Volume 9 Number 1 March/April 2017 digital.onthefrontlines.net

Jul 22, 2020


PROFILES IN EXCELLENCE

Words To Govern By

It occurs to me…
Jeff Erlichman, Editor, On the Frontlines

Those words from David Wennergren are certainly words to govern by no matter the era, no matter the administration. Mr. Wennergren served in many roles at DoD including Deputy Assistant Secretary of Defense for Information Management, Integration and Technology.

Many in government already practice what Mr. Wennergren advises. This special “Profiles in Excellence” issue chronicles the 2016 achievements and 2017 plans of 11 of these senior government leaders.

Leaders from DoD, Treasury, NASA, DHS, DOT, DISA, FCC and Navy talked about their challenges and successes to a live audience at the National Press Club in Washington DC.

Hosted by Jim Flyzik, the audience listened as these IT executives spoke of their tangible achievements of 2016 and what they wanted to accomplish in 2017. All spoke about the importance of information sharing, agile development and cultivating a culture of excellence.

Their mantra: Communicate, communicate and communicate some more.

For example, Terry Halvorsen from DoD talked about the challenges of moving to one OS. FCC’s David Bray shared how FCC went from maintaining 217 systems to 0. DHS’s Soraya Correa talked about how DHS’s FLASH contract for agile development speeds the delivery of capabilities.

Each leader shared their story which was recorded and broadcast on Federal News Radio as part of a special “Profiles In Excellence” edition of the Federal Executive Forum (FEF). Now you can read about and/or see them for yourself.

In addition to the Profiles of these 11 government leaders, 4 former senior government executives — Dr. Dale Meyerrose, Dr. Dave McClure, David Wennergren and Jim Flyzik — provide commentary which lays out a practical “playbook for change” for how to deal with the inevitable change that comes with a new administration.

Finally, Subject Matter Experts from four leading government IT suppliers — One Identity, FireEye, Software AG and Tanium — share their expertise on how to take advantage of advanced technologies to fulfill mission objectives.

These 19 senior leaders clearly demonstrate how “outcomes that matter can transcend political ideology”. Read how they are doing it. Then, the next steps are up to you.

Outcomes That Matter Can Transcend Political Ideology
David M. Wennergren, 2017


Federal Leaders Share Success Stories
Inside Profiles In Excellence

At the special “Profiles In Excellence” Federal Executive Forum held at the National Press Club in Washington, DC and broadcast on Federal News Radio, 11 federal IT leaders shared their stories about successful programs, lessons learned and challenges met. Read the thumbnails below and then read the rest of the story.

Basic Blocking and Tackling Works
Sonny Bhagowalia, CIO, Treasury

Treasury blocks complex, sophisticated and brazen cyber-attacks every day. Using an NFL analogy, Mr. Bhagowalia called those applications and operations professionals doing all the hard work behind the scenes Treasury’s offensive and defensive lines, which don’t get the credit.

One Computing Ecosystem
Dave Bennett, CIO, DISA

One enterprise computing ecosystem fosters standard sets of processes, tools, TTPs, governance structures and a common way of doing business, opening opportunities to leverage things in a way not done before.

From 217 To 0
David Bray, CIO, FCC

FCC once supported 217 different systems on premise. Today that number is 0. 100% is either on a public cloud or with a commercial service provider. And maintenance spending is down from 85% to less than 50% of budget.

Procurement In A FLASH
Soraya Correa, Chief Procurement Officer, DHS

The idea of the $1.54 billion FLASH contract is to simplify the process, while making sure DHS can buy what’s needed fast. We started with the result and then figured out how to achieve it, rather than start with processes.

One Word Changed, Broadband Delivered!
Rob Foster, CIO, Department of the Navy

5 years is too long to get a broadband tower installed. By changing one word in the contracts — from lease to easement — we reduced tower deployment from 5 years to 12 months or less.

An Agile FEMA
Adrian Gardner, CIO, FEMA, DHS

Agile IPT (Integrated Project Team) is an integral part of FEMA modernization activities, spawning discussions on the software engineering lifecycle process; and how to strategically look at acquisition in an ongoing engagement with senior leaders.

One OS for DOD
Terry Halvorsen, CIO, Department of Defense

For the first time, DOD is going to one operating system within DOD — Windows 10, impacting 3 million Windows-based laptops, desktops, tablets and major networks. Improvements in cybersecurity, the patching processes and monitoring networks across all of DOD are expected.

Build With Agility and Purpose
Luke McCormack, CIO, DHS

When the system needed is a purpose-built one, DHS springs into agile development mode. Using agile development, minimal viable products are delivered quickly, then subject to feedback and continually improved. It’s a tectonic shift in the way DHS delivers software services.

Unintended Benefits
Richard McKinney, CIO, Department of Transportation

Now DOT understands everything on its network, with the ability to manage and patch it correctly. It also knows if there is anything unknown connected to the network, and IT is instantly alerted so it can take appropriate action.

Above, On and Below Earth
Rod Turk, Acting Deputy CIO and CISO, Commerce

On security, strategic planning takes into account the need not only for end point security from the CDM program, but also looking at network monitoring processes and procedures; and also database processing and procedures to enhance the security posture.

Exploring New Frontiers
Renee Wynn, CIO, NASA

The focus from day one: How to get 10 centers with really smart folks — they are rocket scientists — going in the same direction and how to change the dialog on cyber from “IT speak” to enterprise needs.


Your Playbook For Change
Inside Profiles In Excellence

Four former government senior executives — Jim Flyzik, Dr. Dale Meyerrose, Dr. David McClure and Dave Wennergren — present a playbook for succeeding in government’s changing environment. Read excerpts below. Then turn to pages 24-27 for full commentary.

Transition(S) Survival Guide
Jim Flyzik, The Flyzik Group

Look for ways to embrace the changes. Don’t ever say, “That’s not how we do things here”! Embrace change rather than fear it. Think of some changes you were trying to pursue with the prior regime but couldn’t get done — this may be an opportunity. Stay with the old adage that there are no constraints, just challenges. With change comes some anxiety and fear of the unknown but by embracing change you can help move the organization forward and build a healthy working relationship with the new team. In the words of Andre Gide, “Man cannot discover new oceans unless he has the courage to lose sight of the shore”.

Mr. Flyzik served as Treasury CIO and senior advisor to Tom Ridge in the White House office of Homeland Security.

Turn to page 24 to read Mr. Flyzik’s full commentary.

Everyone’s for Progress — It’s Change We Don’t Like
Dr. Dale Meyerrose, Major General, U.S. Air Force (retired)

Successful change is more relationship-dependent than merit-based. The key to managing change is to reduce drama whenever possible. Creating change usually entails adopting new concepts/ideas (seen as winners within the organization) and abandoning previously embraced ones (rightly or wrongly, considered losers). The buzz phrase in today’s business classes is to “create win-win situations” in change processes. In practice, there aren’t as many of these — don’t expect to routinely have such opportunities at your disposal, if ever. Unlike other parts of modern culture, in changing organizations, not everyone gets a trophy (gasp!). And that’s a good thing (double gasp!).

Dr. Meyerrose, Major General, U.S. Air Force (retired) was the first Senate-confirmed, President-appointed Chief Information Officer for the Intelligence Community after over three decades of military service.

Turn to page 25 to read Dr. Meyerrose’s full commentary.

Accomplishing Remarkable Results with a Heart of Change
David McClure, Ph.D., Executive Chair, Industry Advisory Council

So often we try to change people’s minds by presenting them with facts and analysis — “ANALYSIS-THINK-CHANGE” — but this approach, while important, does not often ignite change. It may be because you really don’t need it to find the big truths, or underlying assumptions draw the analysis into a managerial fistfight, or it simply is not motivating. Instead, we must appeal to people’s emotions, using what Kotter and Cohen call the “SEE-FEEL-CHANGE” model: cleverly presenting real-life examples of the problem that people can see and even touch — that they can truly experience — to trigger feelings that lead to significant change.

Dr. McClure served as the Associate Administrator of the Office of Citizen Services and Innovative Technologies at the General Services Administration from 2009-2015.

Turn to page 26 to read Dr. McClure’s full commentary.

