Earlier this summer, DOD’s Deputy CIO and Senior Information Security Officer provided an update, noting the agency was on track to implement its Zero Trust cybersecurity framework by fiscal year 2027 as planned. Looking to understand the challenges agencies face and how the industry can help move them forward, we caught up with Will Smith, Chief Cybersecurity Architect and Subject Matter Expert with RELI Group. Here, Will shares vital insights for working with government clients and how the industry can help contracting officers support their agencies.
Beginning the Conversation
As with any concept, a discussion with a government client around Zero Trust begins with an assessment to understand where they are in their journey. It’s about the client’s tech environment, personnel, and organizational culture. “I can set up a team to work through your environment and get an understanding of that, but we also need to recognize how you train and enable your personnel to defend against threats,” explained Will.
After establishing the baseline, the client should conduct a specific global threat assessment. “While we can make some assumptions based on previous experience and best practices, it’s always important to identify the nuances of every client’s mission to know what threats they face,” Will said. “Threat actors dedicate themselves to exploiting information for malicious intent in every mission, from national defense to protecting healthcare-related information. An initial Threat Assessment’s primary objective is to identify these actors and gauge the risk to the client’s mission. When developing IT and cybersecurity systems, it’s vital to recognize that an interconnected governance model isn’t merely about its existence, but about actively crafting it.”
With this knowledge in hand, the team can begin to build a plan specific to the needs and threats of that client. “We want to look at how many things they have in place already that can apply to Zero Trust and can be reinforced, perhaps supplemented, or that may need to be changed to close gaps.”
Risk Appetite
Once the team understands the current state of their environment and how it maps to the Zero Trust model, it’s time to discuss the customer’s Risk Appetite. Of course, risk is part of doing business. We aim for acceptable mitigation over eradication, but we need clear visibility to execute the mission confidently. If someone exploits a weakness, it can cause the business to fail, even if you do everything right on the mission/business end.
“Every client is unique, and every customer faces a unique set of risks. While understanding those unique risks is a critical part of beginning the Zero Trust journey, you must start with the initial risk appetite of the client. That may or may not change with the results illuminating the threats to their mission, but you can’t defend against what you don’t know.”
At the outset of planning the infrastructure for Zero Trust, “determining the level of aggressiveness required is crucial before implementing any tools.”
Reducing Risk
With a comprehensive snapshot of who the client is, their risks, and how willing they are to face them, you’re ready to take steps to mitigate those risks. “Clients often want to jump directly to this stage, but you need to build a fundamental understanding first if you’re going to mitigate effectively,” explained Will. That may also involve looking at specific threat actors who are interested in that customer and whether the customer’s tools are helping reduce the risk posed by that threat actor.
Because every organization balances legacy tools, policies, and people, creating an initial baseline, a “this is where you should be today,” can help the client make actionable movement from where they are to that first goal. “That requires a distinct appreciation of that customer and their governance model. It requires establishing a guiding coalition between those who want to advance the mission and the legacy owners of the mission.”
Knowing that sometimes this will require hard conversations and facts about threats to and within an organization, RELI Group brings together expertise and perspective from former feds, cyber and execution experts, and thought leaders who can understand all sides of the equation and drive actionable results. “Being able to speak their language, to make them feel comfortable knowing that you understand them and care about delivering on the mission, is critical. It’s what sets us apart.”
If this conversation has sparked your interest in building your own Zero Trust journey, you can hear more from Will at the upcoming CyberMaryland Conference, happening December 6-7 in Hyattsville, MD. Will speaks about the basics of establishing a secure environment, a conversation based on a discussion at the RSAC 2023 CISO Boot Camp held earlier this year. Or you can always contact RELI Group to arrange a time to talk more about the specifics of your journey – we want to understand who you are and the challenges you face!
About Will Smith
With over twenty years of experience in information security and cybersecurity, Will Smith is a seasoned professional with a solid military background and extensive technical expertise. Currently serving as the Chief Cybersecurity Architect at RELI Group, he has defended the digital assets of more than 16 million users against diverse cyber threats. Will’s career spans astute global operations management and collaborations with organizations like TekSynap Corporation and Hewlett Packard Enterprise, with his foundation rooted in a profound sense of duty developed during his U.S. Navy service.
Years of practical experience and a dedication to keeping up with the latest technological advancements have allowed him to develop a strong technical proficiency, which is the foundation of his professional identity. Constantly adapting to the ever-changing tech landscape, Will’s expertise in creating innovative security solutions and policies makes him a crucial figure in the constantly evolving realm of cybersecurity.
Will is a trusted cybersecurity expert with a focus on innovative solutions.