The coronavirus is forcing agencies to involve chief information security officers (CISOs) more in technology adoption, said the director of the General Services Administration’s Infrastructure Optimization Center of Excellence (IO CoE) on Tuesday.
Agencies that IO CoE works with had 5% of their workforces teleworking prior to the pandemic’s start, said director Adam Grandt-Nesher. That required a couple hundred virtual private network (VPN) licenses, so employees could securely connect to the internet from home.
But as the agencies moved to maximum telework after the pandemic hit, they required tens of thousands of VPN licenses faster than traditional acquisition allowed.
“I would argue that this is also a reskilling effort: introducing agencies to how acquisition can be done in a way that allows them to accelerate their response and meet challenges without exposing the agency to risks of corruption,” Grandt-Nesher said during an ATARC webinar.
The Infrastructure Optimization CoE is helping agencies develop skills within their CISO shops to streamline authorities to operate (ATOs) for software-as-a-service (SaaS) applications, like online meeting check-in tools, that weren’t needed prior to mass telework, he said.
Traditional ATO processes, which ensure software is secure, can take months that agencies don’t have during the pandemic.
Several of the agencies the IO CoE works with don’t issue government-furnished equipment (GFE) like laptops to employees, but that’s exactly what they need to train remotely. The CoE is helping agencies develop those workflows, and CISOs can ensure they’re secure.
But CISOs also aren’t used to being part of the initial infrastructure optimization process.
“As you bring in these new technologies, suddenly your CISO shop is also responsible for training people, or at least making rules for people, on how to use these new technologies safely,” Grandt-Nesher said. “Most of these CISO shops don’t understand that reskilling is in their wheelhouse.”
So the Infrastructure Optimization CoE is guiding CISOs and helping agencies responsibly release new applications for teams to train on in the process.
Many teams aren’t used to reskilling or taking on additional responsibilities, and many agencies don’t manage SaaS solutions separately from in-house solutions, Grandt-Nesher said.
“A haphazard release of insufficient or unsupported tools will impede your user-base adoption,” he said.
The General Services Administration established the IO CoE as part of its larger Centers of Excellence initiative in 2018 to help partner agencies evaluate their IT infrastructure and modernize it by consolidating data centers and improving security. The IO CoE began by helping the U.S. Department of Agriculture consolidate 37 data centers down to 3 in fiscal 2019 and subsequently rationalize apps, as well as assisting the Office of Personnel Management in modernizing its mainframe.