff, and I can show them a whole other world.”