Leading Change During Times of Transition
David M. Wennergren, Executive Vice President & Chief Operating Officer, Professional Services Council

Flexibility becomes a crucial survival skill. It’s important to get ahead of the new team’s agenda. Infrastructure improvements, jobs growth and better access to commercial innovation are clearly issues that will matter. And regardless of who arrives to lead the agency, there are clear mandates for the federal government to harness technology and new business models to modernize government service delivery and bring in more commercial innovation, while improving government operations to better compete globally. Times of change are times of opportunities and current government employees have a crucial role in creating the future.

Mr. Wennergren served as DoD Assistant Deputy Chief Management Officer and Deputy Assistant Secretary of Defense for Information Management, Integration and Technology.

Turn to page 27 to read Mr. Wennergren’s full commentary.


Solutions For Today’s Needs
Inside Profiles In Excellence

Working with the private sector, agencies are making great strides in enhancing government services, while keeping government systems and the data it holds secure. Read how four of government’s leading IT partners — FireEye, One Identity, Software AG and Tanium — are helping agencies succeed and learn how you can integrate their strategies into your agency.

The Subtle Battle over Privileges
Dan Conrad, Identity and Access Management Expert, One Identity

The Personal Identity Verification (PIV) and Common Access Card (CAC) initiatives are stronger than ever and great strides have been made toward compliance and reporting. It is imperative we continue to do everything possible to provide stronger authentication as quickly as possible for ALL accounts and remove access to passwords for every account. A key principle in secure authentication is to take a vulnerability (such as a password) and, instead of implementing great measures to make it uncrackable, just make it irrelevant. Using a privileged account management system in conjunction with multifactor authentication (PIV/CAC) is a step toward making the password irrelevant.

Modernizing our Government’s Technology
Ralph Kahn, Vice President Federal, Tanium

To date, new IT capabilities have been adjusted to fit requirements, when it should be the other way around: requirements should be adjusted to take advantage of our nation’s cutting-edge and innovative tools. Instead, today’s IT procurements produce highly customized, expensive, and cumbersome technology that is obsolete by the time it is deployed. Agencies should follow the model set by the private sector and use a new mechanism that allows them to try a tool for a month, evaluate it, and purchase it as a subscription service, rather than undertaking the massive, multi-year contracts that are currently used.

Automated and Orchestrated Response
Tony Cole, VP and Global Government CTO, FireEye, Inc.

One of the first things an organization can do is look at the tools they already have and then establish a strategy to integrate those tools for incident response through security orchestration. This can allow security teams to get more value out of their tools by building courses of action for all the daily mundane security tasks that must be accomplished… This is a real game changer for defenders. They can now understand attacks before they happen through pre-breach threat intelligence, tie that in with machine-led threat intelligence and post breach threat intelligence, and integrate that with courses of action that automate response.

Is Your Integration Strategy Future Ready?
Chris Borneman, VP & CTO, Software AG Government Solutions

The five essential steps to a successful hybrid integration strategy:

Step 1: Understand your integration “center of gravity” — the locations of the systems you have in place today, including strategic systems of record.
Step 2: Determine how much control and responsibility you want or need — public, private or hybrid cloud?
Step 3: Know your users. For example, “citizen integrators” are increasingly common non-IT staff responsible for the implementation of departmental SaaS applications.
Step 4: Plan how to keep up with project demands by leveraging existing integration assets.
Step 5: Consider how you will ensure data quality for your systems of record.


Basic Blocking and Tackling Works
Sonny Bhagowalia, CIO, Department of Treasury

Treasury blocks complex, sophisticated and brazen cyber-attacks every day.

Treasury CIO Sonny Bhagowalia oversees its $3.5 billion IT investment portfolio and IRM strategy.

With several trillion dollars of GDP flowing through Treasury systems, keeping systems reliable and secure is a really important mission – the most important, Mr. Bhagowalia declared.

“We have to be secure and we have done a tremendous amount of work to make sure our infrastructure is secure.” But while there has been a lot of activity, especially in cybersecurity, not much is being said publicly.

Using an NFL analogy, he called those applications and operations professionals doing all the hard work behind the scenes Treasury’s offensive and defensive lines, which don’t get enough credit.

“The coach and the quarterback get the credit, but I want to credit these professionals who are the offensive and defensive lines in the cyber war. Some of these complex, sophisticated and brazen attempts blocked are scaled at millions of attempts a day. I applaud those who are doing great work.”

Mr. Bhagowalia described today’s IT environment as one that is transforming people, processes, technology and governance at breathtaking speed.

“We have to work the culture and understand how people look at these transformations,” he explained. “Celebrate the good things they are doing, but get them ready for the new world where technology changes are not 18 months of Murphy’s Law, it is 6 months.”

He sees issues in the supply chain, because the U.S. doesn’t have enough people to check code developed globally. He wants government to identify what data and high value assets really need to be secured, so the rest can be open data. Especially with cyber, Mr. Bhagowalia said we must train professionals to conduct their mission and be vigilant, because the adversary won’t stop trying until stopped.

One Computing Ecosystem
Dave Bennett, CIO, DISA

One enterprise computing ecosystem fosters standard sets of processes, tools, TTPs, governance structures and a common way of doing business.

As DISA CIO, Dave Bennett is responsible for the delivery and operation of secure worldwide enterprise IT services enabling the efficient and effective execution of DISA’s global combat support missions.

Part of that responsibility is overseeing DOD data centers, which through rigorous consolidation and optimization have been reduced to just eight.

But, “up to now, each has been independent with its own set of tactics, techniques, print procedures and tool sets as well as individual ways of doing business supporting the DOD apps we support,” Mr. Bennett explained.

Because each data center is acting, operating and optimizing at the “each is” level, Mr. Bennett noted that “we are not as efficient as we should be; and not doing things as we should be from an enterprise perspective.”

“The one computing ecosystem activity is to get away from eight independent data centers’ ‘doing their thing’ to one computing ecosystem,” Mr. Bennett stressed. With that comes a standard set of processes, tools, TTPs, governance structures and a common way of doing business.

“The focus is on how do we optimize from an enterprise perspective? How do we drive costs down, rates down, be more efficient, more effective. We see opportunities to leverage things in a way we’ve not seen before, because we are now operating at the enterprise level.”

With change, of course, comes challenge. Mr. Bennett noted getting the idea that change is necessary and getting the culture to accept that are the key issues.

He counseled to “get the right people involved up front who believe in change and not doing things the way we have always done it,” he declared. “Give them the opportunity to show you new and innovative ways to do things because they understand the environment and how to make things better.”


From 217 To 0
David Bray, CIO, Federal Communications Commission

Maintenance spending has been reduced from 85% to less than 50% of our IT budget since moving to the cloud.

Three years ago, when David Bray took over as CIO at the FCC, he was the 10th CIO in the past 8 years. Not a good track record for someone looking for long-term employment.

At that time, the FCC was spending more than 85% of its IT budget just to maintain its systems. Further, the average federal employee had been there 15.5 years and average contractor 19 years.

“There were 217 different systems with an average age of 10 years old, all on premise,” Mr. Bray explained. “The situation was only going to get worse. I was asking them to trust me — as CIO Number 10 in less than 8 years — to make the move to the public cloud.”

Now the number of systems FCC supports on premise is 0.

“100% is either on a public cloud or with a commercial service provider. We don’t maintain anything ourselves and our spend for maintaining our systems is down from 85% to being less than 50%.”

More importantly, Mr. Bray noted that previously, it would have taken six months to get a new prototype if you had come to us with requirements. Now being cloud based, we can get a working prototype to customers in less than 48 hours, he declared.

Not surprisingly he said challenges were 80% people and 20% technology. To overcome that Mr. Bray recommended that “Number One bring empathy, bring listening. The best C-suite leader is one who plays the role of counsel and therapist to the organization. And in that world there are no IT projects, simply mission projects with IT baked in.”

Assume your network has already been compromised; then change the conversation from just about cybersecurity to cyber resiliency. Talk in language leaders can understand — risk management and how to leverage private sector strengths.

Procurement In A FLASH
Soraya Correa, Chief Procurement Officer, Department of Homeland Security

The idea was to simplify the process, while making sure you have the ability to get what you want.

At DHS, Soraya Correa is focused on ways to bring innovation and creativity to procurement processes. A prime example is how Flexible Agile Support for the Homeland (FLASH), a $1.54 billion contract to provide agile design and development services, was developed and implemented.

