Conversations With CXOs: Your Crash Course on the Future of Gov



“At some level, all things being equal, I would pick grit and persistence over the smartest person in the room.” — Taka Ariga, Chief Data Scientist, Director of Innovation Lab, Government Accountability Office (GAO)

To help government employees develop a working knowledge of current trends in IT, Carahsoft and GovLoop have partnered to provide resources on the latest federal, state and local tech innovations that are shaping how government operates. With new insights into their agencies’ operations and services, employees are empowered to take part in transformation and fuel innovation.


Contents

Executive Summary
Blazing a New Career Path
The New Career Competencies
» The Case for Digital Literacy
» The Future of AI Hangs on Ethics, Trust
» Q&A: Getting Schooled on Zero-Trust Security
» 3 Tenets for Advancing Equity in Your Everyday Work
The Career Corner
Takeaways


Executive Summary

For government employees looking to build successful and satisfying careers in public service, the curriculum is changing. It’s not enough to develop mastery of agency processes and policies or to stockpile continuing education credits on traditional core competencies. Instead, public servants need to develop a working knowledge of current trends in IT and management that are reshaping how government operates. IT and management: That’s the operative phrase. Technology is continually improving the efficiency of work processes and the productivity of employees. But efficiency and productivity only go so far. It’s at the intersection of technology and management that real change is happening. Agencies are gaining new insights into their operations and services, and using those insights to fuel innovations across their organizations. Government employees at all levels have the opportunity to be part of this transformation, but they need to get up to speed on the key trends. Where are they to begin? For this guide, GovLoop, in collaboration with Carahsoft, interviewed chief information officers, a chief data scientist and other senior leaders in federal, state and local government about four competencies that could be critical to the careers of public servants:

Analytics

Artificial intelligence

Zero-trust security

Equity

In addition, we asked these leaders to share career tips, their own lessons learned and other insights that can help govies develop their all-important soft skills. We hope you find this guide both educational and enjoyable.


Blazing a New Career Path

Over the past 18 months, COVID-19 has forced government employees to adapt in new ways, revise long-standing processes, learn new skills and get smart quickly on a host of software applications and tech features rolling out across their agencies. They’ve also had to rethink workplace policies and how to better serve customers via digital services. For some employees, job requirements and responsibilities have shifted too, forcing them to upskill or reskill into new roles required in an increasingly tech-enabled world. Let’s take a look at some of the key developments driving government employees to deepen their knowledge in areas at the intersection of IT and management.

Did you know? “By 2022, at least 54% of workers across the world will need significant reskilling in order to keep up with the pace of technological innovation.” — Future of the Federal IT Workforce, May 2020

Demand for Digital Services

Driving factors: State employees in California were tasked with modernizing the technological backbone of the country’s largest DMV, all while ensuring services were available during the pandemic. This meant that some 1,200 employees, including call center and field office employees, had to adapt to a new cloud-based service that allowed them to securely access department data from home. Employees also had to adapt to new workflows aimed at helping them process customer applications faster. The department used its new platform to give customers the option of remotely uploading their documents to the cloud, enabling the DMV to authenticate them before their appointment. As a result, the department has succeeded in shortening the time DMV staff interact with customers to complete the federally mandated Real ID applications from 28 minutes to 10.

Lessons Learned

☑ Challenge conventions and assumptions.
☑ Encourage staff to ask why processes exist.
☑ Don’t make assumptions. Ask employees and external customers what they need.



“Changes in management practices and policies in [response] to the pandemic have driven widespread speculation about how workplaces might look and function post-pandemic. Sweeping changes to agency designs, for example, have meant a substantial portion of Federal employees have worked in technology-mediated contexts, completely remote from traditional worksites.” — 2020 Federal Employee Viewpoint Survey

Influx in Funding Disbursements

Driving factor: The urgent need to rapidly disburse pandemic relief funds has been — and will continue to be — an ongoing demand on government employees. Whether you’re in finance, grants management or another department, chances are the rush to disburse funding will likely directly or indirectly affect you and your colleagues.

That was the case for local employees in the town of Silverthorne, Colorado. Adaptability and resilience were key in coordinating both the time and method through which the town would make businesses aware of the relief funds in April 2020, verify their eligibility and disburse the money. “It wouldn’t have been possible with paper applications … and faxes,” Finance Director Laura Kennedy told GovLoop. On top of that, her team had a limit on employee overtime because of budget constraints brought by COVID-19. Kennedy credits a team member who’s familiar with the business license process for suggesting that the town tap into existing technology investments to streamline grant disbursements.

“If you have a good technological ecosystem, and a staff that understands it, you can stay ahead of the game,” Hughey Newsome, Chief Financial Officer (CFO) for Wayne County, Michigan, said during a July GovLoop online training. State and local governments like Montana and Wayne County have received millions of dollars in federal aid from the American Rescue Plan (ARPA) and the CARES Act. The scale of funds they must now manage has created newfangled challenges, as well as fresh opportunities for creative thinking.

Lessons Learned

☑ Tap into the expertise of technology power users.
☑ Consider what existing tech features might be relevant but underutilized.
☑ Help colleagues understand how technology supports new and existing processes.



Do you have what you need to effectively do your job?

