How government CISOs tackle digital transformation initiatives

In this interview for Help Net Security, Dan Tucker, Senior VP at Booz Allen, and leader of the firm’s cloud and data engineering solutions for citizen services, talks about government digital transformation efforts, security challenges, and offers tips for CISOs.

What are the most significant security challenges governments face when going through digital transformation?

With respect to security, one of the most prevalent challenges for federal government agencies is striking the right balance between the need to rapidly meet mission needs with the increasingly sophisticated threats from adversary nation-states and other malicious actors.

The ability for government to rapidly share data, derive insights, and convert that into decision-making continues to improve, but the expansion of data volume and transfer methods also increases our nation’s digital attack surface. Savvy mission and technology leaders understand that meeting this challenge is rarely solved solely via a technical solution.

For example, zero trust architecture (ZTA) approaches are proving beneficial and gaining momentum quickly these days, however there is no piece of software or technology one can purchase or deploy to make an agency “ZTA-compliant”.

A mature digital transformation effort is security-focused, requiring both an integration of contemporary application development, infrastructure configuration and data management patterns, as well as a culture of trusted collaboration across the community of mission owners and technology providers – that is the hard work.

Government CISOs deal with bureaucracy on a different level than what’s in the private sector. How does that impact their digital transformation efforts?

In general, CISOs have incredibly challenging charters, but I’m optimistic about how the public sector is addressing cybersecurity as a part of digital transformation efforts. It is true that, historically, government has been slower to adopt contemporary development methodologies and architectural patterns, but over the past several years we’ve seen an accelerated adoption of DevSecOps patterns, more government accredited services being provided by the Cloud Service Providers and other technology vendors, as well as the sharing of best practices across government.

The Cloud Security Technical Reference Architecture developed by the Cybersecurity and Infrastructure Security Agency is a good example of the latter. The process required to attain an Authority to Operate (ATO) or FedRAMP accreditation for emergent technology, services, and applications in the public sector may have seemed bureaucratic in its legacy form, but as of late I’m seeing more patterns such as “continuous-ATO” pipelines, the re-use of trusted and hardened images, and a streamlined FedRAMP process bring more velocity to this space. This allows CISOs and CIOs to bring technology enablers to the mission more effectively and efficiently, and in turn accelerate mission transformation in the public sector.

How can secure cloud solutions enable government organizations to become more agile?

Agility is a product of being able to share trusted information, and then quickly make prioritization decisions and act based on that data, in a manner which is collaborative and well-communicated. When data is secure, trusted, and easily accessible, it enables the agility of that organization or team. We saw some inspiring examples of that during the height of the pandemic when government worked collaboratively, and at a previously unprecedented velocity, to meet mission needs for our fellow citizens.

Information related to vaccine availability, transmission rates, and relief payment status was updated and made available to citizens at a pace, and with a user experience, that one would previously associate with only the most forward leaning commercial companies. That said, you can’t underscore enough the cultural components necessary to drive agility – the organization needs a shared purpose, complementary roles and responsibilities, adoption of common behaviors, and well ingrained practices and processes.

So, while secure data sharing, contemporary cloud infrastructures, and modern development patterns are important, they won’t enable meaningful agility without the aforementioned cultural shifts in an organization.

The government can’t afford to disrupt operations. What advice would you give to CISOs and CIOs that need to work together on planning large digital transformation initiatives?

Whether we’re talking about a commercially available service or a mission critical capability, tolerance for service disruption or even extended planned downtime while undergoing a digital transformation is low in 2022, and candidly, I believe those expectations to be fair. Combining nearly fifteen years of cloud migration experience across industry with twenty plus years of Agile development adoption, and advances in data management technologies, the days of the “under maintenance” page on a site or app should be behind us.

Similar to any complex organizational shift, the chance of success rises and falls less with technology, and more so with the foundational components of early stakeholder buy-in, well understood objectives, clear roles and responsibilities, timely and data-centric communications, and continuous feedback and learning.

From a technology perspective, there will always be the “all-hands on deck” or “war-room” phase leading up to a system cutover or significant go-live milestone, but if the previously mentioned operational components are in place leading up to that point, there’s rarely an issue which can’t be addressed with relative ease.