To understand the needs of our customers, Ms. Correa brought together stakeholders throughout DHS.

“We actually white boarded the idea of a FLASH contract,” she recounted. “I started with the question how are you going to use this vehicle? What will it be used for? And how will we order services? We ended with the result and then we figured out how to achieve the result, rather than the processes.”

Ms. Correa stressed that FLASH was done differently. “We held an Industry Day like we have never done before,” she noted.

“We were not focused on the solicitation; we talked about the programs that were under the pilots that were going to use this vehicle. We had subject matter experts available to talk to industry representatives. We did a little ‘speed dating with government reps’ to answer questions and help them team up; and then we answered questions.”

When the solicitation was issued DHS surprised industry by issuing a ‘tech challenge’ instead of the standard proposal. “It was really a tech challenge, where we describe a problem and they come in and present a solution using the ‘agile methodology’”, Ms. Correa said.

“We had teams of observers and evaluators that worked with these companies; the company had four six hours to present their technical challenge and then a 1-hour presentation.”

All of this was done in 120 days; something that would normally take 2 years. DHS received 114 proposals and awarded the contract as a 100 percent small business set aside to 13 small businesses.


The Subtle Battle over Privileges
When reining in the keys to the kingdom, Admins aren’t always on board.

By Dan Conrad, Identity and Access Management Expert, One Identity

We’ve seen significant mentality changes in the world of Federal IT over the last few years. From Tony Scott’s Federal Cyber Security Sprint during the summer of 2015, to new NIST recommendations, to DISA requirements, it is pretty obvious the way we think about the security of what happens when we hit that Ctrl-Alt-Delete in the morning has changed.

Obviously, the push has been to provide stronger authentication, but a lateral push has been made in the way management and Security officers look at administration, privileges, and the admins themselves.

The Personal Identity Verification (PIV) and Common Access Card (CAC) initiatives are stronger than ever and great strides have been made toward compliance and reporting. It is imperative we continue to do everything possible to provide stronger authentication as quickly as possible for ALL accounts and remove access to passwords for every account.

“Free Range Admin”?

In my background in system administration, I can see how auditing and controlling my “free range admin” rights would have felt like the start of a battle with the Security team.

I can tell you that I probably would not have been completely cooperative, but nobody is excited to find out they are being watched. I can’t say we fought security, but we sure weren’t working together. In fact, knowing I wasn’t being watched gave my ego a certain boost, and although I always thought I was acting in accordance with security rules, there were always shortcuts available that worked quickly and were not audited.

Mitigation Strategy

When a new mandate driving stronger security is released there are always organizations that can’t completely comply immediately, mostly due to functionality or mission — that’s a given. But we still need to push to do as much as possible to mitigate the vulnerabilities. One idea that I hear is this:

“If I can’t meet 100% of the security mandate today, let’s just wait until we can.” This concept has some validity in that spending valuable dollars in a time of shrinking budgets on a temporary solution seems like a waste. But just because you can’t do everything doesn’t mean you shouldn’t do something. Keep in mind, the mandates are published to mitigate a vulnerability and compromise can be much more costly than a solution. For example, PIV and CAC enabling administrative accounts. Most systems with admin or root accounts do not support the PIV/CAC enabling of those accounts. Does this mean we do nothing to secure these highly-privileged accounts? Although we can’t truly PIV or CAC enable these accounts we can use a Privileged Account Management solution to obscure the passwords from the admins and even make the passwords much less relevant.

Vulnerability Irrelevancy

A key principle in secure authentication is to take a vulnerability (such as a password) and, instead of implementing great measures to make it uncrackable, just make it irrelevant. Using a privileged account management system in conjunction with multifactor authentication (PIV/CAC) is a step toward making the password irrelevant.

When you change the way admins operate, be prepared for pushback “admin style”. Some see the increased security as an improvement while others will be forced in through the “kicking/screaming protocol”.

The same is true when dealing with administrators, par-ticularly when it comes to auditing and compliance. There are three concepts that have evolved in my mind over the last 20+ years of government IT. I’ve adjusted these concepts when working with admins and their privileges:

1. Any change comes with some level of overhead, at least initially.

2. If you don’t make life easy for your admins, they will find a way to make their lives easier and Security will not like how they do it.

3. If more than one person knows the password to any account, auditing the actions of that account is pointless.

Next StepsAs the new requirements around privileged accounts

(service accounts, root, admin, whatever your preferred name) turn into projects, the project plans usually involve a phased approach. Getting control of shared accounts or service accounts is typically at the top of the list. The next phase is usually local accounts on devices such as servers, worksta-tions, firewalls, network devices, etc.; then the final phase is personal privileged accounts such as domain/enterprise admins, etc. Obviously, the larger the enterprise the longer the phases tend to take, but this phase-in can leave significant vulnerabilities in the environment.

For instance, leaving the personal privileged accounts unmanaged can allow admins to bypass required lockdowns on things like service accounts in Active Directory. If an Enterprise Admin really wants to take control of an account, they can reset the password on the account and use it. For reasons like this it is imperative that the project run the full course through all phases and is kept on track, or even accelerated.

As our security posture becomes further ingrained into day-to-day admin life, the battle between Security officers and admins will subside. As an administrator, I plan to work with Security to understand the intent of the mandates as well as help them understand how the mandates affect the functionality of the systems I support.

SOLUTION FOCUS

One Identity Resource Manager

Managing elevated and shared access credentials is one of the biggest challenges facing complex heterogeneous organizations today.

Administrators must be able to access the systems they manage with sufficient rights to do their jobs, but organizations must control that access to ensure security and regulatory compliance.

Privileged accounts are everywhere in our enterprises. They’re on servers, on every workstation, in the Unix environment, on our network devices and even shared among admins. In today’s world, getting control of these highly-privileged accounts must be a top priority to protect the data and ensure availability of critical systems.

One Identity Privileged Password Manager automates, controls and secures the entire process of granting administrators the credentials necessary to perform their duties. Privileged Password Manager is a critical component of One Identity privileged account management solutions and is deployed on a secure, hardened appliance.

This solution gives government organizations the capability to roll all types of privileged accounts under the control of a secured, hardened appliance. Any use of privileged accounts can then be authenticated through the PIV or CAC without having to modify the end system. All privileged account use can then be fully audited and controlled.

Privileged Password Manager ensures that administrative access is granted according to established policy, with appropriate approvals; that all actions are fully audited and tracked; and that the password is changed immediately upon its return.

Delivered as a secure hardened appliance to ensure that your passwords are safe. The appliance can only be accessed via a secure, role-based web interface that protects against host admin attacks, as well as database, OS or other system-level modifications. This secure appliance-based approach takes away the concern and effort to install and secure access to the software.

Learn more at: www.quest.com/PrivilegedAccountProtection


Department of the Navy

Department of Homeland Security

Navy CIO Rob Foster and his team are responsible for deploying broadband services to users and their families at 124 bases across the Navy. Sounds straightforward enough; you just call your local broadband provider and voila, it’s installed.

But the Navy is not your living room. Installations are spread far and wide. Further when “we mapped the process, we found it took 5 years to get broadband towers out to the bases because of the methodology used,” Mr. Foster said.

To change that: “we had to find the right people in the installation environment. Energy owns the installations and many of the spectrum managers on the bases don’t have the same chain of command,” he said. “So normalizing those two we pulled together a team.”

Historically deployment required an RFI and RFP and then a lease. “If you challenge that question ‘why do I need to actually do a lease?’ you can change the discussion with the real estate pros and the base installation spectrum folks and public work folks. In the end the actual definition became ‘easement’.”

By changing just that one word the entire process is changed because for an attorney the difference between a lease and an “easement” is a big deal. So now we are using easements to do access to towers on to bases. The process has been reduced to 12 months or less, he proclaimed.

Now providers can build a tower, but it is not a proprietary solution, Mr. Foster noted. “So the first one in builds it; the second uses the same tower and we have more carriers faster.”

The lesson learned is to challenge why we always do things the way we have done before. “Get the right people in the room and start with the end in mind. In our case 5 years was way too long to get a tower installed.”

For Adrian Gardner, everything begins with knowing your customers. When he was a new CIO, he went to installations where they hadn’t seen a CIO in 5 to 10 years. Collaboration begins with a phone call.