Access to technology and opportunities are key as employees seek to deepen their knowledge in areas at the intersection of IT and management. Here’s what federal employees said when asked about their experiences at work:

Expanded information technology (IT) support
Needed and available to me: 54%
Needed, but not available to me: 15%
Not needed by me now: 31%

Information about data security policies and procedures
Needed and available to me: 64%
Needed, but not available to me: 8%
Not needed by me now: 28%

I am given a real opportunity to improve my skills in my organization.
2016: 63%
2017: 64%
2018: 66%
2019: 67%
2020: 70%

I feel encouraged to come up with new and better ways of doing things.
2016: 58%
2017: 59%
2018: 61%
2019: 62%
2020: 67%

Source: 2020 Federal Employee Viewpoint Survey



Industry Spotlight

Edge Computing Raises Ransomware Risk

An interview with James M.T. Morrison, Distinguished Technologist for Cyber Security, Hewlett Packard Enterprise

Agencies could pay a steep price, literally, if they do not secure the growing volume of data at the edge of the network. The problem is that edge computing – in which data is being aggregated, accessed or processed outside the network perimeter – is leaving data exposed to cyber criminals who see an opportunity to make money through ransomware schemes.

According to Gartner, a research and consulting firm, edge computing will grow 75% by 2025. In government, the surge is being fueled both by a growth in end-user devices in mobile and remote computing and in non-traditional devices associated with the Internet of Things (IoT) and operational technology (OT), such as sensors and cameras.

In many cases, agencies support edge computing by moving data into the cloud, rather than requiring end users or devices to go through the data center. This hybrid cloud environment mitigates performance and latency problems but also makes the network perimeter even more porous. “You’ve got to think, ‘How do I secure that? How do I secure every device on my network?’” said James M.T. Morrison, Distinguished Technologist for Cyber Security in the Office of the North America Chief Technology Officer at Hewlett Packard Enterprise. “How do I make sure that every device has the proper authentication and authorization?”

Ransomware Reality Check

Agencies might think that much of their data would be of little interest to cyber criminals. But when it comes to ransomware, many malicious actors are not necessarily looking for data they can use but rather data that agencies cannot afford to lose or to have exposed – what’s known as dual extortion.

For example, let’s say a cybercriminal steals body camera data from a law enforcement agency. While the agency might be able to restore that data from backup systems, it still might pay to avoid having that data published online.

“Probably 90% of cybercrimes are driven by money,” Morrison said. “That’s a nuance that government agencies really need to understand.”

Zero Trust at the Core

Increasingly, zero trust security is seen as essential to addressing the challenges of edge computing. “It’s the idea that everything you add to your network needs to be secured,” said Morrison. In practice, zero trust requires agencies to build a system for authenticating and authorizing every end user and device attempting to access a network resource. This capability provides a “core of security” on which to lay applications and devices, he said.

The Transformation Journey

There are no shortcuts to better security. Instead, agencies should focus on incorporating security into every aspect of their digital transformation. That is the approach HPE brings to its customers when assisting them on their transformation journey. “Security is built into the core of everything we do,” Morrison said. “We’ve built security into our servers, the core of our network devices, the core of our hybrid cloud models.” “And we do believe the future is cloud,” he added. “And the future is the edge, and security is going to be part of that.”



Demand for Cyber-Savvy Employees

As governments increase access to online services, the need for cyber-savvy employees to protect those digital assets and data also increases. Federal, state and local governments are desperate for cybersecurity employees, from entry to management.

Federal: There are discussions about how and what a cyber apprenticeship program would look like. So far, the federal government has graduated two cohorts from its Cyber Reskilling Academy, which showed both promise and challenges for how to create new career paths for people without them being forced into lower pay grades.

State and local: “Almost every state offers cyber training for executive branch state employees,” according to the National Conference of State Legislatures. “In most states, this training is voluntary.” That was back in 2017, but with the rise of ransomware and cyberthreats, training demands are evolving. Here’s a list of security training offerings by state.

Did you know? “There are over 150 apprenticeship programs across the federal government that enroll nearly 1,500 apprentices spanning healthcare, financial services, transportation, and skilled trades occupations, yet thus far no programs for cybersecurity work roles.” — NIST.gov

Rise of Artificial Intelligence in the Public Sector

As the AI conversation evolves in government, there’s a recurring question and concern that is regularly raised: How are agencies preparing the workforce? Gone are the days when only IT staff had to understand the inner workings of technology. Now supervisors and employees must also understand how the algorithms and tools they are working with draw conclusions and affect outcomes.

“Establishing governance structures and processes at a system level helps managers ensure the AI system achieves its intended outcomes and complies with relevant laws and regulations.” — Government Accountability Office



The New Career Competencies

In an interview with GovLoop, a chief data scientist talks about the importance of data literacy. Govies, he said, need to be familiar with the core concepts of data and how it works, even if they have no need or interest in becoming experts. The same might be said of all the competencies discussed here. In the following interviews, senior government leaders share insights into a new and evolving set of career competencies.


The Case for Data Literacy

An interview with Taka Ariga, Chief Data Scientist, Director of Innovation Lab, Government Accountability Office (GAO)

The worth of data literacy is like the value of a general contractor in a home renovation. Maybe you’ll need a plumber to redo the kitchen or a structural engineer to add a bedroom – but to successfully complete the remodeling, you need a general contractor to coordinate the right resources and understand the overall state of the project.

At the Government Accountability Office, general contractor proficiency is the goal for data literacy. Much like when remodeling a home, not everyone needs to be a data specialist to make essential professional judgments – but everyone must be data literate to evaluate the data that impacts their work. “We’re not trying to make them into statisticians or data scientists,” said Taka Ariga, GAO’s Chief Data Scientist. “We just want to make sure they understand the core concepts, can supervise them accordingly and know what right and wrong looks like when they scope these types of capabilities in their work.”

