Three years ago, the White House released its Executive Order on Improving the Nation’s Cybersecurity, and included in it was a call for agencies to develop plans to implement zero trust architectures. The order, and subsequent guidance from CISA, marked the start of a zero trust journey for agencies and mission partners alike.
So, how are we doing?
Many agencies are making progress and are to be congratulated for their consistent and committed efforts to adopt zero trust as the default security approach. Others are moving more slowly, and that’s ok. Zero trust is complex and requires a mindset shift that moves beyond just compliance. It’s about security and enabling critical missions, and about acknowledging that protecting a network perimeter is not enough. Our adversaries are advanced and only becoming more so. The same is true of the techniques they use to do harm. They only need to be right once; we need to be right all the time. That’s a tall order in the best of circumstances. It’s impossible without the shift in thinking that zero trust ushered in. So, as we approach the anniversary of the Executive Order, three things stand out to me as indicators of how far we’ve come and what still remains ahead.
The Organizational Shift in Thinking Continues
We have shifted our thinking away from the perimeter. But we need to shift more. We need to build resilience into architectures because we can't defend against 100% of attacks. There will be breaches. What’s important is that data is protected, and resilience is prioritized. Software-defined solutions can help ensure we are constantly evolving and updating our toolset – because zero trust is a journey of continuous improvement and innovation.
The Complexity of the Environment is Changing; We Must Also
Second, the complexity of the environments in which we operate is changing all the time. The need for all-domain information has driven an exponential increase in connected operational technology and internet of things (IoT)-enabled devices and sensors. There’s more AI and machine learning-based technology on our networks than there’s ever been before – and still less of it than there will ever be again. This is all going to remake the balance of security and new technology, and it'll be harder than ever to maintain. Our zero trust approaches need to evolve in kind. And, for the most part, they are. Our guidelines are constantly changing and that is a good thing.
Zero Trust IS Enterprise Modernization
Finally, the last three years have shown that, today, zero trust is enterprise modernization. As agencies prepare for the future, there is a need to accelerate software development and to become more efficient with the services that they have. Zero trust supports this objective because it allows teams to take advantage of existing infrastructure and use tools in a more data-centric way. It also sets teams up to experiment and use AI, as one example, more readily and more easily because it requires teams to look at security at a data level. AI can identify activity that is unusual and detect slight variances that humans can’t, which can help to address future threats. As agencies envision the future and their use of the emerging technologies that will comprise it, zero trust is an enabler of that vision.
These are the kinds of conversations we have with customers all the time at GDIT. We imagine the art of the possible and technology’s role in bringing that to life on a customer’s mission. Three years into the zero trust journey, “the art” and “the possible” are changing – and that’s exactly how it should be. It’s also exactly what we monitor and shape for our customers and partners.