And as FEMA CIO, he collaborated with DHS procurement to develop and implement the FLASH agile procurement vehicle. “FLASH is probably the largest annual contract let across the government as a whole,” he said. “We are looking to leverage it across FEMA modernization activities.”

Mr. Gardner has also brought Agile IPT (Integrated Project Team) to the modernization activities. He said Agile IPT is really a communications method we are using to plan how we are going to deal with FEMA modernization activities.

This has led to discussions on streamlining the software engineering lifecycle process and ensuring complete engagement with the senior leaders in the Department as partners, so people can make informed decisions on the integrity of the product.

Mr. Gardner noted that FEMA is examining its governance and project management models. “We have steering committees within the executive steering committees that oversee modernization activities.”

For example, grants modernization, financial system modernization and flood insurance are overseen by one executive steering committee.

Mr. Gardner is also working with the CIO Council on governance. “The discussion is on strategically looking at acquisition; how to advance that and strategically align that behind the Department. And we are looking at changing some government processes in place so that everyone can get on the same page.”

With governance comes linkage to actual budgets. Mr. Gardner has put in a project code for each IT system. FEMA now has true visibility and tracking. With a keystroke at the end of the fiscal year, FEMA can look at its IT spend and how it relates to systems.

One Word Changed, Broadband Delivered!

An Agile FEMA

By changing one word, the process changed and tower deployment went from 5 years to 12 months or less.

Everything begins with knowing your customers.

Rob Foster, CIO, Department of the Navy

Adrian Gardner, CIO, Federal Emergency Management Agency, Department of Homeland Security


Department of Defense

Department of Homeland Security

For the first time, DOD has made the decision to go to one operating system within DOD. We are going to Windows 10, declared CIO Terry Halvorsen.

“We currently run, I believe, every operating system that was ever invented. We have to change that,” he said. To change that environment, DOD will now standardize on one OS.

With Windows 10, Mr. Halvorsen stressed DOD will see improvements in cybersecurity and the patching processes. “It improves our ability to understand and see our networks across all of DOD.”

The move will include all of DOD. It will impact 3 million Windows-based laptops, desktops, tablets and major networks. DOD will spend $7.5 billion for the changeover alone — money that Mr. Halvorsen thinks is well-spent.

“This is unprecedented for the Department and unprecedented for the industry; and a big plus for Microsoft. They are helping with all the logistical planning, testing and implementation.”

To date we have rolled out 250,000 seats, said Mr. Halvorsen. “That might sound like a lot but that is only 12 percent of the DOD population. The goal is to hit 90% this year and finish any hard parts in 2018.”

His first challenge is the unusually large scale. “No one has done this type of turnover on this scale,” he said. “The other thing as the DOD, you are the IT leader, manager, facilitator and counselor for the largest enterprise in the world.”

You have to get Army, Navy, Air Force, Marines and DISA together. “That’s the single biggest challenge in DOD; it’s not the technology, it is the commitment and understanding of how all the finance works.”

There is a complete commitment throughout the Department and all the services that we are going to get this done, he noted.

When it comes to delivering software capabilities, CIO Luke McCormack is clear on his intentions.

“The intent is to design purpose-built, very specific systems to meet business needs,” Mr. McCormack explained. “There is only one TSA, only one CBP; they need very specific systems to meet their specific needs.”

When DHS decides the system needed is a purpose-built one, it springs into agile development mode. “Using this type of capability and methodologies, we can deliver minimal viable products, then get early feedback and continue to improve the products as we go along. That is a tectonic shift in the way we used to deliver software services.”

When trying to build something, buy something or cross service with something, it used to take us up to a year to do the alternative analysis, he said.

There are business apps across our components at various stages of their life cycle; and we are taking all of these apps and solutions and piloting a concept where we are decomposing and reconstructing them; and shrinking the time we deliver them.

“We have shrunk the time to weeks and months and shrunk costs as well,” Mr. McCormack stressed. “If we need a capability in 120 days, we are not going to go through the traditional method.”

“They are under a lot of pressure, but we want them to experiment, push the envelope and get into the unknown,” Mr. McCormack noted. “That’s where the leadership must reward risk taking. We must reward that. We know folks will make mistakes and give them the air cover to adjust there and be able to adjust accordingly.”

One OS for DOD

Build With Agility and Purpose

All of DOD is transitioning to one OS — Windows 10.

Terry Halvorsen, CIO, Department of Defense

Luke McCormack, CIO, Department of Homeland Security


Modernizing our Government’s Technology

Yesterday’s IT solutions will not solve today’s problems


Our IT infrastructure is old and inefficient, barely operating at capacity and behind on updates and routine security checks. And yet, never has our nation relied more heavily on these networks for daily tasks than we do today. With cyber-attacks becoming more frequent and sophisticated, we can’t assume our outdated security systems will protect us any longer. We need to start getting ahead of the threat, instead of trying to keep pace with it.

There is widespread agreement among lawmakers and federal officials that improved cybersecurity will require massive upgrades and modernization of our federal IT infrastructure. The only true way to dramatically improve our cybersecurity is to take an enterprise-wide approach, with flexible, scalable and dynamic tools, and a procurement process to match.

Fix The Disconnect

To do this, we need to fix the disconnect between what the government wants to do — needs to do — and what it is doing. Simply put, we need a paradigm shift.

If you look at a federal agency’s IT network today, a few common themes emerge. Chief Information Officers (CIOs) are hamstrung by outdated procurement processes that leave them with outdated technology — technology that is too slow and too limited in capabilities to meet today’s threats.

Answer Basic Questions

As a result of these outdated processes, the majority of security tools in use today were created before mobile and the cloud became dominant forces in IT. They are 10, and sometimes 20, years old, and merely re-packaged to fit the government’s specific requirements. These tools cannot effectively protect today’s dynamic environments. Far too often, we find that agencies cannot authoritatively answer three basic questions about their network:

1. How many endpoints are on the network?

2. What’s running on these endpoints?

3. Who has access?

If an agency’s CIO cannot easily obtain the answers to those basic questions, they are running an agency blindfolded. Without these critical data points, CIOs can’t put together a basic risk profile. And if they cannot see what’s on their network, they cannot even begin to protect and manage it. Many IT organizations have accepted inaccurate data as a part of IT management. This no longer has to be the case. In fact, it’s imperative that this change.

Inaccurate data leads to agencies failing to detect intrusions until days, weeks, even months after they have occurred. And when they detect an intrusion, they cannot quickly mitigate it, because their IT solutions do not give them comprehensive control over their network. A truly resilient cybersecurity platform needs the ability to identify the breach when it occurs, isolate it, and prevent it from doing real damage, all in real time.

Solving the problem

To date, new IT capabilities have been adjusted to fit requirements, when it should be the other way around: requirements should be adjusted to take advantage of our nation’s cutting-edge and innovative tools. Instead, today’s IT procurements produce highly customized, expensive, and cumbersome technology that is obsolete by the time it is deployed.

By Ralph Kahn, Vice President Federal, Tanium

Agencies should follow the model set by the private sector and use a new mechanism that allows them to try a tool for a month, evaluate it, and purchase it as a subscription service, rather than undertaking the massive, multi-year contracts that are currently used. The private-sector model would reduce the costs the government encounters, and enable faster acquisition with much lower risk than a monolithic, multi-year approach allows.

Simultaneously, the Office of Management and Budget (OMB) and the General Services Administration (GSA) should encourage a shift away from dozens of different custom-built point tools that solve singular problems. Instead, OMB and GSA should move toward platforms that are scalable enough to cover the whole environment, and flexible enough to quickly adjust security controls to whatever is being seen in the environment.

What success looks like

A few federal agencies have started to create new options for procuring innovative technologies. For example, the US Air Force was able to rapidly evaluate, acquire and deploy a new technology from Tanium for its Automated Remediation and Asset Discovery (ARAD) program. Tanium gives the Air Force real time visibility and control over its hundreds of thousands of IT assets. With this visibility, the Air Force can detect and remediate threats in seconds, by dynamically tuning its controls to meet the threat in front of them.

Most importantly, the Air Force is modernizing its processes and procedures to take advantage of this new capability. They can now implement critical patches across their entire network in just hours, or uninstall software in minutes if they discover a vulnerability.

The Air Force won the 2016 Department of Defense Chief Information Officer Team Award for Cyber and Information Technology Excellence for implementing this technology. Now, the Air Force is working to implement it across all Air Force networks. Lieutenant General Bill Bender, Air Force CIO, recently stated “This is the cyber platform we will fight from in the future.”