Without data literacy, employees by definition defer judgment to those with statistical, mathematical or data science specialties – even when they already have domain expertise and experience. This isn’t a best practice, not in GAO’s book. With or without data backgrounds, all employees can possess a basis of assessing the appropriateness of data methodologies, outputs and contexts in their line of work. When they do, they create a data-driven organization.

Who Are the Key Players?

The key players are middle management. Junior staff who are “digital natives” may innately understand how to use data for their jobs, but they don’t always understand why they should. Senior leaders may understand why data literacy is foundational to evidence-based policymaking, but they don’t always understand how it is done. “It’s the middle layer that has to understand not only the why, but the how,” Ariga said. The challenge, frankly, is that data literacy is not part of official performance evaluations. Already juggling a full load, data literacy can seem superfluous and even daunting for middle managers and staff. Training for maybe later, maybe never. GAO tackles this challenge by articulating the benefits directly to performance criteria. It ceases to be a waste of time when staff understand that applying data science will help them execute audits more efficiently, save time and make stakeholders happier. It becomes less daunting when they understand data skills as an additional professional judgment that gets layered on top of their existing skill sets. And it becomes vital when they realize data literacy keeps them in control of their judgment calls, not passed over to data specialists.



What Are the Best Practices?

To institute a data literacy framework, it must be in alignment with the agency’s mission. “We don’t want to treat all data literacy as equal,” Ariga said. Someone who works in national defense requires different data skills from those in environmental or financial management auditing. “We firmly believe it’s not a one-size-fits-all approach,” Ariga said. Training must be catered to tradecraft. It’s the reason GAO is creating its own data literacy curriculum specific to the oversight community, instead of relying on third-party training that focuses on generic, often commercial aims. Additionally, the best time for people to learn data skills is when they actually need them. On-demand tools such as microlearning videos and a walk-in Genius Bar ensure staff can access data solutions and build literacy when they need, instead of waiting months to register for a class. Hands-on learning is also key. You don’t learn how to ride a bike by reading a user manual. “You ride the bike,” Ariga said. At GAO, a sandbox construct assures freedom to practice new skills without the fear of failure. Employees may not want to conduct a complex regression analysis for the first time on a big project. But they can do it comfortably in a closed safe space.

What Should We Avoid?

Avoid building a data literacy echo chamber. When one person’s perspective drives the entire framework, it can build in implicit and explicit biases.

“It’s not ‘Take the Chief Data Scientist’s word as golden,’” Ariga said. GAO’s data literacy framework involves learning center staff who understand how people absorb materials, statisticians who understand the technical mechanics of what is being taught, experience designers who understand the impact of the interactions staff undergo to access training and so on. This ecosystem of curriculum builders is important because there must be an ecosystem of learners to sustain a data-driven organization. “The goal of data literacy is not that we train Bob, Suzy and Michael, and they go into their little corners of existence and don’t talk to each other,” Ariga said. “Having that ecosystem of a community of practice is an important sustainment tool. Otherwise, we’re just going to be repeating the same data literacy concepts over and over again.”

5 Tips for Data Literacy

1. Understand how data literacy impacts and applies to your agency’s tradecraft.
2. Use in-house talent to build the program.
3. Focus on the art of the possible.
4. Treat data literacy as a team sport.
5. Create an ecosystem of learning and practice.

“Treating data literacy as a team sport is paramount,” Ariga said. And it’s how GAO is approaching it.



Industry Spotlight

Why Stronger Security Hinges on Identity Data

An interview with Wade Ellery, Vice President of Solutions Architects and Senior Technical Evangelist, Radiant Logic

At the crux of every cybersecurity strategy is an identity data management challenge: How much information does an agency need to verify the identity of an individual requesting access to network resources? As it turns out, a lot.

To understand the risks posed by an individual, you need to assess a wide array of identity data: not just their credentials (i.e., user name, password) but also their behaviors and their relationships with other users or systems. The second part of the challenge is to capture all of that information and to make it available to a wide variety of applications and systems in real time.

The solution is an Intelligent Identity Data Platform, said Wade Ellery, Vice President of Solutions Architects and Senior Technical Evangelist at Radiant Logic, which provides a platform that spans on-premises and cloud environments. “An Intelligent Identity Data Platform provides one place to get everything I need to answer all questions I have about managing identity, access, authentication, authorization,” Ellery said.

Assessing Risk in Real Time

To understand the need for an Intelligent Identity Data Platform, consider two scenarios. In the first case, a user logs into an application from her office at 2 p.m. each day. In this case, she will be considered a low risk, based on three factors: her credentials, her usage patterns and location data. In the second scenario, this same user logs into the application from her office but at 2 a.m. The aberration in her routine (i.e., usage pattern) raises a red flag, as would a change in her location.

Even this simple use case requires an agency to have a holistic picture of an end-user, which is not possible without a central platform.

Multi-Cloud Complexity

The challenge of managing identity data has grown more complex with the emergence of hybrid and multi-cloud environments. Critical information is siloed in diverse stores and applications, from on-premises systems to different clouds like AWS, Azure and Google, so what you know about a user is often scattered throughout these disparate systems with no easy way to retrieve and reconcile the data. An Intelligent Identity Data Platform makes it possible to integrate that information both to develop a fuller understanding of each user and to enforce access policies consistently across different platforms.

