How to build trust in a zero-trust environment: Security leaders share insights

In a security leader roundtable at RSA Conference, experts share insights on taking a zero-trust approach in the age of 'hyperconnected ecosystems'.

Many in the cybersecurity community have been hungry for guidance on where the industry is heading, and how all parts of the community can come together to defend against the next big cyber threat. The longing for better partnership between governmental institutions and private organizations has been around for some time, and the need for such robust partnership has only grown as cyberthreats have proliferated over the past five years. Organizations on their own have made huge strides in technology and innovation, but coordination between individual entities in the private and those in the public sector lags. 

These concerns were highlighted at last week’s RSA Conference 2022, being one of the first times in which thousands from the cybersecurity community could meet together in-person again after the COVID-19 pandemic. Conference organizers decided to call upon three of the industry’s top leaders to sit down for a conversation that tackled these same questions: Building Trust in a Zero-Trust World to Confront Tomorrow’s Cyber Threats. 

The discussion, moderated by Niloofar Razi Howe, a Senior Operating Partner at Energy Impact Partners, included Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Kevin Mandia, CEO and Director of Mandiant, and Sudhakar Ramakrishna, President and CEO of SolarWinds.

Here's a summary of the roundtable discussion on zero trust at RSA Conference 2022.

Get key takeaways from a survey of 300+ security professionals on software security.Plus: Download the report: Flying Blind: Firms Struggle to Detect Software Supply Chain Attacks

Where the security industry stands in a 'hyperconnected ecosystem'

Howe began this highly-anticipated conversation by noting that we now live in a “hyperconnected ecosystem,” which feels more fragile with every new device that becomes connected to it. Mandia was the first to respond to Howe’s set up with a hard truth: the number of zero-days per year has doubled since 2019, and today, there is enough money in cybercrime for more zero-day attacks to continue at a faster rate.

Mandia stressed that with a more complex network than ever before, the threat surface for cybercriminals is larger, and technological advancement has forced these same criminals to attack smarter. He made it clear that bolstering defenses should be the highest priority for organizations. 

Howe then shifted the conversation to hear from Director Easterly about her take on today’s cybersecurity landscape. Easterly has a unique perspective, having both a private and public sector background, and now heads CISA, the agency responsible for defending America’s critical infrastructure (CI) against cyber threats. Easterly became the CISA Director because she felt that our government needed a more cohesive approach to defending CI.

She pointed out that much of America’s CI is owned and operated by private organizations, and cyber attacks targeting these institutions are hard for the U.S. government to detect, as was the case with SolarWinds. With a constantly growing threat landscape, Easterly warned that the community as a whole needs to do a better job of communicating both externally and internally what a shared common ground in defending cybersecurity looks like. 

Ramakrishna’s introduction was up next, and he immediately brought up the elephant in the room: the infamous SolarWinds incident of December 2020, also known as Sunburst. While he was not the CEO of the company at the time of the incident, he made it clear how important it is to take a humble approach after experiencing an attack like SolarWinds. Ramakrishna believes that we need to look at security breaches and other attacks “as a way to learn and as a way to serve,” in order to benefit the greater community. He stressed that organizations who have suffered from an incident need to be communicative and transparent about it, and be willing to improve their operations.  

The viewpoints of these three leaders made for a lively discussion that followed. 

SolarWinds: It's a two-way street

Howe used the SolarWinds incident as context for what she posed next to the panel: what did we learn after, and what could we have done differently as a community? From Easterly’s point of view, it was evident that governmental institutions did not have a good sense of where critical infrastructure stood in regards to security.

For example, Easterly mentioned that SunBurst was not first spotted by the government, but rather by a private entity. The Biden Administration’s May 2021 Executive Order on Improving the Nation’s Cybersecurity tackled this head-on, calling out the need for better public-private partnership to protect the nation’s CI.

Mandia pointed out that the zero-trust model was not enforced enough at the time of SunBurst. He went on to define it: “zero-trust is watching every door that walks out and in,” rather than just paying attention to one flow of traffic. Ramakrishna paid closer attention to a different challenge as a result of SolarWinds: a lack of end-user education. Easterly then chimed in to note that technology companies also need to make it easier for the end-user, promoting a “collective responsibility” approach to the problem. 

Joint Cyber Defense Collaborative: A revolutionary partnership

Easterly continued to stress the importance of private-public partnership in the industry, and mentioned the Joint Cyber Defense Collaborative as an example, consisting of leaders of private and public organizations, with a goal of tackling cybersecurity threats. Despite the presence of this collaborative effort, Easterly did stress that trust both within and outside of the cybersecurity community is low. She made it clear that “we cannot get this job done without trust,” and the industry needs to move away from a “transactional” mindset in order to attain this trust. 

Mandia agreed with Easterly on this, and said that having “competitors” no longer matters, because vendors are working together like never before. This collaboration on the private side of the aisle allows the community to handle issues more quickly as they arise. Ramakrishna also agreed on this, and took it a step further in noting that right now, the industry stands as “to each their own,” which he says is “not getting us anywhere.” Therefore, revolutionary partnership not only looks like better communication between the public and private sectors, but also strong collaboration between private entities. 

How do we build trust? 

Howe brought up that the public generally sees the media and governmental institutions as dividing forces, rather than as guiding ones in times of crisis. She asked the panel how we can build a robust sense of trust from all angles of the community, despite it being a time when trust is at a historic low. 

Mandia stressed that the overwhelming distrust society feels goes beyond the cybersecurity community, and at the end of the day is a “human nature issue.” However, he did note that setting clear and uniform expectations across the board for topical concerns like privacy and anonymity will relieve this lack of trust to some extent. 

Next, Ramakrishna had two solutions. The first: to defragment governmental agencies all working separately on the same cybersecurity and CI issues. He questioned how the average person can trust a series of agencies all doing the same work. And the second solution: the industry as a whole needs to overtly end victim shaming, so that victims can be more trusting of the community’s help in the aftermath of an incident. 

Easterly responded to Ramakrishna’s comments by making it clear that the U.S. government does not want to come across as confusing to the private sector. She shifted to then answer this concern of a lack of trust: building that trust, from the view of the public side, means seeing value added to the community’s defensive capabilities, from all actors and institutions that have a responsibility to make it better. Collaboration from all entities involved is what builds that trust, Easterly said. 

Moving forward: better protections

Howe concluded the panel’s hour-long conversation by asking what we should all be doing to protect ourselves from today’s pressing cyber threats. For Easterly, it’s education. For Ramakrishna, it’s reorganization. And for Mandia, it’s the use of real-time attribution. 

These three leaders, all having unique perspectives and experiences within the world of cybersecurity, mostly agree on where we were, and where we need to go as a community. The strongest agreement, however, was a key theme throughout the discussion, is that progress must continue if the community desires a secure future.