The ARAD program is proof that the government can be on the cutting edge and, when it is, it’ll significantly improve its security and its efficiency.

SOLUTION FOCUS

15-Second Visibility and Control Over Every Endpoint. Even Across the Largest Networks.

Tanium gives the world’s largest enterprises and government organizations the unique power to secure, control and manage millions of endpoints across the enterprise within seconds. Serving as the “central nervous system” for enterprises, Tanium empowers security and IT operations teams to ask questions about the state of every endpoint across the enterprise in plain English, retrieve data on their current state and execute change as necessary, all within seconds.

With the unprecedented speed, scale and simplicity of Tanium, organizations now have complete and accurate information on the state of endpoints at all times to more effectively protect against modern day threats and realize new levels of cost efficiency in IT operations.

In a fully digital world, the lifeblood of an organization lies in its ability to gain the upper hand against bad actors by moving faster than they do and stopping attacks before they cause irreparable damage. The rising number of security breaches across both the public and private sectors is directly caused by IT’s inability to find or fix the issue quickly enough at scale — the incumbent approaches and tools are too slow and scale too poorly to secure and manage the rising number of business-critical IT assets today.

Tanium is fundamentally transforming IT with the industry’s only platform capable of delivering 15-second visibility and control over millions of geographically distributed endpoints, from laptops to desktops to virtual machines to cloud assets to ATMs.

Instead of relying on data that is hours, days or weeks old, security and IT operations teams now have accurate and complete data that is only seconds old and the unique ability to make changes across the enterprise in seconds as well.

With authoritative data on what is actually happening — as it’s happening — and the ability to make change nearly immediately, organizations are now back in the driver’s seat to stay ahead of attackers and reclaim operational inefficiencies that have plagued them for years.

Visit us at www.tanium.com or follow us on Twitter at @Tanium


Perhaps the most common problem I hear about from customers these days is that security operations teams are overwhelmed with alerts and addressing every single one of them is eating up valuable resources.

As a result, defenders are unable to stay ahead of threats and may miss attacks altogether. Fortunately, not all is lost. There are tools and tactics that can be used to filter out the noise so security teams can more quickly turn their focus to important critical issues.

One of the first things an organization can do is look at the tools they already have and then establish a strategy to integrate those tools for incident response through security orchestration.

This can allow security teams to get more value out of their tools by building courses of action for all the daily mundane security tasks that must be accomplished and get in the way of real work, which involves focusing on the attacks that matter.

As the enterprise continues to evolve, orchestration can allow more flexibility through stitching together new capabilities on a frequent basis.

FireEye acquired Invotas because their security orchestration tool provides that capability, allowing defenders time to step outside the busy alert cycle so they can follow up on the more critical and possibly impactful alerts.

Actionable Data Prior To An Attack

Gathering threat intelligence from behind enemy lines can also help organizations stay ahead of attacks. This is something pivotal to militaries around the globe, yet the security industry doesn’t do it nearly as well.

iSIGHT Partners, on the other hand, has built their entire company around gathering enemy intelligence. They have hundreds of analysts around the globe “living” inside attacker camps, and that is the very reason why the company is now part of FireEye.

iSIGHT Partners gives our customers a new perspective — one directly from the attackers’ point of view. Suddenly, we know what tools will possibly be used against us, why we’re a target, and how our systems will be broken into – all before the attack is executed. We have valuable information that we can use to stop an attack that hasn’t even been launched yet.

Automated And Orchestrated Response

Filtering Out Noise, Freeing Up Resources and Shutting Down Threats at Speed.

By Tony Cole, Vice President and Global Government CTO, FireEye, Inc.


Actionable Data Prior To An Attack

The threat actor’s perspective combined with our machine-led intelligence from real-time breach alert detection via our FireEye MVX driven platform provides us with extremely useful and actionable data even prior to an attack.

However, it’s important to keep in mind that breaches will inevitably happen since — as we all know in the security industry — nothing will stop a determined and well-resourced adversary. This is where our Mandiant Incident Response team comes into play. Mandiant teams come in and quickly investigate and mitigate the damage from an attack.

Throughout the incident response, they are gathering more threat intelligence that we can tie in to our threat actor intelligence and our machine-led intelligence. By combining this data with information from our existing legacy security tools, we can now better automate the courses of action for response.

Game Changer

All of this is a real game changer for defenders. They can now understand attacks before they happen through pre-breach threat intelligence, tie that in with machine-led threat intelligence and post breach threat intelligence, and integrate that with courses of action that automate response. As a result, they can stop more threats dead in their tracks — and more quickly too — without having to use up most of their resources. This allows us to revamp our security strategy with an ‘Intelligence-led’ perspective and truly understand the risk to our environment.

SOLUTION FOCUS

Protecting Before, During and After a Breach

The FireEye Adaptive Defense approach to cyber security enables you to recognize and apply the right mix of technology, intelligence, and expertise to protect against advanced persistent threats (APTs). Your security solution must be able to detect, prevent, analyze, and respond to both known and never-before-seen cyber attacks. Only Adaptive Defense lets you pick the perfect combination of industry-leading FireEye technology, real-time threat intelligence and proven expertise to meet your needs.

Technology

Protect your email, network traffic, and content files on mobile, endpoint, and network devices from never-before-seen malware. At the core of all FireEye products is the patented Multi-Vector Virtual Execution (MVX) engine. It detonates and analyzes suspected threats in a fully-secured, realistic virtual environment. Together, FireEye technology raises the bar when it comes to identifying unknown threats and protecting your organization before, during, and after an attack.

Intelligence

Quickly identify, prioritize, and respond to important security alerts with FireEye intelligence. Attack and attacker data is collected and constantly updated from millions of virtual machine deployments and decades of incident response cases. The FireEye Labs teams track and identify the latest attacker behaviors and technical innovations and post their findings to benefit the entire security community.

Expertise

Extend your in-house team with FireEye experts who have front line experience analyzing environments for everyday threats and battling breaches that might otherwise make headlines. With a continuous monitoring service, we proactively hunt for threats in your environment and instantly help respond to incidents at your request.

Modern cyber security is not just technology you can “set and forget.” Attackers are clever, technology is complex, and experts are in short supply. FireEye puts insight, power, and talent in your hands to give you agile, flexible, and integrated protection. Get started now to evolve your cyber security and protect your organizational assets.

To learn more, visit www.fireeye.com/solutions/government.


Department of Transportation

Department of Commerce

During DOT’s move to Microsoft 360, CIO Richard McKinney listened seriously to those unsure whether the network – a collection of 8 or 9 separately architected and designed networks — could handle the traffic.

In response, Mr. McKinney hired outside experts to do bandwidth and capacity planning.

“They installed a technology called Riverbed, which allowed us for the first time, to see all the devices on our network,” he said. “We started with all the known network devices; the administration gave us the information on routers, servers, load balancers, the IP addresses.”

What DOT discovered was nearly 200 devices on their network that were unknown.

“It was a wakeup call; our federated approach to network management left us vulnerable,” he said. “It allowed field offices around the country, in their ‘cowboy’ way, to install devices onto our network. It’s a huge cyber weakness.”

The good news is now everything is cleaned up.

“Now we understand everything that is on our network; we have the ability to log into it and manage it; and we make sure it is patched correctly and configured correctly. We also now have the capacity to know if there is anything connected to our network that we didn’t know about before, we are instantly alerted and we can take appropriate action.”

Mr. McKinney noted that the original goal was not only met, “but we ended up with this huge side benefit that really changed the conversation in the Department about why with something as fundamental as the network, are we doing that in a decentralized manner?”

“The old way didn’t work! We have to have an architecture, standards and robust enforceable change management processes,” he said. “Cybersecurity comes with doing basics right and doing them well. It is not something you buy and bolt on, it is the way you conduct yourself.”

Rod Turk oversees 12 Commerce components, diverse in their functionality from Census to NIST to NOAA to PTO. His team manages department-wide cybersecurity initiatives, programs, and monitoring, including risk assessment of the IT owned or operated on behalf of Commerce.

“We have responsibilities from the surface of the sun to the bottom of the ocean.” In 2014 the Defense Reauthorization Act brought a new responsibility — meeting the new FITARA requirements, he said.