Enabling Zero Trust

The capabilities of an Intelligent Identity Data Platform are essential to the concept of zero trust security, Ellery said. Rather than basing access management on user credentials alone, “I’m going to continuously evaluate your request against everything I know about you in real time, and make a decision on whether you can gain access to another resource,” he said. Radiant Logic’s RadiantOne Intelligent Identity Data Platform is the standard identity enablement foundation for many federal and defense agencies, including the Army, Navy, the Department of Homeland Security and the Defense Information Systems Agency.



The Future of AI Hangs on Ethics, Trust

An interview with Chezian Sivagnanam, Chief Architect at the U.S. National Science Foundation

Chezian Sivagnanam, Chief Architect at the U.S. National Science Foundation, believes the next several years could prove critical in laying the groundwork for the broad use of artificial intelligence. Sivagnanam first got interested in the idea of artificial intelligence 30 years ago. At the time, researchers were focused on the idea of building neural networks – that is, technology that could mimic human thought processes. But the concept was largely theoretical.

Today, AI technology is rapidly evolving. The challenge now is to put in place the disciplines to ensure both the effective and ethical use of AI, Sivagnanam said.

“If you look at people who want to build a career out of AI, they are interested in learning algorithms and training data, but few spend time learning [how to use AI] responsibly, ethically and transparently,” he said.

An Ethics Curriculum?

In the next two to three years, Sivagnanam expects to see an industry emerge around the creation of what’s known as synthetic data, which presents both opportunity and risk. For the most part, today’s AI systems learn by analyzing large amounts of relevant real-world data and finding key patterns and features. It takes a massive amount of data, some of which might include personally identifiable information (PII), including personal health information (PHI). In the future, companies could make a business out of providing organizations with synthetic data, which is generated by computer algorithms trained by real-world data. The challenge is ensuring the synthetic data does not contain any vestiges of PII or PHI and the underlying algorithms do not embed any unintended bias that would undermine the AI models that use its data. Issues around ethics need to be incorporated into the education and training of data scientists and others involved in AI, Sivagnanam said.

“We need to make sure that the people who are creating these algorithms and using these data sets understand the challenges, that they are thinking about the [ethics] angle,” he said.

First Ethics, Then Revolution

Over the next five years or so, we could see a revolution in the use of AI, Sivagnanam said. Think about the self-driving car industry. At this point, human drivers are still a necessary part of the equation. But AI pioneers are hard at work trying to change that, and quickly. Similar advances are likely in other applications of AI. Over the next three to five years, Sivagnanam hopes to see the AI industry mature. As part of that, he expects to see the development of regulations and guidelines around AI and ethics, both from the federal government and from industry organizations. That work is already getting underway, and NSF is playing a role. Through a grants program called Fairness in Artificial Intelligence (FAI), NSF supports researchers working on ethical challenges in AI.



Build Trust Through Policy

Because good data is essential to AI, NSF sees a strong data policy as a foundation of its AI work. A key part of that policy is transparency. That includes documenting:

• What data they capture
• Why they are capturing it
• Its source and lineage
• How it’s being used

Such transparency is especially important when it comes to data used to train AI models and algorithms. Sharing that information, and giving people a chance to offer feedback, helps build trust in the resulting AI programs. NSF is also working on an AI policy that ensures transparency and engagement around the models and algorithms themselves, Sivagnanam said. The long-term goal is to create a culture in which a concern with ethics and transparency is integral, not just an afterthought, he said.

The Hard Part of AI

When people think about all the work that goes into creating AI programs, they probably think about the process of writing algorithms and building models. But that’s not the hardest part, Sivagnanam said. Instead, the challenge is ensuring that the program gets buy-in from the people who are supposed to benefit from it. That means addressing their concerns about its adaptability, scalability and above all, its trustworthiness.

One way to do that is to involve the intended community of users in the process from the get-go. A good place to start is with the use case. “When you have a use case for any innovation, start working with the community – open up your use case, democratize it, get feedback on it,” Sivagnanam said. This is especially important for AI, because you want the users to understand how it works. That’s essential to trust. Sivagnanam calls it a people-centric approach to AI.

NSF has taken it further, building a community of pioneers who are interested in driving innovation. The agency will conduct micro-pilots with them, giving them the opportunity to provide feedback on functionality as the program is taking shape. “And the good part about this approach is that as soon as they see it as their invention, it’s no longer an IT invention. It’s a business invention,” Sivagnanam said. Having these early adopters can go a long way toward gaining the trust of the larger community of users. “You are empowering these pioneers to be change champions,” he said.



Industry Spotlight

Agencies Need to Maintain a Sense of Cyber Urgency

An interview with Brandon Shopp, Group Vice President of Product Management at SolarWinds

The heightened cybersecurity risks included with remote and hybrid work could soon be compounded by another threat: security apathy and complacency. The problem is, after 18-plus months of dealing with security challenges associated with remote work, security and IT professionals and end users might begin to feel over-confident and let their guard down. Such an attitude can be costly, according to a new study released by SolarWinds, “IT Trends Report 2021: Building a Secure Future.”

“Apathy and complacency are surefire ways to reduce exposure to new technologies, better ways of working, or worse, a lack of awareness to other areas of risk within an organization that aren’t always obvious,” the report states.

Definitions

Security apathy is rooted in a mentality of “it won’t happen to me” or “it’s somebody else’s problem,” said Brandon Shopp, Group Vice President of Product Management at SolarWinds. Security complacency, on the other hand, is a form of desensitization. Cyberattacks have become so common that some people cease to be alarmed. In either case, people lose their sense of diligence, which puts them and their organizations at risk. For example, phishing attempts often contain a tell – a misspelling, an odd URL or other clues indicating illegitimacy. People who aren’t diligent might miss them. That is why agencies need to convince their employees, IT professionals or not, security is part of their job, Shopp said.

