Interview with Gerald Caron III, CIO of International Trade Administration at the U.S. Department of Commerce.
We’re living in an age where many systems carry copious amounts of data that is critical to our personal, business, and societal needs. As a result, cybersecurity has moved from a side concern to front and center for most organizations and agencies. However, not every cybersecurity requirement must be met with the same approach.
Gerald Caron III, Chief Information Officer, International Trade Administration at the U.S. …
In a recent GovFuture podcast interview, Gerald (Gerry) Caron III, Chief Information Officer of the International Trade Administration at the U.S. Department of Commerce, shared insights on the use of AI, automation, and analytics in cybersecurity, along with his thoughts on Zero Trust, on how security considerations differ across data and systems, and on the rise of new, sophisticated cyber attacks and how government agencies must prepare for a rapidly changing and challenging future and stay ahead of the curve.
The intersection of trade and security
The main mission of the International Trade Administration (ITA), which is not well-known to most of the general public, is to strengthen the international competitiveness of U.S. industry by promoting trade and investment, and ensuring fair trade and compliance with trade laws and agreements, including challenging unfair subsidies for foreign producers and exporters of seasonal and perishable products.
As CIO of the ITA, Gerry is responsible for all aspects of IT for the bureau within Commerce, including its far-flung workforce: the agency has many people overseas, with about 2,200 people making up ITA and supporting its mission. Gerry shares that with that global exposure comes global risk from cyberthreats by international actors.
“I am a big advocate, evangelist, preacher, whatever you want to call it about Zero Trust,” says Gerry Caron. “I got a huge appreciation for Zero Trust because prior approaches to cybersecurity focused on the problem of the day and what size Band-Aid do I need to put on it to fix it? It was very tactical, very reactive. Zero Trust to me was looking at it more as a strategy of how to go about and approach it, and definitely eliminating those stovepipes. As a CIO, of course, I’m responsible for the security posture and the cybersecurity posture of my organization to make sure everything is safe. So if I have to go to the patch person and ask how are we doing on patching, go to the network person, do we have any end-of-life equipment, go to the Splunk person, are you seeing anything strange in the log? I’m going to all these stovepipes of excellence to figure out what is my operational risk posture across my area of responsibility.”
The ever-increasing importance of data
“I need data in order to protect data. And if we get into true Zero Trust and understand the true principles that John Kindervag created at Forrester when he fathered Zero Trust, the five principles,” explains Gerry Caron. “When I describe Zero Trust, I kind of describe it from the inside out. What am I trying to protect at the end of the day? And I always refer to it, and I keep it overly simple, but I’m protecting data.”
“All data is not created equal,” he continues. In traditional approaches to cybersecurity, “We kind of choose the highest value of data and we draw this big circle around it, in what I like to call the Tootsie Roll Pop approach. Then we have the hard outer shell and the soft gooey center. And I kind of trust those people in the soft gooey center. But we know how many bites it took Mr. Owl to break into the soft gooey center of the Tootsie Roll Pop… It only took three.”
“So bad guys, nation state actors and stuff, they’re very well backed, financed, persistent as well about getting information. Identity is the most important thing. But you want to get the right data to the right people at the right time, not all the data to all the people all the time. And if you got compromised, my first question as a cybersecurity analyst is probably going to be, what did you have access to? I’m not talking about you anymore. I’m talking about data. So again, all data is not created equal.”
In another colorful analogy Gerry shares, “I like to use the stupid analogy of a bologna sandwich and crown jewels. I cannot afford to lose the crown jewels. I cannot recreate those. If I lose those, I’m done. But my bologna sandwich, I’m not as concerned about it. If it gets stolen, yeah, I might go hungry and I might have to take the effort to build another bologna sandwich, but there’s plenty of bologna in the world. Did I protect my crown jewels? If we’re doing that Tootsie Roll Pop of security, if my bologna sandwich gets compromised, my crown jewels are going to probably get compromised eventually. So putting our protections closer to those things that are important and then working the way back, how are they accessed?”
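The inside-out, data-tiered approach Caron describes (tighter controls the closer an asset is to the crown jewels, and "what did that identity have access to?" as the first question after a compromise) can be sketched as a small policy check. The following is an added illustration written for this page, not code from ITA or from Caron; the tier names, the session signals (MFA, device compliance, managed network), the asset names and the sample identities are all constructed for the example.

```python
# Added illustration of a data-centric Zero Trust policy check.
# Not ITA or Gerald Caron's code; tiers, signals and inventory are constructed.
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Data sensitivity tiers. Names follow the article's analogy."""
    BOLOGNA = 1        # replaceable; loss is an inconvenience
    SENSITIVE = 2
    CROWN_JEWELS = 3   # irreplaceable; loss is mission-ending


@dataclass(frozen=True)
class Asset:
    name: str
    tier: Tier


@dataclass(frozen=True)
class Identity:
    name: str
    grants: frozenset          # asset names this identity is entitled to
    mfa: bool                  # signals observed on the current session
    device_compliant: bool
    managed_network: bool


# Every signal listed for a tier must hold for access to that tier. Checks get
# stricter the closer the asset is to the crown jewels, instead of one hard
# shell at the edge and implicit trust inside it.
TIER_REQUIREMENTS = {
    Tier.BOLOGNA: ("granted",),
    Tier.SENSITIVE: ("granted", "mfa"),
    Tier.CROWN_JEWELS: ("granted", "mfa", "device_compliant", "managed_network"),
}

# Constructed sample inventory (hypothetical asset names).
INVENTORY = {
    a.name: a for a in (
        Asset("cafeteria-menu", Tier.BOLOGNA),
        Asset("travel-calendar", Tier.BOLOGNA),
        Asset("export-case-files", Tier.SENSITIVE),
        Asset("antidumping-investigation-db", Tier.CROWN_JEWELS),
    )
}


def evaluate(identity: Identity, asset_name: str) -> tuple[bool, list[str]]:
    """Return (allowed, failed_checks) for one access request.

    An asset that is not in the inventory is denied: default deny, not allow.
    """
    asset = INVENTORY.get(asset_name)
    if asset is None:
        return False, ["unknown asset"]
    signals = {
        "granted": asset_name in identity.grants,
        "mfa": identity.mfa,
        "device_compliant": identity.device_compliant,
        "managed_network": identity.managed_network,
    }
    failed = [s for s in TIER_REQUIREMENTS[asset.tier] if not signals[s]]
    return not failed, failed


def blast_radius(identity: Identity) -> dict[str, list[str]]:
    """Answer the analyst's first question after a compromise: what data could
    this identity reach? Entitlements bound the damage, not the posture of the
    session that happened to be observed, so evaluate a worst-case session in
    which the attacker satisfies every signal. Result is grouped by tier name.
    """
    worst_case = Identity(identity.name, identity.grants, True, True, True)
    reachable: dict[str, list[str]] = {t.name: [] for t in Tier}
    for name, asset in INVENTORY.items():
        allowed, _ = evaluate(worst_case, name)
        if allowed:
            reachable[asset.tier.name].append(name)
    return {tier: sorted(names) for tier, names in reachable.items() if names}


if __name__ == "__main__":
    # Constructed identity: entitled to one asset per tier, on a non-compliant device.
    analyst = Identity(
        "analyst",
        frozenset({"cafeteria-menu", "export-case-files", "antidumping-investigation-db"}),
        mfa=True, device_compliant=False, managed_network=True,
    )
    for target in INVENTORY:
        print(target, evaluate(analyst, target))
    print("blast radius:", blast_radius(analyst))
```

Two things the toy makes concrete: the same session is good enough for the bologna sandwich and the sensitive tier but not for the crown jewels, because the non-compliant device fails only the strictest tier's checks; and the blast radius of a compromised account is a function of its grants, so an identity entitled only to bologna-tier data cannot reach the crown jewels no matter how good the attacker's session looks.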
He shares further insights into his approach to cybersecurity, and into ways to differentiate security and data access, in the GovFuture podcast episode. Gerry also appears as a panelist at the GovFuture Forum DC event at George Mason University, where he discusses how AI, quantum, and other technologies are shifting the cutting edge of cybersecurity.