“It presents unique challenges due to the diversity of the functionalities, however we have been successful in pulling together the strategic intent of FITARA,” he said. “We have had a score of B for the past couple of cycles. Not only has this been successful, but it has also had multiple benefits.”

Benefits include allowing Commerce to be able to review investments; and putting forward the various IT security programs where there are investments.

On security, strategic planning takes into account the need not only for end point security from the CDM program, but also looking at network monitoring processes and procedures and also database processing and procedures to enhance security posture.

Mr. Turk also noted that Commerce is examining the total life cycle of malware and any opportunities to identify it before it enters. Then, if malware does appear, how do you deal with it as it traverses the network.

“You need the ability to be able to identify where the malware is, what is happening in your particular system, and then be able to react and be resilient and respond once you identify those issues that need to be addressed.”

The whole FITARA process has “enhanced the CIO at the corporate level, but also the CIO at each of our components and gives them a clear view into their investments and strategies.”

Unintended Benefits

Above, On and Below Earth

We have to do things smarter than just stitch everything together and hope it all works out.

FITARA has spawned multiple benefits across Commerce.

Richard McKinney, CIO, Department of Transportation

Rod Turk, Acting Deputy CIO and Chief Information Security Officer, Department of Commerce

NASA

Renee Wynn was at NASA for merely two months when appointed CIO. The 25 year EPA veteran knew she faced a steep learning and acceptance curve. She also needed to improve NASA’s “F” grade on the FITARA report card.

“My focus from day one: How do I get 10 centers with really smart folks — they are rocket scientists — going in the same direction on important projects that are capabilities associated with our mission (airplane, satellite and rocket)?”

Ms. Wynn also was tasked with improving NASA cybersecurity, where she found that often centers were working at cross purposes.

“We have changed the dialog on cyber; it’s not about a risk to a CIO or CISO, but a risk to the enterprise and the reputation of the federal agency,” she explained. “The dialog needs to change from ‘IT speak’ to the way businesses need to change, such as doing supply chain and code and syntax checks at the beginning.”

Ms. Wynn brought the team together to focus on the goals at hand. Knowing that working together would achieve more for NASA, she realized “we needed to simplify things.” There are a lot of go-to folks who want to do a lot. We needed to sort that out so we can meet FITARA and across the board better manage IT.

Ms. Wynn’s perseverance paid off when NASA’s FITARA grade rose to a C+.

“Anyone who has done training knows you just have to stick with it and do things when you don’t necessarily want to. You need to reenergize yourself to remain fresh,” she said. “There’s a lot of cheerleading, cajoling and tough conversations. You stand in the face of stiff winds but know that on the other side you will have greatness.”

Exploring New Frontiers

We have changed the dialog on cyber from ‘IT speak’ to enterprise needs.

Renee Wynn, CIO, NASA


Agencies are adopting cloud-based SaaS applications at increasing rates and many are simultaneously moving existing applications and systems to public and/or private cloud infrastructures, making hybrid IT environments the new standard.

There are many things to consider when designing a hybrid integration strategy. Understanding the important integration challenges of evolving to a hybrid IT environment is critical.

Consider the following five essential steps to be successful when creating your hybrid integration strategy.

Step 1: Understand your integration “center of gravity.”

One of the first things to consider is where to host your integration tools and technology. Consider your “center of gravity” — the locations of the systems you have in place today, including strategic systems of record such as ERP or systems maintaining citizen-based information. Agencies with only a few cloud applications or applications that cannot be easily moved to the cloud for data security or regulation purposes are best left on-premises with connectivity to the cloud. Cloud-only solutions are best for organizations that do not have many legacy investments. Hybrid solutions make sense for agencies that have many legacy on-premises applications but are adopting new applications and infrastructure primarily via the cloud.

Step 2: Determine how much control and responsibility you want or need.

An agency’s motivation for adopting new cloud services will often answer the question of control and responsibility.

Private/public cloud integration provides the most control but requires maintenance and upgrades similar to on-premises applications.

Managed cloud integration offloads hosting and maintenance to a third party, reducing the amount of hands-on management required by your organization, but also limits the control and flexibility available to the organization.

Hybrid cloud integration involves a cloud-based integration service, such as an iPaaS, to integrate cloud-based applications with on-premises integration technologies, such as an Enterprise Service Bus. This approach offers continued control over your integrations, reduces maintenance and upgrade responsibilities, lowers the cost of re-engineering existing integration investments, provides faster time to integration, and automatically scales based on transactions running through the system.

Step 3: Know your users.

Agencies are changing their integration approach so that individual departments can gain more control of their own integration projects. “Citizen integrators” are increasingly common non-IT staff who are responsible for the implementation of departmental SaaS applications.

For these users, integration tools need to be easy to use, provide a more consumer-friendly interface, and not require an understanding of advanced integration architecture and concepts.

In contrast, traditional integration developers play a key role in integration projects that are mission critical and require specialized knowledge and skills, such as designing integration architectures and plans. It is important that the solution of choice satisfy this bi-modal development.

Step 4: Plan how to keep up with project demands.

As the number of SaaS applications increases, so do the demands and complexity for integration projects. Leveraging existing integration assets, such as services, mappings, transformations and orchestrations, is the simplest way to keep up with integration project demand.

Another option is to think of IT’s role in integration as a service provider, giving departments the ability to do the integration work themselves, requiring that IT establish common architectures, services, access, and tools for integration projects and then making these available for use by departmental users.

Is Your Integration Strategy Future Ready?

Know the Five Steps to Creating a Hybrid Integration Strategy in Government.

By Chris Borneman, Vice President & CTO, Software AG Government Solutions

Hybrid solutions make sense for agencies that have legacy on-premises applications but are adopting new cloud applications and infrastructure.


Step 5: Consider how you will ensure data quality for your systems of record.

Changes in who develops integrations, as well as which approaches you take to build integrations, have the potential to introduce risk, particularly regarding how your data is protected from corruption caused by developers who do not have the right level of knowledge about your systems of record.

Only authorized users should have access to application data, and proper governance and controls are essential to mitigating risk and maintaining compliance policies. One method is to document your integration processes and best practices with the goal of mitigating any risk that could be introduced into your environment.

Put the #1 Integration Platform, webMethods, to the Test and Get Started

By developing a hybrid integration strategy, agencies poise themselves to meet the needs of IT integration developers and empower non-integration specialists with self-service integration tools to solve integration projects quickly. Are you ready to get started on building an integration strategy for the future?

Software AG provides the industry’s leading secure and reliable hybrid-integration platform, webMethods. With webMethods, you can meet the needs of your IT integration developers as well as empower non-integration specialists with self-service integration tools to solve their integration projects faster than with any other platform. Software AG’s webMethods Integration Platform runs in the cloud and on-premises, as well as in hybrid scenarios.

webMethods is a proven, pre-integrated software suite featuring the market-leading Enterprise Service Bus (ESB) that enables enterprises to rapidly integrate systems, services, devices, processes, business partners and data.

Software AG invites you to put webMethods to the test at your agency. Download a free trial at http://www.softwareag-gov.com/freetrial

SOLUTION FOCUS

Our Mission is Your Success.

Our highly trained team takes a “special forces” approach to solving complex IT challenges quickly and efficiently for the federal government and its supplier communities. Used to process billions of transactions every day, our customers rely on our software to tackle their toughest mission-critical IT needs. Positioned as a leader by industry analysts in a wide range of categories, our core products: webMethods, Terracotta, ARIS and Alfabet work together as a secure digital platform to support organizations in four major competency areas:

Integration and Process Automation

Our webMethods platform is the world’s leading technology for service-based integration and orchestration of applications. The federal government already uses the platform extensively to simplify integration of disparate systems and streamline interaction with external partners. The platform is constantly evolving, with new capabilities to meet tomorrow’s hybrid integration challenges.

Business Modeling & IT Management

Avoid a proliferation of duplicative and disjointed IT investments. By leveraging products such as Alfabet and ARIS, government organizations can manage complexity and minimize stove-pipes as they build and maintain IT infrastructure assets. Millions already rely on ARIS for designing, publishing, analyzing and optimizing processes. Alfabet complements ARIS by delivering insights to help agencies make the right IT portfolio investments and tie them firmly to mission goals.