Make Security Personal

One way to get employees focused is to make it personal. For example, get employees to think about the personally identifiable information their agency has on them. This includes name, home mailing address, Social Security number, date of birth and other key ingredients for identity theft. Once that sinks in, it’s easier to talk to employees about their responsibility to protect the information and operations critical to supporting an agency’s mission and protecting the well-being of constituents.

Agencies must make risk aversion the norm, so employees “see any level of risk as unacceptable,” the report states.

Key Areas of Focus

Security isn’t just the responsibility of individuals. Agencies also must ensure they treat security as a top priority. SolarWinds recommends two areas of focus:

Prioritize the development of cyber experts. Given the high demand for cyber experts, agencies should focus more energy on developing talent in house. Shopp said one approach is to convert IT professionals, who are already tech-savvy, into cyber professionals.

Prioritize collaboration between tech pros and leaders. Policies and strategies aimed at reducing risk should reflect both technical and organizational expertise and requirements. Shopp said agencies also should collaborate more with trusted industry partners. SolarWinds, for example, isn’t just a technology vendor; it also has a large development shop, as many government agencies do, and can exchange ideas about cyber strategies, tools and best practices. “When I think about collaboration, it really just comes down to transparency,” Shopp said.



Q&A: Getting Schooled on Zero Trust Security

An interview with Jeff Brown, Chief Information Security Officer, Connecticut

In the old days, government cybersecurity depended on network perimeters protecting agencies’ data and other resources. But the new days are making this strategy seem outdated. The more government employees work remotely, the more porous agencies’ network perimeters become. Furthermore, more sensitive information about constituents is exposed than ever. These concerns mean agencies must rethink cybersecurity or risk threats breaching their network perimeters.

Zero trust security might help, said Connecticut Chief Information Security Officer Jeff Brown. Zero trust security distrusts everything outside or inside organizations’ network perimeters. Agencies can prevent cybersecurity incidents by verifying that everyone and everything asking for access to their assets deserves it.

GovLoop spoke with Brown about how zero trust security can benefit governments like Connecticut’s. This interview has been lightly edited for brevity and clarity.

GOVLOOP: How does zero trust security work?

BROWN: A lot of people get confused about zero trust. It is to some extent a marketing term. Zero trust as a concept is relatively straightforward. You literally don’t trust anybody, including your own people. It starts out with strong authentication and what people can do once they’re in. There’s no one technology you deploy [for] zero trust. It is a host of technologies and a way of thinking. Too many people have been focused on the perimeter – keep the bad guys out there and we’re in here. As we move towards a remote world where employees may be working from all over the place, you can’t take that perimeter-based view anymore. You need to look for insider threats from employees and people who have broken into the network. It’s not just employees. It’s anyone who is on the network. You don’t take anything for granted. You must verify everything every step of the way.

GOVLOOP: Why is zero trust security valuable?

BROWN: The government has a lot of control over lots of different things. We must be able to be trusted. We have sensitive data on citizens, and we need to make sure that we’re protecting that. If somebody hacked the governor’s emails and was able to send messages as him, that’s not a good thing by any measure. Fortunately, a lot of these attacks are clunky and obvious. But that’s going to change over time. People are getting more sophisticated in the types of attacks they do. Our job is to make sure that these attacks are not practical to carry out. We basically push the attackers elsewhere.

Multi-factor authentication is a component of zero trust. It means I’m not getting in with just the username and password. Whether it is a SMS [short message service] text on your phone or an authenticator app, there’s that second level. If you don’t deploy anything for zero trust, multi-factor all by itself is a good security control.

GOVLOOP: What are some best practices you’d recommend for implementing and actively practicing zero trust security?

BROWN: Zero trust means zero trust. We’re monitoring your internal systems. To an extent, we are monitoring what individuals are doing. That’s not to say we’re Big Brother. We’re not monitoring the keystrokes of every user in the state or anything like that.

For the agencies, multi-factor [authentication] is a huge one. We’ve seen time and time again accounts get compromised because they had a bad username and password. If that’s the only thing protecting a system, that’s not enough. The bottom line is we know people create bad passwords. That’s a given. You can increase awareness about how to create good passwords, and you certainly want to try that. In many cases, people will just figure out ways around complexity requirements to get an easy-to-remember password versus a secure and strong password. You want to encourage people to have unique passwords for every single site. At some point, you need to give them a secure method of being able to remember all these passwords.

By far the No. 1 thing is making sure all your systems are patched and up to date. Sadly, a lot of attacks have come through known vulnerabilities that haven’t been patched. It is what I’d call a clean air, fresh water activity. It is something so basic and fundamental to what we do. Make sure things are up to date and not at the end of their life. A lot of people keep servers well beyond their service life, and they stop receiving security patches. That’s something you need to keep in mind.

Authorization is about, “Now that I know who you are, what can you do?” That level of authorization is important. Especially in the states, some people spend 30 or 40 years bouncing around different agencies. You must make sure the access people had in previous roles has changed. When you start a new role, you should lose your old access and start fresh. That’s something that doesn’t always happen.



Industry Spotlight

How to Move DevOps from Disarray to Unity

An interview with Sameer Kamani, Federal Solutions Architect, and Daniel Marquard, Senior Public Sector Solutions Architect, GitLab

One of the pitfalls in adopting DevOps is what you might call Peter Pan Syndrome. An agency’s initial forays into integrating their development and operations teams can bear fruit quickly, leading to better quality software produced at a faster clip. The risk is that an organization will treat its initial forays as the endgame, not realizing that a more mature approach, with greater payoffs, is possible. In short, the DevOps initiatives never grow up.

