Connecting state and local government leaders
The cyber-cloud skills shortfall in state government could slow down zero trust implementation, but there are ways to reduce the deficit.
The lack of skilled tech workers in government could undermine the public sector’s ability to implement zero trust, leaving state and local agencies vulnerable in the face of growing cybersecurity threats.
It could take years to build a pipeline of workers capable of implementing zero trust, an effort that could require not only the help of nonprofits and training organizations, but also the federal government, observers said.
The main priority for state governments should be hiring zero trust architects, which help leaders set their zero trust strategy and navigate relationships with vendors, according to Andy Hanks, Montana’s chief information security officer.
Hanks said he first hired a security architect, because zero trust is an “incremental process” and a “series of projects” to be led by an architect, not a not a “single person, process or technology.”
Hanks is also retraining staffers responsible for IT risk management to become certified as cloud security professionals, something that he said requires “different skill sets than your classically trained security people.”
But finding people to fill those zero trust roles will always be a challenge, given the tight labor market for both cloud and cybersecurity professionals in state government. Agencies may increasingly look to contractors or vendors who specialize in some of the areas of zero trust like securing identity, devices, networks or data.
In a bid to try and build a strong knowledge base for existing zero trust employees and demystify the field for prospective ones, some private-sector groups are stepping in. Jim Richberg, public sector field CISO and vice president of information security at Fortinet, said he and other organizations are working on repositories of generalized contract terms, conditions and clauses to help contract officers and other workers understand zero trust requirements, and by doing so work to improve their skills and knowledge.
Pointing people to “exemplars” of best practices in leading states could help standardize zero trust architecture and make current and future employees’ “lives a little bit easier,” he said.
State and local governments may also need to rethink their broader procurement and contracts processes to weave in zero trust architecture and procedures, Richberg said. Public sector procurement officers may be well versed in letting contracts in some areas, he said, but with cloud infrastructure a key target for hackers, those new to zero trust may need assistance in planning for deployments.
The federal government could indirectly improve cloud security contracting by encouraging more state and local governments to use vendors authorized by the Federal Risk and Authorization Management Program or its state-level equivalent, StateRAMP. These programs were established to verify that cloud offerings used by government agencies satisfy standard security requirements.
More states joining StateRAMP could position agencies and their vendors to “replicate” the Biden administration’s 2021 zero trust executive order for themselves, said Dean Scontras, vice president of state, local and education at identity management platform Okta.
The federal government could also help states fill the thousands of vacancies in tech and cybersecurity jobs. The National Association of State Chief Information Officers has regularly called for the feds to partner more with state governments on building and filling the talent pipeline, rather than competing for the same workers.
The use of vendors to provide zero trust services is “unavoidable,” said Brandon Pugh, a policy director and resident senior fellow for the Cybersecurity and Emerging Threats team at the R Street Institute think tank.
But the federal government can help states prioritize their resources and help them make “hard decisions” about where to hire in-house or contract employees, he said, adding that the feds should continue with workforce development initiatives and use those to encourage more people to join public service rather than the private sector.
Even with more robust zero trust strategies at the state level, both Pugh and Richberg said filling those cloud security roles will “take time.”