Real-time Big Data & Streaming Analytics

Your agency’s big data can be a big advantage, but only if you can unlock insights quickly enough for them to be of use. Our Terracotta In-Memory data management platform along with Apama for real-time event processing and streaming analytics are changing how government stores, accesses and processes data. Agencies are learning to unshackle from slow, disk-bound databases and embrace managing data in-memory and applying real-time analytics to that data, no matter where it resides.

Mainframe Modernization

Make existing applications easier to use and accessible. Our experts can help you jump start your modernization program, unlock proven business logic for re-use, assure a consistent, intuitive user experience, and help you lower your mainframe usage to reduce your costs by nearly 80%.

Learn more at: www.softwareaggov.com.


I’ve been through 11 transitions during the time I worked in government. So one might think I’d have some institutional knowledge and lessons learned about these transitions to pass on? However, I have never been involved in a change-over when the President and many of his appointed officials have little or no prior government experience. So this transition will be different to say the least. I don’t believe anyone can predict some of the events that lie ahead.

Navigating The Waters

However, I believe that no matter how things play out, certain actions can help senior career SES’ers to get through the transition without fear of job security. Here are some of my suggestions to survive the transition(s).

First and foremost, it is a misnomer to say “the” transition. You will really face close to a year of multiple transitions as it will take time to get jobs filled and Senate Confirmations completed. The first of the transitions has already happened — the President’s transition team met with senior officials at your agency. The second is ongoing as the Agency Head gets confirmed and his or her “team” comes to town and assumes their positions. This process then continues as additional levels of political executives are named at your agency. At some point one of these executives will be your new political boss and he or she will bring staff to the Agency. In all cases, you will be briefing multiple newly elected officials on the work being done by you and your staff. So for what it is worth, here are my “do’s” and “do not’s” based on past observations.

Do’s and Don’ts

DO: Your homework and research as much background as possible on your new executives before you meet with them. Learn about their prior experiences.

DO NOT: Talk politics.

DO: Meet with your major contractors and get on consistent messaging. The Contractors will be in a frenzy to also meet the new executives and consistency in what the government and industry are saying about programs will be important to avoid confusion.

DO NOT: Complain or criticize contractors with the new executives. You need to have time to understand the new executive’s positions on government and private sector work.

DO: Offer your time to brief them and name one or 2 members of your staff as points of contact — you want to be sure you are reachable (or someone on your team) on short notice.

DO NOT: Push too hard to get in front of them. Work at their recommended pace. Make it known you are ready to brief them when they are ready.

Guiding The New Team

DO: Accept and answer questions even if you believe they are naïve. Remember, some of these executives never worked in the government before and we take for granted the institutional knowledge we have gained working in government. I’ll relate 2 actual stories I encountered. One was a meeting with a contractor and a new political appointee I was invited to attend. At the end of the meeting, the political appointee said we would purchase their (contractor) product. Rather than go into the competitive procurement rules in the government at the meeting, I simply said I’d look into the options. I then scheduled a briefing for the new executive with our head of procurement for a tutorial on how the government buys goods and services. Another example was when a new executive asked who was our major integrator? When I told him, he replied he didn’t like that company and wanted to have them replaced. Again, a Procurement briefing was next since we had a 5 year contract that was going just fine. So…

DO NOT: Come across as an obstructionist and imply questions are naïve. Some of the new executives are not familiar with government rules and FAR regulations — find diplomatic ways to educate the executives on the peculiarities of government.

DO: Look for ways to embrace the changes. Don’t ever say, “That’s not how we do things here”! Embrace change rather than fear it. Think of some changes you were trying to pursue with the prior regime but couldn’t get done — this may be an opportunity. Stay with the old adage that there are no constraints, just challenges.

With change comes some anxiety and fear of the unknown but by embracing change you can help move the organization forward and build a healthy working relationship with the new team. In the words of Andre Gide, “Man cannot discover new oceans unless he has the courage to lose sight of the shore”.

Transition(s) Survival Guide

By Jim Flyzik, The Flyzik Group

Stay with the old adage that there are no constraints, just challenges.

Jim Flyzik is the President of The Flyzik Group. Mr. Flyzik also serves as the Chairman of the AFCEA International Committee on Homeland Security and hosts the monthly Federal Executive Forum radio program on Federal News Radio. Mr. Flyzik has 27 years of federal service. He served as Senior Advisor to Governor Ridge in the White House Office of Homeland Security (OHS). From 1997-2002 he was the Deputy Assistant Secretary for Information Systems and CIO for Treasury. He also served as the Acting Assistant Secretary for Management for Treasury in 2001-2002. Prior to his Treasury positions, Mr. Flyzik worked for 18 years at the U.S. Secret Service where he held key IT management positions.


Heraclitus stated the obvious. I would argue that this centuries-old adage is axiomatic for us, even today, as individuals, societies, and cultures — and every organization, irrespective of public or private sector orientation.

If one accepts the above-stated premise, I find it enigmatic that in development programs, business schools, and practice, leadership and dealing with change are usually treated as two separate subjects, discussions, and areas of thought and study. Isn’t the basic definition of leadership, namely guiding others to a desired future state, describing the essence of change?

Change leadership versus change management

Like the distinction often made between leadership and management, a companion discussion with regard to change is enlightening. Change management is the most recognized and often cited term of the two. This discipline, originating from accountant-type thinking, intends to codify efficient methodologies for managing and controlling change processes. Change management is largely void of sorting through the future’s uncertainties in order to decide the reasons behind, and degree of, change that needs to take place. Change management is a subject found in most business schools.

The concept of change leadership is less familiar, but arguably a more compelling top-tier leadership focus area. Similar to the leadership/management discussions, the differentiation between change leadership and change management is one of need versus execution. Change leadership could be described as the art and science of determining the why, what, when, where, urgency, and degree of change needed.

Know your role

In the private sector, the catalysts for the more dramatic organizational changes tend to be driven by external factors not normally within the control of a company: technology disruption, process breakthrough, talent, consumer demand, and market dynamics. The forces behind most change in the public sector are likely to result from a crisis, disaster, corruption, program failure, or change in the law or governmental policies. Irrespective of even the most drastic change, every organization, and in fact, every leader has to deal with personnel turnover, performance successes/lapses, process improvement, and new tasks, programs, and initiatives. Looks like…sounds like...feels like…change!

Making Change Positive

As Niccolò Machiavelli reportedly said six hundred years ago: “There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things.” Within bureaucracies, overcoming “change antibodies” is difficult and painful. Below are thoughts to keep in mind when you, as a leader, are grappling with the challenge in undertaking or implementing change within your organization:

✓ Pick outcomes and milestones that you can affect.

✓ Craft visions, strategies, and plans that have consequences for failure to achieve.

✓ Map Malcolm Gladwell’s “tipping points” before you get started — taking into account stockholders with conflicting interests.

✓ Manage participants and inputs — don’t spend too much energy in building consensus on issues not on the critical path to the desired outcome.

✓ Working in a “comfort zone” won’t bring about change — if the routine isn’t challenged, change is not underway.

✓ Don’t let meetings become debating societies or surrender your “veto” prerogatives to others.

Successful change is more relationship-dependent than merit-based. The key to managing change is to reduce drama whenever possible. Creating change usually entails adopting new concepts/ideas (seen as winners within the organization) and abandoning previously embraced ones (rightly or wrongly, considered losers). The buzz phrase in today’s business classes is to “create win-win situations” in change processes. In practice, there aren’t as many of these — don’t expect to routinely have such opportunities at your disposal, if ever. Unlike other parts of modern culture, in changing organizations, not everyone gets a trophy (gasp!). And that’s a good thing (double gasp!).

Dr. Dale Meyerrose, Major General, U.S. Air Force (retired) is President of the MeyerRose Group — a cybersecurity, executive training/coaching, and eHealth technology consulting company. He is an adjunct instructor for Carnegie Mellon University, Institute for Software Research running their Cybersecurity Leadership Certificate program. General Meyerrose, a Southwest Asia veteran, was the first Senate-confirmed, President-appointed Chief Information Officer for the Intelligence Community after over three decades of military service.

Everyone’s for Progress — It’s Change We Don’t Like

By Dr. Dale Meyerrose, Major General, U.S. Air Force (retired)

Change is the only constant in life. —Heraclitus, 500 B.C.