GitLab, which has years of experience helping organizations with DevOps adoption, has identified four stages in a DevOps journey, culminating in an approach that delivers even greater benefits than envisioned at the outset.

Stage 1: Bring Your Own DevOps

When agencies first get into DevOps, they typically don’t take a strategic approach, i.e., deciding upfront on a common set of tools and processes. As a result, the adoption of tools can be haphazard. “Teams doing the same type of work might standardize on a single tool to be able to collaborate with each other, but not necessarily with other teams performing downstream work,” said Sameer Kamani, Federal Solutions Architect at GitLab.

Stage 2: Best in Class DevOps

As DevOps becomes more established, that specialization results in the emergence of different fiefdoms, as people double down on using their particular tools and processes. This introduces substantial friction into the development process, as organizations are forced to develop manual processes to work around the lack of integration. That friction reduces the speed of development, undermining one of the primary benefits of DevOps.

Stage 3: Do it Yourself DevOps

At some point, teams will attempt to solve that problem by settling on a common set of tools. But usually they take a “best of breed” approach, in which they manually integrate tools from different vendors. This approach might look good on paper, but it is difficult to use or maintain. Organizations can find themselves pulling people off mission-oriented work just to keep those systems running, said Daniel Marquard, Senior Public Sector Solutions Architect at GitLab. “It’s not just that you have to build those integrations – they have to be supported forever,” he said.

Stage 4: A DevOps Platform

To address these pitfalls, agencies need to adopt a DevOps platform that provides an integrated set of tools for the development and operations teams, as well as the security team. The integration of security in the platform will help federal agencies meet the mandates of the recent executive order on cybersecurity by ensuring that security is addressed as part of the larger development process, Kamani noted. “A DevOps platform enables application planning, management, development, orchestration, security and operations management in a way where production of all apps can be delivered quickly, repeatedly, and reliably in a short amount of time,” he said. Just as important, the DevOps platform provides a simpler and more seamless user experience for teams throughout the software development lifecycle. This makes it more likely that users will embrace it, making it possible to transform the organization at the grassroots level.



3 Tenets for Advancing Equity in Your Everyday Work

An interview with Dr. Leandris Liburd, Director, Office of Minority Health and Health Equity, Centers for Disease Control and Prevention (CDC)

If there were one thing you could do to eliminate health disparities or advance health equity, what would it be? This is a question that Dr. Leandris Liburd gets asked often, but it’s not one she’s fond of. The answer isn’t a simple one, and the COVID-19 pandemic has magnified that truth. There isn’t a magic pill to ensure that no one is denied the possibility of being healthy because they belong to a group that has been economically or socially disadvantaged. And measuring success is about more than data points. Choosing one thing to advance health equity “is not possible when you’re dealing with these kinds of complexities,” Liburd said in an interview with GovLoop. “So we have to do a lot of things at the same time.”

Liburd is the Director of the Office of Minority Health and Health Equity at the Centers for Disease Control and Prevention. She is also rotating as the CDC’s Chief Health Equity Officer for the COVID-19 response — a newly created role and function that she worked tirelessly with colleagues to stand up in the midst of a global crisis.

Our interview felt both urgent and insightful. It comes at a time when the COVID-19 virus is still raging, and the Biden administration is trying to assess equity across government agencies, programs, services and contracting practices. Health equity is a herculean task that Liburd has been advancing for decades within the health space.

We want to extract those parallels for the GovLoop community as rank-and-file feds and leaders grapple with equity in the context of their work. To Liburd’s point of having to do many things at once to address inequities, we’re sharing some of the core tenets that can help all of us put a face and a name to equity: storytelling, awareness and education. These pillars help us understand its nuances beyond high-level concepts or policy documents and instead as a personal reality that impacts our lives, loved ones, colleagues and communities.

Awareness

We asked Liburd about the key equity issues or points that are core to her work, that she wishes people better understood. Here’s what she said:

• We are more connected to one another than might be apparent.
• When parts of our society have to endure long-standing inequities, there is a drain on the rest of the society.
• If we were able to have more equity, there would be a more universal opportunity to prosper.

“I think that’s a hard sell for a lot of people,” Liburd said. People typically think that if they are OK and have health insurance, benefits and a living wage, then everything’s good. “But we’re actually just much more connected than that,” she said. “And so COVID has really demonstrated that for us in such a profound way.”



Education

We went on to ask Liburd what pushback she faces in her work around equity. “Whose responsibility is it for us to ensure health equity for our entire nation?” is a common question. Liburd broke this question down in a way that anyone can apply to equity work, regardless of your agency or mission:

• Whose responsibility is it?
• Where do we start?
• How do we untangle systems to find the best point of entry to move practices and policies toward equity?

“I think that in a lot of instances, we are blind to the inherent, built-in structures that perpetuate inequity,” she said. “One of the things that’s hard in government is for us to essentially redirect or change the work that we’ve already committed to and have been doing.”

Her advice: Use a lens that will allow you to see where your work is perpetuating inequities and how to redirect your work toward equity. At the Health and Human Services Department, for example, the president’s executive order on racial equity is spurring HHS’s ongoing use of disparity impact statements to better identify and address inequities.

