Why agencies need containment, not just more cyber tools

Strong mission continuity depends on closing the gap between detection and containment.
Federal agencies do not have a cybersecurity spending problem; they have a resilience problem.

That may sound counterintuitive when government is under constant pressure to modernize defenses, advance zero trust, and keep pace with a threat landscape that grows more complex every day. But one reality is becoming harder to ignore: More tools do not equal more security. In many cases, they increase complexity and slow the very response security teams rely on.

Recent research points to a persistent gap between detection and containment. While 95% of IT and cybersecurity leaders said they are confident they can detect unauthorized lateral movement, 46% said their organizations struggle to stop attackers once they are inside. Only 17% said they can isolate a compromised asset in near-real time.

For federal agencies, that gap has direct consequences for mission continuity. Mission continuity depends less on how many alerts a team can resolve and more on whether an intrusion can be contained before it spreads across interconnected systems and environments.

Moving beyond tool-driven security

Like most large organizations today, agencies are operating in an environment where security response is increasingly reactive by necessity, not neglect. A new threat appears, and the answer is another tool. A new mandate arrives, and the response is another dashboard. A new vulnerability dominates headlines, and teams are pushed to prove they can see it, scan it, and report on it.

That creates activity. It does not always create resilience, and it can leave agencies architecturally exposed. Disconnected controls create fragmented visibility, uneven policy enforcement, and too many handoffs during an incident. The result is a security posture optimized for detection and response, but not necessarily for containing damage or keeping operations on track.

Many zero-trust efforts stall at the same inflection point. Agencies have improved identity, access, and visibility, but the real question is whether those gains materially reduce risk across the environment. Zero trust delivers value when it translates into tighter access, consistent visibility across hybrid systems, and clear limits on lateral movement during a breach.

Many of the biggest risks to resilience remain rooted in the fundamentals. The research found that leaders cite IT vulnerabilities, employee error, and fragmented IT and operational technology environments among top cyber risks. Those are not signals that more tools are needed. They point to the need to apply zero-trust principles more effectively to strengthen the environment itself.

For federal agencies, that starts with a shift in mindset.

Containing intrusions before they spread

Resilience starts with clarity about what truly cannot fail. Treating everything as equally important is one reason security teams get overwhelmed. Resilience depends on knowing which services and systems must remain available, even during an active incident.

Reducing implicit trust inside the environment is equally critical. Some attackers will breach the perimeter. The bigger issue is the level of access they have once they are inside. Least privilege still matters, especially in hybrid environments where users, workloads, applications, and third parties are connected in ways that are difficult to govern in real time.

Finally, resilience requires limiting how far a compromise can spread. This is where segmentation becomes practical rather than theoretical. The goal is not another perimeter; it is to contain an intrusion to a small part of the environment, so one compromised system does not become a broader mission disruption.

This is where zero trust becomes operationally meaningful. Agencies must assume breach, protect core systems, limit the spread of compromise, and preserve operations even during an incident.

Federal agencies understand that prevention is not perfect. The challenge now is making sure detection is matched by containment. A mature security program is not defined by how much it sees; it is defined by how well it can absorb a hit without disrupting the mission.

That is what cyber resilience should mean now: not assuming every attack can be prevented, but ensuring no single intrusion can take down what matters most.

Gary Barlet is the public sector chief technology officer at Illumio and the former CIO of the U.S. Postal Service Office of Inspector General.

Written by Gary Barlet