In the first days and months of a new presidency, the handwriting on the wall always becomes clearer: Change is not just coming, but happening now, not incrementally but seismically. The status quo is literally exploding and the future is less known.

For dealing with presidential administration changes, agility has rarely been so crucial. Business and agency leaders need to prepare themselves, their personnel, and their organizations to adjust and adapt in these shifting, uncertain times — to cope not just with new rules of the game, but, possibly, an entirely new playing field.

At the same time, we must also keep our eye on the ball, especially where technology is concerned. Because even as a new president and cabinet portend regulatory and legal changes, technology — and its concomitant safety and security issues — will continue to evolve at its current, dizzying speed, constantly challenging us to keep pace. We fall behind at our own risk.

Opening Minds To Change

Change is difficult, though. Even on the personal level, opening our minds to new ideas or breaking bad habits can be a struggle. Getting another person to change can seem nearly impossible. How do we even think about effecting change in an entire organization?

For answers, I have turned to John P. Kotter and Dan S. Cohen’s excellent book, “The Heart of Change: Real-Life Stories of How People Change their Organizations” (Harvard Business Review, 2012).

As the authors point out, so often we try to change people’s minds by presenting them with facts and analysis — “ANALYSIS-THINK-CHANGE” — but this approach, while important, does not often ignite change. It may be because you really don’t need it to find the big truths, or underlying assumptions draw the analysis into a managerial fistfight, or it simply is not motivating.

Instead, we must appeal to people’s emotions, using what Kotter and Cohen call the “SEE-FEEL-CHANGE” model: cleverly presenting real-life examples of the problem that people can see and even touch — that they can truly experience — to trigger feelings that lead to significant change.

Making Logic Work

At one corporation, for instance, managers resisted a senior purchasing executive’s efforts to standardize purchasing across all company locations. The executive’s method of changing their minds was ingenious. He had an intern gather samples of gloves used in each of the company’s factories, and attach to each glove the price at which it was purchased. When managers saw the hundreds of different kinds of gloves piled on a conference table — and the differing price tags for the same or similar glove types — they finally agreed that standardizing was a good idea!

Similarly, many of us know the skepticism that can greet efforts to introduce new technologies, including cybersecurity measures, into our organizations. Questions about ROI or whether these changes are even necessary may throw up barriers, hindering our efforts to stay competitive and keep our data secure.

New Times Call For New Paradigms

To quote Bob Dylan’s classic song, “The times, they are a-changing.” New times call for new paradigms, but to make the necessary adjustments we need buy-in from the others in our organizations. Given the very human propensity to resist change, accomplishing this will not be easy. To do so we may need to change ourselves first, moving away from our tendency to persuade only using reason, and appealing to emotion, instead.

To better understand the “SEE-FEEL-CHANGE” method, maybe we ought to consider how our new president campaigned: by connecting with voters on a visceral level. As government agencies and programs as well as businesses come under scrutiny or are asked to take a different direction, this approach can be a powerful tool for achieving more palatable outcomes and results.

Dr. Dave McClure served as the Associate Administrator of the Office of Citizen Services and Innovative Technologies at the General Services Administration from 2009-2015. Dr. McClure’s career spans more than 25 years of working to improve government and its technological processes. He came to GSA as associate administrator of OCSIT in 2009, and has played a role in helping to shape several governmentwide projects such as GSA’s Federal Risk Authorization and Management Program, known as FedRAMP, as well as USA.gov. As a political appointee in the Obama Administration, he led the Office of Citizen Services and Innovative Technologies. This put Dr. McClure at the center of many governmentwide technology driven change management initiatives such as the Open Government Initiative, the Cloud First policy, Data.gov, the Digital Government Strategy, MyUSA, Challenges and prizes initiatives supported by Challenges.gov, FedRAMP, and the initial start-up of GSA’s 18F shop.

Accomplishing Remarkable Results with A Heart Of Change

By David McClure, Ph.D., Executive Chair, Industry Advisory Council

We must appeal to people’s emotions, using what Kotter and Cohen call the “SEE-FEEL-CHANGE” model.


Leading Change During Times Of Transition

By David M. Wennergren, Executive Vice President & Chief Operating Officer, Professional Services Council

Never are the talents of leadership and change management more important than during a period of transition.

Change is always hard. When change occurs, the skills that got us to where we are today may not help us adapt and thrive going forward. It’s no wonder we often find it hard to step out of our comfort zone and into a bold new undertaking. And, if it’s hard to move in a new direction in times of relative stability, then the added uncertainty that comes with a transition to a new President only makes it more important to think through how successful change strategies need to adapt to fit a transition year.

Leadership Commitment and Organizational Alignment

In their book, “The Power of Alignment,” George Labovitz and Victor Rosansky highlight the imperative for people to be aligned around the organization’s goals, values and outcomes. Without a clearly articulated strategy, efforts will not be aligned. As the saying goes, if you don’t know where you’re headed, any road will do. Alignment and successful change management require the senior leader’s time, attention and commitment. However, during the transition from one president to another, virtually the entire political leadership team of the government swaps out. And while the initial group of top cabinet secretaries will take office quickly, the time required to fill the 4,000 or so senior political appointments in the federal government will take months. During this leadership vacuum, senior government career executives must pick up the torch and lead the way. It’s a fine art; pushing the organization forward while recognizing that eventually, a new team will arrive, full of energy, expectations and a new agenda. Flexibility becomes a crucial survival skill.

Focusing on Outcomes and Measuring Progress

As Simon Sinek points out in his book, “Start with Why,” we often focus the majority of our time on the specifics of what we’re doing and not enough time on why the initiative matters. Understanding this point is crucial in a transition year. It would be naïve to think that a new team will arrive and want to maintain the status quo. During a presidential transition, at best, current employees will be viewed with some suspicion as having been too wed to the previous administration’s agenda. During any transition, work efforts are often divided into three categories: work that should be continued, work that should be stopped and new work that should be started. Stopping some current work and starting new initiatives will be the first priorities of the incoming Trump team. The key to encouraging the continuation of important on-going initiatives is to be focused on outcomes. The name and current structure of a program are far less important than why the outcome matters. For better or worse, project names often become vestiges of the prior team’s agenda. Clearly articulated outcomes, with quantifiable measures of success will be what wins the day. Outcomes that matter can transcend political ideology.

Maintaining Urgency; Encouraging Success

Recognizing that the new team will arrive with a new set of priorities, it can be tempting to fall into the trap of maintaining a low profile until new guidance is received. However, the worst thing to do in a transition year is to sit still. Projects that have been in place for a long time without measurable deliverables are the easiest targets to free up resources for new priorities. As John Kotter noted in “A Sense of Urgency,” maintaining a relentless focus on getting the job done is the single most important thing leaders can do to ensure successful program outcomes. To help keep efforts moving forward, even when there’s uncertainty about the future, leaders must communicate relentlessly and celebrate successes. Even the most well-articulated change strategies involve “perturbations of change,” initial declines in productivity as the organization moves from the old way to the new. Highlighting successes along the journey maintains commitment and momentum.

Finally, it’s important to get ahead of the new team’s agenda. Infrastructure improvements, jobs growth and better access to commercial innovation are clearly issues that will matter. And regardless of who arrives to lead the agency, there are clear mandates for the federal government to harness technology and new business models to modernize government service delivery and bring in more commercial innovation, while improving government operations to better compete globally. Times of change are times of opportunities and current government employees have a crucial role in creating the future.

Dave Wennergren is Executive Vice President & Chief Operating Officer at the Professional Services Council. He has extensive leadership experience in information technology and change management and has served in a number of senior positions, most recently in the private sector as a Vice President at CACI International Inc., and prior to that, across the Department of Defense (DoD) and federal government, including DoD Assistant Deputy Chief Management Officer, Deputy Assistant Secretary of Defense for Information Management, Integration and Technology/Deputy Chief Information Officer, Department of the Navy Chief Information Officer and Vice Chair of the U.S. Government’s Federal CIO Council.

Outcomes that matter can transcend political ideology.


WHAT IS ‘GOOD ENOUGH’ SECURITY REALLY COSTING YOU?

FireEye. Know the truth.

Truth is, good enough security is just not good enough. You simply can’t focus on just prevention or detection and call it a day. When—not if—a breach happens, who do you want on your side? The experts who are on the front lines of comprehensive detection, analysis and response or the other guys?

www.FireEye.com