Storytelling

Liburd shared how her passion for storytelling has helped her and others advance equity. “What I would say about storytelling is that it can take us out of the analytical and abstract, and represent health equity in real-life experiences,” she said, noting that her passion for storytelling likely emerged from her anthropology training. Anthropologists are professional people-watchers, and Liburd is always listening and observing what’s happening in communities across the country, including her own, to pick up on nuances that a survey might not find.

Her advice: Use storytelling to connect with others. When people are able to connect on a more personal or social level, complex issues such as health equity become more accessible.

Health Equity Milestones & Policy Drivers

December 2010 – Healthy People 2020 launches, providing a 10-year agenda for improving the nation’s health.

April 2011 – HHS releases an action plan to reduce racial and ethnic health disparities.

August 2020 – Healthy People 2030 launches and sets data-driven national objectives to improve health and well-being over the next decade.

January 2021 – President Biden’s Executive Order 13985 calls for a comprehensive approach to advance equity and assess systemic barriers for underserved groups and people of color.



The Career Corner

In addition to talking with CXOs about specific IT and management topics, we invited them to share lessons learned and offer advice on building a career in public service. We asked them three main questions:

1. What do you wish you knew at the beginning of your career?
2. What is a big learning moment you have had?
3. What technology or trend would you like people to learn more about?

Some of the advice is specific to a particular technology or field, while others are more general. But all reflect the growth mindset that can help anyone be successful in their chosen field. Here is what they shared.



Q: What do you wish you knew at the beginning of your career?

The Human Factor

Sometimes it’s not easy for experts to look beyond their own expertise. NSF’s Sivagnanam, who originally studied electrical engineering then went into IT, has come to appreciate the extent to which technology issues are interwoven with people issues. He didn’t understand that early in his career. “I would just go build out a system, implement it and go for lunch,” he said. “I never worried about bringing people alongside with it.” The problem with that approach is that if a new system or process doesn’t reflect how people work or what they need, they are likely to see it as something optional.

“If it’s optional,” Sivagnanam said, “people might not use it, even though I have created some wonderful thing.” He learned that the hard way about 10 years ago. His team at the time had been given a mandate to develop a particular system. After working on it for several years and spending several million dollars, they ended up with something that nobody was using. If he could do it all over again, he would take the people-centric approach that NSF uses now (see interview, P. 16), getting end users involved from the start and eventually turning them into champions for change.



Communication Is Paramount

Every field has its technical terms, acronyms and lingo that make it easy for experts to talk to one another. The only problem is that when one of those experts needs to talk to non-experts – when they need to educate or persuade those non-experts – things can go amiss. Connecticut’s Brown has seen that firsthand during his career. When he got started in cybersecurity 25 years ago, it was a much more specialized field that rewarded people for their technical expertise. That specialist mindset doesn’t work so well now that cybersecurity is something that touches every aspect of organizations.

“A real industry problem is that you now have people who’ve come up through the technology ranks and they can speak technical very well, but they just can’t communicate with people,” Brown said. “You can have a chief information security officer who’s just dynamite from a technical perspective, but you put them in front of the board of directors and sometimes it falls apart.” As cyberattacks become more prevalent and more of an enterprise risk, cybersecurity experts need the ability to speak in terms everyone – not just the specialists – can understand, he said.

The Value of the Gut Check

When people are still early in their careers, they tend to lean on the insights and expertise of others. That’s how we all learn. But it’s also possible to rely too much on others, even reputed experts who you pay to offer advice, said GAO’s Ariga. “A lot of issues that we tackle are so complicated, it’s very easy to get swayed by someone with a louder megaphone – perhaps someone with a sexier trifold brochure who convinces you otherwise,” he said. “But over my career, I have learned that my instincts were correct in many instances, and I should trust them more. More often than not, they have served and guided me well.”



Q: What was a big learning moment from the first half of your career?

It’s Harder Than it Looks

Often, the more you learn, the less you seem to know. It happens with any field of expertise: Once you get past the basics, you begin to discover the nuances, complexities and uncertainties. That was Liburd’s experience in her early years of working on issues in population health, which looks at health outcomes at the group level. “Population health and improving population health was much more complicated than everyone ever told me,” she said. For example, one assumption in health education is that if people know better, they will do better – that is, they will make changes in their behavior that lead to better health. That’s true to a point, but only to a point, because behaviors are shaped by social environments. For example, you can tell people that one simple way to be healthier is to go for walks. But what if they live in a community that does not have many sidewalks? “Over time, as I started to drill down to really see the complexities of the outcomes we were trying to achieve, there was far more than behavior change that we had to pursue,” Liburd said.



Never Stop Learning

Here’s another adage: The longer you live, the less you seem to know. Anyone who works in IT can vouch for that, although it’s true for other fields as well. “When I look back over 25 years of security, and the stuff I learned in the first five to 10 years – all that stuff is just obsolete now,” said Brown. “Some of those operating systems aren’t even around anymore. Everything’s changed.” The pace of change is part of what makes cybersecurity so challenging, he said. Once you complete your education and get your certifications, you might think you’re set. But you’re not. “The amount of continuous learning that you need to do in cyber I think is a little daunting for some people,” Brown said. “You must be ready at almost any given moment to unlearn things or learn things in a very different manner.” Brown was fortunate that, early in his career, he also spent time doing distance learning and education, which positioned him well to keep learning as the technology and concepts have evolved.

Smarts Only Go So Far

Some days it helps to be the smartest person in the room, that is, to be the quickest thinker and the most knowledgeable. But often such smarts are not really enough, said Ariga. “Persistence and grit outshine intellect every day,” he said. “I have observed a number of occasions where maybe not the most advanced technologist or fantastical mathematician have come on top because they had that drive to succeed and not [settle] for mediocrity as a compromise.” That might sound odd, especially when it comes to the fields of technology or science. Clearly, deep knowledge is essential, but it’s not necessarily sufficient, Ariga said.



Q: What’s one trend in tech or management people should understand better?

It’s Not Tech ‘or’ Management

Yes, technology is important, said Liburd. For example, technology is finding its way into how the CDC does business, which has translated into meaningful efficiencies. The CDC also has launched a data modernization initiative that will help experts get quicker and deeper insights into the health problems they are grappling with. But to have lasting impacts, those systems need to become part of the agency’s management practices, Liburd said. “We need to be able to know how those new systems can help us and be intentional about incorporating them into our plans, in our staffing, in the resources that are put in place to help us with things in our work.”

That said, she cautions against losing sight of the value of old-school people work. For example, while technology can play a role in improving community engagement, it does not replace personal engagement, as the CDC has seen during the pandemic. Technology has been valuable, but “people on the ground helped to point us to some of the factors that were driving COVID disparities in certain communities because they were living it,” Liburd said.

Ariga has a similar perspective. For example, advanced automation solutions, such as robotic process automation, have demonstrated their ability to free up employees from repetitive, manual processes so they can focus on higher-value work. But he has no interest in outsourcing his professional judgment. “At GAO, we’ve been advocating that the human [needs to be] at the center of any technological evolution,” Ariga said.



All Eyes on Zero Trust

Ransomware is one of the biggest issues in security these days. As with any threat, the challenge is that attackers are good at changing their tactics as organizations change their defenses. “It’s very much a moving target,” said Brown. One thing is certain: Agencies need to stop being so trusting. Just because someone knows the right username and password does not mean that they should have access to everything on the network.

Instead, agencies need to move to a zero trust security model. In zero trust, the network verifies the identity of people and their devices – plus their permission levels – every time they attempt to access something on the network. “The more we do zero trust security methodologies, the better we are,” Brown said. Important as it is, zero trust requires a different way of thinking. “It’s a paradigm shift for some people,” he said (see interview, P. 20).

Technology for Good

Discussions about technology typically focus on costs and capabilities, efficiencies and effectiveness, modernization and transformation. But Sivagnanam takes a philosophical approach. “Technology’s a double-edged sword,” he said. “It can serve both the good and the bad.” Cryptocurrency is a good example. This technology has provided a new way to conduct secure online transactions, but it also has become both a target and tool of cybercriminals. While it is important for people to follow technology trends – to think in terms of costs and capabilities – they also need to think about how that technology might be used, Sivagnanam said. If every innovator focused on using technology to improve human life, “the world would be a better place to live in the coming years,” he said.



Takeaways

Here are seven tips shared by our CXO subject-matter experts.

☑ Get out of the echo chamber. It’s easy for the person who’s most enthusiastic about a given topic to influence the thinking of others. Create space for multiple perspectives. Build an ecosystem of learners.

☑ Take a people-centric approach to IT. Whether building services for employees or constituents, get their feedback throughout the development process to ensure it reflects both their needs and their way of working.

☑ Look out for ethical pitfalls. AI and analytics, in particular, have the potential to do harm, undermining privacy protections, embedding unintended biases into programs and dehumanizing government services. Ethics is essential to the IT curriculum.

☑ Always ask: Who’s being left behind? When developing digital services, think about who might lack the tools or opportunity to use those services. How are you meeting their needs?

☑ Focus on the intersection of IT and management. IT tools and systems need to be deployed within a larger management framework that includes policy, training and change management plans.

☑ Speak in plain English. IT is a rat’s nest of acronyms and lingo. When talking to people who lack your own expertise on a topic, find ways to make that topic accessible to them.

☑ Invest in continuous learning. You don’t have to become an expert in every subject, but you need to keep up with what’s driving changes in your agency. The good news is that virtual learning has become ubiquitous.



ABOUT CARAHSOFT

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider®, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator® for our vendor partners, we deliver solutions for Cybersecurity, MultiCloud, DevSecOps, Big Data, Artificial Intelligence, Open Source, Customer Experience and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Visit www.carahsoft.com, follow @Carahsoft or email sales@carahsoft.com for more information.

THANK YOU

Thank you to Carahsoft, GitLab, Hewlett Packard Enterprise, Radiant Logic and SolarWinds for their support of this valuable resource for public sector professionals.

ABOUT GOVLOOP

GovLoop’s mission is to inspire public sector professionals by serving as the knowledge network for government. GovLoop connects more than 300,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to the public sector. For more information about this report, please reach out to info@govloop.com. govloop.com | @govloop

AUTHOR John Monroe, Director of Content Pearl Kim, Staff Writer Mark Hensch, Senior Staff Writer Nicole Blake Johnson, Managing Editor DESIGNER Calista Lam, Jr. Graphic Designer



Carahsoft offers numerous solutions to help public sector agencies modernize operation. These solutions are available through Carahsoft’s reseller partners on a variety of contracts including Carahsoft’s GSA Schedule 70, SEWP V, ITES-SW2, NASPO ValuePoint, NCPA, OMNIA Partners and numerous State and Local contracts. Learn more at carahsoft.com. See the latest innovations in Government IT from Carahsoft’s vendor partners at carahsoft.com/innovation.

1152 15th St. NW Suite 800 Washington, DC 20005 P: (202) 407-7421 | F: (202) 407-7501 www.govloop.com @GovLoop
