{"version":"https://jsonfeed.org/version/1","title":"Tech Transforms","home_page_url":"https://techtransforms.fireside.fm","feed_url":"https://techtransforms.fireside.fm/json","description":"Global technology is changing the way we live. Critical government decisions affect the intersection of technology advancement and human needs. This podcast talks to some of the most prominent influencers shaping the landscape to understand how they are leveraging technology to solve complex challenges while also meeting the needs of today's modern world.","_fireside":{"subtitle":"Tech Transforms, brought to you by Owl Cyber Defense, talks to some of the most prominent influencers shaping government technology.","pubdate":"2024-12-12T12:00:00.000-05:00","explicit":false,"owner":"Carolyn Ford","image":"https://media24.fireside.fm/file/fireside-images-2024/podcasts/images/8/81d9d6b0-0045-48da-8495-fd87c4613d7f/cover.jpg?v=2"},"items":[{"id":"a5103130-9c91-41fd-95b7-9f8e2051e77e","title":"Episode 87: The Future of Tactical Networks: Connecting Warfighters in Real Time","url":"https://techtransforms.fireside.fm/87","content_text":"How do we empower warfighters with real-time, secure communication in the most challenging operational environments? In this episode of Tech Transforms, Carolyn sits down with Dan O'Donohue, VP of Secure Communications at Owl Cyber Defense and retired U.S. Marine Corps Lieutenant General, to explore the cutting-edge of tactical network technologies. With firsthand experience leading Marine Forces Cyber and Joint Force Development, Dan discusses the evolution of secure data exchange, the integration of AI, and the significance of adaptability in disrupted environments.\n\nDiscover how secure communication networks drive operational success, how cross-domain solutions enhance coalition interoperability, and why a modernized, data-driven military is essential in today’s battlespace. 
Whether you're a tech enthusiast or a leader seeking insights on the future of tactical networks, this episode will transform the way you think about secure communications.\n\nTune in for expert perspectives and actionable takeaways from one of the foremost leaders in the field.","content_html":"

How do we empower warfighters with real-time, secure communication in the most challenging operational environments? In this episode of Tech Transforms, Carolyn sits down with Dan O'Donohue, VP of Secure Communications at Owl Cyber Defense and retired U.S. Marine Corps Lieutenant General, to explore the cutting-edge of tactical network technologies. With firsthand experience leading Marine Forces Cyber and Joint Force Development, Dan discusses the evolution of secure data exchange, the integration of AI, and the significance of adaptability in disrupted environments.


Discover how secure communication networks drive operational success, how cross-domain solutions enhance coalition interoperability, and why a modernized, data-driven military is essential in today’s battlespace. Whether you're a tech enthusiast or a leader seeking insights on the future of tactical networks, this episode will transform the way you think about secure communications.


Tune in for expert perspectives and actionable takeaways from one of the foremost leaders in the field.

","summary":"In this episode of Tech Transforms, Carolyn welcomes Dan O'Donohue, Vice President of Business Development for Secure Communications at Owl Cyber Defense and retired U.S. Marine Corps Lieutenant General. With a distinguished military career that included leadership roles in cyber operations and joint force development, Dan shares his expertise on the evolution of secure communication technologies in multi-domain operations. The discussion delves into the critical role of tactical networks in empowering warfighters, overcoming challenges in disrupted environments, and integrating advanced technologies like AI and edge computing to gain a decision-making edge. From cross-domain solutions to coalition interoperability, Dan offers actionable insights for leaders navigating the complex landscape of secure communications.","date_published":"2024-12-12T12:00:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/a5103130-9c91-41fd-95b7-9f8e2051e77e.mp3","mime_type":"audio/mpeg","size_in_bytes":133357566,"duration_in_seconds":3310}]},{"id":"5b5569f4-6ca0-4a48-880a-cf1bbe56a44e","title":"Episode 86: Navigating AI in Sensitive Environments: What You Need to Know","url":"https://techtransforms.fireside.fm/86","content_text":"In this episode of Tech Transforms, Tracy Bannon, a software architect and researcher at MITRE, dives into the exciting potential and challenges of using generative AI in the Software Development Lifecycle (SDLC). Tracy explores how AI can revolutionize workflows, enhance testing, and even act as a collaborative team member. From addressing human trust issues with AI to building decision-making tools, Tracy shares her journey in navigating the evolving role of generative AI. 
Tune in for actionable insights and learn how careful integration of AI can unlock innovation while maintaining security and trust.\n\nKey Topics Covered:\n\n\nIntegrating generative AI into the SDLC\nTrust and human factors in using AI tools\nPromising applications of AI in software development\nSecurity considerations and risks of AI-generated code\nShaping the future of AI in a responsible way\n\n\nSponsor:\nThis episode is brought to you by OWL Cyber Defense, leaders in secure data transfer solutions for critical networks.","content_html":"

In this episode of Tech Transforms, Tracy Bannon, a software architect and researcher at MITRE, dives into the exciting potential and challenges of using generative AI in the Software Development Lifecycle (SDLC). Tracy explores how AI can revolutionize workflows, enhance testing, and even act as a collaborative team member. From addressing human trust issues with AI to building decision-making tools, Tracy shares her journey in navigating the evolving role of generative AI. Tune in for actionable insights and learn how careful integration of AI can unlock innovation while maintaining security and trust.


Key Topics Covered:


Sponsor:
\nThis episode is brought to you by OWL Cyber Defense, leaders in secure data transfer solutions for critical networks.

","summary":"In this episode of Tech Transforms, Carolyn Ford speaks with Tracy Bannon, Software Architect and Researcher at MITRE, about the transformative role of generative AI in the Software Development Lifecycle (SDLC). Tracy shares insights on how AI can enhance workflows, automate testing, and even act as a collaborative team member, while addressing challenges like trust, security, and human factors. Tune in to explore the potential of AI to reshape software development and learn how to use these tools responsibly.\r\n\r\nSponsored by OWL Cyber Defense, leaders in secure data transfer solutions for critical networks.","date_published":"2024-11-22T13:00:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/5b5569f4-6ca0-4a48-880a-cf1bbe56a44e.mp3","mime_type":"audio/mpeg","size_in_bytes":104430868,"duration_in_seconds":2610}]},{"id":"d15c20ff-e5c1-4086-b5c2-8e6726d10150","title":"New: Building a Stronger Team: How Data is Transforming Workforce Development in the Public Sector","url":"https://techtransforms.fireside.fm/new","content_text":"In this episode of Tech Transforms, host Carolyn Ford welcomes back Kris Saling, the Director of Talent Analytics and Data Strategy for the U.S. Army, to discuss her new book, Data-Driven Talent Management. Kris shares how analytics is reshaping recruitment, retention, and employee engagement across both the public sector and private industry, providing leaders with powerful tools to build stronger, more motivated teams. From the value of non-monetary incentives to the evolving role of AI in hiring, Kris reveals practical ways data can transform talent management. Whether you're in marketing, cybersecurity, or beyond, this episode is packed with actionable insights on creating a people-first workplace. Join us for a deep dive into the future of workforce management!","content_html":"

In this episode of Tech Transforms, host Carolyn Ford welcomes back Kris Saling, the Director of Talent Analytics and Data Strategy for the U.S. Army, to discuss her new book, Data-Driven Talent Management. Kris shares how analytics is reshaping recruitment, retention, and employee engagement across both the public sector and private industry, providing leaders with powerful tools to build stronger, more motivated teams. From the value of non-monetary incentives to the evolving role of AI in hiring, Kris reveals practical ways data can transform talent management. Whether you're in marketing, cybersecurity, or beyond, this episode is packed with actionable insights on creating a people-first workplace. Join us for a deep dive into the future of workforce management!

","summary":"In this episode, host Carolyn Ford sits down with Kris Saling, Director of Talent Analytics and Data Strategy for the U.S. Army, to dive into her new book, Data-Driven Talent Management. Kris shares how data is changing the game when it comes to recruitment, retention, and employee engagement. We discuss practical ways leaders can use analytics to build stronger teams and keep top talent motivated. If you're looking for actionable insights on how data can transform the way we work, you won’t want to miss this conversation!\r\n","date_published":"2024-10-29T16:00:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/d15c20ff-e5c1-4086-b5c2-8e6726d10150.mp3","mime_type":"audio/mpeg","size_in_bytes":117194117,"duration_in_seconds":2908}]},{"id":"237afb8b-dc59-48af-b19f-77c15d74624e","title":"Episode 85: Exploring AI Trends and Cybersecurity Evolution in the Federal Tech Landscape with Jason Miller","url":"https://techtransforms.fireside.fm/85","content_text":"Jason Miller is the Executive Editor of Federal News Network and has covered the federal technology space over the course of five Presidential administrations. He brings his wealth of knowledge as he joins Tech Transforms to talk about AI, the top things government agencies are working towards this year and his predictions around FedRAMP changes. 
Jason also pulls on his decades of experience as he discusses events that changed the nation's approach to cybersecurity and the longstanding need to have data that is better, faster and easier to use.Key Topics00:00 AI's impact on texting and cloud's significance.04:17 Federal Enterprise Risk Management in government tech.07:20 AI trends shifting toward real-time application.11:22 2025 and 2027 deadlines for zero trust.13:31 CISOs and CIOs adapting to modern technology.16:45 Frustration with FedRAMP leads to reform efforts.21:39 Applying similar model to expand decision-making.23:37 GSA discussed OSCAL at private industry day.27:55 CISA's role has grown within DHS.30:33 Increased transparency in cybersecurity changed approach significantly.34:17 Reflecting on the 2006 significance of data.39:19 AFCEA events bring together good people.42:53 Fascination with government architecture and dedicated government workers.44:35 Promoting positivity and accountability in government industry.Cybersecurity Evolution: Examining Technology's Political Neutrality and AI Commitment Through Administrative ChangesConsistent Focus on Cybersecurity Evolution Across Political AdministrationsJason expressed a clear conviction that technology issues are largely immune to political fluctuation and are a continuity in government agendas. Reflecting on his experience across five administrations, he noted that the foundational technological discussions, such as cloud adoption, cybersecurity enhancement and overall IT improvement are fundamentally preserved through transitions in political leadership. He highlighted that the drive to enhance government IT is typically powered by the resilience and dedication of public servants, who generally carry on valuable reforms and initiatives regardless of the sitting administration's politics. 
These individuals are essential to sustaining progress and ensuring that technology remains a key priority for effective governance.Federal IT Policies Consistency: \"No one comes in and says, I'm against AI, or cloud is bad, move back on premise, or cybersecurity, defund cybersecurity. I think those are the issues that stay the same.\" — Jason MillerExecutive Orders and AI AdoptionAddressing the specifics of executive orders, particularly those influencing the implementation and development of artificial intelligence (AI), Jason examined their historical persistence and their potential to shape operational practices in the government sector. He and Mark discussed how the stability of AI-related orders through various administrations is indicative of a broader governmental consensus on the integral role AI holds in modernizing federal operations. Despite changes in leadership, the incoming officials frequently uphold the momentum established by their predecessors when it comes to leveraging AI. Indicating a shared, bipartisan recognition of its strategic importance to the government's future capabilities and efficiencies.Cybersecurity Evolution: Zero Trust Principles and Network Security Challenges in Federal AgenciesZero Trust and Cybersecurity BudgetingDuring the podcast, Carolyn and Jason delve into the current trends and expectations for federal cybersecurity advancements, with a particular focus on zero trust architecture. Their discussion acknowledged that agencies are on a tight schedule to meet the guidelines set forth by the Office of Management and Budget, which has highlighted 2025 as the target year for civilian agencies to embrace specific zero trust requirements. While the Department of Defense has until 2027. Moving past the traditional perimeter defense model, zero trust principles necessitate an ongoing and multifaceted approach to security, which includes sizable budget implications. Jason underscored the importance of the 2024 fiscal year. 
Noting it as the first time federal budgets are being crafted with clear delineations for zero trust capabilities. This shift in focus is exemplified by the rollout of endpoint detection and response (EDR) technologies. Vital components in this architecture that ensure rigorous monitoring and real-time responsiveness to cyber threats.Understanding the Cybersecurity EvolutionJason underscored the complexities of network security as federal entities confront the expanding cybersecurity landscape. Highlighted was the layered approach needed to fortify cybersecurity, starting with IAM. This segment illuminated the government's drive to update antiquated systems with modern identification and credentialing processes to better regulate access control. The discussion spilled into a critical analysis of data layer security, emphasizing the necessity for agencies to marshal their applications and data against unauthorized access. Furthermore, Jason hinted at the broader horizon of security measures, which now includes OT and IoT devices. The intertwining of these technologies with standard IT infrastructure adds layers of complexity for security protocols. The conversation shined a light on the massive task that lies ahead as agencies work to comprehend and safeguard the expanded network perimeters and develop strategies to encapsulate a variety of devices under a comprehensive cybersecurity shell.The Evolution of AI in Cybersecurity: \"We can take data that was 3 years ago or data over the last 3 years and look for trends that we can then use for our future. I think what they're looking for now is more real time, more immediate, especially if you think about, like, cybersecurity.\" — Jason MillerInnovations and Challenges in Tech ReportingTimeliness in Problem ReportingJason believes that being proactive is vital when it comes to identifying and addressing potential issues within federal agencies. 
He highlighted that by the time an oversight report, such as those from the Government Accountability Office or an Inspector General's office, is made public, the concerned agency has likely been aware of the issue and has already taken steps to address it. This underlines the criticality of immediate agency reactions to problems. In the context of these reports, Jason suggested reading the agency's responses first. They provide the most current view of what's happening and the actions taken, often making them more newsworthy than the findings of the report itself.ACT-IAC and AFCEA Gatherings Key to Cybersecurity Evolution DialogueWithout specifically endorsing any one event, Jason acknowledged the importance of various industry gatherings where government and industry leaders convene to discuss pressing topics. He emphasized the ACT-IAC and the AFCEA events as beneficial arenas that enable him to engage deeply in conversations that can lead to actionable insights and meaningful connections. He also mentioned that these events provide an opportunity to interact with federal agency leaders outside the formal constraints of an office setting. This can lead to more open and candid exchanges of ideas and experiences within the government tech community. The ACT-IAC conferences and AFCEA's branch-specific IT days, according to Jason, yield particularly high-value discussions that contribute to both immediate news items and broader thematic reporting.Probing the Cybersecurity EvolutionJason's Insight on Federal Tech TrendsJason brings a wealth of knowledge specific to federal government technology trends. He highlights AI as a prevalent topic within current discussions. His emphasis on AI signifies the shift from its former buzzword status to a fundamental tool in federal IT arsenals, especially regarding applications in cybersecurity and immediate data analysis. 
Jason notes that this mirrors the pattern of past tech trends in the industry, where initial hype evolves into concrete implementations. The conversation underscores the fact that while AI is gaining traction in strategic planning and operations, it is critical to discern genuine AI adoption from mere marketing.AI Shift Reflects Cybersecurity Evolution and Predictive Technology Integration in Government OperationsAs the conversation progresses, Jason, Carolyn and Mark explore how the vigorous enthusiasm around AI aligns with patterns observed during the advent of previous technologies. The cycle of tech trends typically begins with a surge of excitement and culminates with the practical integration of technology within government operations. Jason points out that although AI is the topic du jour, the government's drive towards embracing real-time and predictive capabilities of AI is indicative of its elevated role compared to earlier technology hypes. This shift spotlights AI's increasing value in enhancing operational efficiency and decision-making processes across various federal agencies.Appreciating Government Employees: “There's so many great people who work for the government who want to do the right thing or trying to do the right thing, that work hard every day, that don't just show up at 9 and leave at 5 and take a 2 hour lunch.\" — Jason MillerThe FedRAMP Overhaul DebateRethinking FedRAMPFedRAMP's reform was a critical topic addressed by Jason, who noted industry-wide eagerness for revising the program's long-standing framework. Not only has the cost of compliance become a pressing issue for businesses aiming to secure their cloud solutions, but the time-consuming journey through the certification labyrinth has compounded their challenges. Advancements in technology and a shift towards better automation capabilities have supported the argument for modernizing FedRAMP. 
The white paper presented by the General Services Administration responded to such pressures with the goal of making the process more efficient. Jason also mentioned a legislative angle with Representative Connolly's involvement, marking the congressional ear tuned to the private sector's concerns about the program's current state.Predicting the Future of FedRAMPMoving forward, while discussing federal efforts to enhance cloud security protocols, Jason described the nuances in predicting FedRAMP's evolution. He cited the Department of Defense's actions as a positive development, in which they suggested frameworks for accepting FedRAMP certifications reciprocally, depending on security levels. This reciprocity aims to foster mutual trust and reduce redundancy in security validations. However, Jason exercised caution in providing a timeline by which tangible reforms might materialize for businesses pursuing FedRAMP accreditations. Despite the uncertainties, he recognized automation, specifically via OSCAL, as a potential accelerant for the much-needed reform, bringing about quicker, more cost-effective compliance processes.Tracking the Cybersecurity Evolution: From 2006 Data Breach to Contemporary Data Protection StrategiesAnalyzing the Cybersecurity Evolution Post-2006 Veterans Affairs Data MishandlingJason provided context on the evolution of cybersecurity. Drawing from an incident in 2006 when the Veterans Affairs department mishandled tapes containing sensitive data of millions of veterans. This episode, he explained, was an eye-opener, underscoring the importance of data security within the federal government. The aftermath was a pivot towards greater openness about cybersecurity issues. Moving away from a more secretive posture to one where sharing of information became essential for strengthening overall security. 
What we observe now is a more concerted effort within government circles to collaborate, engage with industry partners, and cultivate a proactive stance on cybersecurity threats, with agencies actively communicating about and learning from security incidents.Emphasizing Data ProtectionThe conversation highlighted the criticality of data protection as it has become the nucleus of many governmental operations and decision-making processes. Since the intrusion into the Office of Personnel Management's records, there has been a palpable shift, gearing towards more robust data safeguards. Jason pointed out how being well-informed about such dynamics is crucial. Entailing an immersion in various activities such as attending industry events, networking with key players, and thorough analysis of inspector general and Governmental Accountability Office reports. Such proactive engagement helps in staying abreast of the current and emerging landscape of federal technology, especially the methodologies and strategies deployed to protect the troves of sensitive data managed by government entities.About Our GuestJason Miller has served as executive editor of Federal News Network since 2008. In this role, he directs the news coverage on all federal issues. He has also produced several news series – among them on whistleblower retaliation at the Small Business Association, the impact of the Technology Modernization Fund and the ever-changing role of agency CIOs.Episode LinksFedRAMP Memo ACT-IAC EventAFCEA Events ","content_html":"

Jason Miller is the Executive Editor of Federal News Network and has covered the federal technology space over the course of five Presidential administrations. He brings his wealth of knowledge as he joins Tech Transforms to talk about AI, the top things government agencies are working towards this year and his predictions around FedRAMP changes. Jason also pulls on his decades of experience as he discusses events that changed the nation's approach to cybersecurity and the longstanding need to have data that is better, faster and easier to use.

Key Topics


Cybersecurity Evolution: Examining Technology's Political Neutrality and AI Commitment Through Administrative Changes

Consistent Focus on Cybersecurity Evolution Across Political Administrations

Jason expressed a clear conviction that technology issues are largely immune to political fluctuation and remain a constant on government agendas. Reflecting on his experience across five administrations, he noted that the foundational technological discussions, such as cloud adoption, cybersecurity enhancement and overall IT improvement, are fundamentally preserved through transitions in political leadership. He highlighted that the drive to enhance government IT is typically powered by the resilience and dedication of public servants, who generally carry on valuable reforms and initiatives regardless of the sitting administration's politics. These individuals are essential to sustaining progress and ensuring that technology remains a key priority for effective governance.

Federal IT Policies Consistency: "No one comes in and says, I'm against AI, or cloud is bad, move back on premise, or cybersecurity, defund cybersecurity. I think those are the issues that stay the same." — Jason Miller

Executive Orders and AI Adoption

Addressing the specifics of executive orders, particularly those influencing the implementation and development of artificial intelligence (AI), Jason examined their historical persistence and their potential to shape operational practices in the government sector. He and Mark discussed how the stability of AI-related orders through various administrations is indicative of a broader governmental consensus on the integral role AI holds in modernizing federal operations. Despite changes in leadership, the incoming officials frequently uphold the momentum established by their predecessors when it comes to leveraging AI, indicating a shared, bipartisan recognition of its strategic importance to the government's future capabilities and efficiencies.

Cybersecurity Evolution: Zero Trust Principles and Network Security Challenges in Federal Agencies

Zero Trust and Cybersecurity Budgeting

During the podcast, Carolyn and Jason delve into the current trends and expectations for federal cybersecurity advancements, with a particular focus on zero trust architecture. Their discussion acknowledged that agencies are on a tight schedule to meet the guidelines set forth by the Office of Management and Budget, which has highlighted 2025 as the target year for civilian agencies to embrace specific zero trust requirements, while the Department of Defense has until 2027.

Moving past the traditional perimeter defense model, zero trust principles necessitate an ongoing and multifaceted approach to security, which includes sizable budget implications. Jason underscored the importance of the 2024 fiscal year, noting it as the first time federal budgets are being crafted with clear delineations for zero trust capabilities. This shift in focus is exemplified by the rollout of endpoint detection and response (EDR) technologies, vital components in this architecture that ensure rigorous monitoring and real-time responsiveness to cyber threats.

Understanding the Cybersecurity Evolution

Jason underscored the complexities of network security as federal entities confront the expanding cybersecurity landscape. Highlighted was the layered approach needed to fortify cybersecurity, starting with IAM. This segment illuminated the government's drive to update antiquated systems with modern identification and credentialing processes to better regulate access control. The discussion spilled into a critical analysis of data layer security, emphasizing the necessity for agencies to marshal their applications and data against unauthorized access. Furthermore, Jason hinted at the broader horizon of security measures, which now includes OT and IoT devices. The intertwining of these technologies with standard IT infrastructure adds layers of complexity for security protocols. The conversation shined a light on the massive task that lies ahead as agencies work to comprehend and safeguard the expanded network perimeters and develop strategies to encapsulate a variety of devices under a comprehensive cybersecurity shell.

The Evolution of AI in Cybersecurity: "We can take data that was 3 years ago or data over the last 3 years and look for trends that we can then use for our future. I think what they're looking for now is more real time, more immediate, especially if you think about, like, cybersecurity." — Jason Miller

Innovations and Challenges in Tech Reporting

Timeliness in Problem Reporting

Jason believes that being proactive is vital when it comes to identifying and addressing potential issues within federal agencies. He highlighted that by the time an oversight report, such as those from the Government Accountability Office or an Inspector General's office, is made public, the concerned agency has likely been aware of the issue and has already taken steps to address it. This underlines the criticality of immediate agency reactions to problems. In the context of these reports, Jason suggested reading the agency's responses first. They provide the most current view of what's happening and the actions taken, often making them more newsworthy than the findings of the report itself.

ACT-IAC and AFCEA Gatherings Key to Cybersecurity Evolution Dialogue

Without specifically endorsing any one event, Jason acknowledged the importance of various industry gatherings where government and industry leaders convene to discuss pressing topics. He emphasized the ACT-IAC and the AFCEA events as beneficial arenas that enable him to engage deeply in conversations that can lead to actionable insights and meaningful connections. He also mentioned that these events provide an opportunity to interact with federal agency leaders outside the formal constraints of an office setting. This can lead to more open and candid exchanges of ideas and experiences within the government tech community. The ACT-IAC conferences and AFCEA's branch-specific IT days, according to Jason, yield particularly high-value discussions that contribute to both immediate news items and broader thematic reporting.

Probing the Cybersecurity Evolution

Jason's Insight on Federal Tech Trends

Jason brings a wealth of knowledge specific to federal government technology trends. He highlights AI as a prevalent topic within current discussions. His emphasis on AI signifies the shift from its former buzzword status to a fundamental tool in federal IT arsenals, especially regarding applications in cybersecurity and immediate data analysis. Jason notes that this mirrors the pattern of past tech trends in the industry, where initial hype evolves into concrete implementations. The conversation underscores the fact that while AI is gaining traction in strategic planning and operations, it is critical to discern genuine AI adoption from mere marketing.

AI Shift Reflects Cybersecurity Evolution and Predictive Technology Integration in Government Operations

As the conversation progresses, Jason, Carolyn and Mark explore how the vigorous enthusiasm around AI aligns with patterns observed during the advent of previous technologies. The cycle of tech trends typically begins with a surge of excitement and culminates with the practical integration of technology within government operations. Jason points out that although AI is the topic du jour, the government's drive towards embracing real-time and predictive capabilities of AI is indicative of its elevated role compared to earlier technology hypes. This shift spotlights AI's increasing value in enhancing operational efficiency and decision-making processes across various federal agencies.

Appreciating Government Employees: "There's so many great people who work for the government who want to do the right thing or trying to do the right thing, that work hard every day, that don't just show up at 9 and leave at 5 and take a 2 hour lunch." — Jason Miller

The FedRAMP Overhaul Debate

Rethinking FedRAMP

FedRAMP's reform was a critical topic addressed by Jason, who noted industry-wide eagerness for revising the program's long-standing framework. Not only has the cost of compliance become a pressing issue for businesses aiming to secure their cloud solutions, but the time-consuming journey through the certification labyrinth has compounded their challenges. Advancements in technology and a shift towards better automation capabilities have supported the argument for modernizing FedRAMP. The white paper presented by the General Services Administration responded to such pressures with the goal of making the process more efficient. Jason also mentioned a legislative angle with Representative Connolly's involvement, a sign that Congress is attuned to the private sector's concerns about the program's current state.

Predicting the Future of FedRAMP

Moving forward, while discussing federal efforts to enhance cloud security protocols, Jason described the nuances in predicting FedRAMP's evolution. He cited the Department of Defense's actions as a positive development, in which they suggested frameworks for accepting FedRAMP certifications reciprocally, depending on security levels. This reciprocity aims to foster mutual trust and reduce redundancy in security validations. However, Jason exercised caution in providing a timeline by which tangible reforms might materialize for businesses pursuing FedRAMP accreditations. Despite the uncertainties, he recognized automation, specifically via OSCAL, as a potential accelerant for the much-needed reform, bringing about quicker, more cost-effective compliance processes.

Tracking the Cybersecurity Evolution: From 2006 Data Breach to Contemporary Data Protection Strategies

Analyzing the Cybersecurity Evolution Post-2006 Veterans Affairs Data Mishandling

Jason provided context on the evolution of cybersecurity, drawing from an incident in 2006 when the Veterans Affairs department mishandled tapes containing sensitive data of millions of veterans. This episode, he explained, was an eye-opener, underscoring the importance of data security within the federal government. The aftermath was a pivot towards greater openness about cybersecurity issues, moving away from a more secretive posture to one where sharing of information became essential for strengthening overall security. What we observe now is a more concerted effort within government circles to collaborate, engage with industry partners, and cultivate a proactive stance on cybersecurity threats, with agencies actively communicating about and learning from security incidents.

Emphasizing Data Protection

The conversation highlighted the criticality of data protection, which has become the nucleus of many governmental operations and decision-making processes. Since the intrusion into the Office of Personnel Management's records, there has been a palpable shift towards more robust data safeguards. Jason pointed out that being well-informed about such dynamics is crucial, and that it entails an immersion in various activities such as attending industry events, networking with key players, and thorough analysis of inspector general and Governmental Accountability Office reports. Such proactive engagement helps in staying abreast of the current and emerging landscape of federal technology, especially the methodologies and strategies deployed to protect the troves of sensitive data managed by government entities.

About Our Guest

Jason Miller has served as executive editor of Federal News Network since 2008. In this role, he directs the news coverage on all federal issues. He has also produced several news series – among them on whistleblower retaliation at the Small Business Association, the impact of the Technology Modernization Fund and the ever-changing role of agency CIOs.

Episode Links


","summary":null,"date_published":"2024-04-10T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/4340f486-1f51-4113-abf5-3f5c406892fe.mp3","mime_type":"audio/mpeg","size_in_bytes":110496913,"duration_in_seconds":2762}]},{"id":"988d1292-b278-426c-934d-48017542bae2","title":"Episode 84: So What?: Understanding Disinformation and Election Integrity with Hillary Coover","url":"https://techtransforms.fireside.fm/84","content_text":"Can you spot a deepfake? Will AI impact the election? What can we do individually to improve election security? Hillary Coover, one of the hosts of the It’s 5:05! Podcast, and Tracy Bannon join for another So What? episode of Tech Transforms to talk about all things election security. Listen in as the trio discusses cybersecurity stress tests, social engineering, combatting disinformation and much more.\n\nKey Topics\n\n04:21 Preconceived notions make it harder to fake.\n06:25 AI exacerbates spread of misinformation in elections.\n11:01 Be cautious and verify information from sources.\n14:35 Receiving suspicious text messages on multiple phones.\n18:14 Simulation exercises help plan for potential scenarios.\n19:39 Various types of tests and simulations explained.\n23:21 Deliberate disinformation aims to falsify; consider motivation.\n27:44 India election, deepfakes, many parties, discerning reality.\n32:04 Seeking out info, voting in person important.\n34:18 Honest cybersecurity news from trusted source.\n38:33 Addressing bias in AI models, historic nuance overlooked.\n39:24 Consider understanding biased election information from generative AI.\n\nNavigating the Disinformation Quagmire\n\nDissecting Misinformation and Disinformation\n\nHillary Coover brings attention to the pivotal distinction between misinformation and disinformation. Misinformation is the spread of false information without ill intent, often stemming from misunderstandings or mistakes. 
On the other hand, disinformation is a more insidious tactic involving the intentional fabrication and propagation of false information, aimed at deceiving the public. Hillary emphasizes that recognizing these differences is vital in order to effectively identify and combat these issues. She also warns about the role of external national entities that try to amplify societal divisions by manipulating online conversations to serve their own geopolitical aims.\n\nUnderstanding Disinformation and Misinformation: \"Disinformation is a deliberate attempt to falsify information, whereas misinformation is a little different.\" — Hillary Coover\n\nThe Challenges of Policing Social Media Content\n\nThe episode dives into the complexities of managing content on social media platforms, where Tracy Bannon and Hillary discuss the delicate balance required to combat harmful content without infringing on freedom of speech or accidentally suppressing valuable discourse. As part of this discussion, they mention their intention to revisit and discuss the book \"Ministry of the Future,\" which explores related themes, suggesting that this novel offers insights that could prove valuable in understanding the intricate challenges of regulating social media. There is a shared concern about the potential for an overly robust censorship approach to hinder the dissemination of truth as much as it limits the spread of falsehoods.\n\nThe Erosion of Face-to-Face Political Dialogue\n\nThe conversation transitions to the broader societal implications of digital dependency, specifically addressing how the diminishment of community engagement has led individuals to increasingly source news and discourse from digital platforms. This shift towards isolationist tendencies, amplified by the creation of digital echo chambers, results in a decline of in-person political discussions. 
As a result, there is growing apprehension about the future of political discourse and community bonds, with Hillary and Tracy reflecting on the contemporary rarity of open, face-to-face political conversations that generations past traditionally engaged in.\n\nThe Shadow of Foreign Influence and Election Integrity\n\nChallenges in India’s Multiparty Electoral System\n\nIn the course of the discussion, the complexity of India's electoral system, with its multitude of political parties, is presented as an example that underlines the difficulty in verifying information. The expansive and diversified political landscape poses a formidable challenge in maintaining the sanctity of the electoral process. The capability of AI to produce deepfakes further amplifies the risks associated with distinguishing genuine content from fabricated misinformation. The podcast conversation indicates that voters, particularly in less urbanized areas with lower digital literacy levels, are especially vulnerable to deceptive content. This magnifies the potential for foreign entities to successfully disseminate propaganda and influence election outcomes.\n\nElection Integrity and AI: \"Misinformation and disinformation, they're not new. The spread of that is certainly not new in the context of elections. But the AI technology is exacerbating the problem, and we as a society are not keeping up with our adversaries and social media manipulation. Phishing and social engineering attacks enhanced by AI technologies are really, really stressing the system and stressing the election integrity.\" — Hillary Coover\n\nCountering Foreign Disinformation Campaigns in the Digital Age\n\nWith a focus on the discreet yet potent role of foreign intervention in shaping narratives, Hillary spotlights an insidious aspect of contemporary political warfare: the exploitation of media and digital platforms to sway public perception. 
This influence is not just limited to overt propaganda but extends to subtler forms of manipulation that seed doubt and discord among the electorate. As the podcast discussion suggests, the consequences of such foreign-backed campaigns could be significant, leading to polarization and undermining the foundational principles of democratic debate and decision-making. The potential for these campaigns to carry a vengeful weight in political discourse warrants vigilance and proactive measures to defend against such incursions into informational autonomy.\n\nAddressing the Impact of Disinformation Through AI's Historical Representation Bias\n\nTackling Disinformation: AI Bias and the Misrepresentation of Historical Figures\n\nThe discussion on AI bias steers toward concrete instances where AI struggles, as Tracy brings forth examples that illustrate the inaccuracies that can arise when AI models generate historical figures. Tracy references a recent episode where Google's Gemini model was taken offline after it incorrectly generated images of German soldiers from World War 2 that did not match historical records. Similar errors occurred when the AI produced images of America's Founding Fathers that featured individuals of different racial backgrounds that did not reflect the true historical figures. These errors are attributed not to malicious intent by data scientists but to the data corpus used in training these models. This segment underscores the significant issues that can result from AI systems when they misinterpret or fail to account for historical contexts.\n\nThe Necessity of Addressing AI Bias\n\nContinuing the conversation, Hillary emphasizes the importance of recognizing and addressing the biases in AI. She advocates for the vital need to understand historical nuances to circumvent such AI missteps. Both Hillary and Tracy discuss how biased news and misinformation can influence public opinion and election outcomes. 
This brings to light the critical role historical accuracy plays in the dissemination of information. They point out that to prevent biased AI-generated data from misleading the public, a combination of historical education and conscious efforts to identify and address these biases is necessary. The recognition of potential AI bias leads to a deeper discussion about ensuring information accuracy, particularly with regard to historical facts that could sway voter perception during elections. Tracy and Hillary suggest that addressing these challenges is not just a technological issue but also an educational one, where society must be taught to critically evaluate AI-generated content.\n\nThe Challenge of Community Scale Versus Online Influence\n\nCombating Disinformation: The Struggle to Scale Community Engagement Versus Digital Platforms' Reach\n\nThe dialogue acknowledges the difficulty of scaling community engagement in the shadow of digital platforms' expansive reach. Hillary and Tracy delve into the traditional benefits of personal interactions within local communities, which often contribute to more nuanced and direct exchange of ideas. They compare this to the convenience and immediacy of online platforms, which, while enabling widespread dissemination of information, often lack the personal connection and accountability that face-to-face interactions foster. The challenge underscored is how to preserve the essence of community in an age where online presence has become overpowering and sometimes distancing.\n\nNavigating the Truth in the Digital Age: \"Don't get your news from social media. And then another way, like, I just do a gut check for myself. [...] I need to go validate.\" — Hillary Coover\n\nImpact of Misinformation and Deepfakes on Political Discourse\n\nThe episode reiterates the disquieting ease with which political discourse can be manipulated through deepfakes and misinformation. 
Showcasing the capabilities of AI, Tracy recalls a deepfake scam involving fake professional meetings which led to financial fraud. These examples underscore the potential for significant damage when such technology is applied maliciously. Hillary emphasizes the critical need to approach online information with a keen eye, pondering the origins and credibility of what is presented. Both Tracy and Hillary stress the importance of developing a defensive posture towards unsolicited information, as the blurring lines between authentic and engineered content could have severe repercussions for individual decisions and broader societal issues.\n\nStress Testing and Mitigating Disinformation in Election Security Strategies\n\nThe Role of Stress Tests in Election Security\n\nHillary and Tracy discuss the importance of conducting stress tests to preemptively identify and mitigate vulnerabilities within election systems. These tests, which include red teaming exercises and white hat hacking, are designed to replicate real-world attacks and assess the systems' responses under duress. By simulating different attack vectors, election officials can understand how their infrastructure holds up against various cybersecurity threats. This information can be used to make necessary improvements to enhance security. The goal of these stress tests is to identify weaknesses before they can be exploited by malicious actors, thereby ensuring the integrity of the electoral process.\n\nMitigating the Impact of Disinformation\n\nThe conversation emphasizes the urgent need for preemptive measures against disinformation, which has grown more sophisticated with the advent of AI and deepfakes. As these technological advancements make discerning the truth increasingly difficult, it becomes even more crucial for election officials to prepare for the inevitable attempts at spreading falsehoods. 
Through stress tests that incorporate potential disinformation campaigns, officials can evaluate their preparedness and response strategies, including public communication plans to counteract misinformation. By considering the psychological and social aspects of election interference, they aim to bolster defenses and ensure voters receive accurate information.\n\nElection Security Concerns: \"Other instances are going to happen where criminals are gonna be impersonating legitimate sources to try to suppress voters in that case, or steal credentials, spread malware.\" — Hillary Coover\n\nImportance of Proactive Approaches to Election Safeguarding\n\nThe exchange between Tracy and Hillary reveals a clear consensus on the necessity of proactive strategies for protecting elections. Proactively identifying potential threats and securing electoral systems against known and hypothetical cyber attacks are central to defending democratic processes. By focusing on anticipation and mitigation, rather than simply responding to incidents after the fact, authorities can improve election security and reinforce public trust. This proactive stance is also crucial in dealing with the spread of disinformation, which may be specifically tailored to exploit localized vulnerabilities in the electoral infrastructure.\n\nReflecting on the Challenges of Election Security in the Digital Era\n\nThis episode serves as a thorough examination of the challenges posed by digital communication in modern democracies. Hillary and Tracy delve into the dangers of misinformation and the manipulation of public opinion, highlighting how biases in AI can affect the information that individuals receive. They underscore the importance of stress-testing election systems against digital threats and recognize the complexities inherent to securing contemporary elections. 
The episode ultimately helps listeners to better grasp the ever-evolving landscape of election security and the continued need for informed, strategic action to safeguard democratic processes.\n\nAbout Our Guest\n\nHillary Coover is one of the hosts of It’s 5:05! Podcast, covering news from Washington, D.C. Hillary is a national security technology expert and accomplished sales leader currently leading product strategy at G2 Ops, Inc.\n\nEpisode Links\n\nBilly Joel - Turn the Lights Back On\nDeepfakes and AI: How a 200 Million Scam Highlights the Importance of Cybersecurity Vigilance\nThe Ministry for the Future: A Novel\nIt’s 5:05! Podcast","content_html":"

Can you spot a deepfake? Will AI impact the election? What can we do individually to improve election security? Hillary Coover, one of the hosts of the It’s 5:05! Podcast, and Tracy Bannon join for another So What? episode of Tech Transforms to talk about all things election security. Listen in as the trio discusses cybersecurity stress tests, social engineering, combatting disinformation and much more.

Key Topics


Navigating the Disinformation Quagmire

Dissecting Misinformation and Disinformation

Hillary Coover brings attention to the pivotal distinction between misinformation and disinformation. Misinformation is the spread of false information without ill intent, often stemming from misunderstandings or mistakes. On the other hand, disinformation is a more insidious tactic involving the intentional fabrication and propagation of false information, aimed at deceiving the public. Hillary emphasizes that recognizing these differences is vital in order to effectively identify and combat these issues. She also warns about the role of external national entities that try to amplify societal divisions by manipulating online conversations to serve their own geopolitical aims.

Understanding Disinformation and Misinformation: "Disinformation is a deliberate attempt to falsify information, whereas misinformation is a little different." — Hillary Coover

The Challenges of Policing Social Media Content

The episode dives into the complexities of managing content on social media platforms, where Tracy Bannon and Hillary discuss the delicate balance required to combat harmful content without infringing on freedom of speech or accidentally suppressing valuable discourse. As part of this discussion, they mention their intention to revisit and discuss the book "Ministry of the Future," which explores related themes, suggesting that this novel offers insights that could prove valuable in understanding the intricate challenges of regulating social media. There is a shared concern about the potential for an overly robust censorship approach to hinder the dissemination of truth as much as it limits the spread of falsehoods.

The Erosion of Face-to-Face Political Dialogue

The conversation transitions to the broader societal implications of digital dependency, specifically addressing how the diminishment of community engagement has led individuals to increasingly source news and discourse from digital platforms. This shift towards isolationist tendencies, amplified by the creation of digital echo chambers, results in a decline of in-person political discussions. As a result, there is growing apprehension about the future of political discourse and community bonds, with Hillary and Tracy reflecting on the contemporary rarity of open, face-to-face political conversations that generations past traditionally engaged in.

The Shadow of Foreign Influence and Election Integrity

Challenges in India’s Multiparty Electoral System

In the course of the discussion, the complexity of India's electoral system, with its multitude of political parties, is presented as an example that underlines the difficulty in verifying information. The expansive and diversified political landscape poses a formidable challenge in maintaining the sanctity of the electoral process. The capability of AI to produce deepfakes further amplifies the risks associated with distinguishing genuine content from fabricated misinformation. The podcast conversation indicates that voters, particularly in less urbanized areas with lower digital literacy levels, are especially vulnerable to deceptive content. This magnifies the potential for foreign entities to successfully disseminate propaganda and influence election outcomes.

Election Integrity and AI: "Misinformation and disinformation, they're not new. The spread of that is certainly not new in the context of elections. But the AI technology is exacerbating the problem, and we as a society are not keeping up with our adversaries and social media manipulation. Phishing and social engineering attacks enhanced by AI technologies are really, really stressing the system and stressing the election integrity." — Hillary Coover

Countering Foreign Disinformation Campaigns in the Digital Age

With a focus on the discreet yet potent role of foreign intervention in shaping narratives, Hillary spotlights an insidious aspect of contemporary political warfare: the exploitation of media and digital platforms to sway public perception. This influence is not just limited to overt propaganda but extends to subtler forms of manipulation that seed doubt and discord among the electorate. As the podcast discussion suggests, the consequences of such foreign-backed campaigns could be significant, leading to polarization and undermining the foundational principles of democratic debate and decision-making. The potential for these campaigns to carry a vengeful weight in political discourse warrants vigilance and proactive measures to defend against such incursions into informational autonomy.

Addressing the Impact of Disinformation Through AI's Historical Representation Bias

Tackling Disinformation: AI Bias and the Misrepresentation of Historical Figures

The discussion on AI bias steers toward concrete instances where AI struggles, as Tracy brings forth examples that illustrate the inaccuracies that can arise when AI models generate historical figures. Tracy references a recent episode where Google's Gemini model was taken offline after it incorrectly generated images of German soldiers from World War 2 that did not match historical records. Similar errors occurred when the AI produced images of America's Founding Fathers that featured individuals of different racial backgrounds that did not reflect the true historical figures. These errors are attributed not to malicious intent by data scientists but to the data corpus used in training these models. This segment underscores the significant issues that can result from AI systems when they misinterpret or fail to account for historical contexts.

The Necessity of Addressing AI Bias

Continuing the conversation, Hillary emphasizes the importance of recognizing and addressing the biases in AI. She advocates for the vital need to understand historical nuances to circumvent such AI missteps. Both Hillary and Tracy discuss how biased news and misinformation can influence public opinion and election outcomes. This brings to light the critical role historical accuracy plays in the dissemination of information. They point out that to prevent biased AI-generated data from misleading the public, a combination of historical education and conscious efforts to identify and address these biases is necessary. The recognition of potential AI bias leads to a deeper discussion about ensuring information accuracy, particularly with regard to historical facts that could sway voter perception during elections. Tracy and Hillary suggest that addressing these challenges is not just a technological issue but also an educational one, where society must be taught to critically evaluate AI-generated content.

The Challenge of Community Scale Versus Online Influence

Combating Disinformation: The Struggle to Scale Community Engagement Versus Digital Platforms' Reach

The dialogue acknowledges the difficulty of scaling community engagement in the shadow of digital platforms' expansive reach. Hillary and Tracy delve into the traditional benefits of personal interactions within local communities, which often contribute to more nuanced and direct exchange of ideas. They compare this to the convenience and immediacy of online platforms, which, while enabling widespread dissemination of information, often lack the personal connection and accountability that face-to-face interactions foster. The challenge underscored is how to preserve the essence of community in an age where online presence has become overpowering and sometimes distancing.

Navigating the Truth in the Digital Age: "Don't get your news from social media. And then another way, like, I just do a gut check for myself. [...] I need to go validate." — Hillary Coover

Impact of Misinformation and Deepfakes on Political Discourse

The episode reiterates the disquieting ease with which political discourse can be manipulated through deepfakes and misinformation. Showcasing the capabilities of AI, Tracy recalls a deepfake scam involving fake professional meetings which led to financial fraud. These examples underscore the potential for significant damage when such technology is applied maliciously. Hillary emphasizes the critical need to approach online information with a keen eye, pondering the origins and credibility of what is presented. Both Tracy and Hillary stress the importance of developing a defensive posture towards unsolicited information, as the blurring lines between authentic and engineered content could have severe repercussions for individual decisions and broader societal issues.

Stress Testing and Mitigating Disinformation in Election Security Strategies

The Role of Stress Tests in Election Security

Hillary and Tracy discuss the importance of conducting stress tests to preemptively identify and mitigate vulnerabilities within election systems. These tests, which include red teaming exercises and white hat hacking, are designed to replicate real-world attacks and assess the systems' responses under duress. By simulating different attack vectors, election officials can understand how their infrastructure holds up against various cybersecurity threats. This information can be used to make necessary improvements to enhance security. The goal of these stress tests is to identify weaknesses before they can be exploited by malicious actors, thereby ensuring the integrity of the electoral process.

Mitigating the Impact of Disinformation

The conversation emphasizes the urgent need for preemptive measures against disinformation, which has grown more sophisticated with the advent of AI and deepfakes. As these technological advancements make discerning the truth increasingly difficult, it becomes even more crucial for election officials to prepare for the inevitable attempts at spreading falsehoods. Through stress tests that incorporate potential disinformation campaigns, officials can evaluate their preparedness and response strategies, including public communication plans to counteract misinformation. By considering the psychological and social aspects of election interference, they aim to bolster defenses and ensure voters receive accurate information.

Election Security Concerns: "Other instances are going to happen where criminals are gonna be impersonating legitimate sources to try to suppress voters in that case, or steal credentials, spread malware." — Hillary Coover

Importance of Proactive Approaches to Election Safeguarding

The exchange between Tracy and Hillary reveals a clear consensus on the necessity of proactive strategies for protecting elections. Proactively identifying potential threats and securing electoral systems against known and hypothetical cyber attacks are central to defending democratic processes. By focusing on anticipation and mitigation, rather than simply responding to incidents after the fact, authorities can improve election security and reinforce public trust. This proactive stance is also crucial in dealing with the spread of disinformation, which may be specifically tailored to exploit localized vulnerabilities in the electoral infrastructure.

Reflecting on the Challenges of Election Security in the Digital Era

This episode serves as a thorough examination of the challenges posed by digital communication in modern democracies. Hillary and Tracy delve into the dangers of misinformation and the manipulation of public opinion, highlighting how biases in AI can affect the information that individuals receive. They underscore the importance of stress-testing election systems against digital threats and recognize the complexities inherent to securing contemporary elections. The episode ultimately helps listeners to better grasp the ever-evolving landscape of election security and the continued need for informed, strategic action to safeguard democratic processes.

About Our Guest

Hillary Coover is one of the hosts of It’s 5:05! Podcast, covering news from Washington, D.C. Hillary is a national security technology expert and accomplished sales leader currently leading product strategy at G2 Ops, Inc.

Episode Links


","summary":null,"date_published":"2024-03-27T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/9ab1c4ec-1c3a-4174-8d1b-05c5611d254f.mp3","mime_type":"audio/mpeg","size_in_bytes":97605192,"duration_in_seconds":2439}]},{"id":"a523f888-edf1-44cc-9be1-daa9eb693fb1","title":"Episode 83: Advancing USPTO's Mission: Insights from Deputy CIO Deborah Stephens","url":"https://techtransforms.fireside.fm/83","content_text":"Deborah Stephens, the Deputy Chief Information Officer for the United States Patent and Trademark Office (USPTO), “grew up” so to speak in the USPTO. Deborah led the USPTO on its agile journey. As the agency took on its “New Ways of Working,” by moving people and resources closer to the work, she helped empower employees to build and deploy software. Deborah shares how she guided the agency through this 4-year change journey, gaining buy-in from the organization, which was proved by an engagement rate increase from 75% to 85%. 
Deborah also talks about what it means to be a HISP, running USPTO as a business that is entirely self-sustaining, and, in honor of Women’s History Month, the women who have inspired her along the way.\n\nKey Topics\n\n05:54 Some embraced digital change, others struggled with it\n08:53 Most employees were ready for telework\n10:59 USPTO shifts to agile approach for IT\n16:41 Gathering feedback led to 10% engagement increase\n23:50 Customers submit 600,000+ patent and trademark applications yearly\n26:51 Agency conducts outreach through webinars and trademarks\n31:06 Customer experience and UX processes are fundamental\n33:45 USPTO offers different fee structures for entities\n35:30 USPTO runs efficiently with prioritization and budgeting\n39:43 Acknowledging strong women, personally and professionally\n43:21 Seek guidance and practice for success\n\nGrowth in Patent and Trademark Requests\n\nSurge in Applications at USPTO\n\nDeborah Stephens highlights a significant increase in the number of patent and trademark applications received by the USPTO over the years. This growth, from approximately 350,000 to 400,000 applications in 2012, with numbers continuing to rise, underscores the vibrant culture of innovation and creativity in the United States. The upward trend of applications is a positive sign of the country's ongoing commitment to innovation. However, it also presents logistical challenges for the USPTO, including the need to process a higher volume of applications efficiently while ensuring the quality of examination does not diminish.\n\nTransition to New Ways of Working in U.S. Patent and Trademark Office: \"And so in around late 2018, 19, we began our, what we referred to as our agile journey. We named it our New Ways of Working, which essentially is an entire USPTO effort. Including our business unit with 12 other business units, moving people and the resources closer to the work. 
Giving them that empowerment, to build, deliver, deploy software, product services for our business stakeholders, and that's both internally and externally.\" — Deborah Stephens\n\nUSPTO is Adapting to Increased Demand\n\nIn response to the growing demand for intellectual property protection, the USPTO has been proactive in seeking ways to maintain and improve service delivery. Deborah discusses the agency's approach to managing the influx of applications, focusing on scalability and efficiency. Despite the challenges posed by the increase in applications, the USPTO's designation as a High Impact Service Provider (HISP) has had minimal impact on its existing customer experience strategy. The agency's foundational commitment to delivering exceptional service to inventors and entrepreneurs remains steadfast, with an emphasis on continuous improvement and the adoption of new strategies to better meet the needs of the U.S. innovation community.\n\nUSPTO's Fee-Funded Model and Fiscal Strategy\n\nUSPTO’s Fee-Funded Operations\n\nDeborah highlights the United States Patent and Trademark Office's (USPTO) operational model, which is uniquely self-sufficient, relying entirely on fees collected from patent and trademark applications. This model ensures that the USPTO does not use taxpayer dollars, setting it apart from many other government agencies. By directly linking the agency's funding to the services it provides, the USPTO aligns its goals closely with the needs and successes of its primary users: inventors and businesses seeking intellectual property protection. This connection incentivizes the agency to continuously improve its processes and customer service. Additionally, Deborah mentions a tiered fee system that offers different rates for entities of various sizes, from individual inventors to large corporations. 
This structure is designed to lower barriers for smaller entities and encourage a wider range of innovation.\n\nUSPTO’s Budgetary Discipline and Management\n\nFacing economic pressures such as inflation, the USPTO's approach to budget management becomes even more pivotal. Deborah discusses the importance of prioritization and strategic decision-making in maintaining the agency's financial health. Despite rising costs, the USPTO strives to keep its budget stable and even reduce it when possible, demonstrating a high level of fiscal responsibility. This is achieved through careful analysis of projects and initiatives, focusing resources on areas that promise the highest impact. The USPTO's disciplined budgetary approach not only ensures its operations are sustainable but also serves as a potential model for other federal agencies. By showcasing how to effectively manage finances in a challenging economic environment, the USPTO underlines the value of strategic planning and prioritization in government fiscal strategy.\n\nTelework Readiness and Agile Transformation at USPTO\n\nUSPTO’s Transition to Telework Prior to COVID-19\n\nDeborah highlights the USPTO's preparedness for telework well before the COVID-19 pandemic. With a significant portion of the workforce already equipped and familiar with remote working protocols, the USPTO had laid a robust foundation for telework readiness. This foresight into establishing a telework culture not only ensured the continuity of operations during unprecedented times but also underscored the agency's commitment to leveraging modern work practices. The transition to a fully remote working environment, necessitated by the pandemic, was thus more seamless for the USPTO than for many other organizations, demonstrating a proactive approach to business continuity planning.\n\nIntroducing Change in Remote Work Environments: \"There were every 2 weeks of what we refer to as, lunch and learns. 
And in the beginning, I was the prime speaker, saying, here's our New Ways of Working. Here's the structure. Here's how we're gonna move our processes, our procedures, and people would join in. And it was all remote. I'd have a big TV like producer kind of studio, and I'd be in front of the blue screen and talking to them about this change at least every 2 weeks, if not, sometimes more.\" — Deborah Stephens\n\nAgile Transformation and Cultural Shift at USPTO\n\nThe shift from traditional waterfall methods to agile methodologies marked a significant transformation within the USPTO. Deborah emphasizes that this transition was not merely about changing project management techniques. It involved a deeper cultural shift within the organization. Achieving buy-in from both individuals and teams was crucial to fostering an environment that embraced agility, empowered employees and encouraged rapid deployment of products. Key to this cultural transformation were regular remote meetings and employee engagement surveys. These played a significant role in understanding and enhancing employee satisfaction. The notable increase in engagement levels from 75% to 85% during this period of change illustrates the effectiveness of the USPTO's approach in not only implementing agile methodologies but also in cultivating a culture that is receptive and adaptive to change.\n\nTech Landscape and Patent Filing Insights at USPTO\n\nUSPTO’s \"Fail Fast, Fail Forward\" Approach\n\nDeborah shares the USPTO's dynamic approach to technological innovation, encapsulated in the mantra \"fail fast, fail forward.\" This methodology allows the USPTO to quickly test new ideas and technologies, while learning from any setbacks, and refining their strategies efficiently. By fostering an environment where experimentation is encouraged and failure is seen as a stepping stone to success, the agency ensures that it remains at the forefront of technological advancements. 
This approach is crucial in a rapidly changing tech landscape, as it enables the USPTO to adapt and innovate continuously. Deborah highlights how this philosophy has led to a more agile and responsive IT infrastructure within the agency, one capable of meeting the demands of modern patent and trademark processing.\n\nThe Value of Mentorship: \"I think you need to establish your go-to network of mentors, and don't be afraid to become a mentor.\" — Deborah Stephens\n\nEmphasizing Customer Feedback in Patent and Trademark Submissions\n\nCarolyn brings attention to the importance of customer feedback in the process of patent and trademark submissions at the USPTO. Deborah explains how the agency values the insights gained from customer experiences and actively seeks out feedback to improve services. Through a variety of channels such as webinars, outreach programs and direct communication through customer service teams, the USPTO gathers valuable input from those who navigate the patent and trademark submission processes. This dedication to understanding and addressing the needs and challenges of its customers has led to significant enhancements in the USPTO's support structures. Deborah further discusses educational efforts aimed at demystifying the complexities of the patent filing process, thereby making it more accessible and navigable for inventors and businesses alike.\n\nDigital Transformation at USPTO\n\nUSPTO’s Move from Paper-Based to Digital Systems\n\nDeborah played a significant role in transitioning the agency from a paper-based application system to a fully digitized process. This monumental task involved not just the scanning of existing paper documents, but also integrating OCR technology to make historical patents searchable and accessible in digital form. Despite the sheer scale and potential logistical challenges of digitizing vast amounts of data, the initiative marked a pivotal moment in the agency's history. This transformation was not without its hurdles. 
Initial resistance to change was a significant barrier that needed careful navigation. However, through strategic planning and a commitment to modernization, the USPTO successfully overcame these challenges, leading to a more efficient, accessible and streamlined patent application process.\n\nEfficient Budget Management at the USPTO: \"Being able to maintain our budget or even maybe decrease the overall budget by 1%, but yet inflation going up 8, 9%, we've been able to do that. And it's about prioritization, and that's part of our New Ways of Working.\" — Deborah Stephens\n\nAbout Our Guest\n\nDeborah Stephens is the Deputy Chief Information Officer (DCIO) for the United States Patent and Trademark Office (USPTO). She has served at the USPTO for more than 30 years in multiple leadership roles, during which she has worked to improve the automated tools and informational resources that facilitate electronic processing of patent applications. In her current role, Deborah is the principal advisor to the Chief Information Officer (CIO) and responsible for managing day-to-day operations of the Office of the Chief Information Officer (OCIO) with significant oversight on information technology (IT) stabilization and modernization efforts. She guides teams towards continual improvements in IT delivery for maximum value to all stakeholders.\n\nEpisode Links\n\nHigh Impact Service Providers (HISPs)\nUSPTO Fee Schedule\nWomen’s History Month Blog","content_html":"

Deborah Stephens, the Deputy Chief Information Officer for the United States Patent and Trademark Office (USPTO), “grew up” so to speak in the USPTO. Deborah led the USPTO on its agile journey. As the agency took on its “New Ways of Working,” by moving people and resources closer to the work, she helped empower employees to build and deploy software. Deborah shares how she guided the agency through this 4-year change journey, gaining buy-in from the organization, which was proved by an engagement rate increase from 75% to 85%. Deborah also talks about what it means to be a HISP, running USPTO as a business that is entirely self-sustaining, and, in honor of Women’s History Month, the women who have inspired her along the way.

Key Topics


Growth in Patent and Trademark Requests

Surge in Applications at USPTO

Deborah Stephens highlights a significant increase in the number of patent and trademark applications received by the USPTO over the years. This growth, from approximately 350,000 to 400,000 applications in 2012, with numbers continuing to rise, underscores the vibrant culture of innovation and creativity in the United States. The upward trend of applications is a positive sign of the country's ongoing commitment to innovation. However, it also presents logistical challenges for the USPTO, including the need to process a higher volume of applications efficiently while ensuring the quality of examination does not diminish.

Transition to New Ways of Working in U.S. Patent and Trademark Office: "And so in around late 2018, 19, we began our, what we referred to as our agile journey. We named it our New Ways of Working, which essentially is an entire USPTO effort. Including our business unit with 12 other business units, moving people and the resources closer to the work. Giving them that empowerment, to build, deliver, deploy software, product services for our business stakeholders, and that's both internally and externally." — Deborah Stephens

USPTO is Adapting to Increased Demand

In response to the growing demand for intellectual property protection, the USPTO has been proactive in seeking ways to maintain and improve service delivery. Deborah discusses the agency's approach to managing the influx of applications, focusing on scalability and efficiency. Despite the challenges posed by the increase in applications, the USPTO's designation as a High Impact Service Provider (HISP) has had minimal impact on its existing customer experience strategy. The agency's foundational commitment to delivering exceptional service to inventors and entrepreneurs remains steadfast, with an emphasis on continuous improvement and the adoption of new strategies to better meet the needs of the U.S. innovation community.

USPTO's Fee-Funded Model and Fiscal Strategy

USPTO’s Fee-Funded Operations

Deborah highlights the United States Patent and Trademark Office's (USPTO) operational model, which is uniquely self-sufficient, relying entirely on fees collected from patent and trademark applications. This model ensures that the USPTO does not use taxpayer dollars, setting it apart from many other government agencies. By directly linking the agency's funding to the services it provides, the USPTO aligns its goals closely with the needs and successes of its primary users: inventors and businesses seeking intellectual property protection. This connection incentivizes the agency to continuously improve its processes and customer service. Additionally, Deborah mentions a tiered fee system that offers different rates for entities of various sizes, from individual inventors to large corporations. This structure is designed to lower barriers for smaller entities and encourage a wider range of innovation.

USPTO’s Budgetary Discipline and Management

Facing economic pressures such as inflation, the USPTO's approach to budget management becomes even more pivotal. Deborah discusses the importance of prioritization and strategic decision-making in maintaining the agency's financial health. Despite rising costs, the USPTO strives to keep its budget stable and even reduce it when possible, demonstrating a high level of fiscal responsibility. This is achieved through careful analysis of projects and initiatives, focusing resources on areas that promise the highest impact. The USPTO's disciplined budgetary approach not only ensures its operations are sustainable but also serves as a potential model for other federal agencies. By showcasing how to effectively manage finances in a challenging economic environment, the USPTO underlines the value of strategic planning and prioritization in government fiscal strategy.

Telework Readiness and Agile Transformation at USPTO

USPTO’s Transition to Telework Prior to COVID-19

Deborah highlights the USPTO's preparedness for telework well before the COVID-19 pandemic. With a significant portion of the workforce already equipped and familiar with remote working protocols, the USPTO had laid a robust foundation for telework readiness. This foresight into establishing a telework culture not only ensured the continuity of operations during unprecedented times but also underscored the agency's commitment to leveraging modern work practices. The transition to a fully remote working environment, necessitated by the pandemic, was thus more seamless for the USPTO than for many other organizations, demonstrating a proactive approach to business continuity planning.

Introducing Change in Remote Work Environments: "There were every 2 weeks of what we refer to as, lunch and learns. And in the beginning, I was the prime speaker, saying, here's our New Ways of Working. Here's the structure. Here's how we're gonna move our processes, our procedures, and people would join in. And it was all remote. I'd have a big TV like producer kind of studio, and I'd be in front of the blue screen and talking to them about this change at least every 2 weeks, if not, sometimes more." — Deborah Stephens

Agile Transformation and Cultural Shift at USPTO

The shift from traditional waterfall methods to agile methodologies marked a significant transformation within the USPTO. Deborah emphasizes that this transition was not merely about changing project management techniques. It involved a deeper cultural shift within the organization. Achieving buy-in from both individuals and teams was crucial to fostering an environment that embraced agility, empowered employees and encouraged rapid deployment of products. Key to this cultural transformation were regular remote meetings and employee engagement surveys. These played a significant role in understanding and enhancing employee satisfaction. The notable increase in engagement levels from 75% to 85% during this period of change illustrates the effectiveness of the USPTO's approach in not only implementing agile methodologies but also in cultivating a culture that is receptive and adaptive to change.

Tech Landscape and Patent Filing Insights at USPTO

USPTO’s "Fail Fast, Fail Forward" Approach

Deborah shares the USPTO's dynamic approach to technological innovation, encapsulated in the mantra "fail fast, fail forward." This methodology allows the USPTO to quickly test new ideas and technologies, while learning from any setbacks, and refining their strategies efficiently. By fostering an environment where experimentation is encouraged and failure is seen as a stepping stone to success, the agency ensures that it remains at the forefront of technological advancements. This approach is crucial in a rapidly changing tech landscape, as it enables the USPTO to adapt and innovate continuously. Deborah highlights how this philosophy has led to a more agile and responsive IT infrastructure within the agency, one capable of meeting the demands of modern patent and trademark processing.

The Value of Mentorship: "I think you need to establish your go-to network of mentors, and don't be afraid to become a mentor." — Deborah Stephens

Emphasizing Customer Feedback in Patent and Trademark Submissions

Carolyn brings attention to the importance of customer feedback in the process of patent and trademark submissions at the USPTO. Deborah explains how the agency values the insights gained from customer experiences and actively seeks out feedback to improve services. Through a variety of channels such as webinars, outreach programs and direct communication through customer service teams, the USPTO gathers valuable input from those who navigate the patent and trademark submission processes. This dedication to understanding and addressing the needs and challenges of its customers has led to significant enhancements in the USPTO's support structures. Deborah further discusses educational efforts aimed at demystifying the complexities of the patent filing process, thereby making it more accessible and navigable for inventors and businesses alike.

Digital Transformation at USPTO

USPTO’s Move from Paper-Based to Digital Systems

Deborah played a significant role in transitioning the agency from a paper-based application system to a fully digitized process. This monumental task involved not just the scanning of existing paper documents, but also integrating OCR technology to make historical patents searchable and accessible in digital form. Despite the sheer scale and potential logistical challenges of digitizing vast amounts of data, the initiative marked a pivotal moment in the agency's history. This transformation was not without its hurdles. Initial resistance to change was a significant barrier that needed careful navigation. However, through strategic planning and a commitment to modernization, the USPTO successfully overcame these challenges, leading to a more efficient, accessible and streamlined patent application process.

Efficient Budget Management at the USPTO: "Being able to maintain our budget or even maybe decrease the overall budget by 1%, but yet inflation going up 8, 9%, we've been able to do that. And it's about prioritization, and that's part of our New Ways of Working." — Deborah Stephens

About Our Guest

Deborah Stephens is the Deputy Chief Information Officer (DCIO) for the United States Patent and Trademark Office (USPTO). She has served at the USPTO for more than 30 years in multiple leadership roles, during which she has worked to improve the automated tools and informational resources that facilitate electronic processing of patent applications. In her current role, Deborah is the principal advisor to the Chief Information Officer (CIO) and responsible for managing day-to-day operations of the Office of the Chief Information Officer (OCIO) with significant oversight on information technology (IT) stabilization and modernization efforts. She guides teams towards continual improvements in IT delivery for maximum value to all stakeholders.

Episode Links


","summary":null,"date_published":"2024-03-13T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/1f2c06d7-6411-471b-b631-bc4dbf64748b.mp3","mime_type":"audio/mpeg","size_in_bytes":108406412,"duration_in_seconds":2709}]},{"id":"83bfbaa8-a7d8-4df2-8885-a75c2786576b","title":"Episode 82: Beyond Compliance: Elevating Cybersecurity Practices with Travis Rosiek","url":"https://techtransforms.fireside.fm/82","content_text":"As technology rapidly evolves, we as a nation need to anticipate the attacks that may come about as a result of that innovation. Travis Rosiek, the Public Sector CTO at Rubrik and former Leader at the Defense Information Systems Agency (DISA), joins Tech Transforms to talk about how the government’s approach to technology and relationship with industry has evolved over the last twenty years. He also discusses compliance, including FedRAMP compliance, managing the vast amount of data that is generated daily across the government and industry, and the importance of the U.S. Government building cyber resilient systems. Catch all this and more on this episode of Tech Transforms.\n\nKey Topics\n\n00:00 Government fielded and tested tech capabilities, explained compliance.\n05:23 Enhanced security collaboration, compliance, and risk minimization.\n09:14 Experience in government and commercial capabilities. Innovation.\n10:12 Commercial companies prioritize profitability over long-term planning.\n14:38 Challenges in public sector recruiting and retention.\n18:49 Outsourcing SaaS applications frees up resources. 
AI evolving, human input remains essential.\n22:33 Assessing incident response: Operational evaluation, not just compliance.\n25:57 Vendors and program office face process challenges.\n29:46 Secure cloud data access: visibility, risks, controls.\n32:27 Emphasizing need for security in IT systems.\n36:44 CISOs face challenges in evolving tech landscape.\n38:11 Support CISOs, recruit and retain talent, accountability.\n\nEvolving Cybersecurity Practices: A Shift to 'Cloud Smart' Strategies\n\nTravis's Perspective on Cloud Misconceptions\n\nTravis discusses the early days of cloud adoption, which were often fueled by misconceptions about its benefits. The migration toward cloud computing was commonly believed to be a cost-effective solution that would reduce expenses and simultaneously enhance security. However, he points out that this was not always the case. Many organizations have since realized that the initial cost of moving to the cloud can vary greatly based on specific use cases and applications. This realization has led to a strategic shift toward what Travis refers to as a \"cloud smart\" approach, highlighting the need for a more discerning and tailored evaluation of how cloud resources are utilized.\n\nThe Role of Commercial Companies vs. Government in Problem-Solving: \"Industry is great about solving problems. You know, driving that capitalism type of culture, building capabilities, selling solutions. And they're quicker to implement, adapt and deploy capabilities where the government is very slow in implementation of these you know, they can figure out the problem.\" — Travis Rosiek\n\nThe 'Cloud Smart' Strategic Approach\n\nTaking a \"cloud smart\" approach indicates a maturation in the perception of cloud services by government agencies and businesses alike. Rather than a blanket strategy of cloud-first, Travis indicates that there is now a more nuanced consideration of when and how to use cloud services. 
He underscores the importance of aligning cloud adoption with an organization's unique needs, including the potential scalability, security and cost implications. This approach suggests a collaborative and informed decision-making process, recognizing that the cloud offers a variety of solutions, each with different features, advantages and trade-offs that must be carefully weighed against organizational goals and objectives.\n\nNavigating Cybersecurity Practices in Cloud Migration\n\nThe Balance of Technical and Non-Technical Implications in Cloud Migration\n\nTravis discusses the intricacies involved in organizational cloud migrations, emphasizing that these undertakings are not solely about technological transitions but also encompass a variety of non-technical considerations. The shift to cloud-based services goes beyond mere data storage and infrastructure changes. It affects strategic business decisions, financial planning and operational workflows, necessitating a comprehensive evaluation of both the potential benefits and the challenges. Organizations must be acutely aware of the detailed shared responsibility models that cloud service providers outline, which delineate the security obligations of the provider versus the customer. Understanding these responsibilities helps in effectively managing the risks associated with cloud computing.\n\nThe Importance of Human Oversight in AI: \"But you still can't take the human out of the loop.\" — Travis Rosiek\n\nThe Demand for Advanced Cybersecurity Practices in Multi-Cloud Environments\n\nTravis highlights a significant challenge in the cybersecurity landscape, which is the scarcity of skilled professionals equipped to manage and protect complex multi-cloud and hybrid environments. As organizations increasingly adopt a mix of cloud services and on-premises solutions, the demand for cybersecurity practitioners with the necessary expertise to navigate this complexity grows. 
However, attracting and retaining such talent is difficult due to competitive job markets and the limitations of government pay scales. This is compounded by the extensive skill set required for modern cloud environments, including not only security but also knowledge of cloud architecture, compliance and various cloud-specific technologies. Travis underscores the need for specialized personnel capable of addressing the advanced cybersecurity concerns that arise from this intricate, dynamic infrastructure.\n\nThe Evolution of FedRAMP Compliance\n\nFedRAMP Compliance: A Shared Burden\n\nTravis sheds light on the evolution of the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization and continuous monitoring. While it is often perceived as a costly and time-consuming barrier for vendors seeking to serve government clients, Travis emphasizes that the journey to FedRAMP authorization is not the sole responsibility of vendors. Government sponsors engaged in this process also bear a significant load. This dual burden requires commitment and collaboration from both parties to navigate the complexities involved in achieving FedRAMP compliance.\n\nStrategic Cybersecurity Practices to Navigate FedRAMP Compliance Challenges\n\nTravis goes into further detail regarding the collaborative challenges of attaining FedRAMP compliance. On the government side, a sponsor’s role in shepherding vendors through the process can be incredibly taxing due to staffing and resource constraints. Furthermore, the procedural nature of the FedRAMP framework can prove to be a linear and lengthy ordeal for all involved. 
Travis suggests that greater investment to ease the procedural efforts for government stakeholders could potentially improve the efficiency of the overall process, helping it to mature and ultimately relieving some of the burden for both vendors and government sponsors.\n\nAddressing Data Volume and Security Risks in Modern Cybersecurity Practices\n\nData Categorization and Classification\n\nCarolyn highlights the daunting challenge of classifying the vast amounts of data that individuals and organizations are responsible for. Travis acknowledges this burden, especially given the exponential growth of data in today's digital landscape. He underscores that as data multiplies rapidly and spreads across various platforms – from cloud services to mobile devices – accurately categorizing and classifying it becomes more critical yet more difficult. Ensuring the security and proper handling of this data is paramount as mismanagement can lead to significant security breaches and compliance issues.\n\nCybersecurity in the Era of Cloud and Mobile Computing: \"If you can't answer some of those basic questions on visibility, you're gonna struggle protecting it.\" — Travis Rosiek\n\nAdapting Cybersecurity Practices to Combat Data Volume Surge\n\nTravis points to a report produced by Rubrik Zero Labs that sheds light on the continuous surge in data volume within organizations, often experiencing growth by significant percentages over short periods. This expansion amplifies the challenge of safeguarding critical information. Moreover, the need to provide accurate access control increases in complexity when data resides in a hybrid environment. This includes multiple clouds, on-premise servers, and SaaS applications. 
The continuous monitoring and protection of data across these diverse and dynamic environments present an ongoing challenge for data security professionals.\n\nComplexities in Data Access Controls\n\nCarolyn and Travis discuss the need for visibility in distributed data environments, as knowing what data exists, where it is stored and who has access to it is fundamental to securing it. Travis advocates for the NIST Special Publication 800-160 as an additional resource that can guide organizations toward building cyber resilient systems. Its principles of anticipating, withstanding, recovering and adapting offer a strategic approach to not just responding to cyber threats but also preparing for and preventing potential data breaches in complex IT and data environments.\n\nStrategic Alignment of Cybersecurity Practices with Governmental Objectives and Zero Trust Principles\n\nAligning Cybersecurity Practices with Governmental Objectives\n\nWhen considering the acquisition of technology within government entities, Travis highlights the importance of aligning with governmental objectives. Especially when it pertains to national defense, scalability becomes a paramount factor, as the technology adopted must cater to expansive operations and adhere to rigorous standards of security and efficiency. In the military and defense sectors, technologies must not only serve unique and highly specialized purposes but also be viable on a large scale. 
Travis notes that achieving this balance often requires a nuanced approach that can accommodate the specific needs of government operations, while also being mindful of the rapidly evolving landscape of technology.\n\nCybersecurity and Organizational Resilience: \"Having a false sense of security, you know, in anything we build, overly trusting things or having a false sense of security, is probably our Achilles' heel.\" — Travis Rosiek\n\nEmphasizing Security Principles and Zero Trust\n\nTravis underscores the central role of security principles in the process of technology acquisition and he places particular emphasis on the concept of Zero Trust, an approach to cybersecurity that operates on the assumption that breaches are inevitable and thus requires constant verification of all users within an organization's network. Travis argues that adopting a zero trust framework is crucial for government agencies to protect against a vast array of cyber threats. By following this principle, organizations can ensure that their acquisition of technology not only meets current operational demands but is also prepared to withstand the sophisticated and ever-changing tactics of adversaries in cyberspace.\n\nThe ABCs of Technology Implementation\n\nThe Adoption, Buying and Creating Strategy\n\nTravis reflects on a strategic approach he learned during his tenure at DISA, known as the ABCs, a methodology imparted by then DISA director General Charlie Croom. This strategy prioritizes the use of existing commercial technologies, emphasizing 'adoption' as the primary step. By leveraging commercially available tech, organizations can tap into advanced capabilities and integrate them into their operations swiftly. The 'buy' component encourages the procurement of already fielded technologies or platforms. These may not be commercially created but have been proven in practical governmental applications. Lastly, 'create' is seen as a last resort. 
Reserved for instances where the needs are so specialized or critical that a bespoke solution is warranted. Often due to unique use cases or strict national security concerns.Strategic Balancing of Commercial Speed and Government Foresight in Cybersecurity PracticesIn discussing the rationale behind the ABCs framework, Travis reveals the nuanced balance required in government tech implementations. While commercial entities' speed to deploy novel solutions can address particular gaps, government institutions often play a crucial role in identifying and tackling long-term, complex challenges. Especially in defense, the need to build solutions from the ground up may arise when existing products fail to meet the stringent requirements of security-sensitive operations. Conversely, commercial technology's versatility is a critical asset. This marked a shift from the government's historical tendency to primarily develop its own technology solutions. Travis urges organizations to use this strategic framework to make informed, prudent decisions that consider both immediate needs and long-term strategic objectives.About Our GuestTravis Rosiek is a highly accomplished cyber security executive with more than 20 years in the industry. He has built and grown cybersecurity companies and led large cybersecurity programs within the U.S. Department of Defense (DoD). His experience spans driving innovation as a cybersecurity leader for global organizations and CISOs, to corporate executive building products and services. His impact has helped lead to successful IPOs (FireEye) and acquisitions (BluVector by Comcast). As a Cyber Leader in the U.S. DoD, he has been awarded the Annual Individual Award for Defending the DoD’s Networks. Travis currently serves as the Public Sector CTO at Rubrik helping organizations become more cyber and data resilient. 
Prior to Rubrik, Travis held several leadership roles including the Chief Technology and Strategy Officer at BluVector, CTO at Tychon, Federal CTO at FireEye, a Principal at Intel Security/McAfee and Leader at the Defense Information Systems Agency (DISA). He earned a Certificate from GWU in Executive Leadership and graduated from West Virginia University with Honors while earning multiple Engineering degrees. He also was one of the first of ten students from across the nation to be awarded a scholarship from the DoD/NSA’s in cybersecurity. His pioneering mindset has helped him better secure our nation and commercial critical infrastructure. Additionally, Travis is an invited speaker, author (blogs, journals, books) and has also served on the NSTAC, ICIT Fellow and multiple advisory boards.\n\nEpisode Links\n\nRubrik Zero Labs\nNIST 800-53\nNIST 800-160","content_html":"

As technology rapidly evolves, we as a nation need to anticipate the attacks that may come about as a result of that innovation. Travis Rosiek, the Public Sector CTO at Rubrik and former Leader at the Defense Information Systems Agency (DISA), joins Tech Transforms to talk about how the government’s approach to technology and relationship with industry has evolved over the last twenty years. He also discusses compliance, including FedRAMP compliance, managing the vast amount of data that is generated daily across the government and industry, and the importance of the U.S. Government building cyber resilient systems. Catch all this and more on this episode of Tech Transforms.

Key Topics


Evolving Cybersecurity Practices: A Shift to 'Cloud Smart' Strategies

Travis's Perspective on Cloud Misconceptions

Travis discusses the early days of cloud adoption, which were often fueled by misconceptions about its benefits. The migration toward cloud computing was commonly believed to be a cost-effective solution that would reduce expenses and simultaneously enhance security. However, he points out that this was not always the case. Many organizations have since realized that the initial cost of moving to the cloud can vary greatly based on specific use cases and applications. This realization has led to a strategic shift toward what Travis refers to as a "cloud smart" approach, highlighting the need for a more discerning and tailored evaluation of how cloud resources are utilized.

The Role of Commercial Companies vs. Government in Problem-Solving: "Industry is great about solving problems. You know, driving that capitalism type of culture, building capabilities, selling solutions. And they're quicker to implement, adapt and deploy capabilities where the government is very slow in implementation of these you know, they can figure out the problem." — Travis Rosiek

The 'Cloud Smart' Strategic Approach

Taking a "cloud smart" approach indicates a maturation in the perception of cloud services by government agencies and businesses alike. Rather than a blanket strategy of cloud-first, Travis indicates that there is now a more nuanced consideration of when and how to use cloud services. He underscores the importance of aligning cloud adoption with an organization's unique needs, including the potential scalability, security and cost implications. This approach suggests a collaborative and informed decision-making process, recognizing that the cloud offers a variety of solutions, each with different features, advantages and trade-offs that must be carefully weighed against organizational goals and objectives.

Navigating Cybersecurity Practices in Cloud Migration

The Balance of Technical and Non-Technical Implications in Cloud Migration

Travis discusses the intricacies involved in organizational cloud migrations, emphasizing that these undertakings are not solely about technological transitions but also encompass a variety of non-technical considerations. The shift to cloud-based services goes beyond mere data storage and infrastructure changes. It affects strategic business decisions, financial planning and operational workflows, necessitating a comprehensive evaluation of both the potential benefits and the challenges. Organizations must be acutely aware of the detailed shared responsibility models that cloud service providers outline, which delineate the security obligations of the provider versus the customer. Understanding these responsibilities helps in effectively managing the risks associated with cloud computing.

The Importance of Human Oversight in AI: "But you still can't take the human out of the loop." — Travis Rosiek

The Demand for Advanced Cybersecurity Practices in Multi-Cloud Environments

Travis highlights a significant challenge in the cybersecurity landscape, which is the scarcity of skilled professionals equipped to manage and protect complex multi-cloud and hybrid environments. As organizations increasingly adopt a mix of cloud services and on-premises solutions, the demand for cybersecurity practitioners with the necessary expertise to navigate this complexity grows. However, attracting and retaining such talent is difficult due to competitive job markets and the limitations of government pay scales. This is compounded by the extensive skill set required for modern cloud environments, including not only security but also knowledge of cloud architecture, compliance and various cloud-specific technologies. Travis underscores the need for specialized personnel capable of addressing the advanced cybersecurity concerns that arise from this intricate, dynamic infrastructure.

The Evolution of FedRAMP Compliance

FedRAMP Compliance: A Shared Burden

Travis sheds light on the evolution of the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization and continuous monitoring. While it is often perceived as a costly and time-consuming barrier for vendors seeking to serve government clients, Travis emphasizes that the journey to FedRAMP authorization is not the sole responsibility of vendors. Government sponsors engaged in this process also bear a significant load. This dual burden requires commitment and collaboration from both parties to navigate the complexities involved in achieving FedRAMP compliance.

Strategic Cybersecurity Practices to Navigate FedRAMP Compliance Challenges

Travis goes into further detail regarding the collaborative challenges of attaining FedRAMP compliance. On the government side, a sponsor’s role in shepherding vendors through the process can be incredibly taxing due to staffing and resource constraints. Furthermore, the procedural nature of the FedRAMP framework can prove to be a linear and lengthy ordeal for all involved. Travis suggests that greater investment to ease the procedural efforts for government stakeholders could potentially improve the efficiency of the overall process, helping it to mature and ultimately relieving some of the burden for both vendors and government sponsors.

Addressing Data Volume and Security Risks in Modern Cybersecurity Practices

Data Categorization and Classification

Carolyn highlights the daunting challenge of classifying the vast amounts of data that individuals and organizations are responsible for. Travis acknowledges this burden, especially given the exponential growth of data in today's digital landscape. He underscores that as data multiplies rapidly and spreads across various platforms – from cloud services to mobile devices – accurately categorizing and classifying it becomes more critical yet more difficult. Ensuring the security and proper handling of this data is paramount as mismanagement can lead to significant security breaches and compliance issues.

Cybersecurity in the Era of Cloud and Mobile Computing: "If you can't answer some of those basic questions on visibility, you're gonna struggle protecting it." — Travis Rosiek

Adapting Cybersecurity Practices to Combat Data Volume Surge

Travis points to a report produced by Rubrik Zero Labs that sheds light on the continuous surge in data volume within organizations, often experiencing growth by significant percentages over short periods. This expansion amplifies the challenge of safeguarding critical information. Moreover, the need to provide accurate access control increases in complexity when data resides in a hybrid environment. This includes multiple clouds, on-premise servers, and SaaS applications. The continuous monitoring and protection of data across these diverse and dynamic environments present an ongoing challenge for data security professionals.

Complexities in Data Access Controls

Carolyn and Travis discuss the need for visibility in distributed data environments, as knowing what data exists, where it is stored and who has access to it is fundamental to securing it. Travis advocates for the NIST Special Publication 800-160 as an additional resource that can guide organizations toward building cyber resilient systems. Its principles of anticipating, withstanding, recovering and adapting offer a strategic approach not just to responding to cyber threats but also to preparing for and preventing potential data breaches in complex IT and data environments.

Strategic Alignment of Cybersecurity Practices with Governmental Objectives and Zero Trust Principles

Aligning Cybersecurity Practices with Governmental Objectives

When considering the acquisition of technology within government entities, Travis highlights the importance of aligning with governmental objectives. Especially when it pertains to national defense, scalability becomes a paramount factor, as the technology adopted must cater to expansive operations and adhere to rigorous standards of security and efficiency. In the military and defense sectors, technologies must not only serve unique and highly specialized purposes but also be viable on a large scale. Travis notes that achieving this balance often requires a nuanced approach that can accommodate the specific needs of government operations, while also being mindful of the rapidly evolving landscape of technology.

Cybersecurity and Organizational Resilience: "Having a false sense of security, you know, in anything we build, overly trusting things or having a false sense of security, is probably our Achilles' heel." — Travis Rosiek

Emphasizing Security Principles and Zero Trust

Travis underscores the central role of security principles in the process of technology acquisition and he places particular emphasis on the concept of Zero Trust, an approach to cybersecurity that operates on the assumption that breaches are inevitable and thus requires constant verification of all users within an organization's network. Travis argues that adopting a zero trust framework is crucial for government agencies to protect against a vast array of cyber threats. By following this principle, organizations can ensure that their acquisition of technology not only meets current operational demands but is also prepared to withstand the sophisticated and ever-changing tactics of adversaries in cyberspace.

The ABCs of Technology Implementation

The Adoption, Buying and Creating Strategy

Travis reflects on a strategic approach he learned during his tenure at DISA, known as the ABCs, a methodology imparted by then DISA director General Charlie Croom. This strategy prioritizes the use of existing commercial technologies, emphasizing 'adoption' as the primary step. By leveraging commercially available tech, organizations can tap into advanced capabilities and integrate them into their operations swiftly. The 'buy' component encourages the procurement of already fielded technologies or platforms. These may not be commercially created but have been proven in practical governmental applications. Lastly, 'create' is seen as a last resort, reserved for instances where the needs are so specialized or critical that a bespoke solution is warranted, often due to unique use cases or strict national security concerns.

Strategic Balancing of Commercial Speed and Government Foresight in Cybersecurity Practices

In discussing the rationale behind the ABCs framework, Travis reveals the nuanced balance required in government tech implementations. While commercial entities' speed to deploy novel solutions can address particular gaps, government institutions often play a crucial role in identifying and tackling long-term, complex challenges. Especially in defense, the need to build solutions from the ground up may arise when existing products fail to meet the stringent requirements of security-sensitive operations. Conversely, commercial technology's versatility is a critical asset. This marked a shift from the government's historical tendency to primarily develop its own technology solutions. Travis urges organizations to use this strategic framework to make informed, prudent decisions that consider both immediate needs and long-term strategic objectives.

About Our Guest

Travis Rosiek is a highly accomplished cyber security executive with more than 20 years in the industry. He has built and grown cybersecurity companies and led large cybersecurity programs within the U.S. Department of Defense (DoD). His experience spans driving innovation as a cybersecurity leader for global organizations and CISOs, to corporate executive building products and services. His impact has helped lead to successful IPOs (FireEye) and acquisitions (BluVector by Comcast).

As a Cyber Leader in the U.S. DoD, he has been awarded the Annual Individual Award for Defending the DoD’s Networks. Travis currently serves as the Public Sector CTO at Rubrik helping organizations become more cyber and data resilient. Prior to Rubrik, Travis held several leadership roles including the Chief Technology and Strategy Officer at BluVector, CTO at Tychon, Federal CTO at FireEye, a Principal at Intel Security/McAfee and Leader at the Defense Information Systems Agency (DISA).

He earned a Certificate from GWU in Executive Leadership and graduated from West Virginia University with Honors while earning multiple Engineering degrees. He also was one of the first of ten students from across the nation to be awarded a scholarship from the DoD/NSA’s in cybersecurity. His pioneering mindset has helped him better secure our nation and commercial critical infrastructure. Additionally, Travis is an invited speaker, author (blogs, journals, books) and has also served on the NSTAC, ICIT Fellow and multiple advisory boards.

Episode Links


","summary":null,"date_published":"2024-02-28T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/1b64cf9d-31d8-4086-b794-4a17bd5aa07f.mp3","mime_type":"audio/mpeg","size_in_bytes":50895550,"duration_in_seconds":2544}]},{"id":"c7d45593-9936-4b76-bdf7-19c72b0e2711","title":"Episode 81: From Special Ops to Cybersecurity: A Veteran's Journey in National Security","url":"https://techtransforms.fireside.fm/81","content_text":"Sebastian Taphanel has spent his life on the cutting edge of technology and innovation. This week on Tech Transforms, Sebastian is sharing tales and lessons learned from his 20 years in DoD Special Ops and intelligence and 20 years implementing sound security engineering practices focused on implementing zero trust and highly resilient environments. Join Sebastian as he recounts his time in Special Forces taking his units out of the dark ages from secure fax communications to setting up an intranet, and how he continued with that innovative spirit through his 40-year career. He also shares his new passion, encouraging the industry to utilize disabled veterans to help fill both the cybersecurity and AI workforce gaps. 
They, after all, already have a call for the mission.\n\nKey Topics\n\n03:38 ODNI CIO responded quickly with Microsoft Azure.\n07:03 Protecting data via application container, expanding capabilities.\n11:01 Zero Trust redrawn cybersecurity model, data-centric approach.\n13:57 Developing zero trust plan for downstream organizations.\n18:50 Ensuring security while sharing information and protecting IP.\n21:35 APIs, containers enable fluid, flexible data access.\n24:20 Data protection systems allow secure sharing and storage.\n27:02 Addressing cybersecurity workforce gap and AI need.\n29:39 In 1998, new commander requests secure WAN.\n33:49 Applied for certified protection professional, highest security certification.\n36:28 Passionate about supporting disabled vets in cybersecurity.\n39:55 Mentoring government employees for cybersecurity and AI/ML.\n45:32 Using advanced generative AI solutions for copywriting.\n47:19 Update cybersecurity tools and systems for new threats.\n49:50 Respect for those dedicated to automation.\n\nEnhancing Secure Communication and Cloud Environments in Special Ops\n\nSpecial Ops Agility: Adapting to Remote Collaboration with Secure Cloud-Based Workspaces\n\nSebastian Taphanel’s experience spans twenty years in DOD Special Ops and Intelligence, followed by consulting in security engineering. The focal point of this episode is his role in advancing cybersecurity practices at the ODNI, particularly emphasizing resilient cloud-based environments.\n\nSebastian describes the quick adaptation during the pandemic which led to the rollout of an ad hoc cloud-based workspace to ensure the ODNI's mission could endure despite the workforce being remote. GCC High, or Government Commercial Cloud High as conceived by Microsoft, is revealed as the successor to the initial setup, providing a more secure platform managed strictly by U.S. persons. 
The approach highlighted the agility of cloud technology for remote collaboration within federal agencies.\n\nCybersecurity in Intelligence Sharing: \"Essentially, reciprocity is a process and also a culture of accepting each other's risks. And that's really the bottom line on all that.\" — Sebastian Taphanel\n\nUnfolding the GCC High Environment\n\nThe intricacies of implementing Microsoft Azure and M365 (Office 365) are detailed as Sebastian underlines their pivotal use in creating an intranet with controlled document sharing and editing. These implementations include robust Mobile Device Management and a BYOD Mobile Application Management system that protects sensitive data on government and personal devices, thereby ensuring operational security and flexibility.\n\nSpecial Ops Communication Evolution\n\nSebastian advanced from using secure faxes for interstate communication within military units to establishing a multi-state secure WAN. This resulted in a significant leap in communication efficacy for special operations. Sebastian shared the potency of secure, cloud-based tools in streamlining and securing government communications, as well as their inherent adaptability to contemporary operational needs.\n\nZero Trust Implementation and Reciprocity in Security Controls: \"Reciprocity, in some circles, it's a dirty word. Because everybody wants to do it, but nobody really wants to be first.\" — Sebastian Taphanel\n\nThe Shift to Cybersecurity Training and AI\n\nSpecial Ops to Cyber Ops: Training Disabled Veterans to Bridge the Cybersecurity Workforce Gap\n\nSebastian recognizes the increasing importance of cybersecurity expertise in today's digital landscape. He points out the significant gap in the cybersecurity workforce and the untapped potential of disabled veterans who can be trained to meet this demand. This shift towards prioritizing cybersecurity skills reflects the industry's evolution as organizations increasingly rely on digital infrastructure, thus creating a fertile ground for cyber threats. By focusing on equipping disabled veterans, who already possess a strong sense of duty and protection, with the necessary technical skills to combat these threats, Sebastian believes that we can build a robust cybersecurity force that benefits not just the veterans but the nation's overall security posture as well.\n\nTraining Disabled Veterans for Cybersecurity and AI\n\nBuilding upon his own transition from a military career to cybersecurity, Sebastian is passionate about creating opportunities for disabled veterans in the field. His experience has shown him that these individuals, with their ingrained ethos of national service, can continue their mission through careers in cybersecurity and artificial intelligence. Sebastian advocates for collaborations with major tech companies and training providers to establish programs specifically tailored for veterans. These developmental opportunities can help translate military competencies into civilian technology roles. As AI continues to influence various industry sectors, including cybersecurity, the need for skilled professionals who can leverage AI effectively is critical. By providing appropriate training and mentorship, Sebastian sees disabled veterans playing an integral role in shaping the future of cybersecurity and AI.\n\nSpecial Ops Veteran Illuminates Zero Trust as a Data-Centric Security Model and the Strategic Role of AI in Cybersecurity\n\nZero Trust as a Data-Centric Security Model\n\nIn the evolving landscape of cybersecurity, Sebastian brings to light the concept of zero trust, a framework pivoting away from traditional perimeter security to a data-centric model. He highlights zero trust as a foundational approach, which is shaping the way organizations safeguard their data by assuming no implicit trust, and by verifying every access request as if it originates from an untrusted network. 
Unlike the historical castle-and-moat defense strategy which relied heavily on securing the perimeters of a network, this paradigm shift focuses on securing the data itself, regardless of its location. Zero trust operates on the fundamental belief that trust is a vulnerability, anchored on the principle that both internal and external threats exist on the network at all times. It necessitates continuous validation of the security posture and privileges for each user and device attempting to access resources on a network.\n\nZero Trust as a Data-Centric Security Model: “Zero trust now has essentially redrawn the lines for cybersecurity professionals and IT professionals. And I will say it’s an absolutely data-centric model. Whereas in previous decades, we looked at network centric security models.” — Sebastian Taphanel\n\nImplementing Zero Trust in Special Ops\n\nZero trust extends beyond theoretical formulations, requiring hands-on execution and strategic coherence. As Sebastian explains, the principle of reciprocity plays a vital role in the context of security authorizations among different agencies. It suggests that the security controls and standards established by one agency should be acknowledged and accepted by another, thus avoiding redundant security assessments and facilitating smoother inter-agency cooperation. However, applying such principles in practice has been sporadic across organizations, often hindered by a reluctance to accept shared risks. Driving home the notion that strategic plans must be actionable, Sebastian underscores the critical need to dovetail high-level strategies with ground-level tactical measures, ensuring these security frameworks are not merely aspirational documents but translate into concrete protective actions.\n\nSpecial Ops in Cybersecurity: Harnessing AI and ML for Enhanced Defense Capabilities\n\nAmidst rapid technological advances, artificial intelligence (AI) and machine learning (ML) are being called upon to bolster cybersecurity operations. Sebastian champions the idea that AI and ML technologies are indispensable tools for cyber professionals who are inundated with massive volumes of data. By synthesizing information and automating responses to security incidents, these technologies augment the human workforce and fill critical gaps in capabilities. The agility of these tools enables a swift and accurate response to emerging threats and anomalies, allowing organizations to pivot and adapt to the dynamic cyber landscape. For cybersecurity operators, the incorporation of AI and ML translates to strengthened defenses, enriched sense-making capabilities, and enhanced decision-making processes. In a field marked by a scarcity of skilled professionals and a deluge of sophisticated cyber threats, the deployment of intelligent systems is no longer a luxury; it is imperative for the preservation of cybersecurity infrastructures.\n\nLooking Ahead: Collaboration, Reciprocity and AI/ML Workforce\n\nAI/ML as a Cybersecurity Force Multiplier\n\nSebastian highlights the untapped potential of artificial intelligence and machine learning (AI/ML) as critical tools that can amplify the capabilities within the cybersecurity realm. As Sebastian provides his insights on the importance of AI/ML, it becomes clear that these technologies will serve as force multipliers, aiding overwhelmed cybersecurity professionals dealing with vast arrays of data. The envisaged role of AI/ML is to streamline sense-making processes and facilitate prompt, accurate cyber response actions to threats and vulnerabilities. 
Sebastian portrays a future where strategic use of AI/ML enables swift and informed decision-making, freeing cybersecurity operatives to focus on critical tasks that require their expertise.\n\nAI/ML as a Cybersecurity Force Multiplier: “I believe what’s going to be needed is the understanding, a training and culture that accepts AI/ML as an enabler.” — Sebastian Taphanel\n\nEmpowering Special Ops Veterans for the Future Cybersecurity and AI/ML Workforce\n\nSebastian asserts the urgency to prepare and equip individuals for the cybersecurity and AI/ML workforce. He envisions an actionable plan to invigorate the employment landscape, creating a resilient front in the fight against cyber threats. Sebastian calls for a strategic focus on training and knowledge dissemination, particularly for disabled veterans, to incorporate them into positions where they can continue serving the nation's interests in the digital domain. Recognizing the fast evolving nature of these fields, he stresses the need for a workforce that not only understands current technologies but can also adapt to emerging trends, ensuring that collective efforts in data protection and cybersecurity are robust and responsive to an ever-changing threat landscape.\n\nAbout Our Guest\n\nSebastian Taphanel blends a more than 20-year DoD Special Ops and intelligence career with more than 20 years of sound security engineering practices focused on implementing Zero Trust and highly resilient environments through the use of innovative technologies and common sense business practices.","content_html":"

Sebastian Taphanel has spent his life on the cutting edge of technology and innovation. This week on Tech Transforms, Sebastian is sharing tales and lessons learned from his 20 years in DoD Special Ops and intelligence and 20 years implementing sound security engineering practices focused on implementing zero trust and highly resilient environments. Join Sebastian as he recounts his time in Special Forces taking his units out of the dark ages from secure fax communications to setting up an intranet, and how he continued with that innovative spirit through his 40-year career. He also shares his new passion, encouraging the industry to utilize disabled veterans to help fill both the cybersecurity and AI workforce gaps. They, after all, already have a call for the mission.

Key Topics


Enhancing Secure Communication and Cloud Environments in Special Ops

Special Ops Agility: Adapting to Remote Collaboration with Secure Cloud-Based Workspaces

Sebastian Taphanel’s experience spans twenty years in DOD Special Ops and Intelligence, followed by consulting in security engineering. The focal point of this episode is his role in advancing cybersecurity practices at the ODNI, particularly emphasizing resilient cloud-based environments.

Sebastian describes the quick adaptation during the pandemic which led to the rollout of an ad hoc cloud-based workspace to ensure the ODNI's mission could endure despite the workforce being remote. GCC High, or Government Commercial Cloud High as conceived by Microsoft, is revealed as the successor to the initial setup, providing a more secure platform managed strictly by U.S. persons. The approach highlighted the agility of cloud technology for remote collaboration within federal agencies.

Cybersecurity in Intelligence Sharing: "Essentially, reciprocity is a process and also a culture of accepting each other's risks. And that's really the bottom line on all that." — Sebastian Taphanel

Unfolding the GCC High Environment

The intricacies of implementing Microsoft Azure and M365 (Office 365) are detailed as Sebastian underlines their pivotal use in creating an intranet with controlled document sharing and editing. These implementations include robust Mobile Device Management and a BYOD Mobile Application Management system that protects sensitive data on government and personal devices, thereby ensuring operational security and flexibility.

Special Ops Communication Evolution

Sebastian advanced from using secure faxes for interstate communication within military units to establishing a multi-state secure WAN. This resulted in a significant leap in communication efficacy for special operations. Sebastian shared the potency of secure, cloud-based tools in streamlining and securing government communications, as well as their inherent adaptability to contemporary operational needs.

Zero Trust Implementation and Reciprocity in Security Controls: "Reciprocity, in some circles, it's a dirty word. Because everybody wants to do it, but nobody really wants to be first." — Sebastian Taphanel

The Shift to Cybersecurity Training and AI

Special Ops to Cyber Ops: Training Disabled Veterans to Bridge the Cybersecurity Workforce Gap

Sebastian recognizes the increasing importance of cybersecurity expertise in today's digital landscape. He points out the significant gap in the cybersecurity workforce and the untapped potential of disabled veterans who can be trained to meet this demand. This shift towards prioritizing cybersecurity skills reflects the industry's evolution as organizations increasingly rely on digital infrastructure, thus creating a fertile ground for cyber threats. By focusing on equipping disabled veterans, who already possess a strong sense of duty and protection, with the necessary technical skills to combat these threats, Sebastian believes that we can build a robust cybersecurity force that benefits not just the veterans but the nation's overall security posture as well.

Training Disabled Veterans for Cybersecurity and AI

Building upon his own transition from a military career to cybersecurity, Sebastian is passionate about creating opportunities for disabled veterans in the field. His experience has shown him that these individuals, with their ingrained ethos of national service, can continue their mission through careers in cybersecurity and artificial intelligence. Sebastian advocates for collaborations with major tech companies and training providers to establish programs specifically tailored for veterans. These developmental opportunities can help translate military competencies into civilian technology roles. As AI continues to influence various industry sectors, including cybersecurity, the need for skilled professionals who can leverage AI effectively is critical. By providing appropriate training and mentorship, Sebastian sees disabled veterans playing an integral role in shaping the future of cybersecurity and AI.

Special Ops Veteran Illuminates Zero Trust as a Data-Centric Security Model and the Strategic Role of AI in Cybersecurity

Zero Trust as a Data-Centric Security Model

In the evolving landscape of cybersecurity, Sebastian brings to light the concept of zero trust, a framework that pivots away from traditional perimeter security to a data-centric model. He highlights zero trust as a foundational approach that is shaping the way organizations safeguard their data by assuming no implicit trust and by verifying every access request as if it originates from an untrusted network. Unlike the historical castle-and-moat defense strategy, which relied heavily on securing the perimeter of a network, this paradigm shift focuses on securing the data itself, regardless of its location. Zero trust operates on the fundamental belief that trust is a vulnerability, anchored in the principle that both internal and external threats exist on the network at all times. It necessitates continuous validation of the security posture and privileges of each user and device attempting to access resources on a network.

Zero Trust as a Data-Centric Security Model: Zero trust now has essentially redrawn the lines for cybersecurity professionals and IT professionals. And I will say it’s an absolutely data-centric model. Whereas in previous decades, we looked at network centric security models. — Sebastian Taphanel

Implementing Zero Trust in Special Ops

Zero trust extends beyond theoretical formulations, requiring hands-on execution and strategic coherence. As Sebastian explains, the principle of reciprocity plays a vital role in the context of security authorizations among different agencies. It suggests that the security controls and standards established by one agency should be acknowledged and accepted by another, thus avoiding redundant security assessments and facilitating smoother inter-agency cooperation. However, applying such principles in practice has been sporadic across organizations, often hindered by a reluctance to accept shared risks. Driving home the notion that strategic plans must be actionable, Sebastian underscores the critical need to dovetail high-level strategies with ground-level tactical measures, ensuring these security frameworks are not merely aspirational documents but translate into concrete protective actions.

Special Ops in Cybersecurity: Harnessing AI and ML for Enhanced Defense Capabilities

Amidst rapid technological advances, artificial intelligence (AI) and machine learning (ML) are being called upon to bolster cybersecurity operations. Sebastian champions the idea that AI and ML technologies are indispensable tools for cyber professionals who are inundated with massive volumes of data. By synthesizing information and automating responses to security incidents, these technologies augment the human workforce and fill critical gaps in capabilities. The agility of these tools enables a swift and accurate response to emerging threats and anomalies, allowing organizations to pivot and adapt to the dynamic cyber landscape. For cybersecurity operators, the incorporation of AI and ML translates to strengthened defenses, enriched sense-making capabilities, and enhanced decision-making processes. In a field marked by a scarcity of skilled professionals and a deluge of sophisticated cyber threats, the deployment of intelligent systems is no longer a luxury; it is imperative for the preservation of cybersecurity infrastructures.

Looking Ahead: Collaboration, Reciprocity and AI/ML Workforce

AI/ML as a Cybersecurity Force Multiplier

Sebastian highlights the untapped potential of artificial intelligence and machine learning (AI/ML) as critical tools that can amplify capabilities within the cybersecurity realm. As Sebastian provides his insights on the importance of AI/ML, it becomes clear that these technologies will serve as force multipliers, aiding overwhelmed cybersecurity professionals dealing with vast arrays of data. The envisaged role of AI/ML is to streamline sense-making processes and facilitate prompt, accurate cyber response actions to threats and vulnerabilities. Sebastian portrays a future where strategic use of AI/ML enables swift and informed decision-making, freeing cybersecurity operatives to focus on critical tasks that require their expertise.

AI/ML as a Cybersecurity Force Multiplier: I believe what’s going to be needed is the understanding, a training and culture that accepts AI/ML as an enabler. — Sebastian Taphanel

Empowering Special Ops Veterans for the Future Cybersecurity and AI/ML Workforce

Sebastian asserts the urgency of preparing and equipping individuals for the cybersecurity and AI/ML workforce. He envisions an actionable plan to invigorate the employment landscape, creating a resilient front in the fight against cyber threats. Sebastian calls for a strategic focus on training and knowledge dissemination, particularly for disabled veterans, to incorporate them into positions where they can continue serving the nation's interests in the digital domain. Recognizing the fast-evolving nature of these fields, he stresses the need for a workforce that not only understands current technologies but can also adapt to emerging trends, ensuring that collective efforts in data protection and cybersecurity are robust and responsive to an ever-changing threat landscape.

About Our Guest

Sebastian Taphanel blends a more than 20-year DoD Special Ops and intelligence career with more than 20 years of sound security engineering practices focused on implementing Zero Trust and highly resilient environments through the use of innovative technologies and common sense business practices.

","summary":null,"date_published":"2024-02-14T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/e7ae5e4e-92f4-425a-9c6f-4e99a877897a.mp3","mime_type":"audio/mpeg","size_in_bytes":73056748,"duration_in_seconds":3043}]},{"id":"1c134794-1f35-4189-9e67-4fd5d44fce72","title":"Episode 80: Harnessing AI for Cyber Innovation: Insights from Dr. Amy Hamilton at National Defense University","url":"https://techtransforms.fireside.fm/80","content_text":"The real question is, what doesn’t Dr. Amy Hamilton do? She’s currently the visiting Faculty Chair for the Department of Energy (DOE) at National Defense University and the DOE Senior Advisor for National Cybersecurity Policy and Programs, and has had previous stops in the U.S. Army Reserves, NORAD and U.S. European Command, just to name a few. At National Defense University, Amy draws on all of this expertise to educate the workforce on AI and finding the right balance between automation and workforce training. Amy also explores how she teaches her students that cybersecurity has to be more than a 9-5 job, the balance of security vs. convenience, and how it will take the entire country getting on board to make the implementation of cybersecurity best practices truly possible. 
In this episode, we also dive into the realm of operational technology and the need to look to zero trust as we allow more smart devices into our lives and government ecosystems.Key Topics00:00 Importance of training, education and AI integration.06:52 Cybersecurity, AI and building codes challenges.09:47 Nuclear facilities need caution, open labs innovative.11:58 Helping students understand federal government and cybertech.15:37 Cyber college compared to traditional university programs.17:18 National Defense University offers master's degree programs.22:06 Addressing the urgent need to combat intellectual property theft.24:32 Passionate plea for cybersecurity vigilance and dedication.26:40 Using automation to streamline cybersecurity operations and training.32:06 Policy person struggles to tie guidance together.33:02 Collaboration is needed for addressing industry issues.38:25 Rethink security for devices in smart tech.41:16 Choosing sustainability as a guiding principle.43:22 Overcome writing and presenting challenges for success.Leveraging AI and Automation for Cyber InnovationEmphasizing Efficiency in the Generation of AbstractsDr. Amy Hamilton underlines the capabilities of artificial intelligence to streamline time-consuming processes, specifically the creation of abstracts. This innovation allows for a transition from mundane, repetitive tasks to pursuits that require a deeper cognitive investment. Therefore, elevating the nature of the workforce's endeavors. Dr. Hamilton's discussion focuses on the practical applications of this technology, and she cites an instance from the National Defense University's annual Cyber Beacon Conference. Here, participants were challenged to distinguish between AI-generated and human-generated abstracts, often finding it challenging to tell them apart. 
This exercise not only highlighted AI's proficiency but also introduced the workforce to the safe and practical application of this emergent technology.How do we use AI in a way that goes from low-value to high-value work? If I'm not doing abstract, what other things could I be doing and spending my brain calories towards? - Dr. Amy HamiltonPreparing the Workforce for Cyber InnovationDr. Hamilton stresses the necessity for workforce education in the context of AI and automation. Aiming for a future where employees are neither intimidated by nor unfamiliar with the advancing technological landscape. She illustrates the Department of Energy's proactive role in integrating AI into its training programs. Thus, ensuring that employees are well-acquainted with both the operational and potential ethical dimensions of AI deployment. Acknowledging the diverse range of operations within the DOE, including nuclear and environmental management, Dr. Hamilton notes that the appropriateness of AI application varies by context. Signifying the department's nuanced approach to the introduction of these technologies. Through education and exposure to use cases within a controlled environment, Dr. Hamilton envisions a workforce that is not only comfortable with AI but can also leverage it to enhance productivity and safety in their respective fields.Cyber Innovation and Collaboration in Government EnvironmentsDr. Hamilton's Role at National Defense UniversityAmy serves as a crucial beacon for educating Department of Defense personnel on comprehensive government functions. With a focus on the distinct agencies and their interaction within the broader governmental ecosystem, she acts as a conduit, clarifying for her students the intricate dance of interagency collaboration. Grants of knowledge on how certain branches, like the Treasury, interact during cyber events. 
Or the functions of varied components within the agency, serve to demystify the convoluted nature of interdepartmental cooperation. Her teaching elevates students' comprehension of the interconnected roles and responsibilities that propel our government forward.Environment for Cyber InnovationAt National Defense University, there's a particular distinction made between no-tolerance environments. Such as nuclear facilities, where repetitiveness and extreme scrutiny are valued over experimentation and open science labs that thrive on creativity and incessant innovation. Dr. Amy Hamilton underlines this dichotomy. She established the need for both the rigid reliability of technology in some contexts and the unabated exploration for new horizons in others. These contrasting settings ensure the Department of Energy's multifaceted missions are maneuvered through a lens of both caution and curiosity. Across a breadth of projects from the highly sensitive to the openly experimental.Attracting Talent to Federal GovernmentThe College of Information in Cyberspace, where Amy engages with the bright minds of the defense community, presents an academic path tailored for mid to senior career professionals. With a suite of master's degrees and certificate programs, the college not only imparts education but also fosters an ecosystem ripe for nurturing government leaders of the future. Despite the widespread perception of financial hurdles within government roles compared to private sectors, Dr. Hamilton articulates a potent alternative allure. The mission-driven nature of public service. This inherent value proposition attracts those who yearn to contribute to a greater cause beyond monetary gain, ensuring a continual influx of devotion and expertise within federal ranks.So I think there's a huge amount of value of what flexibility of recognizing industry experience in cybersecurity can be very, very useful. 
But I also think, like, how do we attract people in the federal government when we don't have that kind of financial ability to reward? And I think it's reward by mission. - Dr. Amy HamiltonFostering Diversity and Cyber InnovationCyber Outreach and Advocating DiversityDr. Hamilton touches on the vital role of cyber outreach and advocating for diversity in the field of cybersecurity. She brings up Kennedy Taylor, who is making strides as Miss Maryland by combining her cyber expertise with her platform in beauty pageantry. She engages and educates young people, especially girls, about the significance of cybersecurity. Amy highlights the potential of such outreach efforts to challenge and change the stereotypes associated with cybersecurity professionals. By leveraging the influence of figures like Miss Maryland, there's an opportunity to inspire a diverse new generation of cybersecurity experts who can bring fresh perspectives to tackling the industry's challenges.The Need for Cyber InnovationThroughout the discussion, Dr. Amy Hamilton stresses the increased frequency and severity of cybersecurity threats that have surfaced recently. Acknowledging that the traditional cybersecurity models are faltering under these new strains. She calls for innovative thinking and proactive measures to be adopted. Amy notes that measures used in the past, such as security through obscurity, no longer suffice due to the complex and interconnected nature of modern technology. This new reality requires the cybersecurity sector to evolve and embrace zero-trust principles among other modern strategies to safeguard against the continually evolving threat landscape.How do we correct, just swiftly get around to being able to apply those patches and things that we need to do? And we have to get better out of it because our adversaries are. Our adversaries were taking advantage of this every single day. - Dr. 
Amy HamiltonAddressing Risk Aversion in CybersecurityIn discussing the inherent risk-aversion in human nature, Dr. Hamilton points out that despite this tendency, convenience often trumps caution, leading to increased vulnerabilities. She suggests that the answer is not to shy away from innovation for fear of risks, but rather utilize it to enhance the safety and functionality of technological systems. Dr. Hamilton also highlights the crucial role that industry partnerships play in this context, suggesting that collaboration between government and private sectors is essential in developing effective and robust cybersecurity defenses. By working together, these entities can find the balance between convenience and security, ensuring a safer digital environment for all users.Challenges in Implementing Cyber InnovationImportance of User Experience in Cyber InnovationDr. Amy Hamilton brings attention to the crucial role that user experience plays when incorporating automation into the workforce. She contrasts the tedious and often frustrating nature of conventional cybersecurity practices, such as manually sifting through logs, with the potential ease automation can provide. Amy uses the example of e-commerce, where users intuitively navigate online shopping without the need for training to illustrate her point that intuitive design is key to user acceptance of automated systems. By adopting user-friendly automation, employees' tasks can be streamlined allowing them to focus on more complex and engaging aspects of their work.And so I think that we need to really realize that user experience is important. - Dr. Amy Hamilton AI and Automation in Everyday LifeReflecting on her experience with AI in website design, Amy describes the simplicity and efficiency brought by AI-assisted tools that automatically generate content based on keywords. Thus eliminating the need for extensive technical knowledge in web development. 
This underscores the tangible benefits of automation for individuals without a background in coding. Moreover, Amy emphasizes the societal shift toward greater reliance on automated systems by referencing Disney World as a model of successful automation integration. The theme park's seamless integration of automated booking systems, fast passes and reservations highlight how well-designed automation can augment the customer experience and efficiency in large-scale operations.Partnerships in Cyber InnovationThe dialogue shifts toward the collaborative effort required to tackle cybersecurity breaches. Dr. Hamilton mentioned the expansive SolarWinds incident as a key example where AI and automation have a role to play. Amy underscores the significance of industry partnerships and a unified national approach for enhancing cybersecurity. The incident illustrates that automated tools and AI are not only about convenience, they are instrumental in swiftly identifying and rectifying vulnerabilities in complex digital systems. By automating these processes, agencies can respond more effectively to cybersecurity threats, underscoring the need for automation that complements and enhances human efforts in maintaining security.Educational TechnologiesAmy advocates for the use of educational tools like Khan Academy, which can benefit children by offering a controlled environment for learning. She stresses the importance of early cybersecurity awareness, suggesting that exposure to best practices should align with the first use of digital devices. This early introduction to cybersecurity principles, aided by educational technologies, is vital in preparing the next generation to navigate the expanding digital frontier securely. 
Automation in education, therefore, serves a dual purpose, streamlining the learning process while simultaneously fostering a culture of digital safety awareness from a young age.Executive Orders and Collaboration for Cyber InnovationThe Administration's Challenges in Artificial Intelligence RegulationDr. Amy Hamilton discusses the executive order on artificial intelligence. She acknowledged the inherent challenges of being a government pioneer in regulating groundbreaking technology. She compares the order to earlier attempts at cybersecurity regulation and the long-standing effects those have on policy today. Dr. Hamilton predicts that in hindsight, we may perceive today's orders as early steps in an evolving landscape. Given her past experience at the OMB executive office of the president, she understands the complexity of crafting policy that will need to adapt as technology progresses.Collaborative Efforts for Cybersecurity Workforce DevelopmentDr. Amy Hamilton underlines the need for collaborative synergy between government and industry to foster a robust cybersecurity workforce. With growing intellectual property theft, especially from China, she stresses that safeguarding proprietary information is not just an industry burden but also a national and allied concern. Dr. Hamilton points out that partnerships with non-profit organizations play a vital role in shaping a national response to cybersecurity challenges. Such alliances are vital for maintaining cybersecurity and counteracting espionage activities that impact not only the US but also its international partners.Public Awareness and Cybersecurity BreachesCarolyn and Dr. Amy Hamilton echo a mutual frustration over the general public's lack of awareness regarding cybersecurity threats. They underscore the gravity of cybersecurity breaches and the espionage activities that target nations' security and economic well-being. Dr. 
Hamilton uses historical incidents to illustrate the ongoing battle against cyber threats and the need for heightened public consciousness. The discussion implies that bolstering public awareness and concern is pivotal in the collective effort to enhance national cybersecurity.About Our GuestAmy S. Hamilton, Ph.D. is the Department of Energy Senior Advisor for National Cybersecurity Policy and Programs. Additionally, she is the Visiting Faculty Chair for the Department of Energy at National Defense University. She served two years as a senior cyber security policy analyst at the Office of Management and Budget, Executive Office of the President. She served in the Michigan Army National Guard as a communications specialist and was commissioned into the U.S. Army Officer Signal Corp, serving on Active Duty and later the U.S. Army Reserves. She has worked at both the U.S. European Command and the U.S. Northern Command & North American Aerospace Defense Command (NORAD) on multiple communications and IT projects. She became a certified Project Management Professional through the Project Management Institute in 2007 and earned her Certified Information Security Manager certification in 2011. And she presented “The Secret to Life from a PMP” at TEDxStuttgart in September 2016. She taught Project Management Tools at Colorado Technical University and was a facilitator for the Master’s Degree Program in Project Management for Boston University. She is an award-winning public speaker and has presented in over twenty countries on overcoming adversity, reaching your dreams, cybersecurity, and project management. Dr. 
Hamilton holds a Bachelor of Science (BS) in Geography from Eastern Michigan University, a Master of Science (MS) in Urban Studies from Georgia State University, Master in Computer Science (MSc) from the University of Liverpool, Master Certificate in Project Management (PM) and Chief Information Officer (CIO) from the National Defense University, and completed the U.S. Air University, Air War College. She completed her Doctor of Philosophy (PhD) at Regent University in its Organizational Leadership Program with a dissertation on “Unexpected Virtual Leadership: The Lived Experience of U.S. Government IT and Cybersecurity Leaders transitioning from physical to virtual space for COVID-19.” Amy’s motto is: “A woman who is passionate about project management, public speaking, and shoes.”Episode LinksWhite House Executive Order on AIThe Cuckoo’s EggM-23-22 Executive Order","content_html":"

The real question is, what doesn’t Dr. Amy Hamilton do? She’s currently the visiting Faculty Chair for the Department of Energy (DOE) at National Defense University and the DOE Senior Advisor for National Cybersecurity Policy and Programs, and has had previous stops in the U.S. Army Reserves, NORAD and U.S. European Command, just to name a few.

At National Defense University, Amy draws on all of this expertise to educate the workforce on AI and finding the right balance between automation and workforce training. Amy also explores how she teaches her students that cybersecurity has to be more than a 9-5 job, the balance of security vs. convenience, and how it will take the entire country getting on board to make the implementation of cybersecurity best practices truly possible. In this episode, we also dive into the realm of operational technology and the need to look to zero trust as we allow more smart devices into our lives and government ecosystems.

Key Topics


Leveraging AI and Automation for Cyber Innovation

Emphasizing Efficiency in the Generation of Abstracts

Dr. Amy Hamilton underlines the capabilities of artificial intelligence to streamline time-consuming processes, specifically the creation of abstracts. This innovation allows for a transition from mundane, repetitive tasks to pursuits that require a deeper cognitive investment, thereby elevating the nature of the workforce's endeavors. Dr. Hamilton's discussion focuses on the practical applications of this technology, and she cites an instance from the National Defense University's annual Cyber Beacon Conference. There, participants were challenged to distinguish between AI-generated and human-generated abstracts and often found it hard to tell them apart. This exercise not only highlighted AI's proficiency but also introduced the workforce to the safe and practical application of this emergent technology.

How do we use AI in a way that goes from low-value to high-value work? If I'm not doing abstract, what other things could I be doing and spending my brain calories towards? - Dr. Amy Hamilton

Preparing the Workforce for Cyber Innovation

Dr. Hamilton stresses the necessity for workforce education in the context of AI and automation, aiming for a future where employees are neither intimidated by nor unfamiliar with the advancing technological landscape. She illustrates the Department of Energy's proactive role in integrating AI into its training programs, thus ensuring that employees are well-acquainted with both the operational and potential ethical dimensions of AI deployment. Acknowledging the diverse range of operations within the DOE, including nuclear and environmental management, Dr. Hamilton notes that the appropriateness of AI application varies by context, which signifies the department's nuanced approach to the introduction of these technologies. Through education and exposure to use cases within a controlled environment, Dr. Hamilton envisions a workforce that is not only comfortable with AI but can also leverage it to enhance productivity and safety in their respective fields.

Cyber Innovation and Collaboration in Government Environments

Dr. Hamilton's Role at National Defense University

Amy serves as a crucial beacon for educating Department of Defense personnel on comprehensive government functions. With a focus on the distinct agencies and their interaction within the broader governmental ecosystem, she acts as a conduit, clarifying for her students the intricate dance of interagency collaboration. Her insights into how certain branches, like the Treasury, interact during cyber events, or into the functions of varied components within an agency, serve to demystify the convoluted nature of interdepartmental cooperation. Her teaching elevates students' comprehension of the interconnected roles and responsibilities that propel our government forward.

Environment for Cyber Innovation

At National Defense University, a particular distinction is made between no-tolerance environments, such as nuclear facilities, where repetitiveness and extreme scrutiny are valued over experimentation, and open science labs that thrive on creativity and incessant innovation. Dr. Amy Hamilton underlines this dichotomy. She establishes the need for both the rigid reliability of technology in some contexts and the unabated exploration of new horizons in others. These contrasting settings ensure the Department of Energy's multifaceted missions are approached through a lens of both caution and curiosity, across a breadth of projects from the highly sensitive to the openly experimental.

Attracting Talent to Federal Government

The College of Information in Cyberspace, where Amy engages with the bright minds of the defense community, presents an academic path tailored for mid to senior career professionals. With a suite of master's degrees and certificate programs, the college not only imparts education but also fosters an ecosystem ripe for nurturing government leaders of the future. Despite the widespread perception of financial hurdles within government roles compared to the private sector, Dr. Hamilton articulates a potent alternative allure: the mission-driven nature of public service. This inherent value proposition attracts those who yearn to contribute to a greater cause beyond monetary gain, ensuring a continual influx of devotion and expertise within federal ranks.

So I think there's a huge amount of value of what flexibility of recognizing industry experience in cybersecurity can be very, very useful. But I also think, like, how do we attract people in the federal government when we don't have that kind of financial ability to reward? And I think it's reward by mission. - Dr. Amy Hamilton

Fostering Diversity and Cyber Innovation

Cyber Outreach and Advocating Diversity

Dr. Hamilton touches on the vital role of cyber outreach and advocating for diversity in the field of cybersecurity. She brings up Kennedy Taylor, who is making strides as Miss Maryland by combining her cyber expertise with her platform in beauty pageantry. She engages and educates young people, especially girls, about the significance of cybersecurity. Amy highlights the potential of such outreach efforts to challenge and change the stereotypes associated with cybersecurity professionals. By leveraging the influence of figures like Miss Maryland, there's an opportunity to inspire a diverse new generation of cybersecurity experts who can bring fresh perspectives to tackling the industry's challenges.

The Need for Cyber Innovation

Throughout the discussion, Dr. Amy Hamilton stresses the increased frequency and severity of cybersecurity threats that have surfaced recently. Acknowledging that the traditional cybersecurity models are faltering under these new strains, she calls for innovative thinking and proactive measures to be adopted. Amy notes that measures used in the past, such as security through obscurity, no longer suffice due to the complex and interconnected nature of modern technology. This new reality requires the cybersecurity sector to evolve and embrace zero-trust principles, among other modern strategies, to safeguard against the continually evolving threat landscape.

How do we correct, just swiftly get around to being able to apply those patches and things that we need to do? And we have to get better out of it because our adversaries are. Our adversaries were taking advantage of this every single day. - Dr. Amy Hamilton

Addressing Risk Aversion in Cybersecurity

In discussing the inherent risk aversion in human nature, Dr. Hamilton points out that despite this tendency, convenience often trumps caution, leading to increased vulnerabilities. She suggests that the answer is not to shy away from innovation for fear of risks, but rather to use it to enhance the safety and functionality of technological systems. Dr. Hamilton also highlights the crucial role that industry partnerships play in this context, suggesting that collaboration between government and the private sector is essential in developing effective and robust cybersecurity defenses. By working together, these entities can find the balance between convenience and security, ensuring a safer digital environment for all users.

Challenges in Implementing Cyber Innovation

Importance of User Experience in Cyber Innovation

Dr. Amy Hamilton brings attention to the crucial role that user experience plays when incorporating automation into the workforce. She contrasts the tedious and often frustrating nature of conventional cybersecurity practices, such as manually sifting through logs, with the potential ease automation can provide. Amy uses the example of e-commerce, where users intuitively navigate online shopping without the need for training, to illustrate her point that intuitive design is key to user acceptance of automated systems. By adopting user-friendly automation, employees' tasks can be streamlined, allowing them to focus on more complex and engaging aspects of their work.

And so I think that we need to really realize that user experience is important. - Dr. Amy Hamilton

AI and Automation in Everyday Life

Reflecting on her experience with AI in website design, Amy describes the simplicity and efficiency brought by AI-assisted tools that automatically generate content based on keywords, eliminating the need for extensive technical knowledge in web development. This underscores the tangible benefits of automation for individuals without a background in coding. Moreover, Amy emphasizes the societal shift toward greater reliance on automated systems by referencing Disney World as a model of successful automation integration. The theme park's seamless integration of automated booking systems, fast passes and reservations highlights how well-designed automation can augment the customer experience and efficiency in large-scale operations.

Partnerships in Cyber Innovation

The dialogue shifts toward the collaborative effort required to tackle cybersecurity breaches. Dr. Hamilton mentions the expansive SolarWinds incident as a key example where AI and automation have a role to play. Amy underscores the significance of industry partnerships and a unified national approach for enhancing cybersecurity. The incident illustrates that automated tools and AI are not only about convenience; they are instrumental in swiftly identifying and rectifying vulnerabilities in complex digital systems. By automating these processes, agencies can respond more effectively to cybersecurity threats, underscoring the need for automation that complements and enhances human efforts in maintaining security.

Educational Technologies

Amy advocates for the use of educational tools like Khan Academy, which can benefit children by offering a controlled environment for learning. She stresses the importance of early cybersecurity awareness, suggesting that exposure to best practices should align with the first use of digital devices. This early introduction to cybersecurity principles, aided by educational technologies, is vital in preparing the next generation to navigate the expanding digital frontier securely. Automation in education, therefore, serves a dual purpose, streamlining the learning process while simultaneously fostering a culture of digital safety awareness from a young age.

Executive Orders and Collaboration for Cyber Innovation

The Administration's Challenges in Artificial Intelligence Regulation

Dr. Amy Hamilton discusses the executive order on artificial intelligence. She acknowledges the inherent challenges of being a government pioneer in regulating groundbreaking technology. She compares the order to earlier attempts at cybersecurity regulation and the long-standing effects those have on policy today. Dr. Hamilton predicts that in hindsight, we may perceive today's orders as early steps in an evolving landscape. Given her past experience at the Office of Management and Budget, Executive Office of the President, she understands the complexity of crafting policy that will need to adapt as technology progresses.

Collaborative Efforts for Cybersecurity Workforce Development

Dr. Amy Hamilton underlines the need for collaborative synergy between government and industry to foster a robust cybersecurity workforce. With growing intellectual property theft, especially from China, she stresses that safeguarding proprietary information is not just an industry burden but also a national and allied concern. Dr. Hamilton points out that partnerships with non-profit organizations play a vital role in shaping a national response to cybersecurity challenges. Such alliances are vital for maintaining cybersecurity and counteracting espionage activities that impact not only the US but also its international partners.

Public Awareness and Cybersecurity Breaches

Carolyn and Dr. Amy Hamilton echo a mutual frustration over the general public's lack of awareness regarding cybersecurity threats. They underscore the gravity of cybersecurity breaches and the espionage activities that target nations' security and economic well-being. Dr. Hamilton uses historical incidents to illustrate the ongoing battle against cyber threats and the need for heightened public consciousness. The discussion implies that bolstering public awareness and concern is pivotal in the collective effort to enhance national cybersecurity.

About Our Guest

Amy S. Hamilton, Ph.D. is the Department of Energy Senior Advisor for National Cybersecurity Policy and Programs. Additionally, she is the Visiting Faculty Chair for the Department of Energy at National Defense University. She served two years as a senior cyber security policy analyst at the Office of Management and Budget, Executive Office of the President. She served in the Michigan Army National Guard as a communications specialist and was commissioned into the U.S. Army Officer Signal Corps, serving on Active Duty and later the U.S. Army Reserves. She has worked at both the U.S. European Command and the U.S. Northern Command & North American Aerospace Defense Command (NORAD) on multiple communications and IT projects.

She became a certified Project Management Professional through the Project Management Institute in 2007 and earned her Certified Information Security Manager certification in 2011. And she presented “The Secret to Life from a PMP” at TEDxStuttgart in September 2016. She taught Project Management Tools at Colorado Technical University and was a facilitator for the Master’s Degree Program in Project Management for Boston University. She is an award-winning public speaker and has presented in over twenty countries on overcoming adversity, reaching your dreams, cybersecurity, and project management.

Dr. Hamilton holds a Bachelor of Science (BS) in Geography from Eastern Michigan University, a Master of Science (MS) in Urban Studies from Georgia State University, Master in Computer Science (MSc) from the University of Liverpool, Master Certificate in Project Management (PM) and Chief Information Officer (CIO) from the National Defense University, and completed the U.S. Air University, Air War College. She completed her Doctor of Philosophy (PhD) at Regent University in its Organizational Leadership Program with a dissertation on “Unexpected Virtual Leadership: The Lived Experience of U.S. Government IT and Cybersecurity Leaders transitioning from physical to virtual space for COVID-19.” Amy’s motto is: “A woman who is passionate about project management, public speaking, and shoes.”

Episode Links


","summary":null,"date_published":"2024-01-31T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/7052b357-2a0a-4068-b88c-709ffb0a69a0.mp3","mime_type":"audio/mpeg","size_in_bytes":65028846,"duration_in_seconds":2708}]},{"id":"f5df3925-2bb2-45c1-96dd-586f3c8e4173","title":"Episode 79: Earned Trust: Reimagining Data Security in the Zero Trust Era with JR Williamson","url":"https://techtransforms.fireside.fm/79","content_text":"Have you heard? Data is the new oil. JR Williamson, Senior Vice President and Chief Information Security Officer at Leidos, is here to explain where data’s value comes from, the data lifecycle and why it is essential for organizations to understand both of those things in order to protect this valuable resource. Join us as JR breaks it all down and also explores the concept he dubbed “risktasity,” which he uses to describe the elasticity of rigor based on risk. As he says, “when risk is high, rigor should be high, but when risk is low, rigor should be low.”Key Topics00:00 Migration to the cloud has increased vulnerability.04:50 People want decentralized work, including mobile access.08:14 Shift from application to democratizing access to data.10:53 Identify, protect, and manage sensitive corporate information.13:49 Data life cycle: creation, management, access, evolution.20:10 Computers augmenting humans, making good decisions, insights.23:19 The importance of data in gaining advantage.27:04 Adapting to AI to anticipate and prevent breaches.28:51 Adoption of large language models in technology.33:03 Identity and access management extends beyond authentication.36:33 Leveraging strengths, improving weaknesses in tennis strategy.Tracing the Cybersecurity Evolution and Data's AscendancyEvolution of CybersecurityJR provided a snapshot into the past, comparing cybersecurity practices from the 1990s to what we see today. 
With 37 years of experience, he recalled a time when IT systems were centralized and the attack surfaces were significantly smaller. Contrasting this with the present scenario, he spoke about the current state where the migration to cloud services has expanded the attack surface. JR noted an increase in the complexity of cyber threats due to the widespread distribution of networks and the need for anytime-anywhere access to data. He stressed the transition from a focus on network security to a data-centric approach, where protecting data wherever it resides has become a paramount concern.\n\nData Life Cycle: \"So part of understanding, the data itself is the data's life cycle. How does it get created? And how does it get managed? How does it evolve? What is its life cycle cradle to grave? Who needs access to it? And when they need access to it, where do they need access to it? It's part of its evolution. Does it get transformed? And sometimes back to the risktasity model, the data may enter the content life cycle here at some level. But then over its evolution may raise, up higher.\" — JR Williamson\n\nThe New Oil: Data\n\nIn the world JR navigates, data is akin to oil: a resource that, when refined, can power decisions and create strategic advantages. He passionately elucidated the essence of data, not just as standalone bits and bytes, but as a precursor to insights that drive informed decisions. Addressing the comparison between data and oil, JR stressed that the real value emerges from what the data is transformed into: actionable insights for decision-making. Whether it's about responding with agility in competitive marketplaces or in the context of national defense, delivering insights at an unmatched speed is where significant triumphs are secured.\n\nImportance of Data Security\n\nJR Williamson on Data and \"Risktasity\"\n\nJR Williamson stresses the heightened necessity of enforcing security measures that accompany data wherever it resides. 
As the IT landscape has evolved, the focus has broadened from a traditional, perimeter-based security approach towards more data-centric strategies. He articulates the complexity that comes with managing and safeguarding data in a dispersed environment, where data no longer resides within the confines of a controlled network but spans a myriad of locations, endpoints and even devices. This shift has rendered traditional security models somewhat obsolete, necessitating a more nuanced approach that can adapt to the dynamic nature of data.\n\nThe Value of Data in Decision-Making: \"The data in and of itself is really not that valuable. Just like oil in and of itself is not that valuable. But what that oil can be transformed into is what's really important, and that's really the concept.\" — JR Williamson\n\nData Security Experiences\n\nBoth Mark and Carolyn resonate with JR's insights, drawing parallels to their own experiences in cybersecurity. Mark appreciates the straightforwardness of JR’s \"risktasity\" model, which advocates for proportional security measures based on the evaluated risk. This principle challenges the one-size-fits-all approach to cybersecurity, fostering a more tailored and efficient allocation of resources. Carolyn, in turn, connects to the conversation with her history of grappling with the intricacies of data classification and control. She acknowledges the tactical significance of understanding which data warrants more stringent protection, along with the operational adjustments required to uphold security while enabling access and utility.\n\nData Governance and Security Strategies\n\nUnderstanding Data Security and Lifecycle\n\nJR emphasizes the importance of understanding the data's lifecycle, acknowledging that comprehensive knowledge about how data is created, managed and ultimately disposed of is a cornerstone of effective cybersecurity. 
This involves not only recognizing the data's trajectory but also identifying who needs access to it, under what conditions, and how it may evolve or be transformed throughout its lifecycle. By establishing such a deep understanding, JR suggests that it becomes possible to design governance systems that are not only effective in theory, but also practical and integrated into the daily operations of an organization.\n\nStrategy and Organizational Support\n\nTransitioning from a theoretical framework to practical execution, JR discusses the necessity of an effective data protection model that can operationalize the overarching strategy. To accomplish this, an organization must develop a structure that aligns with and supports the strategic objectives. JR identifies that existing structures often serve as the most significant barriers when agencies work on implementing new cybersecurity strategies. Organizations must be prepared to confront and renovate legacy systems and management frameworks. This is a challenge that became increasingly evident as organizations rapidly shifted to cloud services to accommodate remote work during the pandemic.\n\nInsights from Data Security and AI Impact\n\nTransformation of Data into Actionable Insights\n\nLike oil, data's true value isn't in its raw form; it is in the conversion process, which transforms it into insights for decision-making. JR reflects on the progression of data turning into information, which then evolves into knowledge, culminating in actionable insights. Just as the versatility of oil lies in its ability to be refined into various fuels and materials, the potential of data is unlocked when it is analyzed and distilled into insights that inform crucial decisions. JR emphasizes that the effectiveness of insights hinges not just on accuracy but also on understanding the context in which these insights are applied. He suggests that these refined insights are close to competitive advantages. 
They enable quicker and more informed decision-making in mission-critical environments.\n\nThe Importance of Data Insight in Business: \"Getting the insight in and of itself is important. But combining that insight with understanding of the problem we're trying to solve is really where the competitive advantage comes into play.\" — JR Williamson\n\nAI's Speed Impact on Cybersecurity and Defense\n\nJR expresses apprehension regarding artificial intelligence's acceleration and its implications for cybersecurity and defense. This unease stems from AI's capability to operate at a pace vastly superior to human capacity. Such rapid capabilities could lead to a perpetual struggle for cybersecurity professionals, who are tasked with defending against AI-driven attacks that continually outpace their responses. For organizations to not only protect themselves but also remain competitive, JR advocates for the adoption of similar AI technologies. By leveraging advanced tools, organizations can preemptively identify vulnerabilities and secure them before they are exploited by adversaries. He alludes to an emerging arms race in cybersecurity, driven by AI advancements that necessitate a proactive rather than reactive approach to digital threats.\n\nShifting Mindset in Data Security and Zero Trust Architecture\n\nBroader Perspective on Defensive Data Security\n\nCarolyn and Mark, touching on the complexities of cybersecurity, speculate about a potential paradigm shift. Rather than focusing solely on prevention, they wonder if the strategy might pivot towards containment and control once threats are within the system. JR agrees that in today's vast and interconnected digital environment, absolute prevention is increasingly challenging. Though cybersecurity has traditionally been likened to reinforcing a castle's walls, JR argues that due to the dispersed nature of modern networks and cloud computing, this approach is becoming outdated. 
Instead, organizations need to be agile and resilient, with security measures embedded within the data and applications themselves, ensuring they can quickly detect, mitigate and recover from breaches.\n\nDissecting the Concept of Zero Trust Architecture\n\nJR expresses discontent with the term \"zero trust\" due to its implications of offering no trust whatsoever, which would stifle any exchange of information. He advocates for the terms \"earned trust\" or \"managed trust\" to more aptly describe the nuanced relationship between users and the systems they interact with. Security architecture, JR illustrates, should not rely solely on verifying users' identities; it also has to account for the integrity and security posture of the devices and locations being used to access the data. By meticulously understanding which data are most sensitive and their lifecycles, organizations can ensure that access controls are rigorously applied where necessary, based on the type of data, the user's context and the access environment. This nuanced approach is fundamental in constructing a robust and adaptive zero trust architecture that evolves along with the organizational ecosystem.\n\nAbout Our Guests\n\nJR Williamson is accountable for information security strategy, business enablement, governance, risk, cybersecurity operations and classified IT at Leidos. JR is a CISSP and Six Sigma Black Belt. He serves on the Microsoft CSO Council, the Security 50, the Gartner Advisory Board, the Executive Security Action Forum Program Committee, and the DIB Sector Coordinating Council. He is also part of the WashingtonExec CISOs, the Evanta CISO Council, the National Security Agency Enduring Security Framework team, and is the Chairman of the Board of the Internet Security Alliance.\n\nEpisode Links\n\nJR Williamson’s LinkedIn\nThe Billington Cybersecurity Summit\nThe Expanse Dune: Part 2 ","content_html":"

Have you heard? Data is the new oil. JR Williamson, Senior Vice President and Chief Information Security Officer at Leidos, is here to explain where data’s value comes from, the data lifecycle and why it is essential for organizations to understand both of those things in order to protect this valuable resource. Join us as JR breaks it all down and also explores the concept he dubbed “risktasity,” which he uses to describe the elasticity of rigor based on risk. As he says, “when risk is high, rigor should be high, but when risk is low, rigor should be low.”

Key Topics


Tracing the Cybersecurity Evolution and Data's Ascendancy

Evolution of Cybersecurity

JR provided a snapshot into the past, comparing cybersecurity practices from the 1990s to what we see today. With 37 years of experience, he recalled a time when IT systems were centralized and the attack surfaces were significantly smaller. Contrasting this with the present scenario, he spoke about the current state where the migration to cloud services has expanded the attack surface. JR noted an increase in the complexity of cyber threats due to the widespread distribution of networks and the need for anytime-anywhere access to data. He stressed the transition from a focus on network security to a data-centric approach, where protecting data wherever it resides has become a paramount concern.

Data Life Cycle: "So part of understanding, the data itself is the data's life cycle. How does it get created? And how does it get managed? How does it evolve? What is its life cycle cradle to grave? Who needs access to it? And when they need access to it, where do they need access to it? It's part of its evolution. Does it get transformed? And sometimes back to the risktasity model, the data may enter the content life cycle here at some level. But then over its evolution may raise, up higher." — JR Williamson

The New Oil: Data

In the world JR navigates, data is akin to oil: a resource that, when refined, can power decisions and create strategic advantages. He passionately elucidated the essence of data, not just as standalone bits and bytes, but as a precursor to insights that drive informed decisions. Addressing the comparison between data and oil, JR stressed that the real value emerges from what the data is transformed into: actionable insights for decision-making. Whether it's about responding with agility in competitive marketplaces or in the context of national defense, delivering insights at an unmatched speed is where significant triumphs are secured.

Importance of Data Security

JR Williamson on Data and "Risktasity"

JR Williamson stresses the heightened necessity of enforcing security measures that accompany data wherever it resides. As the IT landscape has evolved, the focus has broadened from a traditional, perimeter-based security approach towards more data-centric strategies. He articulates the complexity that comes with managing and safeguarding data in a dispersed environment, where data no longer resides within the confines of a controlled network but spans a myriad of locations, endpoints and even devices. This shift has rendered traditional security models somewhat obsolete, necessitating a more nuanced approach that can adapt to the dynamic nature of data.

The Value of Data in Decision-Making: "The data in and of itself is really not that valuable. Just like oil in and of itself is not that valuable. But what that oil can be transformed into is what's really important, and that's really the concept." — JR Williamson

Data Security Experiences

Both Mark and Carolyn resonate with JR's insights, drawing parallels to their own experiences in cybersecurity. Mark appreciates the straightforwardness of JR’s "risktasity" model, which advocates for proportional security measures based on the evaluated risk. This principle challenges the one-size-fits-all approach to cybersecurity, fostering a more tailored and efficient allocation of resources. Carolyn, in turn, connects to the conversation with her history of grappling with the intricacies of data classification and control. She acknowledges the tactical significance of understanding which data warrants more stringent protection, along with the operational adjustments required to uphold security while enabling access and utility.

Data Governance and Security Strategies

Understanding Data Security and Lifecycle

JR emphasizes the importance of understanding the data's lifecycle, acknowledging that comprehensive knowledge about how data is created, managed and ultimately disposed of is a cornerstone of effective cybersecurity. This involves not only recognizing the data's trajectory but also identifying who needs access to it, under what conditions, and how it may evolve or be transformed throughout its lifecycle. By establishing such a deep understanding, JR suggests that it becomes possible to design governance systems that are not only effective in theory, but also practical and integrated into the daily operations of an organization.

Strategy and Organizational Support

Transitioning from a theoretical framework to practical execution, JR discusses the necessity of an effective data protection model that can operationalize the overarching strategy. To accomplish this, an organization must develop a structure that aligns with and supports the strategic objectives. JR identifies that existing structures often serve as the most significant barriers when agencies work on implementing new cybersecurity strategies. Organizations must be prepared to confront and renovate legacy systems and management frameworks. This is a challenge that became increasingly evident as organizations rapidly shifted to cloud services to accommodate remote work during the pandemic.

Insights from Data Security and AI Impact

Transformation of Data into Actionable Insights

Like oil, data's true value isn't in its raw form; it is in the conversion process, which transforms it into insights for decision-making. JR reflects on the progression of data turning into information, which then evolves into knowledge, culminating in actionable insights. Just as the versatility of oil lies in its ability to be refined into various fuels and materials, the potential of data is unlocked when it is analyzed and distilled into insights that inform crucial decisions. JR emphasizes that the effectiveness of insights hinges not just on accuracy but also on understanding the context in which these insights are applied. He suggests that these refined insights are close to competitive advantages. They enable quicker and more informed decision-making in mission-critical environments.

The Importance of Data Insight in Business: "Getting the insight in and of itself is important. But combining that insight with understanding of the problem we're trying to solve is really where the competitive advantage comes into play." — JR Williamson

AI's Speed Impact on Cybersecurity and Defense

JR expresses apprehension regarding artificial intelligence's acceleration and its implications for cybersecurity and defense. This unease stems from AI's capability to operate at a pace vastly superior to human capacity. Such rapid capabilities could lead to a perpetual struggle for cybersecurity professionals, who are tasked with defending against AI-driven attacks that continually outpace their responses. For organizations to not only protect themselves but also remain competitive, JR advocates for the adoption of similar AI technologies. By leveraging advanced tools, organizations can preemptively identify vulnerabilities and secure them before they are exploited by adversaries. He alludes to an emerging arms race in cybersecurity, driven by AI advancements that necessitate a proactive rather than reactive approach to digital threats.

Shifting Mindset in Data Security and Zero Trust Architecture

Broader Perspective on Defensive Data Security

Carolyn and Mark, touching on the complexities of cybersecurity, speculate about a potential paradigm shift. Rather than focusing solely on prevention, they wonder if the strategy might pivot towards containment and control once threats are within the system. JR agrees that in today's vast and interconnected digital environment, absolute prevention is increasingly challenging. Though cybersecurity has traditionally been likened to reinforcing a castle's walls, JR argues that due to the dispersed nature of modern networks and cloud computing, this approach is becoming outdated. Instead, organizations need to be agile and resilient, with security measures embedded within the data and applications themselves, ensuring they can quickly detect, mitigate and recover from breaches.

Dissecting the Concept of Zero Trust Architecture

JR expresses discontent with the term "zero trust" due to its implications of offering no trust whatsoever, which would stifle any exchange of information. He advocates for the terms "earned trust" or "managed trust" to more aptly describe the nuanced relationship between users and the systems they interact with. Security architecture, JR illustrates, should not rely solely on verifying users' identities; it also has to account for the integrity and security posture of the devices and locations being used to access the data. By meticulously understanding which data are most sensitive and their lifecycles, organizations can ensure that access controls are rigorously applied where necessary, based on the type of data, the user's context and the access environment. This nuanced approach is fundamental in constructing a robust and adaptive zero trust architecture that evolves along with the organizational ecosystem.

About Our Guests

JR Williamson is accountable for information security strategy, business enablement, governance, risk, cybersecurity operations and classified IT at Leidos. JR is a CISSP and Six Sigma Black Belt. He serves on the Microsoft CSO Council, the Security 50, the Gartner Advisory Board, the Executive Security Action Forum Program Committee, and the DIB Sector Coordinating Council. He is also part of the WashingtonExec CISOs, the Evanta CISO Council, the National Security Agency Enduring Security Framework team, and is the Chairman of the Board of the Internet Security Alliance.

Episode Links


","summary":null,"date_published":"2024-01-17T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/593d358b-c302-4253-b4b7-8d73cfff4cda.mp3","mime_type":"audio/mpeg","size_in_bytes":63312422,"duration_in_seconds":2637}]},{"id":"f703d547-2e52-4a62-8b79-be12a3dce5a5","title":"Episode 78: Public Sector Tech Outlook: 2024 Predictions for AI, Cybersecurity and FedRAMP Evolution","url":"https://techtransforms.fireside.fm/78","content_text":"What will 2024 have in store for technology development and regulation? Our hosts, Carolyn Ford and Mark Senell, sat down with Roger Cressey, Partner at Mountain Wave Ventures, Ross Nodurft, Executive Director of the Alliance for Digital Innovation and Willie Hicks, Public Sector Chief Technologist for Dynatrace, to discuss their 2024 predictions. Discover what the experts think will occur next year in terms of FedRAMP, AI regulation, Zero Trust and user experience.Key Topics00:00 Revamping FedRAMP in 2024 leads to changes.06:40 Industry requests FedRAMP High; concerns about changes.08:20 Anticipating challenges but aiming for improvement.11:13 Pushing for reciprocity in government technology solutions.15:15 Ensuring human control in AI military use.19:06 Questioning AI use in defense and civilian sector.25:25 Increased investment in security and product regulation.27:21 Expect more AI news, less legislative involvement.30:30 Observability key for zero trust framework implementation.36:22 Prediction: Citizens will interface with AI technology.37:16 Focus on user experience in government systems.41:03 Election year brings unexpected black swan events.2024 Predictions for the Public SectorRevamping of the FedRAMP ProgramRoss predicts that in 2024, FedRAMP will be completely reauthorized based on a pending OMB memo that is expected to be finalized in late 2023. 
This revamp is intended to streamline and improve the FedRAMP authorization process to facilitate faster adoption of cloud-based solutions in government.\n\nHowever, Roger believes the changes could temporarily slow things down as agencies take time to understand the implications of the new FedRAMP structure on their systems and assess risks. This could require investments from industry as well to meet new requirements that emerge.\n\nFedRAMP 2024: \"I think it's going to have a lot of agencies take a hard look at their risk and decide where they want to elevate certain high-valued assets, high-valued systems, high-valued programs, and the authorizations themselves are gonna raise in their level.\" — Ross Nodurft\n\nShift From Moderate Baseline to Higher Baseline of Controls\n\nAs part of the FedRAMP reauthorization, Ross expects many agencies will shift their systems from a moderate baseline to a higher baseline of security controls. With more interconnected systems and datasets, agencies will want heightened protections in place.\n\nRoger concurs that the increased scrutiny on risks coming out of the FedRAMP changes will lead organizations, especially those managing high-value assets, to pursue FedRAMP High authorizations more frequently.\n\nIncreased Demand for a FedRAMP High Environment\n\nGiven the predictions around agencies elevating their security thresholds, Willie asks Ross whether the pipeline of solutions currently pursuing FedRAMP High authorizations could face disruptions from new program requirements.\n\nRoss believes there will be some temporary slowdowns as changes are absorbed. However, he notes that the goals of the reauthorization are to increase flexibility and accessibility of authorizations. So over time, the new structure aims to accelerate FedRAMP High adoption.\n\n2024 Predictions: Navigating FedRAMP Changes While Maintaining Industry Momentum\n\nAs Ross highlighted, the intent of the FedRAMP reauthorization is to help industry get solutions to market faster. 
But in the short term, there could be some complications as vendors have to realign to new standards and processes.\n\nWillie notes that companies like Dynatrace have already begun working towards FedRAMP High in anticipation of rising customer demand. But sudden shifts in requirements could impact those efforts, so he hopes there will be considerations for solutions currently undergoing authorizations.\n\n2024 Predictions on Cybersecurity Trends\n\nZero Trust Framework\n\nRoger discusses how zero trust architectures continue to gain adoption, even though the concept has lost some of its previous buzz. The zero trust memo is still in place, people are budgeting for zero trust and funding is starting to be allocated towards implementation.\n\nAs Willie points out, every agency he works with is developing zero trust strategies and architectures. However, he notes these architectures can be extremely complex, especially when adding in cloud and containerized environments.\n\n2024 Predictions: Observability Critical for Security in Complex Cloud Environments\n\nRoss echoes Willie's point that there is an increasing movement towards cloud-based environments. This is driving changes to FedRAMP to accommodate the proliferation of SaaS applications.\n\nWith more enterprise environments leveraging SaaS apps, complexity is being introduced. Ross predicts that to protect, understand and maintain visibility across such complex environments with many different applications, overarching observability will become a necessity.\n\nImpact of the Shift Towards Cloud-Based Environments and SaaS Applications\n\nThe shift towards cloud-based environments and SaaS applications ties back to the FedRAMP changes and predictions from Ross. 
As agencies move to the cloud and adopt more SaaS apps, they lose visibility and observability.\n\nWillie predicts observability will become \"connective tissue\" across zero trust architectures to provide that much-needed visibility across various pillars like devices, networks and users.\n\nThe Rise of User Experience in Government Systems: \"I think we're gonna see more and more, of a focus on user experience because I believe with all the things we're talking about, user experience could be impacted.\" — Willie Hicks\n\nImportance of Observability for Visibility and Understanding\n\nRoger concurs that visibility is crucial for security because \"you can't secure what you can't see.\" He notes that observability and understanding where data is and what apps are doing will become a prerequisite for achieving zero trust.\n\nThe Importance of Data Visibility in Security: \"Well, I think it's gonna become table stakes, if you will, when it comes to security, because you can't secure what you can't see.\" — Roger Cressey\n\nCarolyn highlights how visibility has been embedded in zero trust frameworks from the beginning. However, Willie predicts its importance will be even more prominent in 2024.\n\nAI and Technology Innovations\n\n2024 Predictions: Navigating AI Promise and Pitfalls in the Public Sector\n\nRoger highlighted the tremendous upside that AI-enabled customer experience solutions could provide for government agencies in improving efficiency and service delivery. However, he also noted that any negative experiences resulting from these solutions would be heavily scrutinized and amplified. 
This indicates there may be cautious adoption of AI in government during 2024 as agencies balance potential benefits and risks.\n\nThe Importance of Reciprocity in Government Technology: \"I just hope they have the wherewithal and the focus to push the right people in the right parts of both the Department of Defense and to the federal civilian side to think about how reciprocity impacts their availability in the marketplace technology or commercial technology solutions out there.\" — Ross Nodurft\n\nWillie predicted there would be carefully orchestrated success stories around AI implementations, supporting Roger's point. This suggests that while innovation will continue, government agencies will likely roll out AI solutions slowly and target opportunities where impact can be demonstrated.\n\nIncreased Investment in Security and Product Innovation\n\nRoger predicted that defensive cyber capabilities enabled by AI will draw greater attention and interest in 2024. Willie noted that AI is also being used in more advanced cyber attacks. Together, these trends indicate there will be an increased focus on using AI responsibly to enhance security while also defending against malicious uses.\n\nOn the commercial side, Ross predicted venture capital investment into AI will accelerate in 2024, driving constant product updates across language models and other platforms. This rapid product innovation seems likely to widen the gap with public sector adoption.\n\n2024 Predictions: Balancing AI Progress and Governance in the Public Sector\n\nWhile the panelists disagreed on the likelihood of major AI regulations from Congress in 2024, Willie predicted that high-profile incidents involving AI could build pressure for new laws, even if passage takes time. 
He and Ross suggested implementation of AI guidance for government agencies is more likely in the near term.\n\nThe Future Impacts of AI: \"I think that the developers of AI are gonna continue to set the agenda, and the deployers, in other words, all the sectors as well as industry sectors, the developers, the deployers are still gonna be playing catch up.\" — Roger Cressey\n\nRoger noted that negative experiences with AI in government would also spur calls for regulation. However, he said acting prematurely without understanding the impacts could pose challenges. Together, these perspectives indicate oversight and governance guardrails for AI will increase but could slow adoption if not balanced thoughtfully.\n\n2024 Predictions: AI Policy Progress and Global Technology Leadership\n\nPotential Dysfunction in Congress Impacting Regulatory Progress\n\nRoger points out the significant disagreement between the House and Senate that could prevent Congress from finding common ground on AI regulation in 2024. The divide relates to whether the focus should be on continuing innovation or implementing more safeguards and oversight. Meaningful AI legislation at a national level would require lengthy deliberation and consensus-building that likely won't occur in an election year.\n\nPotential Motivation for U.S. Innovation by China’s Advancements in AI\n\nAccording to Roger, China's rapid advances in AI development and utilization could light a fire under the U.S. administration and Congress to accelerate American innovation in this area. However, the U.S. policy community also wants to ensure AI progresses responsibly. Roger argues China's AI capabilities could be an impetus for shaping U.S. strategy in 2024, balancing both innovation and risk management.\n\nThe Global Race for AI Dominance: \"Where China is moving rapidly and creatively on AI development, adoption and deployment will be a jet fuel for motivating the administration and congress to do more regarding how can innovation on the U.S. 
side regarding AI move quicker.\" — Roger Cressey\n\nIndustry Adaptation to Change\n\n2024 Predictions: Navigating Changes to FedRAMP and Industry Adaptation\n\nRoss discusses some of the challenges the industry may face in adapting to the changes outlined in the anticipated 2023 FedRAMP reauthorization memo. He notes that while the intent of the memo is to streamline and open up the authorization process to allow more applications into the pipeline faster, implementing these changes could initially cause some disruption.\n\nRoss predicts there may be a \"learning curve\" as agencies and vendors figure out how the changes impact their specific systems and day-to-day operations. This could temporarily slow things down until the new processes are fully understood. However, Ross expects that after this initial bumpy period, the changes will ultimately enable faster movement of applications through the FedRAMP process.\n\nThe Government’s Aim to Create a Process for a Smoother Transition\n\nRoss highlights that the government's aim in revising the FedRAMP authorization process is to make it easier for agencies to access and leverage innovative cloud-based technologies. The memo revisions seek to create multiple pathways for obtaining authorizations, rather than just one narrow pipeline that applications must move through.\n\nDiscussing the Future of AI: \"We gotta talk about, whether it's AI governance, whether it's innovation in AI, it's AI risks, and really understanding how do we balance all 3 of those in a way while we're still moving forward.\" — Roger Cressey\n\nThe hope is that these process improvements will pave the way for more small and medium cloud-based software companies to get their products authorized for use in government. This will give agencies more options and flexibility in adopting modern solutions. 
However, Ross cautions that in the short term there may be some disruptions as outlined above.\n\nPredictions for Significant Impact in 2024\n\nIn terms of predictions for 2024, Ross expects that the FedRAMP changes, combined with broader cloud migration efforts underway in government, will lead more agencies to request higher baseline security authorizations. Where they may have been comfortable with a FedRAMP Moderate authorization previously, Ross predicts agencies will now ask vendors for FedRAMP High in more and more cases. This will likely impact software providers who will have to adapt their systems and applications to meet the more stringent security controls.\n\nAbout Our Guests\n\nRoss Nodurft\n\nRoss Nodurft is the Executive Director of the Alliance for Digital Innovation (ADI), a coalition of technology companies focused on bringing commercial, cloud-based solutions to the public sector. ADI focuses on promoting policies that enable IT modernization, cybersecurity, smarter acquisition and workforce development. Prior to joining ADI, Ross spent several years working with industry partners on technology and cybersecurity policy and several years in government, both in the executive and legislative branches, including as Chief of the Office of Management and Budget's cyber team in the White House.\n\nRoger Cressey\n\nRoger Cressey is a Partner with Mountain Wave Ventures. He previously served as a Senior Vice President at Booz Allen Hamilton, supporting the firm’s cyber security practice in the Middle East. Prior to joining Booz Allen, he was President and Founder of Good Harbor Consulting LLC, a security and risk management consulting firm.\n\nMr. Cressey’s government service included senior cyber security and counterterrorism positions in the Clinton and Bush Administrations. At the White House, he served as Chief of Staff of the President’s Critical Infrastructure Protection Board from November 2001 to September 2002. 
He also served as Deputy for Counterterrorism on the National Security Council staff from November 1999 to November 2001. He was responsible for the coordination and implementation of U.S. counterterrorism policy and managed the U.S. Government's response to multiple terrorism incidents, including the Millennium terror alert, the USS COLE attack, and the September 11th attacks.\n\nWillie Hicks\n\nWillie Hicks is the Public Sector Chief Technologist for Dynatrace. Willie has spent over a decade orchestrating solutions for some of the most complex network environments, from cloud to cloud native applications and microservices. He understands tracking and making sense of systems and data that have grown beyond human ability. Working across engineering and product management to ensure continued growth and speed innovation, he has implemented Artificial Intelligence and automation solutions across hundreds of environments to tame and secure their data.\n\nEpisode Links\n\nFedRAMP\nAlliance for Digital Innovation\nDoDIIS Worldwide","content_html":"

What will 2024 have in store for technology development and regulation? Our hosts, Carolyn Ford and Mark Senell, sat down with Roger Cressey, Partner at Mountain Wave Ventures, Ross Nodurft, Executive Director of the Alliance for Digital Innovation and Willie Hicks, Public Sector Chief Technologist for Dynatrace, to discuss their 2024 predictions. Discover what the experts think will occur next year in terms of FedRAMP, AI regulation, Zero Trust and user experience.

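Key Topics

00:00 Revamping FedRAMP in 2024 leads to changes.
06:40 Industry requests FedRAMP High; concerns about changes.
08:20 Anticipating challenges but aiming for improvement.
11:13 Pushing for reciprocity in government technology solutions.
15:15 Ensuring human control in AI military use.
19:06 Questioning AI use in defense and civilian sector.
25:25 Increased investment in security and product regulation.
27:21 Expect more AI news, less legislative involvement.
30:30 Observability key for zero trust framework implementation.
36:22 Prediction: Citizens will interface with AI technology.
37:16 Focus on user experience in government systems.
41:03 Election year brings unexpected black swan events.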

2024 Predictions for the Public Sector

Revamping of the FedRAMP Program

Ross predicts that in 2024, FedRAMP will be completely reauthorized based on a pending OMB memo that is expected to be finalized in late 2023. This revamp is intended to streamline and improve the FedRAMP authorization process to facilitate faster adoption of cloud-based solutions in government.

However, Roger believes the changes could temporarily slow things down as agencies take time to understand the implications of the new FedRAMP structure on their systems and assess risks. This could require investments from industry as well to meet new requirements that emerge.

FedRAMP 2024: "I think it's going to have a lot of agencies take a hard look at their risk and decide where they want to elevate certain high-valued assets, high-valued systems, high-valued programs, and the authorizations themselves are gonna raise in their level." — Ross Nodurft

Shift From Moderate Baseline to Higher Baseline of Controls

As part of the FedRAMP reauthorization, Ross expects many agencies will shift their systems from a moderate baseline to a higher baseline of security controls. With more interconnected systems and datasets, agencies will want heightened protections in place.

Roger concurs that the increased scrutiny on risks coming out of the FedRAMP changes will lead organizations, especially those managing high-value assets, to pursue FedRAMP High authorizations more frequently.

Increased Demand for a FedRAMP High Environment

Given the predictions around agencies elevating their security thresholds, Willie asks Ross whether the pipeline of solutions currently pursuing FedRAMP High authorizations could face disruptions from new program requirements.

Ross believes there will be some temporary slowdowns as changes are absorbed. However, he notes that the goals of the reauthorization are to increase flexibility and accessibility of authorizations. So over time, the new structure aims to accelerate FedRAMP High adoption.

2024 Predictions: Navigating FedRAMP Changes While Maintaining Industry Momentum

As Ross highlighted, the intent of the FedRAMP reauthorization is to help industry get solutions to market faster. But in the short term, there could be some complications as vendors have to realign to new standards and processes.

Willie notes that companies like Dynatrace have already begun working towards FedRAMP High in anticipation of rising customer demand. But sudden shifts in requirements could impact those efforts, so he hopes there will be considerations for solutions currently undergoing authorizations.

2024 Predictions on Cybersecurity Trends

Zero Trust Framework

Roger discusses how zero trust architectures continue to gain adoption, even though the concept has lost some of its previous buzz. The zero trust memo is still in place, people are budgeting for zero trust and funding is starting to be allocated towards implementation.

As Willie points out, every agency he works with is developing zero trust strategies and architectures. However, he notes these architectures can be extremely complex, especially when adding in cloud and containerized environments.

2024 Predictions: Observability Critical for Security in Complex Cloud Environments

Ross echoes Willie's point that there is an increasing movement towards cloud-based environments. This is driving changes to FedRAMP to accommodate the proliferation of SaaS applications.

With more enterprise environments leveraging SaaS apps, complexity is being introduced. Ross predicts that to protect, understand and maintain visibility across such complex environments with many different applications, overarching observability will become a necessity.

Impact of the Shift Towards Cloud-Based Environments and SaaS Applications

The shift towards cloud-based environments and SaaS applications ties back to the FedRAMP changes and predictions from Ross. As agencies move to the cloud and adopt more SaaS apps, they lose visibility and observability.

Willie predicts observability will become "connective tissue" across zero trust architectures to provide that much-needed visibility across various pillars like devices, networks and users.

The Rise of User Experience in Government Systems: "I think we're gonna see more and more, of a focus on user experience because I believe with all the things we're talking about, user experience could be impacted." — Willie Hicks

Importance of Observability for Visibility and Understanding

Roger concurs that visibility is crucial for security because "you can't secure what you can't see." He notes that observability and understanding where data is and what apps are doing will become a prerequisite for achieving zero trust.

The Importance of Data Visibility in Security: "Well, I think it's gonna become table stakes, if you will, when it comes to security, because you can't secure what you can't see." — Roger Cressey

Carolyn highlights how visibility has been embedded in zero trust frameworks from the beginning. However, Willie predicts its importance will be even more prominent in 2024.

AI and Technology Innovations

2024 Predictions: Navigating AI Promise and Pitfalls in the Public Sector

Roger highlighted the tremendous upside that AI-enabled customer experience solutions could provide for government agencies in improving efficiency and service delivery. However, he also noted that any negative experiences resulting from these solutions would be heavily scrutinized and amplified. This indicates there may be cautious adoption of AI in government during 2024 as agencies balance potential benefits and risks.

The Importance of Reciprocity in Government Technology: "I just hope they have the wherewithal and the focus to push the right people in the right parts of both the Department of Defense and to the federal civilian side to think about how reciprocity impacts their availability in the marketplace technology or commercial technology solutions out there." — Ross Nodurft

Willie predicted there would be carefully orchestrated success stories around AI implementations, supporting Roger's point. This suggests that while innovation will continue, government agencies will likely roll out AI solutions slowly and target opportunities where impact can be demonstrated.

Increased Investment in Security and Product Innovation

Roger predicted that defensive cyber capabilities enabled by AI will draw greater attention and interest in 2024. Willie noted that AI is also being used in more advanced cyber attacks. Together, these trends indicate there will be an increased focus on using AI responsibly to enhance security while also defending against malicious uses.

On the commercial side, Ross predicted venture capital investment into AI will accelerate in 2024, driving constant product updates across language models and other platforms. This rapid product innovation seems likely to widen the gap with public sector adoption.

2024 Predictions: Balancing AI Progress and Governance in the Public Sector

While the panelists disagreed on the likelihood of major AI regulations from Congress in 2024, Willie predicted that high-profile incidents involving AI could build pressure for new laws, even if passage takes time. He and Ross suggested implementation of AI guidance for government agencies is more likely in the near term.

The Future Impacts of AI: "I think that the developers of AI are gonna continue to set the agenda, and the deployers, in other words, all the sectors as well as industry sectors, the developers, the deployers are still gonna be playing catch up." — Roger Cressey

Roger noted that negative experiences with AI in government would also spur calls for regulation. However, he said acting prematurely without understanding the impacts could pose challenges. Together, these perspectives indicate oversight and governance guardrails for AI will increase but could slow adoption if not balanced thoughtfully.

2024 Predictions: AI Policy Progress and Global Technology Leadership

Potential Dysfunction in Congress Impacting Regulatory Progress

Roger points out the significant disagreement between the House and Senate that could prevent Congress from finding common ground on AI regulation in 2024. The divide relates to whether the focus should be on continuing innovation or implementing more safeguards and oversight. Meaningful AI legislation at a national level would require lengthy deliberation and consensus-building that likely won't occur in an election year.

Potential Motivation for U.S. Innovation by China’s Advancements in AI

According to Roger, China's rapid advances in AI development and utilization could light a fire under the U.S. administration and Congress to accelerate American innovation in this area. However, the U.S. policy community also wants to ensure AI progresses responsibly. Roger argues China's AI capabilities could be an impetus for shaping U.S. strategy in 2024, balancing both innovation and risk management.

The Global Race for AI Dominance: "Where China is moving rapidly and creatively on AI development, adoption and deployment will be a jet fuel for motivating the administration and congress to do more regarding how can innovation on the U.S. side regarding AI move quicker." — Roger Cressey

Industry Adaptation to Change

2024 Predictions: Navigating Changes to FedRAMP and Industry Adaptation

Ross discusses some of the challenges the industry may face in adapting to the changes outlined in the anticipated 2023 FedRAMP reauthorization memo. He notes that while the intent of the memo is to streamline and open up the authorization process to allow more applications into the pipeline faster, implementing these changes could initially cause some disruption.

Ross predicts there may be a "learning curve" as agencies and vendors figure out how the changes impact their specific systems and day-to-day operations. This could temporarily slow things down until the new processes are fully understood. However, Ross expects that after this initial bumpy period, the changes will ultimately enable faster movement of applications through the FedRAMP process.

The Government’s Aim to Create a Process for a Smoother Transition

Ross highlights that the government's aim in revising the FedRAMP authorization process is to make it easier for agencies to access and leverage innovative cloud-based technologies. The memo revisions seek to create multiple pathways for obtaining authorizations, rather than just one narrow pipeline that applications must move through.

Discussing the Future of AI: "We gotta talk about, whether it's AI governance, whether it's innovation in AI, it's AI risks, and really understanding how do we balance all 3 of those in a way while we're still moving forward." — Roger Cressey

The hope is that these process improvements will pave the way for more small and medium cloud-based software companies to get their products authorized for use in government. This will give agencies more options and flexibility in adopting modern solutions. However, Ross cautions that in the short term there may be some disruptions as outlined above.

Predictions for Significant Impact in 2024

In terms of predictions for 2024, Ross expects that the FedRAMP changes, combined with broader cloud migration efforts underway in government, will lead more agencies to request higher baseline security authorizations. Where they may have been comfortable with a FedRAMP Moderate authorization previously, Ross predicts agencies will now ask vendors for FedRAMP High in more and more cases. This will likely impact software providers who will have to adapt their systems and applications to meet the more stringent security controls.

About Our Guests

Ross Nodurft

Ross Nodurft is the Executive Director of the Alliance for Digital Innovation (ADI), a coalition of technology companies focused on bringing commercial, cloud-based solutions to the public sector. ADI focuses on promoting policies that enable IT modernization, cybersecurity, smarter acquisition and workforce development. Prior to joining ADI, Ross spent several years working with industry partners on technology and cybersecurity policy and several years in government, both in the executive and legislative branches, including as Chief of the Office of Management and Budget's cyber team in the White House.

Roger Cressey

Roger Cressey is a Partner with Mountain Wave Ventures. He previously served as a Senior Vice President at Booz Allen Hamilton, supporting the firm’s cyber security practice in the Middle East. Prior to joining Booz Allen, he was President and Founder of Good Harbor Consulting LLC, a security and risk management consulting firm.

Mr. Cressey’s government service included senior cyber security and counterterrorism positions in the Clinton and Bush Administrations. At the White House, he served as Chief of Staff of the President’s Critical Infrastructure Protection Board from November 2001 to September 2002. He also served as Deputy for Counterterrorism on the National Security Council staff from November 1999 to November 2001. He was responsible for the coordination and implementation of U.S. counterterrorism policy and managed the U.S. Government's response to multiple terrorism incidents, including the Millennium terror alert, the USS COLE attack, and the September 11th attacks.

Willie Hicks

Willie Hicks is the Public Sector Chief Technologist for Dynatrace. Willie has spent over a decade orchestrating solutions for some of the most complex network environments, from cloud to cloud native applications and microservices. He understands tracking and making sense of systems and data that have grown beyond human ability. Working across engineering and product management to ensure continued growth and speed innovation, he has implemented Artificial Intelligence and automation solutions across hundreds of environments to tame and secure their data.

Episode Links

FedRAMP
Alliance for Digital Innovation
DoDIIS Worldwide

","summary":null,"date_published":"2023-12-20T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/82a20640-8599-4b14-87f4-3c89b94148b6.mp3","mime_type":"audio/mpeg","size_in_bytes":61064882,"duration_in_seconds":2543}]},{"id":"0584be6b-5899-4b16-aa91-f166997e9994","title":"Episode 77: So What? It’s 5:05! Edition: Beyond the Headlines of AI, Election Disinformation and SpyGPT","url":"https://techtransforms.fireside.fm/77","content_text":"On this special So What? episode we go deeper into some of the top stories being covered on the It’s 5:05! podcast with It’s 5:05! contributing journalist, Tracy Bannon. How are cybersecurity stress tests battling misinformation and aiding in election security? Is AI contributing to election disinformation? How is the CIA using SpyGPT? Come along as Carolyn and Tracy go beyond the headlines to address all these questions and more.\n\nKey Topics\n\n04:20 Proactive approach needed for software voting security.\n09:12 Deepfake technology can replicate voices and videos.\n12:38 Politics focuses on presidential level, ignores others.\n15:53 Generative AI creates new content from data.\n17:19 New tool aids intelligence agencies process data.\n20:13 Bill Gates discusses future AI agents on LinkedIn.\n25:24 Navigating biases in AI towards democratic values.\n29:13 CISA promotes continuous learning and holistic approach.\n30:51 Demystifying and making security approachable for all.\n33:33 Open source, cybersecurity, diverse professional perspectives discussed.\n\nImportance of Cybersecurity and Responsible AI Use\n\nEmbracing Cybersecurity Measures and Privacy Protections\n\nIn their conversation, Carolyn and Tracy discuss how imperative it is for both individuals and organizations to embrace robust cybersecurity measures. 
As we live in an era where data breaches and cyber attacks are on the rise, the implementation of effective security protocols is not just a matter of regulatory compliance, but also about safeguarding the privacy and personal information of users. Tracy emphasizes the continuous need for cybersecurity vigilance and education, highlighting that it is a shared responsibility. By making use of resources like the CISA cybersecurity workbook, Carolyn suggests that individuals and businesses can receive guidance on developing a more secure online presence, which is crucial in a digital ecosystem where even the smallest vulnerability can be exploited.\n\nAddressing Biases in AI to Align With Public Interest and Democratic Values\n\nTracy expresses concerns over the biases that can be present in AI systems, which can stem from those who design them or the data they are trained on. Such biases have the potential to impact a vast array of decisions and analyses AI makes, leading to outcomes that may not align with the broad spectrum of public interest and democratic values. An important aspect of responsible AI use is ensuring that these technological systems are created and used in a way that is fair and equitable. This means actively working to identify and correct biases, ensuring transparency in AI operations and constantly checking that AI applications serve the public good without infringing upon civil liberties or creating divisions within society.\n\nDemystifying Cybersecurity: \"We need that public understanding, building this culture of security for everybody, by everybody. It becomes a shared thing, which should be something that we're teaching our children as soon as they are old enough to touch a device.\" — Tracy Bannon\n\nThe Proliferation of Personal AI Use in Everyday Tasks\n\nThe conversation shifts towards the notion of AI agents handling tasks on behalf of humans, a concept both cutting-edge and rife with potential pitfalls. 
Carolyn and Tracy discuss both the ease and potential risks of entrusting personal tasks to AI. On one hand, these AI agents can simplify life by managing mundane tasks, optimizing time and resources, and even curating experiences based on an in-depth understanding of personal preferences. Yet, Tracy questions what the trade-off is, considering the amount of personal data that must be shared for AI to become truly \"helpful.\" This gives rise to larger questions related to the surrender of personal agency in decision-making, the erosion of privacy, and the ever-present threat of such tools being exploited for nefarious purposes.\n\nCISA's Cybersecurity Workbook\n\nEnhancing Accessibility with AI Use: Summarizing Complex Documents through Generative Tools\n\nTracy introduces the concept of leveraging generative AI tools such as ChatGPT to summarize lengthy documents. This innovative approach provides a way to digest complex material quickly and efficiently. For instance, users can feed a PDF or a website link into ChatGPT and request a summary which the tool will produce by analyzing the text and presenting the key points. Tracy emphasizes this method as a step toward making dense content like government reports or lengthy executive orders more accessible. She also transitions to discussing CISA's cybersecurity workbook, illustrating a movement towards the dissemination of important information in a format that a broader audience can understand and apply, not just tech experts. Tracy appreciates the effort by CISA to create resources that resonate with everyone's level of technical knowledge.\n\nComprehensive Guidance for Security Measures\n\nThe comprehensive guide provided by CISA, Tracy notes, is robust in offering detailed strategies for planning and implementing cybersecurity measures. The workbook does not shy away from diving deep into the assessment of potential cyber risks. It details leading practices that organizations can adopt. 
Planning for incident response is a highlighted area, acknowledging that security breaches are not a matter of if but when. The workbook thus serves as an invaluable reference for initiating proactive steps to fortify against cyber threats. This level of comprehensive guidance serves not only as a tool for implementing robust security measures but also as a learning resource that promotes a widespread understanding of best cybersecurity practices.\n\nGovernment's AI Use\n\nPotential Introduction of Generative AI by the CIA\n\nTracy and Carolyn discuss the CIA's plans to potentially introduce generative AI through a program dubbed \"SpyGPT.\" The idea behind this integration is to enable the parsing and understanding of extensive open-source data more efficiently. Generative AI, similar in concept to models like ChatGPT, could revolutionize how intelligence agencies handle the vast amounts of data they collect. If implemented, this AI would be able to generate new content based on massive datasets, providing insights that could be invaluable for intelligence processing. Carolyn raises comparisons to traditional methods of intelligence gathering, noting that such technological advancements could have helped in past events had they been available. In response, Tracy emphasizes the historic struggle of intelligence agencies to rapidly sort through surveillance information, a challenge that tools like SpyGPT could mitigate.\n\nThe Double-Edged Sword of AI Use in Predictive Analysis\n\nA tool like SpyGPT has the potential to rapidly identify patterns and connections within data. This could lead to quicker and more accurate intelligence assessments. Carolyn points to the use of crowdsourcing information during the Boston Marathon bombing as an example of how rapid data correlation and analysis can be critical in national security efforts. The ability to predict and possibly prevent future threats could be significantly enhanced. 
\n\nThe Dangers of Internet Era Propaganda: \"I can take any idea, and I can generate vast amounts of text in all kinds of tones, from all different kinds of perspectives, and I can make them pretty ideal for Internet era propaganda.\" — Tracy Bannon\n\nHowever, as Tracy notes, the power of such technology is a double-edged sword, raising concerns about privacy, the potential for misuse and ethical implications. The conversation raises the specter of a \"Minority Report\"-esque future, where predictive technology verges on the invasive. Both Tracy and Carolyn agree on the tremendous responsibilities that come with the implementation of generative AI when it intersects with privacy, civil liberties and security.\n\nElection Security\n\nThe Critical Role of AI Use in Election Security Stress Testing\n\nStress testing in the context of election security revolves around rigorously probing the voting system to uncover any flaws or weaknesses. This process requires collaboration between various stakeholders, including the manufacturers of voting machines, software developers and cybersecurity experts. Tracy emphasizes the crucial nature of these simulated attacks or real-world scenarios that help reveal potential points of exploitation within the system. Identifying these vulnerabilities well before an election can give officials the necessary time to address and reinforce weak spots, ensuring the reliability and resilience of the electoral process against cyber threats.\n\nThe AI Use in Unveiling Election System Vulnerabilities\n\nTracy discusses the necessity of not just identifying but also openly revealing discovered vulnerabilities within election systems as a means to foster trust among the populace. Transparency in the security measures taken and the clear communication of vulnerabilities found, when managed properly, instill a higher sense of confidence in the electoral system's integrity. This approach also plays a pivotal role in countering misinformation. 
By proactively conveying the true state of system security and the efforts being taken to remedy issues, it can help to dismantle unfounded claims and skepticism about the election infrastructure from various sectors of society.\n\nExploring the Impact of AI Use in Deepfake Technology and Artificial Persona Creation\n\nCapabilities of Deepfake Technology and AI-Language Models\n\nRecent advancements in AI and deepfake technology have brought breathtaking capabilities, primarily the power to manipulate audio and video content with astounding realism. Tracy emphasizes the profound implications of this tech, specifically pointing to language models such as \"Vall-E,\" which can simulate a person's voice from just a few seconds of audio input.\n\nThe Rise of Deepfakes: \"Imagine what's gonna happen with the deepfake. Take a right? I can take your video. I can take your voice.\" — Tracy Bannon\n\nThis technology uses sophisticated algorithms to detect nuances in speech patterns, allowing it to generate new audio that sounds like the targeted individual, effectively putting words into their mouths that they never actually said. This ability extends beyond simple mimicry. It propels the potential for creating audio deepfakes that can be nearly indistinguishable from genuine recordings. Such capabilities raise significant concerns about the reliability of auditory evidence and the ease with which public opinion could be manipulated.\n\nCreation of Artificial Personas Using AI Tools\n\nTracy brings to light the increasingly effortless creation of false personas through AI tools such as ChatGPT, which is an iteration of AI language models capable of generating human-like text. These tools can fabricate compelling narratives and even mimic specific writing styles. They can create non-existent but believable social media profiles or entire personas. 
Tracy points out how these synthetic entities can be programmed to deliver credible-sounding propaganda, influence political campaigns, or sow discord by spamming internet platforms with targeted misinformation. The creation of these artificial personas signifies a dramatic shift in how information can be disseminated, posing risks of eroding trust in digital communication and complicating the battle against fake news.\n\nAbout Our Guest\n\nTracy Bannon is a Senior Principal with MITRE Lab's Advanced Software Innovation Center and a contributor to the It’s 5:05! podcast. She is an accomplished software architect, engineer, and DevSecOps advisor, having worked across commercial and government clients. She thrives on understanding complex problems and working to deliver mission/business value at the speed. She’s passionate about mentoring and training and enjoys community and knowledge-building with teams, clients, and the next generation. Tracy is a long-time advocate for diversity in technology, helping to narrow the gaps as a mentor, sponsor, volunteer, and friend.\n\nEpisode Links\nIt’s 5:05! Unmasking Election Security: How Cybersecurity Stress Tests Battle Misinformation\nIt’s 5:05! AI Election Disinformation\nIt's 5:05! SpyGPT\nExecutive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence\nAllan Friedman’s Tech Transforms Episode\nIt’s 5:05! More CISA Leadership: Security Planning Workbook\nCISA’s Security Planning Workbook","content_html":"

On this special So What? episode we go deeper into some of the top stories being covered on the It’s 5:05! podcast with It’s 5:05! contributing journalist, Tracy Bannon. How are cybersecurity stress tests battling misinformation and aiding in election security? Is AI contributing to election disinformation? How is the CIA using SpyGPT? Come along as Carolyn and Tracy go beyond the headlines to address all these questions and more.

Key Topics


Importance of Cybersecurity and Responsible AI Use

Embracing Cybersecurity Measures and Privacy Protections

In their conversation, Carolyn and Tracy discuss how imperative it is for both individuals and organizations to embrace robust cybersecurity measures. As we live in an era where data breaches and cyber attacks are on the rise, the implementation of effective security protocols is not just a matter of regulatory compliance but also of safeguarding the privacy and personal information of users. Tracy emphasizes the continuous need for cybersecurity vigilance and education, highlighting that it is a shared responsibility. By making use of resources like the CISA cybersecurity workbook, Carolyn suggests that individuals and businesses can receive guidance on developing a more secure online presence, which is crucial in a digital ecosystem where even the smallest vulnerability can be exploited.

Addressing Biases in AI to Align With Public Interest and Democratic Values

Tracy expresses concerns over the biases that can be present in AI systems, which can stem from those who design them or the data they are trained on. Such biases have the potential to impact a vast array of decisions and analyses AI makes, leading to outcomes that may not align with the broad spectrum of public interest and democratic values. An important aspect of responsible AI use is ensuring that these technological systems are created and used in a way that is fair and equitable. This means actively working to identify and correct biases, ensuring transparency in AI operations, and constantly checking that AI applications serve the public good without infringing upon civil liberties or creating divisions within society.

Demystifying Cybersecurity: "We need that public understanding, building this culture of security for everybody, by everybody. It becomes a shared thing, which should be something that we're teaching our children as soon as they are old enough to touch a device." — Tracy Bannon

The Proliferation of Personal AI Use in Everyday Tasks

The conversation shifts towards the notion of AI agents handling tasks on behalf of humans, a concept both cutting-edge and rife with potential pitfalls. Carolyn and Tracy discuss both the ease and potential risks of entrusting personal tasks to AI. On one hand, these AI agents can simplify life by managing mundane tasks, optimizing time and resources, and even curating experiences based on an in-depth understanding of personal preferences. Yet, Tracy questions what the trade-off is, considering the amount of personal data that must be shared for AI to become truly "helpful." This gives rise to larger questions related to the surrender of personal agency in decision-making, the erosion of privacy, and the ever-present threat of such tools being exploited for nefarious purposes.

CISA's Cybersecurity Workbook

Enhancing Accessibility with AI Use: Summarizing Complex Documents through Generative Tools

Tracy introduces the concept of leveraging generative AI tools such as ChatGPT to summarize lengthy documents. This innovative approach provides a way to digest complex material quickly and efficiently. For instance, users can feed a PDF or a website link into ChatGPT and request a summary, which the tool will produce by analyzing the text and presenting the key points. Tracy emphasizes this method as a step toward making dense content like government reports or lengthy executive orders more accessible. She also transitions to discussing CISA's cybersecurity workbook, illustrating a movement towards the dissemination of important information in a format that a broader audience can understand and apply, not just tech experts. Tracy appreciates the effort by CISA to create resources that resonate with everyone's level of technical knowledge.

Comprehensive Guidance for Security Measures

The comprehensive guide provided by CISA, Tracy notes, is robust in offering detailed strategies for planning and implementing cybersecurity measures. The workbook does not shy away from diving deep into the assessment of potential cyber risks. It details leading practices that organizations can adopt. Planning for incident response is a highlighted area, acknowledging that security breaches are not a matter of if but when. The workbook thus serves as an invaluable reference for initiating proactive steps to fortify against cyber threats. This level of comprehensive guidance serves not only as a tool for implementing robust security measures but also as a learning resource that promotes a widespread understanding of best cybersecurity practices.

Government's AI Use

Potential Introduction of Generative AI by the CIA

Tracy and Carolyn discuss the CIA's plans to potentially introduce generative AI through a program dubbed "SpyGPT." The idea behind this integration is to enable the parsing and understanding of extensive open-source data more efficiently.

Generative AI, similar in concept to models like ChatGPT, could revolutionize how intelligence agencies handle the vast amounts of data they collect. If implemented, this AI would be able to generate new content based on massive datasets, providing insights that could be invaluable for intelligence processing. Carolyn raises comparisons to traditional methods of intelligence gathering, noting that such technological advancements could have helped in past events had they been available. In response, Tracy emphasizes the historic struggle of intelligence agencies to rapidly sort through surveillance information, a challenge that tools like SpyGPT could mitigate.

The Double-Edged Sword of AI Use in Predictive Analysis

A tool like SpyGPT has the potential to rapidly identify patterns and connections within data. This could lead to quicker and more accurate intelligence assessments. Carolyn points to the use of crowdsourcing information during the Boston Marathon bombing as an example of how rapid data correlation and analysis can be critical in national security efforts. The ability to predict and possibly prevent future threats could be significantly enhanced.

The Dangers of Internet Era Propaganda: "I can take any idea, and I can generate vast amounts of text in all kinds of tones, from all different kinds of perspectives, and I can make them pretty ideal for Internet era propaganda." — Tracy Bannon

However, as Tracy notes, the power of such technology is a double-edged sword, raising concerns about privacy, the potential for misuse and ethical implications. The conversation raises the specter of a "Minority Report"-esque future, where predictive technology verges on the invasive. Both Tracy and Carolyn agree on the tremendous responsibilities that come with the implementation of generative AI when it intersects with privacy, civil liberties and security.

Election Security

The Critical Role of AI Use in Election Security Stress Testing

Stress testing in the context of election security revolves around rigorously probing the voting system to uncover any flaws or weaknesses. This process requires collaboration between various stakeholders, including the manufacturers of voting machines, software developers and cybersecurity experts. Tracy emphasizes the crucial nature of these simulated attacks or real-world scenarios that help reveal potential points of exploitation within the system. Identifying these vulnerabilities well before an election can give officials the necessary time to address and reinforce weak spots, ensuring the reliability and resilience of the electoral process against cyber threats.

The AI Use in Unveiling Election System Vulnerabilities

Tracy discusses the necessity of not just identifying but also openly revealing discovered vulnerabilities within election systems as a means to foster trust among the populace. Transparency in the security measures taken and the clear communication of vulnerabilities found, when managed properly, instill a higher sense of confidence in the electoral system's integrity. This approach also plays a pivotal role in countering misinformation. By proactively conveying the true state of system security and the efforts being taken to remedy issues, it can help to dismantle unfounded claims and skepticism about the election infrastructure from various sectors of society.

Exploring the Impact of AI Use in Deepfake Technology and Artificial Persona Creation

Capabilities of Deepfake Technology and AI-Language Models

Recent advancements in AI and deepfake technology have brought breathtaking capabilities, primarily the power to manipulate audio and video content with astounding realism. Tracy emphasizes the profound implications of this tech, specifically pointing to language models such as "Vall-E," which can simulate a person's voice from just a few seconds of audio input.

The Rise of Deepfakes: "Imagine what's gonna happen with the deepfake. Take a right? I can take your video. I can take your voice." — Tracy Bannon

This technology uses sophisticated algorithms to detect nuances in speech patterns, allowing it to generate new audio that sounds like the targeted individual, effectively putting words into their mouths that they never actually said. This ability extends beyond simple mimicry. It propels the potential for creating audio deepfakes that can be nearly indistinguishable from genuine recordings. Such capabilities raise significant concerns about the reliability of auditory evidence and the ease with which public opinion could be manipulated.

Creation of Artificial Personas Using AI Tools

Tracy brings to light the increasingly effortless creation of false personas through AI tools such as ChatGPT, which is an iteration of AI language models capable of generating human-like text. These tools can fabricate compelling narratives and even mimic specific writing styles. They can create non-existent but believable social media profiles or entire personas. Tracy points out how these synthetic entities can be programmed to deliver credible-sounding propaganda, influence political campaigns, or sow discord by spamming internet platforms with targeted misinformation. The creation of these artificial personas signifies a dramatic shift in how information can be disseminated, posing risks of eroding trust in digital communication and complicating the battle against fake news.

About Our Guest

Tracy Bannon is a Senior Principal with MITRE Lab's Advanced Software Innovation Center and a contributor to the It’s 5:05! podcast. She is an accomplished software architect, engineer, and DevSecOps advisor, having worked across commercial and government clients. She thrives on understanding complex problems and working to deliver mission/business value at the speed. She’s passionate about mentoring and training and enjoys community and knowledge-building with teams, clients, and the next generation. Tracy is a long-time advocate for diversity in technology, helping to narrow the gaps as a mentor, sponsor, volunteer, and friend.

Episode Links


","summary":null,"date_published":"2023-12-13T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/6f7e97bb-4a48-4727-b8a8-672ef173fa43.mp3","mime_type":"audio/mpeg","size_in_bytes":50951768,"duration_in_seconds":2122}]},{"id":"64a38a06-789f-4d51-a192-3aadd64d84ef","title":"Episode 76: The Future of Government Technology: FedRAMP, AI and Compliance in Focus with Ross Nodurft","url":"https://techtransforms.fireside.fm/76","content_text":"As technology rapidly innovates, it is essential we talk about technology policy. What better way to get in the know than to have an expert break it down for us? Meet Ross Nodurft, the Executive Director of the Alliance for Digital Innovation. Ross dives in, explaining the evolution of FedRAMP controls and the recent, giant, AI Executive Order (EO) from the White House. Listen in to find out what this EO means for the government, the industry and the workforce as the U.S. attempts to implement policy ahead of AI innovation.\n\nKey Topics\n04:25 Increasing security controls for cloud migration\n07:51 Discussion about customer feedback and cloud migration.\n12:17 Encouraging commercial solutions into federal government securely.\n15:39 Artificial intelligence shaping policy for future technology.\n16:54 AI EO covers critical infrastructure, AI, data, immigration.\n22:34 Guidance on AI impact assessment and testing.\n27:02 AI tools adoption must not be delayed.\n30:03 Ensure AI technologies have fail-safe mechanisms.\n32:08 Concern over rapid pace of technological advances.\n34:29 AI and technology advancing, policy aims control.\n39:37 Fascinating book on technology and chip history.\n\nThe Future of Government Technology: Shifting to FedRAMP High and Accelerating Cloud Adoption\n\nShift from FedRAMP Moderate to High for Sensitive Workloads\n\nWhen FedRAMP was established over a decade ago, the focus was on managing the accreditation of emerging cloud infrastructure providers to support the initial 
migration of workloads. The baseline standard was FedRAMP Moderate, which addressed a \"good amount\" of security controls for less risky systems. However, Ross explains that increasing volumes of more sensitive workloads have moved to the cloud over time - including mission-critical systems and personal data. Consequently, agencies want to step up from Moderate to the more stringent requirements of FedRAMP High to protect higher-risk systems. This includes only allowing High-cloud services to interact with other High-cloud applications.\n\nThe Evolution of Cloud Computing: \"So right now, we're at the point where people are existing in thin clients that have access to targeted applications, but the back end compute power is kept somewhere else. It's just a completely different world that we're in architecturally.\" — Ross Nodurft\n\nThe Future of Government Technology: Streamlining FedRAMP for the SaaS-Powered Enterprise\n\nAccording to Ross, the COVID-19 pandemic massively accelerated enterprise cloud adoption and consumption of SaaS applications. With the abrupt shift to remote work, organizations rapidly deployed commercial solutions to meet new demands. In the federal government, this hastened the transition from an earlier focus on cloud platforms to widespread use of SaaS. Ross argues that FedRAMP has not evolved at pace to address the volume and type of SaaS solutions now prevalent across agencies. There is a need to streamline authorization pathways attuned to this expanding ecosystem of applications relying on standardized baseline security controls.\n\nHigh-level Security Controls for Sensitive Data in the Cloud\n\nAddressing Data Related to Students and Constituents\n\nRoss states that as agencies move more sensitive workloads to the cloud, they are stepping up security controls from FedRAMP Moderate to FedRAMP High. Sensitive data includes things like personal HR data or data that could impact markets, as with some of the work USDA does. 
Willie gives the example of the Department of Education or Federal Student Aid, which may have sensitive data on students that could warrant higher security controls when moved to the cloud.\n\nRoss confirms that is absolutely the case - the trend is for agencies to increase security as they shift more sensitive systems and data to the cloud, especially with remote work enabled by the pandemic. So agencies with data related to students, constituents, healthcare, financial transactions, etc. are deciding to utilize FedRAMP High or tailor Moderate with additional controls when migrating such workloads to ensure proper security and rights protections.\n\nThe Future of Government Technology: Navigating the Tradeoffs Between Cloud Innovation and Data Security\n\nAs Ross explains, FedRAMP High means you can only interact with other cloud applications that are also FedRAMP High. So there is segmentation occurring with more sensitive data and workloads being isolated via stricter security controls. However, he notes it is not a \"bull rush\" to FedRAMP High. Rather, agencies are steadily moving in cases where the sensitivity of the data warrants it.\n\nWillie then asks about the costs associated with these stricter cloud security authorizations, given even Moderate is expensive. Ross explains there are currently policy discussions underway about making FedRAMP more streamlined and cost-effective so that innovative commercial solutions can still sell to the government without having to completely re-architect their offerings just for these processes. The goal is balancing the accessibility of cloud solutions with appropriate security based on data sensitivity.\n\nModernizing Federal Government IT: \"We need to stop requiring companies to have their own completely separate over architected environment. 
We want commercial entities to sell commercially built and designed solutions into the federal government.\" — Ross Nodurft\n\nLaying the Groundwork: The AI Executive Order and the Future of Government Technology\n\nRobust Framework for Future Policy and Legal Development\n\nRoss states that the AI Executive Order is the biggest and most robust executive order he has seen. He explains that it attempts to get ahead of AI technology development by establishing a framework for future policy and legal development related to AI. Ross elaborates that there will need to be additional regulatory and legal work done, and the order aims to \"wrap its arms around\" AI enough to build further policy on the initial framework provided.\n\nAccording to Ross, the order covers a wide range of topics including AI in critical infrastructure, generative AI, immigration reform to support the AI workforce, and government use of AI. He mentions the order addresses critical infrastructure like pipelines, hospitals, transportation systems and more. It also covers immigration policy changes needed to ensure the U.S. has the talent to advance AI. Additionally, it focuses heavily on government consumption and deployment of AI.\n\nMapping the Future of Government Technology\n\nNavigating the Future of Government Technology\n\nThe AI executive order tasks the Office of Management and Budget (OMB) with developing guidance for federal agencies on the safe and secure adoption of AI. Specifically, Ross states that the order directs the Federal CIO and other administration officials to establish rules that allow government consumption of AI in a way that protects safety and rights. Before writing this guidance, the order specifies that OMB must consider the impacts of AI on safety-critical infrastructure as well as rights like privacy and fairness.\n\nRoss explains that OMB recently released draft guidance for public comment. He says this draft guidance contains several key components. 
First, it establishes AI governance requirements, directing every major federal agency to appoint a Chief AI Officer and create an AI council with agency leadership that will oversee adoption. Second, it mandates that agencies take inventory of existing AI use and develop plans detailing how they intend to utilize AI going forward.\n\nRequirements for Agencies to Appoint a Chief AI Officer\n\nAccording to Ross, a primary governance requirement in the OMB draft guidance is that all major agencies assign a Chief AI Officer to spearhead their efforts. Additionally, he notes that the guidance orders agencies to construct AI councils with membership spanning functions like IT, finance, HR and acquisition. Ross specifies that these councils will be led by the Deputy Secretary and Chief AI Officer of each department.\n\nThe Uncertain Future of Government Technology\n\nCollaboration, Prioritization of Assessments, Compliance, Monitoring and Validation\n\nRoss highlights the need for collaboration between industry and agencies to address issues like prioritization, timing, specifics of compliance, attestation and who pays for and validates assessments. The order pushes the use of AI but lacks specifics that could slow adoption of widely-used technologies with AI. Ross notes this could introduce friction, slowing productive technologies when faster digital services are demanded. Better defining compliance pathways is needed to avoid nervousness using AI.\n\nAI Ethics and Regulation: \"You've got to run as close to live testing as possible, you've got to have human people factored into the decision-making engines.\" — Ross Nodurft\n\nWhile embracing AI, the order does not detail how to facilitate adoption. Ross says this could cause confusion across agencies. His trade association ADI sees the need to add specifics around governance mechanisms to avoid inconsistencies. 
The lack of clarity risks friction and slowing AI incorporation, which Ross believes is imperative.\n\nBalancing Innovation and Responsibility in Emerging Technologies\n\nDemand for a Digital Environment and the Importance of Observability\n\nRoss states that there is a quick move towards a digital environment across all services, driven by demand from millennials, Gen X and Gen Z. He emphasizes that everything needs to have an app or digital access now to engage users. Ross then highlights how Dynatrace provides important observability of these new cloud-based architectures, allowing agencies to understand usage, interactions and performance. He argues this is essential to properly managing digital services.\n\nRoss worries that the new AI executive order guidance lacks specifics around compliance, which risks creating friction in adopting widely-used technologies like Dynatrace that have AI components. He states there is uncertainty whether tools like Dynatrace must be inventoried and assessed under the new policy. If so, there are many open questions around prioritization, timing, specific compliance activities, and who pays associated costs. Ross emphasizes that this uncertainty could hinder cloud adoption without more clarity.\n\nResponsibility and Control Over the Use of AI Technology\n\nRoss stresses that while AI technology enables incredible things, we have full control and responsibility over its uses. He states we must consider processes and safeguards that provide oversight and allow intervention over AI systems. Ross argues we cannot afford to deploy AI blindly, but highlights it is in our power to leverage these technologies to benefit humanity with appropriate guardrails.\n\nShaping the Future of Government Technology\n\nThe Future of Government Technology and Managing Change for Emerging Fields\n\nRoss asserts today there is greater intention around anticipating risks from emerging technology compared to past eras. 
He advocates for building off switches and review processes that allow understanding and course correction around new innovations like AI. Ross states this considered approach is essential for nanotechnology, quantum computing and other exponentially advancing fields.\n\nThe Influence of Artificial Intelligence in Policy and Legal Development: \"But artificial intelligence is now more than ever being built into everything that we do technologically.\" — Ross Nodurft\n\nRoss disputes the concern that AI will replace jobs, arguing instead it will shift skills required by humans. He provides examples of comparable historical technology shifts requiring new expertise, like transitioning from horses to locomotives. Ross states AI moves job responsibilities in different directions rather than eliminating careers, necessitating learning new tools and approaches.\n\nEstablishing Processes and Organizational Structures for the Future of Government Technology\n\nRoss highlights how the AI executive order establishes agency governance bodies to oversee adoption. He details required personnel like Chief AI Officers that must review and approve AI use. Ross states these processes aim to identify risks in using innovations like AI while still encouraging adoption. He argues this organizational oversight is a new paradigm essential for emerging technologies.\n\nAbout Our Guest\n\nRoss Nodurft is the Executive Director of the Alliance for Digital Innovation (ADI), a coalition of technology companies focused on bringing commercial, cloud-based solutions to the public sector. ADI focuses on promoting policies that enable IT modernization, cybersecurity, smarter acquisition and workforce development. Prior to joining ADI, Ross spent several years working with industry partners on technology and cybersecurity policy and several years in government, both in the executive and legislative branches, including Chief of the Office of Management and Budget's cyber team in the White House. 
Episode LinksExecutive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial IntelligenceFedRamp Turkey Gumbo RecipeChip War by Chris Miller","content_html":"

As technology rapidly innovates, it is essential we talk about technology policy. What better way to get in the know than to have an expert break it down for us? Meet Ross Nodurft, the Executive Director of the Alliance for Digital Innovation. Ross dives in, explaining the evolution of FedRAMP controls and the recent, giant, AI Executive Order (EO) from the White House. Listen in to find out what this EO means for the government, the industry and the workforce as the U.S. attempts to implement policy ahead of AI innovation.

Key Topics


The Future of Government Technology: Shifting to FedRAMP High and Accelerating Cloud Adoption

Shift from FedRAMP Moderate to High for Sensitive Workloads

When FedRAMP was established over a decade ago, the focus was on managing the accreditation of emerging cloud infrastructure providers to support the initial migration of workloads. The baseline standard was FedRAMP Moderate, which addressed a "good amount" of security controls for less risky systems. However, Ross explains that increasing volumes of more sensitive workloads have moved to the cloud over time - including mission-critical systems and personal data. Consequently, agencies want to step up from moderate to the more stringent requirements of FedRAMP High to protect higher-risk systems. This includes only allowing High-cloud services to interact with other High-cloud applications.

The Evolution of Cloud Computing: "So right now, we're at the point where people are existing in thin clients that have access to targeted applications, but the back end compute power is kept somewhere else. It's just a completely different world that we're in architecturally." — Ross Nodurft

The Future of Government Technology: Streamlining FedRAMP for the SaaS-Powered Enterprise

According to Ross, the COVID-19 pandemic massively accelerated enterprise cloud adoption and consumption of SaaS applications. With the abrupt shift to remote work, organizations rapidly deployed commercial solutions to meet new demands. In the federal government, this hastened the transition from an earlier focus on cloud platforms to widespread use of SaaS. Ross argues that FedRAMP has not evolved at pace to address the volume and type of SaaS solutions now prevalent across agencies. There is a need to streamline authorization pathways attuned to this expanding ecosystem of applications relying on standardized baseline security controls.

High-level Security Controls for Sensitive Data in the Cloud

Addressing Data Related to Students and Constituents

Ross states that as agencies move more sensitive workloads to the cloud, they are stepping up security controls from FedRAMP Moderate to FedRAMP High. Sensitive data includes things like personal HR data or data that could impact markets, as with some of the work USDA does. Willie gives the example of the Department of Education or Federal Student Aid, which may have sensitive data on students that could warrant higher security controls when moved to the cloud.

Ross confirms that is absolutely the case - the trend is for agencies to increase security as they shift more sensitive systems and data to the cloud, especially with remote work enabled by the pandemic. So agencies with data related to students, constituents, healthcare, financial transactions, etc. are deciding to utilize FedRAMP High or tailor Moderate with additional controls when migrating such workloads to ensure proper security and rights protections.

The Future of Government Technology: Navigating the Tradeoffs Between Cloud Innovation and Data Security

As Ross explains, FedRAMP High means you can only interact with other cloud applications that are also FedRAMP High. So there is segmentation occurring, with more sensitive data and workloads being isolated via stricter security controls. However, he notes it is not a "bull rush" to FedRAMP High. Rather, agencies are steadily moving in cases where the sensitivity of the data warrants it.

Willie then asks about the costs associated with these stricter cloud security authorizations, given even Moderate is expensive. Ross explains there are currently policy discussions underway about making FedRAMP more streamlined and cost-effective so that innovative commercial solutions can still sell to the government without having to completely re-architect their offerings just for these processes. The goal is balancing the accessibility of cloud solutions with appropriate security based on data sensitivity.

Modernizing Federal Government IT: "We need to stop requiring companies to have their own completely separate over architected environment. We want commercial entities to sell commercially built and designed solutions into the federal government." — Ross Nodurft

Laying the Groundwork: The AI Executive Order and the Future of Government Technology

Robust Framework for Future Policy and Legal Development

Ross states that the AI Executive Order is the biggest and most robust executive order he has seen. He explains that it attempts to get ahead of AI technology development by establishing a framework for future policy and legal development related to AI. Ross elaborates that there will need to be additional regulatory and legal work done, and the order aims to "wrap its arms around" AI enough to build further policy on the initial framework provided.

According to Ross, the order covers a wide range of topics including AI in critical infrastructure, generative AI, immigration reform to support the AI workforce, and government use of AI. He mentions the order addresses critical infrastructure like pipelines, hospitals, transportation systems and more. It also covers immigration policy changes needed to ensure the U.S. has the talent to advance AI. Additionally, it focuses heavily on government consumption and deployment of AI.

Mapping the Future of Government Technology

Navigating the Future of Government Technology

The AI executive order tasks the Office of Management and Budget (OMB) with developing guidance for federal agencies on the safe and secure adoption of AI. Specifically, Ross states that the order directs the Federal CIO and other administration officials to establish rules that allow government consumption of AI in a way that protects safety and rights. Before writing this guidance, the order specifies that OMB must consider the impacts of AI on safety-critical infrastructure as well as rights like privacy and fairness.

Ross explains that OMB recently released draft guidance for public comment. He says this draft guidance contains several key components. First, it establishes AI governance requirements, directing every major federal agency to appoint a Chief AI Officer and create an AI council with agency leadership that will oversee adoption. Second, it mandates that agencies take inventory of existing AI use and develop plans detailing how they intend to utilize AI going forward.

Requirements for Agencies to Appoint a Chief AI Officer

According to Ross, a primary governance requirement in the OMB draft guidance is that all major agencies assign a Chief AI Officer to spearhead their efforts. Additionally, he notes that the guidance orders agencies to construct AI councils with membership spanning functions like IT, finance, HR and acquisition. Ross specifies that these councils will be led by the Deputy Secretary and Chief AI Officer of each department.

The Uncertain Future of Government Technology

Collaboration, Prioritization of Assessments, Compliance, Monitoring and Validation

Ross highlights the need for collaboration between industry and agencies to address issues like prioritization, timing, specifics of compliance, attestation and who pays for and validates assessments. The order pushes the use of AI but lacks specifics, which could slow adoption of widely used technologies that include AI. Ross notes this could introduce friction, slowing productive technologies when faster digital services are demanded. Better-defined compliance pathways are needed to avoid nervousness about using AI.

AI Ethics and Regulation: "You've got to run as close to live testing as possible, you've got to have human people factored into the decision-making engines." — Ross Nodurft

While embracing AI, the order does not detail how to facilitate adoption. Ross says this could cause confusion across agencies. His trade association, ADI, sees the need to add specifics around governance mechanisms to avoid inconsistencies. The lack of clarity risks creating friction and slowing the incorporation of AI, which Ross believes is imperative.

Balancing Innovation and Responsibility in Emerging Technologies

Demand for a Digital Environment and the Importance of Observability

Ross states that there is a quick move towards a digital environment across all services, driven by demand from millennials, Gen X and Gen Z. He emphasizes that everything needs to have an app or digital access now to engage users. Ross then highlights how Dynatrace provides important observability of these new cloud-based architectures, allowing agencies to understand usage, interactions and performance. He argues this is essential to properly managing digital services.

Ross worries that the new AI executive order guidance lacks specifics around compliance, which risks creating friction in adopting widely-used technologies like Dynatrace that have AI components. He states there is uncertainty whether tools like Dynatrace must be inventoried and assessed under the new policy. If so, there are many open questions around prioritization, timing, specific compliance activities, and who pays associated costs. Ross emphasizes that this uncertainty could hinder cloud adoption without more clarity.

Responsibility and Control Over the Use of AI Technology

Ross stresses that while AI technology enables incredible things, we have full control and responsibility over its uses. He states we must consider processes and safeguards that provide oversight and allow intervention over AI systems. Ross argues we cannot afford to deploy AI blindly, but highlights it is in our power to leverage these technologies to benefit humanity with appropriate guardrails.

Shaping the Future of Government Technology

The Future of Government Technology and Managing Change for Emerging Fields

Ross asserts that today there is greater intention around anticipating risks from emerging technology compared to past eras. He advocates for building off-switches and review processes that allow understanding and course correction around new innovations like AI. Ross states this considered approach is essential for nanotechnology, quantum computing and other exponentially advancing fields.

The Influence of Artificial Intelligence in Policy and Legal Development: "But artificial intelligence is now more than ever being built into everything that we do technologically." — Ross Nodurft

Ross disputes the concern that AI will replace jobs, arguing instead it will shift skills required by humans. He provides examples of comparable historical technology shifts requiring new expertise, like transitioning from horses to locomotives. Ross states AI moves job responsibilities in different directions rather than eliminating careers, necessitating learning new tools and approaches.

Establishing Processes and Organizational Structures for the Future of Government Technology

Ross highlights how the AI executive order establishes agency governance bodies to oversee adoption. He details required personnel like Chief AI Officers that must review and approve AI use. Ross states these processes aim to identify risks in using innovations like AI while still encouraging adoption. He argues this organizational oversight is a new paradigm essential for emerging technologies.

About Our Guest

Ross Nodurft is the Executive Director of the Alliance for Digital Innovation (ADI), a coalition of technology companies focused on bringing commercial, cloud-based solutions to the public sector. ADI focuses on promoting policies that enable IT modernization, cybersecurity, smarter acquisition and workforce development. Prior to joining ADI, Ross spent several years working with industry partners on technology and cybersecurity policy and several years in government, both in the executive and legislative branches, including as Chief of the Office of Management and Budget's cyber team in the White House.

Episode Links


","summary":null,"date_published":"2023-12-06T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/9079993f-577e-459e-85f5-c5934437d5f9.mp3","mime_type":"audio/mpeg","size_in_bytes":60334672,"duration_in_seconds":2513}]},{"id":"465a5611-275f-41c2-aa41-521efab1c98d","title":"Episode 75: Patrick Johnson on Unlocking the Potential: Enhancing Cyber Workforce and Technology in the Department of Defense","url":"https://techtransforms.fireside.fm/75","content_text":"Have no fear, your new wingman is here! AI is by your side and ready to help you multiply your abilities. Patrick Johnson, Director of the Workforce Innovation Directorate at the DoD CIO discusses how his team is working to further implement AI ethically and safely in areas such as human capital to expedite finding talent. Patrick also shares his passion for building cyclical pipelines to ensure that talent, and ideas, flow seamlessly between the government and private sector. Join us as we dive further into AI’s benefits and how government and industry can be cyber workforce innovation partners.Key Topics02:06 Lag in civilian workforce training upscaling needed.03:19 Balancing talent, training and automation for better security.08:22 Leaders understand AI as a force multiplier.12:15 Our motivations are different; utilizing AI for advancement.15:25 AI used for maintenance, scheduling, monitoring issues. Embracing technology.18:35 Questioning impact of technology on workforce integration.21:45 Knowledge, skills, ability, competency. Task-focused performance. Workforce coding. Qualification program ensures necessary skill sets. Tracking mechanism being developed. 
Vast department with skill spread.25:26 Real-time data for proactive leadership and action.27:05 Retention strategy includes talent competition and permeability.30:36 Improving marketing for civilian DoD jobs.33:49 It works for all sectors, find talent.40:19 Government employees and veterans bring valuable skills.41:27 Promote supply, train, partner for innovation.45:33 Virtual reality: future of government services and museums.The DoD's Cyber WorkforceCyber Workforce Improvement Is CrucialPatrick states that the Department of Defense's (DoD's) total cyber workforce, comprising military, civilian and industry partner contractors, is around 225,000 people. He notes that the DoD has the biggest gap in the civilian cyber workforce, which makes up about 75,000 people. According to Patrick, one of the key problems when bringing new cybersecurity technologies online is failing to adequately train the existing workforce on how to use and get value from those technologies. Training and Upscaling the Current Cyber WorkforceRather than pursuing full re-skilling of employees which can set them back, Patrick advocates for upskilling the current DoD cyber workforce. This involves assessing talent and capability gaps. Then providing the workforce with the necessary training to perform new technologies appropriately. Patrick states that partnering workforce members with automated processes like AI can help them become more effective by highlighting key info and threats.The Importance of Training and Upscaling in the Cyber Workforce: \"Well, it's great to put new technology on the table. 
But if you don't take the time to train the workforce you have in the programs or the systems you're bringing online, you lose that effectiveness and you don't really gain the efficiencies or the objectives that you need to be.\"— Patrick JohnsonAutomation and AIAI Is Seen as a Partnership With the Human Cyber WorkforcePatrick views AI as a partnership with the human workforce rather than a threat. He emphasizes that AI should be seen as a \"wingman or wingperson\" that boosts productivity and acts as a force multiplier. Patrick explains that AI excels at rote, tedious tasks allowing the human workforce to focus more on creativity.AI Helps With Rote and Tedious TasksAccording to Patrick, AI is adept at attention-to-detail tasks that would be tedious for a human to manually perform. He provides the example of a cybersecurity analyst or defender whose productivity can be enhanced by AI highlighting anomalies in data that they should pay attention to. This allows them to catch more threats and intrusions coming through their systems.The Rise of AI and the Fear of Job Loss: \"AI can expedite that and do it really fast. It's about how do you fit in and use the technology that is there. So for individuals that are bent on just being one thing or doing a particular way, it's gonna be a struggle.\"— Patrick JohnsonAI as a Productivity MultiplierPatrick argues that all organizations are understaffed and says AI is like \"adding a person and a half\" to your existing workforce. In his view, this boosts productivity significantly if the technology is utilized correctly. He believes AI's capabilities in assisting with repetitive tasks allow human workers to focus more on creative problem-solving.AI as a Cyber Workforce MultiplierAI Applied in Various Industries With New Jobs and OpportunitiesPatrick explains that AI excels at automating repetitive, detail-oriented tasks, freeing up humans to focus on more creative responsibilities. 
As AI develops, Patrick believes new industries and opportunities will emerge. He references how industrial automation led to new maintenance jobs. Similarly, current AI advances likely indicate the rise of new industries needing workers to oversee AI systems.Harnessing Talent in the Digital Age: \"It'll work. If it works for cyber, why wouldn't it work for aviation, or why wouldn't it work for logistics? It's gonna work for just about any approach you wanna take.\"— Patrick JohnsonCurrent AI Advancements Focused On Non-creative TasksWillie agrees that true general AI with human-level creativity remains a distant prospect. He characterizes current AI as skilled at rote, non-creative work. While AI can simulate creativity by aggregating data, Willie argues it cannot independently demonstrate innovation as humans do. He believes consciousness and creativity constitute scientific frontiers we are far from unlocking in silicon.Ethical Use of AI in Western SocietiesEthical Considerations in Western SocietiesPatrick discusses how there is an ethical piece when it comes to AI and its use in Western societies. He notes that the DoD's Chief Digital and Artificial Intelligence Office, and their principal staff assistant, are really looking hard at the ethical use of AI. Patrick contrasts this to some of the department's peer competitors, without naming specific countries, who are not as worried about using AI ethically. He explains that in Western societies that have operated in a prosperous, peaceful way for almost 90 years, there is more concern about ethics with emerging technology like AI.U.S. is Known for Creativity and InnovationPatrick talks about how one of the strengths of the U.S. as a nation is the focus on creativity, innovation and free thinking. He says these characteristics allow new technologies to fully prosper and reach their potential. 
Unlike in some other systems where there may be more ulterior motives from the state or ruling party that limit capabilities. Patrick notes that some other countries utilize AI for better understanding their citizens, monitoring people and tracking behaviors without as much ethical concern. AI in the Defense DepartmentDoD Exploring AI in Maintenance Schedules and Issue TrackingPatrick notes that the Defense Department is currently using AI in enclosed systems to improve maintenance schedules and track issues. He explains that this allows them to leverage AI to expedite when certain maintenance actions need to be taken and monitor problems. While the department is still in the early stages of incorporating AI, Patrick emphasizes they are embracing it for these types of automatable tasks rather than avoiding it due to security concerns.Embracing AI While Avoiding Security RisksWhen discussing AI, Patrick acknowledges there are legitimate security worries given the sensitive nature of the Defense Department's systems and environment. However, he states these concerns should not deter the department from bringing AI capabilities to the forefront. Patrick argues the department needs to find ways to ethically and safely integrate AI so it does not pose risks. He mentions this is an area of focus for the Chief Digital and Artificial Intelligence Office.The Role of AI in Cybersecurity: \"It really is about looking at your talent and your gaps and then giving them the training they need to execute the new technology, appropriately.\"— Patrick JohnsonAI Used to Automate Human Capital TasksIn terms of human capital functions, Patrick highlights how the department is already employing AI to streamline and automate certain talent management processes. For example, he explains they are using AI-enabled systems to expedite applicant-job matching and make hiring more efficient. 
Additionally, Patrick notes AI is helping align training offerings and certifications to the workforce skill gaps the department needs to fill. He emphasizes these applications demonstrate the promise of AI in automating tedious tasks that would normally take humans much longer to accomplish manually.Measuring Impact and Maintaining Cyber Workforce Technology BalanceUsing AI to Measure Program ImpactPatrick explains that they are using AI to track metrics like attrition rates, vacancy rates, losses and gains. This allows them to do predictive analysis to project future vacancy rates and take proactive action when needed. For example, Patrick can put up real-time data for leadership showing that if no action is taken, vacancy rates could rise from 17% to 37% in two years. This prompts leadership to address gaps proactively before problems become severe. Patrick envisions AI having an even greater impact by identifying talent gaps across the department and giving the services enough lead time to ramp up training programs accordingly.Balancing Cyber Workforce and TechnologyTo balance workforce and technology, Patrick emphasizes the need to train the current workforce on new systems and technologies rather than expecting them to instantly adapt. He uses the example of implementing Zero Trust security, noting that deploying the technology alone is not enough if the workforce is not properly trained to leverage and maximize it. Patrick believes AI should be viewed as a \"wingman\" to augment human capabilities rather than replace jobs. Proper AI integration requires change management and culture change around utilizing automation.Tracking Skills With 8140 Qualification ProgramThe 8140 qualification program tracks skillsets needed to perform critical cyber work roles across the department. By coding the entire military and civilian cyber workforce with work roles rather than just competencies, they gain visibility into the location of talent gaps. 
Work roles also allow them to incentivize critical positions rapidly. As they collect more workforce data, this program will enable sophisticated predictive analytics to get ahead of future talent and skill deficits.About Our GuestMr. Patrick Johnson serves as the Director of the Cyber Workforce Management Directorate in the Office of the Deputy CIO for Resources and Analysis, Department of Defense (DoD) CIO.In his role as Director, Mr. Johnson leads a dynamic team responsible for the Directorate’s expansive workforce management portfolio and program development supporting the broader talent management lifecycle for the Department’s cyberspace workforce. Directorate initiatives include the DoD Cyber Workforce Framework (DCWF) expansion, training and education program development (Cyber Scholarship, Cyber Exchange, etc.), Cyber Workforce Management Board (CWMB) facilitation, Cyber Excepted Service (CES) Personnel System, and the 8140 policy series implementation which establish enterprise baseline standards and requirements according to DCWF work role(s). At the OSD level, the Cyber Workforce Directorate's role is to leverage authorities and provide Department stakeholders with policies, programs, and tools to effectively recruit and retain a highly skilled cyberspace workforce.Mr. Johnson previously served as the Chief, DoD Cyber Excepted Service where his leadership played a pivotal role in the development and implementation of the Cyber Excepted Service Personnel System, and ultimately mission expansion into today’s Cyber Workforce Directorate.Mr. Johnson entered federal service in 2011, following more than 24 years of service in the U.S. Army. Prior to becoming the Director of the DoD CIO Cyber Workforce, Mr. Johnson served in a variety of positions in the Department, rising to his position today from his first role as Intelligence Combat Developer, with the U.S. Army Intelligence and Security Command (INSCOM). In his expansive civil service career Mr. 
Johnson has also served as Deputy Director, Military Personnel DLA; Cyber Integrator, OSD Personnel and Readiness (P&R); Senior Program Manager (Retention), Deputy Chief of Staff Army G-1.Mr. Johnson spent his early career in the U.S. Army, serving as a Military Policeman, Protective Service Agent, Military Police Investigator, and Career Counselor culminating in his role as Special Liaison with U.S. Army Intelligence Support Activity within the Joint Special Operations Command (JSOC).Episode LinksTech Transforms Ep. 69 with Jon PelsonGuardians of the Galaxy Vol. 3Star Wars VR Games","content_html":"

Have no fear, your new wingman is here! AI is by your side and ready to help you multiply your abilities. Patrick Johnson, Director of the Workforce Innovation Directorate at the DoD CIO discusses how his team is working to further implement AI ethically and safely in areas such as human capital to expedite finding talent. Patrick also shares his passion for building cyclical pipelines to ensure that talent, and ideas, flow seamlessly between the government and private sector. Join us as we dive further into AI’s benefits and how government and industry can be cyber workforce innovation partners.

Key Topics


The DoD's Cyber Workforce

Cyber Workforce Improvement Is Crucial

Patrick states that the Department of Defense's (DoD's) total cyber workforce, comprising military, civilian and industry partner contractors, is around 225,000 people. He notes that the DoD has the biggest gap in the civilian cyber workforce, which makes up about 75,000 people. According to Patrick, one of the key problems when bringing new cybersecurity technologies online is failing to adequately train the existing workforce on how to use and get value from those technologies.

Training and Upscaling the Current Cyber Workforce

Rather than pursuing full re-skilling of employees, which can set them back, Patrick advocates for upskilling the current DoD cyber workforce. This involves assessing talent and capability gaps, then providing the workforce with the training needed to use new technologies appropriately. Patrick states that partnering workforce members with automated processes like AI can help them become more effective by highlighting key info and threats.

The Importance of Training and Upscaling in the Cyber Workforce: "Well, it's great to put new technology on the table. But if you don't take the time to train the workforce you have in the programs or the systems you're bringing online, you lose that effectiveness and you don't really gain the efficiencies or the objectives that you need to be." — Patrick Johnson

Automation and AI

AI Is Seen as a Partnership With the Human Cyber Workforce

Patrick views AI as a partnership with the human workforce rather than a threat. He emphasizes that AI should be seen as a "wingman or wingperson" that boosts productivity and acts as a force multiplier. Patrick explains that AI excels at rote, tedious tasks, allowing the human workforce to focus more on creativity.

AI Helps With Rote and Tedious Tasks

According to Patrick, AI is adept at attention-to-detail tasks that would be tedious for a human to manually perform. He provides the example of a cybersecurity analyst or defender whose productivity can be enhanced by AI highlighting anomalies in data that they should pay attention to. This allows them to catch more threats and intrusions coming through their systems.

The Rise of AI and the Fear of Job Loss: "AI can expedite that and do it really fast. It's about how do you fit in and use the technology that is there. So for individuals that are bent on just being one thing or doing a particular way, it's gonna be a struggle." — Patrick Johnson

AI as a Productivity Multiplier

Patrick argues that all organizations are understaffed and says AI is like "adding a person and a half" to your existing workforce. In his view, this boosts productivity significantly if the technology is utilized correctly. He believes AI's capabilities in assisting with repetitive tasks allow human workers to focus more on creative problem-solving.

AI as a Cyber Workforce Multiplier

AI Applied in Various Industries With New Jobs and Opportunities

Patrick explains that AI excels at automating repetitive, detail-oriented tasks, freeing up humans to focus on more creative responsibilities. As AI develops, Patrick believes new industries and opportunities will emerge. He references how industrial automation led to new maintenance jobs. Similarly, current AI advances likely indicate the rise of new industries needing workers to oversee AI systems.

Harnessing Talent in the Digital Age: "It'll work. If it works for cyber, why wouldn't it work for aviation, or why wouldn't it work for logistics? It's gonna work for just about any approach you wanna take." — Patrick Johnson

Current AI Advancements Focused On Non-creative Tasks

Willie agrees that true general AI with human-level creativity remains a distant prospect. He characterizes current AI as skilled at rote, non-creative work. While AI can simulate creativity by aggregating data, Willie argues it cannot independently demonstrate innovation as humans do. He believes consciousness and creativity constitute scientific frontiers we are far from unlocking in silicon.

Ethical Use of AI in Western Societies

Ethical Considerations in Western Societies

Patrick discusses how there is an ethical piece when it comes to AI and its use in Western societies. He notes that the DoD's Chief Digital and Artificial Intelligence Office, and their principal staff assistant, are really looking hard at the ethical use of AI. Patrick contrasts this to some of the department's peer competitors, without naming specific countries, who are not as worried about using AI ethically. He explains that in Western societies that have operated in a prosperous, peaceful way for almost 90 years, there is more concern about ethics with emerging technology like AI.

U.S. is Known for Creativity and Innovation

Patrick talks about how one of the strengths of the U.S. as a nation is the focus on creativity, innovation and free thinking. He says these characteristics allow new technologies to fully prosper and reach their potential, unlike in some other systems where there may be more ulterior motives from the state or ruling party that limit capabilities. Patrick notes that some other countries utilize AI for better understanding their citizens, monitoring people and tracking behaviors without as much ethical concern.

AI in the Defense Department

DoD Exploring AI in Maintenance Schedules and Issue Tracking

Patrick notes that the Defense Department is currently using AI in enclosed systems to improve maintenance schedules and track issues. He explains that this allows them to leverage AI to expedite when certain maintenance actions need to be taken and monitor problems. While the department is still in the early stages of incorporating AI, Patrick emphasizes they are embracing it for these types of automatable tasks rather than avoiding it due to security concerns.

Embracing AI While Avoiding Security Risks

When discussing AI, Patrick acknowledges there are legitimate security worries given the sensitive nature of the Defense Department's systems and environment. However, he states these concerns should not deter the department from bringing AI capabilities to the forefront. Patrick argues the department needs to find ways to ethically and safely integrate AI so it does not pose risks. He mentions this is an area of focus for the Chief Digital and Artificial Intelligence Office.

The Role of AI in Cybersecurity: "It really is about looking at your talent and your gaps and then giving them the training they need to execute the new technology, appropriately."— Patrick Johnson

AI Used to Automate Human Capital Tasks

In terms of human capital functions, Patrick highlights how the department is already employing AI to streamline and automate certain talent management processes. For example, he explains they are using AI-enabled systems to expedite applicant-job matching and make hiring more efficient. Additionally, Patrick notes AI is helping align training offerings and certifications to the workforce skill gaps the department needs to fill. He emphasizes these applications demonstrate the promise of AI in automating tedious tasks that would normally take humans much longer to accomplish manually.

Measuring Impact and Maintaining Cyber Workforce Technology Balance

Using AI to Measure Program Impact

Patrick explains that they are using AI to track metrics like attrition rates, vacancy rates, losses and gains. This allows them to do predictive analysis to project future vacancy rates and take proactive action when needed. For example, Patrick can put up real-time data for leadership showing that if no action is taken, vacancy rates could rise from 17% to 37% in two years. This prompts leadership to address gaps proactively before problems become severe. Patrick envisions AI having an even greater impact by identifying talent gaps across the department and giving the services enough lead time to ramp up training programs accordingly.

Balancing Cyber Workforce and Technology

To balance workforce and technology, Patrick emphasizes the need to train the current workforce on new systems and technologies rather than expecting them to instantly adapt. He uses the example of implementing Zero Trust security, noting that deploying the technology alone is not enough if the workforce is not properly trained to leverage and maximize it. Patrick believes AI should be viewed as a "wingman" to augment human capabilities rather than replace jobs. Proper AI integration requires change management and culture change around utilizing automation.

Tracking Skills With 8140 Qualification Program

The 8140 qualification program tracks skillsets needed to perform critical cyber work roles across the department. By coding the entire military and civilian cyber workforce with work roles rather than just competencies, they gain visibility into the location of talent gaps. Work roles also allow them to incentivize critical positions rapidly. As they collect more workforce data, this program will enable sophisticated predictive analytics to get ahead of future talent and skill deficits.

About Our Guest

Mr. Patrick Johnson serves as the Director of the Cyber Workforce Management Directorate in the Office of the Deputy CIO for Resources and Analysis, Department of Defense (DoD) CIO.

In his role as Director, Mr. Johnson leads a dynamic team responsible for the Directorate’s expansive workforce management portfolio and program development supporting the broader talent management lifecycle for the Department’s cyberspace workforce. Directorate initiatives include the DoD Cyber Workforce Framework (DCWF) expansion, training and education program development (Cyber Scholarship, Cyber Exchange, etc.), Cyber Workforce Management Board (CWMB) facilitation, Cyber Excepted Service (CES) Personnel System, and the 8140 policy series implementation, which establishes enterprise baseline standards and requirements according to DCWF work role(s). At the OSD level, the Cyber Workforce Directorate's role is to leverage authorities and provide Department stakeholders with policies, programs, and tools to effectively recruit and retain a highly skilled cyberspace workforce.

Mr. Johnson previously served as the Chief, DoD Cyber Excepted Service where his leadership played a pivotal role in the development and implementation of the Cyber Excepted Service Personnel System, and ultimately mission expansion into today’s Cyber Workforce Directorate.

Mr. Johnson entered federal service in 2011, following more than 24 years of service in the U.S. Army. Prior to becoming the Director of the DoD CIO Cyber Workforce, Mr. Johnson served in a variety of positions in the Department, rising to his position today from his first role as Intelligence Combat Developer, with the U.S. Army Intelligence and Security Command (INSCOM). In his expansive civil service career Mr. Johnson has also served as Deputy Director, Military Personnel DLA; Cyber Integrator, OSD Personnel and Readiness (P&R); Senior Program Manager (Retention), Deputy Chief of Staff Army G-1.

Mr. Johnson spent his early career in the U.S. Army, serving as a Military Policeman, Protective Service Agent, Military Police Investigator, and Career Counselor culminating in his role as Special Liaison with U.S. Army Intelligence Support Activity within the Joint Special Operations Command (JSOC).

Episode Links


","summary":null,"date_published":"2023-11-29T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/bcfdc58b-e16c-444c-baff-f5547f38ea48.mp3","mime_type":"audio/mpeg","size_in_bytes":67618474,"duration_in_seconds":2816}]},{"id":"cdfac3ae-3751-4538-a1b9-edec74a0c2a5","title":"Episode 74: Unraveling SBOM Challenges: AI, Transparency and Policy Perspectives in Software Security","url":"https://techtransforms.fireside.fm/74","content_text":"Meet the man on a mission to make software bills of materials (SBOMs) boring. In this So What? episode, Tracy Bannon and Carolyn Ford sit down with Allan Friedman, the Senior Advisor and Strategist at the Cybersecurity and Infrastructure Security Agency (CISA). Allan tells us about how he is working to change how all software on the planet is made and sold, no big deal, right? Join us as we dive into the world of SBOMs, xBoMs, and Secure by Design.\n\nKey Topics\n\n03:59 Track open source licenses, establish shared vision.\n08:47 Discussing US government requirements, diversity in software.\n12:07 Framework helps organizations with secure software development.\n13:49 Organizations unaffected, prepare for impending software changes.\n17:40 Concerns about sharing software with potential security risks.\n20:59 Concerns about network security and regulatory pushback.\n24:14 Enhanced security measures save thousands of hours.\n27:53 Applying AI and data BOMs in conversation.\n32:38 Discusses the importance of SBOM in cybersecurity.\n36:29 Rewriting global code is a complex task.\n39:39 At RSA, little focus on secure design.\n41:53 Organization's need for SBOM, call to action.\n43:55 Cooking for diverse family, diverse food requirements.\n\nChallenges and Implementation of SBOMs\n\nSelf-Attestation for SBOMs\n\nAllan Friedman explained that there is currently a self-attestation model for SBOMs, where companies can sign a form stating that they have implemented SBOMs, rather than providing the actual SBOM data. 
This allows flexibility for organizations that are not yet ready to fully comply. However, it means buyers have to trust the attestation rather than seeing the SBOM details directly.\n\nSecure Software Development Model Compliance: \"The challenge there is turning the framework back into a compliance model. Because, again, at the end of the day, everyone wants to think about things. Right? Understand your risk, but you still need to make that yes or no decision.\"— Allan Friedman\n\nTracy Bannon noted some companies have concerns about sharing their SBOM data with customers, worrying that the customer may not have secure enough practices to properly protect the SBOM. Allan Friedman explained SBOMs do not need to be public - they can be shared privately between supplier and customer. Known unknowns in the SBOM can also help address concerns about revealing proprietary information.\n\nDebate About the Risk of Sharing SBOMs as a Road Map for Attackers\n\nAllan Friedman argued that sophisticated attackers likely do not need the SBOM, as they have other ways to analyze and reverse engineer software. Automated attacks also do not leverage SBOMs. He noted defenders actually need the visibility an SBOM provides into components and dependencies. There may be some risk of exposing attack surface, but the benefits seem to outweigh that.\n\nThe Importance of SBOM for Product Security: \"If we had this, we had SBOM across our products today, it would save us thousands of hours a year. Because whenever the next Log4j comes out, if you have a centralized machine readable, scannable system, it's not that hard.\" — Allan Friedman\n\nAllan Friedman noted there has been some lobbyist pushback against SBOM mandates, often coming from trade associations funded by companies already implementing SBOMs. 
He said while healthy debate is good, many of the lobbyist complaints seem misguided or overblown.\n\nThe Potential Role of AI in Creating SBOMs and Its Implications for Security\n\nCarolyn Ford asked whether AI could help automate SBOM creation, especially for legacy systems. Tracy Bannon cautioned that AI is not yet at the point where it can reliably generate code or understand large complex contexts. AI may eventually assist, but currently is not ready to take on SBOM tasks. As AI is software, it needs to be secured using the same best practices as other code.\n\nTracy Bannon explained SBOM implementation may be harder for organizations with large legacy codebases and multiple complex or siloed systems. However, even newer companies can struggle if they have not built SBOM processes into their SDLC. Allan Friedman noted while costs exist, especially for older systems, SBOMs ultimately save defender time and money.\n\nBenefits of Better Engineering Processes\n\nAllan Friedman said some organizations view SBOM mandates positively, as it gives them budget and justification to reengineer antiquated processes. Overall, SBOMs provide incentives and reasons to follow modern secure software practices.\n\nTracy Bannon emphasized that any mandated change involves costs, which need to be acknowledged. But driving adoption of SBOMs and secure development practices is still an important improvement goal. Organizations should be supported in this transition.\n\nGovernment Requirements and Standards\n\nComplexities of US Government Requirements for Software\n\nAllan explains that the executive order issued requirements that all software sold to the US government would need to meet certain security practices, like having separate development and build environments and using multi-factor authentication. While these may seem basic, turning the NIST framework into concrete compliance requirements has been challenging. The government pushed for a quick definition of SBOMs, while agencies said it would take months. 
There's a need to balance the push for progress with the realities of implementing changes across complex legacy systems.\n\nOpen Source License Tracking: \"And if you're an organization, you need to track which open source licenses are you using both in your open source and your code because there are strong rules for some of them.\"— Allan Friedman\n\nFor some parts of the software world, Allan notes that SBOMs are already considered standard practice. Modern developers with continuous integration pipelines can easily generate SBOMs automatically. The challenge is bringing along the organizations still using legacy tools and processes. Widespread adoption will take time. The goal is for SBOMs to become a boring, expected part of software delivery that doesn't require much discussion.\n\nTimeline and Process Following the Executive Order\n\nThe 2021 cybersecurity executive order mandated the use of SBOMs but didn't define what they were. After pushing for a faster timeline, the government issued a minimum definition of SBOMs within 60 days. NIST then updated their secure software development framework with guidance. The next step is moving from framework to compliance model, with self-attestation as a starting point until more formal requirements are in place across agencies.\n\nThe executive order mandated SBOMs but didn't define them, so the government had to quickly issue a minimum definition of what constitutes an SBOM. This was a challenging process that required balancing perspectives from across government and industry. The public and private sectors need a shared understanding of what SBOMs are as adoption spreads.\n\nConcerns and Solutions\n\nConcerns From Corporations and Suppliers About Revealing Proprietary Information\n\nAllan acknowledges there are concerns from some corporations and suppliers that providing an SBOM could reveal proprietary intellectual property or special sauce in their software products. 
Many organizations want to avoid exposing their competitive advantage or secret methods. Allan says the SBOMs do not need to be public - they can be shared directly and privately with the customer purchasing the software. There are also ways to designate known unknowns or gaps in the SBOM data.\n\nThe Importance of Software Bill of Materials (SBOM): \"We're building the plane while we're flying it.\"— Allan Friedman\n\nTracy raises the concern she has heard that requiring companies to share SBOMs with customers could potentially expose their intellectual property if those SBOMs are not properly secured. She notes there have been many high-profile data breaches lately. This means vendors may be wary about sharing an SBOM with a customer if they lack confidence in that customer's data security practices. There needs to be trust between the entities exchanging SBOMs.\n\nClaims Regarding the Majority of SBOM Content Not Being Secretive\n\nIn response to concerns about IP exposure, Allan argues that for most large software projects, the bulk of what is contained in an SBOM does not represent core proprietary IP or secret sauce. As an example, he says that just listing common third-party libraries used does not reveal a competitive advantage. So fears about SBOMs leaking meaningful intellectual property may be overblown.\n\nGiven the valid concerns around proprietary code exposure and SBOM generation limitations, Allan advocates for the concept of designating \"known unknowns\". This would allow software providers to specify areas of the codebase or supply chain that have incomplete SBOM data due to proprietary restrictions or tooling gaps. Known unknowns enable transparency about the boundaries of SBOM coverage.\n\nSoftware Supply Chain Security and SBOMs\n\nBuffer Overflows and Memory Unsafety in Programming Languages\n\nAllan Friedman explained that a large percentage of vulnerabilities arise from memory issues. 
Buffer overflows are a simple example, but there are thousands of variants that allow attackers to execute malicious instructions by tricking a system into accessing attacker-controlled memory regions. This memory unsafety occurs primarily in languages like C and C++ that lack memory safety protections.\n\nGiven the risks from memory unsafety, Friedman discussed CISA's vision of pushing more secure software development through the use of memory-safe languages. Languages like Rust and Go provide memory safety protections that prevent common categories of vulnerabilities. However, rewriting major legacy codebases will take time. CISA is exploring partnerships and incentives to accelerate adoption of memory-safe languages over the long term.\n\nGroup Dealing With a Large Ada Code Base and Other Languages\n\nTracy Bannon noted that some organizations, unfortunately, cut budgets by avoiding automated testing in favor of manual testing. But requirements like SBOMs remove excuses to not invest in automated processes and improved engineering.\n\nTracy Bannon mentioned there are ongoing conversations with the Department of Defense around extending the SBOM concept to data through \"data BOMs.\" While AI and algorithms are software, data artifacts like model cards and data cards also need supply chain transparency.\n\nBannon highlighted that she works with a group managing a complex codebase including not only a substantial amount of Ada, but 13 other languages layered onto the system. This exemplifies the challenges of legacy systems.\n\nFriedman explained that CISA's director and CISO have been pushing the secure by design initiative to make software more inherently secure out of the box. He provided examples like moving away from hardening guides and instead selling software locked down, with optional integration instructions.\n\nAbout Our Guest\n\nAllan Friedman is a Senior Advisor and Strategist at the Cybersecurity and Infrastructure Security Agency (CISA). 
He coordinates the global cross-sector community efforts around software bill of materials (SBOM). He was previously the Director of Cybersecurity Initiatives at NTIA, leading pioneering work on vulnerability disclosure, SBOM, and other security topics. Prior to joining the Federal government, Friedman spent over a decade as a noted information security and technology policy scholar at Harvard’s Computer Science Department, the Brookings Institution, and George Washington University’s Engineering School. He is the co-author of the popular text Cybersecurity and Cyberwar: What Everyone Needs to Know, has a C.S. degree from Swarthmore College, and a Ph.D. from Harvard University.\n\nEpisode Links\n\nExecutive Order on Improving the Nation’s Cybersecurity\nCISA’s Software Bill of Materials (SBOM) Page\nCISA Blog from Christine Lai and Dr. Jonathan Spring\nAllspice Dram in Cocktails","content_html":"

Meet the man on a mission to make software bills of materials (SBOMs) boring. In this So What? episode, Tracy Bannon and Carolyn Ford sit down with Allan Friedman, the Senior Advisor and Strategist at the Cybersecurity and Infrastructure Security Agency (CISA). Allan tells us about how he is working to change how all software on the planet is made and sold, no big deal, right? Join us as we dive into the world of SBOMs, xBoMs, and Secure by Design.

Key Topics


Challenges and Implementation of SBOMs

Self-Attestation for SBOMs

Allan Friedman explained that there is currently a self-attestation model for SBOMs, where companies can sign a form stating that they have implemented SBOMs, rather than providing the actual SBOM data. This allows flexibility for organizations that are not yet ready to fully comply. However, it means buyers have to trust the attestation rather than seeing the SBOM details directly.

Secure Software Development Model Compliance: "The challenge there is turning the framework back into a compliance model. Because, again, at the end of the day, everyone wants to think about things. Right? Understand your risk, but you still need to make that yes or no decision."— Allan Friedman

Tracy Bannon noted some companies have concerns about sharing their SBOM data with customers, worrying that the customer may not have secure enough practices to properly protect the SBOM. Allan Friedman explained SBOMs do not need to be public - they can be shared privately between supplier and customer. Known unknowns in the SBOM can also help address concerns about revealing proprietary information.

Debate About the Risk of Sharing SBOMs as a Road Map for Attackers

Allan Friedman argued that sophisticated attackers likely do not need the SBOM, as they have other ways to analyze and reverse engineer software. Automated attacks also do not leverage SBOMs. He noted defenders actually need the visibility an SBOM provides into components and dependencies. There may be some risk of exposing attack surface, but the benefits seem to outweigh that.

The Importance of SBOM for Product Security: "If we had this, we had SBOM across our products today, it would save us thousands of hours a year. Because whenever the next Log4j comes out, if you have a centralized machine readable, scannable system, it's not that hard." — Allan Friedman

Allan Friedman noted there has been some lobbyist pushback against SBOM mandates, often coming from trade associations funded by companies already implementing SBOMs. He said while healthy debate is good, many of the lobbyist complaints seem misguided or overblown.

The Potential Role of AI in Creating SBOMs and Its Implications for Security

Carolyn Ford asked whether AI could help automate SBOM creation, especially for legacy systems. Tracy Bannon cautioned that AI is not yet at the point where it can reliably generate code or understand large complex contexts. AI may eventually assist, but currently is not ready to take on SBOM tasks. As AI is software, it needs to be secured using the same best practices as other code.

Tracy Bannon explained SBOM implementation may be harder for organizations with large legacy codebases and multiple complex or siloed systems. However, even newer companies can struggle if they have not built SBOM processes into their SDLC. Allan Friedman noted while costs exist, especially for older systems, SBOMs ultimately save defender time and money.

Benefits of Better Engineering Processes

Allan Friedman said some organizations view SBOM mandates positively, as it gives them budget and justification to reengineer antiquated processes. Overall, SBOMs provide incentives and reasons to follow modern secure software practices.

Tracy Bannon emphasized that any mandated change involves costs, which need to be acknowledged. But driving adoption of SBOMs and secure development practices is still an important improvement goal. Organizations should be supported in this transition.

Government Requirements and Standards

Complexities of US Government Requirements for Software

Allan explains that the executive order issued requirements that all software sold to the US government would need to meet certain security practices, like having separate development and build environments and using multi-factor authentication. While these may seem basic, turning the NIST framework into concrete compliance requirements has been challenging. The government pushed for a quick definition of SBOMs, while agencies said it would take months. There's a need to balance the push for progress with the realities of implementing changes across complex legacy systems.

Open Source License Tracking: "And if you're an organization, you need to track which open source licenses are you using both in your open source and your code because there are strong rules for some of them."— Allan Friedman

For some parts of the software world, Allan notes that SBOMs are already considered standard practice. Modern developers with continuous integration pipelines can easily generate SBOMs automatically. The challenge is bringing along the organizations still using legacy tools and processes. Widespread adoption will take time. The goal is for SBOMs to become a boring, expected part of software delivery that doesn't require much discussion.

Timeline and Process Following the Executive Order

The 2021 cybersecurity executive order mandated the use of SBOMs but didn't define what they were. After pushing for a faster timeline, the government issued a minimum definition of SBOMs within 60 days. NIST then updated their secure software development framework with guidance. The next step is moving from framework to compliance model, with self-attestation as a starting point until more formal requirements are in place across agencies.

The executive order mandated SBOMs but didn't define them, so the government had to quickly issue a minimum definition of what constitutes an SBOM. This was a challenging process that required balancing perspectives from across government and industry. The public and private sectors need a shared understanding of what SBOMs are as adoption spreads.

Concerns and Solutions

Concerns From Corporations and Suppliers About Revealing Proprietary Information

Allan acknowledges there are concerns from some corporations and suppliers that providing an SBOM could reveal proprietary intellectual property or special sauce in their software products. Many organizations want to avoid exposing their competitive advantage or secret methods. Allan says the SBOMs do not need to be public - they can be shared directly and privately with the customer purchasing the software. There are also ways to designate known unknowns or gaps in the SBOM data.

The Importance of Software Bill of Materials (SBOM): "We're building the plane while we're flying it."— Allan Friedman

Tracy raises the concern she has heard that requiring companies to share SBOMs with customers could potentially expose their intellectual property if those SBOMs are not properly secured. She notes there have been many high-profile data breaches lately. This means vendors may be wary about sharing an SBOM with a customer if they lack confidence in that customer's data security practices. There needs to be trust between the entities exchanging SBOMs.

Claims Regarding the Majority of SBOM Content Not Being Secretive

In response to concerns about IP exposure, Allan argues that for most large software projects, the bulk of what is contained in an SBOM does not represent core proprietary IP or secret sauce. As an example, he says that just listing common third-party libraries used does not reveal a competitive advantage. So fears about SBOMs leaking meaningful intellectual property may be overblown.

Given the valid concerns around proprietary code exposure and SBOM generation limitations, Allan advocates for the concept of designating "known unknowns". This would allow software providers to specify areas of the codebase or supply chain that have incomplete SBOM data due to proprietary restrictions or tooling gaps. Known unknowns enable transparency about the boundaries of SBOM coverage.

Software Supply Chain Security and SBOMs

Buffer Overflows and Memory Unsafety in Programming Languages

Allan Friedman explained that a large percentage of vulnerabilities arise from memory issues. Buffer overflows are a simple example, but there are thousands of variants that allow attackers to execute malicious instructions by tricking a system into accessing attacker-controlled memory regions. This memory unsafety occurs primarily in languages like C and C++ that lack memory safety protections.

Given the risks from memory unsafety, Friedman discussed CISA's vision of pushing more secure software development through the use of memory-safe languages. Languages like Rust and Go provide memory safety protections that prevent common categories of vulnerabilities. However, rewriting major legacy codebases will take time. CISA is exploring partnerships and incentives to accelerate adoption of memory-safe languages over the long term.

Group Dealing With a Large Ada Code Base and Other Languages

Tracy Bannon noted that some organizations, unfortunately, cut budgets by avoiding automated testing in favor of manual testing. But requirements like SBOMs remove excuses to not invest in automated processes and improved engineering.

Tracy Bannon mentioned there are ongoing conversations with the Department of Defense around extending the SBOM concept to data through "data BOMs." While AI and algorithms are software, data artifacts like model cards and data cards also need supply chain transparency.

Bannon highlighted that she works with a group managing a complex codebase including not only a substantial amount of Ada, but 13 other languages layered onto the system. This exemplifies the challenges of legacy systems.

Friedman explained that CISA's director and CISO have been pushing the secure by design initiative to make software more inherently secure out of the box. He provided examples like moving away from hardening guides and instead selling software locked down, with optional integration instructions.

About Our Guest

Allan Friedman is a Senior Advisor and Strategist at the Cybersecurity and Infrastructure Security Agency (CISA). He coordinates the global cross-sector community efforts around software bill of materials (SBOM). He was previously the Director of Cybersecurity Initiatives at NTIA, leading pioneering work on vulnerability disclosure, SBOM, and other security topics. Prior to joining the Federal government, Friedman spent over a decade as a noted information security and technology policy scholar at Harvard’s Computer Science Department, the Brookings Institution, and George Washington University’s Engineering School. He is the co-author of the popular text Cybersecurity and Cyberwar: What Everyone Needs to Know, has a C.S. degree from Swarthmore College, and a Ph.D. from Harvard University.

Episode Links


","summary":null,"date_published":"2023-11-15T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/6d86fa41-4dd3-46ac-baa3-521aa9ef3f38.mp3","mime_type":"audio/mpeg","size_in_bytes":67235690,"duration_in_seconds":2800}]},{"id":"a4127da1-ab5b-4682-b810-028fea113172","title":"Episode 73: It's Time To Bust the Ghosts in Our Cars with Eric Monterastelli Halloween Series Part III","url":"https://techtransforms.fireside.fm/73","content_text":"In the final, crossover episode of our three-part Halloween series, Eric Monterastelli, Public Sector SE at Delinea, Founder, Crew Chief of Gran Touring Motorsports and Host of the Break/Fix Podcast, joins Carolyn Ford and Tracy Bannon to discuss the scary reality of car security. Is your car spying on you? Can a nefarious actor take over your car? Does your car know your deep personal data like your immigration status, race and more? Hint: It can and it does.\n\nKey Topics\n\n00:02:05 Technology advances put vehicles at risk.\n00:06:25 Hijacked Jeep's wireless signal, turning it off.\n00:07:35 Chrysler systems hacked due to digital admission.\n00:10:47 New EV platforms streamline technology for efficiency.\n00:15:13 Disconnect, purge and be careful: data can be accessed.\n00:18:58 Using TrueCar, author obtained personal information illegally.\n00:21:54 Pre-OBD2 Mercedes is OBD1.\n00:25:12 Mozilla uncovers alarming auto data collection.\n00:28:29 Future vehicles will have integrated alcohol-detection systems.\n00:32:48 Routers, cars can be hacked, collect data.\n00:35:42 Read your vehicle's owner's manual for instructions.\n00:36:55 Speak to rental clerk about removing data.\n\nThe Intersection of Cybersecurity, Car Security and the Ghostbusters Mission\n\nGhostbusters Mission: Car Security & Car Hacking\n\nEric Monterastelli talks about how cars have evolved to include more computing technology, which opens them up to potential attacks. 
He gives the example of a Jeep that was hacked to shut off while driving, demonstrating the real dangers. Tracy Bannon contrasts U.S. car manufacturers that use many third-party components versus Tesla's more integrated system. She argues Tesla's approach may lend itself to more car security. The hosts explore different potential attack vectors into vehicles, like Bluetooth connections.\n\nMozilla Participants Share Automotive InfoSec Insights\n\nEric Monterastelli shares findings from a Mozilla report about the wide range of deep personal data that can be collected from cars, including things like facial expressions, weight, health information and more. The hosts are alarmed by the privacy implications.\n\nTracy Bannon advocates that car manufacturers need to make cybersecurity a priority alongside traditional safety. She indicates cars are data centers on wheels, collecting information that gets sent back to big cloud data centers. They emphasize the need for vigilance from car owners about what information they allow their vehicles to collect.\n\nConcerns About Data Collection in Modern Vehicles\n\nModern Car Security: Braking, Speed and Steering Patterns\n\nEric discusses the extensive data that is now collected by modern vehicles, especially EVs. He notes that information is gathered on things like stopping distances, brake pressure applied, vehicle speed and overall driving habits. This data is no different than the type of driver performance analysis done in race cars. Automakers are collecting real-world usage data from customer vehicles to analyze driving patterns and vehicle responses. Tracy adds that the average new vehicle contains over 100 different computers and millions of lines of code that are all networked together. This networked data covers areas like powertrain functions, safety features and infotainment systems. 
All of this interconnected data presents opportunities for tracking very detailed driving behaviors.\n\nPrivacy Risks in Driving: Collecting Personal Data and Concerns\n\nEric cites a concerning report that modern vehicles can potentially collect extremely sensitive personal data simply through normal driving, including information on immigration status, race, facial expressions, weight, health conditions and even genetic data. He explains that optical facial recognition software could be applied to cameras already present in many vehicles. Other data like weight and health metrics can be gathered from sensors in seats or wearable devices synced to the vehicle. The interconnected nature of modern vehicle computers and far-reaching data collection enables mining of very private user information that goes well beyond basic driving statistics. Carolyn reacts with disbelief at the potential extent of personal data gathering described.\n\nCar Security Comparisons Between Traditional Manufacturers and Tesla\n\nChallenges in U.S. Car Manufacturing Component Compatibility\n\nTracy explained that traditional U.S. car manufacturers have said they use components from hundreds of different distributors and providers. These components were not necessarily created to work together, unlike the approach taken by Tesla. Since traditional manufacturers are buying piece A and knitting it together with piece B, piece C and piece D, there can be integration challenges. The components may not align well since they were not designed under the same umbrella with a holistic approach.\n\nComparing Tesla's Integrated Approach to Enhance Car Security\n\nTracy contrasted the traditional manufacturers' approach with Tesla, which has created everything under one umbrella. Tesla told any component providers what the requirements were and how the components needed to align to what Tesla needed.
This holistic approach within Tesla results in more seamlessly integrated and likely more secure vehicles compared to cobbling together components from many different organizations.\n\nTesla's Privacy Concerns: \"But Tesla, there's been reports and there's been investigations showing that they can turn on the cameras inside the car and see what you're doing. They've been spying on people. There's been all sorts of allegations that have been thrown out there.\" — Eric Monterastelli\n\nCombining Car Parts from Various Sources Raises Security Risks\n\nEric and Tracy discussed how having disparate systems talking over a common bus and language can introduce vulnerabilities. While a proprietary closed system like Tesla's may have risks if it is fully hacked, assembling many components from different providers can also have downsides. There are more potential holes or vulnerabilities when piecing together parts from various organizations, compared to having everything designed and built under one umbrella.\n\nIntegration of Systems in Modern Cars\n\nUnified Mainframe Powers Modern Electric Vehicles, Replacing Separate Components\n\nEric discusses how newer electric vehicles like Teslas, Ford Mach-Es, and Porsches have a single mainframe that controls and interacts with all the components of the vehicle. In contrast, older cars had separate systems for the engine/drivetrain and infotainment that did not necessarily communicate with each other. For example, in a 2000s Chrysler, the infotainment system running the radio was separate from the encrypted Bosch system controlling the engine. Integrating all these components into one mainframe makes the new electric vehicles more convenient but also introduces potential vulnerabilities.\n\nSingle Computer Control and Car Security Vulnerabilities Explored\n\nTracy elaborates that the average new car today has over 100 different embedded computers plus modules networked together and communicating via a CAN bus system.
So there is one central computer that can interact with the engine, transmission, safety systems and infotainment features. While this integration is designed for efficiency and effectiveness of the software systems, it also means one access point can potentially control multiple components of the car. This is different from older cars where systems were more isolated from each other. The interconnectedness makes modern vehicles potentially more susceptible to cyber attacks.\n\nThe Vulnerabilities of Modern Vehicles: \"For me, that's a scary reality. And it actually has shied me away from buying the newest of the new cars even though there are some really exciting things out there because what am I opening myself up to, if I buy a Ford Mach-E or a Tesla Model 3 or something else.\" — Eric Monterastelli\n\nVulnerabilities and Risks in Modern Cars\n\nIntegrating ML and AI into Cars through Computing Advancements\n\nEric discussed how cars have evolved significantly in engineering since the early 1900s. He highlighted that around 2000, more powerful computing technology like ML and AI computers were integrated into vehicles to make decisions about engine performance and interact with various systems. This advancement allowed for additional \"creature comforts\" in cars, but also opened them up to potential attacks and vulnerabilities that older cars did not face.\n\nFuture of DUI Prevention: \"It's gonna become standard issue like power windows and remote locks and things like that where you're not even gonna be able to drive and operate a vehicle if it senses that you're in any way inebriated or under the influence.\" — Eric Monterastelli\n\nModern Vehicles' Complexity Heightens Vulnerabilities and Security Risks\n\nEric further acknowledged that consolidating disparate systems into one mega computer, while making things more convenient, also introduced vulnerabilities. With everything controlled by one mainframe, the attack surface is larger.
He contrasted modern vehicles to cars from the mid-2000s, where engines were still separate from entertainment systems. Now they are fully integrated, which provides more connectivity but less isolation among components.\n\nThe Electric Vehicle Boom and Its Impact on Digital Systems\n\nAccording to Eric, the rise of electric vehicles has led to even more potential issues, as they rely even more heavily on electrical systems and digital connectivity like over-the-air updates. Features that make EVs exciting also make them more susceptible to cyber threats compared to traditional internal combustion cars. The reality that EVs open owners up to unknown risks has made Eric shy away from the newest vehicles.\n\nDifferences in Car Security Among Manufacturers\n\nContrasting Tesla and Porsche Systems: Unified Communication vs. Proprietary Approach\n\nEric compared Tesla's interconnected systems to Porsche's components from various suppliers like Bosch. He said Tesla has full access to proprietary systems through the air, while Porsche uses a CAN bus for disparate systems to communicate. The closed nature of Tesla's system makes it completely open to them.\n\nTracy added more context, mentioning Porsche is connected to VW and Audi, who work with Bosch for many electromechanical parts like sensors and multifunction interfaces. She reiterated that these disparate systems in Porsche communicate via a CAN bus system.\n\nEric acknowledged Tracy's point that both brands use a CAN bus for the back-end electrical system. However, he still sees more risks with Tesla having full access to a closed proprietary system through the air versus Porsche's various supplier components that don't directly communicate beyond the CAN bus.\n\nRisks of Personal Data Storage in Cars\n\nStoring Personal Data in Car Infotainment Beyond Phone Disconnect\n\nTracy explained that even after disconnecting your phone from a car's infotainment system, personal data like contacts and GPS history can remain cached in the system.
She warned that simply pressing \"disconnect\" does not purge the infotainment system of your data. Eric added that unless you fully wipe the system, your data remains stored even after trading in or selling your car. He gave the example of someone pulling a used head unit from a junkyard car, and upon powering it up having full access to the previous owner's contacts and address history.\n\nCyber Security Perspective on Data Collection in Cars: \"They can collect deep personal data such as sexual activity, immigration status, race, facial expressions, weight, health, and genetic information while you're driving.\" — Eric Monterastelli\n\nCar Disposal Doesn't Ensure Personal Data Erasure from Head Unit\n\nTracy shared that her husband takes extensive precautions to prevent others from accessing personal data, such as degaussing old hard drives before disposal. She explained these same precautions should be applied to cars, since simply trading in or scrapping a car does not mean personal data is removed from components like the infotainment system. Eric affirmed this concern, stating that short of an EMP blast, data remains recoverable from the car's memory chips even after the car changes owners. He advised thoroughly wiping car systems before sale to prevent exposing personal information.\n\nAbout Our Guest\n\nEric Monterastelli is the Public Sector SE at Delinea, Founder and Crew Chief of Gran Touring Motorsports and Host of the Break/Fix Podcast. He has more than 18 years of experience in information technology, specializing in systems engineering, virtualization and software development. His previous stops include Dynatrace, BAE Systems, Raytheon, the Department of Defense, LogRhythm and Symantec, among others.\n\nEpisode Links\n\nBreak/Fix Podcast Andy Pilgrim Episode of Break/Fix Podcast\nMozilla Article on Car Privacy\nTech Transforms Halloween Series Episode 1\nTech Transforms Halloween Series Episode 2","content_html":"

In the final, crossover episode of our three-part Halloween series, Eric Monterastelli, Public Sector SE at Delinea, Founder, Crew Chief of Gran Touring Motorsports and Host of the Break/Fix Podcast, joins Carolyn Ford and Tracy Bannon to discuss the scary reality of car security. Is your car spying on you? Can a nefarious actor take over your car? Does your car know your deep personal data like your immigration status, race and more? Hint: It can and it does.

Key Topics


The Intersection of Cybersecurity, Car Security and the Ghostbusters Mission

Ghostbusters Mission: Car Security & Car Hacking

Eric Monterastelli talks about how cars have evolved to include more computing technology, which opens them up to potential attacks. He gives the example of a Jeep that was hacked to shut off while driving, demonstrating the real dangers.

Tracy Bannon contrasts U.S. car manufacturers that use many third-party components with Tesla's more integrated system. She argues Tesla's approach may lend itself to more car security. The hosts explore different potential attack vectors into vehicles, like Bluetooth connections.

Mozilla Participants Share Automotive InfoSec Insights

Eric Monterastelli shares findings from a Mozilla report about the wide range of deep personal data that can be collected from cars, including things like facial expressions, weight, health information and more. The hosts are alarmed by the privacy implications.

Tracy Bannon advocates that car manufacturers need to make cybersecurity a priority alongside traditional safety. She indicates cars are data centers on wheels, collecting information that gets sent back to big cloud data centers. They emphasize the need for vigilance from car owners about what information they allow their vehicles to collect.

Concerns About Data Collection in Modern Vehicles

Modern Car Security: Braking, Speed and Steering Patterns

Eric discusses the extensive data that is now collected by modern vehicles, especially EVs. He notes that information is gathered on things like stopping distances, brake pressure applied, vehicle speed and overall driving habits. This data is no different than the type of driver performance analysis done in race cars. Automakers are collecting real-world usage data from customer vehicles to analyze driving patterns and vehicle responses. Tracy adds that the average new vehicle contains over 100 different computers and millions of lines of code that are all networked together. This networked data covers areas like powertrain functions, safety features and infotainment systems. All of this interconnected data presents opportunities for tracking very detailed driving behaviors.

Privacy Risks in Driving: Collecting Personal Data and Concerns

Eric cites a concerning report that modern vehicles can potentially collect extremely sensitive personal data simply through normal driving, including information on immigration status, race, facial expressions, weight, health conditions and even genetic data. He explains that optical facial recognition software could be applied to cameras already present in many vehicles. Other data like weight and health metrics can be gathered from sensors in seats or wearable devices synced to the vehicle. The interconnected nature of modern vehicle computers and far-reaching data collection enables mining of very private user information that goes well beyond basic driving statistics. Carolyn reacts with disbelief at the potential extent of personal data gathering described.

Car Security Comparisons Between Traditional Manufacturers and Tesla

Challenges in U.S. Car Manufacturing Component Compatibility

Tracy explained that traditional U.S. car manufacturers have said they use components from hundreds of different distributors and providers. These components were not necessarily created to work together, unlike the approach taken by Tesla. Since traditional manufacturers are buying piece A and knitting it together with piece B, piece C and piece D, there can be integration challenges. The components may not align well since they were not designed under the same umbrella with a holistic approach.

Comparing Tesla's Integrated Approach to Enhance Car Security

Tracy contrasted the traditional manufacturers' approach with Tesla, which has created everything under one umbrella. Tesla told any component providers what the requirements were and how the components needed to align to what Tesla needed. This holistic approach within Tesla results in more seamlessly integrated and likely more secure vehicles compared to cobbling together components from many different organizations.

Tesla's Privacy Concerns: "But Tesla, there's been reports and there's been investigations showing that they can turn on the cameras inside the car and see what you're doing. They've been spying on people. There's been all sorts of allegations that have been thrown out there." — Eric Monterastelli

Combining Car Parts from Various Sources Raises Security Risks

Eric and Tracy discussed how having disparate systems talking over a common bus and language can introduce vulnerabilities. While a proprietary closed system like Tesla's may have risks if it is fully hacked, assembling many components from different providers can also have downsides. There are more potential holes or vulnerabilities when piecing together parts from various organizations, compared to having everything designed and built under one umbrella.

Integration of Systems in Modern Cars

Unified Mainframe Powers Modern Electric Vehicles, Replacing Separate Components

Eric discusses how newer electric vehicles like Teslas, Ford Mach-Es, and Porsches have a single mainframe that controls and interacts with all the components of the vehicle. In contrast, older cars had separate systems for the engine/drivetrain and infotainment that did not necessarily communicate with each other. For example, in a 2000s Chrysler, the infotainment system running the radio was separate from the encrypted Bosch system controlling the engine. Integrating all these components into one mainframe makes the new electric vehicles more convenient but also introduces potential vulnerabilities.

Single Computer Control and Car Security Vulnerabilities Explored

Tracy elaborates that the average new car today has over 100 different embedded computers plus modules networked together and communicating via a CAN bus system. So there is one central computer that can interact with the engine, transmission, safety systems and infotainment features. While this integration is designed for efficiency and effectiveness of the software systems, it also means one access point can potentially control multiple components of the car. This is different from older cars where systems were more isolated from each other. The interconnectedness makes modern vehicles potentially more susceptible to cyber attacks.

The Vulnerabilities of Modern Vehicles: "For me, that's a scary reality. And it actually has shied me away from buying the newest of the new cars even though there are some really exciting things out there because what am I opening myself up to, if I buy a Ford Mach-E or a Tesla Model 3 or something else." — Eric Monterastelli

Vulnerabilities and Risks in Modern Cars

Integrating ML and AI into Cars through Computing Advancements

Eric discussed how cars have evolved significantly in engineering since the early 1900s. He highlighted that around 2000, more powerful computing technology like ML and AI computers were integrated into vehicles to make decisions about engine performance and interact with various systems. This advancement allowed for additional "creature comforts" in cars, but also opened them up to potential attacks and vulnerabilities that older cars did not face.

Future of DUI Prevention: "It's gonna become standard issue like power windows and remote locks and things like that where you're not even gonna be able to drive and operate a vehicle if it senses that you're in any way inebriated or under the influence." — Eric Monterastelli

Modern Vehicles' Complexity Heightens Vulnerabilities and Security Risks

Eric further acknowledged that consolidating disparate systems into one mega computer, while making things more convenient, also introduced vulnerabilities. With everything controlled by one mainframe, the attack surface is larger. He contrasted modern vehicles to cars from the mid-2000s, where engines were still separate from entertainment systems. Now they are fully integrated, which provides more connectivity but less isolation among components.

The Electric Vehicle Boom and Its Impact on Digital Systems

According to Eric, the rise of electric vehicles has led to even more potential issues, as they rely even more heavily on electrical systems and digital connectivity like over-the-air updates. Features that make EVs exciting also make them more susceptible to cyber threats compared to traditional internal combustion cars. The reality that EVs open owners up to unknown risks has made Eric shy away from the newest vehicles.

Differences in Car Security Among Manufacturers

Contrasting Tesla and Porsche Systems: Unified Communication vs. Proprietary Approach

Eric compared Tesla's interconnected systems to Porsche's components from various suppliers like Bosch. He said Tesla has full access to proprietary systems through the air, while Porsche uses a CAN bus for disparate systems to communicate. The closed nature of Tesla's system makes it completely open to them.

Tracy added more context, mentioning Porsche is connected to VW and Audi, who work with Bosch for many electromechanical parts like sensors and multifunction interfaces. She reiterated that these disparate systems in Porsche communicate via a CAN bus system.

Eric acknowledged Tracy's point that both brands use a CAN bus for the back-end electrical system. However, he still sees more risks with Tesla having full access to a closed proprietary system through the air versus Porsche's various supplier components that don't directly communicate beyond the CAN bus.

Risks of Personal Data Storage in Cars

Storing Personal Data in Car Infotainment Beyond Phone Disconnect

Tracy explained that even after disconnecting your phone from a car's infotainment system, personal data like contacts and GPS history can remain cached in the system. She warned that simply pressing "disconnect" does not purge the infotainment system of your data. Eric added that unless you fully wipe the system, your data remains stored even after trading in or selling your car. He gave the example of someone pulling a used head unit from a junkyard car, and upon powering it up having full access to the previous owner's contacts and address history.

Cyber Security Perspective on Data Collection in Cars: "They can collect deep personal data such as sexual activity, immigration status, race, facial expressions, weight, health, and genetic information while you're driving." — Eric Monterastelli

Car Disposal Doesn't Ensure Personal Data Erasure from Head Unit

Tracy shared that her husband takes extensive precautions to prevent others from accessing personal data, such as degaussing old hard drives before disposal. She explained these same precautions should be applied to cars, since simply trading in or scrapping a car does not mean personal data is removed from components like the infotainment system. Eric affirmed this concern, stating that short of an EMP blast, data remains recoverable from the car's memory chips even after the car changes owners. He advised thoroughly wiping car systems before sale to prevent exposing personal information.

About Our Guest

Eric Monterastelli is the Public Sector SE at Delinea, Founder and Crew Chief of Gran Touring Motorsports and Host of the Break/Fix Podcast. He has more than 18 years of experience in information technology, specializing in systems engineering, virtualization and software development. His previous stops include Dynatrace, BAE Systems, Raytheon, the Department of Defense, LogRhythm and Symantec, among others.

Episode Links


","summary":null,"date_published":"2023-10-31T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/f64461fd-1784-4d8a-b5fc-98251f46ed7a.mp3","mime_type":"audio/mpeg","size_in_bytes":56622339,"duration_in_seconds":2358}]},{"id":"6914ebd2-b390-4a10-bb8d-4df522759516","title":"Episode 72: Insider Threats, Critical Infrastructure and Evolving AI, Oh My! with Grant Schneider Halloween Series Part II","url":"https://techtransforms.fireside.fm/72","content_text":"In the second episode of our 3-part Halloween series, Grant Schneider, Senior Director of Cybersecurity Services at Venable and former federal CISO, discusses the frightening implications of insider threats, how we are protecting critical infrastructure, and what it was like working on cybersecurity in the White House under both President Obama and President Trump.Key Topics00:03:59 Increased consequences led to rise of cybersecurity00:08:47 Insider threat, screening, hiring, malicious actor, Manning, Snowden00:09:53 Snowden challenges legality of government surveillance00:15:00 Adversary gains access, steals information, demands ransom00:19:19 Different levels of readiness present challenges00:23:15 Helping clients & coalitions for cybersecurity policy00:24:58 Consistency in technology and cybersecurity under past presidents00:27:47 Cybersecurity is like warfare or terrorism00:32:30 AI tools and data drive persuasive information00:34:50 National Cybersecurity Awareness Month raises awareness on cybersecurity and encourages action to protect businesses00:42:40 Diversity of experiences leads to career growth00:44:01 Adaptive, willing, and able to learnIntroduction to National Cybersecurity Awareness MonthPurpose of Raising Awareness About CybersecurityGrant explained that one of the great things about National Cybersecurity Awareness Month is exactly raising awareness and providing an opportunity to hopefully spend time thinking about and discussing 
cybersecurity. He noted that for organizations already focused on cybersecurity daily, the awareness month may not raise their awareness much more. However, many organizations don't constantly think about cybersecurity, so for business leaders and executives who may now recognize the existential threat a cyber incident poses, the awareness month offers a chance to have important conversations they may have previously avoided due to lack of understanding.\n\nNational Cybersecurity Awareness Month: \"You're only one bad kind of cyber incident away from your organization not existing anymore.\" — Grant Schneider\n\nOpportunities for Organizations to Have Conversations About Cybersecurity\n\nAccording to Grant, leaders who don't grasp cybersecurity risks may personally fear initiating conversations to ask what the organization needs to do to address risks. National Cybersecurity Awareness Month provides an opportunity for these leaders to have the necessary conversations and gain education. Grant said the awareness month is a chance to discuss basics, like implementing multifactor authentication, patching and updates. He observed that much of the content produced for the awareness month focuses on cybersecurity fundamentals, so it allows organizations to dedicate time to shoring up basic defenses. Overall, Grant emphasized National Cybersecurity Awareness Month facilitates essential cybersecurity conversations for organizations and leaders who otherwise may not prioritize it consistently.\n\nEvolution of Insider Threat in the Intelligence Community\n\nScreening Out Bad Actors During the Hiring Process\n\nGrant explains that in the early days of his career at the Defense Intelligence Agency (DIA), insider threat mitigation focused on screening out bad actors during the hiring process. The belief was that malicious insiders were either people with concerning backgrounds trying to get hired, or nation-state actors attempting to plant individuals within the intelligence community.
The screening process aimed to identify and reject potentially problematic candidates.\n\nNation-State Actors Planting Individuals Within the Community\n\nHe mentions the possibility of nation-state actors attempting to plant malicious insiders in the intelligence community through the hiring process. This underscores the perceived risk that foreign governments would try to insert spies or saboteurs into the ranks of U.S. intelligence agencies.\n\nShift Towards Insiders Becoming Whistleblowers\n\nGrant then discusses how over time, the nature of insider threats shifted more towards insiders becoming whistleblowers driven by ideology or moral objections. He cites the Manning and Snowden cases as examples of this shift. Rather than foreign plants, these were trusted insiders who went on to leak classified information out of claimed conscience.\n\nImportance of Not Making Negative Generalizations About Whistleblowers\n\nWhile describing this evolution, Grant is careful not to make generalizations condemning all whistleblowers. He maintains that whistleblowing serves an important function in society.\n\nSnowden’s Different View on the Community’s Work and His Actions\n\nIn Snowden's case specifically, Grant characterizes his mindset as believing the intelligence community's lawful work was actually wrong. This led Snowden to take matters into his own hands by leaking classified materials.\n\nImportance of Diversity of Experiences for Personal and Professional Growth\n\nActively Seeking Out Different Experiences Within Current Role\n\nGrant emphasized the importance of seeking diversity of experiences, even within one's current job. He advised not constantly changing jobs, as that may look unfavorable on a resume. However, within a role, one should actively volunteer for new projects and tasks that provide exposure to different skills.
Being willing to say \"yes\" and take on unfamiliar work leads to becoming a more versatile, well-rounded employee.\n\nSaying Yes to New Opportunities\n\nGrant recommended that when presented with new opportunities at work, such as a manager asking for someone to work on a certain project, the best approach is to always say yes. Even if the work does not seem interesting or relevant, accepting the challenge provides a chance to learn new skills. Saying yes demonstrates eagerness to expand one's capabilities.\n\nThe Importance of Diversity of Experiences: \"Diversity of experiences, and whatever it is you're working on, when your boss, your coworkers say, hey, we're looking for someone to work on this, always say YES. I wanna go work on that as well.\" — Grant Schneider\n\nBecoming a Well-Rounded Employee and Leader\n\nAccording to Grant, embracing diverse experiences allows professionals to build unique skill sets and make themselves stand out. Having broad exposure equips individuals to work effectively on varied teams and projects. It enables adaptability that makes one a more valuable contributor. Grant emphasized that diversity of experience helps shape well-rounded leaders who can thrive in any environment.\n\nView Work and Life as a Scavenger Hunt for Acquiring Skills\n\nGrant suggested viewing one's career progression as a scavenger hunt to collect talents and capabilities. Being strategic and purposeful about pursuing different opportunities maximizes growth. Grant urged professionals to reflect on the skills they want in their toolbox and then leverage jobs and other life experiences to intentionally develop expertise across multiple areas.\n\nThe Consequences of Cyber Incidents and the Growth of Cybersecurity\n\nIncreased Consequences of Cyber Incidents\n\nAs Grant explained, when he first joined DIA, there were no connections to the unclassified internet in the building. Over time, every employee had both unclassified and classified computers to connect to various networks.
As more devices were connected to networks, the potential consequences of a cyber incident grew. With more reliance on technology and interconnected systems, a cyberattack could cause major disruptions to operations. Grant noted that this increase in risk led to a greater focus on cybersecurity within both government and private sector organizations.\n\nThe Consistency of Approach Towards Technology and Cybersecurity across Administrations: \"In my opinion, technology and cybersecurity has not been very politicized. And really going back from Bush to Obama, to Trump and to Biden, in my opinion, we've seen a good bit of consistency around the directions, the people have been headed.\" — Grant Schneider\n\nCreation of Dedicated Security Operations Centers\n\nGrant discussed how the growing risks from cyber incidents led to the creation of security operations centers focused on monitoring threats. Whereas IT operations teams had previously handled security, cybersecurity emerged as its own discipline requiring specialized skills and 24/7 vigilance. Organizations established dedicated security operations centers tasked with detecting and responding to security events around the clock. This represented a major shift as cybersecurity transitioned from a purely policy function to an operational capability within organizations.\n\nCybersecurity as a Distinct Operational Entity in Public and Private Sectors\n\nOver the years, cybersecurity evolved from an information security policy role to a distinct operational entity, according to Grant. This transition occurred in both the public sector and private sector as the nature of threats changed. Cybersecurity is now recognized as requiring its own set of skills and continuous monitoring separate from traditional IT operations.
Grant noted that this shift has continued with cybersecurity capabilities and staffing growing significantly across sectors.\n\nUnderstanding and Manipulating Information in Cyberspace\n\nIncreasing Availability of Data and AI Tools\n\nGrant discussed how there is more and more data available now as compared to the past. He also mentioned how AI tools allow people to analyze and understand this data in new ways. For example, AI can help determine what information or messages are most likely to resonate with someone based on what is already known about their views and preferences. Grant suggested that the combination of more data and better AI-enabled analysis means information can be tailored and targeted to individuals in new ways, for good or bad purposes.\n\nDelivering Messages That Resonate With Individuals, Regardless of Truth\n\nBuilding on the availability of data and AI tools, Grant noted how messages can now be crafted in a customized way for each person. He said that tools allow understanding of what is believable to each individual. Then messages can be created that align with existing beliefs and preferences, regardless of whether the messages are factually true. Grant gave the example that false information could potentially be spread this way if the content resonates with what someone already thinks.\n\nSociety’s Acceptance of Divisive and Blunt Opinions\n\nGrant suggested that technology capabilities enabling tailored messaging are emerging alongside the increased societal acceptance of divisive, controversial and blunt opinions being shared publicly. He noted that norms seem to have changed from when there were more things people didn't express out loud. Grant proposed that this societal shift combined with technological capabilities that can take advantage of divisions creates risks in terms of information manipulation.\n\nAbout Our Guest\n\nGrant Schneider’s entire 30-year career has focused on our nation’s security.
Grant spent more than 20 years at the Defense Intelligence Agency, seven of which he served as the CIO. He then spent six years in the Executive Office of the President during the Obama and Trump administrations, focused on all aspects of federal and critical infrastructure cybersecurity. During that time, he served as a Senior Director for Cybersecurity Policy on the National Security Council staff and most recently as the Federal CISO. For the past three years, Grant has served as Senior Director of Cybersecurity Services at Venable, helping companies from across all sectors enhance their cybersecurity programs through the development and implementation of risk management programs as well as assisting with the preparation, response, and recovery from various cyber incidents, including ransomware.Episode LinksColonial Pipeline hackLive Free or Die Hard Alliance for Digital Innovation","content_html":"

In the second episode of our 3-part Halloween series, Grant Schneider, Senior Director of Cybersecurity Services at Venable and former federal CISO, discusses the frightening implications of insider threats, how we are protecting critical infrastructure, and what it was like working on cybersecurity in the White House under both President Obama and President Trump.

Key Topics


Introduction to National Cybersecurity Awareness Month

Purpose of Raising Awareness About Cybersecurity

Grant explained that one of the great things about National Cybersecurity Awareness Month is exactly raising awareness and providing an opportunity to hopefully spend time thinking about and discussing cybersecurity. He noted that for organizations already focused on cybersecurity daily, the awareness month may not raise their awareness much more. However, many organizations don't constantly think about cybersecurity, so for business leaders and executives who may now recognize the existential threat a cyber incident poses, the awareness month offers a chance to have important conversations they may have previously avoided due to lack of understanding.

National Cybersecurity Awareness Month: "You're only one bad kind of cyber incident away from your organization not existing anymore."— Grant Schneider

Opportunities for Organizations to Have Conversations About Cybersecurity

According to Grant, leaders who don't grasp cybersecurity risks may personally fear initiating conversations to ask what the organization needs to do to address risks. National Cybersecurity Awareness Month provides an opportunity for these leaders to have the necessary conversations and gain education. Grant said the awareness month is a chance to discuss basics, like implementing multifactor authentication, patching and updates. He observed that much of the content produced for the awareness month focuses on cybersecurity fundamentals, so it allows organizations to dedicate time to shoring up basic defenses. Overall, Grant emphasized National Cybersecurity Awareness Month facilitates essential cybersecurity conversations for organizations and leaders who otherwise may not prioritize it consistently.

Evolution of Insider Threat in the Intelligence Community

Screening Out Bad Actors During the Hiring Process

Grant explains that in the early days of his career at the Defense Intelligence Agency (DIA), insider threat mitigation focused on screening out bad actors during the hiring process. The belief was that malicious insiders were either people with concerning backgrounds trying to get hired, or nation-state actors attempting to plant individuals within the intelligence community. The screening process aimed to identify and reject potentially problematic candidates.

Nation-State Actors Planting Individuals Within the Community

He mentions the possibility of nation-state actors attempting to plant malicious insiders in the intelligence community through the hiring process. This underscores the perceived risk that foreign governments would try to insert spies or saboteurs into the ranks of U.S. intelligence agencies.

Shift Towards Insiders Becoming Whistleblowers

Grant then discusses how over time, the nature of insider threats shifted more towards insiders becoming whistleblowers driven by ideology or moral objections. He cites the Manning and Snowden cases as examples of this shift. Rather than foreign plants, these were trusted insiders who went on to leak classified information out of claimed conscience.

Importance of Not Making Negative Generalizations About Whistleblowers

While describing this evolution, Grant is careful not to make generalizations condemning all whistleblowers. He maintains that whistleblowing serves an important function in society.

Snowden’s Different View on the Community’s Work and His Actions

In Snowden's case specifically, Grant characterizes his mindset as believing the intelligence community's lawful work was actually wrong. This led Snowden to take matters into his own hands by leaking classified materials.

Importance of Diversity of Experiences for Personal and Professional Growth

Actively Seeking Out Different Experiences Within Current Role

Grant emphasized the importance of seeking diversity of experiences, even within one's current job. He advised not constantly changing jobs, as that may look unfavorable on a resume. However, within a role, one should actively volunteer for new projects and tasks that provide exposure to different skills. Being willing to say "yes" and take on unfamiliar work leads to becoming a more versatile, well-rounded employee.

Saying Yes to New Opportunities

Grant recommended that when presented with new opportunities at work, such as a manager asking for someone to work on a certain project, the best approach is to always say yes. Even if the work does not seem interesting or relevant, accepting the challenge provides a chance to learn new skills. Saying yes demonstrates eagerness to expand one's capabilities.

The Importance of Diversity of Experiences: "Diversity of experiences, and whatever it is you're working on, when your boss, your coworkers say, hey, we're looking for someone to work on this, always say YES. I wanna go work on that as well."— Grant Schneider

Becoming a Well-Rounded Employee and Leader

According to Grant, embracing diverse experiences allows professionals to build unique skill sets and make themselves stand out. Having broad exposure equips individuals to work effectively on varied teams and projects. It enables adaptability that makes one a more valuable contributor. Grant emphasized that diversity of experience helps shape well-rounded leaders who can thrive in any environment.

View Work and Life as a Scavenger Hunt for Acquiring Skills

Grant suggested viewing one's career progression as a scavenger hunt to collect talents and capabilities. Being strategic and purposeful about pursuing different opportunities maximizes growth. Grant urged professionals to reflect on the skills they want in their toolbox and then leverage jobs and other life experiences to intentionally develop expertise across multiple areas.

The Consequences of Cyber Incidents and the Growth of Cybersecurity

Increased Consequences of Cyber Incidents

As Grant explained, when he first joined DIA, there were no connections to the unclassified internet in the building. Over time, every employee had both unclassified and classified computers to connect to various networks. As more devices were connected to networks, the potential consequences of a cyber incident grew. With more reliance on technology and interconnected systems, a cyberattack could cause major disruptions to operations. Grant noted that this increase in risk led to a greater focus on cybersecurity within both government and private sector organizations.

The Consistency of Approach Towards Technology and Cybersecurity across Administrations: "In my opinion, technology and cybersecurity has not been very politicized. And really going back from Bush to Obama, to Trump and to Biden, in my opinion, we've seen a good bit of consistency around the directions, the people have been headed."— Grant Schneider

Creation of Dedicated Security Operations Centers

Grant discussed how the growing risks from cyber incidents led to the creation of security operations centers focused on monitoring threats. Whereas IT operations teams had previously handled security, cybersecurity emerged as its own discipline requiring specialized skills and 24/7 vigilance. Organizations established dedicated security operations centers tasked with detecting and responding to security events around the clock. This represented a major shift as cybersecurity transitioned from a purely policy function to an operational capability within organizations.

Cybersecurity as a Distinct Operational Entity in Public and Private Sectors

Over the years, cybersecurity evolved from an information security policy role to a distinct operational entity, according to Grant. This transition occurred in both the public sector and private sector as the nature of threats changed. Cybersecurity is now recognized as requiring its own set of skills and continuous monitoring separate from traditional IT operations. Grant noted that this shift has continued with cybersecurity capabilities and staffing growing significantly across sectors.

Understanding and Manipulating Information in Cyberspace

Increasing Availability of Data and AI Tools

Grant discussed how there is more and more data available now as compared to the past. He also mentioned how AI tools allow people to analyze and understand this data in new ways. For example, AI can help determine what information or messages are most likely to resonate with someone based on what is already known about their views and preferences. Grant suggested that the combination of more data and better AI-enabled analysis means information can be tailored and targeted to individuals in new ways, for good or bad purposes.

Delivering Messages That Resonate With Individuals, Regardless of Truth

Building on the availability of data and AI tools, Grant noted how messages can now be crafted in a customized way for each person. He said that tools allow understanding of what is believable to each individual. Then messages can be created that align with existing beliefs and preferences, regardless of whether the messages are factually true. Grant gave the example that false information could potentially be spread this way if the content resonates with what someone already thinks.

Society’s Acceptance of Divisive and Blunt Opinions

Grant suggested that technology capabilities enabling tailored messaging are emerging alongside the increased societal acceptance of divisive, controversial and blunt opinions being shared publicly. He noted that norms seem to have changed from when there were more things people didn't express out loud. Grant proposed that this societal shift combined with technological capabilities that can take advantage of divisions creates risks in terms of information manipulation.

About Our Guest

Grant Schneider’s entire 30-year career has focused on our nation’s security. Grant spent more than 20 years at the Defense Intelligence Agency, seven of which he served as the CIO. He then spent six years in the Executive Office of the President during the Obama and Trump administrations, focused on all aspects of federal and critical infrastructure cybersecurity. During that time, he served as a Senior Director for Cybersecurity Policy on the National Security Council staff and most recently as the Federal CISO. For the past three years, Grant has served as Senior Director of Cybersecurity Services at Venable, helping companies from across all sectors enhance their cybersecurity programs through the development and implementation of risk management programs as well as assisting with the preparation, response, and recovery from various cyber incidents, including ransomware.

Episode Links

Colonial Pipeline hack
Live Free or Die Hard
Alliance for Digital Innovation

","summary":null,"date_published":"2023-10-18T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/97d19957-a235-49d3-86fd-271f02b5c452.mp3","mime_type":"audio/mpeg","size_in_bytes":64453900,"duration_in_seconds":2684}]},{"id":"00a810a7-e129-401b-9594-1de10ecd94ba","title":"Episode 71: Unmasking the Specter: Mr. Egts' Journey into the Impact of Generative AI on Government Transformation | Halloween Series Part I","url":"https://techtransforms.fireside.fm/71","content_text":"In the first episode of our 3-part Halloween series, Dave Egts, MuleSoft Public Sector Field CTO at Salesforce, details what's scaring the public sector most and how Salesforce is utilizing - and securing - AI to improve customer experience with their Einstein Trust Layer. Additionally, Carolyn and Dave dive into the spooky worlds of brain cell chips, mind-reading AI and more.\n\nKey Topics\n\n[02:17] Starting the Dave & Gunnar Show\n[04:14] Dave's Role At Salesforce\n[05:18] What's Scaring the Public Sector Most?\n[10:22] Ways Agencies are Attracting Talent\n[13:56] How Agencies Are Handling Legacy Systems\n[15:45] What MuleSoft Does & Generative AI's Role\n[22:44] Salesforce's Einstein Trust Layer\n[29:21] PoisonGPT\n[36:07] Brain Organoids & Other Spooky, Ethically Questionable Experiments\n[42:15] Tech Talk Questions: Halloween Edition\n\nQuotable Quotes\n\nConsiderations for the Public Sector While Using AI: \"As you're going on your AI journey, you've got to be looking at the EULA [End User License Agreement] and making sure that, okay, if I give you data, what are you going to do with it?\"\n\nOn Bias & Disinformation in Generative AI: \"There were some previous studies that show that people are more likely to go with the generative AI results if they trust the company and they trust the model. So it's like, 'Oh, it came from Google, so how can that be wrong?' 
Or 'I'm trusting the brand,' or 'I'm trusting the model.'\"\n\nAbout Our Guest\n\nDavid Egts is MuleSoft’s first-ever Public Sector field CTO. Outside of MuleSoft, David is the founding co-chair of the WashingtonExec CTO Council, where he advises numerous companies on working with the public sector. David has received numerous industry-wide recognitions, including as an FCW Federal 100 winner, a FedScoop 50 Industry Leadership awardee and one of WashingtonExec’s Top Cloud Executives to Watch. He has won multiple employee honors from Red Hat, Silicon Graphics and Concurrent Technologies Corporation.\n\nEpisode Links\n\nDave & Gunnar Show Episodes\n\nEpisode 165- If you can’t measure it, you can’t manage it\nEpisode 185- In Your Brain, Nobody Can Hear You Scream\nEpisode 227- Meetings and Punishment\nEpisodes 248 & 249- Stay tuned to the Dave & Gunnar Show for these episodes to go live\n\nAdditional Links\n\nMinority Report\nCuyahoga Valley National Park\nFlowers For Algernon","content_html":"

In the first episode of our 3-part Halloween series, Dave Egts, MuleSoft Public Sector Field CTO at Salesforce, details what's scaring the public sector most and how Salesforce is utilizing - and securing - AI to improve customer experience with their Einstein Trust Layer. Additionally, Carolyn and Dave dive into the spooky worlds of brain cell chips, mind-reading AI and more.

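Key Topics

[02:17] Starting the Dave & Gunnar Show
[04:14] Dave's Role At Salesforce
[05:18] What's Scaring the Public Sector Most?
[10:22] Ways Agencies are Attracting Talent
[13:56] How Agencies Are Handling Legacy Systems
[15:45] What MuleSoft Does & Generative AI's Role
[22:44] Salesforce's Einstein Trust Layer
[29:21] PoisonGPT
[36:07] Brain Organoids & Other Spooky, Ethically Questionable Experiments
[42:15] Tech Talk Questions: Halloween Edition
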
Quotable Quotes

Considerations for the Public Sector While Using AI: "As you're going on your AI journey, you've got to be looking at the EULA [End User License Agreement] and making sure that, okay, if I give you data, what are you going to do with it?"

On Bias & Disinformation in Generative AI: "There were some previous studies that show that people are more likely to go with the generative AI results if they trust the company and they trust the model. So it's like, 'Oh, it came from Google, so how can that be wrong?' Or 'I'm trusting the brand,' or 'I'm trusting the model.'"

About Our Guest

David Egts is MuleSoft’s first-ever Public Sector field CTO. Outside of MuleSoft, David is the founding co-chair of the WashingtonExec CTO Council, where he advises numerous companies on working with the public sector. David has received numerous industry-wide recognitions, including as an FCW Federal 100 winner, a FedScoop 50 Industry Leadership awardee and one of WashingtonExec’s Top Cloud Executives to Watch. He has won multiple employee honors from Red Hat, Silicon Graphics and Concurrent Technologies Corporation.

Episode Links

Dave & Gunnar Show Episodes

Episode 165- If you can’t measure it, you can’t manage it
Episode 185- In Your Brain, Nobody Can Hear You Scream
Episode 227- Meetings and Punishment
Episodes 248 & 249- Stay tuned to the Dave & Gunnar Show for these episodes to go live

Additional Links

Minority Report
Cuyahoga Valley National Park
Flowers For Algernon

","summary":null,"date_published":"2023-10-04T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/60886b23-2db5-46ea-b259-21396daa2348.mp3","mime_type":"audio/mpeg","size_in_bytes":72016123,"duration_in_seconds":2998}]},{"id":"f10180cd-c59f-45d0-831e-1c014c6a4d86","title":"Episode 70: So What? China's Grip on Telecommunications with Jon Pelson, Author of \"Wireless Wars\"","url":"https://techtransforms.fireside.fm/70","content_text":"In this So What? episode, Jon Pelson, author of the best-selling book \"Wireless Wars,\" discusses China’s impact on the telecommunications space. He also shares the frightening security concerns around Chinese components in 5G networks and discusses why the FCC's ban on these components may not be enough.\n\nKey Topics\n\n[01:30] China's Success in the Telecom Industry\n[05:12] China's Grip on 5G\n[08:29] Are Your Communications Ever Private?\n[13:00] The Influence of Technology\n[15:53] What Would Happen if China Got Control?\n[19:20] FCC Ban on Chinese Components\n[24:50] Huawei's Placement Strategy\n[30:05] Is the FCC Ban a Good Start?\n[38:42] How America Takes Back Control\n[44:51] Tech Talk Questions\n\nQuotable Quotes\n\nOn Huawei's Tower Placement: \"'Our nuclear missile bases, our special operations command at the nuclear sub base are all served by Huawei cell equipment.' I said, 'That's impossible. They have like 0.1% market share. How could they have every nuclear missile site?' I started looking into it. The reason I called the book 'Wireless Wars' is because it's a war that's being fought through what appears to be business means. This is not business.\" -Jon Pelson\n\nOn Why We Should Protect Data: \"People say, 'I have nothing to hide.' Especially the younger generation says, 'Look, my privacy, in that regard, is not that important.' I was asked at the end of an interview, 'What would happen if China got control over us the way they're trying to?' 
I said, 'You don't have to scratch your head and do scenario planning. Look at places where China has control over the population.'\" -Jon Pelson\n\nAbout Our Guest\n\nJon Pelson spent nearly 30 years working as a technology executive, including serving as vice president at Lucent Technologies and chief of convergence strategy for British Telecom. His work with China’s telecom industry during this time led Pelson to write his best-selling book \"Wireless Wars: China’s Dangerous Domination of 5G and How We’re Fighting Back.\"\n\nEpisode Links\n\nThe Kill Chain by Christian Brose\nPaul Scharre's Tech Transforms Episode\nFocus\nBreaking Bad\nBoyd by Robert Coram\nUndaunted Courage by Stephen Ambrose","content_html":"

In this So What? episode, Jon Pelson, author of the best-selling book "Wireless Wars," discusses China’s impact on the telecommunications space. He also shares the frightening security concerns around Chinese components in 5G networks and discusses why the FCC's ban on these components may not be enough.

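Key Topics

[01:30] China's Success in the Telecom Industry
[05:12] China's Grip on 5G
[08:29] Are Your Communications Ever Private?
[13:00] The Influence of Technology
[15:53] What Would Happen if China Got Control?
[19:20] FCC Ban on Chinese Components
[24:50] Huawei's Placement Strategy
[30:05] Is the FCC Ban a Good Start?
[38:42] How America Takes Back Control
[44:51] Tech Talk Questions
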
Quotable Quotes

On Huawei's Tower Placement: "'Our nuclear missile bases, our special operations command at the nuclear sub base are all served by Huawei cell equipment.' I said, 'That's impossible. They have like 0.1% market share. How could they have every nuclear missile site?' I started looking into it. The reason I called the book 'Wireless Wars' is because it's a war that's being fought through what appears to be business means. This is not business." -Jon Pelson

On Why We Should Protect Data: "People say, 'I have nothing to hide.' Especially the younger generation says, 'Look, my privacy, in that regard, is not that important.' I was asked at the end of an interview, 'What would happen if China got control over us the way they're trying to?' I said, 'You don't have to scratch your head and do scenario planning. Look at places where China has control over the population.'" -Jon Pelson

About Our Guest

Jon Pelson spent nearly 30 years working as a technology executive, including serving as vice president at Lucent Technologies and chief of convergence strategy for British Telecom. His work with China’s telecom industry during this time led Pelson to write his best-selling book "Wireless Wars: China’s Dangerous Domination of 5G and How We’re Fighting Back."

Episode Links

The Kill Chain by Christian Brose
Paul Scharre's Tech Transforms Episode
Focus
Breaking Bad
Boyd by Robert Coram
Undaunted Courage by Stephen Ambrose

","summary":null,"date_published":"2023-09-27T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/135df34f-2fe2-4cd7-823e-0f6315dce458.mp3","mime_type":"audio/mpeg","size_in_bytes":70994739,"duration_in_seconds":2956}]},{"id":"fa057d6d-d435-47e4-a3b2-fdaa2a11b2a2","title":"Episode 69: Insights from the Billington Cybersecurity Summit with Willie Hicks, Federal CTO at Dynatrace","url":"https://techtransforms.fireside.fm/69","content_text":"On this special episode, Willie Hicks and Carolyn Ford discuss the Billington Cybersecurity Summit, as well as insights from panels, led by Willie, on workforce automation and zero trust.\n\nKey Topics\n\n[00:22] Willie's Workforce Automation Panel Highlights\n[03:28] The Difference Between Training & Education\n[11:11] Securing Data In A Zero Trust World Panel Highlights\n[16:31] Willie's Experience with Constant Reverification While Working in Financial Data Protection\n[20:44] Overarching Impressions from the Billington Cybersecurity Summit\n\nQuotable Quotes\n\nOn the Human Factor: \"I think this is always the case, that the human's usually going to be the weakest link. We're always the weakest link. But that's why that constant reverification is so critical.\"\n\nOn Generative AI: \"We can't fear these things like generative AI. We've got to embrace it. We've got to use it. We've got to figure out how to use it and use it right and use it appropriately. But we have to figure out how to use it because you know who's using it? Our adversaries.\"\n\nAbout Our Guest\n\nWillie Hicks is the Public Sector Chief Technologist for Dynatrace. Willie has spent over a decade orchestrating solutions for some of the most complex network environments, from cloud to cloud native applications and microservices. He understands tracking and making sense of systems and data that has grown beyond human ability. 
Working across engineering and product management to ensure continued growth and speed innovation, he has implemented Artificial Intelligence and automation solutions over hundreds of environments to tame and secure their data.\n\nEpisode Links\n\nBillington Cybersecurity Summit Speakers\nTech Transforms with Tom Billington\nTech Transforms with Ann Dunkin\nMission Impossible","content_html":"

On this special episode, Willie Hicks and Carolyn Ford discuss the Billington Cybersecurity Summit, as well as insights from panels, led by Willie, on workforce automation and zero trust.

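Key Topics

[00:22] Willie's Workforce Automation Panel Highlights
[03:28] The Difference Between Training & Education
[11:11] Securing Data In A Zero Trust World Panel Highlights
[16:31] Willie's Experience with Constant Reverification While Working in Financial Data Protection
[20:44] Overarching Impressions from the Billington Cybersecurity Summit
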
Quotable Quotes

On the Human Factor: "I think this is always the case, that the human's usually going to be the weakest link. We're always the weakest link. But that's why that constant reverification is so critical."

On Generative AI: "We can't fear these things like generative AI. We've got to embrace it. We've got to use it. We've got to figure out how to use it and use it right and use it appropriately. But we have to figure out how to use it because you know who's using it? Our adversaries."

About Our Guest

Willie Hicks is the Public Sector Chief Technologist for Dynatrace. Willie has spent over a decade orchestrating solutions for some of the most complex network environments, from cloud to cloud native applications and microservices. He understands tracking and making sense of systems and data that has grown beyond human ability. Working across engineering and product management to ensure continued growth and speed innovation, he has implemented Artificial Intelligence and automation solutions over hundreds of environments to tame and secure their data.

Episode Links

Billington Cybersecurity Summit Speakers
Tech Transforms with Tom Billington
Tech Transforms with Ann Dunkin
Mission Impossible

","summary":null,"date_published":"2023-09-20T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/afc2456e-a2c7-4118-9ee2-2399b0b2427a.mp3","mime_type":"audio/mpeg","size_in_bytes":32492980,"duration_in_seconds":1352}]},{"id":"c866bb2d-72e9-403c-b8d2-fd87e6fb857f","title":"Episode 68: Keeping Your Eyes Open For Opportunity with Sandi Larsen, Vice President of Global Security Solutions at Dynatrace","url":"https://techtransforms.fireside.fm/68","content_text":"Sandi Larsen, Vice President, Global Security Solutions at Dynatrace, joins our host Carolyn Ford to share her perspectives on the relationship between zero trust and defense in depth. She also discusses her storied career, leadership and what it's like to be a woman in technology (although she dislikes the term). Additionally, Sandi shares her advice on identifying mentors, finding your voice and battling imposter syndrome.\n\nKey Topics\n\n[00:00] Introduction\n[01:10] Sandi's Role at Dynatrace\n[03:11] Sandi's Take on Zero Trust & Defense in Depth\n[09:21] Sandi’s Career Path\n[19:01] People in Technology and the Gender Gap\n[25:26] Sandi's Key Takeaway for Listeners\n[27:37] Tech Talk Questions\n\nQuotable Quotes\n\nOn Finding Inspiration: “You just can't sleep on these pivotal people in your career whether they're ahead of you or beside you or even behind you, I’ve been inspired by people that I am mentoring.”\n\nOn Having Mentors: “Find mentors, they are just invaluable and will be throughout your whole entire career, no matter what stage you're in. At the beginning, at the middle, later in your career, they will always be indispensable for you.”\n\nOn Using Your Voice: “Speak up. Just have a voice. And if that voice in your head is planting doubt, don't listen to it. If it's coaching you on what to say and what not to say, and being wise about that, listen to that. But if it's planting seeds of doubt, you've got to, you have to push it aside. 
And you have to take that step. Because if you don't, you might be missing out on the next best thing.”\n\nAbout Our Guest\n\nSandi Larsen currently serves as the Vice President of Global Security at Dynatrace. Prior to joining Dynatrace in November 2020, Sandi held various positions, including sales and systems engineering roles in cybersecurity and financial services organizations.\n\nEpisode Links\n\nThe Bear\nThe John Maxwell Leadership Podcast\nThe Tim Ferriss Show","content_html":"

Sandi Larsen, Vice President, Global Security Solutions at Dynatrace, joins our host Carolyn Ford to share her perspectives on the relationship between zero trust and defense in depth. She also discusses her storied career, leadership and what it's like to be a woman in technology (although she dislikes the term). Additionally, Sandi shares her advice on identifying mentors, finding your voice and battling imposter syndrome.

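Key Topics

[00:00] Introduction
[01:10] Sandi's Role at Dynatrace
[03:11] Sandi's Take on Zero Trust & Defense in Depth
[09:21] Sandi’s Career Path
[19:01] People in Technology and the Gender Gap
[25:26] Sandi's Key Takeaway for Listeners
[27:37] Tech Talk Questions
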
Quotable Quotes

On Finding Inspiration: “You just can't sleep on these pivotal people in your career whether they're ahead of you or beside you or even behind you, I’ve been inspired by people that I am mentoring.”

On Having Mentors: “Find mentors, they are just invaluable and will be throughout your whole entire career, no matter what stage you're in. At the beginning, at the middle, later in your career, they will always be indispensable for you.”

On Using Your Voice: “Speak up. Just have a voice. And if that voice in your head is planting doubt, don't listen to it. If it's coaching you on what to say and what not to say, and being wise about that, listen to that. But if it's planting seeds of doubt, you've got to, you have to push it aside. And you have to take that step. Because if you don't, you might be missing out on the next best thing.”

About Our Guest

Sandi Larsen currently serves as the Vice President of Global Security at Dynatrace. Prior to joining Dynatrace in November 2020, Sandi held various positions, including sales and systems engineering roles in cybersecurity and financial services organizations.

Episode Links

The Bear
The John Maxwell Leadership Podcast
The Tim Ferriss Show

","summary":null,"date_published":"2023-09-06T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/1c79ad54-6688-4129-bb3a-088bb827a4e4.mp3","mime_type":"audio/mpeg","size_in_bytes":47864710,"duration_in_seconds":1992}]},{"id":"23b88d34-6871-4297-b571-d9f92d982681","title":"Episode 67: Building a Community of Trust with Tom Billington, CEO of Billington CyberSecurity","url":"https://techtransforms.fireside.fm/67","content_text":"Tom Billington, CEO of Billington CyberSecurity and Producer of the Billington CyberSecurity Summit, joins Carolyn and co-host Mark Senell to discuss the upcoming 14th Annual Billington CyberSecurity Summit, what goes into creating a valuable community for both the government and the commercial sector, and the important topics that will be the basis for this year's conference.\n\nKey Topics\n\n[02:58] - Founding the Billington Cybersecurity Summit\n[09:59] - Developing Conference Topics\n[12:43] - Bridging Federal and Commercial Cybersecurity\n[16:02] - Critical Infrastructure at Billington\n[19:04] - Commercial Industry at Billington\n[21:45] - Registering for The Summit\n[22:49] - Preparing Key Conference Themes\n[24:46] - Hottest Topics at Billington This Year\n[27:03] - What’s New About Zero Trust\n[28:22] - Tech Talk Questions\n\nQuotable Quotes\n\nOn Founding Billington Cybersecurity Summit: \"I really started this business to be distinctly patriotic, to provide a serious dialogue in a way that I felt wasn't really being done at that time...So breaking into the federal cybersecurity community, to be honest, was hard as an entrepreneur. We had to build trusted relationship after trusted relationship. Over the course of 14 years, it's become decidedly easier now, now that we have had the privilege of having those trusted relationships.\"\n\nOn Zero Trust: \"Many of the areas that zero trust encompasses have been around since the profession has existed in cybersecurity. But at no other time has the U.S. 
government proclaimed the importance of this overarching field as it has in the last few years. So it becomes important for the government. It becomes important for the industry leaders who serve them.\"\n\nOn International Cyber Collaboration: \"So it's not just the U.S. team sport. It's an international team sport. The partnership with our international allies is crucially important.\"\n\nAbout Our Guest\n\nBefore launching his company in 2010, Tom Billington spent nearly two decades producing hundreds of events, publications and articles for four of the world’s leading media companies: Reader’s Digest, Phillips Business Information, BNA (now Bloomberg BNA) and Thomson Reuters. Now, Tom is the CEO and Founder of Billington CyberSecurity, a leading independent education company founded in 2010 with an exclusive focus on cybersecurity education. Every year, he hosts the Billington Cybersecurity Summit, which is known as the world's leading government summit on cybersecurity with the unique educational mission of convening the who's who in cybersecurity: the senior leadership from the U.S. government, our allied partners, and their industry and academic partners.\n\nEpisode Links\n\n14th Annual Billington Cybersecurity Summit Agenda\nAnn Dunkin on Tech Transforms\nBooks By Kevin Mitnick","content_html":"

Tom Billington, CEO of Billington CyberSecurity and Producer of the Billington CyberSecurity Summit, joins Carolyn and co-host Mark Senell to discuss the upcoming 14th Annual Billington CyberSecurity Summit, what goes into creating a valuable community for both the government and the commercial sector, and the important topics that will be the basis for this year's conference.

Key Topics


Quotable Quotes

On Founding Billington Cybersecurity Summit: "I really started this business to be distinctly patriotic, to provide a serious dialogue in a way that I felt wasn't really being done at that time...So breaking into the federal cybersecurity community, to be honest, was hard as an entrepreneur. We had to build trusted relationship after trusted relationship. Over the course of 14 years, it's become decidedly easier now, now that we have had the privilege of having those trusted relationships."

On Zero Trust: "Many of the areas that zero trust encompasses have been around since the profession has existed in cybersecurity. But at no other time has the U.S. government proclaimed the importance of this overarching field as it has in the last few years. So it becomes important for the government. It becomes important for the industry leaders who serve them."

On International Cyber Collaboration: "So it's not just the U.S. team sport. It's an international team sport. The partnership with our international allies is crucially important."

About Our Guest

Before launching his company in 2010, Tom Billington spent nearly two decades producing hundreds of events, publications and articles for four of the world’s leading media companies: Reader’s Digest, Phillips Business Information, BNA (now Bloomberg BNA) and Thomson Reuters. Now, Tom is the CEO and Founder of Billington CyberSecurity, a leading independent education company founded in 2010 with an exclusive focus on cybersecurity education. Every year, he hosts the Billington Cybersecurity Summit, which is known as the world's leading government summit on cybersecurity with the unique educational mission of convening the who's who in cybersecurity: the senior leadership from the U.S. government, our allied partners, and their industry and academic partners.

Episode Links


","summary":null,"date_published":"2023-08-23T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/bb6f6b70-bd60-4ef1-a9cd-59daa7c054ce.mp3","mime_type":"audio/mpeg","size_in_bytes":55992996,"duration_in_seconds":2331}]},{"id":"ce368d47-3f26-4c33-bdc0-9b16678aed3e","title":"Episode 66: Developing the Collective Defense with Ann Dunkin, CIO at the U.S. Department of Energy","url":"https://techtransforms.fireside.fm/66","content_text":"Ann Dunkin, Chief Information Officer (CIO) at the U.S. Department of Energy (DOE), joins Carolyn and guest host Willie Hicks to discuss the National Cybersecurity Strategy and what it takes to secure a large agency like the DOE, as well as how agencies balance cybersecurity compliance and risk management. She also highlights the DOE's role in the Partnership for Transatlantic Energy and Climate Cooperation (P-TECC) and the agency's relationship with its industry partners.Key Topics[01:47] - Effect of the National Cybersecurity Strategy on DOE Modernization Initiatives[07:59] - Risk vs. Compliance[14:17] - Protecting a Large Agency like DOE vs. Smaller Agencies[16:49] - P-TECC Overview & DOE's Work with P-TECC[23:14] - Implementing Lessons Learned from the Global Community[26:11] - DOE Modernization Efforts & The Role of Public-Private Partnerships[30:26] - Where Industry Can Improve[36:03] - Tech Talk QuestionQuotable QuotesOn the Collective Defense: \"The principles of collective defense, which underlie the cybersecurity strategy are incredibly important. That concept that we can't individually be safe, we have to work together. Once upon a time, you'd say, oh, if my cybersecurity's better than the guy down the street, they'll go down the street and forget about me. And we just can't do that. We're too interconnected. There's too much work we do together. There's too many interconnections between our systems. 
We absolutely positively have to develop that collective defense. In addition, part of that collective defense is ensuring that the burden of defense falls to those most able to deliver on that.\" - Ann DunkinOn balancing risk vs. compliance: \"The reality is we can't do all the compliance. And so we absolutely have to look at risk to prioritize it. But I would argue that you should always look at your risk and balance that against your compliance exercises. Because number one, if you do all the compliance and then you start risk mitigation, you may be missing something big. But number two, because you probably don't have enough money to do all the compliance anyway.\" - Ann DunkinOn workforce development: \"I firmly believe that we need pathways to move people in between the private and public sectors. And we need to make it easier for people to cycle between those places over the course of their career to leave government, to come back to government and to learn from each other. And also for the government through DOE and through other places to help build a workforce within the government that looks like America. And then to help the rest of America grow their workforce capabilities.\" - Ann DunkinAbout Our GuestAnn Dunkin serves as the Chief Information Officer at the U.S. Department of Energy, where she manages the Department’s information technology (IT) portfolio and modernization; oversees the Department’s cybersecurity efforts; leads technology innovation and digital transformation; and enables collaboration across the Department. Ms. Dunkin is a published author, most recently of the book Industrial Digital Transformation. Episode LinksNational Cybersecurity StrategyNational Cybersecurity Implementation PlanP-TECCHungarian Grand Prix","content_html":"

Ann Dunkin, Chief Information Officer (CIO) at the U.S. Department of Energy (DOE), joins Carolyn and guest host Willie Hicks to discuss the National Cybersecurity Strategy and what it takes to secure a large agency like the DOE, as well as how agencies balance cybersecurity compliance and risk management. She also highlights the DOE's role in the Partnership for Transatlantic Energy and Climate Cooperation (P-TECC) and the agency's relationship with its industry partners.

Key Topics


Quotable Quotes

On the Collective Defense: "The principles of collective defense, which underlie the cybersecurity strategy are incredibly important. That concept that we can't individually be safe, we have to work together. Once upon a time, you'd say, oh, if my cybersecurity's better than the guy down the street, they'll go down the street and forget about me. And we just can't do that. We're too interconnected. There's too much work we do together. There's too many interconnections between our systems. We absolutely positively have to develop that collective defense. In addition, part of that collective defense is ensuring that the burden of defense falls to those most able to deliver on that." - Ann Dunkin

On balancing risk vs. compliance: "The reality is we can't do all the compliance. And so we absolutely have to look at risk to prioritize it. But I would argue that you should always look at your risk and balance that against your compliance exercises. Because number one, if you do all the compliance and then you start risk mitigation, you may be missing something big. But number two, because you probably don't have enough money to do all the compliance anyway." - Ann Dunkin

On workforce development: "I firmly believe that we need pathways to move people in between the private and public sectors. And we need to make it easier for people to cycle between those places over the course of their career to leave government, to come back to government and to learn from each other. And also for the government through DOE and through other places to help build a workforce within the government that looks like America. And then to help the rest of America grow their workforce capabilities." - Ann Dunkin

About Our Guest

Ann Dunkin serves as the Chief Information Officer at the U.S. Department of Energy, where she manages the Department’s information technology (IT) portfolio and modernization; oversees the Department’s cybersecurity efforts; leads technology innovation and digital transformation; and enables collaboration across the Department. Ms. Dunkin is a published author, most recently of the book Industrial Digital Transformation.

Episode Links


","summary":null,"date_published":"2023-08-09T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/51871516-939d-4e7f-b9e9-81881d579c9a.mp3","mime_type":"audio/mpeg","size_in_bytes":55371338,"duration_in_seconds":2305}]},{"id":"df778a74-0f53-4d45-b37a-35279572889f","title":"Episode 65: Supply Chain Meets Modernization with Dr. Aaron Drew","url":"https://techtransforms.fireside.fm/65","content_text":"Dr. Aaron Drew, Technical Director for the Supply Chain Management (SCM) Product Line at the U.S. Department of Veterans Affairs Office of Information and Technology, joins Carolyn to discuss the challenges of supply chain, modernization and risk management. Dr. Drew outlines the steps an organization can take to modernize and maximize applications for end users as well as capitalize on data analytics to better prepare our nation for times of need. Key Topics[01:15] - Scale of Veterans Affairs [05:21] - Supply Chain Tools and Challenges[13:54] - Advice for Supply Chain Management[20:24] - Tech Procurement[24:10]- User Acceptance[27:37] - Risks of not Modernizing[32:29] - Security Requirements[36:13] - Steps to Acquisition [40:10] - Tech Talk QuestionsQuotable QuotesOn identifying a need for a new tool: \"If the tools you had before don't address that shift [in business], that change of dynamics, then that's when we have this gap. That's that delta between how you did business then and how I expect to do business tomorrow that will signify or call that ignition of this solution acquisition process.\" - Dr. Aaron DrewOn understanding user needs: \"Either you are meeting them [users] where they are, which is very important, or you've lived it, which allows you to relate and commiserate with those who are working across a day-to-day basis, that's what's going to bring you organically to the problem. That's going to allow both parties then to own the solution.\" - Dr. Aaron DrewAbout Our GuestDr. Aaron J. 
Drew is the Technical Director for the Supply Chain Management (SCM) Product Line at the U.S. Department of Veterans Affairs. Previously, Dr. Drew simultaneously served as the Chief Engineer & Chief Architect for the Financial Management Business Transformation Special Program Office (FMBT-SPO) and the Chief Engineer & Chief Architect for the Supply Chain Modernization Program.  Episode LinksMITRESmithsonian MuseumsHolocaust Museum","content_html":"

Dr. Aaron Drew, Technical Director for the Supply Chain Management (SCM) Product Line at the U.S. Department of Veterans Affairs Office of Information and Technology, joins Carolyn to discuss the challenges of supply chain, modernization and risk management. Dr. Drew outlines the steps an organization can take to modernize and maximize applications for end users as well as capitalize on data analytics to better prepare our nation for times of need.

Key Topics


Quotable Quotes

On identifying a need for a new tool: "If the tools you had before don't address that shift [in business], that change of dynamics, then that's when we have this gap. That's that delta between how you did business then and how I expect to do business tomorrow that will signify or call that ignition of this solution acquisition process." - Dr. Aaron Drew

On understanding user needs: "Either you are meeting them [users] where they are, which is very important, or you've lived it, which allows you to relate and commiserate with those who are working across a day-to-day basis, that's what's going to bring you organically to the problem. That's going to allow both parties then to own the solution." - Dr. Aaron Drew

About Our Guest

Dr. Aaron J. Drew is the Technical Director for the Supply Chain Management (SCM) Product Line at the U.S. Department of Veterans Affairs. Previously, Dr. Drew simultaneously served as the Chief Engineer & Chief Architect for the Financial Management Business Transformation Special Program Office (FMBT-SPO) and the Chief Engineer & Chief Architect for the Supply Chain Modernization Program. 

Episode Links


","summary":null,"date_published":"2023-07-26T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/8c3ebf7e-0d3d-4e87-aa48-9875e66a264c.mp3","mime_type":"audio/mpeg","size_in_bytes":74030263,"duration_in_seconds":3082}]},{"id":"b15d9817-4326-47fa-bb73-56c607af8bdd","title":"Episode 64: So What? Generative AI with Tracy Bannon","url":"https://techtransforms.fireside.fm/64","content_text":"Tracy Bannon, Senior Principal/Software Architect & DevOps Advisor at MITRE, returns to Tech Transforms for our So What segment to discuss all things generative AI. Following Tracy's presentation at the RSA Conference 2023, she and Carolyn discuss everything from software development lifecycle to the potential that various AI models may have. Key Topics[01:29] - Software Development Lifecycle: RSA Conference Recap[04:48] - Generative AI as a Service[07:36] - Potential for Disinformation [12:04] - Potential of AI for Developers[17:15] - Low Code / No Code Capabilities[26:14] - Discussion Roundup[31:14] - Tech Talk QuestionsQuotable QuotesDefinition of generative AI: \"Generative AI is under the umbrella of large language models. And a large language model is just that. It is a model where vast amounts of text data have been fed in and it uses statistical analysis to figure out the likelihood that words or phrases go together.\" - Tracy BannonOn generative AI models: \"It's only as good as the information that's going in, garbage in, garbage out.\" - Tracy BannonGenerative AI advice: ''Know that we have to really get focused on the ethics of using these tools. Know that there are big security risks, but get familiar. Get familiar. It isn't going to take your job today. It is going to augment many jobs, but it's not going to take them completely away.\" - Tracy Bannon About Our GuestTracy Bannon is a Senior Principal with MITRE Lab's Advanced Software Innovation Center. 
She is an accomplished software architect, engineer and DevSecOps advisor having worked across commercial and government clients. She thrives on understanding complex problems and working to deliver mission/business value at the speed. She’s passionate about mentoring and training, and enjoys community and knowledge building with teams, clients and the next generation. Tracy is a long-time advocate for diversity in technology, helping to narrow the gaps as a mentor, sponsor, volunteer and friend.Episode LinksSo What? Tech Transforms Federal News Roundup with Katy CraigApplying AI to the SDLC New Ideas and GotchasIt's 5:05The Kill ChainProject to ProductReal Technologists PodcastGreenlights","content_html":"

Tracy Bannon, Senior Principal/Software Architect & DevOps Advisor at MITRE, returns to Tech Transforms for our So What segment to discuss all things generative AI. Following Tracy's presentation at the RSA Conference 2023, she and Carolyn discuss everything from software development lifecycle to the potential that various AI models may have.

Key Topics


Quotable Quotes

Definition of generative AI: "Generative AI is under the umbrella of large language models. And a large language model is just that. It is a model where vast amounts of text data have been fed in and it uses statistical analysis to figure out the likelihood that words or phrases go together." - Tracy Bannon

On generative AI models: "It's only as good as the information that's going in, garbage in, garbage out." - Tracy Bannon

Generative AI advice: "Know that we have to really get focused on the ethics of using these tools. Know that there are big security risks, but get familiar. Get familiar. It isn't going to take your job today. It is going to augment many jobs, but it's not going to take them completely away." - Tracy Bannon

About Our Guest

Tracy Bannon is a Senior Principal with MITRE Lab's Advanced Software Innovation Center. She is an accomplished software architect, engineer and DevSecOps advisor having worked across commercial and government clients. She thrives on understanding complex problems and working to deliver mission/business value at the speed. She’s passionate about mentoring and training, and enjoys community and knowledge building with teams, clients and the next generation. Tracy is a long-time advocate for diversity in technology, helping to narrow the gaps as a mentor, sponsor, volunteer and friend.

Episode Links


","summary":null,"date_published":"2023-07-12T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/8d220926-f680-40a2-9b6e-cb7b38a7c492.mp3","mime_type":"audio/mpeg","size_in_bytes":50882812,"duration_in_seconds":2118}]},{"id":"d025066a-3858-4f42-8a8d-f36dbfa16a71","title":"Episode 63: Developer User Experience With Alan Gross","url":"https://techtransforms.fireside.fm/63","content_text":"Alan Gross, Solutions Architect & Tech Lead at Sandia National Laboratories, joins Carolyn to talk about how DevOps is being leveraged to support the Department of Energy's contractor operated research lab. Alan dives into some of the initiatives at Sandia National Laboratories, and how he is applying his personal philosophy around user experience ops, or \"UX Ops,\" to support the mission. Key Topics[01:12] About Sandia National Laboratories[03:50] Sandia's role in national security[06:25] DevOps versus DevSecOps [13:45] Department of Energy and Sandia [17:40] Sandia initiatives: a year of climate in a day & Hypersonic weapons[21:00] Alan's DevOps journey and advice for developers[33:55] Tech Talk questionsQuotable QuotesAlan on DevOps: \" DevOps is about trying to deliver quickly and learn from your mistakes as fast as you can. So shifting left is part of that philosophy. If you have security issues with your software, you want to know about that as quickly as possible, because if you've already deployed to production, it's almost too late.\" - Alan GrossOn what advice Alan would give to new developers: \"It's about failing fast and failing forward...How quickly can you learn new things, get new code and new products out in front of your users, and understand how they engaged with that.\" - Alan GrossAbout Our GuestAlan works as a full stack developer and technical lead at Sandia National Labs, with six years of experience in web technologies development. 
He develops within Python, Angular and .NET ecosystems, with a focus on enabling the developer experience at Sandia with novel solutions for the labs’ diverse development, software governance, security and business intelligence needs. Alan leads a team that is committed to reducing technical debt by emphasizing DevSecOps, modern application architecture (such as microservices) and data-driven outcomes.Episode LinksMollie RappePlanning and Implementation ToolTech Transforms Podcast with Dr. Stephen MagillPattern and Anomaly Detection in UXAdam Grant PodcastProject Ceti","content_html":"

Alan Gross, Solutions Architect & Tech Lead at Sandia National Laboratories, joins Carolyn to talk about how DevOps is being leveraged to support the Department of Energy's contractor operated research lab. Alan dives into some of the initiatives at Sandia National Laboratories, and how he is applying his personal philosophy around user experience ops, or "UX Ops," to support the mission.

Key Topics


Quotable Quotes

Alan on DevOps: "DevOps is about trying to deliver quickly and learn from your mistakes as fast as you can. So shifting left is part of that philosophy. If you have security issues with your software, you want to know about that as quickly as possible, because if you've already deployed to production, it's almost too late." - Alan Gross

On what advice Alan would give to new developers: "It's about failing fast and failing forward...How quickly can you learn new things, get new code and new products out in front of your users, and understand how they engaged with that." - Alan Gross

About Our Guest

Alan works as a full stack developer and technical lead at Sandia National Labs, with six years of experience in web technologies development. He develops within Python, Angular and .NET ecosystems, with a focus on enabling the developer experience at Sandia with novel solutions for the labs’ diverse development, software governance, security and business intelligence needs. Alan leads a team that is committed to reducing technical debt by emphasizing DevSecOps, modern application architecture (such as microservices) and data-driven outcomes.

Episode Links


","summary":null,"date_published":"2023-06-21T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/419d8efb-ca17-488b-8501-9bc7e4ddca90.mp3","mime_type":"audio/mpeg","size_in_bytes":63894574,"duration_in_seconds":2660}]},{"id":"6ff91ed5-df5d-444a-9522-69874f18e52e","title":"Episode 62: Power in the Age of AI with Author Paul Scharre","url":"https://techtransforms.fireside.fm/62","content_text":"Paul Scharre, Vice President and Director of Studies, at Center for a New American Security (CNAS), joins Carolyn and Mark to dive into his newest book, Four Battlegrounds: Power in the Age of Artificial Intelligence. From the first time he recognized the power AI could hold, to the ways AI may put us on a path to global peace, Paul offers valuable insight and perspective on the field of artificial intelligence and machine learning.Key Topics[01:44] About Paul Scharre[02:50] When Paul Scharre recognized the power of AI [07:17] The four Elements of the Battlegrounds[12:57] Paul Scharre's take on the technological divide in the United States, and how we can solve it[20:10] U.S.'s standing in comparison to Nation-State adversaries [26:18] Establishing globally agreed upon AI guardrails [31:45] The exponential growth of AI[42:12] Top requirements to achieve global peaceQuotable QuotesOn Paul's main focus when working at the Pentagon: \"How can we use robotics to help create more distance between our service members and threats?\" - Paul ScharreRole of humans in AI: \"Having data and computing hardware, having chips alone, doesn't get you to some meaningful AI tool. 
You also need the human talent\" - Paul ScharreOn adversary AI advancement: \"Fundamentally, both the US and China are going to have access to AI technology, to robust AI ecosystems, big tech companies, startups within each country, and the bigger challenge is going to be: How does the military take this technology, work with its civilian AI scientists, and then translate this into useful military applications?\" - Paul ScharreAbout Our GuestPaul Scharre is the Vice President and Director of Studies at the Center for a New American Security. Prior to this role and becoming an award-winning author, Scharre worked in the Office of the Secretary of Defense (OSD) where he played a leading role in establishing policies on unmanned and autonomous systems and emerging weapons technologies. He led the Department of Defense (DoD) working group that drafted DoD Directive 3000.09, establishing the department’s policies on autonomy in weapon systems. He also led DoD efforts to establish policies on intelligence, surveillance, and reconnaissance programs and directed energy technologies.Episode LinksProject MavenArmy of None","content_html":"

Paul Scharre, Vice President and Director of Studies at the Center for a New American Security (CNAS), joins Carolyn and Mark to dive into his newest book, Four Battlegrounds: Power in the Age of Artificial Intelligence. From the first time he recognized the power AI could hold, to the ways AI may put us on a path to global peace, Paul offers valuable insight and perspective on the field of artificial intelligence and machine learning.

Key Topics


Quotable Quotes

On Paul's main focus when working at the Pentagon: "How can we use robotics to help create more distance between our service members and threats?" - Paul Scharre

Role of humans in AI: "Having data and computing hardware, having chips alone, doesn't get you to some meaningful AI tool. You also need the human talent." - Paul Scharre

On adversary AI advancement: "Fundamentally, both the US and China are going to have access to AI technology, to robust AI ecosystems, big tech companies, startups within each country, and the bigger challenge is going to be: How does the military take this technology, work with its civilian AI scientists, and then translate this into useful military applications?" - Paul Scharre

About Our Guest

Paul Scharre is the Vice President and Director of Studies at the Center for a New American Security. Prior to this role and becoming an award-winning author, Scharre worked in the Office of the Secretary of Defense (OSD) where he played a leading role in establishing policies on unmanned and autonomous systems and emerging weapons technologies. He led the Department of Defense (DoD) working group that drafted DoD Directive 3000.09, establishing the department’s policies on autonomy in weapon systems. He also led DoD efforts to establish policies on intelligence, surveillance, and reconnaissance programs and directed energy technologies.

Episode Links


","summary":null,"date_published":"2023-06-07T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/51ba8be8-46fa-4ee8-bf4c-1d61a54318f7.mp3","mime_type":"audio/mpeg","size_in_bytes":68212841,"duration_in_seconds":2840}]},{"id":"6759ff50-6a46-4da2-afa4-3c7d72d1bbed","title":"Episode 61: Automated Governance with Michael Edenzon","url":"https://techtransforms.fireside.fm/61","content_text":"This week, Michael Edenzon, Co-Founder of Fianu Labs, joins Tech Transforms to talk about why automated governance is so critical to mission success. Michael also provides some great insight into his recently co-authored book Investments Unlimited.Key Topics[02:08] About Fianu Labs[04:54] What passes as evidence and how does it play into automated governance?[09:29] Michael's book: Investments Unlimited[16:50] Automated governance vs. Authority to Operate[28:33] Taking software asset inventory[35:40] Tech Talk Q&AQuotable QuotesOn what counts as evidence in the context of software governance: \"Our real focus in that regard is trying to get people to realize that evidence isn't just this random metadata that's captured from here and there, but instead it's going through all of the enrichment and providing all of the context that's necessary for an auditor to come and reproduce those results that you're using to base your enforcement off of.\" - Michael EdenzonOn how automated governance relates to Authority to Operate: \"It [automated governance] is a method for achieving the ATO. So it can accelerate your ATO process and it can help you reach it faster, but what automated governance really is, is a means of achieving continuous ATO.\" - Michael EdenzonAbout Our GuestMichael Edenzon is a senior IT leader and engineer that modernizes and disrupts the technical landscape for highly-regulated organizations. 
Michael provides technical design, decisioning, and solutioning across complex verticals and leverages continuous learning practices to drive organizational change. He is a fervent advocate for the developer experience and believes that enablement-focused automation is the key to building compliant software at scale.Episode LinksInvestments UnlimitedToyota KataFailure is Not an Option","content_html":"

This week, Michael Edenzon, Co-Founder of Fianu Labs, joins Tech Transforms to talk about why automated governance is so critical to mission success. Michael also provides some great insight into his recently co-authored book Investments Unlimited.

Key Topics


Quotable Quotes

On what counts as evidence in the context of software governance: "Our real focus in that regard is trying to get people to realize that evidence isn't just this random metadata that's captured from here and there, but instead it's going through all of the enrichment and providing all of the context that's necessary for an auditor to come and reproduce those results that you're using to base your enforcement off of." - Michael Edenzon

On how automated governance relates to Authority to Operate: "It [automated governance] is a method for achieving the ATO. So it can accelerate your ATO process and it can help you reach it faster, but what automated governance really is, is a means of achieving continuous ATO." - Michael Edenzon

About Our Guest

Michael Edenzon is a senior IT leader and engineer that modernizes and disrupts the technical landscape for highly-regulated organizations. Michael provides technical design, decisioning, and solutioning across complex verticals and leverages continuous learning practices to drive organizational change. He is a fervent advocate for the developer experience and believes that enablement-focused automation is the key to building compliant software at scale.

Episode Links


","summary":null,"date_published":"2023-05-25T09:00:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/bc7b9602-9371-4250-bce8-78f90964f6ad.mp3","mime_type":"audio/mpeg","size_in_bytes":55836377,"duration_in_seconds":2324}]},{"id":"1716a45b-f5a9-4dc8-b159-b66815a96db0","title":"Episode 60: The Scoop with Nihal Krishan Part 2: TikTok","url":"https://techtransforms.fireside.fm/60","content_text":"In this episode of Tech Transforms, Nihal Krishan, tech reporter at FedScoop, discusses how and where the American government is lagging behind in technology, but there is a focus on modernization to improve the situation. We also talk about the need for comprehensive data privacy legislation and how budget caps may impact government agencies' modernization initiatives. Additionally, we explore concerns surrounding TikTok's ownership and data privacy, as well as the addiction and potentially harmful effects of the platform. We also touch on the importance of respecting sources as a journalist and provide a few podcast recommendations. Finally, we look at the challenges in understanding algorithms used by TikTok and how they could be used to promote divisive content. Join us to learn about these transformative topics in the tech world!Introducing Our Guest, Nihal KrishanNihal Krishan is a journalist who has covered the controversies surrounding TikTok. He highlights the privacy violations committed by the company when it accessed journalists' personal information to control their narrative. Krishan also acknowledges the legitimate fears surrounding the app since TikTok's parent company is based in China. However, he notes that there is no objective evidence of the Chinese government misusing American data obtained through TikTok. He raises the question of whether American social media companies are any better at safeguarding data than TikTok. 
Krishan argues that the debate over TikTok highlights the need for data privacy legislation in Congress.\n\nKey Topics:\nGovernment Budget and IT Modernization\nPrivacy and Security on TikTok\nSocial Media and Data Privacy\n\nEpisode Highlights:\n[00:00:57] TikTok has been criticized for invading journalists' privacy to control their perceptions of the app, but the evidence for harm is primarily based on perception and politics. There are concerns about Chinese government access to American data, but it has not been proven yet. The issue of data privacy is a larger problem for social media companies in general and calls for legislation.\n[00:06:04] TikTok is a popular Chinese-owned social media platform with almost a billion users, mainly Gen Z, and its popularity has caused concerns about national security and data privacy in the US.\n[00:10:13] Understanding TikTok's algorithms is like understanding Facebook and Google's algorithms. The government is concerned that TikTok could sow seeds of discord like how Russians did in 2016 on Facebook. It's a complicated problem faced by all social media platforms.\n[00:12:29] TikTok is highly addictive and has a powerful algorithm that tailors to a user's preferences. Instagram and other apps are trying to copy its success. Concerns arise over its safety and effects on users, especially children and those with attention issues, requiring regulations.\n[00:14:57] Data privacy laws are crucial for people who don't have time to limit their phone and social media use. 
Bipartisan support exists for children's data and app time protection, but comprehensive legislation is still needed.\n[00:18:54] US government lags behind in technology; modernization is a key issue for federal agencies and Congress has formed an IT Modernization Committee to improve it, but bureaucracy and political battles affect appropriations for IT modernization.\n[00:22:31] Caps on spending for agencies may hamper modernization efforts.\n[00:24:18] Budget cuts expected on unspecified agencies and programs; impact and details unknown. Reporting on changes to come. Cybersecurity noted.\n[00:25:50] Journalists rely on trust to get information and protect sources. Most people's comments are not newsworthy, and journalists don't report everything they hear. Building relationships and protecting sources is important for breaking good stories.\n\nQuotable Quotes From Nihal Krishan\n\nTikTok and the potential for social media manipulation: \"If we allow this to go forth unchecked, it could reach a point where TikTok just continues to get more and more popular. And then they start sowing seeds of discord.\" — Nihal Krishan\n\n\"The Addictive Power of TikTok\": \"It is highly, highly addictive... hours, days, years, it just gets better and better at giving you exactly that little delicious treat that makes your mind go gaga with pleasure or go dark with fear and play at the human mind.\" — Nihal Krishan\n\nThe Importance of IT Modernization in Government: \"I think it's important to remember that from the industry's perspective and for many Americans, the American government is still severely lagging behind when it comes to technology.\" — Nihal Krishan","content_html":"

In this episode of Tech Transforms, Nihal Krishan, tech reporter at FedScoop, discusses how and where the American government is lagging behind in technology, but there is a focus on modernization to improve the situation. We also talk about the need for comprehensive data privacy legislation and how budget caps may impact government agencies' modernization initiatives. Additionally, we explore concerns surrounding TikTok's ownership and data privacy, as well as the addiction and potentially harmful effects of the platform. We also touch on the importance of respecting sources as a journalist and provide a few podcast recommendations. Finally, we look at the challenges in understanding algorithms used by TikTok and how they could be used to promote divisive content. Join us to learn about these transformative topics in the tech world!

Introducing Our Guest, Nihal Krishan

Nihal Krishan is a journalist who has covered the controversies surrounding TikTok. He highlights the privacy violations committed by the company when it accessed journalists' personal information to control their narrative. Krishan also acknowledges the legitimate fears surrounding the app since TikTok's parent company is based in China. However, he notes that there is no objective evidence of the Chinese government misusing American data obtained through TikTok. He raises the question of whether American social media companies are any better at safeguarding data than TikTok. Krishan argues that the debate over TikTok highlights the need for data privacy legislation in Congress.

Key Topics:


Episode Highlights:


Quotable Quotes From Nihal Krishan

TikTok and the potential for social media manipulation: \"If we allow this to go forth unchecked, it could reach a point where TikTok just continues to get more and more popular. And then they start sowing seeds of discord.\" — Nihal Krishan

\"The Addictive Power of TikTok\": \"It is highly, highly addictive... hours, days, years, it just gets better and better at giving you exactly that little delicious treat that makes your mind go gaga with pleasure or go dark with fear and play at the human mind.\" — Nihal Krishan

The Importance of IT Modernization in Government: \"I think it's important to remember that from the industry's perspective and for many Americans, the American government is still severely lagging behind when it comes to technology.\" — Nihal Krishan

","summary":null,"date_published":"2023-05-11T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/6af705a1-4c53-46de-995e-41e15da2fa0a.mp3","mime_type":"audio/mpeg","size_in_bytes":51160070,"duration_in_seconds":2131}]},{"id":"375b82ec-47d4-4ade-b49b-21fa21f23427","title":"Episode 59: The Scoop with Nihal Krishan Part 1: ChatGPT","url":"https://techtransforms.fireside.fm/59","content_text":"Nihal Krishan, Tech Reporter at FedScoop joins Carolyn for a special two-part episode to talk about some of the hottest topics in government tech. In Part 1, Nihal gives some eye-opening insight on all things ChatGPT including security, privacy, and national bans.Episode Table of Contents[0:25] Introducing Our Guest, Nihal Krishan[7:39] We Need to Upskill[15:45] How the U.S. Government Is Dealing With ChatGPT[23:00] Stanford University Human Center Artificial Intelligence Index Report of 2023Episode Links and ResourcesEpisode Links and ResourcesNihal KrishanFedScoopStanford University Human Centered Artificial Intelligence Index Report","content_html":"

Nihal Krishan, Tech Reporter at FedScoop, joins Carolyn for a special two-part episode to talk about some of the hottest topics in government tech. In Part 1, Nihal gives some eye-opening insight on all things ChatGPT, including security, privacy, and national bans.

Episode Table of Contents


Episode Links and Resources


","summary":null,"date_published":"2023-05-09T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/7db279f2-6a7a-460d-85e6-3984689bf8e7.mp3","mime_type":"audio/mpeg","size_in_bytes":41343904,"duration_in_seconds":1722}]},{"id":"ed202804-64ed-4829-b7fa-3ffbefb9ed89","title":"Episode 58: Baked-In Security with Col. Frost at U.S. Cyber Command","url":"https://techtransforms.fireside.fm/58","content_text":"Col. Candice Frost, JIOC Commander at United States Cyber Command joins Carolyn and Mark to talk about her journey as a lifelong-learner, and how she is applying her skills to the innovative work at Cyber Command. From the importance of public-private partnerships, to teaching our kids healthy cyber security habits, Col. Frost offers her valuable insights on how we can all think innovatively and better secure our nation.Episode Table of Contents[0:29] Col. Frost’s Journey to Being the JIOC Commander at US Cyber Command[8:04] How US Cyber Command Came to Be[16:04] Understanding the Nature and Psychology of War[23:35] The Parts Played by US Cyber Command in Our Security[30:46] The Thrill of Working at US Cyber Command[37:55] How US Cyber Command Keeps Everyone Safe[44:31] Nothing is True and Everything is PossibleEpisode Links and ResourcesCol. Frost LinkedInU.S. Cyber CommandAfternoon Cyber TeaClick Here PodcastSpies Lies and AlgorithmsNothing is True and Everything is PossibleThe Wires of War","content_html":"

Col. Candice Frost, JIOC Commander at United States Cyber Command, joins Carolyn and Mark to talk about her journey as a lifelong learner, and how she is applying her skills to the innovative work at Cyber Command. From the importance of public-private partnerships to teaching our kids healthy cyber security habits, Col. Frost offers her valuable insights on how we can all think innovatively and better secure our nation.

Episode Table of Contents


Episode Links and Resources


","summary":null,"date_published":"2023-04-26T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/ef9645d6-a9e3-4559-b5e5-102ca4588933.mp3","mime_type":"audio/mpeg","size_in_bytes":72905576,"duration_in_seconds":3037}]},{"id":"c16ec854-f32d-4ca3-96f1-6da42c8696f6","title":"Episode 57: Design, Build, Deploy, and Maintain with Commander Jonathan White at U.S. Coast Guard","url":"https://techtransforms.fireside.fm/57","content_text":"Commander Jonathan White, Cloud and Data Branch Chief at the United States Coast Guard joins Carolyn and Mark to talk about the groundbreaking developments his team is doing with C5I. Commander White stresses the importance of public-private partnerships, and gives tips on how agencies can better approach the future of technology.Episode Table of Contents[0:33] What Is C5I?[7:54] What Are the Goals of C5I[15:12] What the Future Holds for C5I[22:35] Commander White’s Favorite Project Pre C5I[29:39] What Role Has Industry Played for C5I[35:14] Pieces of Advice[40:23] From the First Piece of Technology to C5I[45:16] Introduction to AIEpisode Links and ResourcesEpisode Links and ResourcesCommander WhiteUSCGHack Your Bureaucracy","content_html":"

Commander Jonathan White, Cloud and Data Branch Chief at the United States Coast Guard, joins Carolyn and Mark to talk about the groundbreaking developments his team is doing with C5I. Commander White stresses the importance of public-private partnerships and gives tips on how agencies can better approach the future of technology.

Episode Table of Contents


Episode Links and Resources


","summary":null,"date_published":"2023-04-12T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/e3fb1f6d-4296-448d-a388-4ed2ffd04ae8.mp3","mime_type":"audio/mpeg","size_in_bytes":72125096,"duration_in_seconds":3004}]},{"id":"1ab0a2ed-e266-484e-9bac-1f6608952202","title":"Episode 56: Safeguarding Our Most Trusted Software with Open Source Technology with Stephen Magill","url":"https://techtransforms.fireside.fm/56","content_text":"Stephen Magill, Vice President, Product Innovation at Sonatype dives into the complexities of open source and software security. Find out how government agencies are utilizing open source, and what Sonatype is doing to help secure our most trusted software.Episode Table of Contents[0:23] The Core Focus Area of Open Source Technology[7:24] The Security Measures Open Source Implements[14:32] A Vulnerability in the Open Source[21:42] The Vulnerability Log4j Poses in the Open Source[29:06] Identifying the Root of the Problem[36:01] Watching Out for Malicious CodeEpisode Links and ResourcesStephen MagillSonatypeSonatype Safety RatingMaven Central","content_html":"

Stephen Magill, Vice President, Product Innovation at Sonatype, dives into the complexities of open source and software security. Find out how government agencies are utilizing open source, and what Sonatype is doing to help secure our most trusted software.

Episode Table of Contents


Episode Links and Resources


","summary":null,"date_published":"2023-03-29T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/b9eb96f0-e122-4acf-ad8e-cb6620d00723.mp3","mime_type":"audio/mpeg","size_in_bytes":59953593,"duration_in_seconds":2497}]},{"id":"cf707108-eabd-437f-a77e-db8e7ee0565e","title":"Episode 55: The Scoop on Federal Technology with Billy Mitchell","url":"https://techtransforms.fireside.fm/55","content_text":"Billy Mitchell, Editor-in-Chief at FedScoop joins Carolyn to discuss surveillance, national intelligence, the benefit of partnerships, and more. Billy gives his perspective on today's hot topics in federal technology, and what he thinks may be coming next.Episode Table of Contents[0:23] Federal Technology and Its Battle Against Balloons[7:18] Varying Opinions Towards Federal Technology Problems[14:41] Federal Technology Embraces Industry Technology[21:56] Federal Technology Means Business[29:33] Implementation of Zero Trust in Federal Technology[36:54] Billy Mitchell’s First Encounter With TechnologyEpisode Links and ResourcesBilly MitchellFedScoopThe Last of Us","content_html":"

Billy Mitchell, Editor-in-Chief at FedScoop, joins Carolyn to discuss surveillance, national intelligence, the benefit of partnerships, and more. Billy gives his perspective on today's hot topics in federal technology, and what he thinks may be coming next.

Episode Table of Contents


Episode Links and Resources


","summary":null,"date_published":"2023-03-15T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/61a6f8ae-7890-4e08-b690-e2512841d77a.mp3","mime_type":"audio/mpeg","size_in_bytes":63017568,"duration_in_seconds":2625}]},{"id":"4a9056a8-3d32-4e80-adc8-902c576e27c6","title":"Episode 54: Veterans Affairs: Better, Faster, Safer with Dan McCune, Deputy Chief Information Officer","url":"https://techtransforms.fireside.fm/54","content_text":"Dan McCune, Deputy Chief Information Officer at U.S. Department of Veterans Affairs joins Carolyn and Mark to discuss the transformative work happening at the VA. With millions of end users, Dan explains how his dedicated teams are working to make the VA better, faster, and safer for our veterans.Episode Table of Contents[0:29] The Place to Go for Veterans Affairs[7:51] Veterans Affairs Approach Towards Modernization[14:53] The Forcing Function of Veterans Affairs[21:48] Veterans Affairs Makes Things Easy for Veterans[31:29] How AI Can Improve Veterans Affairs Services[40:44] The Next Big Leap in TechnologyEpisode Links and ResourcesDaniel McCuneVACompeting in the age of AIInnovator’s DilemmaAtomic HabitsThe Power of full engagementAxis of Awesome","content_html":"

Dan McCune, Deputy Chief Information Officer at the U.S. Department of Veterans Affairs, joins Carolyn and Mark to discuss the transformative work happening at the VA. With millions of end users, Dan explains how his dedicated teams are working to make the VA better, faster, and safer for our veterans.

Episode Table of Contents


Episode Links and Resources


","summary":null,"date_published":"2023-03-01T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/70a82021-c77d-4f70-a87e-acd078067e65.mp3","mime_type":"audio/mpeg","size_in_bytes":64816658,"duration_in_seconds":2699}]},{"id":"abec9656-a886-4100-b511-753fd71b1bbb","title":"Episode 53: UK Home Office: Metrics Meets Service with Dimitris Perdikou","url":"https://techtransforms.fireside.fm/53","content_text":"Dimitris Perdikou, Head of Engineering at the UK Home Office, Migration and Borders joins Carolyn and Mark to discuss the innovative undertakings of one of the largest and most successful cloud platforms in the UK. With over 3,000 technical users, and millions of end users, Dimitris sheds some light on his experience with SRE, User Experience, and Service Monitoring.Episode Table of Contents[0:21] Inside the Massive Programs That the UK Home Office Offers[7:00] The Importance of Observing Cost Efficiency[12:25] The Monitoring Pack of the UK Home Office[17:59] UK Home Office Take on a Good User Experience[24:09] Why UK Home Office Didnt Have to Reinvent the Wheel[30:20] Let the Experts Do Their JobEpisode Links and ResourcesEpisode Links and ResourcesDimitris PerdikouUK Home OfficeNCSCThe Happiness LabThe Art of Happiness","content_html":"

Dimitris Perdikou, Head of Engineering at the UK Home Office, Migration and Borders, joins Carolyn and Mark to discuss the innovative undertakings of one of the largest and most successful cloud platforms in the UK. With over 3,000 technical users, and millions of end users, Dimitris sheds some light on his experience with SRE, User Experience, and Service Monitoring.

Episode Table of Contents


Episode Links and Resources


","summary":null,"date_published":"2023-02-08T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/0b43bd24-3bbc-42e9-9d2d-20455a7e0488.mp3","mime_type":"audio/mpeg","size_in_bytes":53074324,"duration_in_seconds":2210}]},{"id":"be2133f7-52b4-436e-b192-b98027f67f22","title":"Episode 52: N.W.O.W. with Jamie Holcombe, Chief Information Officer at USPTO","url":"https://techtransforms.fireside.fm/52","content_text":"Jamie Holcombe, Chief Information Officer at USPTO joins Carolyn and special guest host Willie Hicks to talk about Zero Trust, PMO, encryption and more. Listen in to learn about the innovative steps USPTO has taken to develop New Ways of Working.Episode Table of Contents[0:41] Zero Trust According to Jamie Holcombe, CIO of USPTO[7:56] The Effects of Reauthentication[13:09] You Need to Have a Focus and a Mission[18:46] New Ways of Working[25:43] Not Everything Needs to Be Protected[32:59] USPTO’s Four Pillars of Intellectual PropertyEpisode Links and ResourcesEpisode Links and ResourcesJamie Holcombe USPTO For All MankindFoundation","content_html":"

Jamie Holcombe, Chief Information Officer at USPTO, joins Carolyn and special guest host Willie Hicks to talk about Zero Trust, PMO, encryption and more. Listen in to learn about the innovative steps USPTO has taken to develop New Ways of Working.

Episode Table of Contents


Episode Links and Resources


","summary":null,"date_published":"2023-01-25T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/4952f311-2e08-4356-a7f6-918d21e91337.mp3","mime_type":"audio/mpeg","size_in_bytes":66060216,"duration_in_seconds":2751}]},{"id":"0a149197-2260-40bc-8355-a28affbf0361","title":"Episode 51: Feed Drop: Willie Hicks On Federal Tech Podcast","url":"https://techtransforms.fireside.fm/51","content_text":"Willie Hicks, Dynatrace’s Federal Chief Technologist recently appeared on the Federal Tech Podcast. It is such a great interview we wanted to make sure our Tech Transforms audience got to listen. Enjoy this crossover episode with Federal Tech Podcast! Episode Links and ResourcesEp. 42 Vulnerability Management for Federal SystemsFederal Tech PodcastWillie Hicks","content_html":"

Willie Hicks, Dynatrace’s Federal Chief Technologist, recently appeared on the Federal Tech Podcast. It is such a great interview that we wanted to make sure our Tech Transforms audience got to listen. Enjoy this crossover episode with Federal Tech Podcast!

Episode Links and Resources

Ep. 42 Vulnerability Management for Federal Systems

Federal Tech Podcast

Willie Hicks

","summary":null,"date_published":"2023-01-05T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/52317a9e-cff2-4ee0-9cc9-9449f03db7ba.mp3","mime_type":"audio/mpeg","size_in_bytes":41691725,"duration_in_seconds":1736}]},{"id":"89ab63ef-8523-4776-99d3-7b86272a9274","title":"Episode 50: So What? Taking A Closer Look with Nicolas Chaillan, Former Air Force Chief Software Officer","url":"https://techtransforms.fireside.fm/50","content_text":"Nicolas Chaillan joins Carolyn and Tracy to shed some light on his experience in the Air Force and gives his thoughts on government movement in the past year. Nicolas talks about the importance of social media privacy and protection. Episode Table of Contents[0:59] Introducing Our Guest, Nicolas Chaillan[10:06] Have We Regressed in Cyber?[17:58] There Is a Reward for Not Taking Risks[24:29] The Worst Thing That Ever Happened Was Agile[31:46] The Amount of Information TikTok Gather[40:17] We Need to Teach the Basics of Life to KidsEpisode Links and ResourcesEpisode Links and ResourcesNicolas ChaillanLinkedInIn goodbye message, Chaillan unloads his frustrations over DoD’s technology culture, processes","content_html":"

Nicolas Chaillan joins Carolyn and Tracy to shed some light on his experience in the Air Force and gives his thoughts on government movement in the past year. Nicolas talks about the importance of social media privacy and protection.

Episode Table of Contents


Episode Links and Resources


","summary":null,"date_published":"2022-12-21T08:00:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/7b406735-a758-464f-970e-9a2c836a687b.mp3","mime_type":"audio/mpeg","size_in_bytes":74903522,"duration_in_seconds":3120}]},{"id":"567cf0d1-441d-44e3-bb12-46be52ce4cb5","title":"Episode 49: Armchair Quarterback: Tech Trends with John Curran","url":"https://techtransforms.fireside.fm/49","content_text":"John Curran, Executive Editor at MeriTalk joins Carolyn to discuss 2022 technology trends and shares his predictions for federal technology in 2023. Episode Table of Contents[0:25] The Armchair Quarterback[8:08] Are There Agency Efforts in 2022?[15:45] Technology Trends on Implementing DevSecOps[21:36] The Big Technology Trends Coming on 2023[26:56] Technology Trends Need to Be User Friendly Episode Links and ResourcesEpisode Links and ResourcesJohn CurranMeriTalkMax Hastings","content_html":"

John Curran, Executive Editor at MeriTalk, joins Carolyn to discuss 2022 technology trends and shares his predictions for federal technology in 2023.

Episode Table of Contents


Episode Links and Resources


","summary":null,"date_published":"2022-12-14T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/a5a25876-2e5f-4c9d-82a9-6a3911c7a103.mp3","mime_type":"audio/mpeg","size_in_bytes":48034276,"duration_in_seconds":2000}]},{"id":"660a19b6-a4cc-454e-970e-938032d86a17","title":"Episode 48: Application Management for Federal Government","url":"https://techtransforms.fireside.fm/48","content_text":"Andrey Zhuk, Federal Security Architect at CTG joins Tech Transforms to unpack the topic every agency is talking about: cybersecurity mandates. Listen in to learn more about Andrey's recent eBook breaking down who mandates affect, why they are important, and how agencies can successfully meet requirements.Episode Table of Contents[00:24] Introducing Our Guest, Andrey Zhuk[08:48] The Rate of Change in Cybersecurity Mandates[18:43] Break and Inspect[28:26] Show Progress on Cybersecurity MandatesEpisode Links and ResourcesEpisode Links and ResourcesAndrey ZhukConversational Application Management for Federal Government eBookMandates - 1428OMB 2209Ray Dalio PrinciplesWe Crashed","content_html":"

Andrey Zhuk, Federal Security Architect at CTG, joins Tech Transforms to unpack the topic every agency is talking about: cybersecurity mandates. Listen in to learn more about Andrey's recent eBook breaking down who mandates affect, why they are important, and how agencies can successfully meet requirements.

Episode Table of Contents


Episode Links and Resources


","summary":null,"date_published":"2022-11-16T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/da757f71-d8f1-4cc3-adac-6a06e3058a09.mp3","mime_type":"audio/mpeg","size_in_bytes":58383220,"duration_in_seconds":2432}]},{"id":"a5661882-4e3a-483b-a13b-45fd09ae4b29","title":"Episode 47: So What? Federal News Roundup on Psychological Safety","url":"https://techtransforms.fireside.fm/47","content_text":"Duong Hang, Deputy Director at the Department of Defense Platform One joins Tech Transforms to address a topic that's been circulating recent headlines: Psychological Safety. Listen live as Carolyn and Tracy learn how agencies and organizations can implement psychological safety to improve retention and operations.Episode Table of Contents[04:00] What Is Psychological Safety[10:35] The Challenge of Safeguarding Employee’s Psychological Safety[19:48] Command and Control[28:56] Closer Proximity Help Build Psychological Safety[35:56] Psychological Safety Starts From the Top[44:14] Psychological Safety Can Be ObservedEpisode Links and ResourcesDuong HangDoD Platform 1Think Again","content_html":"

Duong Hang, Deputy Director at the Department of Defense Platform One, joins Tech Transforms to address a topic that's been circulating recent headlines: Psychological Safety. Listen live as Carolyn and Tracy learn how agencies and organizations can implement psychological safety to improve retention and operations.

Episode Table of Contents


Episode Links and Resources


","summary":null,"date_published":"2022-11-02T13:00:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/5d032fde-3a77-4f64-8ee6-30bfaa99ba08.mp3","mime_type":"audio/mpeg","size_in_bytes":47543219,"duration_in_seconds":3394}]},{"id":"2e08c0fc-9845-45a3-a92e-29baccaf353d","title":"Episode 46: So What? Federal News Roundup on Zero Trust with Paul Puckett, Director of the Army’s Enterprise Cloud Management Agency","url":"https://techtransforms.fireside.fm/46","content_text":"Paul Puckett, Director of the Army’s Enterprise Cloud Management Agency joins Tech Transforms to shed some light on one of government technology's most used buzzwords: Zero Trust. Listen in as Carolyn and Tracy learn what it really means to remove implicit trust and how agencies are prioritizing user experience and data protection. Episode Table of Contents[01:03] The Enterprise Cloud Management Agency[10:41] The Context of Zero Trust [19:55] A Zero Trust Reference Architecture[29:28] Protecting the Data that Falls to the Zero Trust Architecture[39:00] The Traditional Dogma[50:07] Data Sharing on Zero TrustEpisode Links and ResourcesEpisode Links and ResourcesPaul Puckett ECMAWhite House Memo on Zero TrustZero Trust Architecture","content_html":"

Paul Puckett, Director of the Army’s Enterprise Cloud Management Agency, joins Tech Transforms to shed some light on one of government technology's most used buzzwords: Zero Trust. Listen in as Carolyn and Tracy learn what it really means to remove implicit trust and how agencies are prioritizing user experience and data protection.

Episode Table of Contents


Episode Links and Resources


","summary":null,"date_published":"2022-09-28T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/c71a7d39-eac1-44a0-a024-1df36c1fae80.mp3","mime_type":"audio/mpeg","size_in_bytes":47521502,"duration_in_seconds":3393}]},{"id":"0f1cfe27-e841-4e6e-8921-3dba12f6d815","title":"Episode 45: Government Technology News: Funding, Contracting and Defense with Ross Wilkers","url":"https://techtransforms.fireside.fm/45","content_text":"Ross Wilkers, Senior Staff Reporter at Washington Technology talks to Carolyn and Mark about some of the hottest topics in government technology news. With insight on the 2023 Defense Funding Bill, government contracting and Alliant 3, Ross provides a unique perspective on what defense IT teams may see in the coming months. Episode Table of Contents[00:56] Government Contracting and Government Technology News[09:21] Programs to Help Agencies[20:08] Fishing on a Boat for Government Technology News[31:37] Government Technology News Just Dominate [41:03] Trying to Capture HQ2Episode Links and ResourcesEpisode Links and ResourcesRoss WilkersProject 382023 Defense Funding BillAlliant 3","content_html":"

Ross Wilkers, Senior Staff Reporter at Washington Technology, talks to Carolyn and Mark about some of the hottest topics in government technology news. With insight on the 2023 Defense Funding Bill, government contracting and Alliant 3, Ross provides a unique perspective on what defense IT teams may see in the coming months.

Episode Table of Contents


Episode Links and Resources


","summary":null,"date_published":"2022-09-21T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/ceda8389-8dad-41a1-ab2f-38a3163cb479.mp3","mime_type":"audio/mpeg","size_in_bytes":40168221,"duration_in_seconds":2868}]},{"id":"45eea228-dcc2-49e7-90b9-8391a1d33c88","title":"Episode 44: The Power of Partnerships: Bringing Speed and Security with Amy Belcher","url":"https://techtransforms.fireside.fm/44","content_text":"Amy Belcher, Independent Software Vender Sales and Go To Market Leader at Amazon Web Services joins Tech Transforms to talk about her team's mission to satisfy compliance for agencies across the globe. With speed to deployment, flexibility and security, Amy and her team support organizations maximizing local control and global reach.Episode Table of Contents[00:52] The Importance of Industry Partnerships [08:19] Productive and Creative Partnerships[18:24] The Depth of PartnershipsEpisode Links and ResourcesEpisode Links and ResourcesAmy BelcherAWSThe Five Dysfunctions of a TeamNever Split the Difference","content_html":"

Amy Belcher, Independent Software Vendor Sales and Go To Market Leader at Amazon Web Services, joins Tech Transforms to talk about her team's mission to satisfy compliance for agencies across the globe. With speed to deployment, flexibility and security, Amy and her team support organizations maximizing local control and global reach.

Episode Table of Contents


Episode Links and Resources


","summary":null,"date_published":"2022-09-14T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/468dc2c5-2e45-481b-8407-e8c31af19005.mp3","mime_type":"audio/mpeg","size_in_bytes":23500834,"duration_in_seconds":1677}]},{"id":"2b2a6348-5375-4f46-b05e-eef15d8f6678","title":"Episode 43: The Scoop on Defense with Colin Demarest","url":"https://techtransforms.fireside.fm/43","content_text":"Colin Demarest, Defense Networks and Cyber Reporter at C4ISRNET joins Tech Transforms to talk about some of his recent articles focused on 5G, aerial networks, and upcoming Capability Sets. Listen in as Carolyn and Mark learn about the ever-evolving field of defense and what emerging technology can do to support the mission.Episode Table of Contents[00:30] Getting to Know Colin Demarest, a Defense Networks and Cyber Reporter[08:45] 5G Defense Investigation[12:28] Issues of Compatibility in the Defense World[17:51] Capability Sets 21 and 23 [25:25] Another Layer of DefenseEpisode Links and ResourcesEpisode Links and ResourcesColin DemarestC4ISRNETAmerican UlyssesHis Very Best","content_html":"

Colin Demarest, Defense Networks and Cyber Reporter at C4ISRNET, joins Tech Transforms to talk about some of his recent articles focused on 5G, aerial networks, and upcoming Capability Sets. Listen in as Carolyn and Mark learn about the ever-evolving field of defense and what emerging technology can do to support the mission.

Episode Table of Contents


Episode Links and Resources


","summary":null,"date_published":"2022-08-31T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/f5c13f7e-4851-409c-b9ca-46c14d6331d0.mp3","mime_type":"audio/mpeg","size_in_bytes":30382187,"duration_in_seconds":2169}]},{"id":"5a1d4a68-81d2-469d-845e-23cf8ecac53f","title":"Episode 42: AI: Success is in the Research with Daniel Chenok","url":"https://techtransforms.fireside.fm/42","content_text":"Daniel Chenok, Executive Director at IBM Center for The Business of Government joins Carolyn and Mark to talk about the importance of AI in the field. From democratizing data to improving office operations, application research is a key component for any government agency looking to integrate artificial intelligence into their mission. Episode Table of Contents[01:02] A Top Government Story[08:33] How AI Enables Us to Do Our Jobs Better[17:36] The Challenges We Have on Cybersecurity[28:47] What Does Research Tell Us About AI?[36:29] How AI Can Solve Problems at a National Scale[44:40] How to Implement AIEpisode Links and ResourcesEpisode Links and ResourcesDaniel Chenok Email: chenokd@us.ibm.comBusiness of Government Center for Government CybersecuritySOCOM CDO: Digital Transformation Depends on AIBuilding the Cybersecurity Workforce America Needs","content_html":"

Daniel Chenok, Executive Director at IBM Center for The Business of Government, joins Carolyn and Mark to talk about the importance of AI in the field. From democratizing data to improving office operations, application research is a key component for any government agency looking to integrate artificial intelligence into their mission.


","summary":null,"date_published":"2022-08-24T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/dc2568e0-8323-4ae9-b385-b62ad554c7ac.mp3","mime_type":"audio/mpeg","size_in_bytes":39727044,"duration_in_seconds":2836}]},{"id":"5b427b6a-c853-42ef-b04e-dcf7609e6168","title":"Episode 41: Security Metrics: Measure Twice, Cut Once with Rick Stewart","url":"https://techtransforms.fireside.fm/41","content_text":"Rick Stewart, Chief Software Technologist at DLT Solutions joins Tech Transforms to give insight on Open Source, Platform One, and DORA initiatives. Listen in as Carolyn and Mark learn about the importance of focusing on the right metrics when managing security bottlenecks.\n\nEpisode Table of Contents\n[00:48] Old Ways of Doing Things\n[11:55] Security Metrics That Need Improvement\n[22:54] Deploying Security Metrics Using Scheduling Techniques\n[33:19] Continuous Authority to Operate Security Metrics\n\nEpisode Links and Resources\nRick Stewart DLT Solutions\nBeyond Order\n\nOld Ways of Doing Things\n\nCarolyn: Today, we get to talk to Rick Stewart, a good friend. Rick Stewart is a Chief Software Technologist at DLT for more than 34 years. Do you really want me to tell people that, Rick? That makes you sound super old?\n\nRick: No, it has some relation to the old way of doing things, traditional ways.\n\nCarolyn: He knows the old stuff and the new stuff with 34 years of diverse experience in the IT industry. He’s progressing through technical and leadership roles in telecommunications, mobile entertainment, the federal government, and the manufacturing industries. Today, Rick is joining us to talk about DevOps research and assessments, or DORA, a term that is new to me. He’ll also talk about the four key metrics for increasing efficiency and delivering service. He will discuss how Platform One has advanced the cultural transformation to DevOps.\n\nMark: Welcome, Rick. By the way, Rick started this when he was six.\n\nCarolyn: That's right. 
I'm going to be honest. I've been in the industry for a while, and I have never heard the term DORA. DevOps Research and Assessments make sense. I just haven't heard the acronym. They have four key metrics for increasing efficiency in delivering service. Those metrics are deployment frequency, lead time for changes, change failure rate, and time to restore to service. Will you unpack those for us?\n\nRick: It's interesting that you say that because I attend several different events and conferences where we have, especially in the public sector, astute people that have lots of experience.\n\nSecurity Metrics As a First-Class Citizen\n\nRick: They're on this journey of DevOps or in the public sector. It's more DevSecOps, bringing security up as a first-class citizen. They were talking about the things that they capture, the journey that they're on, and their improvements. On one of these occasions, DORA was brought up. I think it may be a Q&A panel. It was surprising that a lot of them didn't know what this organization does, especially being so well versed in the cultural transformation, not knowing some of the things to focus on. I thought it was really important to shine a light on.\n\nCarolyn: Is it a federal organization?\n\nRick: No, it's more of a community-based organization, an industry-based organization. We've got people like Jez Humble and Gene Kim and others that are involved with this. What they do is, they go out and they do surveys of not just the public sector, but the private sector, all organizations globally. They basically give them surveys and they talk about their experience, where they're at in the spectrum of their journey, and what they have discovered through this analysis. It's a really deep, long analysis.\n\nThere's a book called Accelerate that was done by Nicole Ferguson. She has a PhD and took lots of painstaking analysis of these organizations and these teams and asked them a series of questions. 
What it boiled down to is there are a lot of traditional metrics that have been ingrained in the industry that are useful somewhat, becoming less useful over the years, like lines of code when we're talking about mainframe and the complexity and function points, etc. As the industry has changed into more service-oriented or even micro-service-oriented architectures, those types of metrics are less useful.\n\nDevelopment Teams and Operations Teams in Unison\n\nRick: So, when you're talking about a cultural transformation of getting development teams and operations teams working in unison and collaborating together, these four metrics were decidedly important to focus on in order to strive more towards that collaborative effort. These indicate the ability to deliver software with high quality and the ability to rectify any changes or security vulnerabilities and rectify them quickly. I'll go through each one of them. Deployment frequency is how often an organization successfully releases a product to production. A product in this case could be a service, could be any kind of workload, or an application. There are differences to that.\n\nThere's an old saying that says, if something is difficult to do, do it more often and you'll get better at it and it will become less difficult. So this deployment frequency talks to that. You have to measure how many times you're deploying a particular change into production. That way, you can, A, determine your impact, the value you're having on your stakeholders, but also the ability to measure how frequently you can deliver that value.\n\nI'll go back and forth between the private and public sectors. The public sector industry days are very interesting to me. It’s not only because that's the space I'm working in, but more importantly, it crystallized the importance of service delivery and frequency and speed. It was a Navy captain that was giving an industry because they wanted to develop a DevOps prototype. 
One thing that struck me was I can't wait two weeks while I'm in the middle of the Mediterranean, potentially in a firefight, to get a release, a change to an application that's not working properly.\n\nFocusing on the Right Security Metrics\n\nRick: That manifested for me the importance of focusing on the right things. You have to look at your frequency and where you're deploying these changes. It’s not just through enhancements and value, but to rectify issues, defects, and security vulnerabilities.\n\nCarolyn: Are you seeing the government agencies embrace these four metrics?\n\nRick: I think they've embraced a hundred different metrics, but the industry is telling them, just like it's telling them to move towards DevOps or DevSecOps, to focus more on these. Get rid of the 300-page system security procedures, that's a waste of time because you're not getting value.\n\nCarolyn: When you say the industry's telling them, whose industry?\n\nRick: Industry would be the developers that are in the private sector, that are in the Netflixes, the AWSs, the industry leaders, the Googles. Those that can deploy changes and take advantage of disruptive technology and innovative services quickly. They are recognized as thought leaders in terms of what should be a measurement in terms of measuring teams' productivity when they're on this journey to DevSecOps.\n\nMark: Are these standards something that the DORA organization came up with? Like you talk about the industry standards, do you know where they're getting the standards from?\n\nRick: The deployment frequency is standard. It's always been around. You mentioned the 34 years. I've known about deployments ever since I started doing software.\n\nCarolyn: But the DORA organization sounds like it has boiled down to these four most important metrics. 
You're saying from industries like Netflix, like AWS, Amazon.\n\nRick: Google.\n\nCarolyn: They've looked at best practices, the metrics that really matter, and DORA said, these are the four that matter most.\n\nCollaboration Across Multiple Teams\n\nRick: They can link back to the collaboration across multiple teams, which is the essence of DevOps or DevSecOps. Because these teams have different disciplines, they have different priorities, they have different measurements within their own teams, and if you can measure that you're getting better at deploying more frequently, it indicates that you're collaborating more with these teams. You're getting more rapid in terms of moving that thought from code to application to delivery quicker.\n\nMark: Are there metrics that they've come up with to determine what increasing efficiency means? Or are they kind of like work groups that look at thinking through what an organization might be dealing with?\n\nRick: Well, they're looking really at the number, the sheer metric. And they divide it into four different categories of performance. You have your elite performances, I mentioned like the Netflixes, the Googles, etc. They're deploying multiple times a day, which, Mark, I'm sure you know in the public sector, multiple times a day, it's like a utopia for a public sector entity. They're usually talking once every six months, once every year.\n\nThey better make it successful or else they have to marshal all those resources again. You're talking about time, money, not being able to provide value, those types of things. When you're looking at the measurement of the metric itself, you're trying to categorize it to allow you to move up this hierarchy, if you're a low performer, you're maybe doing it once a week or once a month or once every six months. That's not optimum. How do you move up? You try to increase your ability to deploy faster. What does that mean?\n\nSecurity Metrics That Need Improvement\n\nRick: Talk to more groups. Get them into a room. 
What are the bottlenecks, the areas that need improvement? How do you work together even when you're in a different company? In the public sector, you might have different contractors, and different companies doing various different pieces of this. So it's very important to foster that collaboration so that you can deploy more. That should be the goal. How do I deploy more and faster?\n\nMark: One of the things that has me thinking is how can organizations strive to get to the next tier of performance in each of these benchmarks?\n\nRick: Other metrics lead or feed into these four different metrics. For example, your lead time for changes, which is the next metric that they talked about. This is more developer speaking, more technical. When I commit my code saying this has passed all my testing, I've got it through my team. They've looked it over. It's passed all the tests and I've committed that branch or that version of my change onto the main version control. Previously, when you developed a release, a deployment to go to production, everybody, all your developers, would make their changes and be committed to that particular release branch.\n\nThat has subsequently changed with this movement towards agile and making things more frequent, smaller deployments where each developer would have their own little branch. Once they finished their little piece of the world and passed all the regression testing, they would commit their code to the branch. Using automation, they would move that change from building the application, through test environments and pre-production, to user's test, getting approval user test, and deploying into production.\n\nApplying More Automation\n\nRick: Getting that time faster allows you to deploy more frequently. That one feeds into the other. In order to focus on moving up the chain, you need to apply, in my opinion, more automation. 
These are very repetitive tasks.\n\nIf you've ever developed code before or you've ever developed software, it’s the combination of artistry and engineering in a beautiful dance. Because you're trying to be an artist, you're trying to be creative. You're trying to figure out what's the most elegant way to put something together but there are certain engineering tasks that have to be done. If you don't do them, it will bite you in the rear end later on down the line.\n\nThat is, constantly test, constantly scan, and constantly do the mundane tasks that allow your code not only to be elegant but to be maintainable. It’s also correct in terms of requirements and hygienic in terms of not introducing vulnerabilities.\n\nCarolyn: But that mundane consistency, you automate all that?\n\nRick: Yes. If DevOps, DevSecOps is the movement or the journey, automation is the key ingredient to allow you to move faster.\n\nCarolyn: You feel like these four metrics are sufficient but listening to you talk, there are four big rocks. And then there's a whole bunch of metrics that fall underneath each of them.\n\nRick: Yes. But they should be feeding into increasing your frequency, decreasing your lead time for changes, and making that smaller. Your change fail rate, you want to make that as small as possible. There are ways that you can do this with automation. Then the time to restore service or the mean time to repair, I've heard mean time to restore, mean time to resolve, mean time to remediate.\n\nCatastrophic Failure\n\nRick: So MTTR, the R is interchangeable, but it means the same thing. The change failure rate is when the DevOps, DevSecOps teams deploy into production. Was that a catastrophic failure such that you had to roll back or remove that change because you're making it worse than what it was before? Speaking of industry, I was in the telecommunications industry. 
We were doing a lot of white-labeled systems for the wireless industry, all the big ones, the Verizons, the AT&T, etc.\n\nThey have very strict procedures on when deployments occur within windows. It's usually between 2:00 AM and 4:00 AM on a Tuesday or a Wednesday, just enough to break up your week and make developers and operations miserable. Between those two times, if there was any failure deploying your new code, no matter how important it was, you back it out. You roll it back and you try again either the next day or the next week or the next window that they had. That gets grueling. What happens if you do have a major catastrophe or a major issue with your system or your new change or your fix? It could take weeks before you can get that out.\n\nMeanwhile, you're not producing any value from enhancements to that application because they stay behind the failed deployment. So you need to reduce that change failure rate, hopefully, to zero and the elite performers do this. They do this with many different methods. One most popular is a blue-green deployment. What they do there is, let's say you have version one of an application and it's running in production. Everything's fine.\n\nSecurity Metrics to Test Operational Functional Capabilities\n\nRick: Now you have version two, and you want to enhance it or fix it. You deploy version two alongside your version one deployment. One blue and one green. You can test offline your new version two to ensure that it meets the requirements. It's working properly and it scales all the different operational functional capabilities that it needs to do. Then when you're happy about that, you can switch it over or you can produce a certain amount of traffic to get real traffic to it. So make sure it behaves properly. 
When it does, you just stop traffic to the old version and put all the traffic to the new version seamlessly with no downtime.\n\nCarolyn: Do developers ever play games in a test environment where they blow it up on purpose so they can see how fast they can restore?\n\nRick: It should be part of the culture and the methodology that DevOps or DevSecOps teams have. When somebody asked me, I said, \"I'm a pessimistic optimist.\" Meaning I want things to occur properly, but I know Murphy's involved with everything. So, let's test it before we go live because if we don't test it there, it will cause havoc. Coming from that environment where you get one or two shots, once, twice a week, you want to make sure that you measure twice, cut once. That measure twice is testing in the test environment, and pre-production environment, so that when it gets to production, you're pretty confident that your change will work. It will be resilient enough to maintain production traffic.\n\nA Drift Within the Industry\n\nRick: One other point I think is a good one, I've always advocated that pre-production environments should mirror production environments. There's been a drift within the industry in terms of developers. Well, I can develop in this environment and I can push it to this environment. It looks slightly different but I'll maintain some changes here and I'll make it work. Then when it goes in production, it might be a third different environment. That's really a fool's errand, that's going to result in a bad experience. Luckily, there's some automation that makes that gap between the differences between production and pre-production a whole lot easier and a whole lot more narrow.\n\nMark: Speaking of automation, you've talked about this in blogs. You talked about Platform One and how it leverages new technologies and automation. Can you dig into this a little bit? 
First, tell our listeners what Platform One is.\n\nRick: Platform One is an innovative Air Force environment that is built on the Kubernetes orchestration and management framework. Now I'll explain that in a second. The second one is that it requires development teams to deliver their services, and even the tools that develop their services, in containers. Containers are, you can think of them as small virtual machines that only have application needs installed in them.\n\nMark: Like a modular approach.\n\nRick: Think of it as a widget. From an operational standpoint, they all look like several different widgets. Each one of those widgets could be a completely different language, dependency, structures, etc. inside. But from an operational capability, it is much more efficient because you can deploy these widgets as independent, generic items.\n\nDeploying Security Metrics Using Scheduling Techniques\n\nRick: You can deploy them using scheduling techniques that make sure that an application's needs are deployed on a host within the Kubernetes environment. It has the appropriate resources to serve that application and enough resources that it can scale if it has too many requests coming to it. It can descale or become less in order to take advantage of resources, etc. But the application itself could be myriad languages or constructs from applications. It’s really nice in terms of crystallizing or making concrete some of the notions that came out of the agile movement, which was each task that comes across a developer's desk shouldn't always be a Java application per se or pick a language because that's what the operational team can support.\n\nThe notion that the best technology should be used for the task at hand really makes a developer's life a lot easier. You can pick maybe a lighter-weight language or an application to create or solve the task. 
Then deploy it and not worry about the operational risk of not having dependencies or anything that the application needs once it goes further in product pre-production and down into production. We're talking...","content_html":"

Rick Stewart, Chief Software Technologist at DLT Solutions joins Tech Transforms to give insight on Open Source, Platform One, and DORA initiatives. Listen in as Carolyn and Mark learn about the importance of focusing on the right metrics when managing security bottlenecks.


Old Ways of Doing Things

Carolyn: Today, we get to talk to Rick Stewart, a good friend. Rick Stewart is a Chief Software Technologist at DLT for more than 34 years. Do you really want me to tell people that, Rick? That makes you sound super old?

Rick: No, it has some relation to the old way of doing things, traditional ways.

Carolyn: He knows the old stuff and the new stuff with 34 years of diverse experience in the IT industry. He’s progressing through technical and leadership roles in telecommunications, mobile entertainment, the federal government, and the manufacturing industries. Today, Rick is joining us to talk about DevOps research and assessments, or DORA, a term that is new to me. He’ll also talk about the four key metrics for increasing efficiency and delivering service. He will discuss how Platform One has advanced the cultural transformation to DevOps.

Mark: Welcome, Rick. By the way, Rick started this when he was six.

Carolyn: That's right. I'm going to be honest. I've been in the industry for a while, and I have never heard the term DORA. DevOps Research and Assessments make sense. I just haven't heard the acronym. They have four key metrics for increasing efficiency in delivering service. Those metrics are deployment frequency, lead time for changes, change failure rate, and time to restore to service. Will you unpack those for us?

Rick: It's interesting that you say that because I attend several different events and conferences where we have, especially in the public sector, astute people that have lots of experience.

Security Metrics As a First-Class Citizen

Rick: They're on this journey of DevOps or in the public sector. It's more DevSecOps, bringing security up as a first-class citizen. They were talking about the things that they capture, the journey that they're on, and their improvements. On one of these occasions, DORA was brought up. I think it may be a Q&A panel. It was surprising that a lot of them didn't know what this organization does, especially being so well versed in the cultural transformation, not knowing some of the things to focus on. I thought it was really important to shine a light on.

Carolyn: Is it a federal organization?

Rick: No, it's more of a community-based organization, an industry-based organization. We've got people like Jez Humble and Gene Kim and others that are involved with this. What they do is, they go out and they do surveys of not just the public sector, but the private sector, all organizations globally. They basically give them surveys and they talk about their experience, where they're at in the spectrum of their journey, and what they have discovered through this analysis. It's a really deep, long analysis.

There's a book called Accelerate that was done by Nicole Ferguson. She has a PhD and took lots of painstaking analysis of these organizations and these teams and asked them a series of questions. What it boiled down to is there are a lot of traditional metrics that have been ingrained in the industry that are useful somewhat, becoming less useful over the years, like lines of code when we're talking about mainframe and the complexity and function points, etc. As the industry has changed into more service-oriented or even micro-service-oriented architectures, those types of metrics are less useful.

Development Teams and Operations Teams in Unison

Rick: So, when you're talking about a cultural transformation of getting development teams and operations teams working in unison and collaborating together, these four metrics were decidedly important to focus on in order to strive more towards that collaborative effort. These indicate the ability to deliver software with high quality and the ability to rectify any changes or security vulnerabilities and rectify them quickly. I'll go through each one of them. Deployment frequency is how often an organization successfully releases a product to production. A product in this case could be a service, could be any kind of workload, or an application. There are differences to that.

There's an old saying that says, if something is difficult to do, do it more often and you'll get better at it and it will become less difficult. So this deployment frequency talks to that. You have to measure how many times you're deploying a particular change into production. That way, you can, A, determine your impact, the value you're having on your stakeholders, but also the ability to measure how frequently you can deliver that value.

I'll go back and forth between the private and public sectors. The public sector industry days are very interesting to me. It’s not only because that's the space I'm working in, but more importantly, it crystallized the importance of service delivery and frequency and speed. It was a Navy captain that was giving an industry because they wanted to develop a DevOps prototype. One thing that struck me was I can't wait two weeks while I'm in the middle of the Mediterranean, potentially in a firefight, to get a release, a change to an application that's not working properly.

Focusing on the Right Security Metrics

Rick: That manifested for me the importance of focusing on the right things. You have to look at your frequency and where you're deploying these changes. It’s not just through enhancements and value, but to rectify issues, defects, and security vulnerabilities.

Carolyn: Are you seeing the government agencies embrace these four metrics?

Rick: I think they've embraced a hundred different metrics, but the industry is telling them, just like it's telling them to move towards DevOps or DevSecOps, to focus more on these. Get rid of the 300-page system security procedures, that's a waste of time because you're not getting value.

Carolyn: When you say the industry's telling them, whose industry?

Rick: Industry would be the developers that are in the private sector, that are in the Netflixes, the AWSs, the industry leaders, the Googles. Those that can deploy changes and take advantage of disruptive technology and innovative services quickly. They are recognized as thought leaders in terms of what should be a measurement in terms of measuring teams' productivity when they're on this journey to DevSecOps.

Mark: Are these standards something that the DORA organization came up with? Like you talk about the industry standards, do you know where they're getting the standards from?

Rick: The deployment frequency is standard. It's always been around. You mentioned the 34 years. I've known about deployments ever since I started doing software.

Carolyn: But the DORA organization sounds like it has boiled down to these four most important metrics. You're saying from industries like Netflix, like AWS, Amazon.

Rick: Google.

Carolyn: They've looked at best practices, the metrics that really matter, and DORA said, these are the four that matter most.

Collaboration Across Multiple Teams

Rick: They can link back to the collaboration across multiple teams, which is the essence of DevOps or DevSecOps. Because these teams have different disciplines, they have different priorities, they have different measurements within their own teams, and if you can measure that you're getting better at deploying more frequently, it indicates that you're collaborating more with these teams. You're getting more rapid in terms of moving that thought from code to application to delivery quicker.

Mark: Are there metrics that they've come up with to determine what increasing efficiency means? Or are they kind of like work groups that look at thinking through what an organization might be dealing with?

Rick: Well, they're looking really at the number, the sheer metric. And they divide it into four different categories of performance. You have your elite performances, I mentioned like the Netflixes, the Googles, etc. They're deploying multiple times a day, which, Mark, I'm sure you know in the public sector, multiple times a day, it's like a utopia for a public sector entity. They're usually talking once every six months, once every year.

They better make it successful or else they have to marshal all those resources again. You're talking about time, money, not being able to provide value, those types of things. When you're looking at the measurement of the metric itself, you're trying to categorize it to allow you to move up this hierarchy, if you're a low performer, you're maybe doing it once a week or once a month or once every six months. That's not optimum. How do you move up? You try to increase your ability to deploy faster. What does that mean?

Security Metrics That Need Improvement

Rick: Talk to more groups. Get them into a room. What are the bottlenecks, the areas that need improvement? How do you work together even when you're in a different company? In the public sector, you might have different contractors, and different companies doing various different pieces of this. So it's very important to foster that collaboration so that you can deploy more. That should be the goal. How do I deploy more and faster?

Mark: One of the things that has me thinking is how can organizations strive to get to the next tier of performance in each of these benchmarks?

Rick: Other metrics lead or feed into these four different metrics. For example, your lead time for changes, which is the next metric that they talked about. This is more developer speaking, more technical. When I commit my code saying this has passed all my testing, I've got it through my team. They've looked it over. It's passed all the tests and I've committed that branch or that version of my change onto the main version control. Previously, when you developed a release, a deployment to go to production, everybody, all your developers, would make their changes and be committed to that particular release branch.

That has subsequently changed with this movement towards agile and making things more frequent, smaller deployments where each developer would have their own little branch. Once they finished their little piece of the world and passed all the regression testing, they would commit their code to the branch. Using automation, they would move that change from building the application, through test environments and pre-production, to user's test, getting approval user test, and deploying into production.

Applying More Automation

Rick: Getting that time faster allows you to deploy more frequently. That one feeds into the other. In order to focus on moving up the chain, you need to apply, in my opinion, more automation. These are very repetitive tasks.

If you've ever developed code before or you've ever developed software, it’s the combination of artistry and engineering in a beautiful dance. Because you're trying to be an artist, you're trying to be creative. You're trying to figure out what's the most elegant way to put something together but there are certain engineering tasks that have to be done. If you don't do them, it will bite you in the rear end later on down the line.

That is, constantly test, constantly scan, and constantly do the mundane tasks that allow your code not only to be elegant but to be maintainable. It’s also correct in terms of requirements and hygienic in terms of not introducing vulnerabilities.

Carolyn: But that mundane consistency, you automate all that?

Rick: Yes. If DevOps, DevSecOps is the movement or the journey, automation is the key ingredient to allow you to move faster.

Carolyn: You feel like these four metrics are sufficient but listening to you talk, there are four big rocks. And then there's a whole bunch of metrics that fall underneath each of them.

Rick: Yes. But they should be feeding into increasing your frequency, decreasing your lead time for changes, and making that smaller. Your change fail rate, you want to make that as small as possible. There are ways that you can do this with automation. Then the time to restore service or the mean time to repair, I've heard mean time to restore, mean time to resolve, mean time to remediate.

Catastrophic Failure

Rick: So MTTR, the R is interchangeable, but it means the same thing. The change failure rate is when the DevOps, DevSecOps teams deploy into production. Was that a catastrophic failure such that you had to roll back or remove that change because you're making it worse than what it was before? Speaking of industry, I was in the telecommunications industry. We were doing a lot of white-labeled systems for the wireless industry, all the big ones, the Verizons, the AT&T, etc.

They have very strict procedures on when deployments occur within windows. It's usually between 2:00 AM and 4:00 AM on a Tuesday or a Wednesday, just enough to break up your week and make developers and operations miserable. Between those two times, if there was any failure deploying your new code, no matter how important it was, you back it out. You roll it back and you try again either the next day or the next week or the next window that they had. That gets grueling. What happens if you do have a major catastrophe or a major issue with your system or your new change or your fix? It could take weeks before you can get that out.

Meanwhile, you're not producing any value from enhancements to that application because they stay behind the failed deployment. So you need to reduce that change failure rate, hopefully, to zero and the elite performers do this. They do this with many different methods. One most popular is a blue-green deployment. What they do there is, let's say you have version one of an application and it's running in production. Everything's fine.

Security Metrics to Test Operational Functional Capabilities

Rick: Now you have version two, and you want to enhance it or fix it. You deploy version two alongside your version one deployment. One blue and one green. You can test offline your new version two to ensure that it meets the requirements. It's working properly and it scales all the different operational functional capabilities that it needs to do. Then when you're happy about that, you can switch it over or you can produce a certain amount of traffic to get real traffic to it. So make sure it behaves properly. When it does, you just stop traffic to the old version and put all the traffic to the new version seamlessly with no downtime.

Carolyn: Do developers ever play games in a test environment where they blow it up on purpose so they can see how fast they can restore?

Rick: It should be part of the culture and the methodology that DevOps or DevSecOps teams have. When somebody asked me, I said, "I'm a pessimistic optimist." Meaning I want things to occur properly, but I know Murphy's involved with everything. So, let's test it before we go live because if we don't test it there, it will cause havoc.

Coming from that environment where you get one or two shots, once, twice a week, you want to make sure that you measure twice, cut once. That measure twice is testing in the test environment, and pre-production environment, so that when it gets to production, you're pretty confident that your change will work. It will be resilient enough to maintain production traffic.

A Drift Within the Industry

Rick: One other point I think is a good one, I've always advocated that pre-production environments should mirror production environments. There's been a drift within the industry in terms of developers. Well, I can develop in this environment and I can push it to this environment. It looks slightly different but I'll maintain some changes here and I'll make it work. Then when it goes in production, it might be a third different environment. That's really a fool's errand, that's going to result in a bad experience. Luckily, there's some automation that makes that gap between the differences between production and pre-production a whole lot easier and a whole lot more narrow.

Mark: Speaking of automation, you've talked about this in blogs. You talked about Platform One and how it leverages new technologies and automation. Can you dig into this a little bit? First, tell our listeners what Platform One is.

Rick: Platform One is an innovative Air Force environment that is built on the Kubernetes orchestration and management framework. Now I'll explain that in a second. The second one is that it requires development teams to deliver their services, and even the tools that develop their services, in containers. Containers are, you can think of them as small virtual machines that only have application needs installed in them.

Mark: Like a modular approach.

Rick: Think of it as a widget. From an operational standpoint, they all look like several different widgets. Each one of those widgets could be a completely different language, dependency, structures, etc. inside. But from an operational capability, it is much more efficient because you can deploy these widgets as independent, generic items.

Deploying Security Metrics Using Scheduling Techniques

Rick: You can deploy them using scheduling techniques that make sure that an application's needs are deployed on a host within the Kubernetes environment. It has the appropriate resources to serve that application and enough resources that it can scale if it has too many requests coming to it. It can descale or become less in order to take advantage of resources, etc. But the application itself could be myriad languages or constructs from applications.

It’s really nice in terms of crystallizing or making concrete some of the notions that came out of the agile movement, which was each task that comes across a developer's desk shouldn't always be a Java application per se or pick a language because that's what the operational team can support.

The notion that the best technology should be used for the task at hand really makes a developer's life a lot easier. You can pick maybe a lighter-weight language or an application to create or solve the task. Then deploy it and not worry about the operational risk of not having dependencies or anything that the application needs once it goes further in product pre-production and down into production.

We're talking...

","summary":null,"date_published":"2022-06-22T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/dd3eafb9-a60f-4d0a-a993-c70bb2ae66fc.mp3","mime_type":"audio/mpeg","size_in_bytes":38235921,"duration_in_seconds":2730}]},{"id":"e2eb8839-4e1a-4a01-9f75-e17463d00a18","title":"Episode 40: Improving the User Experience in a Zero Trust World: Event Recap with Willie Hicks","url":"https://techtransforms.fireside.fm/40","content_text":"Willie Hicks, CTO of Public Sector at Dynatrace joins Carolyn and Mark to unpack the recent ATARC event: Improving the User Experience in a Zero Trust World. At this federal breakfast summit, sponsored by Dynatrace and Amazon Web Services, we heard from some of the most prominent technology leaders focused on Zero Trust including Nicole Willis, Jamie Holcombe, Mickey Iqbal, and more. Listen in as Mark and Willie give highlights and takeaways from the event. Be sure to follow the link in the show notes to see the full event On-demand!Episode Table of Contents[00:30] Guest Speakers at the ATARC Event: Improving the User Experience in a Zero Trust World[07:55] Zero Trust Should Be a User Experience Enabler[14:41] OMB Is Pushing to Move Too Fast[20:05] How to Ensure Zero Trust Does Not Disrupt the Employee User ExperienceEpisode Links and ResourcesWillie HicksSummit On-demandNicole WillisJamie HolcombeMickey IqbalGrant SchneiderTom SuderGuest Speakers at the ATARC Event: Improving the User Experience in a Zero Trust WorldCarolyn: So today we're reviewing top takeaways from ATARC 's Federal Breakfast Summit, Improving the User Experience in a Zero Trust World. Which those two things, user experience, and zero trust, are kind of a direct conflict for me, but we'll get to that. The conference was sponsored by AWS and Dynatrace, and it's available on-demand for our listeners at ATARC.org. 
Also, we have Willie Hicks, our Federal Chief Technologist at Dynatrace.Willie, you were a keynote speaker at the event. I'm too biased to say you were my favorite so I won't say that. I mean, everybody was really good. Jamie was super exciting. Let me just review who our speakers were. So our keynote speaker around zero trust was Grant Schneider. He brought a really interesting perspective because he's former white house. So he was the senior director of cybersecurity services. So former federal CISO, and now he's in industry at Venable. Then we had our next keynote around the user experience was the very entertaining Jamie Holcomb. He's the CIO at U.S. Patent and Trademark office. And then my favorite, Willie, Federal Chief Technology Officer here at Dynatrace. Then we had a panel that brought the user experience and zero trust together and how we reconcile those two and how they work together. And on that panel, we had Nicole Willis, Chief Technology Officer, OIG, at the U.S. Department of Health and Human Services.Is User Experience Unrelated to Zero Trust?Carolyn: Jamie came back on the panel. We had Mickey Iqbal, he's the Public Sector Solution Architect and Chief Technologist at Amazon Web Services. Willie on the panel. And then we had our moderator, Tom Suder, who's fantastic. He's been in this business so long that he had a lot of really good insights too. Now that I've given our listeners the overview of who participated, first of all, I was thrilled to see that we had a packed room. We had a standing room only, and that was really, really nice to see. It was lovely to have people in person and to be able to interact with one another personally. So, all right, let's get to the first question. Today, Mark, you're less of a co-host. I want to hear your opinions about what your takeaways were from that day. So around the user experience and zero trust, did you have any aha moments? What were your favorite moments? 
Tell me your feelings about the day.Mark: Well you know, from my perspective, coming from industry and Dynatrace, I think we think of end-user experience as something different related to zero trust. So we think of it differently.Carolyn: And at odds with each other.Mark: Yes. Well, I get the feeling more and more, it's more how the end-user navigates the security protocols and processes to accomplish the end goal. Which is not their problem of zero trust, which would be the agency's problem. How the End-User Navigates the Security ProtocolsMark: And so the agencies think of end-user experience in that light as opposed to we think of it in a different way as it relates to somewhat the same. But how end users are impacted by their interaction with applications on the internet and things like that. So I guess it's a little bit like that.Carolyn: Did you get the sense that's how our government thought leaders that were speaking at the summit? Is that how they think of it? Or do you think that's more about how industry and we as end-users think of it?Mark: I think that's how we think about it. I think they think about it in the former.Willie: Yes. I definitely agree.Carolyn: The government leadership. So Willie, talk to me more about that.Willie: Yes. So I agree. I think it is interesting because I think our panel, and I got to talk to the panel a little bit afterwards as well. I think that Jamie from PTO standpoint and Nicole, just by kind of how they were, not just the keynote, but how we were interacting on the panel, they actually do get it. For example, I got to have a great conversation with Nicole. It was one of those things where she was kind of talking about the service that she was trying to provide to the citizens. Because a lot of people who use HHS services and so forth, Medicare, Medicaid, those kinds of things, they might be older. 
They might be having a very difficult process to log into a system, to get access to a system, to get your basic information.We’re Protecting the System, Not the User ExperienceWillie: She seemed very sensitive to that, in understanding that we have to have a better user experience. And I think I got that from Jamie but at the same time, we talked about agencies as a whole and the government as a whole. There is an issue, not just zero trust. But even before this real big push for like Shields Up with CISA and all of the zero trust. We build these systems, we put up our authentication and all the things that we're going to do to protect the system, not really factoring in the customer, not really even thinking about it. It's about protecting the system. The idea is about the system, not really about the customer, don't really care. We just want to make sure we protect the system.At the end of it, we might be making the system so difficult that no one can even access it. Nobody wants to take the time, the 45 minutes it takes to set up an ID and jump through all the hurdles to get to an ID. So I think that from a larger standpoint, and just talking on the panel, they admitted that there are a lot of systems out there. A lot of public-facing, citizen-facing systems, and backend systems that need a lot more focus around the customer experience. And again, not just around zero trust, this is just in general about just the basic usability of the system, if that makes sense.Zero Trust Should Be a User Experience EnablerMark: It does, you know, I can't remember if this was in a sidebar conversation after the event or if it was during the event, But they talked about multifactor authentication and how they were almost just forced to take the plunge. And somebody said, \"We're just going to do it.\" At the end of the day, they're like, \"Oh, wow. Okay, this word works. It's not that difficult. 
It's not that tough for end-users.\"Carolyn: Well, and do you know what’s funny, is when I hear security, so zero trust is all about security to me as an end-user. And whenever I hear security, that makes me feel a little puke-y. Because I think that means that my experience is going to be really awful as an end-user, to your point, Willie. However, Willie, you make the argument at the event that zero trust can and should make the end-user, my user experience, better and make the practitioner's experience better. So there's more than one end user. There's the end-user of the systems, then there's me trying to get into the systems, and can you talk a little bit more about that? And did you get the sense that our government speakers feel the same way? That zero trust really should be a user experience enabler?Willie: Right. So, that's an excellent point. I do agree with that. And I think the panel as a whole agrees with that too. Again, if you look at the principles, the mindset around zero trust, the mindset around architecture, architecting zero trust framework, it's an all encompassing type of scenario. Understanding Your Customer’s User ExperienceWillie: It's not just like we're buying MFA or you get single sign-on and this, this and this, and you've got zero trust. It's really a whole mindset. I think Nicole actually mentioned this. With everything they do, especially with zero trust, they're thinking about user experience at the beginning of the process. So things like multifactor authentication as Mark already pointed out. When you have a robust multifactor setup, that is going to actually enable you to make your end user's life easier. Because once they log in, once they validate, whatever those multiple factors that they use to validate that user, once that I can trust you or you, and the device that you are on is a valid device, then now you can have access to this cloud application. 
Or you can have access to this internal system or that authentication token can be passed around.There might still be a validation process, but it should be external. You shouldn't see it as the customer. It should all be kind of going on in the background. It's constantly validating you. So I think that idea was there, but also I did counter though, the point that, yes, it should be better. But how do you know it's better if you're not measuring it? If you don't understand today your customer's user experience, how do you know it's gotten better when we implement these new systems? How do you know it hasn't gotten worse? How do you know that there really isn't a problem? I gave an example as part of my keynote. Monitoring User ExperienceWillie: I didn't mention the agency name, but several months ago I tried to set up a multifactor authentication for a system with some of my personal information on it. This was a government system. And after about 45 minutes of filling out a form, putting in my government ID, waiting for an identifying number to come back on my phone, which never showed up. Trying to go back and reestablish and start it over again. Literally after 45 minutes and then the system telling me to call this number to try to do this manually. I was like, \"I'll just go in and do what I need to do.\" So again, do I think either this agency that I was working with just didn't know how bad the customer experience was, or they just didn't care. And my hope is that it's just they didn't know.Mark: I think that's probably it.Carolyn: I think it might be a little bit of both. Because they have to have the security in place. They have to use those systems too.Mark: Yes but they're typically technical people..Carolyn: Yes. So is Willie.Willie: Well yes, but I love the customer, so I always focus on the customer. No, but seriously, that's the one thing. To your point, it might be a little bit of both that and let me take that back. 
I know from experience, it probably is a little bit of both in that.Making the User Experience EasierWillie: There is this idea that, okay, we have to tolerate some bit of inconvenience to allow us to have a secure system. Now, I think what I went through was the extreme.Carolyn: Is it?Willie: Well, and unfortunately it might not be, but at the end of the day, there is this idea, you have to tolerate this thing. But I also made the point during the keynote that industry has solved some of these. Like if you look at the financial sector, for example. I used the example of trying to set up MFA on this government system versus setting up MFA on my bank account. And when I was forced to do that, obviously they had tested this system 15,000 times. Because when I went in, by the time I was forced to go for my really insecure password and I should have better passwords. But I went from that password to having to set up my MFA, I was thinking it was going to be a long process. The bank was about to put me through this long process. It took me less than 45 seconds. It took me about a minute. Most of that time was me waiting for a response back on my phone. As soon as that was over, now, literally whenever I log in, I get a text message on my phone. I hit a button, I'm logged into the system. Those kinds of things. And I think Jamie even brought up the point that at some point we need to get away from even multifactor and have more biometrics. It should become even easier like we have a thumbprint reader or something like that.OMB Is Pushing to Move Too FastCarolyn: Yes. But I don't want anybody to kill me for my eyeball so they can break into my system.Willie: Yes, you've been watching too much Netflix. I think that was that Thor, one of the Marvel movies?Carolyn: I'm sure it's more than one. So there's an article that cites a study, the article is called How Federal Agencies Can Implement a Secure and User-Friendly Zero Trust Architecture. 
It states that nearly four out of five federal cybersecurity decision-makers, they know there's an urgency. They want to implement zero trust. However, 87% of them say the white house and the OMB are pushing to move too fast. Mark, I know you have an opinion about this. So talk to me about that pushing to move too fast. Are they? Should they be?Mark: Yes, they should definitely be pushing. I think that the white house has to push fast because I feel like we're probably five years behind where we should be today to feel comfortable. If they don't push, then you're going to have agencies across the government be at different levels of maturity. They're going to be all over the place. So you're going to have gaps and things like that. If you leave it up to the agencies to go at their own pace, it's kind of like the concept of, you don't need it to be a hundred percent perfect, but you need it to be 75% perfect. Then we'll work on the remainder of the 25% that's not perfect and get it there. Done Is Better Than PerfectMark: So we have to push. It was almost like the way agencies adjusted when the pandemic hit, they didn't have a choice. And they had to deal with remote workforce. They had to do it. They had to digitally transform and modernize and it made them do things out of their comfort zone that I think that they have to do.So there needs to be a push. I feel like when you hear experts across the government, talk about this, that it's just got to be a very modular, agile approach to doing it and billing it. So that has technology advances and changes and things change that they can pull things in and out. They can move things around and bring things in that work together and that kind of stuff to get to where they need to be.Carolyn: Yes. Done is better than perfect because perfect never gets done, is one of my favorite quotes. And you just said something, I was going to ask you and Willi. So we think that the white house should push hard. Yes, they're pushing. 
If they don't, then we're never going to get started. Then you said something about a modular approach to do this well. So is that the sense that we got from our speakers at the summit, is that one of the solutions that we heard from them?Willie: So I'm thinking, and the modular approach or what I took away from the conversation and also with what Mark was saying. I think it was Jamie who has kind of taken this approach of, we need to use kind of agile development methodologies in this process. Minimum Viable SecurityWillie: In the agile mindset, there's this idea of the MVP, the minimum viable product. This is really something that we see a lot of an industry, kind of getting that minimum built product out there to get into the market. Then start iterating through functionality and fixes and so forth as you find them and improve the product rapidly. Rapid improvement of the product.I think what Jamie was kind of alluding to was this idea of minimum viable security, where you've got to start somewhere. We can't just plan and nothing ever gets done. But get the minimum viable out there and then start iterating through basically building that framework with a more agile type process. Also this would impact the end-user. We talked about customer experience. Learning from these first iterations, what worked, what didn't work, how do we make it better? Obviously, you have to make it secure enough. You don't want to just leave the gates open. You don't want to put something out there that is insecure. But we're never going to reach a point where it's just Nirvana, everything's in place. Everything's secure. Nobody's ever going to get into our systems because that's just fallacy. I mean, this is an arms race. As soon as we find some way to, secure a system, there are hundreds and thousands of hackers out there. State-sponsored ones, people living in their basements, whatever, all trying to break into these systems. So it's just kind of back and forth. 
So we've got to constantly iterate. We've got to constantly build on what's worked in the past and what didn't work in the past. That's kind of what I took away.How to Ensure Zero Trust Does Not Disrupt the Employee User ExperienceMark: I think those are two things that work against each other. Because I have to imagine there's a tremendous amount of pressure on your average federal government agency, CIO and CSO, to do it right, to plan and make sure it's right. Because some of these agencies, they don't have room for error. We've heard this, not just on the panel at the event, but we've heard this from past podcast guests that some of these agencies, they can't fail. The attacker keeps coming at them and they have no margin for error.Carolyn: But isn't that why we do like sandboxing and we set up staging servers and we run the scenarios? Let's fail and fail fast and do it in a safe environment that's not out in the wild. We've addressed this a little bit, but what are the steps to take to ensure that zero trust does not disrupt the employee user experience?Willie: My personal take on it. This is kind of what I talked about in my keynote. First of all, you've got to measure, you've got to observe, you've got to know what your experience is. So observation and testing. Something we are notoriously bad at unfortunately, and we've seen this time and time again where we don't do sufficient testing of a new product, to the user experience. Like if I'm implementing a new authentication system, whatever it might be, test it, have simulations run quality checks....","content_html":"

Willie Hicks, CTO of Public Sector at Dynatrace joins Carolyn and Mark to unpack the recent ATARC event: Improving the User Experience in a Zero Trust World. At this federal breakfast summit, sponsored by Dynatrace and Amazon Web Services, we heard from some of the most prominent technology leaders focused on Zero Trust including Nicole Willis, Jamie Holcombe, Mickey Iqbal, and more. Listen in as Mark and Willie give highlights and takeaways from the event. Be sure to follow the link in the show notes to see the full event On-demand!

Guest Speakers at the ATARC Event: Improving the User Experience in a Zero Trust World

Carolyn: So today we're reviewing top takeaways from ATARC's Federal Breakfast Summit, Improving the User Experience in a Zero Trust World. Which those two things, user experience, and zero trust, are kind of a direct conflict for me, but we'll get to that. The conference was sponsored by AWS and Dynatrace, and it's available on-demand for our listeners at ATARC.org. Also, we have Willie Hicks, our Federal Chief Technologist at Dynatrace.

Willie, you were a keynote speaker at the event. I'm too biased to say you were my favorite so I won't say that. I mean, everybody was really good. Jamie was super exciting. Let me just review who our speakers were.

So our keynote speaker around zero trust was Grant Schneider. He brought a really interesting perspective because he's former White House. So he was the senior director of cybersecurity services. So former federal CISO, and now he's in industry at Venable. Then we had our next keynote around the user experience was the very entertaining Jamie Holcombe. He's the CIO at U.S. Patent and Trademark Office. And then my favorite, Willie, Federal Chief Technology Officer here at Dynatrace. Then we had a panel that brought the user experience and zero trust together and how we reconcile those two and how they work together. And on that panel, we had Nicole Willis, Chief Technology Officer, OIG, at the U.S. Department of Health and Human Services.

Is User Experience Unrelated to Zero Trust?

Carolyn: Jamie came back on the panel. We had Mickey Iqbal, he's the Public Sector Solution Architect and Chief Technologist at Amazon Web Services. Willie on the panel. And then we had our moderator, Tom Suder, who's fantastic. He's been in this business so long that he had a lot of really good insights too.

Now that I've given our listeners the overview of who participated, first of all, I was thrilled to see that we had a packed room. We had a standing room only, and that was really, really nice to see. It was lovely to have people in person and to be able to interact with one another personally.

So, all right, let's get to the first question. Today, Mark, you're less of a co-host. I want to hear your opinions about what your takeaways were from that day. So around the user experience and zero trust, did you have any aha moments? What were your favorite moments? Tell me your feelings about the day.

Mark: Well you know, from my perspective, coming from industry and Dynatrace, I think we think of end-user experience as something different related to zero trust. So we think of it differently.

Carolyn: And at odds with each other.

Mark: Yes. Well, I get the feeling more and more, it's more how the end-user navigates the security protocols and processes to accomplish the end goal. Which is not their problem of zero trust, which would be the agency's problem.

How the End-User Navigates the Security Protocols

Mark: And so the agencies think of end-user experience in that light as opposed to we think of it in a different way as it relates to somewhat the same. But how end users are impacted by their interaction with applications on the internet and things like that. So I guess it's a little bit like that.

Carolyn: Did you get the sense that's how our government thought leaders that were speaking at the summit? Is that how they think of it? Or do you think that's more about how industry and we as end-users think of it?

Mark: I think that's how we think about it. I think they think about it in the former.

Willie: Yes. I definitely agree.

Carolyn: The government leadership. So Willie, talk to me more about that.

Willie: Yes. So I agree. I think it is interesting because I think our panel, and I got to talk to the panel a little bit afterwards as well. I think that Jamie from PTO standpoint and Nicole, just by kind of how they were, not just the keynote, but how we were interacting on the panel, they actually do get it.

For example, I got to have a great conversation with Nicole. It was one of those things where she was kind of talking about the service that she was trying to provide to the citizens. Because a lot of people who use HHS services and so forth, Medicare, Medicaid, those kinds of things, they might be older. They might be having a very difficult process to log into a system, to get access to a system, to get your basic information.

We’re Protecting the System, Not the User Experience

Willie: She seemed very sensitive to that, in understanding that we have to have a better user experience. And I think I got that from Jamie but at the same time, we talked about agencies as a whole and the government as a whole. There is an issue, not just zero trust. But even before this real big push for like Shields Up with CISA and all of the zero trust. We build these systems, we put up our authentication and all the things that we're going to do to protect the system, not really factoring in the customer, not really even thinking about it.

It's about protecting the system. The idea is about the system, not really about the customer, don't really care. We just want to make sure we protect the system.

At the end of it, we might be making the system so difficult that no one can even access it. Nobody wants to take the time, the 45 minutes it takes to set up an ID and jump through all the hurdles to get to an ID. So I think that from a larger standpoint, and just talking on the panel, they admitted that there are a lot of systems out there. A lot of public-facing, citizen-facing systems, and backend systems that need a lot more focus around the customer experience. And again, not just around zero trust, this is just in general about just the basic usability of the system, if that makes sense.

Zero Trust Should Be a User Experience Enabler

Mark: It does, you know, I can't remember if this was in a sidebar conversation after the event or if it was during the event, but they talked about multifactor authentication and how they were almost just forced to take the plunge. And somebody said, "We're just going to do it." At the end of the day, they're like, "Oh, wow. Okay, this word works. It's not that difficult. It's not that tough for end-users."

Carolyn: Well, and do you know what’s funny, is when I hear security, so zero trust is all about security to me as an end-user. And whenever I hear security, that makes me feel a little puke-y. Because I think that means that my experience is going to be really awful as an end-user, to your point, Willie.

However, Willie, you make the argument at the event that zero trust can and should make the end-user, my user experience, better and make the practitioner's experience better. So there's more than one end user. There's the end-user of the systems, then there's me trying to get into the systems, and can you talk a little bit more about that? And did you get the sense that our government speakers feel the same way? That zero trust really should be a user experience enabler?

Willie: Right. So, that's an excellent point. I do agree with that. And I think the panel as a whole agrees with that too.

Again, if you look at the principles, the mindset around zero trust, the mindset around architecture, architecting zero trust framework, it's an all-encompassing type of scenario.

Understanding Your Customer’s User Experience

Willie: It's not just like we're buying MFA or you get single sign-on and this, this and this, and you've got zero trust. It's really a whole mindset. I think Nicole actually mentioned this. With everything they do, especially with zero trust, they're thinking about user experience at the beginning of the process.

So things like multifactor authentication as Mark already pointed out. When you have a robust multifactor setup, that is going to actually enable you to make your end user's life easier. Because once they log in, once they validate, whatever those multiple factors that they use to validate that user, once that I can trust you or you, and the device that you are on is a valid device, then now you can have access to this cloud application. Or you can have access to this internal system or that authentication token can be passed around.

There might still be a validation process, but it should be external. You shouldn't see it as the customer. It should all be kind of going on in the background. It's constantly validating you. So I think that idea was there, but also I did counter though, the point that, yes, it should be better. But how do you know it's better if you're not measuring it?

If you don't understand today your customer's user experience, how do you know it's gotten better when we implement these new systems? How do you know it hasn't gotten worse? How do you know that there really isn't a problem? I gave an example as part of my keynote.

Monitoring User Experience

Willie: I didn't mention the agency name, but several months ago I tried to set up a multifactor authentication for a system with some of my personal information on it. This was a government system. And after about 45 minutes of filling out a form, putting in my government ID, waiting for an identifying number to come back on my phone, which never showed up. Trying to go back and reestablish and start it over again.

Literally after 45 minutes and then the system telling me to call this number to try to do this manually. I was like, "I'll just go in and do what I need to do." So again, do I think either this agency that I was working with just didn't know how bad the customer experience was, or they just didn't care. And my hope is that it's just they didn't know.

Mark: I think that's probably it.

Carolyn: I think it might be a little bit of both. Because they have to have the security in place. They have to use those systems too.

Mark: Yes, but they're typically technical people.

Carolyn: Yes. So is Willie.

Willie: Well yes, but I love the customer, so I always focus on the customer. No, but seriously, that's the one thing. To your point, it might be a little bit of both that and let me take that back. I know from experience, it probably is a little bit of both in that.

Making the User Experience Easier

Willie: There is this idea that, okay, we have to tolerate some bit of inconvenience to allow us to have a secure system. Now, I think what I went through was the extreme.

Carolyn: Is it?

Willie: Well, and unfortunately it might not be, but at the end of the day, there is this idea, you have to tolerate this thing. But I also made the point during the keynote that industry has solved some of these.

Like if you look at the financial sector, for example. I used the example of trying to set up MFA on this government system versus setting up MFA on my bank account. And when I was forced to do that, obviously they had tested this system 15,000 times. Because when I went in, by the time I was forced to go for my really insecure password and I should have better passwords. But I went from that password to having to set up my MFA, I was thinking it was going to be a long process. The bank was about to put me through this long process. It took me less than 45 seconds. It took me about a minute. Most of that time was me waiting for a response back on my phone.

As soon as that was over, now, literally whenever I log in, I get a text message on my phone. I hit a button, I'm logged into the system. Those kinds of things. And I think Jamie even brought up the point that at some point we need to get away from even multifactor and have more biometrics. It should become even easier like we have a thumbprint reader or something like that.

OMB Is Pushing to Move Too Fast

Carolyn: Yes. But I don't want anybody to kill me for my eyeball so they can break into my system.

Willie: Yes, you've been watching too much Netflix. I think that was that Thor, one of the Marvel movies?

Carolyn: I'm sure it's more than one. So there's an article that cites a study, the article is called How Federal Agencies Can Implement a Secure and User-Friendly Zero Trust Architecture. It states that nearly four out of five federal cybersecurity decision-makers, they know there's an urgency. They want to implement zero trust. However, 87% of them say the White House and the OMB are pushing to move too fast. Mark, I know you have an opinion about this. So talk to me about that pushing to move too fast. Are they? Should they be?

Mark: Yes, they should definitely be pushing. I think that the White House has to push fast because I feel like we're probably five years behind where we should be today to feel comfortable. If they don't push, then you're going to have agencies across the government be at different levels of maturity. They're going to be all over the place.

So you're going to have gaps and things like that. If you leave it up to the agencies to go at their own pace, it's kind of like the concept of, you don't need it to be a hundred percent perfect, but you need it to be 75% perfect. Then we'll work on the remainder of the 25% that's not perfect and get it there.

Done Is Better Than Perfect

Mark: So we have to push. It was almost like the way agencies adjusted when the pandemic hit, they didn't have a choice. And they had to deal with remote workforce. They had to do it. They had to digitally transform and modernize and it made them do things out of their comfort zone that I think that they have to do.

So there needs to be a push. I feel like when you hear experts across the government talk about this, that it's just got to be a very modular, agile approach to doing it and building it. So that as technology advances and changes and things change that they can pull things in and out. They can move things around and bring things in that work together and that kind of stuff to get to where they need to be.

Carolyn: Yes. Done is better than perfect because perfect never gets done, is one of my favorite quotes. And you just said something, I was going to ask you and Willie. So we think that the White House should push hard. Yes, they're pushing. If they don't, then we're never going to get started. Then you said something about a modular approach to do this well. So is that the sense that we got from our speakers at the summit, is that one of the solutions that we heard from them?

Willie: So I'm thinking, and the modular approach or what I took away from the conversation and also with what Mark was saying. I think it was Jamie who has kind of taken this approach of, we need to use kind of agile development methodologies in this process.

Minimum Viable Security

Willie: In the agile mindset, there's this idea of the MVP, the minimum viable product. This is really something that we see a lot of in industry, kind of getting that minimum built product out there to get into the market. Then start iterating through functionality and fixes and so forth as you find them and improve the product rapidly. Rapid improvement of the product.

I think what Jamie was kind of alluding to was this idea of minimum viable security, where you've got to start somewhere. We can't just plan and nothing ever gets done. But get the minimum viable out there and then start iterating through basically building that framework with a more agile type process. Also this would impact the end-user.

We talked about customer experience. Learning from these first iterations, what worked, what didn't work, how do we make it better? Obviously, you have to make it secure enough. You don't want to just leave the gates open. You don't want to put something out there that is insecure. But we're never going to reach a point where it's just Nirvana, everything's in place. Everything's secure. Nobody's ever going to get into our systems because that's just fallacy.

I mean, this is an arms race. As soon as we find some way to secure a system, there are hundreds and thousands of hackers out there. State-sponsored ones, people living in their basements, whatever, all trying to break into these systems. So it's just kind of back and forth. So we've got to constantly iterate. We've got to constantly build on what's worked in the past and what didn't work in the past. That's kind of what I took away.

How to Ensure Zero Trust Does Not Disrupt the Employee User Experience

Mark: I think those are two things that work against each other. Because I have to imagine there's a tremendous amount of pressure on your average federal government agency, CIO and CSO, to do it right, to plan and make sure it's right. Because some of these agencies, they don't have room for error. We've heard this, not just on the panel at the event, but we've heard this from past podcast guests that some of these agencies, they can't fail. The attacker keeps coming at them and they have no margin for error.

Carolyn: But isn't that why we do like sandboxing and we set up staging servers and we run the scenarios? Let's fail and fail fast and do it in a safe environment that's not out in the wild. We've addressed this a little bit, but what are the steps to take to ensure that zero trust does not disrupt the employee user experience?

Willie: My personal take on it. This is kind of what I talked about in my keynote.

First of all, you've got to measure, you've got to observe, you've got to know what your experience is. So observation and testing. Something we are notoriously bad at unfortunately, and we've seen this time and time again where we don't do sufficient testing of a new product, to the user experience. Like if I'm implementing a new authentication system, whatever it might be, test it, have simulations run quality checks....

","summary":null,"date_published":"2022-06-15T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/df4af8db-1d5b-440f-9d4a-b0d4c6879c15.mp3","mime_type":"audio/mpeg","size_in_bytes":25201480,"duration_in_seconds":1798}]},{"id":"1bdd3f23-a395-42b5-baec-3ec2d55a2320","title":"Episode 39: Hyperautomation with Bob Stevens","url":"https://techtransforms.fireside.fm/39","content_text":"This week, Carolyn is joined again by Bob Stevens, AVP Public Sector at GitLab, this time to talk about the power of hyperautomation. Listen in as Carolyn learns what can be gained through fast, accurate application security. Episode Table of Contents[00:32] What is Hyperautomation[09:02] What Has Changed in HyperautomationEpisode Links and ResourcesBob StevensMalcolm Gladwell: BlinkWhat is HyperautomationCarolyn: I'm excited to welcome back Bob Stevens, Area Vice President of Public Sector at GitLab. Bob is a seasoned veteran in public sector technology with over 36 years of experience.As the AVP at GitLab, he is responsible for helping government organizations become more productive, efficient, and effective. Bob has experience on both the industry and the government side of things. Prior to industry, he served in the United States Air Force as a computer specialist at the White House Communications Agency.Today, we are going to talk about artificial intelligence, machine learning, and what hyperautomation is exactly. Why Bob thinks it will be 2022's biggest trend. Bob, welcome back to Tech Transforms.Bob: I'm happy to be here. Thank you. Appreciate it.Carolyn: I'd like to talk about an episode that you just did with GovExec Daily. And on this episode, you mentioned that hyperautomation will be 2022's biggest trend. I'm going to be honest. I haven't really heard hyperautomation. And I get automation. I can deduce what hyperautomation is, but I would love for you to explain it to me. 
What's the difference between automation, hyperautomation, DevOps, all of that?Bob: Yes, I mean, it's the strict definition of the word. It's rapidly identifying, vetting in automated processes in order to produce whatever it is that you're working on as fast as you possibly can. And it trends today because if you think about the government space, they have a lot of compliance issues that they need to deal with. The Benefits of HyperautomationBob: If they can automate those compliance processes and ensure that when they build software, in the end it's going to be compliant and they don't have to go back and vet it. I mean, that's going to save them a world of time.Carolyn: Are you talking about missed compliances, automating some of those missed controls? There's 300 of them, I think.Bob: Yes, those. I think you're talking about FedRAMP. Carolyn: Yes. One of. Or authority to operate has all of those. Right? I mean, I don't know all the details.Bob: Yes, no. There's the STIGs. That the government has to put all software through and that's all about compliance. The government has to get the authority to operate, ATOs, for everything that they run.Carolyn: And renew them every two or three years.Bob: Or sooner. It depends on how much of a change occurred in the application. If you can hyperautomate all of that by the use of AI or machine learning. Again, and so by the time you produced that software, all those compliance issues are addressed. You know they're addressed because you've got confidence in the system and the way that it was done. It didn't require as little human intervention as possible, which is unfortunately, where some mistakes are injected.Then you've saved a world of time and you've made life really, really easy for the folks that are doing the development. As well as the folks that are using the applications in the end. 
Because they don't have to sit and wait to get the authority to operate, which sometimes can take a year.The Bad News: We Haven’t Tried HyperautomationCarolyn: Is the differentiator between automation, DevOps, and hyperautomation really adding in, automating those compliances? And are you telling me that that hasn't happened before now?Bob: Unfortunately, it has not happened. I mean, that's evident by the fact that the government still has to produce ATOs and they still are doing STIGs at the end of the development cycle. Unfortunately, it hasn't happened. I think the government will embrace it and has started to embrace it. And therefore, will embrace hyperautomation, otherwise referred to as DevOps automation. Because it's really during the DevOps process that all that automation occurs. But it is going to continue to have focus.Compliance is just one area. Security is another one. If I can ensure that when I'm done with my software development, it's free of vulnerability or known vulnerabilities. Then again, the developers can help the security folks be more supportive of those applications and getting them out to users faster, rather than having to put them through some other processes or manual processes in the end. Hyperautomation, it's not going to go anywhere. It's only going to build and become more important for everybody.Carolyn: What's made it a thing now? First, my head's still spinning that we haven't automated a lot of these controls. But what's made it a thing now? Are there new tools coming online or did somebody just go, \"Oh, you know what would be a good idea?\"Bob: It's a combination of both. It's the collision of DevOps with compliance built-in. Just having the ability to do that. This gets back to what we spoke about last time, which is the building of a platform, where all 10 aspects of the development life cycle are incorporated into one platform. 
Misconceptions About How Hyperautomation Can Be UsedBob: And now I can start to include things, like ensuring that code is vulnerability-free when it's complete. Ensuring that I've met all compliance requirements during the process, rather than waiting till the end and doing all the tests. It's a combination of both. It's new tools, new capabilities, as well as the fact that somebody said, \"Hey, wouldn't it be a great idea to combine these?\"Carolyn: Yes. Right. Why haven't we been doing this in like forever? Are there any misconceptions about how hyperautomation can be used?Bob: Well, I'd love to say that it's going to be the end-all, be all for everything, but it's not. It never is. And they'll always require some manual intervention at some point or some additional thought that needs to be required. But that just means we get to continue to iterate on it, which is part of the GitLab culture. We put things out in small batches and then we iterate them in order to get them closer to perfection. Rather than wait for perfection before we introduce whatever it is that we're working on.Carolyn: I think you already kind of answered this, but is there a point where DevOps and hyperautomation overlap? Are they kind of the same thing? Are they two sites? How do they work together?Bob: Yes. I think there's overlap, which is why I was saying that it's also referred to as DevOps automation.Carolyn: Yes. It is the same thing, kind of?Bob: Yes.Carolyn: Okay. You did the interview just this February of 2022 with GovExec Daily. Do you think much has changed in hyperautomation, just even in the last two to three months?What Has Changed in HyperautomationBob: I think it has. I can tell you just from a GitLab perspective, you can now use our tool for some of those compliance, automated compliance processes that we talked about.Carolyn: What kind of lift is that to get, for example, GitLab to make it so the government will accept that automation?Bob: Yes. That's a good question. 
You know what? I have not been through that process yet. Carolyn: But I would imagine you got to do an ATO kind of process on the automation side, so the government can accept it. Right? Bob: Yes, no, that's true. I mean, they take our software and put it through the ATO process. What tool could you use to put ours through that would give us an ATO in the end? It's to your stacking tools, upon tools, upon tools.Carolyn: Yes. Or maybe it's just eyeballs on it saying, \"Yes, this works.\"Bob: Yes. Again, back to our culture. I mean, transparency is key and we're going to be 100% transparent with the government or any entity that uses our technology. And we're going to show them exactly what's happening under the covers so that they're fully aware and can make their assessments.I already know the government is embracing. Just as an example. I mean, they're required to produce a software bill of materials in the end. Because a developer can pull libraries from anywhere, it's important to build that software bill of materials in order to assure compliance. Well, our tool will build it for you.AI and Machine Learning’s Part in HyperautomationBob: We'll tell you where all those libraries were pulled from and produce the list. So that you don't have to go back or keep track or do some sort of manual process. I can tell you the government has embraced that. I mean, they want that to be an automated process. They don't want somebody going back through what could be hundreds of thousands of lines of code to figure out where did it actually come from?Carolyn: Yes. I mean, talk about a security risk, to not know everything that was involved in building it. And then I would imagine, if you've got a tool that builds your SBOM, it's got to be aware as things get updated. The next version of the software, that's part of it.Bob: Yes. I mean, that's where AI and machine learning really play a major part. Because you're right. 
We've got to know about every library that can be discovered out there and was written.Carolyn: My chief technologist, Willie Hicks, likes to correct me when I interchange machine learning and AI. Is one used as part of this process more than the other? Do they both have their place? Because you've mentioned both, machine learning and AI. Bob: Yes. I mention them because they're part of hyperautomation. I'm not going to tell you I'm an expert on either one of them. And of course, they can often have different definitions or be used interchangeably. I think to answer your question, I'm going to say it depends. Depends on who you're talking to at that particular time.BlinkCarolyn: That makes sense. Well, we are coming up against time again. I'm going to thank you for your time. But before I let you go, I want to throw some more tech talk questions at you. I won't give you the same tech talk questions that we did last time. Let's go with books. Who was the author that you mentioned last time?Bob: James Patterson.Carolyn: Okay. Do you like Tom Clancy too? Sorry. He makes me think of Tom Clancy.Bob: I have read Tom Clancy. Honestly, he uses too many words, so I don't read.Carolyn: Right? You can skip a whole chapter and not miss the story. But okay, good. On the same page there. But do you have a favorite genre of books? Is it thriller?Bob: Well, it is the criminal thrillers. Those are interesting to me because I guess, maybe that's the way my mind works. I'm trying to figure out what the end is long before I get to the end. I think that's what engages me quickly. I also like any leadership book that can help you be better.Carolyn: Do you have a favorite or some favorites?Bob: Yes. One of my favorites is Malcolm Gladwell’s Blink. I know people like to go to his Tipping Point, but I think Blink is the best one. Blink is really all about you trusting your gut. Because if you've done something for long enough, you're an expert. Therefore, you should trust your instincts. 
And I don't think that happens all the time. I think people question themselves and others. And I just think that book does a really good job of leading you towards trusting you.IntuitionCarolyn: Yes, I agree. I mean, I think that we have an intuition. That intuition gets a bad rap. That it's not knowledge, but it is. It's knowledge that we've built up over the years that I think we can respond to faster than our neat computers that sit on top of our shoulders can compute. We've got that knowledge somewhere that we've gained over the years. And maybe it is even encoded into us through centuries of our ancestors learning to run from the bear.Bob: Yes. I've heard. For me, it's wisdom. That's what we've gained is wisdom.Carolyn: Yes. There we go. That's a better word.Bob: Yes. We need to trust that wisdom. We also need to impart that wisdom. That's part of our responsibility to our coworkers or our families, friends, whatever, whoever it is that you're engaged with.Carolyn: Well, great. You've inspired me to go back and revisit Blink because it's been a while. Well, Bob, thanks again for joining us and taking the time to share some insights with our listeners. Listeners, thanks for joining us. Please be sure to visit the website for the show notes and references that Bob made. We also want to thank our sponsors Dynatrace. Visit dynatrace.com to learn more about how you can literally transform faster, smarter, and easier. Please share and like this episode. ","content_html":"

This week, Carolyn is joined again by Bob Stevens, AVP Public Sector at GitLab, this time to talk about the power of hyperautomation. Listen in as Carolyn learns what can be gained through fast, accurate application security.

What is Hyperautomation

Carolyn: I'm excited to welcome back Bob Stevens, Area Vice President of Public Sector at GitLab. Bob is a seasoned veteran in public sector technology with over 36 years of experience.

As the AVP at GitLab, he is responsible for helping government organizations become more productive, efficient, and effective. Bob has experience on both the industry and the government side of things. Prior to industry, he served in the United States Air Force as a computer specialist at the White House Communications Agency.

Today, we are going to talk about artificial intelligence, machine learning, and what hyperautomation is exactly. Why Bob thinks it will be 2022's biggest trend. Bob, welcome back to Tech Transforms.

Bob: I'm happy to be here. Thank you. Appreciate it.

Carolyn: I'd like to talk about an episode that you just did with GovExec Daily. And on this episode, you mentioned that hyperautomation will be 2022's biggest trend. I'm going to be honest. I haven't really heard hyperautomation. And I get automation. I can deduce what hyperautomation is, but I would love for you to explain it to me. What's the difference between automation, hyperautomation, DevOps, all of that?

Bob: Yes, I mean, it's the strict definition of the word.

It's rapidly identifying, vetting in automated processes in order to produce whatever it is that you're working on as fast as you possibly can. And it trends today because if you think about the government space, they have a lot of compliance issues that they need to deal with.

The Benefits of Hyperautomation

Bob: If they can automate those compliance processes and ensure that when they build software, in the end it's going to be compliant and they don't have to go back and vet it. I mean, that's going to save them a world of time.

Carolyn: Are you talking about missed compliances, automating some of those missed controls? There's 300 of them, I think.

Bob: Yes, those. I think you're talking about FedRAMP.

Carolyn: Yes. One of. Or authority to operate has all of those. Right? I mean, I don't know all the details.

Bob: Yes, no. There's the STIGs. That the government has to put all software through and that's all about compliance. The government has to get the authority to operate, ATOs, for everything that they run.

Carolyn: And renew them every two or three years.

Bob: Or sooner. It depends on how much of a change occurred in the application. If you can hyperautomate all of that by the use of AI or machine learning. Again, and so by the time you produced that software, all those compliance issues are addressed. You know they're addressed because you've got confidence in the system and the way that it was done. It didn't require as little human intervention as possible, which is unfortunately, where some mistakes are injected.

Then you've saved a world of time and you've made life really, really easy for the folks that are doing the development. As well as the folks that are using the applications in the end. Because they don't have to sit and wait to get the authority to operate, which sometimes can take a year.

The Bad News: We Haven’t Tried Hyperautomation

Carolyn: Is the differentiator between automation, DevOps, and hyperautomation really adding in, automating those compliances? And are you telling me that that hasn't happened before now?

Bob: Unfortunately, it has not happened. I mean, that's evident by the fact that the government still has to produce ATOs and they still are doing STIGs at the end of the development cycle. Unfortunately, it hasn't happened.

I think the government will embrace it and has started to embrace it. And therefore, will embrace hyperautomation, otherwise referred to as DevOps automation. Because it's really during the DevOps process that all that automation occurs. But it is going to continue to have focus.

Compliance is just one area. Security is another one. If I can ensure that when I'm done with my software development, it's free of vulnerability or known vulnerabilities. Then again, the developers can help the security folks be more supportive of those applications and getting them out to users faster, rather than having to put them through some other processes or manual processes in the end. Hyperautomation, it's not going to go anywhere. It's only going to build and become more important for everybody.

Carolyn: What's made it a thing now? First, my head's still spinning that we haven't automated a lot of these controls. But what's made it a thing now? Are there new tools coming online or did somebody just go, \"Oh, you know what would be a good idea?\"

Bob: It's a combination of both. It's the collision of DevOps with compliance built-in. Just having the ability to do that. This gets back to what we spoke about last time, which is the building of a platform, where all 10 aspects of the development life cycle are incorporated into one platform.

Misconceptions About How Hyperautomation Can Be Used

Bob: And now I can start to include things, like ensuring that code is vulnerability-free when it's complete. Ensuring that I've met all compliance requirements during the process, rather than waiting till the end and doing all the tests. It's a combination of both. It's new tools, new capabilities, as well as the fact that somebody said, \"Hey, wouldn't it be a great idea to combine these?\"

Carolyn: Yes. Right. Why haven't we been doing this in like forever? Are there any misconceptions about how hyperautomation can be used?

Bob: Well, I'd love to say that it's going to be the end-all, be-all for everything, but it's not. It never is. And they'll always require some manual intervention at some point or some additional thought that needs to be required. But that just means we get to continue to iterate on it, which is part of the GitLab culture. We put things out in small batches and then we iterate them in order to get them closer to perfection. Rather than wait for perfection before we introduce whatever it is that we're working on.

Carolyn: I think you already kind of answered this, but is there a point where DevOps and hyperautomation overlap? Are they kind of the same thing? Are they two sites? How do they work together?

Bob: Yes. I think there's overlap, which is why I was saying that it's also referred to as DevOps automation.

Carolyn: Yes. It is the same thing, kind of?

Bob: Yes.

Carolyn: Okay. You did the interview just this February of 2022 with GovExec Daily. Do you think much has changed in hyperautomation, just even in the last two to three months?

What Has Changed in Hyperautomation

Bob: I think it has. I can tell you just from a GitLab perspective, you can now use our tool for some of those compliance, automated compliance processes that we talked about.

Carolyn: What kind of lift is that to get, for example, GitLab to make it so the government will accept that automation?

Bob: Yes. That's a good question. You know what? I have not been through that process yet.

Carolyn: But I would imagine you got to do an ATO kind of process on the automation side, so the government can accept it. Right?

Bob: Yes, no, that's true. I mean, they take our software and put it through the ATO process. What tool could you use to put ours through that would give us an ATO in the end? It's to your stacking tools, upon tools, upon tools.

Carolyn: Yes. Or maybe it's just eyeballs on it saying, \"Yes, this works.\"

Bob: Yes. Again, back to our culture. I mean, transparency is key and we're going to be 100% transparent with the government or any entity that uses our technology. And we're going to show them exactly what's happening under the covers so that they're fully aware and can make their assessments.

I already know the government is embracing. Just as an example. I mean, they're required to produce a software bill of materials in the end. Because a developer can pull libraries from anywhere, it's important to build that software bill of materials in order to assure compliance. Well, our tool will build it for you.

AI and Machine Learning’s Part in Hyperautomation

Bob: We'll tell you where all those libraries were pulled from and produce the list. So that you don't have to go back or keep track or do some sort of manual process. I can tell you the government has embraced that. I mean, they want that to be an automated process. They don't want somebody going back through what could be hundreds of thousands of lines of code to figure out where did it actually come from?

Carolyn: Yes. I mean, talk about a security risk, to not know everything that was involved in building it. And then I would imagine, if you've got a tool that builds your SBOM, it's got to be aware as things get updated. The next version of the software, that's part of it.

Bob: Yes. I mean, that's where AI and machine learning really play a major part. Because you're right. We've got to know about every library that can be discovered out there and was written.

Carolyn: My chief technologist, Willie Hicks, likes to correct me when I interchange machine learning and AI. Is one used as part of this process more than the other? Do they both have their place? Because you've mentioned both, machine learning and AI.

Bob: Yes. I mention them because they're part of hyperautomation. I'm not going to tell you I'm an expert on either one of them. And of course, they can often have different definitions or be used interchangeably. I think to answer your question, I'm going to say it depends. Depends on who you're talking to at that particular time.

Blink

Carolyn: That makes sense. Well, we are coming up against time again. I'm going to thank you for your time. But before I let you go, I want to throw some more tech talk questions at you. I won't give you the same tech talk questions that we did last time. Let's go with books. Who was the author that you mentioned last time?

Bob: James Patterson.

Carolyn: Okay. Do you like Tom Clancy too? Sorry. He makes me think of Tom Clancy.

Bob: I have read Tom Clancy. Honestly, he uses too many words, so I don't read.

Carolyn: Right? You can skip a whole chapter and not miss the story. But okay, good. On the same page there. But do you have a favorite genre of books? Is it thriller?

Bob: Well, it is the criminal thrillers. Those are interesting to me because I guess, maybe that's the way my mind works. I'm trying to figure out what the end is long before I get to the end. I think that's what engages me quickly. I also like any leadership book that can help you be better.

Carolyn: Do you have a favorite or some favorites?

Bob: Yes. One of my favorites is Malcolm Gladwell’s Blink. I know people like to go to his Tipping Point, but I think Blink is the best one. Blink is really all about you trusting your gut. Because if you've done something for long enough, you're an expert. Therefore, you should trust your instincts. And I don't think that happens all the time. I think people question themselves and others. And I just think that book does a really good job of leading you towards trusting you.

Intuition

Carolyn: Yes, I agree. I mean, I think that we have an intuition. That intuition gets a bad rap. That it's not knowledge, but it is. It's knowledge that we've built up over the years that I think we can respond to faster than our neat computers that sit on top of our shoulders can compute. We've got that knowledge somewhere that we've gained over the years. And maybe it is even encoded into us through centuries of our ancestors learning to run from the bear.

Bob: Yes. I've heard. For me, it's wisdom. That's what we've gained is wisdom.

Carolyn: Yes. There we go. That's a better word.

Bob: Yes.

We need to trust that wisdom. We also need to impart that wisdom. That's part of our responsibility to our coworkers or our families, friends, whatever, whoever it is that you're engaged with.

Carolyn: Well, great. You've inspired me to go back and revisit Blink because it's been a while. Well, Bob, thanks again for joining us and taking the time to share some insights with our listeners.

Listeners, thanks for joining us. Please be sure to visit the website for the show notes and references that Bob made. We also want to thank our sponsors Dynatrace. Visit dynatrace.com to learn more about how you can literally transform faster, smarter, and easier. Please share and like this episode.

","summary":null,"date_published":"2022-06-08T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/72190ead-c3f1-454b-aac4-8a11a93b7959.mp3","mime_type":"audio/mpeg","size_in_bytes":14017181,"duration_in_seconds":1000}]},{"id":"54d5a2a1-04c8-4932-8ca6-ac953608d44f","title":"Episode 38: A Company Culture We Can Trust with Sara Jones","url":"https://techtransforms.fireside.fm/38","content_text":"Sara Jones, CEO of InclusionPro joins Carolyn and Mark to talk about all things diversity, equity, and inclusion. Sara explains gaps in authenticity and perception and gives tech leaders everywhere new goals to strive for when it comes to company culture. Episode Table of Contents[00:54] Why We Always Go Back to Company Culture[10:38] How Leaders Respond to Employees’ Desire[23:03] What Attracts People of Color to Apply[30:54] Why Leaders Avoid the Important Things About Company Culture[41:37] What Technology Can Never ReplaceEpisode Links and ResourcesSara JonesInclusive Research and the Authenticity GapTED Talk: My story of love and loss as a transracial adopteeSheTechSUU Women In TechSorenson CommunicationsAriel AlternativesBattlestar GalacticaWhy We Always Go Back to Company CultureCarolyn: Today I am really happy to have Sara Jones with us. Sara's a friend and we've spoken before. Almost all of our guests, even though we're talking about tech, they always go back to culture. We're going to talk about that with Sara today.Sara Jones is the CEO of InclusionPro. She has over 20 years of experience in technology, business development, law, and leadership. You were a practicing attorney, right Sara?Sara: For 10 years. I'm still recovering.Carolyn: So as the CEO of InclusionPro, her mission is to guide leaders in building inclusive company culture that promotes team performance and team innovation. 
She's written a book recently called Inclusive Leadership and the Authenticity Gap, that we get to talk about today. Sara: Thank you. And this is a fun opportunity for me to merge my love of technology with diversity, equity, and inclusion. As most folks know, it is pretty hard to do. I've had a couple of decades talking about this, so hopefully, we can share some really great learnings. Most importantly, I think for the folks listening that might be thinking \"DEI again.\"Carolyn: Which stands for?Sara: Diversity, Equity, and Inclusion. A lot of things have shifted. I think a lot of folks come to this type of conversation with the old thinking in mind. I'd just like to invite listeners to get rid of what you know. Just be open to hearing some new thoughts around diversity, equity, inclusions, and things that we're able to do now that we weren't able to do even five years ago. That's my little plug for saying, \"Open-minded today?\"InclusionProCarolyn: That leads really nicely into my first question about being a recovering attorney, your love for tech. What inspired you to create InclusionPro?Sara: InclusionPro is the end of a long 20-year journey having diversity, equity, inclusion as part of my personal career journey. Now, it may not be part of everyone's and a significant part of that is because I did start in patent law. Having an engineering degree and a law degree, put me in an industry that had only 5% women and people of color. I get a lot of people that are like, \"Oh, our industry has no women.\" I'm like, \"Yes, I've been there.\"I actually know what it's like. It's not like I came from academia or some area that was just flushed with a lot of diversity. I have lived this and I understand the impacts of it at a very personal level. But I also have been an executive. 
I know the challenges of being an executive, those operational aspects and how it really works in business.There's some big misalignments that can happen that we need to talk about when we get to this idea of authenticity. What is the individual need versus the larger organizational needs? Those can be very complex, very hard. I think it's something unique that I've been able to understand over my time. That makes me uniquely positioned to be able to help executives in this journey where most of them haven't been in this conversation.I think white men are more recently joining the conversation, which is very exciting. But you got a lot of employees saying, \"What about social justice? What about this? I'm not seeing this statement. Where's this ERG, where's this, you're not committed.\"How Company Culture Makes It Challenging to Be a LeaderSara: It can be really challenging to be a leader. Being able to frankly, make a full-time living, doing diversity, equity, inclusion, it's not something I could have ever imagined would've happened 20 years ago. Happily, here we are and people are willing to invest the time and energy into doing this. I'm just thrilled that I can do this full-time and bring all that knowledge into the companies.Mark: I'd really like to understand what you think that means and what we're doing. I was a little confused at first by the use of authentic or authenticity here.Carolyn: I'm really interested to know what it means for the employee, for us, for me and why it matters to the bottom line for the company. I think a lot of times, that's what creates change. If it helps the bottom line, then we'll do it. I don't know if there's a tie in there.Sara: What's interesting is that's actually the number one thing that executives want. When I work with an executive team, we actually go through an exercise that asks them, \"What is the thing that you most desire out of all of these strategic outcomes?\" So think about that. 
That's not actually a bottom-line conversation.I, as an executive and a leader, would really like to be able to do this. It’s not because it's what we've always been saying is the right thing to do. We all know that. Let's just move forward past that because people aren't doing it. At the core, what I find is when you get leaders in a space where they can be self reflective, they actually just want to be themselves.An Angel Double PositionSara: It's so bizarre, but they want to be humanized too. They want to be able to try, and if they may make a mistake, executives get this kind of spotlight on them. We can debate the word unfair, but they have a spotlight on them. Even if they make a small mistake, people are going to notice and be like, \"Those people, they don't get it. How can they be so disconnected?\" Et cetera, et cetera. Imagine what that starts to do as leaders are trying to learn.Let's say you're a white man. You've recently started learning about diversity, equity, inclusion, and you have folks that are expecting you to be perfect at it. That's a lot of pressure for leaders. By the way, I'm not perfect either. So we've created this interesting dynamic, not necessarily recently, but I think for leaders having to be on guard and in this angel double position.Mark: Maybe more so for publicly traded companies.Sara: Yes, public, but even private companies. This is any culture where leaders have this pressure.Carolyn: Even government, I'm thinking about our defense leadership. I feel like they almost can't afford to be authentic.Sara: That's exactly right. Now you're thinking about the give and take of what I am allowed to say. Do I have the freedom to say? How do you shift that? What happens is when you really curate the words that you say, you actually stop communicating. 
You stop having conversations with people and say, \"If that's the reaction I'm going to get, I'm just not even going to try.\"How Human Connection Stops in the Company CultureSara: So the learning stops, the engagement stops, the human connection stops in the company culture. That's been the whole problem to begin with. If we would just get together in a room, sit down and be able to have conversations, actually knowing and expecting people to make mistakes. Then how do we help people through that and help each other learn?By the way, it's not just white men that are going to make mistakes. It's going to be people of color to make assumptions, it's going to be, LGBTQIA identifying people. We're all going to make mistakes because we're all human. We've created this interesting boundary around what's permissible and what's not permissible. It's really slowed down our ability to change culture within leaders or companies.Now, what I'm not saying is say whatever you want, that's not what I'm saying. What I'm saying is that authenticity, the goal to reach that is really a journey. It's really like \"We're going to help each other. We're going to learn side by side, because I, as the executive, don't know everything. You, as the new employee don't know everything either and it's okay, we're going to help each other out.\"Now it's more of a partnered experience rather than what would be considered a top down. The leaders need to model or grassroots because neither works by itself alone. That's an example of the shift that enables more people within an organization to really be more authentic and reduce the misalignments that can help.Carolyn: Is the authenticity gap more in the leadership or in the employees or everybody?How Leaders Respond to Employees’ DesireSara: I would say it's how leaders respond to employees' desire for more inclusion. There's actually many options available to leaders. 
If they are not in touch with the way to get that true connection with their employees, they're more likely to create an authenticity gap. They're more likely to have people say, \"They're doing it to check the box. They don't really mean it. They're doing it for marketing reasons, but they don't actually believe it.\" It's that sort of sentiment that you're trying to reduce. There's methods that produce that and there's also methods that create more authenticity.Carolyn: I absolutely see how being authentic is good for your soul. Is it good for your company?Sara: Yes. We're in the great resignation period. We have had some pretty rough business experiences. I think executives are just scrambling right now to figure things out. Some are saying, \"I can't afford right now to do diversity, equity, inclusion.\" In my mind, if you're thinking of diversity, equity, inclusion, as something on top of your day job, you're probably thinking about it wrong in the first place.It's really how we show up, how we make decisions, how we grow the business. It is not about just keeping employees happy. If you're just trying to satiate employees and that's very patronizing and it is felt, they know. They're not dumb. They know when leaders are just doing it to make it seem like they're doing it, but they're not really committed. The teams I work on usually have very genuine interests. I'm actually not working with folks that are just talking the talk. If they're talking the talk, I guarantee they will not hire me.How to Make an ImpactSara: That's just a fundamentally easy thing for me as a DEI consultant, to know who's genuinely committed, who wants to do the work, and who's not interested in doing it. My day-to-day is really more focused on those organizations and what they can do to make an impact.I'm actually seeing the work going on inside of the organization. Some of that's a little bit more invisible to folks on the outside. 
That's the leadership challenge right there, it’s that communication piece and things like that. I don't necessarily go and approach, and says, \"I look at the executive team or boardroom and I'm diversifying now”. You're going to get a lot of backlash.\"That's absolutely not my approach. From an executive leadership standpoint, we know how hard it is to keep the ship running. Having a lot of changeover at the top is just not smart. So what is the learning, the growth and cap, and capacity we start to build on the leadership team so they can start to make decisions in a more deep, inclusive way? That's when you're going to start to see the real authenticity happen.Sometimes it takes a year or two for change to happen. So if we're looking for immediate change, again it is reactive. What I'm trying to do is get folks to move from reactive to intentional. Again, we went from decades of \"Let's invite a woman to speak and talk about her gender\". How much did that make us mad? We're like, \"Oh my gosh, I have a brain. Please let me showcase my talents, not talk about what it's like to be a woman\".A Company Culture Where a Person of Color Can ThriveSara: We want the same thing as men. It's not really that different, the things that I want for my career versus what a man wants in his career. So whether that's a person of color or anyone, we've got to get people better at seeing genius in a wider range of forms. That's the learning that leaders have to do. It’s to be able to say, you know, cybersecurity experts, don't just look one way. They don't talk one way or solve a problem one way, they actually solve it in a lot of different ways.If they don't have that exposure, if they've not worked with a group of diverse thinkers, they're very unlikely. They're much more likely to hire, like if they really want to diversify, somebody based on an optic characteristic rather than an internal skills. 
It is ultimately the right way to hire whichever anyone wants.Mark: How do we get more women and minorities involved in STEM early? By the way, getting people involved in STEM early doesn't mean that in a year you're now seeing results. You're probably seeing results a decade later. Something that I'm struggling with, as our company at Dynatrace grow, we are looking for diverse candidates that we would like to hire. I'm looking at the candidate pool and I see a disproportionate amount of white males in the candidate pool in technology.I don't know how I can change that. It's significant. I've worked at companies in the past who are heavily involved in STEM and things like that, but I don't feel we're seeing the results of those efforts in the marketplace now. Maybe we will, and I'll be out of the marketplace by then.The Truth About Company Culture and the Talent PipelineSara: It'll be a decade from now, but how do I handle and deal with these kinds of things that I have to deal with today?Carolyn: What Mark sees anecdotally, I'm guessing that's pretty universal. On the flip side in the marketing world, even though I'm in tech, when I go to hire, most of my peers are women, which I find very interesting. I would say 80, maybe 90% are women.Sara: Here's a couple of thoughts and I guess I'll just get real honest. It's interesting because I've been doing this work for 20 years.The observation of the talent pipeline is very common and it is actually not true. What typically that comment comes from is a lack of self reflection on the company culture. Just because you are not getting candidates means candidates don't want to apply to you. That's just the end.People are like, \"What, why wouldn't they? We're awesome.\" If you're awesome at hiring white men, good for you, A+. But that's where the perception gap comes in. You actually fail at hiring women, you get an F. 
This is where the leaders have to sit down and start to get really honest with themselves because my network is full of women in tech, full of it.So anecdotally, I could sit here and say, \"I actually know hundreds and thousands of women in technology. You don't know any? So, who's right and who's wrong?\" We both have our life experiences. It's just that I've made the intentional work and decision to include in my personal network, a lot more women in tech. They are there. You just haven't done the work to build your network. So that's the moment of honesty.Authenticity GapSara: Now this is where the authenticity gap comes from. I can say that as an outside consultant. Unless you listen and hear that, and accept the ownership and responsibility instead of deflect and say, \"Well it's because the talent pipeline isn't full, instead of, \"Wow, we are not getting women applying to our company. We are doing something wrong. We're actually really great at targeting white men.\"I've had people say, \"I don't want to change things because I just don't believe in targeting women and people of color.\" I'm like, \"You're already targeting white men.\" That is an interesting statement if all you're hiring is white men because the talent is there. It's just, are you willing to do the work to find it and really bring it into your network in a meaningful way?What happens if you watch the research, people will make a decision before they ever hit the submit application button. Just because you are not getting applicants is not a reflection at all of the true talent pool. Leaders somehow have decided that, \"Oh, well, there's nothing I can do because there's just no talent out there.Mark: I see your point. It's probably up to me to be more active in that process. As I was thinking through your explanation on this, we have an internal resource, a talent recruiting team. 
They're the ones who get the candidates and bring them to us.Sara: The talent decides to go where they can thrive. If you think about that, why are they choosing not to come to your company? There's something about how you're describing or the interactions where they can't get that sense of thriving.Strategic Risk ManagementSara: It is actually a strategic risk management skill if you think about it. So I have a law degree and an engineering degree. I'm not s**. What we're doing is, we're looking at these cues that companies are giving off.We're making a risk management assessment of \"Is that where I want to spend my time and energy? Is that where I think they're set up to actually help me thrive? Do I really feel like it's going to be an emotionally exhausting place to work?\" Because \"No, thank you. I'm not even going to hit apply.\"BYU did some interesting research where they had job postings and they had one job posting that said, \"Was very neutral.\" They had one job posting that said, \"We really encourage people from all backgrounds, diversity, please apply.\" Then they had another posting that talked about their inclusive culture. Now I'm not saying this exactly right. You know, but Mark, which one do you think got the most submit application clicks? They might not have gotten hired, but they got the most submitted application clicks.Carolyn: What are our choices again?Sara: Neutral. We want all these types of diversity, please. If you meet these diverse identity, care characteristics, please apply. Or the third one is, we have a mission and inclusion. It’s a really important part of our culture and more of that type of statement.Mark: I would assume the latter.Carolyn: Me too. The third one?Sara: You are right. It got more applicants. This is actually a Goldman...","content_html":"

Sara Jones, CEO of InclusionPro joins Carolyn and Mark to talk about all things diversity, equity, and inclusion. Sara explains gaps in authenticity and perception and gives tech leaders everywhere new goals to strive for when it comes to company culture.

Why We Always Go Back to Company Culture

Carolyn: Today I am really happy to have Sara Jones with us. Sara's a friend and we've spoken before. Almost all of our guests, even though we're talking about tech, they always go back to culture. We're going to talk about that with Sara today.

Sara Jones is the CEO of InclusionPro. She has over 20 years of experience in technology, business development, law, and leadership. You were a practicing attorney, right Sara?

Sara: For 10 years. I'm still recovering.

Carolyn: So as the CEO of InclusionPro, her mission is to guide leaders in building inclusive company culture that promotes team performance and team innovation. She's written a book recently called Inclusive Leadership and the Authenticity Gap, that we get to talk about today.

Sara: Thank you. And this is a fun opportunity for me to merge my love of technology with diversity, equity, and inclusion. As most folks know, it is pretty hard to do. I've had a couple of decades talking about this, so hopefully, we can share some really great learnings. Most importantly, I think for the folks listening that might be thinking "DEI again."

Carolyn: Which stands for?

Sara: Diversity, Equity, and Inclusion. A lot of things have shifted. I think a lot of folks come to this type of conversation with the old thinking in mind. I'd just like to invite listeners to get rid of what you know. Just be open to hearing some new thoughts around diversity, equity, inclusion, and things that we're able to do now that we weren't able to do even five years ago. That's my little plug for saying, "Open-minded today?"

InclusionPro

Carolyn: That leads really nicely into my first question about being a recovering attorney, your love for tech. What inspired you to create InclusionPro?

Sara: InclusionPro is the end of a long 20-year journey having diversity, equity, inclusion as part of my personal career journey. Now, it may not be part of everyone's and a significant part of that is because I did start in patent law. Having an engineering degree and a law degree, put me in an industry that had only 5% women and people of color. I get a lot of people that are like, "Oh, our industry has no women." I'm like, "Yes, I've been there."

I actually know what it's like. It's not like I came from academia or some area that was just flush with a lot of diversity. I have lived this and I understand the impacts of it at a very personal level. But I also have been an executive. I know the challenges of being an executive, those operational aspects and how it really works in business.

There's some big misalignments that can happen that we need to talk about when we get to this idea of authenticity. What is the individual need versus the larger organizational needs? Those can be very complex, very hard. I think it's something unique that I've been able to understand over my time. That makes me uniquely positioned to be able to help executives in this journey where most of them haven't been in this conversation.

I think white men are more recently joining the conversation, which is very exciting. But you got a lot of employees saying, "What about social justice? What about this? I'm not seeing this statement. Where's this ERG, where's this, you're not committed."

How Company Culture Makes It Challenging to Be a Leader

Sara: It can be really challenging to be a leader. Being able to frankly, make a full-time living, doing diversity, equity, inclusion, it's not something I could have ever imagined would've happened 20 years ago. Happily, here we are and people are willing to invest the time and energy into doing this. I'm just thrilled that I can do this full-time and bring all that knowledge into the companies.

Mark: I'd really like to understand what you think that means and what we're doing. I was a little confused at first by the use of authentic or authenticity here.

Carolyn: I'm really interested to know what it means for the employee, for us, for me and why it matters to the bottom line for the company. I think a lot of times, that's what creates change. If it helps the bottom line, then we'll do it. I don't know if there's a tie in there.

Sara: What's interesting is that's actually the number one thing that executives want. When I work with an executive team, we actually go through an exercise that asks them, "What is the thing that you most desire out of all of these strategic outcomes?" So think about that. That's not actually a bottom-line conversation.

I, as an executive and a leader, would really like to be able to do this. It’s not because it's what we've always been saying is the right thing to do. We all know that. Let's just move forward past that because people aren't doing it. At the core, what I find is when you get leaders in a space where they can be self-reflective, they actually just want to be themselves.

An Angel Double Position

Sara: It's so bizarre, but they want to be humanized too. They want to be able to try, and if they may make a mistake, executives get this kind of spotlight on them. We can debate the word unfair, but they have a spotlight on them. Even if they make a small mistake, people are going to notice and be like, "Those people, they don't get it. How can they be so disconnected?" Et cetera, et cetera. Imagine what that starts to do as leaders are trying to learn.

Let's say you're a white man. You've recently started learning about diversity, equity, inclusion, and you have folks that are expecting you to be perfect at it. That's a lot of pressure for leaders. By the way, I'm not perfect either. So we've created this interesting dynamic, not necessarily recently, but I think for leaders having to be on guard and in this angel double position.

Mark: Maybe more so for publicly traded companies.

Sara: Yes, public, but even private companies. This is any culture where leaders have this pressure.

Carolyn: Even government, I'm thinking about our defense leadership. I feel like they almost can't afford to be authentic.

Sara: That's exactly right. Now you're thinking about the give and take of what I am allowed to say. Do I have the freedom to say? How do you shift that? What happens is when you really curate the words that you say, you actually stop communicating. You stop having conversations with people and say, "If that's the reaction I'm going to get, I'm just not even going to try."

How Human Connection Stops in the Company Culture

Sara: So the learning stops, the engagement stops, the human connection stops in the company culture. That's been the whole problem to begin with. If we would just get together in a room, sit down and be able to have conversations, actually knowing and expecting people to make mistakes. Then how do we help people through that and help each other learn?

By the way, it's not just white men that are going to make mistakes. It's going to be people of color to make assumptions, it's going to be LGBTQIA-identifying people. We're all going to make mistakes because we're all human. We've created this interesting boundary around what's permissible and what's not permissible. It's really slowed down our ability to change culture within leaders or companies.

Now, what I'm not saying is say whatever you want, that's not what I'm saying. What I'm saying is that authenticity, the goal to reach that is really a journey. It's really like "We're going to help each other. We're going to learn side by side, because I, as the executive, don't know everything. You, as the new employee don't know everything either and it's okay, we're going to help each other out."

Now it's more of a partnered experience rather than what would be considered a top down. The leaders need to model or grassroots because neither works by itself alone. That's an example of the shift that enables more people within an organization to really be more authentic and reduce the misalignments that can help.

Carolyn: Is the authenticity gap more in the leadership or in the employees or everybody?

How Leaders Respond to Employees’ Desire

Sara: I would say it's how leaders respond to employees' desire for more inclusion. There's actually many options available to leaders. If they are not in touch with the way to get that true connection with their employees, they're more likely to create an authenticity gap. They're more likely to have people say, "They're doing it to check the box. They don't really mean it. They're doing it for marketing reasons, but they don't actually believe it." It's that sort of sentiment that you're trying to reduce. There's methods that produce that and there's also methods that create more authenticity.

Carolyn: I absolutely see how being authentic is good for your soul. Is it good for your company?

Sara: Yes. We're in the great resignation period. We have had some pretty rough business experiences. I think executives are just scrambling right now to figure things out. Some are saying, "I can't afford right now to do diversity, equity, inclusion." In my mind, if you're thinking of diversity, equity, inclusion, as something on top of your day job, you're probably thinking about it wrong in the first place.

It's really how we show up, how we make decisions, how we grow the business. It is not about just keeping employees happy. If you're just trying to satiate employees and that's very patronizing and it is felt, they know. They're not dumb. They know when leaders are just doing it to make it seem like they're doing it, but they're not really committed. The teams I work on usually have very genuine interests. I'm actually not working with folks that are just talking the talk. If they're talking the talk, I guarantee they will not hire me.

How to Make an Impact

Sara: That's just a fundamentally easy thing for me as a DEI consultant, to know who's genuinely committed, who wants to do the work, and who's not interested in doing it. My day-to-day is really more focused on those organizations and what they can do to make an impact.

I'm actually seeing the work going on inside of the organization. Some of that's a little bit more invisible to folks on the outside. That's the leadership challenge right there, it’s that communication piece and things like that. I don't necessarily go and approach and say, "I look at the executive team or boardroom and I'm diversifying now." You're going to get a lot of backlash.

That's absolutely not my approach. From an executive leadership standpoint, we know how hard it is to keep the ship running. Having a lot of changeover at the top is just not smart. So what is the learning, the growth and cap, and capacity we start to build on the leadership team so they can start to make decisions in a more deep, inclusive way? That's when you're going to start to see the real authenticity happen.

Sometimes it takes a year or two for change to happen. So if we're looking for immediate change, again it is reactive. What I'm trying to do is get folks to move from reactive to intentional. Again, we went from decades of "Let's invite a woman to speak and talk about her gender". How much did that make us mad? We're like, "Oh my gosh, I have a brain. Please let me showcase my talents, not talk about what it's like to be a woman".

A Company Culture Where a Person of Color Can Thrive

Sara: We want the same thing as men. It's not really that different, the things that I want for my career versus what a man wants in his career. So whether that's a person of color or anyone, we've got to get people better at seeing genius in a wider range of forms. That's the learning that leaders have to do. It’s to be able to say, you know, cybersecurity experts, don't just look one way. They don't talk one way or solve a problem one way, they actually solve it in a lot of different ways.

If they don't have that exposure, if they've not worked with a group of diverse thinkers, they're very unlikely. They're much more likely to hire, like if they really want to diversify, somebody based on an optic characteristic rather than an internal skills. It is ultimately the right way to hire whichever anyone wants.

Mark: How do we get more women and minorities involved in STEM early? By the way, getting people involved in STEM early doesn't mean that in a year you're now seeing results. You're probably seeing results a decade later. Something that I'm struggling with, as our company at Dynatrace grows, we are looking for diverse candidates that we would like to hire. I'm looking at the candidate pool and I see a disproportionate amount of white males in the candidate pool in technology.

I don't know how I can change that. It's significant. I've worked at companies in the past who are heavily involved in STEM and things like that, but I don't feel we're seeing the results of those efforts in the marketplace now. Maybe we will, and I'll be out of the marketplace by then.

The Truth About Company Culture and the Talent Pipeline

Sara: It'll be a decade from now, but how do I handle and deal with these kinds of things that I have to deal with today?

Carolyn: What Mark sees anecdotally, I'm guessing that's pretty universal. On the flip side in the marketing world, even though I'm in tech, when I go to hire, most of my peers are women, which I find very interesting. I would say 80, maybe 90% are women.

Sara: Here's a couple of thoughts and I guess I'll just get real honest. It's interesting because I've been doing this work for 20 years.

The observation of the talent pipeline is very common and it is actually not true. What typically that comment comes from is a lack of self reflection on the company culture. Just because you are not getting candidates means candidates don't want to apply to you. That's just the end.

People are like, "What, why wouldn't they? We're awesome." If you're awesome at hiring white men, good for you, A+. But that's where the perception gap comes in. You actually fail at hiring women, you get an F. This is where the leaders have to sit down and start to get really honest with themselves because my network is full of women in tech, full of it.

So anecdotally, I could sit here and say, "I actually know hundreds and thousands of women in technology. You don't know any? So, who's right and who's wrong?" We both have our life experiences. It's just that I've made the intentional work and decision to include in my personal network, a lot more women in tech. They are there. You just haven't done the work to build your network. So that's the moment of honesty.

Authenticity Gap

Sara: Now this is where the authenticity gap comes from. I can say that as an outside consultant. Unless you listen and hear that, and accept the ownership and responsibility instead of deflect and say, "Well, it's because the talent pipeline isn't full," instead of, "Wow, we are not getting women applying to our company. We are doing something wrong. We're actually really great at targeting white men."

I've had people say, "I don't want to change things because I just don't believe in targeting women and people of color." I'm like, "You're already targeting white men." That is an interesting statement if all you're hiring is white men because the talent is there. It's just, are you willing to do the work to find it and really bring it into your network in a meaningful way?

What happens if you watch the research, people will make a decision before they ever hit the submit application button. Just because you are not getting applicants is not a reflection at all of the true talent pool. Leaders somehow have decided that, "Oh, well, there's nothing I can do because there's just no talent out there."

Mark: I see your point. It's probably up to me to be more active in that process. As I was thinking through your explanation on this, we have an internal resource, a talent recruiting team. They're the ones who get the candidates and bring them to us.

Sara: The talent decides to go where they can thrive. If you think about that, why are they choosing not to come to your company? There's something about how you're describing or the interactions where they can't get that sense of thriving.

Strategic Risk Management

Sara: It is actually a strategic risk management skill if you think about it. So I have a law degree and an engineering degree. I'm not s**. What we're doing is, we're looking at these cues that companies are giving off.

We're making a risk management assessment of "Is that where I want to spend my time and energy? Is that where I think they're set up to actually help me thrive? Do I really feel like it's going to be an emotionally exhausting place to work?" Because "No, thank you. I'm not even going to hit apply."

BYU did some interesting research where they had job postings and they had one job posting that said, "Was very neutral." They had one job posting that said, "We really encourage people from all backgrounds, diversity, please apply." Then they had another posting that talked about their inclusive culture. Now I'm not saying this exactly right. You know, but Mark, which one do you think got the most submit application clicks? They might not have gotten hired, but they got the most submitted application clicks.

Carolyn: What are our choices again?

Sara: Neutral. We want all these types of diversity, please. If you meet these diverse identity, care characteristics, please apply. Or the third one is, we have a mission and inclusion. It’s a really important part of our culture and more of that type of statement.

Mark: I would assume the latter.

Carolyn: Me too. The third one?

Sara: You are right. It got more applicants. This is actually a Goldman...

","summary":null,"date_published":"2022-06-01T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/ebabacf6-b743-4085-b251-7684277c3ca2.mp3","mime_type":"audio/mpeg","size_in_bytes":39331504,"duration_in_seconds":2808}]},{"id":"89925dd9-1d4d-48b1-af2c-48b9aaa18948","title":"Episode 37: So What? Federal News Roundup on Remote Work with Elizebeth Varghese","url":"https://techtransforms.fireside.fm/37","content_text":"Join us on Tech Transforms Federal News Round-up segment, So What? Hosted by Carolyn Ford and Tracy Bannon. This week, we talk to Elizebeth Varghese, Global and Americas Leader – HR Transformation Client Offerings at IBM about one of the biggest topics in federal news: remote work. Listen in to find out how agencies can implement a smarter protocol, how remote work impacts the trust equation and the role technology can play in the workforce culture. Episode Table of Contents[00:40] The Future of Work for Federal Employees[11:28] Work-Life Balance Expectations in a Remote Work [19:01] Big Push in In-Person Protocol[26:12] Do You Need a Home Office for Remote Work?[32:01] Provide Options to Persuade People to Stay and Junk Remote Work[39:04] The People Who Are Not Approving Remote WorkEpisode Links and ResourcesElizebeth VargheseIBMSouth Asian Youth ActionThree Ways the Future of Work Must Change for Federal EmployeesHybrid work for many is messy and exhaustingWelcome Back to the Office. Isn't This Fun?Thousands of employees are testing a 4-day workweek starting today: ‘It’s inevitable we’ll see bigger companies doing thisSuper Better by Jane McGonigal[Block] Chain ReactionThe Future of Work for Federal EmployeesCarolyn: This month, we're hosting Elizebeth Varghese, Global & America's Leader: Client Offerings in Talent and HR Strategy at IBM. 
And outside of IBM she's an active board member at South Asian Youth Action, a nonprofit providing after-school programming, education, and college support. She was recognized as Global Top 100 Influencer in HR for 2020. And we are glad to have you joining us today, Elizebeth, to discuss returning to the office, the great resignation, and companies potentially switching to a four-day workweek hybrid, all of that. Welcome Elizebeth, how are you?Elizebeth: Great, thank you so much, Carolyn. Wonderful and delighted to be here. Great to be back on here with Tracy as well, friend from a couple of years ago as we've been going through some of these pandemic podcasts. So thank you for inviting me and I am looking forward to this.Carolyn: Yes, well this one's going to be a fun one and it might get a little heated. I've already seen some stuff on LinkedIn. I'm like, oh, that gets my blood boiling about returning to the office. And I want to start off with a question, there's an article called \"Three ways the future of work must change for federal employees.\" The article states that at the end of the day, we need to have an IT and HR Alliance. This was due to exceptional communication between the agency's chief information officer and HR functions. In your experience, is the relationship between IT and HR something government agencies need to improve on? And industry too?Does the Relationship Between IT and HR Need Improvement?Elizebeth: Now what we've seen, the pandemic is highlighted so nothing new. This was happening for a while. I have to preface it with that. Because I think in lots of our conversations we hear this thing about, hey, this is what the pandemic caused. The pandemic caused a lot of suffering and hardship for many people, but it highlighted things that were in play for many years. And the fact the intersection of HR data and how IT's using it and accessing it has been an eternal problem. It's been going on for many years. 
But things came to a head when we were forced to be virtual in the federal sector and in the commercial sector. People realized that that intersection hadn't really been explored. It hadn't been addressed. It hadn't been managed in a sufficiently coherent fashion.There were a couple of reasons for that and some folks in the federal sector or commercial, the reason I say that is because this is a universal problem. It's not endemic just to one sector and we should take that. But when the pandemic hit, there were lots of tropes. Even before that around what can be done remotely, what data can be accessed in what fashion, what is secure and not. What the pandemic highlighted is that those issues were not really based upon real cybersecurity issues or access issues or single sign-on issues. They were really managed or impacted by cultural constructs of where work can be done. A great example of this is if you think about our friends on Wall Street, you could not do investment banking or trading from remote work. It's impossible. There were so many reasons for that, all of them good.Subcultures and Subgroups During Remote WorkElizebeth: But come March 15th monitors were shipped to basements in Westport and patios in Westchester county and Wall Street just continued. So we really found that it wasn't, can it be done? It was more of do we want it to be done? I think that is the question that was highlighted through the pandemic in the federal sector as well. Are we really understanding what technology can do and are we using it to really manage HR data? So that's kind of what I've seen. Tracy, would love your thoughts too. I know you've been working at this intersection for a while as well.Tracy: It struck me as strange when the pandemic hit because I've had remote teams. I think it was 2009, 2010 was completely remote work with global teams, everybody geographically dispersed. 
So it was first nature to me, but I never realized with other IT workers how much they did not get that opportunity. So when we got into the pandemic and I realized different organizations. I changed my job just before the pandemic and what I was starting to realize is how campus-centric or office-centric some of the cultures could be. Even inside a big organization you can have subcultures, subgroups that really do form these tight bonds. Whether it's going out to lunch or whether it's meeting up at the water cooler or what have you, there is or was this sense. It was a cultural sense that they built together. And that was hard for them, hard for everyone to learn, how do I emulate that? How do I replace that now that I am on remote work?How People Collaborate in a Remote Work SetupTracy: So Elizebeth, if you and I are going to walk to the water cooler and we were going to make a deal or we were going to talk about something or some new topic that we want to research, how did people do that? Or how did they start to do that during the pandemic? What did some of the research show on how people are engaging now?Elizebeth: People have engaged, as you said, remotely even before the pandemic. There were virtual teams and there were lots of collaboration tools. But I’ll give you an example. The experience that I have as an IBM employee, much like you Tracy we have employees all around the world working on very complex things. People without having ever met each other or worked in the same room and that was really happening through technologies. Whether it's Slack or chat messages or online Wiki forums. Or what we call Lighthouse at IBM where we share intellectual capital. There were lots of different ways people were connecting. So what happened in the pandemic is that the companies that had some of the cultural constructs around it is okay to engage that way. 
Or it's common to make friendships or have friendships evolve over distances and remotely, found that they just moved seamlessly into that.The companies that struggled with that, again, were less about having the technology and more about people being used to engaging, forming relationships, forming friendships and collaborative pods without technology. The Question to Ask to See if Remote Work Can Be DoneElizebeth: So again, it's less about the technology and more about how we work together. And I think we see this, I have teenagers, now they're used to texting versus making a phone call. Now if you are used to texting, it's a lot easier to never have a phone, you don't need the call function. So it's really a habit, it's a way we think about how we communicate, how we are comfortable communicating. I think that is a learned behavior.So I've learned to text more because I have teenagers. I call them when I need to but you get my drift. I think similarly in organizations, if you're able to provide different channels and different ways of access, we find that people actually learn and embrace them. They do make deals, they plan vacations without having met each other. We've had experiences where we had kids come in fresh from undergrad or grad, working together in collaborative pods using technology, planning ski trips. Never met each other but a great group that works together. They're all partnering and operating as a team. So it can be done. The question is who chooses to be in that situation? Or who's comfortable with that kind of maybe job interview process? Lots of people are taking jobs in the pandemic and after without ever physically meeting their teams. So I think that would be my challenge to all of us, not the why but the why not? Why can't we do it?Technology Etiquette in Remote Work SetupCarolyn: So I'm like you, Tracy, I've worked remote. I live in Utah and I've supported teams that support the federal government for the past 15 years. 
So I've worked remote since 2010. Most of the time going into the office occasionally which I always said, when I went into the office, those were the days I didn't get anything done. And what was interesting for me, so this comes back to the culture thing, when everybody went remote was the abuse of the technology. What I mean by that is I felt like we needed to train ourselves in etiquette. Don't text me at three o'clock in the morning. I had to train myself. That's my responsibility to make sure my phone is on silent, do not disturb when I go to bed.But also I was so good and am so good at getting in the zone and really focusing. The Slack messaging and stuff, I nearly lost my mind when everybody went remote. Because it was constant barrage, constant interruption and there was no time. You had to get into the zone, into the flow. And it's definitely gotten better, but what do you think about that? Elizebeth first, do you have anything to say about that? And then Tracy I'd love to hear your thoughts.Elizebeth: That's a great example because actually personally I have the same experience and I think lots of my clients do. Because one, if you're across different time zones, everyone's Slacking you when they're working. So I had to learn, me personally, I had to turn the notifications off. I had to discipline myself to not reply in the moment, but wait and even if I looked at the texts. Because I couldn't bear to not look at it, but tell myself not to. And in some instances I think also, be cognizant. That sometimes we are responding or we are sending a text because I don't want to forget I'm working now and I make a note of it. But the person at the other end is receiving it and thinking, oh my God, I have to reply. It's an unseen, unexpected pressure that we may not be conscious about. 
Because we are not doing it to get a response back.Work-Life Balance Expectations in a Remote Work Elizebeth: So I think some of those things again require a different way of working. Like you're saying, when do we turn on, when do we turn off? And how much do we really listen to the implications of really having a remote workforce? Both in terms of whether you're in a different time zone or different work-life balance expectations.Tracy: For a long time I have counseled those coming into their careers to be very specific about when they answer emails. Now I know that the first time that they get their corporate phone and it's connected that they're looking at it.I realized that I had a responsibility to not send weekend emails. As a leader, they were immediately responding and I realized that I also had to train myself. Now I still do queue things up when I have time. I have had the blessing of being able to have some latitude with I'm going to focus a little bit more this evening. Because I'm going to go and do something with my daughter tomorrow morning. Had some flexibility. So I have also trained myself to be very specific in my emails. I'm sending this tonight, please don't read or take action till tomorrow. I let them know this is not a rush. If I need somebody, they also know that I'm like a bloodhound and I will find them. We will get ahold of each other if it's truly something that is that much of an emergency.Tailoring Remote Work Culture to Team DynamicsTracy: But you brought up another good point. Prior to the pandemic, except for very close work relationships, those work spouses, I did not text with anybody in the workforce. I would Slack, I would use any of the other tools that were available to me but not that. When the pandemic started, I have two phones now. I never thought that I would be the two phone person. The work phone and the life phone. But I do. 
One of the reasons that that has become important is the ability, to your point Carolyn, to turn it off and put it over there because I'm now leaving this part.Now that all sounds like that I have a really great division between career and life. For me, it's very intermingled, I'm thinking about it all the time. And so if I know that Carolyn is thinking about it. I might feel okay sending you a Slack message or a text message at six or seven at night. This is when I know that you're out there taking a walk or something. So there is a bit of tailoring after you learn just the culture of it, your individual teams and people. But it's not coming in with rigid expectations, you've got to build that together because each team dynamic is so dramatically different.Hybrid Work ModelCarolyn: Yes. So I want to talk about, the push now is people coming back to the office. So we talked about this already a little bit and there's a bunch of different models that are being proposed. I want to talk about the hybrid work style first. There's an article, it's called \"Hybrid work for many is messy and exhausting.\" And we'll put links to all of these too in the show notes. But it says that about 60% of offices will adopt a hybrid work policy this year. So Elizebeth, what policy changes have you seen within IBM or otherwise surrounding the hybrid work model? It sounds like you guys were already hybrid, to some extent.Elizebeth: Our IBM HR folks are the best folks to answer this question. They've done amazing work over the years for a truly hybrid model because we've had different variations and policies. What we've seen across the board is that organizations are making different kinds of policies. We have seen a trend definitely around the organizations that traditionally did not like remote work. Lots of organizations in financial services are expecting people to be back in the office. Expecting people to be back for a defined number of days and a defined set of days. 
So people are being quite prescriptive about that, so we're definitely seeing that. And as we've seen in the news, there's also been quite a bit of pushback on some of those prescriptive policies. I think some of that is going to continue to evolve. I don't think that has been completely sorted out.The Optionality of Work in Every IndustryElizebeth: Now I think in the case of the federal government and really honestly every industry, what we're finding is that the optionality of work has increased. We've seen this in news. The smartest kids who were looking at going to become bankers in a particular well-known organization. I won't name. They are maybe thinking, you know what, I don't really care as much for the hours of work and the expectation that I will be in the office so I'm not going to do that. I'm going to go to a startup. Now that plays out in the federal government as well. It has for many years in terms of how do we compete for the best talent? And there's a reason the government does need the best and brightest for practice of national security or science and space exploration, a variety of things.The pivot has really then come to be more around, what's the best way to attract the best talent in our industry? And that's becoming the lens by which policy making is happening. So the one other thing I just wanted to mention, there's an organization again I won't name. But as they looked at the variety of labs that they had across the country, pre-pandemic everybody had to be in the labs doing their work in their teams. But the pandemic required them to obviously be remote and the serendipitous outcome of that was that they found there was a lot more cross-pollination and sharing of information and collaboration across labs which they hadn't had historically. Because people tended to work with their own physical teams. 
The Real Estate You Need to Give Up for Remote WorkElizebeth: I say that because I think organizations have recognized that there's been much good to come out of the remote work and that the return to work answer is not a simplistic one of just get back into your offices. I'm curious to see what you both have seen too. It's really been an evolving strategy for most people, I think.Tracy: I think that quite a number of people are asking why. If I'm interviewing with you or if I already work with you, just talk to me about the why. Some firms and some government agencies have a tremendous real estate footprint that they own, that they're not renting. They can't give that space up. So if you own that and you have a dramatic dependency on that, what do you do? We're seeing that with higher education right now as well. They've got huge campuses and they found out that we don't necessarily need all the students on campus. What's the balance, what's the change off between it? So I'm finding as we're interviewing, when we talk about work styles, when we talk about hybrid, when we talk about the possibility of being a full teleworker, that's the government term. It came around, I think it became law in 2010 that you could be a teleworker if you could show productivity.Big Push in In-Person ProtocolTracy: But as you are trying to talk it through, there are so many people asking me, well, what is the advantage that I have of being in person? What's the advantage that we will...","content_html":"

Join us on Tech Transforms Federal News Round-up segment, So What? Hosted by Carolyn Ford and Tracy Bannon. This week, we talk to Elizebeth Varghese, Global and Americas Leader – HR Transformation Client Offerings at IBM about one of the biggest topics in federal news: remote work. Listen in to find out how agencies can implement a smarter protocol, how remote work impacts the trust equation and the role technology can play in the workforce culture.

The Future of Work for Federal Employees

Carolyn: This month, we're hosting Elizebeth Varghese, Global & America's Leader: Client Offerings in Talent and HR Strategy at IBM. And outside of IBM she's an active board member at South Asian Youth Action, a nonprofit providing after-school programming, education, and college support.

She was recognized as Global Top 100 Influencer in HR for 2020. And we are glad to have you joining us today, Elizebeth, to discuss returning to the office, the great resignation, and companies potentially switching to a four-day workweek hybrid, all of that. Welcome Elizebeth, how are you?

Elizebeth: Great, thank you so much, Carolyn. Wonderful and delighted to be here. Great to be back on here with Tracy as well, friend from a couple of years ago as we've been going through some of these pandemic podcasts. So thank you for inviting me and I am looking forward to this.

Carolyn: Yes, well this one's going to be a fun one and it might get a little heated. I've already seen some stuff on LinkedIn. I'm like, oh, that gets my blood boiling about returning to the office. And I want to start off with a question, there's an article called "Three ways the future of work must change for federal employees."

The article states that at the end of the day, we need to have an IT and HR Alliance. This was due to exceptional communication between the agency's chief information officer and HR functions. In your experience, is the relationship between IT and HR something government agencies need to improve on? And industry too?

Does the Relationship Between IT and HR Need Improvement?

Elizebeth: Now what we've seen, the pandemic is highlighted so nothing new. This was happening for a while. I have to preface it with that. Because I think in lots of our conversations we hear this thing about, hey, this is what the pandemic caused.

The pandemic caused a lot of suffering and hardship for many people, but it highlighted things that were in play for many years. And the fact the intersection of HR data and how IT's using it and accessing it has been an eternal problem. It's been going on for many years.

But things came to a head when we were forced to be virtual in the federal sector and in the commercial sector. People realized that that intersection hadn't really been explored. It hadn't been addressed. It hadn't been managed in a sufficiently coherent fashion.

There were a couple of reasons for that and some folks in the federal sector or commercial, the reason I say that is because this is a universal problem. It's not endemic just to one sector and we should take that. But when the pandemic hit, there were lots of tropes. Even before that around what can be done remotely, what data can be accessed in what fashion, what is secure and not.

What the pandemic highlighted is that those issues were not really based upon real cybersecurity issues or access issues or single sign-on issues. They were really managed or impacted by cultural constructs of where work can be done.

A great example of this is if you think about our friends on Wall Street, you could not do investment banking or trading from remote work. It's impossible. There were so many reasons for that, all of them good.

Subcultures and Subgroups During Remote Work

Elizebeth: But come March 15th monitors were shipped to basements in Westport and patios in Westchester county and Wall Street just continued. So we really found that it wasn't, can it be done? It was more of do we want it to be done?

I think that is the question that was highlighted through the pandemic in the federal sector as well. Are we really understanding what technology can do and are we using it to really manage HR data? So that's kind of what I've seen. Tracy, would love your thoughts too. I know you've been working at this intersection for a while as well.

Tracy: It struck me as strange when the pandemic hit because I've had remote teams. I think it was 2009, 2010 was completely remote work with global teams, everybody geographically dispersed. So it was first nature to me, but I never realized with other IT workers how much they did not get that opportunity.

So when we got into the pandemic and I realized different organizations. I changed my job just before the pandemic and what I was starting to realize is how campus-centric or office-centric some of the cultures could be.

Even inside a big organization you can have subcultures, subgroups that really do form these tight bonds. Whether it's going out to lunch or whether it's meeting up at the water cooler or what have you, there is or was this sense. It was a cultural sense that they built together. And that was hard for them, hard for everyone to learn, how do I emulate that? How do I replace that now that I am on remote work?

How People Collaborate in a Remote Work Setup

Tracy: So Elizebeth, if you and I are going to walk to the water cooler and we were going to make a deal or we were going to talk about something or some new topic that we want to research, how did people do that? Or how did they start to do that during the pandemic? What did some of the research show on how people are engaging now?

Elizebeth: People have engaged, as you said, remotely even before the pandemic. There were virtual teams and there were lots of collaboration tools. But I’ll give you an example. The experience that I have as an IBM employee, much like you, Tracy, we have employees all around the world working on very complex things.

People without having ever met each other or worked in the same room and that was really happening through technologies. Whether it's Slack or chat messages or online Wiki forums. Or what we call Lighthouse at IBM where we share intellectual capital. There were lots of different ways people were connecting.

So what happened in the pandemic is that the companies that had some of the cultural constructs around it is okay to engage that way. Or it's common to make friendships or have friendships evolve over distances and remotely, found that they just moved seamlessly into that.

The companies that struggled with that, again, were less about having the technology and more about people being used to engaging, forming relationships, forming friendships and collaborative pods without technology.

The Question to Ask to See if Remote Work Can Be Done

Elizebeth: So again, it's less about the technology and more about how we work together. And I think we see this, I have teenagers, now they're used to texting versus making a phone call. Now if you are used to texting, it's a lot easier to never have a phone, you don't need the call function. So it's really a habit, it's a way we think about how we communicate, how we are comfortable communicating. I think that is a learned behavior.

So I've learned to text more because I have teenagers. I call them when I need to but you get my drift. I think similarly in organizations, if you're able to provide different channels and different ways of access, we find that people actually learn and embrace them. They do make deals, they plan vacations without having met each other.

We've had experiences where we had kids come in fresh from undergrad or grad, working together in collaborative pods using technology, planning ski trips. Never met each other but a great group that works together. They're all partnering and operating as a team.

So it can be done. The question is who chooses to be in that situation? Or who's comfortable with that kind of maybe job interview process? Lots of people are taking jobs in the pandemic and after without ever physically meeting their teams. So I think that would be my challenge to all of us, not the why but the why not? Why can't we do it?

Technology Etiquette in Remote Work Setup

Carolyn: So I'm like you, Tracy, I've worked remote. I live in Utah and I've supported teams that support the federal government for the past 15 years. So I've worked remote since 2010. Most of the time going into the office occasionally which I always said, when I went into the office, those were the days I didn't get anything done.

And what was interesting for me, so this comes back to the culture thing, when everybody went remote was the abuse of the technology. What I mean by that is I felt like we needed to train ourselves in etiquette. Don't text me at three o'clock in the morning. I had to train myself. That's my responsibility to make sure my phone is on silent, do not disturb when I go to bed.

But also I was so good and am so good at getting in the zone and really focusing. The Slack messaging and stuff, I nearly lost my mind when everybody went remote. Because it was constant barrage, constant interruption and there was no time.

You had to get into the zone, into the flow. And it's definitely gotten better, but what do you think about that? Elizebeth first, do you have anything to say about that? And then Tracy I'd love to hear your thoughts.

Elizebeth: That's a great example because actually personally I have the same experience and I think lots of my clients do. Because one, if you're across different time zones, everyone's Slacking you when they're working. So I had to learn, me personally, I had to turn the notifications off. I had to discipline myself to not reply in the moment, but wait and even if I looked at the texts. Because I couldn't bear to not look at it, but tell myself not to.

And in some instances I think also, be cognizant. That sometimes we are responding or we are sending a text because I don't want to forget I'm working now and I make a note of it. But the person at the other end is receiving it and thinking, oh my God, I have to reply. It's an unseen, unexpected pressure that we may not be conscious about. Because we are not doing it to get a response back.

Work-Life Balance Expectations in Remote Work

Elizebeth: So I think some of those things again require a different way of working. Like you're saying, when do we turn on, when do we turn off? And how much do we really listen to the implications of really having a remote workforce? Both in terms of whether you're in a different time zone or different work-life balance expectations.

Tracy: For a long time I have counseled those coming into their careers to be very specific about when they answer emails. Now I know that the first time that they get their corporate phone and it's connected that they're looking at it.

I realized that I had a responsibility to not send weekend emails. As a leader, they were immediately responding and I realized that I also had to train myself. Now I still do queue things up when I have time. I have had the blessing of being able to have some latitude with I'm going to focus a little bit more this evening. Because I'm going to go and do something with my daughter tomorrow morning. Had some flexibility.

So I have also trained myself to be very specific in my emails. I'm sending this tonight, please don't read or take action till tomorrow. I let them know this is not a rush. If I need somebody, they also know that I'm like a bloodhound and I will find them. We will get ahold of each other if it's truly something that is that much of an emergency.

Tailoring Remote Work Culture to Team Dynamics

Tracy: But you brought up another good point. Prior to the pandemic, except for very close work relationships, those work spouses, I did not text with anybody in the workforce. I would Slack, I would use any of the other tools that were available to me but not that.

When the pandemic started, I have two phones now. I never thought that I would be the two phone person. The work phone and the life phone. But I do. One of the reasons that that has become important is the ability, to your point Carolyn, to turn it off and put it over there because I'm now leaving this part.

Now that all sounds like that I have a really great division between career and life. For me, it's very intermingled, I'm thinking about it all the time. And so if I know that Carolyn is thinking about it. I might feel okay sending you a Slack message or a text message at six or seven at night. This is when I know that you're out there taking a walk or something.

So there is a bit of tailoring after you learn just the culture of it, your individual teams and people. But it's not coming in with rigid expectations, you've got to build that together because each team dynamic is so dramatically different.

Hybrid Work Model

Carolyn: Yes. So I want to talk about, the push now is people coming back to the office. So we talked about this already a little bit and there's a bunch of different models that are being proposed.

I want to talk about the hybrid work style first. There's an article, it's called "Hybrid work for many is messy and exhausting." And we'll put links to all of these too in the show notes. But it says that about 60% of offices will adopt a hybrid work policy this year. So Elizebeth, what policy changes have you seen within IBM or otherwise surrounding the hybrid work model? It sounds like you guys were already hybrid, to some extent.

Elizebeth: Our IBM HR folks are the best folks to answer this question. They've done amazing work over the years for a truly hybrid model because we've had different variations and policies.

What we've seen across the board is that organizations are making different kinds of policies. We have seen a trend definitely around the organizations that traditionally did not like remote work. Lots of organizations in financial services are expecting people to be back in the office. Expecting people to be back for a defined number of days and a defined set of days.

So people are being quite prescriptive about that, so we're definitely seeing that. And as we've seen in the news, there's also been quite a bit of pushback on some of those prescriptive policies. I think some of that is going to continue to evolve. I don't think that has been completely sorted out.

The Optionality of Work in Every Industry

Elizebeth: Now I think in the case of the federal government and really honestly every industry, what we're finding is that the optionality of work has increased. We've seen this in news. The smartest kids who were looking at going to become bankers in a particular well-known organization I won't name, they are maybe thinking, you know what, I don't really care as much for the hours of work and the expectation that I will be in the office so I'm not going to do that. I'm going to go to a startup.

Now that plays out in the federal government as well. It has for many years in terms of how do we compete for the best talent? And there's a reason the government does need the best and brightest for practice of national security or science and space exploration, a variety of things.

The pivot has really then come to be more around, what's the best way to attract the best talent in our industry? And that's becoming the lens by which policy making is happening.

So the one other thing I just wanted to mention, there's an organization again I won't name. But as they looked at the variety of labs that they had across the country, pre-pandemic everybody had to be in the labs doing their work in their teams. But the pandemic required them to obviously be remote and the serendipitous outcome of that was that they found there was a lot more cross-pollination and sharing of information and collaboration across labs which they hadn't had historically. Because people tended to work with their own physical teams.

The Real Estate You Need to Give Up for Remote Work

Elizebeth: I say that because I think organizations have recognized that there's been much good to come out of the remote work and that the return to work answer is not a simplistic one of just get back into your offices. I'm curious to see what you both have seen too. It's really been an evolving strategy for most people, I think.

Tracy: I think that quite a number of people are asking why. If I'm interviewing with you or if I already work with you, just talk to me about the why. Some firms and some government agencies have a tremendous real estate footprint that they own, that they're not renting. They can't give that space up. So if you own that and you have a dramatic dependency on that, what do you do?

We're seeing that with higher education right now as well. They've got huge campuses and they found out that we don't necessarily need all the students on campus. What's the balance, what's the change off between it?

So I'm finding as we're interviewing, when we talk about work styles, when we talk about hybrid, when we talk about the possibility of being a full teleworker, that's the government term. It came around, I think it became law in 2010 that you could be a teleworker if you could show productivity.

Big Push in In-Person Protocol

Tracy: But as you are trying to talk it through, there are so many people asking me, well, what is the advantage that I have of being in person? What's the advantage that we will...

","summary":null,"date_published":"2022-05-25T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/254388fc-e3c5-413d-bc20-42cc1d17b484.mp3","mime_type":"audio/mpeg","size_in_bytes":40765181,"duration_in_seconds":2910}]},{"id":"1b243751-707f-48dd-bf16-9dcb7d1c2ac6","title":"Episode 36: The Speed of the Mission with Bob Stevens","url":"https://techtransforms.fireside.fm/36","content_text":"Bob Stevens, AVP Public Sector at GitLab joins Tech Transforms to talk about the imperative mission of DevOps to combine efficiency, speed and security. With emphasis on empowering teams to fail fast, moving security to the left, and a deep dive into Platform 1, you won't want to miss this episode!Episode Table of Contents[00:27] DevSecOps’ Speed of the Mission[09:02] The Cultural Shift That Needs to Occur to Upgrade the Speed of the Mission[19:21] The Future of DevOpsEpisode Links and ResourcesBob StevensPlatform 1Dateline PodcastAlex Cross Series John WickDevSecOps’ Speed of the MissionCarolyn: This week Bob Stevens, Area Vice President of Public Sector at GitLab is joining me. Bob is a seasoned veteran in public sector technology with over 25 years of experience. As the AVP at GitLab, he is responsible for helping government organizations become more productive, efficient, and effective.Bob also has experience on both the industry and the government side of things. Prior to industry he served in the United States Air Force as a computer specialist at the White House Communications Agency. I am excited today to dive in and talk about the ways that we can use DevOps to modernize and secure government IT, and what the outlook for DevOps is. How are you doing, Bob?Bob: I'm doing great. The weather's getting better in DC, so it's good to see the sun from time to time versus what we've had. But yes, doing fantastic.Carolyn: Well, good to hear it. So let's just dive in. 
And let's walk through what DevOps is and why implementing these practices is critical to helping modernize and improve government IT?\n\nBob: Great. So I guess DevOps is combining efficiency, speed, and security all into one. And creating software at what I like to refer to as the speed of the mission for the government. The business side is a little different. But for the government, it's all about the mission and you being able to accomplish the mission faster and stay ahead of our adversaries. In the case of DoD and on the civilian side, it’s to ensure that all of the citizens that any given agency supports get the best possible support that they can. If you look at the organizations like the Veterans Administration. You can imagine they've got a lot of applications that they've written.\n\nThe Platform the Government Is Looking For to Improve the Speed of the Mission\n\nBob: To help the vets accomplish what they need to accomplish in a timely manner. So DevOps really will help them to produce the software at speed, more securely, more efficiently, and provide the most or the best service that they possibly can to all of the veterans out there, just as one example.\n\nCarolyn: So, you know Tech Transforms is vendor agnostic. And I would love for you to just take a couple of minutes and talk about how GitLab helps with that. And just what GitLab does. I've read the marketing statements and it's a little nebulous for me. I would love to have you explain what GitLab does and how it's helping agencies achieve this?\n\nBob: I appreciate that you're letting me do this in a vendor-agnostic community. I mean, there are a lot of tools that are required to produce software. But the way that the industry or the government in particular is heading, and you can see this in some of the articles that DoD has recently released. 
Is they're looking for one platform that encompasses the entire software development life cycle.\n\nAs you can imagine right now, I know agencies that have anywhere from 14 to 20 different tools that they're using. And the issue with that is that there's developers that like the tool that they like. So they bring their own and they develop their portion of the software. Unfortunately, when it all comes together, it doesn't always work because they've used different tools across the development organization.\n\nAnd so, with the use of a single platform, you can ensure that at the end, everything is going to work. The nice thing is you can continue to bring some of those other tools. Because they integrate with the platform.\n\nSpeed of the Mission and Security Collide\n\nBob: Just as an example, JIRA, the government's using a lot of JIRA. And JIRA integrates with GitLab so that you can use them seamlessly together. So the developers that are using their favorite tools can continue to use some of those. It's just that it's going to be more efficient because in the end you're going to have an application that works out of the box.\n\nAlso what GitLab is trying to address is moving security to the left. Developers are a lot of times at odds with security folks because developers are tasked with developing code fast. They want to get it done quickly. And security folks want it to be done secure. So sometimes the two collide. But when you're building a single platform and you allow, or you have the ability to move security to the left, which means, when I check in a line of code, I'm going to do a security scan to make sure that I didn't somehow introduce a vulnerability. If I did, I could fix it immediately rather than waiting until the end of the process. 
Then running security scans and realizing, I may have to go back through hundreds of lines or thousands of lines of code to figure out where that vulnerability was introduced and do the repair.\n\nThe other thing that I'll tell you is visibility. Not everyone has to be a developer to use the platform or GitLab. You can be in the executive branch and know nothing about how to write code. But you can see the process during the whole time. You can ensure that what's being produced is going to best meet the requirements of the people that it's being produced for. You don't have to wait till the end to produce the app.\n\nThe Very Important Role of the CIO and CISO in the Speed of the Mission\n\nBob: The users start using it. And they're like, \"Oh my God, this is not the way that I wanted this to work.\" Or, \"This doesn't work for me.\" Or, \"It would've been nice to do this.\" It can be integrated during the process so that you can make sure that the application is usable in the end.\n\nCarolyn: What you just said helps me understand what GitLab does a lot more than any reading I was going to do on my own. And it certainly sounds like a smarter way to do things. So you've written many articles and often you talk about the need for DevOps, DevSecOps, a big part of it is just cultural. And so is that starting at the CIO level? And if so, what are CIOs doing right now?\n\nBob: I mean, first of all, I have empathy for CIOs because they have so much thrown at them right now. It's incredible. I actually don't know how they are able to get as much done as they do. But having said that, I think most CIOs know that they need to move away from the legacy development waterfall to the agile software development world. And I think they're making gains towards that.\n\nBob: Nothing in the government moves quickly, but moving to agile, it does require a cultural shift. And that's where the CIO or the CISO plays a very important role because they've got to convince the organization that failure is okay. 
Because when you fast fail, you actually make more progress than waiting till the end. Which is a cultural shift for any organization. That shift has to start at the CIO level. It can't start at the lower levels.\n\nThe Cultural Shift That Needs to Occur to Upgrade the Speed of the Mission\n\nBob: The lower levels have got to be empowered to fast fail to experiment in order to produce the best possible software application that they can.\n\nCarolyn: So you talk about this in an article that I just read Modernizing and securing government IT through DevOps. You say that, \"Federal CIOs embarking on a DevOps journey should embrace continuous integration, continuous delivery pipelines to reduce toolchain complexity, management, and maintenance.\" What can CIOs and CISOs do to embrace that statement? Because that's like you said, that's a lot.\n\nBob: It is, yes. And unfortunately they have many more mandates coming at them from OMB and NIST. Even though NIST doesn't generally put out mandates, more guidance. But they're starting to come forward with a few more mandates. And so I don't know how they're keeping up with it. They're doing the best that they can. But it's the cultural shift that needs to occur for the development life cycle. It's also the building of the platform.\n\nI say this often, it's not really the money. And I think that CIOs can find money to buy tools. I think it is more of the resources and the cultural shift that needs to occur. And that's where the CIO can really have the influence, is to be able to provide the resources, be able to have the backing at that level for experimentation and fast failure. And it's not necessarily because they can get the Technology Modernization Fund. I mean, upgrading your DevOps world is modernization, so they can tap into funds. 
It's really the other things that need to be considered for the shift to the new DevOps environment.\n\nHow Platform 1 Helped in the Speed of the Mission\n\nCarolyn: Do you have any good use cases or stories that you can talk about where you've seen this shift happen and this DevOps, this new process, this agile process be implemented?\n\nBob: Yes, sure. I'm going to go back to my Air Force roots, which makes me proud. The building of Platform 1 was a huge shift. And as a result, the Air Force is able to produce software so much faster than they were. And when they produced the applications in the end, they're closer to what the user needs in order to do their job. Because who better to inform the developer about what's required than the person that's going to use the application.\n\nAs an example, you can imagine there's a lot of software in the F-35, just tons of software. So who's the best person to tell the app developer what they need for flying that jet? It's the pilot. So if they can participate in the DevOps process and they can, in the way that things are designed in Platform One, then it's going to be a more efficient use.\n\nCarolyn: Okay. You just said something about Platform One that made some light bulbs go off. That term gets thrown around a lot. I use it a lot. I didn't understand that the end-user was involved that way.\n\nBob: Oh yes. I mean, that's the beauty of building a platform or using a tool like GitLab. They have the visibility, they can see the software as it's being developed and can have input.\n\nCarolyn: And they do participate? They'll look at it and say, \"No, that's not going to work?\"\n\nEnd-Users’ Participation in Improving the Speed of the Mission\n\nBob: Sure. Yes, absolutely. And that's how you can take the use of an application from months or a year down to weeks or days. The modification of a software package could be done in hours versus the way that it was done in the past. 
So it's just a lot more efficient way to be able to produce a usable application in the end.\n\nCarolyn: Okay. My mind's still spinning on this end-user can say, \"No, that's not going to work.\" So for them to participate, are they actually using the end result somehow? So they use it the way they would really use it in the field, like through a simulator or something so they can test it kind of real life? And then, I mean, how does the pilot test and give feedback?\n\nBob: Yes. Well, a couple of ways. First of all, they have the visibility, they see the code being written. Although they don't necessarily need to understand what each line is, or how to write it.\n\nCarolyn: Right. Well, because I would think the pilots, that wouldn't mean anything to them.\n\nBob: Yes. Like you said, they can see the simulation, but they can also see or respond to questions from the developer. They can see what the developer is thinking in regard to what they're producing. So all that's valuable information for them to be able to provide feedback. So again, in the end, the application works as expected and meets the requirement and the mission. It's all about the mission.\n\nCarolyn: But spending time answering questions in a chat room about something developers doing. Is that part of their job description? Like every hour or every day they spend an hour responding to developers? How does that work?\n\nGuideaux\n\nBob: Probably not, a little short story for you. Several years ago, I was in a meeting where a very high-level person in the Air Force said every airman will be a developer. And I thought they were crazy, absolutely crazy. But by producing a platform that allows them to participate, not necessarily write code, but participate, they can all be developers in a manner of speaking. So I think that the Air Force has been able to come as close to accomplishing that as you possibly can. Which of course, again makes me proud. That's not to say the other branches aren't doing the same thing, they are. 
It's just, the Air Force was out in front of the other branches.\n\nCarolyn: Yes. I have a whole new respect for Platform One now. I really did not understand that everybody was participating like that.\n\nBob: And yes. I have to point out Top Gun is the Navy, not the Air Force.\n\nCarolyn: Thank you. Well, so in the same article that I referenced earlier, back to Air Force, you talk about Master Sergeant James Crocker. I don't know if you want to share his handle?\n\nBob: He goes by Guideaux.\n\nCarolyn: Yes. His story and some of the stats that you shared with his story were pretty beyond impressive. I mean, they're almost like you say, that a hundred years of program time and software release timelines were reduced. You went from three to eight months for that cycle to just one week.\n\nBob: Yes. I mean, it's a great story, and he's built a great software factory. And he continues to run it today. He is a strong, strong advocate for a DevOps platform. And he's proven that it'll work. He continues to do that every day.\n\nHow Failure Was Embraced to Boost the Speed of the Mission\n\nBob: And again, he established the bar for speed to mission, and what they've been able to do there. We're going to continue to support him and get him whatever he needs to be able to help produce the applications the way that they have been for a few years now.\n\nCarolyn: I want to revisit what you said about a culture of failing fast. Was he a leader in that? Because to me, that's not something that gets advertised about any of our defense agencies. That you would brag that yes, we fail all the time. That's part of our goal. That's part of our objective. So, if he was one of the first to embrace that, or how does that get embraced? I would imagine it's still resisted a lot to fail.\n\nBob: Well, I mean, yes. I mean, especially in the U.S., the word failure is bad. But it's how we learn and it's how we move forward rapidly. I'm in sales. I'm chartered with selling to the government. 
And I'm always telling the team whenever they're involved in an opportunity is like, fast fail. If it's not really an opportunity, then move on, because you're going to waste your time. And frankly, you're wasting the government's time. So stop wasting their time.\n\nSo, it is a big shift. But like I said, Guideaux's definitely one of the people in the military, the Air Force that embraced it. He also had support from executives, which is required across the Air Force. It is a great story and I'm glad it's public so that I can talk about it.\n\nThe Future of DevOps\n\nCarolyn: Yes, me too. So what do you think the future of DevOps looks like?\n\nBob: It gets back to the building of the platform. Where all tools are integrated and there's no more BYOT.\n\nCarolyn: Device. I knew you weren't saying BYOB. Although, maybe we should.\n\nBob: It's really getting the teams to collaborate. Here's another great example of what the Air Force has done. They've put software factories in downtown, in cities, Austin, Salt Lake, many others, where they can find and retain top talent. This, I think is genius. And they've given them an environment that they enjoy working in. I mean, honestly, some of the bases they're old, the buildings are old, nobody wants to go to them. But, if you can go to this nice fancy office in downtown Salt Lake City, then you're going to be a much happier person and more likely to show up and be productive. So, I think that's another thing that DoD has embraced is where they're building the factories, and the talent that they're able to attract and retain as a result of that.\n\nCarolyn: Do they allow remote work in these software factories or does it all have to be on-prem?\n\nBob: No, they do. And that's another great thing to point out. Three years ago, if you said to me that the DoD was going to allow people to work at home, I'd say you were crazy. It's never going to happen. But the pandemic forced the issue. And now DoD has embraced it. 
I think that what they've found is that folks are perhaps more productive than having to commute and being in an office. A lot of good positive lessons learned as a result of remote work. I think that it's going to continue.\n\nGitLab Is a Hundred Percent Remote\n\nBob: I don't know if you know this, but GitLab is a hundred percent remote.\n\nCarolyn: How long? Is that just because of the pandemic or has that been a while now?\n\nBob: No, it's pretty much since inception. We did have an office for a few short months, which was closed. And I think that was about six or seven years ago now. So, we're quite proud of being an all-remote company, and the way that we've made that work. There's been a lot of papers written on it. There's a lot of great information on our website that can help organizations understand what it takes to be an all-remote company. But one of the strong benefits from it is, if I'm looking for somebody with development skills, they can be anywhere in the world.\n\nCarolyn: Exactly. You open up your talent pool just exponentially. And I've worked remote for 10 years and I've had to jump through the hoops and every year, fill out the paperwork. I've worked in government supporting the government mission for over a decade. It was a battle until the last two years. And now it's, everybody gets it.\n\nBut it's interesting because there's this movement right now to get people back into the office. And I'm just wondering what that's going to do to talent retention? If somebody had told me I had to go back into the office, I don't think I would do it, Bob.\n\nBob: Well, I think there's a negotiation that's occurring now, based on what I'm hearing with the companies that are trying to reestablish the office. There's a lot of pushback from the employees. And it's tough enough to get talent today. You don't want to create any other barriers. What Bob...","content_html":"

Bob Stevens, AVP Public Sector at GitLab joins Tech Transforms to talk about the imperative mission of DevOps to combine efficiency, speed and security. With emphasis on empowering teams to fail fast, moving security to the left, and a deep dive into Platform 1, you won't want to miss this episode!

DevSecOps’ Speed of the Mission

Carolyn: This week Bob Stevens, Area Vice President of Public Sector at GitLab is joining me. Bob is a seasoned veteran in public sector technology with over 25 years of experience. As the AVP at GitLab, he is responsible for helping government organizations become more productive, efficient, and effective.

Bob also has experience on both the industry and the government side of things. Prior to industry he served in the United States Air Force as a computer specialist at the White House Communications Agency. I am excited today to dive in and talk about the ways that we can use DevOps to modernize and secure government IT, and what the outlook for DevOps is. How are you doing, Bob?

Bob: I'm doing great. The weather's getting better in DC, so it's good to see the sun from time to time versus what we've had. But yes, doing fantastic.

Carolyn: Well, good to hear it. So let's just dive in. And let's walk through what DevOps is and why implementing these practices is critical to helping modernize and improve government IT?

Bob: Great. So I guess DevOps is combining efficiency, speed, and security all into one. And creating software at what I like to refer to as the speed of the mission for the government. The business side is a little different. But for the government, it's all about the mission and you being able to accomplish the mission faster and stay ahead of our adversaries. In the case of DoD and on the civilian side, it’s to ensure that all of the citizens that any given agency supports get the best possible support that they can. If you look at the organizations like the Veterans Administration, you can imagine they've got a lot of applications that they've written.

The Platform the Government Is Looking For to Improve the Speed of the Mission

Bob: To help the vets accomplish what they need to accomplish in a timely manner. So DevOps really will help them to produce the software at speed, more securely, more efficiently, and provide the most or the best service that they possibly can to all of the veterans out there, just as one example.

Carolyn: So, you know Tech Transforms is vendor agnostic. And I would love for you to just take a couple of minutes and talk about how GitLab helps with that. And just what GitLab does. I've read the marketing statements and it's a little nebulous for me. I would love to have you explain what GitLab does and how it's helping agencies achieve this?

Bob: I appreciate that you're letting me do this in a vendor-agnostic community. I mean, there are a lot of tools that are required to produce software. But the way that the industry or the government in particular is heading, and you can see this in some of the articles that DoD has recently released, is they're looking for one platform that encompasses the entire software development life cycle.

As you can imagine right now, I know agencies that have anywhere from 14 to 20 different tools that they're using. And the issue with that is that there's developers that like the tool that they like. So they bring their own and they develop their portion of the software. Unfortunately, when it all comes together, it doesn't always work because they've used different tools across the development organization.

And so, with the use of a single platform, you can ensure that at the end, everything is going to work. The nice thing is you can continue to bring some of those other tools. Because they integrate with the platform.

Speed of the Mission and Security Collide

Bob: Just as an example, JIRA, the government's using a lot of JIRA. And JIRA integrates with GitLab so that you can use them seamlessly together. So the developers that are using their favorite tools can continue to use some of those. It's just that it's going to be more efficient because in the end you're going to have an application that works out of the box.

Also what GitLab is trying to address is moving security to the left. Developers are a lot of times at odds with security folks because developers are tasked with developing code fast. They want to get it done quickly. And security folks want it to be done secure. So sometimes the two collide.

But when you're building a single platform and you allow, or you have the ability to move security to the left, which means, when I check in a line of code, I'm going to do a security scan to make sure that I didn't somehow introduce a vulnerability. If I did, I could fix it immediately rather than waiting until the end of the process. Then running security scans and realizing, I may have to go back through hundreds of lines or thousands of lines of code to figure out where that vulnerability was introduced and do the repair.

The other thing that I'll tell you is visibility. Not everyone has to be a developer to use the platform or GitLab. You can be in the executive branch and know nothing about how to write code. But you can see the process during the whole time. You can ensure that what's being produced is going to best meet the requirements of the people that it's being produced for. You don't have to wait till the end to produce the app.

The Very Important Role of the CIO and CISO in the Speed of the Mission

Bob: The users start using it. And they're like, "Oh my God, this is not the way that I wanted this to work." Or, "This doesn't work for me." Or, "It would've been nice to do this." It can be integrated during the process so that you can make sure that the application is usable in the end.

Carolyn: What you just said helps me understand what GitLab does a lot more than any reading I was going to do on my own. And it certainly sounds like a smarter way to do things. So you've written many articles and often you talk about the need for DevOps, DevSecOps, a big part of it is just cultural. And so is that starting at the CIO level? And if so, what are CIOs doing right now?

Bob: I mean, first of all, I have empathy for CIOs because they have so much thrown at them right now. It's incredible. I actually don't know how they are able to get as much done as they do. But having said that, I think most CIOs know that they need to move away from the legacy development waterfall to the agile software development world. And I think they're making gains towards that.

Bob: Nothing in the government moves quickly, but moving to agile, it does require a cultural shift. And that's where the CIO or the CISO plays a very important role because they've got to convince the organization that failure is okay.

Because when you fast fail, you actually make more progress than waiting till the end. Which is a cultural shift for any organization. That shift has to start at the CIO level. It can't start at the lower levels.

The Cultural Shift That Needs to Occur to Upgrade the Speed of the Mission

Bob: The lower levels have got to be empowered to fast fail to experiment in order to produce the best possible software application that they can.

Carolyn: So you talk about this in an article that I just read, "Modernizing and securing government IT through DevOps." You say that, "Federal CIOs embarking on a DevOps journey should embrace continuous integration, continuous delivery pipelines to reduce toolchain complexity, management, and maintenance." What can CIOs and CISOs do to embrace that statement? Because that's like you said, that's a lot.

Bob: It is, yes. And unfortunately they have many more mandates coming at them from OMB and NIST. Even though NIST doesn't generally put out mandates, more guidance. But they're starting to come forward with a few more mandates. And so I don't know how they're keeping up with it. They're doing the best that they can. But it's the cultural shift that needs to occur for the development life cycle. It's also the building of the platform.

I say this often, it's not really the money. And I think that CIOs can find money to buy tools. I think it is more of the resources and the cultural shift that needs to occur. And that's where the CIO can really have the influence, is to be able to provide the resources, be able to have the backing at that level for experimentation and fast failure. And it's not necessarily because they can get the Technology Modernization Fund. I mean, upgrading your DevOps world is modernization, so they can tap into funds. It's really the other things that need to be considered for the shift to the new DevOps environment.

How Platform 1 Helped in the Speed of the Mission

Carolyn: Do you have any good use cases or stories that you can talk about where you've seen this shift happen and this DevOps, this new process, this agile process be implemented?

Bob: Yes, sure. I'm going to go back to my Air Force roots, which makes me proud. The building of Platform 1 was a huge shift. And as a result, the Air Force is able to produce software so much faster than they were. And when they produced the applications in the end, they're closer to what the user needs in order to do their job. Because who better to inform the developer about what's required than the person that's going to use the application.

As an example, you can imagine there's a lot of software in the F-35, just tons of software. So who's the best person to tell the app developer what they need for flying that jet? It's the pilot. So if they can participate in the DevOps process and they can, in the way that things are designed in Platform One, then it's going to be a more efficient use.

Carolyn: Okay. You just said something about Platform One that made some light bulbs go off. That term gets thrown around a lot. I use it a lot. I didn't understand that the end-user was involved that way.

Bob: Oh yes. I mean, that's the beauty of building a platform or using a tool like GitLab. They have the visibility, they can see the software as it's being developed and can have input.

Carolyn: And they do participate? They'll look at it and say, "No, that's not going to work?"

End-Users’ Participation in Improving the Speed of the Mission

Bob: Sure. Yes, absolutely. And that's how you can take the use of an application from months or a year down to weeks or days. The modification of a software package could be done in hours versus the way that it was done in the past. So it's just a lot more efficient way to be able to produce a usable application in the end.

Carolyn: Okay. My mind's still spinning on this end-user can say, "No, that's not going to work." So for them to participate, are they actually using the end result somehow? So they use it the way they would really use it in the field, like through a simulator or something so they can test it kind of real life? And then, I mean, how does the pilot test and give feedback?

Bob: Yes. Well, a couple of ways. First of all, they have the visibility, they see the code being written. Although they don't necessarily need to understand what each line is, or how to write it.

Carolyn: Right. Well, because I would think the pilots, that wouldn't mean anything to them.

Bob: Yes. Like you said, they can see the simulation, but they can also see or respond to questions from the developer. They can see what the developer is thinking in regard to what they're producing. So all that's valuable information for them to be able to provide feedback. So again, in the end, the application works as expected and meets the requirement and the mission. It's all about the mission.

Carolyn: But spending time answering questions in a chat room about something developers are doing, is that part of their job description? Like every hour or every day they spend an hour responding to developers? How does that work?

Guideaux

Bob: Probably not, a little short story for you. Several years ago, I was in a meeting where a very high-level person in the Air Force said every airman will be a developer. And I thought they were crazy, absolutely crazy. But by producing a platform that allows them to participate, not necessarily write code, but participate, they can all be developers in a manner of speaking.

So I think that the Air Force has been able to come as close to accomplishing that as you possibly can. Which of course, again makes me proud. That's not to say the other branches aren't doing the same thing, they are. It's just, the Air Force was out in front of the other branches.

Carolyn: Yes. I have a whole new respect for Platform One now. I really did not understand that everybody was participating like that.

Bob: And yes. I have to point out Top Gun is the Navy, not the Air Force.

Carolyn: Thank you. Well, so in the same article that I referenced earlier, back to Air Force, you talk about Master Sergeant James Crocker. I don't know if you want to share his handle?

Bob: He goes by Guideaux.

Carolyn: Yes. His story and some of the stats that you shared with his story were pretty beyond impressive. I mean, they're almost like you say, that a hundred years of program time and software release timelines were reduced. You went from three to eight months for that cycle to just one week.

Bob: Yes. I mean, it's a great story, and he's built a great software factory. And he continues to run it today. He is a strong, strong advocate for a DevOps platform. And he's proven that it'll work. He continues to do that every day.

How Failure Was Embraced to Boost the Speed of the Mission

Bob: And again, he established the bar for speed to mission, and what they've been able to do there. We're going to continue to support him and get him whatever he needs to be able to help produce the applications the way that they have been for a few years now.

Carolyn: I want to revisit what you said about a culture of failing fast. Was he a leader in that? Because to me, that's not something that gets advertised about any of our defense agencies. That you would brag that yes, we fail all the time. That's part of our goal. That's part of our objective. So, if he was one of the first to embrace that, or how does that get embraced? I would imagine it's still resisted a lot to fail.

Bob: Well, I mean, yes. I mean, especially in the U.S., the word failure is bad. But it's how we learn and it's how we move forward rapidly. I'm in sales. I'm chartered with selling to the government.

And I'm always telling the team whenever they're involved in an opportunity is like, fast fail. If it's not really an opportunity, then move on, because you're going to waste your time. And frankly, you're wasting the government's time. So stop wasting their time.

So, it is a big shift. But like I said, Guideaux's definitely one of the people in the military, the Air Force that embraced it. He also had support from executives, which is required across the Air Force. It is a great story and I'm glad it's public so that I can talk about it.

The Future of DevOps

Carolyn: Yes, me too. So what do you think the future of DevOps looks like?

Bob: It gets back to the building of the platform. Where all tools are integrated and there's no more BYOT.

Carolyn: Device. I knew you weren't saying BYOB. Although, maybe we should.

Bob: It's really getting the teams to collaborate. Here's another great example of what the Air Force has done. They've put software factories in downtown, in cities, Austin, Salt Lake, many others, where they can find and retain top talent. This, I think is genius.

And they've given them an environment that they enjoy working in. I mean, honestly, some of the bases they're old, the buildings are old, nobody wants to go to them. But, if you can go to this nice fancy office in downtown Salt Lake City, then you're going to be a much happier person and more likely to show up and be productive. So, I think that's another thing that DoD has embraced is where they're building the factories, and the talent that they're able to attract and retain as a result of that.

Carolyn: Do they allow remote work in these software factories or does it all have to be on-prem?

Bob: No, they do. And that's another great thing to point out. Three years ago, if you said to me that the DoD was going to allow people to work at home, I'd say you were crazy. It's never going to happen. But the pandemic forced the issue. And now DoD has embraced it. I think that what they've found is that folks are perhaps more productive than having to commute and being in an office. A lot of good positive lessons learned as a result of remote work. I think that it's going to continue.

GitLab Is a Hundred Percent Remote

Bob: I don't know if you know this, but GitLab is a hundred percent remote.

Carolyn: How long? Is that just because of the pandemic or has that been a while now?

Bob: No, it's pretty much since inception. We did have an office for a few short months, which was closed. And I think that was about six or seven years ago now. So, we're quite proud of being an all-remote company, and the way that we've made that work.

There's been a lot of papers written on it. There's a lot of great information on our website that can help organizations understand what it takes to be an all-remote company. But one of the strong benefits from it is, if I'm looking for somebody with development skills, they can be anywhere in the world.

Carolyn: Exactly. You open up your talent pool just exponentially. And I've worked remote for 10 years and I've had to jump through the hoops and every year, fill out the paperwork. I've worked in government supporting the government mission for over a decade. It was a battle until the last two years. And now it's, everybody gets it.

But it's interesting because there's this movement right now to get people back into the office. And I'm just wondering what that's going to do to talent retention? If somebody had told me I had to go back into the office, I don't think I would do it, Bob.

Bob: Well, I think there's a negotiation that's occurring now, based on what I'm hearing with the companies that are trying to reestablish the office. There's a lot of pushback from the employees. And it's tough enough to get talent today. You don't want to create any other barriers.

What Bob...

","summary":null,"date_published":"2022-05-18T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/42477a33-764c-4fe6-9c6e-33681efb994c.mp3","mime_type":"audio/mpeg","size_in_bytes":25837966,"duration_in_seconds":1844}]},{"id":"347578d3-bf36-4383-9ec3-b3040ed9f61f","title":"Episode 35: Observability Explained with Mike Maciag","url":"https://techtransforms.fireside.fm/35","content_text":"Mike Maciag, Chief Marketing Officer at Dynatrace joins Tech Transforms to talk about the power of observability. Careful monitoring is of paramount importance for any successful operation, and observability can take your agency to the next level. Listen in as Carolyn and Mark get some tips and tricks for improving cybersecurity posture with the most accurate technology.Episode Table of Contents[00:31] The Vital Role That Observability Plays in IT[10:40] Observability: When You’re Asking the Systems to Share[22:48] The President’s Memo on User Experience[34:01] Let Machines Do the Stuff That Doesn’t MatterEpisode Links and ResourcesMike MaciagDynatraceAmerican Moon ShotThe Vital Role That Observability Plays in ITCarolyn: Today, we get to welcome Mike Maciag, who is Chief Marketing Officer of Dynatrace. One of our own, one of the clan is here with us today. And as CMO, Mike is responsible for Dynatrace's global marketing organization. We're really excited to hear his expert opinion on observability and the vital role that it plays in IT, and especially the cloud.Mike: Thank you, Carolyn. Mark, nice to be with you both today. And I know this is a long time in coming, but I'm excited to be sitting down and talking to you today.Carolyn: We've been able to talk to a few of our guests a little bit about APM. And just recently we talked to a former CIO at VA. He is very bullish on APM, and he talked a lot about the advances that they were able to make in the VA with APM. 
Just that at least within the VA, APM moved from a nice to have to a must-have. And what I'd really like to hear you talk about, just to dive right in, Mike, is so there's the APM part. But then in my mind and I might be positioning this wrong. In my mind, I think that observability is like APM 2.0. But can you speak to that APM versus observability? What's the difference?\n\nMike: As long as we're talking about terms, we might want to mix monitoring in there as well. All terms that are thrown around, is it monitoring, is it APM, is it observability? And it's changed, it's changed a lot. Let me start with the simplest definition, then maybe we can unpack it from there. Think of observability as the umbrella term, as the broadest umbrella term that goes above all of this.\n\nMonitoring, APM, Observability\n\nMike: Observability fully includes APM, and observability also subsumes monitoring, both of the things that we've been doing. There are kind of two megatrends in the industry that have been driving this move towards observability. One is the move to the cloud.\n\nMore and more systems are moving to cloud architectures, probably more important digitally native architectures. We're going from monolithic systems that we could understand, that we could see, that we could touch. We could understand what's happening with them into cloud increasingly complex, even multi-cloud architectures that are driven by microservices and the like.\n\nThe reason for that movement is it has made digital transformation, application development faster and easier in that regard. Which is this digital transformation fundamentally looking at everything that I've been doing in every aspects of my business. Whether it be on the front end or in the services I provide. Whether it be on the front end or in the backend machine to machine conversations is happening in cloud architectures. 
And we're trying to figure out how we can automate more of it and things are happening that way.\n\nDoes that make sense, just from a starting point, from observability’s umbrella, fully subsumed monitoring, fully subsumed APM, kind of in that the drivers being cloud and digital transformation making that happen. And I can get into more details.\n\nMark: That absolutely hits the mark. And we also say end-user performance or experience.\n\nMike: That's right.\n\nCarolyn: Yes, that sets me straight. Because me saying that observability is APM 2.0 is wrong. APM, like you said, it's underneath observability. It might be, I guess, one way into implementing an observability platform into your organization, but it's not all of it.\n\nWhere the User Touches the Applications\n\nMike: Yes. When you say observability, kind of what pops into my mind is thinking through there's APM, there is infrastructure monitoring as part of that, what's going on in the infrastructure that's underneath it. There's, as Mark was kind of alluding to, digital experience management. Where does the end-user fit into this? And kind of making that happen.\n\nThen you have increasingly even elements of systems that are achieving what they need to achieve have security in there as well. Because really, we think about a world where software works perfectly. The expectation is that we live in a world where software works perfectly. Now, that's a vision. It's a long way coming. But to make that happen on an end-to-end basis, you really need to bring all of those things in there.\n\nAPM, I often think about as the high ground in this, because APM is where the user touches the applications. It's where the business needs meet the IT needs of what's happening. And it's kind of what people can touch in that area. It's a very interesting place to enter. That obviously is an important part of it. But it's absolutely essential to have the infrastructure that's monitored underneath it and the user experience. 
At least specifically as you may kind of thought.\n\nMark: You mentioned a couple of different things. And in the federal market, there's two things. And if we have time, maybe we can talk about these. But one is the executive order that the president came out with at the end of the calendar year around end-user experience. It was something very new that we had seen coming out of the government. So maybe we can talk about that maybe a little bit later if we had time.\n\nInfrastructure Monitoring Is Observability\n\nMark: But the second one, and you mentioned security, was zero-trust. The whole cybersecurity, and of course everybody's trying to figure out ways that they can improve their security posture. And people like Carolyn and I figure out how we can tap into the cybersecurity budgets that have been allocated to that.\n\nCarolyn: Well, okay, for our listeners, I want to back up just a little bit and define APM. It's application performance monitoring. You made me realize that we didn't define that, Mike. Because when you said there's the infrastructure monitoring too. You're right, in my mind, application performance monitoring includes infrastructure monitoring, but not necessarily. That would be the observability.\n\nMike: Yes. Carolyn, just to not get too inside baseball and Dynatrace, I understand why you think about it that way. Because our APM does in fact include. We think of APM as full-stack. It goes all the way down to the infrastructure that it's monitoring. When people work with Dynatrace, they're getting that as part of included. So absolutely makes sense why you kind of giving your steeping of Dynatrace kind of thinks of it that way. The rest of the world does not, by the way.\n\nThey think of APM and infrastructure as two different things. You basically buy those off cardless. We don't think they can be separated. 
Because what you want to be able to do, I mean, the goal here is to simplify cloud complexity to the point where you can get a precise root cause answer if something were to go wrong. And drill all the way down to, \"Here's a specific line of code that's making that happen.\" Or, \"Here's the piece of infrastructure that's making that happen.\"\n\nHow Can We Better Position the Concepts of Observability and Federal\n\nMike: Let's say it's in a Kubernetes environment, just a container that spun down in a second. But it does that 60 times an hour, you need to be able to find that as it comes and goes. That's why you need to have full-stack as you kind of think about that.\n\nMark: You said some interesting things there, Mike, and I want to dig into this a little bit deeper. Because in the federal space, we feel like we're three to five years behind the commercial market. And the use of these concepts of observability, even APM, we rarely see RFPs coming out that have APM listed in it.\n\nWe might see infrastructure monitoring, we might see other terminology like that, but we rarely see these concepts. And the government has been in this transformation for years, moving to the cloud. Some agencies have had more success than others. Can we talk a little bit about how we might be able to better position the concepts and terminology of observability and federal better?\n\nMike: You mentioned three to five years behind, debatable exactly how many years. But the curve that the commercial space has gone through increasingly seems to be exactly the curve that the federal space is on. Which is with the moves towards moving to the cloud, whether they be trusted clouds or public clouds. The same kind of breakup of monolithic architectures has taken place.\n\nWhen you break up the monolithic architectures, speed and scalability come with that, and flexibility come with that. And the other truth that I think you'll run into is complexity also comes with that. 
Guess what, no one, and I'm guessing the federal government is the same, is getting additional resources to monitor this in the old way.\n\nObservability: When You’re Asking the Systems to Share\n\nMike: The idea that a system should be able to be monitored. You can understand whether the system is up or down and they go figure it out from their monitoring health. When you move into observability, what you're doing is you're asking the systems themselves to share, to become observable, to put out data that says, \"Hey, here's what's going on with me\". And so that it can begin to understand in that way.\n\nThat's the purpose of trying to simplify that complexity. So that when you don't have greater resources to get your jobs done, you can still stay on top of it. The last thing that people want to do is get bogged down in monitoring and not be able to innovate. And be able to drive those new apps that are driving better services for citizens that are driving more security in DoD-oriented areas, et cetera. That's where this idea of observability is.\n\nI'll even go one step further than that. Observability today does not include the concepts of intelligence and automation, but we think it should. And that's because this overwhelming amount of data that's being generated by these systems is really beyond the capability to the old ways. Where I'm going to put some data up on dashboards.\n\nI can look at the dashboards and figure out what's going on and have a good sense of what's going on. It's just not possible to stay on top of it that way. We think about it as moving to a world where we're providing answers. The answers are allowing people to automate more and get more out of their teams.\n\nMark: Well, that's a good answer.\n\nWhat the World Is Lacking in Terms of Security\n\nMark: We'll get that out to the sales team right away. One of the things that you mentioned that we run into is security. 
Some of the customers that we have, have a very different or stringent, higher stringent security requirements than others. Obviously, as you can imagine. That's maybe a level of complexity we run into. It's certainly an issue. We see that come out a lot. Is that the same kind of answer that we would provide about security?\n\nMike: Yes. One of the things that we're seeing more and more of kind of in the security sphere is how do you think about security in real-time and finding precisely identifying security issues in production? We have all kinds of things in the world that try and keep the bad guys out, or the bad actors, or the bad code out. We have even more things in the world that test, and says, \"Okay. Before I do a check-in, kind of do a static code analysis on this and understand whether it's got known vulnerabilities in it.\"\n\nWhat the world has been lacking has been the idea of, \"Okay, so now there's something out there. How do I know who has it, or what systems have it, and how do I precisely identify it and make it happen?\" Log4Shell helped us see this kind of in very specific ways, later not as large of an issue. But Log4Shell showed the same thing. Which is all of a sudden there was a zero-day exploit that was out there. Or it was a zero-day exploit that was discovered in a very popular open-source package that could be manipulated. In the entire world, they find it and fix it overnight.\n\nIdentifying Vulnerability Through Observability\n\nMike: By providing observability on the whole stack and understanding where it existed, our customers at Dynatrace were able to find that instantaneously. The minute it was identified as a vulnerability, we could show specifically what was going on and at least helped people with the, \"How am I going to get to the point where I know exactly what happened and I can close that door as fast as I possibly can?\"\n\nNow, as we move on, it gets to, \"Okay, great. 
Now let's move it into, 'I'm going to take automatic action and do a remediation on that.'\" And there's more and more of that going on. But security is playing an increasingly large role in this. We should really be talking about DevSecOps teams to correct myself, are increasingly expected to build security into the applications and in the infrastructure, and setting up and ensure through things like what we're doing.\n\nCarolyn: How do you see observability fitting into DevSecOps?\n\nMike: It's an absolutely essential piece of it, and here's why. DevSecOps, just in the broadest, most simple terms is the idea that responsibility for all of this shifts left. When I say shift left, it used to be we'd write monolithic code, we'd throw it over the wall. The people would operate the code on the other side of it. And there'd be this finger-pointing game of, \"It didn't work well. What I gave you worked. Your system must be messed up,\" et cetera.\n\nThe DevSecOps at the broadest sense is let's shift that responsibility left and give development the responsibility to build operability into reliability, resiliency into the product, as well as building the security of the product from the beginning.\n\nHow Observability Fit Into DevSecOps\n\nMike: To make that happen, you need to provide the instrumentation so that they know what's happening in production. Or what would happen in production when I put it in production.\n\nThen if I can provide precise root cause and get it to the next level of like, \"Not only did this go wrong, or could it go wrong, or there was a slowdown, but here's specifically why,\" I can go fix it faster. I want to be able to make this happen. And really the purpose behind all of this is the world wants and expects flawless and secure interactions. Whether that's a machine to a person or whether that's a machine to a machine, you expect it to be flawless.\n\nThat's a fair expectation. 
And as we go more and more digital with the world, and that's kind of the whole idea of digital transformation. That's why we expect this flawless result. In the commercial sector, it may be in many ways more forgiving than elements of the federal sector, where you guys are talking in your audience sense.The idea of having something go wrong or making a wrong assumption in software that the interaction doesn't go right can be immense. It hits not hundreds, not thousands of users, but tens of thousands to millions, to hundreds of millions of citizens.Mark: Well, it could be life dependent. I mean, and the DoD in the IC space where mission criticality means the life or death, it couldn't get any more gray than that.Making Decisions With Precise Accuracy Is RequiredMike: Yes, that's absolutely right. A big part of this then is all of this data that these modern systems are putting out, it's like, okay, how do you take that data and you turn it into an answer so that you know specifically what's happening? And then once I have, if I can get my answers precise enough, how do I then automate based on that? So that I can get to a point of being able to automate as things go on?Mark, to kind of go on your life and death scenario, it's like sometimes I talk about this from a self-driving car's perspective. Which is it's a car needs to observe everything that's going on in its environment in real-time to kind of make it happen. What's it like outside, what's the speed limit, where am I on the road? Are there other issues to deal with? But then it needs to make decisions, and it needs to make decisions with precise accuracy.In order to automate, you need to be able to make decisions with precise accuracy. You can't approach a crosswalk in a self-driving car if that day ever comes, and be unsure whether it's a shadow or a pedestrian. You just can't and you need to get down to that. It's no different than IT, and it's no different in the observability space. 
Which is if you're going to automate remediation and allow people to innovate, that's going to have to happen with very precise root cause and a positive AI that's kind of underneath it and those types of things.Mark: Well, that's a great example of that, kind of putting in it context so everybody can understand. Monitoring Versus ObservabilityMark: Carolyn, if it's okay with you, I know that Mike started tapping into this whole DevSecOps concept and I wanted to ask a question about that. Maybe you could peel in and back a little bit further, Mike. And so in a recent article by Dark Reading, you stated that today's rapid pace of innovation coupled with the complexity of modern software development has elevated the need for automated orchestration.Mike: Yes.Mark: Can you talk a little bit about this and how do you see this changing for us?Mike: Yes. I remember the entire context of the article. But I certainly kind of understand the subject and kind of what we're talking about that way. This complexity curve is not going to stop. As we go from monolithic architectures to cloud architectures. As we go to containers and microservices, as we go to multi-cloud, as we go to huge scale. These systems, we go to change that just does not stop. It's kind of a constant change. These systems are all generating immense amounts of data. Both in the variety that they're generating, the volume that they're generating in the speed at which they're doing it. Basically what it says is things have to change in the way that you manage your systems.We started at the top of this as monitoring versus observability. That's a good example of we just need to think, kind of change our mindsets as we're going to go through that. You have to change the way that the teams work as well. And that is getting the teams from reactive, \"Hey, I've got a problem. 
How do I go fix it?\" Observability DataMike: To proactive looking and observability data, and anticipating what problems are going to come up and how do I address them before they impact end-users. Otherwise, people would just be completely buried and there'll be...","content_html":"

Mike Maciag, Chief Marketing Officer at Dynatrace joins Tech Transforms to talk about the power of observability. Careful monitoring is of paramount importance for any successful operation, and observability can take your agency to the next level. Listen in as Carolyn and Mark get some tips and tricks for improving cybersecurity posture with the most accurate technology.


The Vital Role That Observability Plays in IT

Carolyn: Today, we get to welcome Mike Maciag, who is Chief Marketing Officer of Dynatrace. One of our own, one of the clan is here with us today. And as CMO, Mike is responsible for Dynatrace's global marketing organization. We're really excited to hear his expert opinion on observability and the vital role that it plays in IT, and especially the cloud.

Mike: Thank you, Carolyn. Mark, nice to be with you both today. And I know this is a long time in coming, but I'm excited to be sitting down and talking to you today.

Carolyn: We've been able to talk to a few of our guests a little bit about APM. And just recently we talked to a former CIO at VA. He is very bullish on APM, and he talked a lot about the advances that they were able to make in the VA with APM. Just that at least within the VA, APM moved from a nice to have to a must-have. And what I'd really like to hear you talk about, just to dive right in, Mike, is so there's the APM part. But then in my mind and I might be positioning this wrong. In my mind, I think that observability is like APM 2.0. But can you speak to that APM versus observability? What's the difference?

Mike: As long as we're talking about terms, we might want to mix monitoring in there as well. All terms that are thrown around, is it monitoring, is it APM, is it observability? And it's changed, it's changed a lot. Let me start with the simplest definition, then maybe we can unpack it from there. Think of observability as the umbrella term, as the broadest umbrella term that goes above all of this.

Monitoring, APM, Observability

Mike: Observability fully includes APM, and observability also subsumes monitoring, both of the things that we've been doing. There are kind of two megatrends in the industry that have been driving this move towards observability. One is the move to the cloud.

More and more systems are moving to cloud architectures, probably more important digitally native architectures. We're going from monolithic systems that we could understand, that we could see, that we could touch. We could understand what's happening with them into cloud increasingly complex, even multi-cloud architectures that are driven by microservices and the like.

The reason for that movement is it has made digital transformation, application development faster and easier in that regard. Which is this digital transformation fundamentally looking at everything that I've been doing in every aspect of my business. Whether it be on the front end or in the services I provide. Whether it be on the front end or in the backend machine to machine conversations is happening in cloud architectures. And we're trying to figure out how we can automate more of it and things are happening that way.

Does that make sense, just from a starting point, from observability’s umbrella, fully subsumed monitoring, fully subsumed APM, kind of in that the drivers being cloud and digital transformation making that happen. And I can get into more details.

Mark: That absolutely hits the mark. And we also say end-user performance or experience.

Mike: That's right.

Carolyn: Yes, that sets me straight. Because me saying that observability is APM 2.0 is wrong. APM, like you said, it's underneath observability. It might be, I guess, one way into implementing an observability platform into your organization, but it's not all of it.

Where the User Touches the Applications

Mike: Yes. When you say observability, kind of what pops into my mind is thinking through there's APM, there is infrastructure monitoring as part of that, what's going on in the infrastructure that's underneath it. There's, as Mark was kind of alluding to, digital experience management. Where does the end-user fit into this? And kind of making that happen.

Then you have increasingly even elements of systems that are achieving what they need to achieve have security in there as well. Because really, we think about a world where software works perfectly. The expectation is that we live in a world where software works perfectly. Now, that's a vision. It's a long way coming. But to make that happen on an end-to-end basis, you really need to bring all of those things in there.

APM, I often think about as the high ground in this, because APM is where the user touches the applications. It's where the business needs meet the IT needs of what's happening. And it's kind of what people can touch in that area. It's a very interesting place to enter. That obviously is an important part of it. But it's absolutely essential to have the infrastructure that's monitored underneath it and the user experience. At least specifically as you may kind of thought.

Mark: You mentioned a couple of different things. And in the federal market, there's two things. And if we have time, maybe we can talk about these. But one is the executive order that the president came out with at the end of the calendar year around end-user experience. It was something very new that we had seen coming out of the government. So maybe we can talk about that maybe a little bit later if we had time.

Infrastructure Monitoring Is Observability

Mark: But the second one, and you mentioned security, was zero-trust. The whole cybersecurity, and of course everybody's trying to figure out ways that they can improve their security posture. And people like Carolyn and I figure out how we can tap into the cybersecurity budgets that have been allocated to that.

Carolyn: Well, okay, for our listeners, I want to back up just a little bit and define APM. It's application performance monitoring. You made me realize that we didn't define that, Mike. Because when you said there's the infrastructure monitoring too. You're right, in my mind, application performance monitoring includes infrastructure monitoring, but not necessarily. That would be the observability.

Mike: Yes. Carolyn, just to not get too inside baseball and Dynatrace, I understand why you think about it that way. Because our APM does in fact include. We think of APM as full-stack. It goes all the way down to the infrastructure that it's monitoring. When people work with Dynatrace, they're getting that as part of included. So absolutely makes sense why you kind of given your steeping of Dynatrace kind of think of it that way. The rest of the world does not, by the way.

They think of APM and infrastructure as two different things. You basically buy those à la carte. We don't think they can be separated. Because what you want to be able to do, I mean, the goal here is to simplify cloud complexity to the point where you can get a precise root cause answer if something were to go wrong. And drill all the way down to, "Here's a specific line of code that's making that happen." Or, "Here's the piece of infrastructure that's making that happen."

How Can We Better Position the Concepts of Observability and Federal

Mike: Let's say it's in a Kubernetes environment, just a container that spun down in a second. But it does that 60 times an hour, you need to be able to find that as it comes and goes. That's why you need to have full-stack as you kind of think about that.

Mark: You said some interesting things there, Mike, and I want to dig into this a little bit deeper. Because in the federal space, we feel like we're three to five years behind the commercial market. And the use of these concepts of observability, even APM, we rarely see RFPs coming out that have APM listed in it.

We might see infrastructure monitoring, we might see other terminology like that, but we rarely see these concepts. And the government has been in this transformation for years, moving to the cloud. Some agencies have had more success than others. Can we talk a little bit about how we might be able to better position the concepts and terminology of observability and federal better?

Mike: You mentioned three to five years behind, debatable exactly how many years. But the curve that the commercial space has gone through increasingly seems to be exactly the curve that the federal space is on. Which is with the moves towards moving to the cloud, whether they be trusted clouds or public clouds. The same kind of breakup of monolithic architectures has taken place.

When you break up the monolithic architectures, speed and scalability come with that, and flexibility come with that. And the other truth that I think you'll run into is complexity also comes with that. Guess what, no one, and I'm guessing the federal government is the same, is getting additional resources to monitor this in the old way.

Observability: When You’re Asking the Systems to Share

Mike: The idea that a system should be able to be monitored. You can understand whether the system is up or down and they go figure it out from their monitoring health.

When you move into observability, what you're doing is you're asking the systems themselves to share, to become observable, to put out data that says, "Hey, here's what's going on with me". And so that it can begin to understand in that way.

That's the purpose of trying to simplify that complexity. So that when you don't have greater resources to get your jobs done, you can still stay on top of it. The last thing that people want to do is get bogged down in monitoring and not be able to innovate. And be able to drive those new apps that are driving better services for citizens that are driving more security in DoD-oriented areas, et cetera. That's where this idea of observability is.

I'll even go one step further than that. Observability today does not include the concepts of intelligence and automation, but we think it should. And that's because this overwhelming amount of data that's being generated by these systems is really beyond the capability to the old ways. Where I'm going to put some data up on dashboards.

I can look at the dashboards and figure out what's going on and have a good sense of what's going on. It's just not possible to stay on top of it that way. We think about it as moving to a world where we're providing answers. The answers are allowing people to automate more and get more out of their teams.

Mark: Well, that's a good answer.

What the World Is Lacking in Terms of Security

Mark: We'll get that out to the sales team right away. One of the things that you mentioned that we run into is security. Some of the customers that we have, have a very different or stringent, higher stringent security requirements than others. Obviously, as you can imagine. That's maybe a level of complexity we run into. It's certainly an issue. We see that come out a lot. Is that the same kind of answer that we would provide about security?

Mike: Yes. One of the things that we're seeing more and more of kind of in the security sphere is how do you think about security in real-time and finding precisely identifying security issues in production? We have all kinds of things in the world that try and keep the bad guys out, or the bad actors, or the bad code out. We have even more things in the world that test and say, "Okay. Before I do a check-in, kind of do a static code analysis on this and understand whether it's got known vulnerabilities in it."

What the world has been lacking has been the idea of, "Okay, so now there's something out there. How do I know who has it, or what systems have it, and how do I precisely identify it and make it happen?" Log4Shell helped us see this kind of in very specific ways, later not as large of an issue. But Log4Shell showed the same thing. Which is all of a sudden there was a zero-day exploit that was out there. Or it was a zero-day exploit that was discovered in a very popular open-source package that could be manipulated. In the entire world, they find it and fix it overnight.

Identifying Vulnerability Through Observability

Mike: By providing observability on the whole stack and understanding where it existed, our customers at Dynatrace were able to find that instantaneously. The minute it was identified as a vulnerability, we could show specifically what was going on and at least helped people with the, "How am I going to get to the point where I know exactly what happened and I can close that door as fast as I possibly can?"

Now, as we move on, it gets to, "Okay, great. Now let's move it into, 'I'm going to take automatic action and do a remediation on that.'" And there's more and more of that going on. But security is playing an increasingly large role in this. We should really be talking about DevSecOps teams to correct myself, are increasingly expected to build security into the applications and in the infrastructure, and setting up and ensure through things like what we're doing.

Carolyn: How do you see observability fitting into DevSecOps?

Mike: It's an absolutely essential piece of it, and here's why. DevSecOps, just in the broadest, most simple terms is the idea that responsibility for all of this shifts left. When I say shift left, it used to be we'd write monolithic code, we'd throw it over the wall. The people would operate the code on the other side of it. And there'd be this finger-pointing game of, "It didn't work well. What I gave you worked. Your system must be messed up," et cetera.

The DevSecOps at the broadest sense is let's shift that responsibility left and give development the responsibility to build operability into reliability, resiliency into the product, as well as building the security of the product from the beginning.

How Observability Fits Into DevSecOps

Mike: To make that happen, you need to provide the instrumentation so that they know what's happening in production. Or what would happen in production when I put it in production.

Then if I can provide precise root cause and get it to the next level of like, "Not only did this go wrong, or could it go wrong, or there was a slowdown, but here's specifically why," I can go fix it faster. I want to be able to make this happen. And really the purpose behind all of this is the world wants and expects flawless and secure interactions. Whether that's a machine to a person or whether that's a machine to a machine, you expect it to be flawless.

That's a fair expectation. And as we go more and more digital with the world, and that's kind of the whole idea of digital transformation. That's why we expect this flawless result. In the commercial sector, it may be in many ways more forgiving than elements of the federal sector, where you guys are talking in your audience sense.

The idea of having something go wrong or making a wrong assumption in software that the interaction doesn't go right can be immense. It hits not hundreds, not thousands of users, but tens of thousands to millions, to hundreds of millions of citizens.

Mark: Well, it could be life dependent. I mean, and the DoD in the IC space where mission criticality means the life or death, it couldn't get any more grave than that.

Making Decisions With Precise Accuracy Is Required

Mike: Yes, that's absolutely right. A big part of this then is all of this data that these modern systems are putting out, it's like, okay, how do you take that data and you turn it into an answer so that you know specifically what's happening? And then once I have, if I can get my answers precise enough, how do I then automate based on that? So that I can get to a point of being able to automate as things go on?

Mark, to kind of go on your life and death scenario, it's like sometimes I talk about this from a self-driving car's perspective. Which is it's a car needs to observe everything that's going on in its environment in real-time to kind of make it happen. What's it like outside, what's the speed limit, where am I on the road? Are there other issues to deal with? But then it needs to make decisions, and it needs to make decisions with precise accuracy.

In order to automate, you need to be able to make decisions with precise accuracy. You can't approach a crosswalk in a self-driving car if that day ever comes, and be unsure whether it's a shadow or a pedestrian. You just can't and you need to get down to that.

It's no different than IT, and it's no different in the observability space. Which is if you're going to automate remediation and allow people to innovate, that's going to have to happen with very precise root cause and a positive AI that's kind of underneath it and those types of things.

Mark: Well, that's a great example of that, kind of putting it in context so everybody can understand.

Monitoring Versus Observability

Mark: Carolyn, if it's okay with you, I know that Mike started tapping into this whole DevSecOps concept and I wanted to ask a question about that. Maybe you could peel in and back a little bit further, Mike. And so in a recent article by Dark Reading, you stated that today's rapid pace of innovation coupled with the complexity of modern software development has elevated the need for automated orchestration.

Mike: Yes.

Mark: Can you talk a little bit about this and how do you see this changing for us?

Mike: Yes. I remember the entire context of the article. But I certainly kind of understand the subject and kind of what we're talking about that way. This complexity curve is not going to stop. As we go from monolithic architectures to cloud architectures. As we go to containers and microservices, as we go to multi-cloud, as we go to huge scale. These systems, we go to change that just does not stop. It's kind of a constant change.

These systems are all generating immense amounts of data. Both in the variety that they're generating, the volume that they're generating, and the speed at which they're doing it. Basically what it says is things have to change in the way that you manage your systems.

We started at the top of this as monitoring versus observability. That's a good example of we just need to think, kind of change our mindsets as we're going to go through that. You have to change the way that the teams work as well. And that is getting the teams from reactive, "Hey, I've got a problem. How do I go fix it?"

Observability Data

Mike: To proactive looking at observability data, and anticipating what problems are going to come up and how do I address them before they impact end-users. Otherwise, people would just be completely buried and there'll be...

","summary":null,"date_published":"2022-05-11T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/6f516efb-6f6e-4d63-ac1e-da5f85d9964f.mp3","mime_type":"audio/mpeg","size_in_bytes":38972489,"duration_in_seconds":2782}]},{"id":"e1e28992-a7a7-4ea0-acc4-8a72c91c8bd7","title":"Episode 34: Threat Team Purple with Richard Ford","url":"https://techtransforms.fireside.fm/34","content_text":"Richard Ford, Chief Technology Officer at Praetorian joins Tech Transforms to talk about the cyber security threat landscape. Red team versus Blue team is a common and effective threat protection practice, but what could cyber security experts gain from team Purple? Listen in as Carolyn and Mark learn about the importance of managing your attack surface, implementing multi-factor authentication, and protecting against cyber phishing attacks. Episode Table of Contents[00:30] Our Biggest Cybersecurity Threat in the Last Quarter[07:39] Which Is Easier: Defense or Offense[16:40] Why Do We Need Single Sign-on[24:54] The Team Purple IdeaEpisode Links and ResourcesRichard FordPraetorianThe Clothes in the WardrobeSauces and ShapesEssentials of Classic Italian CookingGame ChangerOur Biggest Cybersecurity Threat in the Last QuarterCarolyn: So today our guest is actually an old friend, Richard Ford, who is Chief Technology Officer at Praetorian. For over 25 years, Richard has been able to design and implement NextGen product strategies and provide customers with the best threat detection available. Today, we're going to talk to Richard about the cyber threat landscape and what a good defense looks like. Richard: Hi, it's nice to be back on a call with you Carolyn, and Mark, it's good to see you.Carolyn: Yes, really good to have you today. So let's just jump right in. I want to know what your view is, what are our biggest cybersecurity threats? 
What does the cyber security threat landscape look like and how do we defend ourselves from it? So there's like three-part question there.Richard: So, we're starting with an easy question. I think the threat landscape is incredibly messy and I think that the most important part to think about is change. So if you think about just the last quarter or two that we've gone through you had, like log4shell someone we're all running around looking for log4j vulnerabilities. Then it's Spring4Shell, which wasn't as serious, but was still pretty nasty if you were impacted. The problem, we have this tremendous rate of change so the thing that was important to you yesterday may not be the thing that's important to you today. It's unlikely to be the thing that's most important for you tomorrow. So when we think about the threat landscape, the first thing to say is, if I give you an answer, it's like looking at a single, still image from a movie and telling you've watched the movie, right?Cyber Security Threat LandscapeRichard: Then as soon as we go click, you know that threat landscape will change. With that said, I do think there are some common themes that keep coming back, right? So there's a threat we have around being desperately short of people. There's a threat around, we don't know what assets we have. Even if we did know what assets we have, we don't know what they're running. Then the business conditions are driving us forward so quickly that it's difficult to keep security on the front burner. It sometimes drops to the back burner so we don't think about security as much. Perhaps, as how do I meet these business objectives that we have. I think this has created this sort of very unpleasant, perfect storm that will keep us well on our toes. I don't know, for the next couple of decades, it feels like.Carolyn: So when you say that we're constantly moving forward, changing, at the same time, I mean, are we still dealing with like SolarWinds? 
So as we're having to look to the future, we're still dealing with all the shit that's happened even a year, two years ago. Is that true, or like, are we good? We took care of it?Richard: No, it's definitely correct right, so all vulnerabilities never really go away. So you have all those things sort of trailing behind you like the comet has a tail, and new stuff coming at you. I think to be a successful CISO or to operate the business successfully, what you need to be really good at is prioritization. So it's about dealing with what is the biggest risk for you right now. Cyber Threat Landscape Varies Depending on Who You Are and What You DoRichard: And I think that leads us to a very important point that we talk about cyber threat landscape. But it's different depending on who you are and what you do. So the biggest risk, for example, for government might be very different than critical infrastructure, might be very different for sort of mom and pop SME that's sort of operating the corner store. Each one of these has a different threat landscape that they live in, different risks and different risks to the business.Not only that, but yes, this is all additive. So we still see scams for all vulnerabilities as we look at our threat intel. I remember going back a few years, there were viruses that used to trigger on certain days of the month or certain months of the year. For years afterwards, you would see these viruses fire up and start scanning things. Which means that there were still people out there who were still infected, which is just stunning to me.Carolyn: Ah, the good old days when we knew the day that it was going to happen, the day of the month it was going to happen.Richard: Yes exactly. I still remember the old Michelangelo virus, right? When it was like a trigger day was coming and everyone was counting down to what would happen on Michelangelo day. 
But I guess that just shows my age or perhaps the more positive spin is my longevity in the industry.Carolyn: Your experience.How Richard’s Experience on the Offensive Side Affected His Approach to the Defensive Cybersecurity LandscapeMark: So speaking of experience, Richard, you have an interesting background. Because you have experience in both the offensive cybersecurity landscape and the defensive cybersecurity landscape. So can you talk a little bit about how your experience working on the offensive side has impacted or affected your approach to the defensive cybersecurity landscape?Richard: Yes, so I think the offensive and defensive sides that are so intimately related, it's like thinking about two sides of a piece of paper. They're really one, you can't peel one side off a piece of paper, at least not very effectively. So I think that to play a good defense, you have to have mastered offense. I think we were chatting earlier, as we thought this through and we were talking about chess. It would be like me saying I was a chess master, but I can only play the white side of the board. I'm not very good at playing black or I'm a master at black. I'm not really very good with my white opening systems.You have to be good at both to really be rounded out. I use chess as an analogy because it's an adversarial game and that's exactly the sort of wrestling around we do in the attacker space. So I don't think you can truly be good at defense without understanding the ways of the attacker. I don't think you can be a great attacker without having a good understanding of the pain that your attacks cause to defenders. Because there are things I can do as the attacker that make certain defenses untenable, even if they're effective. In the sense that they stop me from getting in, but I can make it so it's really hard to use. 
Maybe I make it noisy for you.Which Is Easier: Defense or OffenseMark: Well, is it easier to play offense or is it easier to play defense?Richard: Oh, that's definitely an easy question. Yes. So I'll say that I've never really lost playing offense. I'm sad to say that playing defender is much harder and we can talk about why, but it's definitely easier to be on the offensive side.Carolyn: Let's talk about why.Richard: Well, I mean, step one, it's more fun, right? Who doesn't like going on the offense. It's that adrenaline rush when you sort of manage to get your exploit past some of these defenses. But I think the other thing is that if you're a business, you have this very large attack surface, right? And all of it has to be secure and it has to be secure all the time.So if you think about a pen test, a pen test might tell you that your attack surface at 7:55 PM on a Tuesday in April is perfect right? Can't get it. But an administrator spins up a box for testing or you miss patching something because a new vulnerability came out at 8:00 PM and suddenly you're vulnerable again. So as an attacker, I'm pretty good at finding vulnerabilities today. But if I don't find a vulnerability today and it gets me into your system. I'll wait till tomorrow and I'll nail your system tomorrow. You have to be good 365 days a year, 24 hours a day. I have to be good once and I can just wait for you to slip up.Mark: Do you guys do this in your current role? Do you play these games? You know, red team, blue team kind of thing?We Are Not Taking Advantage of Team PurpleRichard: Yes, we absolutely do. Praetorian is a company, it’s a mix of product offering and services offerings. Our services offerings, we absolutely do red and blue teaming with some pretty large customers. One of the things that people don't take advantage of enough is a purple team, right? Which makes it less adversarial. So the thing with the red team is we're coming in, we're going to root your network. 
That's fun and there is value for the customer. But it's very adversarial. You're trying to catch me, I'm trying to wear.\n\nWhat's really fun is a purple team where we're working on both sides of the line. We're working with the blue team to see if we can see it. And we're working as a red team to see if we can get it and that's a little bit more of a collaborative game. So there's a lot of opportunity for knowledge transfer and learning to our customers. It's not just about, can we get in? Because we pretty much always do, it's about did you see it? And how can you improve your defenses so that when you're breached that way next time, you do better?\n\nI think purple teams are actually underutilized in the industry. They do move away from this adversarial game to more of a collaborative game. I think they're more fun in some ways, too, and they have better business value.\n\nCarolyn: Would you say that the purple team is where your own employees would fall? Like you've got your unintentional insider. You've got your admin that spins up some server that you didn't even know was coming and creates this vulnerability. So is that like, just as you're describing, I haven't heard the term purple team.\n\nDo Employees Fall Under Team Purple?\n\nCarolyn: But as you were talking about it, it made me think that's where we live as employees. Is that a fair statement?\n\nRichard: Kind of. I mean, I think there's a lot of unintentional harm that we do as employees. A lot of well-intentioned moves lead to security risks. But a purple team is sort of when you blend, obviously, from the name. A red team where you've got a group of people who's trying to get in. Blue team, a group of people who's trying to stop you from getting in where you blend those. So it's more about, did you see the attack? It's about improving the defenses and the resilience of the system. 
As much as it is about breaching the system.\n\nMark: So, Richard, you've seen this kind of play out across government agencies and commercial industry. Who's better at it? Commercial or government?\n\nRichard: So I think it's really hard to lump any large group of people into buckets, right?\n\nMark: He just went right down the middle. He went purple.\n\nRichard: Yes. I mean, I think they have very different challenges for a start, right? But I think businesses range from really very, very good to really very, very bad. There are some targets that come across our radar when we're on the offensive side of the world where we're like, oh, that's a really hard target. These folks really know their onions, they really know what they're doing. We're going to have to pull out our A-game to find a win. There are other companies where it's like shooting fish in a barrel where the barrel is big and only contains fish.\n\nWho’s Better in Playing Team Purple, Government or Commercial\n\nRichard: Now the government is different. The government, especially when we're talking about the federal government, it's shocking to say this, it's a little bit more organized. Because there are certain standards that they're required to adhere to. So there's more sort of governance. Now, there are still different levels within the government and especially when you get into state government and sort of governmental agencies that have complicated missions, NASA would be a good one if we want to chat about that because they have some very interesting mission requirements.\n\nBut I'd say, in some ways, the government is a little bit more homogenous than the top end. Some of our intelligence agencies, they have pretty solid security. The fact that you can legislate and you can enforce does make some of that a little bit easier. The flip side is that it's very difficult for the government to compete on salary with a top salary in an industry. 
So there's a sort of constant sucking sound from the business side of the house pulling top talent away from the government. So they definitely have challenges around staffing.\n\nMark: Well, you talked about staffing, this is the, like the second time you brought up people. As a challenge, can you talk a little bit about that? What you've seen, how maybe it can be addressed or how you've done that in the past?\n\nRichard: Let's define the problem. Cybersecurity people are really expensive and they're hard to come by and they're hard to retain. If I was a mercenary, I could flip my job every 12 months and probably have a very nice raise sort of built into my paycheck and that's a problem.\n\nWhat the Industry Can Do to Win as Defenders\n\nRichard: There are only two ways to solve for that. You either need to get more people or you need to use technology to get better productivity out of the people that you have. The right thing to do of course, is both. You need to take that sort of left-hand and that right-hand approach. I think there's some interesting things that we can do in both that will dramatically improve the outcomes that we have as an industry.\n\nCarolyn: Going back to being a defender. You know me, Richard, I like you to just tell me like how we fix this. So give me the McDonald's version, like top three things that government, industry can do for some quick wins as defenders.\n\nRichard: So I think that it all starts with the really honest assessment of where you are in your maturity. So there's no one size fits all. Especially in the business world, there are small companies who don't have endpoint protection. Or they're not following anything that's remotely like best practice with understanding even where they are. They haven't even asked the question of what is my cyber maturity?\n\nSo I think all these discussions start with a good measure of where are you on that curve because where you are defines what you should do. 
With that said, I think that most businesses get breached because of software rot. That's something that's hanging out there and it's unpatched and you don't even know you have it.\n\nSo managing your attack surface is incredibly important. I think moving to things like single sign-on and multifactor is incredibly important. And I think having a robust set of defenses around phishing, which is the sort of easiest, common way here.\n\nWhy Do We Need Single Sign-on\n\nCarolyn: Still number one way, right?\n\nRichard: Yes.\n\nCarolyn: Like still today. It is the number one way.\n\nRichard: Yes. I mean, because people are people and computers can be quite difficult to break. But getting somebody to send me 500 Steam gift cards because I texted them can be quite easy, right? Especially if you take your time in target selection. From a mathematical standpoint, if you think about it like a game, there's no cost of predation. If I text every one of your employees say, \"Hey, this is Nathan, the CEO, can you call me back? I want you to buy some gift cards for surprise for accounting\" and boy will accounting be surprised. You know, all it takes is one person to go, \"Oh, it's the CEO. I'm so excited about that.\"\n\nCarolyn: Yes, no, I just had this conversation with my mom this morning. I said, \"Mom, there are people preying on our need to help with Ukraine right now. You're going to get asked for money from people who are bad people and who are stealing it and are not. But we're in this state of emergency right now where we all feel like we need to help. So we forget this good hygiene of don't respond to that.\"\n\nRichard: Yes, exactly. So that's why I would say things like single sign-on and multifactor go hand in hand with phishing because they can reduce some of the risks of being successful.\n\nCarolyn: Okay, but help me with single sign-on. Again, like I know it's good but if all my passwords are in one place, if they hack the single sign-on, then I'm really screwed. 
So tell me why it's more secure?\n\nWhy Single Sign-on Is Secure\n\nRichard: So, as I like to remind customers, one ring to rule them all did not work out very well for Sauron in Lord of the Rings, right? So yes, you have a single point, that's scary. And if we wind back to the news cycle, we just had a little bit of an Okta scare. Which was a really interesting story. I mean, it was a third-party issue, it wasn't core Okta, but it was still pretty scary. It made people think a lot about the value of single sign-on. But what you're doing is you're trading one set of risks for another set of risks, right? So the question is, if you don't have single sign-on, you probably have either password reuse run rampant. Or you have people getting breached because they gave up their username and passwords, they're not using multifactor. So in the sign-on, yes, you're putting your eggs in one basket, but then you need to watch that basket really carefully.\n\nCarolyn: Oh, the multi-factor thing. That's key, right?\n\nRichard: Yes. Multifactor is really important nowadays. I mean, we've all been sort of speculating about the death of the password for years. One day that prediction in a threat report's going to come true. Or we're finally going to get rid of usernames and passwords and do something that's a little bit more sophisticated. But the reality is, I think, we're stuck with it for a while, but yes, multifactor is a way to buy down risk around account breach.\n\nThe Things You Can Do to Buy Down the...","content_html":"

Richard Ford, Chief Technology Officer at Praetorian joins Tech Transforms to talk about the cyber security threat landscape. Red team versus Blue team is a common and effective threat protection practice, but what could cyber security experts gain from team Purple? Listen in as Carolyn and Mark learn about the importance of managing your attack surface, implementing multi-factor authentication, and protecting against cyber phishing attacks.


Our Biggest Cybersecurity Threat in the Last Quarter

Carolyn: So today our guest is actually an old friend, Richard Ford, who is Chief Technology Officer at Praetorian. For over 25 years, Richard has been able to design and implement NextGen product strategies and provide customers with the best threat detection available. Today, we're going to talk to Richard about the cyber threat landscape and what a good defense looks like.

Richard: Hi, it's nice to be back on a call with you Carolyn, and Mark, it's good to see you.

Carolyn: Yes, really good to have you today. So let's just jump right in. I want to know what your view is, what are our biggest cybersecurity threats? What does the cyber security threat landscape look like and how do we defend ourselves from it? So there's like three-part question there.

Richard: So, we're starting with an easy question. I think the threat landscape is incredibly messy and I think that the most important part to think about is change. So if you think about just the last quarter or two that we've gone through you had, like Log4Shell someone we're all running around looking for Log4j vulnerabilities. Then it's Spring4Shell, which wasn't as serious, but was still pretty nasty if you were impacted.

The problem, we have this tremendous rate of change so the thing that was important to you yesterday may not be the thing that's important to you today. It's unlikely to be the thing that's most important for you tomorrow. So when we think about the threat landscape, the first thing to say is, if I give you an answer, it's like looking at a single, still image from a movie and telling you've watched the movie, right?

Cyber Security Threat Landscape

Richard: Then as soon as we go click, you know that threat landscape will change. With that said, I do think there are some common themes that keep coming back, right? So there's a threat we have around being desperately short of people. There's a threat around, we don't know what assets we have. Even if we did know what assets we have, we don't know what they're running.

Then the business conditions are driving us forward so quickly that it's difficult to keep security on the front burner. It sometimes drops to the back burner so we don't think about security as much. Perhaps, as how do I meet these business objectives that we have. I think this has created this sort of very unpleasant, perfect storm that will keep us well on our toes. I don't know, for the next couple of decades, it feels like.

Carolyn: So when you say that we're constantly moving forward, changing, at the same time, I mean, are we still dealing with like SolarWinds? So as we're having to look to the future, we're still dealing with all the shit that's happened even a year, two years ago. Is that true, or like, are we good? We took care of it?

Richard: No, it's definitely correct right, so all vulnerabilities never really go away. So you have all those things sort of trailing behind you like the comet has a tail, and new stuff coming at you.

I think to be a successful CISO or to operate the business successfully, what you need to be really good at is prioritization. So it's about dealing with what is the biggest risk for you right now.

Cyber Threat Landscape Varies Depending on Who You Are and What You Do

Richard: And I think that leads us to a very important point that we talk about cyber threat landscape. But it's different depending on who you are and what you do. So the biggest risk, for example, for government might be very different than critical infrastructure, might be very different for sort of mom and pop SME that's sort of operating the corner store. Each one of these has a different threat landscape that they live in, different risks and different risks to the business.

Not only that, but yes, this is all additive. So we still see scams for all vulnerabilities as we look at our threat intel. I remember going back a few years, there were viruses that used to trigger on certain days of the month or certain months of the year. For years afterwards, you would see these viruses fire up and start scanning things. Which means that there were still people out there who were still infected, which is just stunning to me.

Carolyn: Ah, the good old days when we knew the day that it was going to happen, the day of the month it was going to happen.

Richard: Yes exactly. I still remember the old Michelangelo virus, right? When it was like a trigger day was coming and everyone was counting down to what would happen on Michelangelo day. But I guess that just shows my age or perhaps the more positive spin is my longevity in the industry.

Carolyn: Your experience.

How Richard’s Experience on the Offensive Side Affected His Approach to the Defensive Cybersecurity Landscape

Mark: So speaking of experience, Richard, you have an interesting background. Because you have experience in both the offensive cybersecurity landscape and the defensive cybersecurity landscape. So can you talk a little bit about how your experience working on the offensive side has impacted or affected your approach to the defensive cybersecurity landscape?

Richard: Yes, so I think the offensive and defensive sides that are so intimately related, it's like thinking about two sides of a piece of paper. They're really one, you can't peel one side off a piece of paper, at least not very effectively.

So I think that to play a good defense, you have to have mastered offense.

I think we were chatting earlier, as we thought this through and we were talking about chess. It would be like me saying I was a chess master, but I can only play the white side of the board. I'm not very good at playing black or I'm a master at black. I'm not really very good with my white opening systems.

You have to be good at both to really be rounded out. I use chess as an analogy because it's an adversarial game and that's exactly the sort of wrestling around we do in the attacker space. So I don't think you can truly be good at defense without understanding the ways of the attacker.

I don't think you can be a great attacker without having a good understanding of the pain that your attacks cause to defenders. Because there are things I can do as the attacker that make certain defenses untenable, even if they're effective. In the sense that they stop me from getting in, but I can make it so it's really hard to use. Maybe I make it noisy for you.

Which Is Easier: Defense or Offense

Mark: Well, is it easier to play offense or is it easier to play defense?

Richard: Oh, that's definitely an easy question. Yes. So I'll say that I've never really lost playing offense. I'm sad to say that playing defender is much harder and we can talk about why, but it's definitely easier to be on the offensive side.

Carolyn: Let's talk about why.

Richard: Well, I mean, step one, it's more fun, right? Who doesn't like going on the offense. It's that adrenaline rush when you sort of manage to get your exploit past some of these defenses. But I think the other thing is that if you're a business, you have this very large attack surface, right? And all of it has to be secure and it has to be secure all the time.

So if you think about a pen test, a pen test might tell you that your attack surface at 7:55 PM on a Tuesday in April is perfect, right? Can't get it. But an administrator spins up a box for testing or you miss patching something because a new vulnerability came out at 8:00 PM and suddenly you're vulnerable again.

So as an attacker, I'm pretty good at finding vulnerabilities today. But if I don't find a vulnerability today and it gets me into your system. I'll wait till tomorrow and I'll nail your system tomorrow. You have to be good 365 days a year, 24 hours a day. I have to be good once and I can just wait for you to slip up.

Mark: Do you guys do this in your current role? Do you play these games? You know, red team, blue team kind of thing?

We Are Not Taking Advantage of Team Purple

Richard: Yes, we absolutely do. Praetorian is a company, it’s a mix of product offering and services offerings. Our services offerings, we absolutely do red and blue teaming with some pretty large customers. One of the things that people don't take advantage of enough is a purple team, right? Which makes it less adversarial. So the thing with the red team is we're coming in, we're going to root your network. That's fun and there is value for the customer. But it's very adversarial. You're trying to catch me, I'm trying to wear.

What's really fun is a purple team where we're working on both sides of the line. We're working with the blue team to see if we can see it. And we're working as a red team to see if we can get it and that's a little bit more of a collaborative game.

So there's a lot of opportunity for knowledge transfer and learning to our customers. It's not just about, can we get in? Because we pretty much always do, it's about did you see it? And how can you improve your defenses so that when you're breached that way next time, you do better?

I think purple teams are actually underutilized in the industry. They do move away from this adversarial game to more of a collaborative game. I think they're more fun in some ways, too, and they have better business value.

Carolyn: Would you say that the purple team is where your own employees would fall? Like you've got your unintentional insider. You've got your admin that spins up some server that you didn't even know was coming and creates this vulnerability. So is that like, just as you're describing, I haven't heard the term purple team.

Do Employees Fall Under Team Purple?

Carolyn: But as you were talking about it, it made me think that's where we live as employees. Is that a fair statement?

Richard: Kind of. I mean, I think there's a lot of unintentional harm that we do as employees. A lot of well-intentioned moves lead to security risks. But a purple team is sort of when you blend, obviously, from the name. A red team where you've got a group of people who's trying to get in. Blue team, a group of people who's trying to stop you from getting in where you blend those. So it's more about, did you see the attack? It's about improving the defenses and the resilience of the system. As much as it is about breaching the system.

Mark: So, Richard, you've seen this kind of play out across government agencies and commercial industry. Who's better at it? Commercial or government?

Richard: So I think it's really hard to lump any large group of people into buckets, right?

Mark: He just went right down the middle. He went purple.

Richard: Yes. I mean, I think they have very different challenges for a start, right? But I think businesses range from really very, very good to really very, very bad. There are some targets that come across our radar when we're on the offensive side of the world where we're like, oh, that's a really hard target. These folks really know their onions, they really know what they're doing. We're going to have to pull out our A-game to find a win. There are other companies where it's like shooting fish in a barrel where the barrel is big and only contains fish.

Who’s Better in Playing Team Purple, Government or Commercial

Richard: Now the government is different. The government, especially when we're talking about the federal government, it's shocking to say this, it's a little bit more organized. Because there are certain standards that they're required to adhere to. So there's more sort of governance.

Now, there are still different levels within the government and especially when you get into state government and sort of governmental agencies that have complicated missions, NASA would be a good one if we want to chat about that because they have some very interesting mission requirements.

But I'd say, in some ways, the government is a little bit more homogenous than the top end. Some of our intelligence agencies, they have pretty solid security. The fact that you can legislate and you can enforce does make some of that a little bit easier. The flip side is that it's very difficult for the government to compete on salary with a top salary in an industry. So there's a sort of constant sucking sound from the business side of the house pulling top talent away from the government. So they definitely have challenges around staffing.

Mark: Well, you talked about staffing, this is the, like the second time you brought up people. As a challenge, can you talk a little bit about that? What you've seen, how maybe it can be addressed or how you've done that in the past?

Richard: Let's define the problem. Cybersecurity people are really expensive and they're hard to come by and they're hard to retain. If I was a mercenary, I could flip my job every 12 months and probably have a very nice raise sort of built into my paycheck and that's a problem.

What the Industry Can Do to Win as Defenders

Richard: There are only two ways to solve for that. You either need to get more people or you need to use technology to get better productivity out of the people that you have. The right thing to do of course, is both. You need to take that sort of left-hand and that right-hand approach. I think there's some interesting things that we can do in both that will dramatically improve the outcomes that we have as an industry.

Carolyn: Going back to being a defender. You know me, Richard, I like you to just tell me like how we fix this. So give me the McDonald's version, like top three things that government, industry can do for some quick wins as defenders.

Richard: So I think that it all starts with the really honest assessment of where you are in your maturity. So there's no one size fits all. Especially in the business world, there are small companies who don't have endpoint protection. Or they're not following anything that's remotely like best practice with understanding even where they are. They haven't even asked the question of what is my cyber maturity?

So I think all these discussions start with a good measure of where are you on that curve because where you are defines what you should do. With that said, I think that most businesses get breached because of software rot. That's something that's hanging out there and it's unpatched and you don't even know you have it.

So managing your attack surface is incredibly important. I think moving to things like single sign-on and multifactor is incredibly important. And I think having a robust set of defenses around phishing, which is the sort of easiest, common way here.

Why Do We Need Single Sign-on

Carolyn: Still number one way, right?

Richard: Yes.

Carolyn: Like still today. It is the number one way.

Richard: Yes. I mean, because people are people and computers can be quite difficult to break. But getting somebody to send me 500 Steam gift cards because I texted them can be quite easy, right? Especially if you take your time in target selection. From a mathematical standpoint, if you think about it like a game, there's no cost of predation. If I text every one of your employees say, "Hey, this is Nathan, the CEO, can you call me back? I want you to buy some gift cards for surprise for accounting" and boy will accounting be surprised. You know, all it takes is one person to go, "Oh, it's the CEO. I'm so excited about that."

Carolyn: Yes, no, I just had this conversation with my mom this morning. I said, "Mom, there are people preying on our need to help with Ukraine right now. You're going to get asked for money from people who are bad people and who are stealing it and are not. But we're in this state of emergency right now where we all feel like we need to help. So we forget this good hygiene of don't respond to that."

Richard: Yes, exactly. So that's why I would say things like single sign-on and multifactor go hand in hand with phishing because they can reduce some of the risks of being successful.

Carolyn: Okay, but help me with single sign-on. Again, like I know it's good but if all my passwords are in one place, if they hack the single sign-on, then I'm really screwed. So tell me why it's more secure?

Why Single Sign-on Is Secure

Richard: So, as I like to remind customers, one ring to rule them all did not work out very well for Sauron in Lord of the Rings, right? So yes, you have a single point, that's scary. And if we wind back to the news cycle, we just had a little bit of an Okta scare. Which was a really interesting story. I mean, it was a third-party issue, it wasn't core Okta, but it was still pretty scary. It made people think a lot about the value of single sign-on. But what you're doing is you're trading one set of risks for another set of risks, right?

So the question is, if you don't have single sign-on, you probably have either password reuse run rampant. Or you have people getting breached because they gave up their username and passwords, they're not using multifactor. So in the sign-on, yes, you're putting your eggs in one basket, but then you need to watch that basket really carefully.

Carolyn: Oh, the multi-factor thing. That's key, right?

Richard: Yes. Multifactor is really important nowadays. I mean, we've all been sort of speculating about the death of the password for years. One day that prediction in a threat report's going to come true. Or we're finally going to get rid of usernames and passwords and do something that's a little bit more sophisticated. But the reality is, I think, we're stuck with it for a while, but yes, multifactor is a way to buy down risk around account breach.

The Things You Can Do to Buy Down the...

","summary":null,"date_published":"2022-05-04T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/4b7ab6b5-f961-4c27-887d-b2f841423234.mp3","mime_type":"audio/mpeg","size_in_bytes":30405562,"duration_in_seconds":2170}]},{"id":"f302d53e-4469-4f3c-982b-d9cbe2b7c39e","title":"Episode 33: So What? Tech Transforms Federal News Round-up with Katy Craig","url":"https://techtransforms.fireside.fm/33","content_text":"Join us on Tech Transforms Federal News Round-up segment, So What? Hosted by Carolyn Ford and Tracy Bannon. This week, we talk to Katy Craig, retired Navy Chief, now Adjunct Faculty at National University, & Director, Security Architecture at Aquia, Inc. about some of the biggest news in the federal space. Listen in to hear her thoughts around deep fakes, non-traditional warfare, and President Biden's recently released announcement to protect against cyber attacks.\n\nEpisode Table of Contents\n[00:25] Monthly Federal News Roundup\n[02:20] Federal News #1: President Biden’s Cyber Security Fact Sheet\n[10:12] The Catalyst\n[14:24] Federal News #2: Zelenskyy’s Deepfake\n[20:55] Federal News #3: The Threat Model\n[25:26] Federal News #4: Russia Is Running Out of Storage Space\n\nEpisode Links and Resources\nKaty Craig\nAquia\nFact Sheet\nOrder 14028\n\nMonthly Federal News Roundup\n\nCarolyn: This week, we are launching our newest series, 'So what?' It is Tech Transforms' federal news roundup. Every month, Tracy Bannon, senior principal at MITRE joins me to unpack some of the biggest trending news topics in federal technology. Tracy, we've been trying to do this, make this happen for a while. I am so happy that this is our inaugural episode.\n\nTracy: Thank you. 
I'm really excited because there's so much incredible stuff going on and we keep talking and now we want to talk with others and I'm doubly excited to have a good friend and mentor with us today for our first episode, Katy Craig.\n\nCarolyn: Yes, and Katy is a return guest. 
We've had her in the past on Tech Transforms and Katy is Aquia's chief of staff, cyber security expert, and retired Navy chief. Today, we're going to talk about, really the number one headline in the news these days. We keep hearing terms like nontraditional warfare, which is essentially the fifth domain of cyber, and President Biden's recent cyber security fact sheet. And just what it all means, like why is it all happening right now? And I want to just go straight to President Biden's recent announcement, this fact sheet that is. It's titled 'Act Now to Protect Against Potential Cyberattacks'. I want to go to you Tracy, and just unpack this for us. What does it mean?\n\nFederal News #1: President Biden’s Cyber Security Fact Sheet\n\nTracy: So I believe it was March 21st, the White House released this set of guidance and it is really practical, general guidance. And it really is focused on two different areas. It's kind of like for everybody, for corporate America back up your data, use multifactor authentication, encrypt your data. There's also a call to arms, to tech companies and software organizations that says, you know what, there's a NIST standard and we have an order out here, it's order 14028. We can provide all the links later. But those two things, they're saying we got to get real about this. And the reason that it came out now is that we need to hear it now with all of the things that are going on in the Ukraine. It was an opportune time. We've had all kinds of security incidents and breaches and other things over the last year or two, but there are some shockers that are coming to the surface that made this very timely for the White House to release this guidance.\n\nCarolyn: So you really feel like this guidance came out because of the war in Ukraine?\n\nTracy: I think it was probably teed up before that, probably for quite a while. None of goes very quickly. Any kind of guidance that comes out in this way has good generalized information. 
I would've put it out a year or two ago at least, if not before that. So for me, a little late to the game, but I'll take late because it's there and we've got to have a full-court press around this.\n\nA Call to Federal Agencies, Industry, & Commercial\n\nTracy: I'll say the one thing that I found super curious in the entire set of materials was that there is a call that says, \"Hey, all of you corporations, doesn't matter how big or small you are, get to know your local FBI field office or your CISA regional office.\" Which is your, I think it's cyber security and infrastructure security agency. I thought that was curious because it kind of meant to me, it was kind of a leading indicator that there might be more that's on the horizon that we're not anticipating, if I need to have a relationship with the FBI.\n\nCarolyn: Interesting, this is a call to our federal agencies and to industry to commercial.\n\nTracy: It is absolutely. The first section is a call to corporate America. Hey, corporations do this and get to know your FBI field offices. The second part of it is all around tech companies and software companies. He doesn't necessarily directly say, \"Hey you government agencies, hey DoD, hey IRS, hey any of your organizations.\" It's for the population. This is a broad sweeping set of recommendations.\n\nCarolyn: Katy, do you want to comment on the significance of the timing and just this announcement in general?\n\nKaty: Yes. I agree with Tracy that I think it's probably been in the works for some time, better late than never. I think the encouragement for agency or organizations and industry to reach out to CISA and FBI speaks to both pre-positioning for if something else does happen and we have to coordinate. It will be helpful for organizations to know their local FBI and CISA rep.\n\nExecutive Order 14028\n\nKaty: But it ties back to the executive order that he released on zero trust, 14028, Tracy mentioned. 
There's guidance in there for government agencies to encourage vulnerability reports. Almost like if you find something vulnerable in our site or any of our systems or services, please tell us. So this move toward transparency, it's new and it's not yet been codified. Don't forget, there are still some states where if you report a bug in a website, they can arrest you for violating computer privacy statutes and regulations. So this is very curious because it's kind of out ahead of the legislation, but it really does point to, we need to be transparent. We can't have silos. We have to share the information across, especially if we're worried about critical infrastructure, like we are.\n\nCarolyn: Okay. You've talked about this a lot, Katy, about trust in culture, our work environment culture, and you just said that if I report a bug, I can get arrested. How is this going to work? If we're being called to, if we see something, say something, and oh, by the way, you might get arrested. Did I just interpret that wrong?\n\nKaty: No, you didn't. That's the conflict that currently exists and why government and the administration is making it very explicit and overt. Please get to know CISA, get to know FBI. I'm sure there's federal encouragement across the states to update their cyber legislation.\n\nFederal News #2: Now Is When We Need More Trust\n\nKaty: Because the law currently is like, if you hack, or if you use a system not for the intent that it was meant to be used for, the laws are currently written to punish the person who got in. So it's a sticky wicket, something that I'm sure they're thinking about. But to me, that's what I hear the president saying. Like, we know that we have been very discouraging in the past when you let us know we had vulnerabilities in our systems. That time's over. We want to encourage, we want to have bug bounties, we want to splash on our pages that say, \"If you find anything, let us know.\" And so I think that's really what's being discussed here. 
It's time for us to be more trusting and transparent between industry and government.\n\nCarolyn: Okay. I see. So this fact sheet is hopefully a way to build some trust back.\n\nKaty: It restates what's in executive order 14028, which encourages more transparency, which tells the federal government, you will be more welcoming to vulnerability reports. So that is the direction we have to go in if we expect industry to do this with us, with the government.\n\nTracy: I mean, at the core center of this is getting back to trust, trust, and trust. Which is boy, that's quite a commodity right now. And I don't mean that in a negative way. I mean, it's hard to come by trust and trustworthiness at all different levels, interpersonal, corporate, governmental, government to government. It is messier than it has ever been. And yet now is when we need more trust than we've ever had, or at least the scaffolding to provide us with that trust.\n\nThe Catalyst\n\nTracy: I kind of think that's where you're going, Katy, is that this gives some scaffolding. If we're going to be transparent, this gives more scaffolding to people to react.\n\nKaty: Yes. I mean you think about private industries, they're not required to. And so what incentives do they have to be open about a vulnerability they've discovered, right? So it's going to take some time for policy and legislation to catch up, but I agree. The scaffolding, it needs to be in place so at least there's a means and a method for sharing the information, especially if something major happens.\n\nTracy: And do you think any part of this was driven by, the timing of this was driven by what we're seeing in the Ukraine or any other catalyst moment?\n\nKaty: Yes, I do. I think we've seen this before, this isn't new, right? We can think about the last time critical infrastructure was brought down by cyber. There's been several incidents in recent history. I mean, we saw the signs, the intel was there, and when Russia annexed the Crimea, they used cyber also. 
I think all of us are seeing the impacts of the Russian invasion in Ukraine. Some of the coverage, how certain American social media companies like immediately shut down. The fact that so much of our world economy is supported by cyber, by the networks, by internet protocol traffic, logistics is impacted, all of it. There's so many ways to hurt a state or a country. And cyber is a very low barrier to entry now.\n\nHow Important Is the Fifth Domain\n\nKaty: And it's kind of like, what can you trust if anybody can get in there and start mucking around with your networks? I think the fact that Russia and Ukraine are at war, it's obviously a catalyst for why President Biden is paying more attention to the fifth domain, in my opinion.\n\nCarolyn: How important is the fifth domain in any war, but specifically right now with the Ukraine?\n\nTracy: I think it's front and center. We're watching what's happening on the ground. We are seeing new technologies like the usage of drones, and so we're seeing six gen and other UASS. So the autonomous vehicles, unmanned autonomous vehicles. But at the end of the day, we're also seeing this dramatic impact on the different pieces of cyber, how we can impact the population, how we can impact the country, how we can shake the foundations in very different ways. It's not only mucking with the network as Katy would say, it's not just that. Also, it's being able to find different ways to affect people groups. It's interesting, my daughter did some studies in how social media could help as there's new government uprisings. And she was looking in the Middle East a number of years ago, and I paid attention to it a little bit, but didn't apply it in my day to day. Until this Ukraine thing popped up on the horizon and we started to realize how much you could influence a population.\n\nI mean, think about the deepfake that came out in March about Zelenskyy. It was very poorly done, thank heavens, and he had already prepared for it. 
But here he is in this deepfake.\n\nFederal News #2: Zelenskyy’s Deepfake\n\nTracy: If you're not familiar with what a deepfake is, they can sample enough of your different recordings of you and your voice to be able to put together an algorithm of you saying something. And there have been some famous ones of Tom Cruise and other people that are wonderful and fun. This wasn't wonderful or fun. This was Zelenskyy saying, \"Hey, countrymen, we're going to surrender.\" And he very quickly, immediately shot back so there was that fast credibility. It was poor quality, and he immediately was credible to come and say, \"This is bunk. This is not me.\"\n\nBut just imagine, imagine as those deepfakes get better and better, that's got to scare people. Not just from a government perspective, but that has to scare corporate America as well. Katy, are you seeing people concerned about deepfakes or doing anything to obfuscate or to protect themselves or, what do we do about that piece? That's such a scare. For me, I normally don't believe something. I go and look at it. Well, now I'm going to look at it and now I find out that my reality is bunk.\n\nKaty: Yes. I'm scared too. I don't even know how to respond. I mean my mind is churning like how would I validate it? Because I usually believe my eyes. I'm like you, I go and look it up. I want to validate what I'm being told or what I'm reading. And so these deepfakes are super concerning. I know that there are people who are less skeptical than I am, who just believe what they see or what they hear. I mean, like even in my own family. So I do get very, very worried about that type of technology in the hands of very skilled propagandists.\n\nHow Cyber Ties Into the Kinetic Part of Warfare\n\nTracy: There are a couple of companies that I'm learning about who are debunking deepfakes. They've got algorithmic techniques that they can figure out very quickly if it was manipulated.\n\nKaty: Fantastic. That's what's wonderful about cyber, right? 
Something happens that we didn't know or didn't have before, and maybe it's used for bad. So up springs a counter force to fight for good. And so that's how the cyber domain keeps evolving. We don't even know yet what the future's going to hold really.\n\nCarolyn: So yes, we talk about the deepfakes and they are very scary. And then I think about guys on the ground that are fighting with guns and dying. How does cyber tie into the kinetic part of warfare? So we hear this untraditional, nontraditional warfare. I was like, that's not right. So deepfakes definitely like the psychological part of it is devastating, but I feel like there's a tie into the kinetic part of it too, from the cyber angle. Can either of you, Katy, can you speak to that?\n\nKaty: Everything's enabled by cyber, so it's not any different for armies and navies either. And you know, like Tracy was mentioning unmanned craft, autonomous vehicles, that is the future of warfare. When you think about like Navy ships out in flotillas, they chat. I mean to be sure there are fallback methods. But when you think about GPS and timing and how easily you can take down a force's ability to fight back by attacking a logistics chain. Or disrupting their air traffic control, all the systems, all the infrastructure that is facilitated by cyber then becomes part of the battlefield.\n\nLower Barrier to Entry\n\nKaty: And so the fifth domain, cyber, being added to sea, airspace, and land that's in there for quite a while. I think DoD has been dealing with cyber as a war-fighting domain for well over 10 years. So now it's almost like in a lot of ways, it's still the same as the other wars in the past. It's just, we have better means and greater reach and technology is just making the battlefield and the war smaller. 
But psychological operations, propaganda, misinformation, those have always been part of the approach.\n\nCarolyn: And easier to do because of cyber.\n\nTracy: It is easier.\n\nKaty: Low barrier to entry.\n\nTracy: It's a much lower barrier to entry. Again, going back to the deepfake mentality, before it might have been a leaflet or a pamphlet, right? A couple of generations ago. I could choose to read that and say, it's bunk or it's real. But it's much harder when you are looking for right, we used to turn on the TV to get on news and the news was true. Now, what do we turn to? And I'm not talking about news sources. I mean, what if that deepfake, getting people to identify that as early as possible.\n\nAnd Katy, you brought up something else about trying to reduce the number of humans on the battlefield. It brought to mind an example of a cybersecurity, one of many, many, many cybersecurity risks. If we're thinking about a drone, for example, if we're thinking about the ability to have unmanned weapons. So there's talk about what that's going to look like in the future.\n\nFederal News #3: The Threat Model\n\nTracy: There are a number of different protocols that are being discussed on what you can and cannot do. But imagine the situation where they send an armed drone to take out a tank. From a cyber perspective, somebody taps into that and changes the algorithm. So it's not really seeking a tank. It's now seeking a school bus.\n\nThat potential is hyper-scary from that perspective when we think about tapping into networks. So the core of all of this, our ability to rapidly identify, predict, identify, and to deal with cyber is an amazing thing that we have to double down on. And I know, Katy, you've been in this space for a long time dealing with that. But how does that change or do you think it changes? Do you think it amplifies what we're doing these days from a ZTA and from looking at the threat modeling? Does it change the threat model? Does it make it bigger?\n\nKaty: Absolutely. 
It does make the surface bigger, but arming an autonomous vehicle with live ordnance and then pointing it at an adversary's infrastructure or enemy armored vehicle, I don't know how soon we're going to get there. There's just so much like international laws about armed conflict that I think would have to be revisited. It's still kind of a gray area when we cross from cyber to kinetic. Whether or not the nation is justified and you in escalating to kinetic, for example. Even today we're not really responding or hacking back. If someone hacks us, we say we're defending forward.\n\nWe All Live in The Same House\n\nKaty: Nobody's really stepped out there yet to clearly define how using cyber with kinetic impacts, how that's changing the laws of armed conflict. I don't think we're going to be able to answer that today either. But it's definitely introducing far more complexity and it's moving so much faster than we can actually codify and update laws and policies and treaties.\n\nTracy: And I think it's going to depend on the different nations, right? The different actors in all of this. My question kind of came from some reading I was doing. I read a book recently called 'The Kill Chain'. I think it's by Cameron Boozer. I'll find the name and post it out. But that led me on a little bit of an afternoon Google chase one day, trying to understand. And there have been some recent tests by China that would point to them preparing and trying to figure out how they would do this....","content_html":"

Join us on Tech Transforms Federal News Round-up segment, So What? Hosted by Carolyn Ford and Tracy Bannon. This week, we talk to Katy Craig, retired Navy Chief, now Adjunct Faculty at National University, & Director, Security Architecture at Aquia, Inc. about some of the biggest news in the federal space. Listen in to hear her thoughts around deep fakes, non-traditional warfare, and President Biden's recently released announcement to protect against cyber attacks.

Monthly Federal News Roundup

Carolyn: This week, we are launching our newest series, 'So what?' It is Tech Transforms' federal news roundup. Every month, Tracy Bannon, senior principal at MITRE joins me to unpack some of the biggest trending news topics in federal technology. Tracy, we've been trying to do this, make this happen for a while. I am so happy that this is our inaugural episode.

Tracy: Thank you. I'm really excited because there's so much incredible stuff going on and we keep talking and now we want to talk with others and I'm doubly excited to have a good friend and mentor with us today for our first episode, Katy Craig.

Carolyn: Yes, and Katy is a return guest. We've had her in the past on Tech Transforms and Katy is Aquia's chief of staff, cyber security expert, and retired Navy chief. Today, we're going to talk about, really the number one headline in the news these days.

We keep hearing terms like nontraditional warfare, which is essentially the fifth domain of cyber, and President Biden's recent cyber security fact sheet. And just what it all means, like why is it all happening right now? And I want to just go straight to President Biden's recent announcement, this fact sheet that is. It's titled 'Act Now to Protect Against Potential Cyberattacks'. I want to go to you Tracy, and just unpack this for us. What does it mean?

Federal News #1: President Biden’s Cyber Security Fact Sheet

Tracy: So I believe it was March 21st, the White House released this set of guidance and it is really practical, general guidance. And it really is focused on two different areas. It's kind of like for everybody, for corporate America back up your data, use multifactor authentication, encrypt your data. There's also a call to arms, to tech companies and software organizations that says, you know what, there's a NIST standard and we have an order out here, it's order 14028. We can provide all the links later.

But those two things, they're saying we got to get real about this. And the reason that it came out now is that we need to hear it now with all of the things that are going on in the Ukraine. It was an opportune time. We've had all kinds of security incidents and breaches and other things over the last year or two, but there are some shockers that are coming to the surface that made this very timely for the White House to release this guidance.

Carolyn: So you really feel like this guidance came out because of the war in Ukraine?

Tracy: I think it was probably teed up before that, probably for quite a while. None of it goes very quickly. Any kind of guidance that comes out in this way has good generalized information. I would've put it out a year or two ago at least, if not before that. So for me, a little late to the game, but I'll take late because it's there and we've got to have a full-court press around this.

A Call to Federal Agencies, Industry, & Commercial

Tracy: I'll say the one thing that I found super curious in the entire set of materials was that there is a call that says, "Hey, all of you corporations, doesn't matter how big or small you are, get to know your local FBI field office or your CISA regional office." Which is your, I think it's Cybersecurity and Infrastructure Security Agency. I thought that was curious because it kind of meant to me, it was kind of a leading indicator that there might be more that's on the horizon that we're not anticipating, if I need to have a relationship with the FBI.

Carolyn: Interesting, this is a call to our federal agencies and to industry to commercial.

Tracy: It is absolutely. The first section is a call to corporate America. Hey, corporations do this and get to know your FBI field offices. The second part of it is all around tech companies and software companies. He doesn't necessarily directly say, "Hey you government agencies, hey DoD, hey IRS, hey any of your organizations." It's for the population. This is a broad sweeping set of recommendations.

Carolyn: Katy, do you want to comment on the significance of the timing and just this announcement in general?

Katy: Yes. I agree with Tracy that I think it's probably been in the works for some time, better late than never. I think the encouragement for agency or organizations and industry to reach out to CISA and FBI speaks to both pre-positioning for if something else does happen and we have to coordinate. It will be helpful for organizations to know their local FBI and CISA rep.

Executive Order 14028

Katy: But it ties back to the executive order that he released on zero trust, 14028, Tracy mentioned. There's guidance in there for government agencies to encourage vulnerability reports. Almost like if you find something vulnerable in our site or any of our systems or services, please tell us.

So this move toward transparency, it's new and it's not yet been codified. Don't forget, there are still some states where if you report a bug in a website, they can arrest you for violating computer privacy statutes and regulations.

So this is very curious because it's kind of out ahead of the legislation, but it really does point to, we need to be transparent. We can't have silos. We have to share the information across, especially if we're worried about critical infrastructure, like we are.

Carolyn: Okay. You've talked about this a lot, Katy, about trust in culture, our work environment culture, and you just said that if I report a bug, I can get arrested. How is this going to work? If we're being called to, if we see something, say something, and oh, by the way, you might get arrested. Did I just interpret that wrong?

Katy: No, you didn't. That's the conflict that currently exists and why government and the administration is making it very explicit and overt. Please get to know CISA, get to know FBI. I'm sure there's federal encouragement across the states to update their cyber legislation.

Federal News #2: Now Is When We Need More Trust

Katy: Because the law currently is like, if you hack, or if you use a system not for the intent that it was meant to be used for, the laws are currently written to punish the person who got in.

So it's a sticky wicket, something that I'm sure they're thinking about. But to me, that's what I hear the president saying. Like, we know that we have been very discouraging in the past when you let us know we had vulnerabilities in our systems. That time's over. We want to encourage, we want to have bug bounties, we want to splash on our pages that say, "If you find anything, let us know." And so I think that's really what's being discussed here. It's time for us to be more trusting and transparent between industry and government.

Carolyn: Okay. I see. So this fact sheet is hopefully a way to build some trust back.

Katy: It restates what's in executive order 14028, which encourages more transparency, which tells the federal government, you will be more welcoming to vulnerability reports. So that is the direction we have to go in if we expect industry to do this with us, with the government.

Tracy: I mean, at the core center of this is getting back to trust, trust, and trust. Which is boy, that's quite a commodity right now. And I don't mean that in a negative way. I mean, it's hard to come by trust and trustworthiness at all different levels, interpersonal, corporate, governmental, government to government. It is messier than it has ever been. And yet now is when we need more trust than we've ever had, or at least the scaffolding to provide us with that trust.

The Catalyst

Tracy: I kind of think that's where you're going, Katy, is that this gives some scaffolding. If we're going to be transparent, this gives more scaffolding to people to react.

Katy: Yes. I mean you think about private industries, they're not required to. And so what incentives do they have to be open about a vulnerability they've discovered, right? So it's going to take some time for policy and legislation to catch up, but I agree. The scaffolding, it needs to be in place so at least there's a means and a method for sharing the information, especially if something major happens.

Tracy: And do you think any part of this was driven by, the timing of this was driven by what we're seeing in the Ukraine or any other catalyst moment?

Katy: Yes, I do. I think we've seen this before, this isn't new, right? We can think about the last time critical infrastructure was brought down by cyber. There's been several incidents in recent history. I mean, we saw the signs, the intel was there, and when Russia annexed the Crimea, they used cyber also. I think all of us are seeing the impacts of the Russian invasion in Ukraine.

Some of the coverage, how certain American social media companies like immediately shut down. The fact that so much of our world economy is supported by cyber, by the networks, by internet protocol traffic, logistics is impacted, all of it. There's so many ways to hurt a state or a country. And cyber is a very low barrier to entry now.

How Important Is the Fifth Domain

Katy: And it's kind of like, what can you trust if anybody can get in there and start mucking around with your networks? I think the fact that Russia and Ukraine are at war, it's obviously a catalyst for why President Biden is paying more attention to the fifth domain, in my opinion.

Carolyn: How important is the fifth domain in any war, but specifically right now with the Ukraine?

Tracy: I think it's front and center. We're watching what's happening on the ground. We are seeing new technologies like the usage of drones, and so we're seeing six gen and other UASS. So the autonomous vehicles, unmanned autonomous vehicles. But at the end of the day, we're also seeing this dramatic impact on the different pieces of cyber, how we can impact the population, how we can impact the country, how we can shake the foundations in very different ways.

It's not only mucking with the network as Katy would say, it's not just that. Also, it's being able to find different ways to affect people groups. It's interesting, my daughter did some studies in how social media could help as there's new government uprisings. And she was looking in the Middle East a number of years ago, and I paid attention to it a little bit, but didn't apply it in my day to day. Until this Ukraine thing popped up on the horizon and we started to realize how much you could influence a population.

I mean, think about the deepfake that came out in March about Zelenskyy. It was very poorly done, thank heavens, and he had already prepared for it. But here he is in this deepfake.

Federal News #2: Zelenskyy’s Deepfake

Tracy: If you're not familiar with what a deepfake is, they can sample enough of your different recordings of you and your voice to be able to put together an algorithm of you saying something.

And there have been some famous ones of Tom Cruise and other people that are wonderful and fun. This wasn't wonderful or fun. This was Zelenskyy saying, "Hey, countrymen, we're going to surrender." And he very quickly, immediately shot back so there was that fast credibility. It was poor quality, and he immediately was credible to come and say, "This is bunk. This is not me."

But just imagine, imagine as those deepfakes get better and better, that's got to scare people. Not just from a government perspective, but that has to scare corporate America as well. Katy, are you seeing people concerned about deepfakes or doing anything to obfuscate or to protect themselves or, what do we do about that piece? That's such a scare. For me, I normally don't believe something. I go and look at it. Well, now I'm going to look at it and now I find out that my reality is bunk.

Katy: Yes. I'm scared too. I don't even know how to respond. I mean my mind is churning like how would I validate it? Because I usually believe my eyes. I'm like you, I go and look it up. I want to validate what I'm being told or what I'm reading. And so these deepfakes are super concerning. I know that there are people who are less skeptical than I am, who just believe what they see or what they hear. I mean, like even in my own family. So I do get very, very worried about that type of technology in the hands of very skilled propagandists.

How Cyber Ties Into the Kinetic Part of Warfare

Tracy: There are a couple of companies that I'm learning about who are debunking deepfakes. They've got algorithmic techniques that they can figure out very quickly if it was manipulated.

Katy: Fantastic. That's what's wonderful about cyber, right? Something happens that we didn't know or didn't have before, and maybe it's used for bad. So up springs a counter force to fight for good. And so that's how the cyber domain keeps evolving. We don't even know yet what the future's going to hold really.

Carolyn: So yes, we talk about the deepfakes and they are very scary. And then I think about guys on the ground that are fighting with guns and dying. How does cyber tie into the kinetic part of warfare? So we hear this untraditional, nontraditional warfare. I was like, that's not right. So deepfakes definitely like the psychological part of it is devastating, but I feel like there's a tie into the kinetic part of it too, from the cyber angle. Can either of you, Katy, can you speak to that?

Katy: Everything's enabled by cyber, so it's not any different for armies and navies either. And you know, like Tracy was mentioning unmanned craft, autonomous vehicles, that is the future of warfare. When you think about like Navy ships out in flotillas, they chat. I mean to be sure there are fallback methods. But when you think about GPS and timing and how easily you can take down a force's ability to fight back by attacking a logistics chain. Or disrupting their air traffic control, all the systems, all the infrastructure that is facilitated by cyber then becomes part of the battlefield.

Lower Barrier to Entry

Katy: And so the fifth domain, cyber, being added to sea, airspace, and land that's in there for quite a while. I think DoD has been dealing with cyber as a war-fighting domain for well over 10 years. So now it's almost like in a lot of ways, it's still the same as the other wars in the past. It's just, we have better means and greater reach and technology is just making the battlefield and the war smaller. But psychological operations, propaganda, misinformation, those have always been part of the approach.

Carolyn: And easier to do because of cyber.

Tracy: It is easier.

Katy: Low barrier to entry.

Tracy: It's a much lower barrier to entry. Again, going back to the deepfake mentality, before it might have been a leaflet or a pamphlet, right? A couple of generations ago. I could choose to read that and say, it's bunk or it's real. But it's much harder when you are looking for right, we used to turn on the TV to get on news and the news was true. Now, what do we turn to? And I'm not talking about news sources. I mean, what if that deepfake, getting people to identify that as early as possible.

And Katy, you brought up something else about trying to reduce the number of humans on the battlefield. It brought to mind an example of a cybersecurity, one of many, many, many cybersecurity risks. If we're thinking about a drone, for example, if we're thinking about the ability to have unmanned weapons. So there's talk about what that's going to look like in the future.

Federal News #3: The Threat Model

Tracy: There are a number of different protocols that are being discussed on what you can and cannot do. But imagine the situation where they send an armed drone to take out a tank. From a cyber perspective, somebody taps into that and changes the algorithm. So it's not really seeking a tank. It's now seeking a school bus.

That potential is hyper-scary from that perspective when we think about tapping into networks. So the core of all of this, our ability to rapidly identify, predict, identify, and to deal with cyber is an amazing thing that we have to double down on. And I know, Katy, you've been in this space for a long time dealing with that. But how does that change or do you think it changes? Do you think it amplifies what we're doing these days from a ZTA and from looking at the threat modeling? Does it change the threat model? Does it make it bigger?

Katy: Absolutely. It does make the surface bigger, but arming an autonomous vehicle with live ordnance and then pointing it at an adversary's infrastructure or enemy armored vehicle, I don't know how soon we're going to get there. There's just so much like international laws about armed conflict that I think would have to be revisited. It's still kind of a gray area when we cross from cyber to kinetic. Whether or not the nation is justified and you in escalating to kinetic, for example.

Even today we're not really responding or hacking back. If someone hacks us, we say we're defending forward.

We All Live in The Same House

Katy: Nobody's really stepped out there yet to clearly define how using cyber with kinetic impacts, how that's changing the laws of armed conflict. I don't think we're going to be able to answer that today either. But it's definitely introducing far more complexity and it's moving so much faster than we can actually codify and update laws and policies and treaties.

Tracy: And I think it's going to depend on the different nations, right? The different actors in all of this. My question kind of came from some reading I was doing. I read a book recently called 'The Kill Chain'. I think it's by Cameron Boozer. I'll find the name and post it out.

But that led me on a little bit of an afternoon Google chase one day, trying to understand. And there have been some recent tests by China that would point to them preparing and trying to figure out how they would do this....

","summary":null,"date_published":"2022-04-27T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/6ecb0243-d3cc-4145-8469-c03449685f7b.mp3","mime_type":"audio/mpeg","size_in_bytes":30416199,"duration_in_seconds":2171}]},{"id":"91187d5f-d8fd-401b-a573-bd1b6f7a616c","title":"Episode 32: Women in Tech Part 2 with Space Force's Jazmin Furtado and U.S. Army's Kris Saling","url":"https://techtransforms.fireside.fm/32","content_text":"Listen in for part 2 of our women's panel with Kris Saling, Chief Analytics Officer for the Army Talent Management Task Force and Director of People Analytics in the office of the Assistant Secretary of the Army (Manpower & Reserve Affairs), and Jazmin Furtado, Liaison at AI Accelerator and Data Strategy Lead at US Space Force. In this episode, Carolyn, Kris, and Jazmin get real about the power of the collective, emerging solutions, and the importance to assess and provide within federal government technology. Episode Table of Contents[00:31] Meditation Is Really Good[07:40] Where Are We Going With AI[13:14] Are Women in Tech Paid Equal Like Their Male Counterparts[20:40] Tell People How Much You’re MakingEpisode Links and ResourcesKris SalingJazmin FurtadoM&RASpace ForceMarket Connections SurveyMeditation Is Really GoodCarolyn: We are in part two of our women in technology panel, with Kris Saling, Deputy Director of Army People Analytics, and Captain Jazmin Furtado a Data Strategy Lead at the US Space Force and Space Force Liaison at the MIT AI Accelerator.On today's episode, we're going to dive more into government technology in general. I get Kris and Jazmin to do a little fortune-telling on where tech is headed. What advancements they've seen in their careers. And we get real with some salary talk. Just a little reminder, the views of Kris and Jazmin are their own and do not necessarily reflect the views of their agencies. 
Now let's get to it on Tech Transforms with our women panel. I know that meditation is really good for the monks that live in caves in India. And I know that I should probably do it. Until I saw the science behind it and what it can really do for my brain. I dabbled in it. I never fully embraced it. And once I started understanding why it was working and that there was true science behind it, man, I'm all in. I'm just thinking of just one example of things that are good for me in my life, that I've been able to embrace and bring into my life because I understand them. I understand how they work rather than like you said, Kris, the leadership saying, \"No, we don't give a shit about how you got there. Just give us the answer.\"\n\nMake The Process More Efficient\n\nCarolyn: But now you're getting people who really want to understand why. I would imagine that the program for the answers that you've been spoonfeeding them. The programs are becoming a lot more powerful and effective. Because the people who are taking those in the past spoonfed answers. Now really understanding them can truly implement them at a level that is a lot more powerful. Is that true?\n\nKris: I would say that's definitely true because we're working on a couple of projects right now where we are trying to integrate machine learning into promotions and selections as a decision support tool. I'd never in a million years, would've thought we'd get a chance to work on that data and introduce something that is an algorithm into a just intrinsically human process. But we have enough people thinking along this vein. We have enough people looking at the data we've collected about how we read records and how we read files. And they're like, \"There's got to be an easier way to do this. There's got to be something we can do to support the board, to pull out the key insights. 
To package them differently, to display them differently, to sort.\" And they came to us with the question of how can we make this process more efficient?\n\nAnd I just came back with exactly what the computer is supposed to do. It doesn't get tired, it doesn't get bored. Its attention doesn't wander, and it can read things a whole heck of a lot faster than we can. So let's see how we can crunch your data a little bit better into more digestible packages for you to review.\n\nA Long Way to Go For AI\n\nKris: So we keep the human in the process. We keep that comfort level, but now the humans have enough comfort with the machine process. It's not quite human-machine teaming yet. I'm hoping that we'll get to some true instances of human-machine teaming. But we've got an algorithm producing a product that's digestible and a receiver on the other end that trusts it.\n\nCarolyn: So you guys both heavily involved in AI, Jazmin, what are the advances that you see coming up in AI? Be my fortune teller for a minute. What is the landscape looking like in the next year, three years, even five years. Where's it going?\n\nJazmin: I guess currently what we're seeing is a lot of actually pretty narrow cases of AI. I would say AI is at its current state, not as pervasive in all industries, as we probably would expect. It’s definitely very prominent in a select few industries. But there's quite a few businesses and just overall industries too, that just haven't embraced it to the same extent. And so we still have a long way to go until we see AI really integrated with a lot of our day-to-day work.\n\nCarolyn: Why do you think that is? I don't want to derail. I want you to come back to that, but why?\n\nJazmin: So I think there's still nervousness by some groups that haven't used it or not as familiar with it. They are not sure how to use it. Or they don't know how it could immediately benefit their operations. 
Because they don't see the parallels or they don't understand how those parallels could apply in their day-to-day work. So that's a piece.\n\nA Legitimate Concern\n\nJazmin: Also I think the lack of policy and regulation on AI technology. How to utilize and integrate AI technology into your business also scares a lot of people like, \"Am I going to be sued?\" That's a legitimate concern. To what extent can I use this?\n\nAnd it's also seen as an extra investment if I'm not using it now. I don't know exactly how it's going to benefit me. It's a coin toss if that's really going to help in the long term. I think some people may think of it like that. Then why would I put up that investment now, if what I'm doing is working for me for the meantime. So there's that near-term view as well.\n\nCarolyn: So we conducted a survey. I worked with Market Connections to poll IT mission owners within the DoD and Fed CIV. And we asked them some of these questions. So what you just said, from your own experience is backed by the data, which we all love. Just that some of the biggest barriers that we saw IT mission owners cite for not embracing AI.\n\nFirst, they thought it was super important and then they needed it. But they hadn't implemented it. And they didn't really have plans to implement it, partly because they're scared of it. They don't understand it. There's a big learning curve. There's a perceived expense. And their challenges, interestingly enough, were finding root cause and accomplishing everything that needed to be accomplished with a limited staff. I'm just sitting there going, \"Hey, I can do this for you and you're not implementing it.\" So what you just said, like I said, has been validated. I'm sure not just by the survey that I did, but by others. So back to where are we going with AI?\n\nWhere Are We Going With AI\n\nJazmin: I think we're seeing a lot of pretty big breakthroughs in AI technology in the industries that AI's really being embraced. 
I think we all know about autonomous vehicles, for example.\n\nCarolyn: Really are we going there?\n\nJazmin: I think it's just a matter of time.\n\nCarolyn: Well, am I going to get an Iron Man suit then? Because that's what I really want.\n\nJazmin: That may be a little bit further away. Flying, like individual flying capability is a little bit further away for transportation purposes than recreational. But the autonomous vehicle I think gives technology or just autonomy there in navigation I think is advancing. I think it is, that will be pretty transformative in terms of our job landscape. What we do on a regular basis. How much time is spent driving tour or driving to places, whether it be leisure, for business, and having that free time. I think a lot of people would buy into having that free time. Of course, there's still things to work out in that arena. But when that's ironed out, I think that'll be a pretty big breakthrough.\n\nI don't know if it's more near term or not. But the concept of the metaverse. I think AI is going to be very important there. AI is very foundational to both of these areas. But I think with the metaverse it's going to provide opportunities for a lot of advancements in AI technology in terms of how it's utilized. With the creation of the metaverse, I know the concepts are still really new. But the potential for it to gather a lot of data and be able to create virtual world.\n\nExciting and Terrifying Possibilities With AI\n\nJazmin: It's going to be leveraging AI in ways that it wasn't thought of before. So I think those are really great areas for breakthroughs in AI.\n\nCarolyn: Yes. And think about what it can do to the diversity and inclusion arena. Because we can be whatever we want in the metaverse. I can be a woman, but I can also be a lion if I want.\n\nJazmin: And interact. I know the possibilities are exciting, but also equally terrifying.\n\nCarolyn: Yes. A little bit.\n\nJazmin: There’s so much unknown in that. 
But can't discount the impact that AI and technology is going to have in these arenas. Of course with great power comes great responsibility sort of thing. But I don't think there's any stopping it. It's just a matter of who's going to be at the table to help shape and mold those technologies. The who is the biggest part of it.\n\nCarolyn: Yes. So Kris, you were nodding your head a lot and really a lot when it came to the metaverse. So what are you seeing? What's your prediction?\n\nKris: Oh goodness. It's hard to top things that Jazmin listed out. Those are kind of the ones that are top of mind. Looking in the personal space, one of the things we're studying is the psychology of human-machine teaming. I don't think it's science fiction. I think a lot of it's happening right now, even with our limited AI. Since we have a lot of folks using virtual assistants of some kind to do any number of different functions.\n\nHuman-Machine Teaming\n\nKris: We have virtual chat. We have all these different types of things that we're already interacting with. And we've done a lot of exploration of what the ethics look like in this. I think that's the piece that's going to come up fast because the technology is just going to explode. We have tremendous innovators. Both for better or for worse are going to go out and develop amazing things. I think if we don't think about how we're going to use these things and how we're going to expect them to interact with us. I just have a policy letter out for staffing on the use of personnel data for various purposes and various roles. And one of the roles we had to include was autonomous systems. What kind of data about our personnel are we going to share with these autonomous systems? Because they're going to be making decisions about how they interact with us.\n\nSo I see a lot of interesting things happening in that space. But it's one of the things we've got to get through simulation. 
We've got to get through the world of what if and figure out how we want these things to interact. What kind of capabilities we need to build in our humans to interact with them. Because I think restraining technology at this point, just as Jazmin said, it's not happening.\n\nCarolyn: Let's go back to Spider-Man. With great power comes great responsibility. And I am so grateful that I am looking at two leaders in this space that I truly believe have our best interests. Our world, our children's best interest at heart and are going to use this power for good.\n\nAre Women in Tech Paid Equal Like Their Male Counterparts\n\nCarolyn: But I want to come back around to something that we talked about in our last episode. That's just the disparities that we've noticed in the workforce as a woman, challenges that we've run into. So statistics say that we are still not being paid. I hate that we're coming back to pay. But this is an important topic. That we are still not being paid the same as our male counterparts. Now I would hope that in the government, that might be better. But let me just ask you both. Do you think, do you believe that you are being paid exactly what your male counterparts are being paid? Kris, let's start with you.\n\nKris: We're not going to take the cheaters' rule out and say that because of law and statute, we have to be.\n\nCarolyn: Yes.\n\nKris: So I think the bigger question is, it's not a monetary cost. It's an opportunity cost more than anything. I'm going to talk both about women and minorities progressing through the system. We see different kind of fall off points where we fail to retain them and we fail to progress. And when we look at it, it's not because of any kind of overt bias or anything that we could fix easily with policy. It's because they're not being brought in.\n\nAgain, kind of coming back to that topic about bringing into the network, bringing into the mentorship, bringing into the opportunities. 
They're either in branches or functions that don't typically get some of the all-star opportunities that allow them to progress rapidly. Or there are other things that kind of contribute to that opportunity cost.\n\nAn Opportunity Cost\n\nKris: So I think there are people who are moving through the space. There are people with very good reputations who are moving through the data space, especially. But I think as an organization, we kind of have to figure out how to broaden the talent bench that we're pulling from. So that we don't overly constrain who we're pulling from, for some of those opportunity positions.\n\nCarolyn: You've seen that with the data that you're looking at, this is not anecdotal. This is not just, this is what I think is happening. This is what you're seeing at a very macro level with the data, the opportunity.\n\nKris: Yes, anytime we see the disparities, it's like we can almost directly pull back and look at who's in the organization? What functions are they performing? And as an army, we are very focused on command channels. And then anything that kind of falls in as staff or key enabler. Just even with the word enabler, you kind of classify that as secondary. It's something that is supporting my main effort. We've been trying to challenge that a little bit. Just looking at what the future of warfare, multi-domain operations, and joint all-domain operations look like. There's a lot of digital in those domains. And a lot of the functional areas, a lot of the talent sets that we need are I think going to become a lot more front and center. If they haven't already. I think not at the risk of sounding a little bit doom and gloom, but we really need to focus on those areas. 
I would say we are, but I can't stop beating the drum to focus on those areas.\n\nAre There Missed Opportunities for Being a Woman in Tech?\n\nCarolyn: Do you personally think, Kris, that you've had missed opportunities throughout your career because you're a woman?\n\nKris: I wouldn't say because I'm a woman per se. I think it's more just because I'm an ORSA, I'm an Operations Research and Systems Analyst. And I'm not on a command track. So I've been lucky. I've had commanders who have seen some of the stuff that I do. They’ve seen my value and pulled me into positions where I can exercise that. But that's not true throughout my career field. So I don't necessarily want to say, \"Hey, look what the Army's doing.\" Because they've empowered me to do all this stuff. I was like on one data point and I'm not a representative sample.\n\nCarolyn: Yes. And just for listeners that maybe aren't familiar and you two correct me if I'm wrong. But especially in the DoD, the pay scale is whatever your rank is, that's what you get paid. It doesn't matter if you're a man or a woman or a person of color. And that's why, Kris, it was a very good point that it's the opportunity that there's the disparity in. Because theoretically, that pay has to be the same across the board. Jazmin, how about you, as far as pay goes, we just kind of level set that, but have you noticed missed opportunities or anything else through your career?\n\nJazmin: So I've actually seen quite a few people in the technology realm. And I think this is echoing a lot of what Kris was saying in that, a lot of the incentives for tech professionals in the military are not equal. Or they're not at the same level as maybe more operational roles.\n\nMonetary Incentives for Serving Longer\n\nJazmin: So as in like the Air Force gives you incentives. Pilots, you have incentives to stay in for a little longer, you get a little, I don't want to say carrots. But there are some monetary incentives to stay in and serve for longer. 
If some folks are trying to get out after their commitment. But you don't necessarily see that same incentive structure at all is different depending on what sort of career fields you're in.\n\nAnd I think there is an effort and you see it in various ways that the services to try to flag people that do have technology specializations or technology backgrounds to try to focus on certain tech fields and operations research was one of them. To try to provide incentives for folks to stay in these fields. So we're seeing a little bit more. But it's definitely not as ingrained as the incentive structure that we see more in the operational community. I think that does play a role in that disparity, not so much from a gender specific realm, but from a job perspective, from a STEM point of view.\n\nBut I think all of these, the various disparities we see really can be combated in part by increased transparency. So exactly what Kris is doing and providing the analysis and providing that information out to the masses of what the challenges are and leave it to the individual to determine what to do with it.\n\nHow is it going? This is hopefully unbiased. So this analysis, this is the information, this is the data, do with it as how you see fit. And that provides incentive for those that are being assessed to make sure that they are making the necessary changes to provide.\n\nTell People How Much You’re Making\n\nJazmin: Or to better their own organization in the long term and change their policies or procedures or incentive structure. To be able to keep and attract the talent that they need, which we need to attract the minority diverse fields.\n\nSo I think transparency not just on the analysis front, but also on just the pay, just to get broadly speaking outside the government, there are more and more applications now where you can see how much someone in your career field's making. 
And I think some people want to hold that close and like, \"Oh, I don't want to share what I'm making.\" I'm very much a proponent. Tell people how much you're making. Mentor people, tell them how much they should be expecting to make in these career fields? Because if you don't have that...","content_html":"

Listen in for part 2 of our women's panel with Kris Saling, Chief Analytics Officer for the Army Talent Management Task Force and Director of People Analytics in the office of the Assistant Secretary of the Army (Manpower & Reserve Affairs), and Jazmin Furtado, Liaison at AI Accelerator and Data Strategy Lead at US Space Force. In this episode, Carolyn, Kris, and Jazmin get real about the power of the collective, emerging solutions, and the importance to assess and provide within federal government technology.

Episode Table of Contents


Episode Links and Resources


Meditation Is Really Good

Carolyn: We are in part two of our women in technology panel, with Kris Saling, Deputy Director of Army People Analytics, and Captain Jazmin Furtado, a Data Strategy Lead at the US Space Force and Space Force Liaison at the MIT AI Accelerator.

On today's episode, we're going to dive more into government technology in general. I get Kris and Jazmin to do a little fortune-telling on where tech is headed. What advancements they've seen in their careers. And we get real with some salary talk. Just a little reminder, the views of Kris and Jazmin are their own and do not necessarily reflect the views of their agencies. Now let's get to it on Tech Transforms with our women panel.

I know that meditation is really good for the monks that live in caves in India. And I know that I should probably do it. Until I saw the science behind it and what it can really do for my brain. I dabbled in it. I never fully embraced it. And once I started understanding why it was working and that there was true science behind it, man, I'm all in. I'm just thinking of just one example of things that are good for me in my life, that I've been able to embrace and bring into my life because I understand them. I understand how they work rather than like you said, Kris, the leadership saying, "No, we don't give a shit about how you got there. Just give us the answer."

Make The Process More Efficient

Carolyn: But now you're getting people who really want to understand why. I would imagine that the program for the answers that you've been spoonfeeding them. The programs are becoming a lot more powerful and effective. Because the people who are taking those in the past spoonfed answers. Now really understanding them can truly implement them at a level that is a lot more powerful. Is that true?

Kris: I would say that's definitely true because we're working on a couple of projects right now where we are trying to integrate machine learning into promotions and selections as a decision support tool. I'd never in a million years, would've thought we'd get a chance to work on that data and introduce something that is an algorithm into a just intrinsically human process.

But we have enough people thinking along this vein. We have enough people looking at the data we've collected about how we read records and how we read files. And they're like, "There's got to be an easier way to do this. There's got to be something we can do to support the board, to pull out the key insights. To package them differently, to display them differently, to sort." And they came to us with the question of how can we make this process more efficient?

And I just came back with exactly what the computer is supposed to do. It doesn't get tired, it doesn't get bored. Its attention doesn't wander, and it can read things a whole heck of a lot faster than we can. So let's see how we can crunch your data a little bit better into more digestible packages for you to review.

A Long Way to Go For AI

Kris: So we keep the human in the process. We keep that comfort level, but now the humans have enough comfort with the machine process. It's not quite human-machine teaming yet. I'm hoping that we'll get to some true instances of human-machine teaming. But we've got an algorithm producing a product that's digestible and a receiver on the other end that trusts it.

Carolyn: So you guys both heavily involved in AI, Jazmin, what are the advances that you see coming up in AI? Be my fortune teller for a minute. What is the landscape looking like in the next year, three years, even five years. Where's it going?

Jazmin: I guess currently what we're seeing is a lot of actually pretty narrow cases of AI. I would say AI is at its current state, not as pervasive in all industries, as we probably would expect. It’s definitely very prominent in a select few industries. But there's quite a few businesses and just overall industries too, that just haven't embraced it to the same extent. And so we still have a long way to go until we see AI really integrated with a lot of our day-to-day work.

Carolyn: Why do you think that is? I don't want to derail. I want you to come back to that, but why?

Jazmin: So I think there's still nervousness by some groups that haven't used it or not as familiar with it. They are not sure how to use it. Or they don't know how it could immediately benefit their operations. Because they don't see the parallels or they don't understand how those parallels could apply in their day-to-day work. So that's a piece.

A Legitimate Concern

Jazmin: Also I think the lack of policy and regulation on AI technology. How to utilize and integrate AI technology into your business also scares a lot of people like, "Am I going to be sued?" That's a legitimate concern. To what extent can I use this?

And it's also seen as an extra investment if I'm not using it now. I don't know exactly how it's going to benefit me. It's a coin toss if that's really going to help in the long term. I think some people may think of it like that. Then why would I put up that investment now, if what I'm doing is working for me for the meantime. So there's that near-term view as well.

Carolyn: So we conducted a survey. I worked with Market Connections to poll IT mission owners within the DoD and Fed CIV. And we asked them some of these questions. So what you just said, from your own experience is backed by the data, which we all love. Just that some of the biggest barriers that we saw IT mission owners cite for not embracing AI.

First, they thought it was super important and then they needed it. But they hadn't implemented it. And they didn't really have plans to implement it, partly because they're scared of it. They don't understand it. There's a big learning curve. There's a perceived expense. And their challenges, interestingly enough, were finding root cause and accomplishing everything that needed to be accomplished with a limited staff.

I'm just sitting there going, "Hey, I can do this for you and you're not implementing it." So what you just said, like I said, has been validated. I'm sure not just by the survey that I did, but by others. So back to where are we going with AI?

Where Are We Going With AI

Jazmin: I think we're seeing a lot of pretty big breakthroughs in AI technology in the industries that AI's really being embraced. I think we all know about autonomous vehicles, for example.

Carolyn: Really are we going there?

Jazmin: I think it's just a matter of time.

Carolyn: Well, am I going to get an Iron Man suit then? Because that's what I really want.

Jazmin: That may be a little bit further away. Flying, like individual flying capability is a little bit further away for transportation purposes than recreational. But the autonomous vehicle I think gives technology or just autonomy there in navigation I think is advancing.

I think it is, that will be pretty transformative in terms of our job landscape. What we do on a regular basis. How much time is spent driving tour or driving to places, whether it be leisure, for business, and having that free time. I think a lot of people would buy into having that free time. Of course, there's still things to work out in that arena. But when that's ironed out, I think that'll be a pretty big breakthrough.

I don't know if it's more near term or not. But the concept of the metaverse. I think AI is going to be very important there. AI is very foundational to both of these areas. But I think with the metaverse it's going to provide opportunities for a lot of advancements in AI technology in terms of how it's utilized. With the creation of the metaverse, I know the concepts are still really new. But the potential for it to gather a lot of data and be able to create virtual world.

Exciting and Terrifying Possibilities With AI

Jazmin: It's going to be leveraging AI in ways that it wasn't thought of before. So I think those are really great areas for breakthroughs in AI.

Carolyn: Yes. And think about what it can do to the diversity and inclusion arena. Because we can be whatever we want in the metaverse. I can be a woman, but I can also be a lion if I want.

Jazmin: And interact. I know the possibilities are exciting, but also equally terrifying.

Carolyn: Yes. A little bit.

Jazmin: There’s so much unknown in that. But can't discount the impact that AI and technology is going to have in these arenas. Of course with great power comes great responsibility sort of thing. But I don't think there's any stopping it. It's just a matter of who's going to be at the table to help shape and mold those technologies. The who is the biggest part of it.

Carolyn: Yes. So Kris, you were nodding your head a lot and really a lot when it came to the metaverse. So what are you seeing? What's your prediction?

Kris: Oh goodness. It's hard to top things that Jazmin listed out. Those are kind of the ones that are top of mind. Looking in the personal space, one of the things we're studying is the psychology of human-machine teaming. I don't think it's science fiction. I think a lot of it's happening right now, even with our limited AI. Since we have a lot of folks using virtual assistants of some kind to do any number of different functions.

Human-Machine Teaming

Kris: We have virtual chat. We have all these different types of things that we're already interacting with. And we've done a lot of exploration of what the ethics look like in this. I think that's the piece that's going to come up fast because the technology is just going to explode. We have tremendous innovators. Both for better or for worse are going to go out and develop amazing things.

I think if we don't think about how we're going to use these things and how we're going to expect them to interact with us. I just have a policy letter out for staffing on the use of personnel data for various purposes and various roles. And one of the roles we had to include was autonomous systems. What kind of data about our personnel are we going to share with these autonomous systems? Because they're going to be making decisions about how they interact with us.

So I see a lot of interesting things happening in that space. But it's one of the things we've got to get through simulation. We've got to get through the world of what if and figure out how we want these things to interact. What kind of capabilities we need to build in our humans to interact with them. Because I think restraining technology at this point, just as Jazmin said, it's not happening.

Carolyn: Let's go back to Spider-Man. With great power comes great responsibility. And I am so grateful that I am looking at two leaders in this space that I truly believe have our best interests. Our world, our children's best interest at heart and are going to use this power for good.

Are Women in Tech Paid Equal Like Their Male Counterparts

Carolyn: But I want to come back around to something that we talked about in our last episode. That's just the disparities that we've noticed in the workforce as a woman, challenges that we've run into. So statistics say that we are still not being paid. I hate that we're coming back to pay. But this is an important topic. That we are still not being paid the same as our male counterparts. Now I would hope that in the government, that might be better. But let me just ask you both. Do you think, do you believe that you are being paid exactly what your male counterparts are being paid? Kris, let's start with you.

Kris: We're not going to take the cheaters' rule out and say that because of law and statute, we have to be.

Carolyn: Yes.

Kris: So I think the bigger question is, it's not a monetary cost. It's an opportunity cost more than anything. I'm going to talk both about women and minorities progressing through the system. We see different kind of fall off points where we fail to retain them and we fail to progress. And when we look at it, it's not because of any kind of overt bias or anything that we could fix easily with policy. It's because they're not being brought in.

Again, kind of coming back to that topic about bringing into the network, bringing into the mentorship, bringing into the opportunities. They're either in branches or functions that don't typically get some of the all-star opportunities that allow them to progress rapidly. Or there are other things that kind of contribute to that opportunity cost.

An Opportunity Cost

Kris: So I think there are people who are moving through the space. There are people with very good reputations who are moving through the data space, especially. But I think as an organization, we kind of have to figure out how to broaden the talent bench that we're pulling from. So that we don't overly constrain who we're pulling from, for some of those opportunity positions.

Carolyn: You've seen that with the data that you're looking at, this is not anecdotal. This is not just, this is what I think is happening. This is what you're seeing at a very macro level with the data, the opportunity.

Kris: Yes, anytime we see the disparities, it's like we can almost directly pull back and look at who's in the organization? What functions are they performing? And as an army, we are very focused on command channels. And then anything that kind of falls in as staff or key enabler. Just even with the word enabler, you kind of classify that as secondary. It's something that is supporting my main effort.

We've been trying to challenge that a little bit. Just looking at what the future of warfare, multi-domain operations, and joint all-domain operations look like. There's a lot of digital in those domains. And a lot of the functional areas, a lot of the talent sets that we need are I think going to become a lot more front and center. If they haven't already. I think not at the risk of sounding a little bit doom and gloom, but we really need to focus on those areas. I would say we are, but I can't stop beating the drum to focus on those areas.

Are There Missed Opportunities for Being a Woman in Tech?

Carolyn: Do you personally think Kris that you've had missed opportunities throughout your career because you're a woman?

Kris: I wouldn't say because I'm a woman per se. I think it's more just because I'm an ORSA, I'm an Operations Research and Systems Analyst. And I'm not on a command track. So I've been lucky. I've had commanders who have seen some of the stuff that I do. They’ve seen my value and pulled me into positions where I can exercise that. But that's not true throughout my career field. So I don't necessarily want to say, "Hey, look what the Army's doing." Because they've empowered me to do all this stuff. I was like on one data point and I'm not a representative sample.

Carolyn: Yes. And just for listeners that maybe aren't familiar and you too correct me if I'm wrong. But especially in the DoD, the pay scale is whatever your rank is, that's what you get paid. It doesn't matter if you're a man or a woman or a person of color. And that's why Kris, it was a very good point that it's the opportunity that there's the disparity in. Because theoretically, that pay has to be the same across the board. Jazmin, how about you, as far as pay goes, we just kind of level set that, but have you noticed missed opportunities or anything else through your career?

Jazmin: So I've actually seen quite a few people in the technology realm. And I think this is echoing a lot of what Kris was saying in that, a lot of the incentives for tech professionals in the military are not equal. Or they're not at the same level as maybe more operational roles.

Monetary Incentives for Serving Longer

Jazmin: So as in like the Air Force gives you incentives. Pilots, you have incentives to stay in for a little longer, you get a little, I don't want to say carrots. But there are some monetary incentives to stay in and serve for longer. If some folks are trying to get out after their commitment. But you don't necessarily see that same incentive structure at all is different depending on what sort of career fields you're in.

And I think there is an effort and you see it in various ways that the services to try to flag people that do have technology specializations or technology backgrounds to try to focus on certain tech fields and operations research was one of them. To try to provide incentives for folks to stay in these fields. So we're seeing a little bit more. But it's definitely not as ingrained as the incentive structure that we see more in the operational community. I think that does play a role in that disparity, not so much from a gender specific realm, but from a job perspective, from a STEM point of view.

But I think all of these, the various disparities we see really can be combated in part by increased transparency. So exactly what Kris is doing and providing the analysis and providing that information out to the masses of what the challenges are and leave it to the individual to determine what to do with it.

How is it going? This is hopefully unbiased. So this analysis, this is the information, this is the data, do with it as how you see fit. And that provides incentive for those that are being assessed to make sure that they are making the necessary changes to provide.

Tell People How Much You’re Making

Jazmin: Or to better their own organization in the long term and change their policies or procedures or incentive structure. To be able to keep and attract the talent that they need, which we need to attract the minority diverse fields.

So I think transparency not just on the analysis front, but also on just the pay, just to get broadly speaking outside the government, there are more and more applications now where you can see how much someone in your career field's making. And I think some people want to hold that close and like, "Oh, I don't want to share what I'm making." I'm very much a proponent.

Tell people how much you're making. Mentor people, tell them how much they should be expecting to make in these career fields? Because if you don't have that...

","summary":null,"date_published":"2022-04-20T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/92f75ec9-d0db-4e33-bda8-2887994b2522.mp3","mime_type":"audio/mpeg","size_in_bytes":21881717,"duration_in_seconds":1562}]},{"id":"755dbdcd-f97b-4f6f-b363-120ef52e5ff4","title":"Episode 31: Women in Tech Part 1 with Space Force's Jazmin Furtado and U.S. Army's Kris Saling","url":"https://techtransforms.fireside.fm/31","content_text":"Women in tech unite on this special episode of Tech Transforms featuring Kris Saling, Chief Analytics Officer for the Army Talent Management Task Force and Director of People Analytics in the office of the Assistant Secretary of the Army (Manpower & Reserve Affairs), and Jazmin Furtado, Liaison at AI Accelerator and Data Strategy Lead at US Space Force. Carolyn, Kris and Jazmin discuss the impact of self-awareness and the importance of data education and fostering change when it comes to government technology.\n\nEpisode Table of Contents\n[00:27] Introducing the Women in Tech: Kris Saling & Captain Jazmin Furtado\n[10:32] Take It From a Human Approach\n[17:27] Pulling Other Women in Tech Into the Circle\n[24:45] Women in Tech Are Influencing One Another\n[30:14] Women in Tech Are Making Sure They’re Helping Everybody\n\nEpisode Links and Resources\nKris Saling\nJazmin Furtado\nM&RA\nSpace Force\n\nIntroducing the Women in Tech: Kris Saling & Captain Jazmin Furtado\n\nCarolyn: This week we are going full girl power, so Mark got uninvited. Today we have our Women In Tech panel featuring a couple of guests who have previously been on our show, Kris Saling, Deputy Director of Army People Analytics, and Captain Jazmin Furtado, a Data Strategy Lead at the U.S. Space Force and Space Force Liaison at the MIT AI Accelerator. 
Welcome back Jazmin and Kris to Tech Transforms to talk about your journeys in government technology.\n\nI'm really excited to talk to both of you again, but before we get into that let me do a little housekeeping. So I just want to remind our listeners that the views of both Kris and Jazmin are their own and do not necessarily reflect the views of their agencies. I'm just going to say that for myself, too. Because I warned this, too, before we started. I'm like, \"I got some stuff I need to get out.\" And I want to be able to talk freely today.\n\nLet's start talking about challenges that both of you have faced being a woman in the technology space. The fact that we even have to say, \"Being a woman in the government technology space,\" other than, we're in the technology space and we kick ass. I hate that we have to do that but I still feel like we do. I'm already getting up on my soapbox. But, let's start with you, Kris. Some of the challenges that you've faced.\n\nKris: So, it's one of those where I don't want to say there aren't any challenges. But I've encountered so many of these challenges throughout my career. I just hit 20 years last summer, I'm going to hit 21 years this coming summer. Yes, it's almost the summer again.\n\nKris Saling’s Challenges for Being One of the Women in Tech\n\nKris: So it's been a long time of sitting there with the typical, the anxieties, the imposter anxiety, the \"What is my balance between being assertive. And how do I not come off as, \"Insert your,\" kind of \"The common anxieties\"? It really hasn't been all that different. I've been trying to figure out the right balance of how to present different things. How to present facts so that they are listened to. How to present data to an audience where not only do we have the schism between having an audience that's operational and I'm on the technical side. 
But sometimes it's very obvious that I know quite a bit more about the subject than the people I'm talking to.\n\nI think one of the biggest challenges is I really didn't get to know myself and how I wanted to present these things. Because I was very much fixed on how to present that particular image until I really got into data education and started teaching people. That really helped me find a balance in how I wanted to talk about very technical subjects, both with a technical and a lay audience.\n\nSo I won't say it's overcome all the challenges. You still go out a lot of times, still the only woman sitting in the room. I do have a little bit of a reputation now that I can trade on. So I come into the room with a certain amount of that reputation. But I've seen a lot of cases where that hasn't been the case. Where people have come in and haven't quite known how to throw all those and hold their ground in areas where they're competent. How we make the opportunities to do that because that's where other opportunities come from.\n\nCaptain Furtado Shares Her Perspective on Being Part of the Women in Tech\n\nCarolyn: Jazmin, have you felt that?\n\nJazmin: Yes, so a lot of the same things. I'm very aware of how I may be coming across. And depending on the level I'm speaking at, I have to maybe change the way I present something. Because I'm having to always pick apart and analyze what makes that person tick. I'm not saying that's maybe something specific to women. I feel like maybe everyone has to do that to some extent.\n\nBut of course, I only know from my perspective how much of my time goes into not just the content but just my body language, my tone, the inflection in my voice, the pacing of my words. Because a lot is taken away already from visuals and the unspoken. So there's already a front that I put on and that I present to people when I walk into a room. And there's already preconceived notions of who I am and what I can do. 
So having to overcome those is maybe an extra thing that others may not need to.\n\nBut I've thought about this a lot and I try to think about the other's perspective. I've come to realize that a lot of times, most of the times, there's not necessarily any ill intent behind how people perceive others. Maybe there's an audience that is not conscious of their own biases. I think it's beneficial for all of us to check ourselves and check the comments that we make in the workplace. Because things that may be seen as teasing or something that's lighthearted may actually be eating away at the mutual respect that you have for another person. They may eat into the other person's credibility as a professional, as a leader.\n\nThe Imposter Syndrome Experienced by Women in Tech\n\nJazmin: So please be cognizant of these comments because these small things, especially in a public forum, they start eating away at that. And it's not appropriate in the workplace to be making these side comments and thinking that there's no consequence. So just as an input, I guess, for everyone out there, when you're speaking just be aware of your slang or colloquial. Be aware of the unintended consequences of some of the things that are being said.\n\nCarolyn: I'm just going to admit this right upfront. I have found myself through my career. Because I've been in technology for 20 years now. Often the only woman in the room. I've felt like a little bit of an imposter. I started out in product management, definitely felt like an imposter there. Because I was interpreting what developers were saying, trying to understand what users needed. I was always the only woman in a sea of men. Then when I moved to marketing I suffered another kind of imposter syndrome where I thought, \"I'm not really in the tech field, but I am.\" Like, \"I need to be able to tell this story.\"\n\nThis is taking a really long time to get to my point. 
Throughout my career as I look back, I've noticed that I have done things and portrayed myself in a way and used language that I thought would make me fit in more, drink too much, swear like a sailor. But I have to say I love swearing. So I've just embraced that as part of what I really like and no longer consider that me attempting to fit in with the boys because I just like to swear. But other things, even what you were just saying Jazmin about being cognizant of slurs.\n\nFight Like a Girl\n\nCarolyn: I grew up with a cold war Army dad. Believe me, I have some slurs. And I didn't even realize how offensive they were until pretty recently. Some of the stuff that has come out of my mouth, I'm like, \"I can't believe I said that,\" and towards women. I used to say, \"Fight like a girl\" all the time as an insult, not as props. So have either of you noticed that?\n\nKris: So I think there's a lot of that, that's part and parcel. I've enjoyed my later years of being a little more senior ranking and a little more salty overall, of being able to call that out. And to stop people when they're making statements, or even making assumptions about anything having to do with women. Like, certain programs should be marketed this way towards women. That's usually where I start throwing things at them figuratively because we're virtual. But try to at least get their attention and say, \"Hey, guys, you just othered an entire 50% of the population, 17% of the Active Army population. But that still is a large percentage of people that you just said, 'All of these people think the same way.'\"\n\nOne of the principles that we've been working on in talent management is getting away from the one-size-fits-all method of work and method of leadership. And that has really lent itself to fostering a lot of these discussions about how we work. 
In the Army at least, it's 1.4 million people when you consider all three components in our civilians, and they're all different and everybody is different.\n\nCarolyn: Oh, so take it from a human approach, is that what you're saying?\n\nTake It From a Human Approach\n\nKris: Shocking, isn't it? As opposed to the industrial model that we employed over the past 50 years where everybody is interchangeable. And we don't see you as a human. We see you as some kind of a cog categorized by your grade and your career field. Instead, let's look at you as a person. Let's do some, shocking again, human-centric design, and let's start seeing people as people for capabilities. Rather than what we assume comes with and based on people's personal biases.\n\nThey make a lot of assumptions that people come with a lot of baggage. So I think we're making some progress. Again, when I say we're making some progress it's like we're starting here. We know it still goes on heavily throughout the organization. But we're getting our foot in the door there.\n\nCarolyn: So you're not going to admit to anything that you've done in the past?\n\nKris: Oh, you mean as far as things I've said or things I've done?\n\nKris: I just spent 12 years as a combat engineer. So that was the first 12 years of my army, work hard, play hard, swear hard, still swear hard. I have to remember sometimes that I'm in an office building.\n\nCarolyn: Did you go into combat to prove something?\n\nKris: I graduated from West Point in 2001 and all the women that I trained with there, all the women I met in my officer basic course in our first unit, we always were under pressure to prove that we belonged. It was always the, \"Oh, we're going to prove that we can do this and we can do that thing.\" But it was always earning your place and proving you belonged, which was a heck of a lot of pressure.\n\nWomen in Tech Experience a Lot of Pressure\n\nCarolyn: Yes, the first has to be better, stronger, the first always has to. So what about you, Jazmin? 
Are you going to admit anything?\n\nJazmin: Well, I can't actually think of any examples but I know it has happened to me. And I don't think anyone ever perfects the self-policing of the agency. Check yourself before you make statements. But as long as the intent is there and the effort, at least, in some regard have measured. And the progress is being seen and being able to proactively catch things before you say something. Or recognize that a topic may not be the best one, maybe there's another topic to bring up, it's great.\n\nI think in my previous job I didn't really appreciate the role that a person that's put in a leadership position or authority has over that culture. It's the little things that a leader does. The topics they bring up, the things that they decide to talk about just in a forum. What topic? Are you just going to talk about one topic all the time? Maybe sports, the stereotypical one. Who are you leading? Get to know them. What are the things that they're interested in and then as a leader, make sure that you can represent your team and their interests, and talk to them and connect to them in a way that is more comfortable for them.\n\nSo when I was at Kessel and I actually saw that quite a bit. There's a lot of these cultures that are pushing for psychological safety and the training that comes with it. And seeing it more in the workplace, making me more aware, it makes me take a look, \"Oh, what are things I said before.\"\n\nAn Environment of Psychological Safety\n\nJazmin: And I'm still trying to think of an example but nothing comes to mind right now. But yes, I think those trainings have been really great because the people in specific roles have a big part to play in that.\n\nKris: Jazmin, if I can jump on one of the things you said about talking about the same topics all the time and here's how people connect. We've talked about that a lot in the return to the office, the people who are pressing for it and the people who aren't. 
A lot of the people who are pressing for it, we're finding some commonalities in the ways that they want to connect. And a lot of the workforce that they have who doesn't want to come back hasn't connected with what they feel like that office culture is.\n\nSo I think when you start talking about providing an environment of psychological safety and providing an office identity that people can connect to. How do we connect ourselves with that culture? We really have to think about that if we want people to maintain that connection, both remotely and when they come back to the office. Or if they come back to the office. I'm a big proponent of remote work. I just have to throw that in there.\n\nJazmin: Yes, and definitely it has to be very proactive. It's a lot of work to do that. And it takes people out of their comfort zones to push for certain topics, push for events, push for these kinds of forums to happen. It doesn't just happen by itself, you can't just will it. So yes, it's really great to hear.\n\nWomen in Tech to Fostering Change\n\nCarolyn: So I'm going to put us all on the spot a little bit to foster this change. Because the truth is, at a macro level we are still grossly in the minority. So what have we done personally to help foster this change? Maybe an easier question is what have you seen leaders do to help foster this change or have they? Or are we still missing this? So, Kris, I know this is a focus for you because it's your job. What do you recommend? What's happening?\n\nKris: Are we talking about just making more opportunities, more mentorship? I'm going to guess, all.\n\nCarolyn: All of it, is that where we start, just making more opportunities and how do we do that? I think what we're doing right now is an important thing because we're talking about it.\n\nKris: I think we're talking about it and we have three women in tech in this conversation who have been imminently successful in their own domains. 
And we've all been in domains where there's not a whole heck of a lot of us. We've had mentors who are male who have come in, who have seen something in us. Who have seen those qualities and have provided advice, who have provided guidance.\n\nAnd every time, at least lately since I've been more aware of it, I've had a mentor provide that guidance. I've encouraged them to think about, \"Why are you providing me that guidance? Is it because of this particular thing, that particular thing?\" Let's reach out and look at all the people you have in your mentorship circle and figure out who's not there. What are the other kind of opportunities?\n\nPulling Other Women in Tech Into the Circle\n\nKris: And I've started learning to ask myself, I need to be better about it, it's like, \"Who else can I pull into that circle?\"\n\nCarolyn: So are you mentoring then? Even officially, unofficially, you find people to mentor as well.\n\nKris: I do. I've had a lot of people talk to me. Because I work in a very interesting niche. There are a lot of people who try to figure out what exactly my job categories are. Because we're doing all the things, people analytics, we're doing talent management for the Army's data workforce. We're doing data education and there's been a lot of focus on just, \"Who's going to take over the programs? Who's coming up?\" Because they know at some point or another I'm going to retire. I'm going to go do something else. And I'm going to go start other projects. I'm going to try to carry on the somewhat entrepreneurial frame that I've looked at things in the Army with some other venture.\n\nSo I look around like, \"Okay, who's coming up? Who's got interest in some of the same projects I'm working on? Who really wants to foster change? 
How can I bring them in and get them some of those connections and get them some of the experiences working with the different types of projects and project leads and leaders.\" And as I'm doing that I really want to make sure that I'm bringing in all of those perspectives. That I'm bringing in not just more of the same. Because we want new perspectives. We as an organization have said very emphatically that we want change. Now we just need to prove it by bringing in people who can make the change and who see things differently.\n\nGood Mentor vs Bad Mentor\n\nCarolyn: Well I love that you have a mentor and that you are mentoring. Jazmin, have you had mentors, male or female? Do you participate in some official or unofficial mentoring?\n\nJazmin: So I have had quite a few great mentors. I've had a couple of pretty bad supervisors take on leadership roles. I think what has distinguished them is the good mentor, the people that I really look up to listen. They figure out what motivates me. They really try to find what am I really looking for out of my career. And they don't look at what can I provide to their organization right now. That makes all the difference when you're not seen as just someone that outputs and delivers products.\n\nI think the people that have been great mentors look at the potential that I can provide in the long term. And that being able to give me those opportunities that feed my own personal and professional growth does both things. It both helps myself and it helps the organization. Because I'm being put in the best capacity and being put to best use in the organization. So like I said, I've had the opposite as well where folks are just, how do I say this? I am in this organization for two years. As much time as they can put into me doing that one and one job only, and my scope is this big, there's no way for me to say anything else around it. Because that role is really important to the organization and they need me to do X, Y, Z. 
And those are positions that I do not thrive in.\n\nWomen in Tech Are Helping Each Other\n\nJazmin: But from a mentorship or from a supervisory standpoint, if you don't get to know your people then you're going to realize the limitations that you put on yourself and your organization as a result, so, yes. In terms of me mentoring other people, I have found LinkedIn to be great. This is not a plug but it's the only way actually that I get to talk to people outside of my realm here. There are some events that I'll speak at via recruiting events or...","content_html":"

Women in tech unite on this special episode of Tech Transforms featuring Kris Saling, Chief Analytics Officer for the Army Talent Management Task Force and Director of People Analytics in the office of the Assistant Secretary of the Army (Manpower & Reserve Affairs), and Jazmin Furtado, Liaison at AI Accelerator and Data Strategy Lead at US Space Force. Carolyn, Kris and Jazmin discuss the impact of self-awareness and the importance of data education and fostering change when it comes to government technology.


Introducing the Women in Tech: Kris Saling & Captain Jazmin Furtado

Carolyn: This week we are going full girl power, so Mark got uninvited. Today we have our Women In Tech panel featuring a couple of guests who have previously been on our show, Kris Saling, Deputy Director of Army People Analytics, and Captain Jazmin Furtado, a Data Strategy Lead at the U.S. Space Force and Space Force Liaison at the MIT AI Accelerator. Welcome back Jazmin and Kris to Tech Transforms to talk about your journeys in government technology.

I'm really excited to talk to both of you again, but before we get into that let me do a little housekeeping. So I just want to remind our listeners that the views of both Kris and Jazmin are their own and do not necessarily reflect the views of their agencies. I'm just going to say that for myself, too. Because I warned this, too, before we started. I'm like, "I got some stuff I need to get out." And I want to be able to talk freely today.

Let's start talking about challenges that both of you have faced being a woman in the technology space. The fact that we even have to say, "Being a woman in the government technology space," other than, we're in the technology space and we kick ass. I hate that we have to do that but I still feel like we do. I'm already getting up on my soapbox. But, let's start with you, Kris. Some of the challenges that you've faced.

Kris: So, it's one of those where I don't want to say there aren't any challenges. But I've encountered so many of these challenges throughout my career. I just hit 20 years last summer, I'm going to hit 21 years this coming summer. Yes, it's almost the summer again.

Kris Saling’s Challenges for Being One of the Women in Tech

Kris: So it's been a long time of sitting there with the typical, the anxieties, the imposter anxiety, the "What is my balance between being assertive. And how do I not come off as, "Insert your," kind of "The common anxieties"? It really hasn't been all that different. I've been trying to figure out the right balance of how to present different things. How to present facts so that they are listened to. How to present data to an audience where not only do we have the schism between having an audience that's operational and I'm on the technical side. But sometimes it's very obvious that I know quite a bit more about the subject than the people I'm talking to.

I think one of the biggest challenges is I really didn't get to know myself and how I wanted to present these things. Because I was very much fixed on how to present that particular image until I really got into data education and started teaching people. That really helped me find a balance in how I wanted to talk about very technical subjects, both with a technical and a lay audience.

So I won't say it's overcome all the challenges. You still go out a lot of times, still the only woman sitting in the room. I do have a little bit of a reputation now that I can trade on. So I come into the room with a certain amount of that reputation. But I've seen a lot of cases where that hasn't been the case. Where people have come in and haven't quite known how to throw all those and hold their ground in areas where they're competent. How we make the opportunities to do that because that's where other opportunities come from.

Captain Furtado Shares Her Perspective on Being Part of the Women in Tech

Carolyn: Jazmin, have you felt that?

Jazmin: Yes, so a lot of the same things. I'm very aware of how I may be coming across. And depending on the level I'm speaking at, I have to maybe change the way I present something. Because I'm having to always pick apart and analyze what makes that person tick. I'm not saying that's maybe something specific to women. I feel like maybe everyone has to do that to some extent.

But of course, I only know from my perspective how much of my time goes into not just the content but just my body language, my tone, the inflection in my voice, the pacing of my words. Because a lot is taken away already from visuals and the unspoken. So there's already a front that I put on and that I present to people when I walk into a room. And there's already preconceived notions of who I am and what I can do. So having to overcome those is maybe an extra thing that others may not need to.

But I've thought about this a lot and I try to think about the other's perspective. I've come to realize that a lot of times, most of the times, there's not necessarily any ill intent behind how people perceive others. Maybe there's an audience that is not conscious of their own biases.

I think it's beneficial for all of us to check ourselves and check the comments that we make in the workplace. Because things that may be seen as teasing or something that's lighthearted may actually be eating away at the mutual respect that you have for another person. They may eat into the other person's credibility as a professional, as a leader.

The Imposter Syndrome Experienced by Women in Tech

Jazmin: So please be cognizant of these comments because these small things, especially in a public forum, they start eating away at that. And it's not appropriate in the workplace to be making these side comments and thinking that there's no consequence. So just as an input, I guess, for everyone out there, when you're speaking just be aware of your slang or colloquial. Be aware of the unintended consequences of some of the things that are being said.

Carolyn: I'm just going to admit this right upfront. I have found myself through my career. Because I've been in technology for 20 years now. Often the only woman in the room. I've felt like a little bit of an imposter. I started out in product management, definitely felt like an imposter there. Because I was interpreting what developers were saying, trying to understand what users needed. I was always the only woman in a sea of men. Then when I moved to marketing I suffered another kind of imposter syndrome where I thought, "I'm not really in the tech field, but I am." Like, "I need to be able to tell this story."

This is taking a really long time to get to my point. Throughout my career as I look back, I've noticed that I have done things and portrayed myself in a way and used language that I thought would make me fit in more, drink too much, swear like a sailor. But I have to say I love swearing. So I've just embraced that as part of what I really like and no longer consider that me attempting to fit in with the boys because I just like to swear. But other things, even what you were just saying Jazmin about being cognizant of slurs.

Fight Like a Girl

Carolyn: I grew up with a cold war Army dad. Believe me, I have some slurs. And I didn't even realize how offensive they were until pretty recently. Some of the stuff that has come out of my mouth, I'm like, "I can't believe I said that," and towards women. I used to say, "Fight like a girl" all the time as an insult, not as props. So have either of you noticed that?

Kris: So I think there's a lot of that, that's part and parcel. I've enjoyed my later years of being a little more senior ranking and a little more salty overall, of being able to call that out. And to stop people when they're making statements, or even making assumptions about anything having to do with women. Like, certain programs should be marketed this way towards women.

That's usually where I start throwing things at them figuratively because we're virtual. But try to at least get their attention and say, "Hey, guys, you just othered an entire 50% of the population, 17% of the Active Army population. But that still is a large percentage of people that you just said, 'All of these people think the same way.'"

One of the principles that we've been working on in talent management is getting away from the one-size-fits-all method of work and method of leadership. And that has really lent itself to fostering a lot of these discussions about how we work. In the Army at least, it's 1.4 million people when you consider all three components in our civilians, and they're all different and everybody is different.

Carolyn: Oh, so take it from a human approach, is that what you're saying?

Take It From a Human Approach

Kris: Shocking, isn't it? As opposed to the industrial model that we employed over the past 50 years where everybody is interchangeable. And we don't see you as a human. We see you as some kind of a cog categorized by your grade and your career field. Instead, let's look at you as a person. Let's do some, shocking again, human-centric design, and let's start seeing people as people for capabilities. Rather than what we assume comes with and based on people's personal biases.

They make a lot of assumptions that people come with a lot of baggage. So I think we're making some progress. Again, when I say we're making some progress it's like we're starting here. We know it still goes on heavily throughout the organization. But we're getting our foot in the door there.

Carolyn: So you're not going to admit to anything that you've done in the past?

Kris: Oh, you mean as far as things I've said or things I've done?

Kris: I just spent 12 years as a combat engineer. So that was the first 12 years of my army, work hard, play hard, swear hard, still swear hard. I have to remember sometimes that I'm in an office building.

Carolyn: Did you go into combat to prove something?

Kris: I graduated from West Point in 2001 and all the women that I trained with there, all the women I met in my officer basic course in our first unit, we always were under pressure to prove that we belonged. It was always the, "Oh, we're going to prove that we can do this and we can do that thing." But it was always earning your place and proving you belonged, which was a heck of a lot of pressure.

Women in Tech Experience a Lot of Pressure

Carolyn: Yes, the first has to be better, stronger, the first always has to. So what about you, Jazmin? Are you going to admit anything?

Jazmin: Well, I can't actually think of any examples but I know it has happened to me. And I don't think anyone ever perfects the self-policing of the agency. Check yourself before you make statements. But as long as the intent is there and the effort, at least, in some regard have measured. And the progress is being seen and being able to proactively catch things before you say something. Or recognize that a topic may not be the best one, maybe there's another topic to bring up, it's great.

I think in my previous job I didn't really appreciate the role that a person that's put in a leadership position or authority has over that culture. It's the little things that a leader does. The topics they bring up, the things that they decide to talk about just in a forum. What topic? Are you just going to talk about one topic all the time? Maybe sports, the stereotypical one. Who are you leading? Get to know them. What are the things that they're interested in and then as a leader, make sure that you can represent your team and their interests, and talk to them and connect to them in a way that is more comfortable for them.

So when I was at Kessel and I actually saw that quite a bit. There's a lot of these cultures that are pushing for psychological safety and the training that comes with it. And seeing it more in the workplace, making me more aware, it makes me take a look, "Oh, what are things I said before."

An Environment of Psychological Safety

Jazmin: And I'm still trying to think of an example but nothing comes to mind right now. But yes, I think those trainings have been really great because the people in specific roles have a big part to play in that.

Kris: Jazmin, if I can jump on one of the things you said about talking about the same topics all the time and here's how people connect. We've talked about that a lot in the return to the office, the people who are pressing for it and the people who aren't. A lot of the people who are pressing for it, we're finding some commonalities in the ways that they want to connect. And a lot of the workforce that they have who doesn't want to come back hasn't connected with what they feel like that office culture is.

So I think when you start talking about providing an environment of psychological safety and providing an office identity that people can connect to. How do we connect ourselves with that culture? We really have to think about that if we want people to maintain that connection, both remotely and when they come back to the office. Or if they come back to the office. I'm a big proponent of remote work. I just have to throw that in there.

Jazmin: Yes, and definitely it has to be very proactive. It's a lot of work to do that. And it takes people out of their comfort zones to push for certain topics, push for events, push for these kinds of forums to happen. It doesn't just happen by itself, you can't just will it. So yes, it's really great to hear.

Women in Tech Fostering Change

Carolyn: So I'm going to put us all on the spot a little bit to foster this change. Because the truth is, at a macro level we are still grossly in the minority. So what have we done personally to help foster this change? Maybe an easier question is what have you seen leaders do to help foster this change or have they? Or are we still missing this? So, Kris, I know this is a focus for you because it's your job. What do you recommend? What's happening?

Kris: Are we talking about just making more opportunities, more mentorship? I'm going to guess, all.

Carolyn: All of it, is that where we start, just making more opportunities and how do we do that? I think what we're doing right now is an important thing because we're talking about it.

Kris: I think we're talking about it and we have three women in tech in this conversation who have been eminently successful in their own domains. And we've all been in domains where there's not a whole heck of a lot of us. We've had mentors who are male who have come in, who have seen something in us. Who have seen those qualities and have provided advice, who have provided guidance.

And every time, at least lately since I've been more aware of it, I've had a mentor provide that guidance. I've encouraged them to think about, "Why are you providing me that guidance? Is it because of this particular thing, that particular thing?" Let's reach out and look at all the people you have in your mentorship circle and figure out who's not there. What are the other kinds of opportunities?

Pulling Other Women in Tech Into the Circle

Kris: And I've started learning to ask myself, I need to be better about it, it's like, "Who else can I pull into that circle?"

Carolyn: So are you mentoring then? Even officially, unofficially, you find people to mentor as well.

Kris: I do. I've had a lot of people talk to me. Because I work in a very interesting niche. There are a lot of people who try to figure out what exactly my job categories are. Because we're doing all the things, people analytics, we're doing talent management for the Army's data workforce. We're doing data education and there's been a lot of focus on just, "Who's going to take over the programs? Who's coming up?" Because they know at some point or another I'm going to retire. I'm going to go do something else. And I'm going to go start other projects. I'm going to try to carry on the somewhat entrepreneurial frame that I've looked at things in the Army with some other venture.

So I look around like, "Okay, who's coming up? Who's got interest in some of the same projects I'm working on? Who really wants to foster change? How can I bring them in and get them some of those connections and get them some of the experiences working with the different types of projects and project leads and leaders." And as I'm doing that I really want to make sure that I'm bringing in all of those perspectives. That I'm bringing in not just more of the same. Because we want new perspectives. We as an organization have said very emphatically that we want change. Now we just need to prove it by bringing in people who can make the change and who see things differently.

Good Mentor vs Bad Mentor

Carolyn: Well I love that you have a mentor and that you are mentoring. Jazmin, have you had mentors, male or female? Do you participate in some official or unofficial mentoring?

Jazmin: So I have had quite a few great mentors. I've had a couple of pretty bad supervisors take on leadership roles. I think what has distinguished them is the good mentors, the people that I really look up to, listen. They figure out what motivates me. They really try to find what am I really looking for out of my career. And they don't look at what can I provide to their organization right now. That makes all the difference when you're not seen as just someone that outputs and delivers products.

I think the people that have been great mentors look at the potential that I can provide in the long term. And that being able to give me those opportunities that feed my own personal and professional growth does both things. It both helps myself and it helps the organization. Because I'm being put in the best capacity and being put to best use in the organization.

So like I said, I've had the opposite as well where folks are just, how do I say this? I am in this organization for two years. As much time as they can put into me doing that one and one job only, and my scope is this big, there's no way for me to say anything else around it. Because that role is really important to the organization and they need me to do X, Y, Z. And those are positions that I do not thrive in.

Women in Tech Are Helping Each Other

Jazmin: But from a mentorship or from a supervisory standpoint, if you don't get to know your people then you're going to realize the limitations that you put on yourself and your organization as a result, so, yes. In terms of me mentoring other people, I have found LinkedIn to be great. This is not a plug but it's the only way actually that I get to talk to people outside of my realm here. There are some events that I'll speak at via recruiting events or...

","summary":null,"date_published":"2022-04-13T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/c2233982-aa20-44ba-8804-df85de6cda14.mp3","mime_type":"audio/mpeg","size_in_bytes":34771204,"duration_in_seconds":2482}]},{"id":"1cbcca05-5566-4315-883d-2325fbebd374","title":"Episode 30: Monitor Applications with Empathy with Bill James","url":"https://techtransforms.fireside.fm/30","content_text":"What does it mean for an agency to monitor applications with empathy to achieve successful mission outcomes? Bill James is the President of Federal Business LLC and FedSmarts LLC. He is also a former Deputy Assistant Secretary of Development and Operations in the Office of Information and Technology at the Department of Veterans Affairs. He joins Carolyn and Mark to talk about the importance of application monitoring, culture, and empathy when executing a mission. Episode Table of Contents[00:30] Introducing Our Guest, Bill James[09:29] The Onus of the User Experience[20:33] Applications Monitoring Is Integrated into the VA ProcessEpisode Links and ResourcesBill JamesFedSmarts LLCFederal Business LLCDepartment of Veterans AffairsIntroducing Our Guest, Bill JamesCarolyn: So today, our guest is Bill James. He is president of Federal Business LLC. In his previous role as Deputy Assistant Secretary of Development and Operations in the office of Information and Technology at the Department of Veterans Affairs, Bill led the VA's largest information technology organization to deliver enterprise-wide technology products and services to veterans. He has been able to carry those skills into his current role as president of Federal Business LLC. And today, we're going to get Bill's perspective on why Application Performance Monitoring or APM is no longer a luxury, but a necessity. And he just recently put out a blog that, I'm going to nerd out here, I really like the blog. 
It's easy to understand.One of the things he says in it, or some of the perspectives we're going to get from him, is how APM for VA software applications is necessary now and critical for the future. And how it helps the VA, and I'm going to throw in there, like any organization, any agency, avoid or recover from outages, increase VA OIT productivity and observability, offer insights into investments needed for innovation and understand and improve the customer experience of veterans. I love that last bit. The customer experience. Bill: Thank you very much, Carolyn and Mark. I'm really happy to be here today, and you've touched one of my hot buttons. I'm really interested in all of it, how the technology ultimately relates and improves the end-user experience. Specifically and particularly, our veterans. And that's why I loved working at the VA so much.Focus On Veterans’ ExperienceCarolyn: Well, and that topic I feel like is especially timely Mark. Especially with the presidential executive order around user experience. I mean, you're kind on the cutting edge, Bill. I mean, you've been doing this before it was cool. You've been worried about the customer experience.Bill: That's right. I grew up as a programmer, a coder, and as a mathematician. It was always interesting to me how we could build a code and write it. And we thought our job was done when we hit the end card, back in the day when we had punch cards. But that wall, was frankly was a false wall, and what we never thought through, I think clearly enough into what that code actually did for the end-user. So I think with the new executive order and clearly the focus on the veterans' experience in the VA, that wall came crumbling down for me particularly. It was really a great place to work and a great place to exercise this whole idea of customer experience from the IT perspective specifically.Carolyn: We're definitely going to dive more into that. 
Before we go there, for our listeners that may not be as familiar with application performance monitoring or APM, will you give us a quick definition of what that is?Bill: Yes. It's the heartbeat of your systems, and specifically of software. So, many folks have gone to the doctor or seen these electrocardiograms, where they put these things on your chest and you have the little needle that draws how your heartbeat beat is beating. What Is Application Performance MonitoringBill: Software needs that very same type of telemetry, where it can show everybody it's alive, it's working, it's working well. And then you can also take that very same monitoring capability and say, \"Well, okay, fine. You think your software's working well in the black little box, how is the user experiencing it?\"So your software may be working, but the user network may be down so the user can't see the software, even if the software's running. This end to end understanding of what is working and how does it relate through all of the layers of technology to the end-user, and having the tools that really give you a dashboard to allow you to see that from a management perspective, see that monitoring data from a management perspective, that's APM. So in my view, it's the software EKG.Mark: I think this is a very fascinating topic, not just because we work at Dynatrace, but because of what you've said and what I've read in your articles. I have seen resistance across other agencies, to adopt and to look at the world the way that you have described it. Why is that happening? Can you help us understand why we see this across other agencies?Bill: I think that a lot of it is cultural. I used to say, and I still believe this, that DevOps equals empathy. And it's not just empathy for the end-user, but Dev and Ops, and the other phrase, DevSecOps, the development, the security, and the operations, grew up as stovepipes in the IT world. 
Empathy: Monitor Applications and Care About Your NeighborBill: And they still operate that way in a lot of ways. So empathy means you care about your neighbor. You care about the other parts of your organization and you obviously very much so, care about the end-user. I think every organization, every federal agency, every company, needs to first of all, think about who your customers are. But secondly, internally, think about, how can our culture be inclusive and empathetic in the sense that, I don't live in a stovepipe, everything that I do affects somebody else.It's more than just soft words because you can measure that and you should be able to monitor that. Which takes us right back down to, from a software perspective, the application performance monitoring. I want the software folks to care at three o'clock in the morning, if their software application goes down, I want them to be the first one to get the phone call, \"Hey, your code broke.\" And then the blog, I quoted my YBI YOI \"You built it, you own it, right?\" You don't drop and run. Once you build that code, you own it forever. And not only do you own it, but you own it with your partners, the security partners, and the operations partners. So I think APM gives that foundation for everyone to share a common view of what's going on. Therefore it begins to break down those stovepipes.Carolyn: That goes back to what I mentioned before. One of the most important benefits to me of the DevSecOps is that everybody becomes responsible for that user experience. We take the onus off of the user. You gave an analogy of the airline pilot. I'm going to let you share that analogy.The Aha Moment to Monitor ApplicationsBill: Yes. 
So the idea is, imagine if you were a passenger on an airline and the pilot announced \"I have no instruments in the cockpit, so please let me know if one of our engines stopped running.\" You're asking the passengers to let you know, because \"Hey, I'm flying blind and I sure hope everything works out, but if it doesn't, please let me know.\" I mean, that's silly. But that's how IT used to work, and to a large degree, in VA, it's very different now, we've changed, come a long way. But we have plenty of instruments that monitored networks and plenty of instruments that monitored computers. And of course, we had thermometers and data centers. We have all sorts of instrumentation around the computing part, but we didn't have much instrumentation or monitoring on the software part.So the ops had a lot of instrumentation, not so much the Dev, not so much the applications. And so, when we came up to the delivery of the software supporting the mission act in June of 2019, I was nervous. Because we didn't have what we needed from a software monitoring perspective. We scrambled and cobbled together, a lot of things, but it's come a long way since then. And that was that aha moment for me really, it's the, \"Oh my gosh. We don't have the instrumentation, the monitoring observability that we need on this code.\"Carolyn: Well, I love what you say in the blog. I'm just going to read directly from the blog here. The software folks needed to feel like they were part of a larger team, the mission, right?Bill: Yes.The Onus of the User ExperienceCarolyn: That was responsible for the end-users experience. So we take the onus off of the passengers, to let me know if there's an engine out and we own that. And it seems like, especially within government, the onus of the user experience has been on the end-user a lot and partly because where else are they going to go, right?Bill: Exactly right. 
Trouble tickets, that was the way that the software folks knew when their application was down, was when a trouble ticket was issued by a user. \"Hey, this is not working.\" And so it's like the pilot, when a passenger, raises his hand, \"Hey, one of the engines is out.\" That shouldn't be the first time you hear that. You should beat your users to the punch in terms of knowing what's going down when a disc drive is filling up or when some application is having problems and it has to be taken the entire perspective, from the code to the end-user. We have to be observant of what's going on. And so exactly right. It's really, really critically important that we take measure of what's happening in our infrastructure and how our users are affected.Carolyn: So, you mentioned that at the VA, you saw a lack of APM, the lack of APM exposed a cultural crack. What do you mean by that? Unpack the cultural crack that you saw?Missing to Monitor Applications May Result in Cultural CrackBill: Right. So as the deputy secretary for DevOps, I saw both sides. I saw the development and then I saw the operations. And when you have a lot of the metrics and the instrumentation on the ops side, and very little on the dev side, to me, it exposes a responsibility gap. And to your point, this is a joint responsibility and the whole idea of product management, which is something that the VA has pivoted to as opposed to project management, when you move to product management. That product idea includes everybody, your user, the inside developers, your operations. It is the manifestation in a lot of ways of this DevOps or agile way of life and way of developing and operating code. So the cultural divide that I saw was that the software folks and I'm one of them by the way, would write the code, and what I call drop and run. They'd write the code and they would expect the operations teams to run it. 
Well, that's great.And when things break, the software folks are the ones, in some cases, if there's a bug or some security exposure or something, they're the ones that get called. But the responsibility was pretty much on the operations side of the fence. So from a cultural perspective, I wanted to balance that. So everybody had a role, Dev, Ops and the user, nothing like having a great champion, a business champion who owns the operational responsibility of the outcomes, for example, of a specific piece of software. But if you have that great team and they're bound together, that's the essence of a product team, as opposed to a project team where you have milestones and you have an end, right? We’re All in This TogetherBill: Every project has an end, but that's not, in the software business, that's exactly the point. It does not end. You as a project manager for building an application, you build the application, and your responsibility doesn't end there and you get to move on to another project.Yes. You get to move on to another project, but your responsibility for the previous project does not end. It endures. And you are now part of a team with the operations and the security and the end-user, to make sure that the end-user experience is good and frankly, great.So that idea that we're all in this together, that we are a holistic team, not just chunks or pieces in a series of milestones, or that we are all in it together, forever together in service of the veterans. So that's a very passionate thing about anybody who works at the VA. Everybody that has heard me talk about that before, that working at the VA is like no other agency. Their purpose is so clear, like no other company, and it's so noble. You feel good about working there and you get passionate about providing the services to the veterans that they've earned. 
So when you tie that fantastic noble objective, with the toolsets and the culture being able to deliver it, it's just a fantastic experience for me.The Culture in the Veterans AffairsMark: Bill, do you feel like, obviously the culture helps with the mission because your end users are veterans and you want to support veterans, et cetera. So, I completely get that. Do you think having everything under your purview when you were there, helped make that happen, as opposed to maybe some other organizations within government?Bill: Yes. I think yes. And I don't get the credit for that. We have some fantastic leadership, that moves VA in that direction. Frankly, we had some fantastic technology support. VA has a great digital service team there. They brought a lot of great new ideas. APM was one of them. I give them credit for that. My friend, Steve Vito says, \"Lead with your ears, not with your mouth. Everybody was born with two ears, one mouth, use them in that ratio.\" But in order to adopt those ideas, you have to be open to listening to them. Then from that perspective, having a DevOps organization, now it's DevSecOps organization, you do have all the levers in front of you to knit the culture and the toolsets and the objectives together. Frankly, that was really one of the reasons why we could do what we were able to do in VA and why they've continued to move ahead in a lot of great ways since that point. I think a lot of other agencies, they absolutely should look at this DevOps model or the DevSecOps model and consider that. The other thing that's different that the VA had, that all the other agencies don't, is that we have a strong CIO in the VA, and they had the financial accountability and authority that was viewed in the CIO role, by the Clinger-Cohen Act. The Challenge to Monitor Applications in DoDBill: A lot of other agencies don't have that single accountability from a budget perspective. 
So when you have the culture, you have the purpose and you have the ability to control the finances with a single governance model, that makes your life a whole lot easier. A lot of agencies don' have those very same authorities and powers imbued into the organization. So I think those are all necessary pieces of the puzzle.Mark: Do you think that your colleagues on the DoD side of the house struggle with that? Because there's not that connection between the DevSecOps side of the house and maybe the mission owner, you wouldn't say line of business, but the mission owner?Bill: I think so. As an IT person, it's hard, like in the DoD, for you to see the outcomes of your activity. So you might be writing a line of code, and maybe if you're in the air force, for example, you may have six or seven layers removed from still on target or some mission outcome. So it can be more difficult in organizations like DoD than in an agency like VA where the purpose is so absolutely very clear and crystal clear. We build kiosks or at least the software for kiosks that our veteran touches. That's very close to you as an IT person and you can see the outcomes directly, not so much in DoD, your outcomes are farther away and it's harder for you to see.The Old Waterfall ModelBill: Having said all that. I do believe that the idea of tying your operators and the users, for example, an air force pilot let's take the software person and the hardware, the operations infrastructure person, tying those three legs of the stool together, I think, produces the aha moments that you don't otherwise get when you live in your own little stovepipes. And so I would absolutely recommend that.Mark: When you were on that side of the world, were they creating software factories at that time?Bill: Yes, there were a few software factories, but it was still the old waterfall model. And so the software factories produced code that someone else implemented and operated. 
And so the software factories that the VA is building and a lot frankly, everybody's thinking about the idea of virtual software factories. But if you do that in an agile sense, in a DevOps sense, you get very different outcomes. So let's build something today, that's fully instrumented and fully secure. But let's build and deliver something today as opposed to plan to deliver something perfect, maybe never. So the whole waterfall model I think really builds and frankly constructs a lot of these cultural boundaries that we try to erase in the DevOps. And so, back to the APM, it doesn't matter what you build, and it doesn't matter what process you use if you don't know how it operates. If you have no observability, no insights into whether it's up or down, no understanding if it's alive or Dev. Two in the morning, I want to be able to not literally, but figuratively hear that heartbeat of the application that my code is running. And so it puts a smile on your face and you can sleep comfortably. Applications Monitoring Is Integrated into the VA ProcessBill: But if it's not, I want to be the first to know. So that's a critical piece of operation, frankly. And it's something that ties you as a software builder to the operation in ways that frankly you don't get into in a waterfall model.Carolyn: Do you think that the VA has now baked APM into their process? Like they're using it?Bill: Yes. Policy-wise, yes. Tools wise. Yes, I think culturally, we still, the VA have a way to go. I mean, we made huge progress. I mean it’s night and day difference. But I think there's still a way to go there. The software inventory in a VA is huge. 800 to a thousand applications in the VA software inventory. A lot of that code is legacy code that has been and still works and runs OnPrem. And they still turn out the goods and batched jobs like it has for years. So now you've got these applications. 
And I think a lot of agencies do these applications that are very successful in what they do and what they accomplish. How do you go back into those and introduce modern tools? Say like APM, how do you move, what I call the electronic alligator clips? How do you attach those to these old legacy...","content_html":"

What does it mean for an agency to monitor applications with empathy to achieve successful mission outcomes? Bill James is the President of Federal Business LLC and FedSmarts LLC. He is also a former Deputy Assistant Secretary of Development and Operations in the Office of Information and Technology at the Department of Veterans Affairs. He joins Carolyn and Mark to talk about the importance of application monitoring, culture, and empathy when executing a mission.

Introducing Our Guest, Bill James

Carolyn: So today, our guest is Bill James. He is president of Federal Business LLC. In his previous role as Deputy Assistant Secretary of Development and Operations in the office of Information and Technology at the Department of Veterans Affairs, Bill led the VA's largest information technology organization to deliver enterprise-wide technology products and services to veterans.

He has been able to carry those skills into his current role as president of Federal Business LLC. And today, we're going to get Bill's perspective on why Application Performance Monitoring or APM is no longer a luxury, but a necessity. And he just recently put out a blog that, I'm going to nerd out here, I really like the blog. It's easy to understand.

One of the things he says in it, or some of the perspectives we're going to get from him, is how APM for VA software applications is necessary now and critical for the future. And how it helps the VA, and I'm going to throw in there, like any organization, any agency, avoid or recover from outages, increase VA OIT productivity and observability, offer insights into investments needed for innovation and understand and improve the customer experience of veterans. I love that last bit. The customer experience.

Bill: Thank you very much, Carolyn and Mark. I'm really happy to be here today, and you've touched one of my hot buttons. I'm really interested in all of it, how the technology ultimately relates and improves the end-user experience. Specifically and particularly, our veterans. And that's why I loved working at the VA so much.

Focus On Veterans’ Experience

Carolyn: Well, and that topic I feel like is especially timely, Mark. Especially with the presidential executive order around user experience. I mean, you're kind of on the cutting edge, Bill. I mean, you've been doing this before it was cool. You've been worried about the customer experience.

Bill: That's right. I grew up as a programmer, a coder, and as a mathematician. It was always interesting to me how we could build a code and write it. And we thought our job was done when we hit the end card, back in the day when we had punch cards.

But that wall, frankly, was a false wall, and what we never thought through, I think clearly enough into what that code actually did for the end-user. So I think with the new executive order and clearly the focus on the veterans' experience in the VA, that wall came crumbling down for me particularly. It was really a great place to work and a great place to exercise this whole idea of customer experience from the IT perspective specifically.

Carolyn: We're definitely going to dive more into that. Before we go there, for our listeners that may not be as familiar with application performance monitoring or APM, will you give us a quick definition of what that is?

Bill: Yes. It's the heartbeat of your systems, and specifically of software. So, many folks have gone to the doctor or seen these electrocardiograms, where they put these things on your chest and you have the little needle that draws how your heartbeat is beating.

What Is Application Performance Monitoring

Bill: Software needs that very same type of telemetry, where it can show everybody it's alive, it's working, it's working well. And then you can also take that very same monitoring capability and say, "Well, okay, fine. You think your software's working well in the black little box, how is the user experiencing it?"

So your software may be working, but the user network may be down so the user can't see the software, even if the software's running. This end to end understanding of what is working and how does it relate through all of the layers of technology to the end-user, and having the tools that really give you a dashboard to allow you to see that from a management perspective, see that monitoring data from a management perspective, that's APM. So in my view, it's the software EKG.

Mark: I think this is a very fascinating topic, not just because we work at Dynatrace, but because of what you've said and what I've read in your articles. I have seen resistance across other agencies, to adopt and to look at the world the way that you have described it. Why is that happening? Can you help us understand why we see this across other agencies?

Bill: I think that a lot of it is cultural. I used to say, and I still believe this, that DevOps equals empathy. And it's not just empathy for the end-user, but Dev and Ops, and the other phrase, DevSecOps, the development, the security, and the operations, grew up as stovepipes in the IT world.

Empathy: Monitor Applications and Care About Your Neighbor

Bill: And they still operate that way in a lot of ways. So empathy means you care about your neighbor. You care about the other parts of your organization and you obviously very much so, care about the end-user.

I think every organization, every federal agency, every company, needs to first of all, think about who your customers are. But secondly, internally, think about, how can our culture be inclusive and empathetic in the sense that, I don't live in a stovepipe, everything that I do affects somebody else.

It's more than just soft words because you can measure that and you should be able to monitor that. Which takes us right back down to, from a software perspective, the application performance monitoring. I want the software folks to care at three o'clock in the morning, if their software application goes down, I want them to be the first one to get the phone call, "Hey, your code broke."

And then the blog, I quoted my YBI YOI "You built it, you own it, right?" You don't drop and run. Once you build that code, you own it forever. And not only do you own it, but you own it with your partners, the security partners, and the operations partners. So I think APM gives that foundation for everyone to share a common view of what's going on. Therefore it begins to break down those stovepipes.

Carolyn: That goes back to what I mentioned before. One of the most important benefits to me of the DevSecOps is that everybody becomes responsible for that user experience. We take the onus off of the user. You gave an analogy of the airline pilot. I'm going to let you share that analogy.

The Aha Moment to Monitor Applications

Bill: Yes. So the idea is, imagine if you were a passenger on an airline and the pilot announced "I have no instruments in the cockpit, so please let me know if one of our engines stopped running." You're asking the passengers to let you know, because "Hey, I'm flying blind and I sure hope everything works out, but if it doesn't, please let me know." I mean, that's silly.

But that's how IT used to work, and to a large degree, in VA, it's very different now, we've changed, come a long way. But we have plenty of instruments that monitored networks and plenty of instruments that monitored computers. And of course, we had thermometers and data centers. We have all sorts of instrumentation around the computing part, but we didn't have much instrumentation or monitoring on the software part.

So the ops had a lot of instrumentation, not so much the Dev, not so much the applications. And so, when we came up to the delivery of the software supporting the mission act in June of 2019, I was nervous. Because we didn't have what we needed from a software monitoring perspective. We scrambled and cobbled together, a lot of things, but it's come a long way since then. And that was that aha moment for me really, it's the, "Oh my gosh. We don't have the instrumentation, the monitoring observability that we need on this code."

Carolyn: Well, I love what you say in the blog. I'm just going to read directly from the blog here. The software folks needed to feel like they were part of a larger team, the mission, right?

Bill: Yes.

The Onus of the User Experience

Carolyn: That was responsible for the end-user's experience. So we take the onus off of the passengers, to let me know if there's an engine out and we own that. And it seems like, especially within government, the onus of the user experience has been on the end-user a lot and partly because where else are they going to go, right?

Bill: Exactly right. Trouble tickets, that was the way that the software folks knew when their application was down, was when a trouble ticket was issued by a user. "Hey, this is not working." And so it's like the pilot, when a passenger, raises his hand, "Hey, one of the engines is out." That shouldn't be the first time you hear that.

You should beat your users to the punch in terms of knowing what's going down when a disc drive is filling up or when some application is having problems and it has to be taken the entire perspective, from the code to the end-user. We have to be observant of what's going on.

And so exactly right. It's really, really critically important that we take measure of what's happening in our infrastructure and how our users are affected.

Carolyn: So, you mentioned that at the VA, you saw a lack of APM, the lack of APM exposed a cultural crack. What do you mean by that? Unpack the cultural crack that you saw?

Missing to Monitor Applications May Result in Cultural Crack

Bill: Right. So as the deputy secretary for DevOps, I saw both sides. I saw the development and then I saw the operations. And when you have a lot of the metrics and the instrumentation on the ops side, and very little on the dev side, to me, it exposes a responsibility gap.

And to your point, this is a joint responsibility and the whole idea of product management, which is something that the VA has pivoted to as opposed to project management, when you move to product management. That product idea includes everybody, your user, the inside developers, your operations. It is the manifestation in a lot of ways of this DevOps or agile way of life and way of developing and operating code.

So the cultural divide that I saw was that the software folks and I'm one of them by the way, would write the code, and what I call drop and run. They'd write the code and they would expect the operations teams to run it. Well, that's great.

And when things break, the software folks are the ones, in some cases, if there's a bug or some security exposure or something, they're the ones that get called. But the responsibility was pretty much on the operations side of the fence. So from a cultural perspective, I wanted to balance that. So everybody had a role, Dev, Ops and the user, nothing like having a great champion, a business champion who owns the operational responsibility of the outcomes, for example, of a specific piece of software.

But if you have that great team and they're bound together, that's the essence of a product team, as opposed to a project team where you have milestones and you have an end, right?

We’re All in This Together

Bill: Every project has an end, but that's not, in the software business, that's exactly the point. It does not end. You as a project manager for building an application, you build the application, and your responsibility doesn't end there and you get to move on to another project.

Yes. You get to move on to another project, but your responsibility for the previous project does not end. It endures. And you are now part of a team with the operations and the security and the end-user, to make sure that the end-user experience is good and frankly, great.

So that idea that we're all in this together, that we are a holistic team, not just chunks or pieces in a series of milestones, or that we are all in it together, forever together in service of the veterans. So that's a very passionate thing about anybody who works at the VA. Everybody that has heard me talk about that before, that working at the VA is like no other agency. Their purpose is so clear, like no other company, and it's so noble.

You feel good about working there and you get passionate about providing the services to the veterans that they've earned. So when you tie that fantastic noble objective, with the toolsets and the culture being able to deliver it, it's just a fantastic experience for me.

The Culture in the Veterans Affairs

Mark: Bill, do you feel like, obviously the culture helps with the mission because your end users are veterans and you want to support veterans, et cetera. So, I completely get that. Do you think having everything under your purview when you were there, helped make that happen, as opposed to maybe some other organizations within government?

Bill: Yes. I think yes. And I don't get the credit for that. We have some fantastic leadership, that moves VA in that direction. Frankly, we had some fantastic technology support. VA has a great digital service team there. They brought a lot of great new ideas. APM was one of them. I give them credit for that.

My friend, Steve Vito says, "Lead with your ears, not with your mouth. Everybody was born with two ears, one mouth, use them in that ratio." But in order to adopt those ideas, you have to be open to listening to them. Then from that perspective, having a DevOps organization, now it's DevSecOps organization, you do have all the levers in front of you to knit the culture and the toolsets and the objectives together. Frankly, that was really one of the reasons why we could do what we were able to do in VA and why they've continued to move ahead in a lot of great ways since that point.

I think a lot of other agencies, they absolutely should look at this DevOps model or the DevSecOps model and consider that. The other thing that's different that the VA had, that all the other agencies don't, is that we have a strong CIO in the VA, and they had the financial accountability and authority that was viewed in the CIO role, by the Clinger-Cohen Act.

The Challenge to Monitor Applications in DoD

Bill: A lot of other agencies don't have that single accountability from a budget perspective. So when you have the culture, you have the purpose and you have the ability to control the finances with a single governance model, that makes your life a whole lot easier. A lot of agencies don't have those very same authorities and powers imbued into the organization. So I think those are all necessary pieces of the puzzle.

Mark: Do you think that your colleagues on the DoD side of the house struggle with that? Because there's not that connection between the DevSecOps side of the house and maybe the mission owner, you wouldn't say line of business, but the mission owner?

Bill: I think so. As an IT person, it's hard, like in the DoD, for you to see the outcomes of your activity. So you might be writing a line of code, and maybe if you're in the air force, for example, you may have six or seven layers removed from still on target or some mission outcome. So it can be more difficult in organizations like DoD than in an agency like VA where the purpose is so absolutely very clear and crystal clear. We build kiosks or at least the software for kiosks that our veteran touches. That's very close to you as an IT person and you can see the outcomes directly, not so much in DoD, your outcomes are farther away and it's harder for you to see.

The Old Waterfall Model

Bill: Having said all that. I do believe that the idea of tying your operators and the users, for example, an air force pilot let's take the software person and the hardware, the operations infrastructure person, tying those three legs of the stool together, I think, produces the aha moments that you don't otherwise get when you live in your own little stovepipes. And so I would absolutely recommend that.

Mark: When you were on that side of the world, were they creating software factories at that time?

Bill: Yes, there were a few software factories, but it was still the old waterfall model. And so the software factories produced code that someone else implemented and operated. And so the software factories that the VA is building and a lot frankly, everybody's thinking about the idea of virtual software factories. But if you do that in an agile sense, in a DevOps sense, you get very different outcomes.

So let's build something today, that's fully instrumented and fully secure. But let's build and deliver something today as opposed to plan to deliver something perfect, maybe never. So the whole waterfall model I think really builds and frankly constructs a lot of these cultural boundaries that we try to erase in the DevOps.

And so, back to the APM, it doesn't matter what you build, and it doesn't matter what process you use if you don't know how it operates. If you have no observability, no insights into whether it's up or down, no understanding if it's alive or dead. Two in the morning, I want to be able to not literally, but figuratively hear that heartbeat of the application that my code is running. And so it puts a smile on your face and you can sleep comfortably.

Applications Monitoring Is Integrated into the VA Process

Bill: But if it's not, I want to be the first to know. So that's a critical piece of operation, frankly. And it's something that ties you as a software builder to the operation in ways that frankly you don't get into in a waterfall model.

Carolyn: Do you think that the VA has now baked APM into their process? Like they're using it?

Bill: Yes. Policy-wise, yes. Tools-wise, yes. I think culturally, we still, the VA, have a way to go. I mean, we made huge progress. I mean it's night and day difference. But I think there's still a way to go there. The software inventory in the VA is huge. 800 to a thousand applications in the VA software inventory. A lot of that code is legacy code that has been and still works and runs OnPrem. And they still turn out the goods and batched jobs like it has for years.

So now you've got these applications. And I think a lot of agencies do these applications that are very successful in what they do and what they accomplish. How do you go back into those and introduce modern tools? Say like APM, how do you move, what I call the electronic alligator clips? How do you attach those to these old legacy...

","summary":null,"date_published":"2022-04-06T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/8a8b984d-14cf-490a-adf5-ed6d03f6f684.mp3","mime_type":"audio/mpeg","size_in_bytes":28047543,"duration_in_seconds":2002}]},{"id":"cf73118b-18b9-48ec-9502-3ca72653d60d","title":"Episode 29: Consolidation, Innovation and Perspective with Eric Trexler","url":"https://techtransforms.fireside.fm/29","content_text":"Consolidation, innovation, and perspective all need to work together in government IT according to Eric Trexler, VP of Global Governments and Critical Infrastructure Sales at Forcepoint. IT acts as an enabler of business in the challenging landscape of government technology. Listen in to find out what Eric believes the United States IT space should be focusing on in order to stay ahead of the adversaries. Episode Table of Contents[00:25] All About Innovation with Eric Trexler[10:39] An Enabler of the Business[18:27] We Haven’t Seen Consolidation[21:37] Choosing Fiefdom Over Consolidation and Innovation[27:49] The Commercial Component of Innovation[32:32] There Are Productivity Gains Out of InnovationEpisode Links and ResourcesEric TrexlerForcepointTo the Point Cyber SecurityThink AgainThe GeneralsAll About Innovation with Eric TrexlerCarolyn: Today, our guest is Eric Trexler, Vice President of Global Governments and critical infrastructure at Forcepoint. Eric is an expert in the technology industry with more than 25 years of experience with both the public and private sectors. And Eric and I used to host To The Point Cybersecurity podcast together. So today is actually a real treat for me to see your face again, Eric. So, good morning.Eric: Good morning. And it's bizarre being back on the air with you, Carolyn.Carolyn: So, today, we're going to talk about the perplexing and growing cost of cybercrime and how we can shift the paradigm. 
But before we jump into that, Eric, you have actually a pretty fascinating background. So, can you just tell us a little bit about your journey?Eric: My journey in IT? Or where would you like me to start?Carolyn: Let's not go all the way back to birth. Let's start at your Airborne Ranger days. How about that? And then how you got to where you are today. So yes, technology.Eric: So, I was an aimless kid at about 17 with no potential to pay for college. No easy path at the time. And I said, I'm joining the army against my mother's wishes to become an Airborne Ranger.The Requirement to Be a Navy SEALCarolyn: At 17?Eric: Yes. She had to sign the paperwork so I could join the delayed entry program. The military throws at you when you have a high ASVAB score, that's the entrance. And I had a high ASVAB score. So, I saw the Navy and they wanted me to be a nuclear engineer. And I just wanted to be a Navy SEAL back in the day before people knew what the Navy SEALs were. But you had to pick a rating, I believe they call it in the Navy. So, I'm sitting in front of the recruiter, and he's like, \"Okay, but what do you want to do?\" And I'm a dumb kid, I'm 17 years old. \"I want to be a Navy SEAL.\" \"Well, you can't do that. You have to have a rating. You have to have this skill at trade.\" And nothing, absolutely nothing was interesting to me.So, I left. I went to the army recruiter and enlisted. Because they'd let me be an airborne, I was unassigned airborne, technically. How I became an Airborne Ranger? I didn't want to be normal and I was in jump school and talked to a gentleman and I didn't want to wear chemical gear. This was right at the end of the first Gulf War, and everybody was running around in MOPP suits. If you remember that MOPP suits? Hot, heavy, you can't see.MOPP GearMark: You can't breathe.Eric: Same reason I didn't want to be in a tank or a ship or a plane. I wanted to be on my feet and I wanted to be able to move. 
And I was like, \"I don't want to wear MOPP gear.\" The guy said, \"Here's what you do.\" And that's what I did. So, I literally made the choice because I did not want to wear a helmet and I didn't want to wear MOPP gear.Carolyn: You sound like my six-year-old niece, how she chooses what she wants to do is whatever that doesn't require shoes.Eric: I was probably about as evolved at that point in time. Mark, you know what it's like to be a 17-year-old boy. I mean, you're really pretty low on the intelligent decision-making maturity scale, right?Mark: Maturity scale.Eric: I mean, you're just not there. It was a great choice and it's how I got into IT. Because in about '92 or so I started building computers. And we got a computer in probably '94. The first computer in my unit to run, just to manifest for drops, exercises. It was literally an electronic typewriter, the way these guys thought about it. I’m with a bunch of infantrymen. I was the only guy in the unit who had new computers, the only guy, I built them for gaming. So, I volunteered for college. I said, \"If you allow me to set up college courses for the detachment, 60 person volunteer detachment I was in, I will work in the operations department with a computer.\" And that's what I did and my career just took off from there.The Journey From Army to UniversityCarolyn: How long were you in the army?Eric: Four years, 17 weeks, and I think four days or something with my contract.Carolyn: And then where did you go?Eric: University of Maryland. So, it was a great ride. It was even before the amazing benefits the government gives you in the GI Bill today. The GI Bill in army college plan to go to a college fund. It was like $28,000 for four years of service. That was the optimal breakpoint. You could do five or six, but you really didn't get a lot. You got to like 32,000. 
And my goal was to go to college.Mark: Did you go to college full time or did you kind of dual shift at school and work at the same time?Eric: So, I probably got about a year in the military when I moved into operations and ran, I didn't run but I did a lot of the operations work with a couple of V6s. At the time I was an E-5. But then, when I went to college, I went full time and I worked somewhere about 40 hours a week. I had a kid. My first son was born at 20. So, I'm out of the military at about 22, and I had to keep the lights on. And I had to get my college education and get moving. So, I was working full time and I was working and I was going to school. I was doing probably 21 credit hours a semester on average.The Innovation to Get Serious in LifeMark: Yes, that'll make you grow up.Eric: It's interesting. I have three boys and I think the maturity level as you watch them and their friends. Twenty-five is the magic age, in my opinion, plus or minus three years for maturity in boys, that's just Eric's principle here. Unless you have a kid at 20 and you're in the military and you don't have a lot of help. And then, you grow up really quickly. I stopped going to Nashville every weekend for parties and concerts. I stopped drinking. It was time to get serious about life and take on the responsibilities that I had. It was good.Carolyn: What was your first job out of college?Eric: So, I bartended a little bit until I got a job at Microsystems working on, I was a QA test engineer for all of two weeks. I don't think I ever told you this.Carolyn: No, I'm learning new things.Eric: It was absolutely miserable. I was the worst QA test engineer ever. So, I'm IT savvy. I can build computers. I've been building computers for years. I know the Windows operating system. I'm pretty good at what I'm doing for that age and that period of time in life. I couldn't sit still. I kept talking to the developers. 
I'm supposed to sit there and run test routines all day and look, I had a bank of three monitors, and I literally could not sit still. Two weeks later, I was like, \"This isn't working.\" And my boss at the time, I can't remember her last name. It was Melissa. She was awesome. She says, \"You're right.\" And we had customer service problems.From Traditional Apples to AppleEric: So, we took an employee kitchen. We moved a bunch of computers and tables into it. And we became like an R&D faction that helped customer support issues. So, we got all the hardest issues because we sat in R&D. And it worked great for the company. It worked great for the customers, and most importantly, for me. Because I was always talking to people and fixing problems and doing things as opposed to watching automated test scripts build all day. It was the most boring job ever for me. Actually, I sorted apples once for a day and my grandfather was a produce farmer. And he took me to this amazing job. I think it paid four bucks an hour to sort apples, and that was probably worse than the testing, Carolyn.Carolyn: Worse than QA?Eric: Yes, at least with the QA, I have computers.Mark: I thought you were talking about the Apple computers.Eric: No, I'm talking like Macintosh and ROM, and the traditional apples in Pennsylvania. And just moving on a conveyor belt and sorting and checking apples all day was like the most mindless activity and it just did not work for me. But you're getting a lot out of me that I would say many close family members and friends have never even heard.Carolyn: All right. So, which brings us to today. Well, before you came to Forcepoint, were you at McAfee right before Forcepoint?McAfee to ForcepointEric: Yes. So, I worked at Micros and I got my MCSE. I was really good at databases. And I went to Sybase at that point, great database company. I had a friend bring me over. And then, I went to EMC after that and learned storage area networking at the best of the best. 
So, I've got database IT storage background servers, I built them. And then I went to Salesforce.com for a two-year PhD in the CloudThis was a great experience and it was challenging at the same time based on the customers and the sheer growth there. That's all they cared about. So, then I went to McAfee and really took up the InfoSec or cybersecurity side of the business, which I've been doing for the last 12 years and it drives me crazy. Because we get further and further and further behind the adversary.Mark: That's interesting that you bring up the whole Salesforce thing, because they were probably one of the first software service companies that were out there.Eric: Certainly, at scale. And the scale there right now, Mark, is, I was looking the other day. I have a couple of friends there and I had lunch with a friend. I mean, what they're doing today, I could have never imagined in the 2008, 2010 timeframe.An Enabler of the BusinessCarolyn: So, Eric, you and I have been talking about cybercrime, cybersecurity for a while now. And you've written some recent articles, and you've been talking about it. I want to talk about the problem of cybercrime. And you just mentioned that we're getting further and further behind. And when you and I talked earlier, it just reminded me of the Alice in Wonderland quote, when she's in the Red Queen's race and the Red Queen tells her, \"We have to run faster and harder here just to stay in place.\" And Alice is like, \"Well, that's stupid.\" So, let's talk about the massive amounts of money that we're spending on cybercrime and cybersecurity, and what needs to change.Eric: Yes, I can talk to some of that. I certainly do not have the answers on what needs to change. I thought you put that quote in because of me. Because it's actually something that my old CTO and CMO at McAfee wrote in a book called The Second Economy. 
They quote Alice, in that specific quote, in the context of cybersecurity.So, we're just talking about my career, up until 2010, when I really joined cybersecurity, hardcore for the first time. I'd always build things. IT is an enabler of the business, it builds things to make business run better, faster, cheaper, whatever it may be, but it's an enabler of the business. First Mover AdvantageEric: And you're always growing and building things. The problem with cybersecurity is you're getting further and further behind. You're not necessarily building things to make things better. You are kind of putting things together to try to prevent things from getting worse. It's almost the flip side of the coin, if you think of it that way.Mark: Eric, do you think that the fact that we're getting further and further behind is a function of the discipline of cybersecurity and that we're just behind there? Or is it the fact that adversaries like China, Russia, Iran, are investing more? And General IT like encryption quantum computing or artificial intelligence and stuff like that. Is it more a function of that or the discipline of cybersecurity?Eric: I really think it's both, Mark. So, when you understand the rules of the cybersecurity world, the adversary gets first mover advantage. They get to decide every single time how they want to attack you, how often they want to attack you. They essentially get an unlimited number of tries. Because it's risk and treasure. When you look at it, what's the risk versus the opportunity? That's the probability of cyber there and the risk is very low. You don't see a lot of people going to jail, you don't see a lot of people losing money in cybersecurity, you see them gaining. At the nation state level, you don't see a lot of sanctions and things like that, because of cybersecurity action. 
It's almost like there are no red lines, and they're just taken for granted.Innovation and ConsolidationEric: And if we're going to go into a country and surveil their networks, or our adversary steal our IP all the time, it's almost accepted, unfortunately, these days. So, you've got the adversary first-mover advantage, they get as many tries as they want. There are no silver bullets here. And then you look at the defender side, we don't have enough people, depending on who you look at data-wise, where cybersec.org is good. They'll show you we're probably a million-plus people behind on the cybersecurity side of just being able to hire. We don't seem to innovate and that's an interesting comment, if you're me, in an industry that has four or 5000 players.But that leads to my next point, we don't consolidate. The industry really hasn't consolidated. If you look at most of IT, look at storage or I mentioned databases or operating systems or even networking, there are usually two or three key players. We don't have that. And then, when you look at the incentive side of the equation for the defender. If you pick a tool, a cool tool, I'm going to take you back to 2012, sandboxing. Sandboxing was the end all be all as FireEye at the time. Kind of took what was in academic labs and productized it and marketed the hell out of it. Palo Alto did the same thing with the next-gen firewall to iterate on the firewall side. You take a tool that's really hot and really cool as an IT operator, a security operator, and you buy it and bring it into the business while you're doing pretty well.A Quick Innovation of the AdversaryEric: What's the efficacy rate? We're probably not able to measure that as businesses, most people don't care. And you just deployed a cool tool in 2012, called sandboxing. Well, the adversary quickly innovated around that. They had the ability to look for sandboxing, am I running in a virtual machine, is my malware running in a virtual machine. 
They put in things like time delays, which are really easy. The sandbox isn't going to sit there for 30 hours and wait for your malware to activate, it's going to look for it to activate right away. So, I'll just put a seven-day delay in and you can quickly innovate around that. And that's okay. But the defenders aren't any much better for it, let's put it that way.Now, if you're the person on the team who brought in that tool, you can probably go to a bank or another company and say, \"Well, look at my resume. This is exactly what I did. Regardless of effectiveness, I can do the same thing for you and get a huge increase.\" Because we all know or I think most people know, the only people really making money in cyber, in general, are the employees. But if you're on the defender side, if you're on the attacker side, if you're on the vendor side, maybe you could argue government employees aren't making as much as they could be. That would be accurate. But the employees are making the money. A lot of cybersecurity companies still today run at a loss.There’s No Innovation Since 2012Eric: So, we've got all these dynamics in the market that make it a really hostile environment, when as a business owner, or a network, cybersecurity defender or whatever it may be, you're just trying to protect information. You're just trying to protect business. It's a tough space. And it's equally as easy for the adversary. If they want to steal something, if they want to make money, it's a pretty low risk, not so hostile environment. It's perplexed. It's really why I stay here. I'm not an IT anymore. I'm not building things really. We're falling further and further behind. I think there's an answer, but we don't have it yet. And to me, that's the ultimate puzzle that maybe by the end of my life, I'll have some clues to how to solve it. Well, I'm certainly not solving it. Carolyn: So, you said a couple of things that I want you to unpack a little bit for me. 
So, you said in cybersecurity, we don't consolidate. What would that look like if we did? And then, you said something that really got me. You said we don't innovate. Are you suggesting we haven't innovated since the sandbox in 2012?\n\nEric: I'm not, but I'm thinking about it in a maybe a different way.\n\nWe Haven’t Seen Consolidation\n\nCarolyn: What would the consolidation look like?\n\nEric: So, there are four or 5000 companies, right? We haven't consolidated like most of IT, like most businesses do. Michael Porter talks about industry clustering, and we've seen clustering, but we haven't seen consolidation.\n\nMark: If we have, well, half a dozen. We have half a dozen kind of players in our market compared to the cybersecurity space, four or 5000 is crazy.\n\nEric: Pick any space and they're probably 10 to 20 larger organizations. And there are dozens to hundreds of startups. And I think the market drives in that direction with venture capital, the private equity, all the investment, all the hype. The fact that you can launch a product. I mean, Splunk, I don't remember when they even became profitable. They were operating at a major loss. Not to pick on Splunk, there are majority of companies who do this. And look at the stock price and look at how they took off because they were going for market share.\n\nHere I am at the time 2010, I left McAfee in 2018, the beginning of it. We were profitable, I believe the whole time. Not an interesting company, didn't have the funding we wanted to innovate the way we wanted to. It wasn't interesting in the...","content_html":"

Consolidation, innovation, and perspective all need to work together in government IT according to Eric Trexler, VP of Global Governments and Critical Infrastructure Sales at Forcepoint. IT acts as an enabler of business in the challenging landscape of government technology. Listen in to find out what Eric believes the United States IT space should be focusing on in order to stay ahead of the adversaries.

All About Innovation with Eric Trexler

Carolyn: Today, our guest is Eric Trexler, Vice President of Global Governments and critical infrastructure at Forcepoint. Eric is an expert in the technology industry with more than 25 years of experience with both the public and private sectors. And Eric and I used to host To The Point Cybersecurity podcast together. So today is actually a real treat for me to see your face again, Eric. So, good morning.

Eric: Good morning. And it's bizarre being back on the air with you, Carolyn.

Carolyn: So, today, we're going to talk about the perplexing and growing cost of cybercrime and how we can shift the paradigm. But before we jump into that, Eric, you have actually a pretty fascinating background. So, can you just tell us a little bit about your journey?

Eric: My journey in IT? Or where would you like me to start?

Carolyn: Let's not go all the way back to birth. Let's start at your Airborne Ranger days. How about that? And then how you got to where you are today. So yes, technology.

Eric: So, I was an aimless kid at about 17 with no potential to pay for college. No easy path at the time. And I said, I'm joining the army against my mother's wishes to become an Airborne Ranger.

The Requirement to Be a Navy SEAL

Carolyn: At 17?

Eric: Yes. She had to sign the paperwork so I could join the delayed entry program. The military throws at you when you have a high ASVAB score, that's the entrance. And I had a high ASVAB score. So, I saw the Navy and they wanted me to be a nuclear engineer. And I just wanted to be a Navy SEAL back in the day before people knew what the Navy SEALs were. But you had to pick a rating, I believe they call it in the Navy.

So, I'm sitting in front of the recruiter, and he's like, "Okay, but what do you want to do?" And I'm a dumb kid, I'm 17 years old. "I want to be a Navy SEAL." "Well, you can't do that. You have to have a rating. You have to have this skill at trade." And nothing, absolutely nothing was interesting to me.

So, I left. I went to the army recruiter and enlisted. Because they'd let me be an airborne, I was unassigned airborne, technically. How I became an Airborne Ranger? I didn't want to be normal and I was in jump school and talked to a gentleman and I didn't want to wear chemical gear. This was right at the end of the first Gulf War, and everybody was running around in MOPP suits. If you remember that MOPP suits? Hot, heavy, you can't see.

MOPP Gear

Mark: You can't breathe.

Eric: Same reason I didn't want to be in a tank or a ship or a plane. I wanted to be on my feet and I wanted to be able to move. And I was like, "I don't want to wear MOPP gear." The guy said, "Here's what you do." And that's what I did. So, I literally made the choice because I did not want to wear a helmet and I didn't want to wear MOPP gear.

Carolyn: You sound like my six-year-old niece, how she chooses what she wants to do is whatever that doesn't require shoes.

Eric: I was probably about as evolved at that point in time. Mark, you know what it's like to be a 17-year-old boy. I mean, you're really pretty low on the intelligent decision-making maturity scale, right?

Mark: Maturity scale.

Eric: I mean, you're just not there. It was a great choice and it's how I got into IT. Because in about '92 or so I started building computers. And we got a computer in probably '94. The first computer in my unit to run, just to manifest for drops, exercises. It was literally an electronic typewriter, the way these guys thought about it. I’m with a bunch of infantrymen.

I was the only guy in the unit who had new computers, the only guy, I built them for gaming. So, I volunteered for college. I said, "If you allow me to set up college courses for the detachment, 60 person volunteer detachment I was in, I will work in the operations department with a computer." And that's what I did and my career just took off from there.

The Journey From Army to University

Carolyn: How long were you in the army?

Eric: Four years, 17 weeks, and I think four days or something with my contract.

Carolyn: And then where did you go?

Eric: University of Maryland. So, it was a great ride. It was even before the amazing benefits the government gives you in the GI Bill today. The GI Bill in army college plan to go to a college fund. It was like $28,000 for four years of service. That was the optimal breakpoint. You could do five or six, but you really didn't get a lot. You got to like 32,000. And my goal was to go to college.

Mark: Did you go to college full time or did you kind of dual shift at school and work at the same time?

Eric: So, I probably got about a year in the military when I moved into operations and ran, I didn't run but I did a lot of the operations work with a couple of V6s. At the time I was an E-5. But then, when I went to college, I went full time and I worked somewhere about 40 hours a week. I had a kid. My first son was born at 20. So, I'm out of the military at about 22, and I had to keep the lights on. And I had to get my college education and get moving. So, I was working full time and I was working and I was going to school. I was doing probably 21 credit hours a semester on average.

The Innovation to Get Serious in Life

Mark: Yes, that'll make you grow up.

Eric: It's interesting. I have three boys and I think the maturity level as you watch them and their friends. Twenty-five is the magic age, in my opinion, plus or minus three years for maturity in boys, that's just Eric's principle here. Unless you have a kid at 20 and you're in the military and you don't have a lot of help. And then, you grow up really quickly. I stopped going to Nashville every weekend for parties and concerts. I stopped drinking. It was time to get serious about life and take on the responsibilities that I had. It was good.

Carolyn: What was your first job out of college?

Eric: So, I bartended a little bit until I got a job at Microsystems working on, I was a QA test engineer for all of two weeks. I don't think I ever told you this.

Carolyn: No, I'm learning new things.

Eric: It was absolutely miserable. I was the worst QA test engineer ever. So, I'm IT savvy. I can build computers. I've been building computers for years. I know the Windows operating system. I'm pretty good at what I'm doing for that age and that period of time in life. I couldn't sit still. I kept talking to the developers. I'm supposed to sit there and run test routines all day and look, I had a bank of three monitors, and I literally could not sit still. Two weeks later, I was like, "This isn't working." And my boss at the time, I can't remember her last name. It was Melissa. She was awesome. She says, "You're right." And we had customer service problems.

From Traditional Apples to Apple

Eric: So, we took an employee kitchen. We moved a bunch of computers and tables into it. And we became like an R&D faction that helped customer support issues. So, we got all the hardest issues because we sat in R&D. And it worked great for the company. It worked great for the customers, and most importantly, for me.

Because I was always talking to people and fixing problems and doing things as opposed to watching automated test scripts build all day. It was the most boring job ever for me. Actually, I sorted apples once for a day and my grandfather was a produce farmer. And he took me to this amazing job. I think it paid four bucks an hour to sort apples, and that was probably worse than the testing, Carolyn.

Carolyn: Worse than QA?

Eric: Yes, at least with the QA, I have computers.

Mark: I thought you were talking about the Apple computers.

Eric: No, I'm talking like Macintosh and ROM, and the traditional apples in Pennsylvania. And just moving on a conveyor belt and sorting and checking apples all day was like the most mindless activity and it just did not work for me. But you're getting a lot out of me that I would say many close family members and friends have never even heard.

Carolyn: All right. So, which brings us to today. Well, before you came to Forcepoint, were you at McAfee right before Forcepoint?

McAfee to Forcepoint

Eric: Yes. So, I worked at Micros and I got my MCSE. I was really good at databases. And I went to Sybase at that point, great database company. I had a friend bring me over. And then, I went to EMC after that and learned storage area networking at the best of the best. So, I've got database IT storage background servers, I built them. And then I went to Salesforce.com for a two-year PhD in the Cloud.

This was a great experience and it was challenging at the same time based on the customers and the sheer growth there. That's all they cared about. So, then I went to McAfee and really took up the InfoSec or cybersecurity side of the business, which I've been doing for the last 12 years and it drives me crazy. Because we get further and further and further behind the adversary.

Mark: That's interesting that you bring up the whole Salesforce thing, because they were probably one of the first software service companies that were out there.

Eric: Certainly, at scale. And the scale there right now, Mark, is, I was looking the other day. I have a couple of friends there and I had lunch with a friend. I mean, what they're doing today, I could have never imagined in the 2008, 2010 timeframe.

An Enabler of the Business

Carolyn: So, Eric, you and I have been talking about cybercrime, cybersecurity for a while now. And you've written some recent articles, and you've been talking about it. I want to talk about the problem of cybercrime. And you just mentioned that we're getting further and further behind. And when you and I talked earlier, it just reminded me of the Alice in Wonderland quote, when she's in the Red Queen's race and the Red Queen tells her, "We have to run faster and harder here just to stay in place." And Alice is like, "Well, that's stupid." So, let's talk about the massive amounts of money that we're spending on cybercrime and cybersecurity, and what needs to change.

Eric: Yes, I can talk to some of that. I certainly do not have the answers on what needs to change. I thought you put that quote in because of me. Because it's actually something that my old CTO and CMO at McAfee wrote in a book called The Second Economy. They quote Alice, in that specific quote, in the context of cybersecurity.

So, we're just talking about my career, up until 2010, when I really joined cybersecurity, hardcore for the first time. I'd always build things.

IT is an enabler of the business, it builds things to make business run better, faster, cheaper, whatever it may be, but it's an enabler of the business.

First Mover Advantage

Eric: And you're always growing and building things. The problem with cybersecurity is you're getting further and further behind. You're not necessarily building things to make things better. You are kind of putting things together to try to prevent things from getting worse. It's almost the flip side of the coin, if you think of it that way.

Mark: Eric, do you think that the fact that we're getting further and further behind is a function of the discipline of cybersecurity and that we're just behind there? Or is it the fact that adversaries like China, Russia, Iran, are investing more? And General IT like encryption quantum computing or artificial intelligence and stuff like that. Is it more a function of that or the discipline of cybersecurity?

Eric: I really think it's both, Mark.

So, when you understand the rules of the cybersecurity world, the adversary gets first mover advantage. They get to decide every single time how they want to attack you, how often they want to attack you. They essentially get an unlimited number of tries. Because it's risk and treasure.

When you look at it, what's the risk versus the opportunity? That's the probability of cyber there and the risk is very low. You don't see a lot of people going to jail, you don't see a lot of people losing money in cybersecurity, you see them gaining. At the nation state level, you don't see a lot of sanctions and things like that, because of cybersecurity action. It's almost like there are no red lines, and they're just taken for granted.

Innovation and Consolidation

Eric: And if we're going to go into a country and surveil their networks, or our adversary steal our IP all the time, it's almost accepted, unfortunately, these days. So, you've got the adversary first-mover advantage, they get as many tries as they want. There are no silver bullets here. And then you look at the defender side, we don't have enough people, depending on who you look at data-wise, where cybersec.org is good. They'll show you we're probably a million-plus people behind on the cybersecurity side of just being able to hire. We don't seem to innovate and that's an interesting comment, if you're me, in an industry that has four or 5000 players.

But that leads to my next point, we don't consolidate. The industry really hasn't consolidated. If you look at most of IT, look at storage or I mentioned databases or operating systems or even networking, there are usually two or three key players. We don't have that.

And then, when you look at the incentive side of the equation for the defender. If you pick a tool, a cool tool, I'm going to take you back to 2012, sandboxing. Sandboxing was the end all be all as FireEye at the time. Kind of took what was in academic labs and productized it and marketed the hell out of it. Palo Alto did the same thing with the next-gen firewall to iterate on the firewall side. You take a tool that's really hot and really cool as an IT operator, a security operator, and you buy it and bring it into the business while you're doing pretty well.

A Quick Innovation of the Adversary

Eric: What's the efficacy rate? We're probably not able to measure that as businesses, most people don't care. And you just deployed a cool tool in 2012, called sandboxing. Well, the adversary quickly innovated around that. They had the ability to look for sandboxing, am I running in a virtual machine, is my malware running in a virtual machine. They put in things like time delays, which are really easy.

The sandbox isn't going to sit there for 30 hours and wait for your malware to activate, it's going to look for it to activate right away. So, I'll just put a seven-day delay in and you can quickly innovate around that. And that's okay. But the defenders aren't any much better for it, let's put it that way.

Now, if you're the person on the team who brought in that tool, you can probably go to a bank or another company and say, "Well, look at my resume. This is exactly what I did. Regardless of effectiveness, I can do the same thing for you and get a huge increase." Because we all know or I think most people know, the only people really making money in cyber, in general, are the employees.

But if you're on the defender side, if you're on the attacker side, if you're on the vendor side, maybe you could argue government employees aren't making as much as they could be. That would be accurate. But the employees are making the money. A lot of cybersecurity companies still today run at a loss.

There’s No Innovation Since 2012

Eric: So, we've got all these dynamics in the market that make it a really hostile environment, when as a business owner, or a network, cybersecurity defender or whatever it may be, you're just trying to protect information. You're just trying to protect business. It's a tough space.

And it's equally as easy for the adversary. If they want to steal something, if they want to make money, it's a pretty low risk, not so hostile environment. It's perplexed. It's really why I stay here. I'm not an IT anymore. I'm not building things really. We're falling further and further behind. I think there's an answer, but we don't have it yet. And to me, that's the ultimate puzzle that maybe by the end of my life, I'll have some clues to how to solve it. Well, I'm certainly not solving it.

Carolyn: So, you said a couple of things that I want you to unpack a little bit for me. So, you said in cybersecurity, we don't consolidate. What would that look like if we did? And then, you said something that really got me. You said we don't innovate. Are you suggesting we haven't innovated since the sandbox in 2012?

Eric: I'm not, but I'm thinking about it in a maybe a different way.

We Haven’t Seen Consolidation

Carolyn: What would the consolidation look like?

Eric: So, there are four or 5000 companies, right? We haven't consolidated like most of IT, like most businesses do. Michael Porter talks about industry clustering, and we've seen clustering, but we haven't seen consolidation.

Mark: If we have, well, half a dozen. We have half a dozen kind of players in our market compared to the cybersecurity space, four or 5000 is crazy.

Eric: Pick any space and they're probably 10 to 20 larger organizations. And there are dozens to hundreds of startups. And I think the market drives in that direction with venture capital, the private equity, all the investment, all the hype. The fact that you can launch a product. I mean, Splunk, I don't remember when they even became profitable. They were operating at a major loss. Not to pick on Splunk, there are majority of companies who do this. And look at the stock price and look at how they took off because they were going for market share.

Here I am at the time 2010, I left McAfee in 2018, the beginning of it. We were profitable, I believe the whole time. Not an interesting company, didn't have the funding we wanted to innovate the way we wanted to. It wasn't interesting in the...

","summary":null,"date_published":"2022-03-30T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/9972d907-51ac-4b25-b350-4078f0026d81.mp3","mime_type":"audio/mpeg","size_in_bytes":43585639,"duration_in_seconds":3112}]},{"id":"fea5c65c-040e-4db8-bb85-36c2dd977d9e","title":"Episode 28: Unparalleled Innovation with Jennifer Ewbank, Deputy Director for Digital Innovation at Central Intelligence Agency","url":"https://techtransforms.fireside.fm/28","content_text":"Jennifer Ewbank, Deputy Director for Digital Innovation at Central Intelligence Agency joins Carolyn and Mark to talk about the unparalleled work in integration and integration she and her teams are doing. Jennifer talks about the importance of partnerships in IT, data and cybersecurity and how Digital Innovations, the newest branch of the CIA, is transforming security. Episode Table of Contents[00:58] Jennifer’s Opinions on DDI’s Unparalleled Innovation[08:35] Integration of Digital Capabilities and Unparalleled Innovation[16:06] Unparalleled Innovation on Cloud Computing[24:04] Unparalleled Innovation in the Digital Landscape[32:00] Applying Unparalleled Innovation Into Our Mission[39:44] A Space Nerd With Unparalleled InnovationEpisode Links and ResourcesJennifer EwbankCIA.govFull Digital NationThe Party2034The Girl With Seven NamesJennifer’s Opinions on DDI’s Unparalleled InnovationCarolyn: Today, our guest is Jennifer Ewbank, Deputy Director of CIA for Digital Innovation, also known as DDI. Jennifer is responsible for accelerating the development and integration of digital and cyber capabilities across all of the CIA's mission areas. We're so excited to hear from you today, Jennifer, and get your opinions on the DDI and its contributions to the CIA.Jennifer: Thank you so much for the invitation, I'm really excited about our conversation today. 
I love nothing more than sharing a little bit about the great work that the men and women of the CIA are doing on behalf of the American people. To talk about how this intelligence landscape is changing dramatically along with the digital transformation we see around the world.\n\nWe're here on the 1st of March. I wanted to acknowledge that, as we have a conversation today about one of these topics I love tremendously. It's really critically important for the intelligence business, it is taking place against the backdrop of events unfolding in Eastern Europe. So, just about a week ago, Russian troops invaded a sovereign nation and brought war back to the European continent in a completely unprovoked act.\n\nI just wanted to assure anyone who might be listening to the podcast that the CIA is intensely focused on our national security around the world. We're focused on that crisis and working as part of an integrated US government team to do what we can to bring about a rapid end to these senseless hostilities and the return of Russian troops to the Russian Federation.\n\nUnparalleled Innovation on What Matters Most\n\nJennifer: I just wanted to ensure, whenever people listen to this, that they understand that we are focused on what matters most at the moment. I'm taking a few minutes out of an otherwise very hectic day to talk about this topic. It’s really important from a strategic perspective but is perhaps not the most urgent topic on our plates today.\n\nCarolyn: Honestly, what you do is integral and so important to everything that you just mentioned. Let me see if I can get the words out right but in supporting the sovereign nation. What you do with the digital side of things and this mission, that cyber domain is incredibly important.\n\nJennifer: Yes, we've seen it play out a bit so far in unprovoked attacks on Ukrainian entities. Our role, sometimes, may not be known to those outside of the intelligence community and that's most of America. 
We work for the US government, we work for the US people, absolutely. But we also support our allies and partners around the globe. Any major challenge requires those partnerships to succeed. Anyway, that was my little PSA at the beginning.\n\nCarolyn: Let's talk about your story. Let's talk more about your background, your role at the CIA. Describe the position and what the DDI is.\n\nJennifer: I can't imagine that most people would know what it is. I certainly knew very little about the CIA before joining it. Generally speaking, I lead the Directorate of Digital Innovation at CIA. It’s one of the five large directorates that comprise the whole of CIA. Some of these are going to be a lot more familiar to your audience and your listeners.\n\nIntelligence Operations\n\nJennifer: The first is the Directorate of Operations. They conduct intelligence operations and information all around the globe. They work very closely with our partners and allies in all those countries.\n\nOur Directorate of Analysis, they produce what we call all source analysis. Taking information from all over the place and weaving it together and producing objective analysis to inform policymakers about the key issues of the day and strategic issues. Our Directorate of Support is a truly extraordinary, probably an unparalleled innovation anywhere else organization. They do everything to keep this business running on a global scale.\n\nSo, it is HR, finance, logistics, medical services, anything you could possibly imagine and a global enterprise. Then we have our Directorate of Science and Technology which is probably our closest cousins in the organization. They develop technological capabilities to support our intelligence collection mission around the globe.\n\nYou might think of Q and Bond films but without as many high-speed chases or deadly firefights. Then there's DDI, the part that I oversee. 
If we think about the DS and T, our Directorate of Science and Technology, primarily focused on technology with a physical manifestation, we are that counterpart in the virtual or digital world. In essence, all the ones and zeros for the organization.\n\nWe are the agency's newest directorate and our mission spans are really broad spans. We've got data, data science, artificial intelligence, enterprise information technology, cyber security, cyber collection, cyber analysis and open source intelligence to support the CIA's mission in all aspects. We also have another really important role, we have established DDI University. That is a learning enterprise dedicated to raising the digital acumen of the CIA workforce as a whole.\n\nLeverage the Unparalleled Innovation\n\nJennifer: So that we actually have a workforce that's ready to leverage all of these capabilities, whether they're technological experts or not. In terms of my background, I did come to this role through a non-traditional path. My own career spans well over three decades. Initially, as a foreign service officer with the State Department serving overseas with our diplomatic corps. Then later, and for the bulk of this time with the CIA but in the Directorate of Operations.\n\nThat is the organization that is posted all around the globe, working with our foreign partners, collecting insights that we feed into our analytic products here in Washington. Prior to this current role, there were a couple of key roles, I think, were formative. They do inform how I approach this job. One was spending the majority of my time overseas and serving as a chief of station. That is the officer that's charged with leading these integrated teams in the field. I do have, let's say a favorite job. I'm not supposed to have favorite jobs but I do along the way.\n\nOne of those roles was working in Washington overseeing all of the CIA's engagements inside the United States. 
Think about all of our partnerships with intelligence community counterparts, with US government departments and agencies, and with academia. But most importantly, I think for our conversation today, with the US private sector and industry, finding those valuable partnerships for both sides.\n\nIt's only six years old at this point. The DDI, as you call it, is, I would say, changing the very way we approach the intelligence mission. We're focused on this deep and meaningful integration of digital capabilities across all of the CIA's mission areas.\n\nIntegration of Digital Capability and Unparalleled Innovation\n\nJennifer: My role as deputy director of CIA for digital innovation is just that, the integration of digital capabilities across the entire mission. In that role, I have the opportunity, the pleasure of leading probably the most talented, creative and mission-focused workforce that I've ever seen.\n\nMark: You hit on a few things there. In a recent article that you did with the Cipher Brief, you mentioned how the DDI approaches partnerships with industry to create innovation hubs. Well, you didn't mention that but you talked a little bit about industry partnerships. Can you talk a little bit about how that partnership has helped contribute to the mission of partners harnessing data and artificial intelligence?\n\nJennifer: For context, and maybe this is implied in what I've said already, but DDI's work driving innovation and forging closer partnerships with industry is really essential to the future success of the CIA. Our focus continues to be on identifying those best in breed, cutting edge capabilities, commercially available solutions and exploring how we could rapidly leverage those to meet our evolving mission requirements.\n\nThere was a really great article on unparalleled innovation a few years ago in the MIT Sloan Management Review. It had an important line in there and it said, quote, long term organizational success depends on developing and implementing new ideas. 
It's funny because it's complete common sense. You would think, \"Well, how is that not known?\"\n\nBut in any large organization, I think, surprisingly, it's an easy thing to forget. For us, recent research that we've explored really identifies a need to find new ways to enable what has been called an adaptive space.\n\nNetworks and Organizational Structures\n\nJennifer: It’s thinking about networks and organizational structures that allow information, resources, and ideas to flow across in a way that can foster unparalleled innovation. For us, that often starts with small entrepreneurial teams and then later, bigger programs and structures.\n\nThat's what we're trying to do at DDI and that's one of the many areas where the industry is tremendously a helpful partner. Our outreach and connections with the industry are helping us do this. We’re finding new ways to bring in new ideas and rapidly put them in the hands of our officers to enable success in our mission.\n\nWe are partnering with companies in the industry to create the so-called adaptive spaces that allow us to rapidly experiment. To do so in a flexible, often unclassified, laboratory environment and that's what I mentioned about the innovation hubs. Those environments allow us to test out new ideas and capabilities to fail fast, to iterate, to rinse and repeat and innovate ultimately.\n\nArtificial intelligence is a critical piece of that but I would say it's not the only one. It is an important one because industry's leading development is in that space. But our partnerships are more than, let's say, sharing the latest algorithm or model. Although that's important, it's also about working smarter and working side by side to create and deliver solutions to protect national security.\n\nJust a last thing because I think it's an important disclaimer. DDI isn't alone in this, there are other elements of the agency that are working in these new spaces. 
Not long ago, we created CIA Labs which was a really exciting effort to reimagine how we engage with industry and national labs in particular.\n\nWe Are Home to Unparalleled Innovation\n\nCarolyn: I love that quote from the article. To your point, it seems like it's a no-brainer. Yes, you've got to constantly be bringing in new ideas or, to quote my dad, there's more than one way to skin a cat. We have to remember that and it's so easy to forget. I love that your team, it sounds like, not only embraces this idea, but you're setting up these environments to foster and grow the ideas. It sounds like you're sandboxing.\n\nLike you said, fail quickly, rinse and repeat, all of that in a very safe environment that can then go out. It brings me back to this point of all the mission areas. So, you're responsible for pushing out this digital innovation to all CIA mission areas. How do you see technology evolving in the CIA and government agencies overall? Six years your department's been around, right? What have you seen?\n\nJennifer: Certainly, we have been on this digital journey much like many other organizations. I like to think we're a little bit ahead of some in the government, though it's not a race. We just happened to get in the race a little bit earlier. Sit back just a little bit to say that one of our strengths as a country is that we are home to unparalleled innovation.\n\nThat is one of our greatest strengths as a nation, what industry brings and new capabilities. We were talking about phones earlier. I look no further than the phone in my handbag to see how technology has evolved dramatically in the past 10 years. Then think about where it's going to go in the next 10 years, it's almost unimaginable.\n\nHow Technology and Unparalleled Innovation Is Evolving\n\nJennifer: I'll take one little slight tangent, when we're thinking about how technology is evolving, its use, its focus in government. 
I think it would be a real mistake and some people do this.\n\nIt would be a real mistake to think about this whole second machine age and digital transformation as some sort of a fancy modernization effort. I think about elastic cloud computing, big data, the internet of things, artificial intelligence, and machine learning. These things are transforming the day-to-day life in America. In many ways, they're doing the same to the intelligence mission.\n\nOur digital journey, as I said, it's well underway but we have a long way to go. I think the next few years are going to bring tremendous change. And so, I think about what's coming, this is my sense based on the work that we're doing. I see the maturation of AI capabilities across the intelligence community. With that, an ability to really harness the true power of data for us, we save for operational advantage and analytic insights.\n\nI see AI and automation in particular taking routine tasks off our daily calendars. They’re freeing up time and mental energy for officers to devote to higher order cognitive functions. The things that only a human brain could do but are tied up with the drudgery of routine business. I see for us and many others the expanded use of augmented and virtual reality. If you think about the intelligence mission and what we're required to do all around the globe, different cultures, different languages, different environments, you name it, AR and VR can be really powerful tools in that mission.\n\nUnparalleled Innovation on Cloud Computing\n\nJennifer: Cloud computing, of course, continues to be the foundation on which we're building all of this. But by thinking about how things are changing, we're going to need to develop new, let's say, forms of edge computing. 
To enable this processing at the edge and, for us, the edge is global so that's a real challenge.\n\nAnother one that folks may not think about, but just as with any organization that is devoted to work all around the globe, further refining and building our natural language processing models is going to be really critical. Particularly, as we want to embrace this flood of open source information that's so readily available on the internet and you name it.\n\nWe're going to have to be able to collect it, translate it, structure it, tag it, filter it, prioritize it, add in your verb and do that all at scale and at machine speed. One of the last things I'll mention as an emerging area for us is digital twins. Thinking about all these other capabilities, digital twins might actually give us a really productive and cost-effective environment in which to experiment, innovate, fail, et cetera and do so in a safer environment.\n\nMark: What do you mean by digital twin? You mean like high availability backup?\n\nJennifer: I'm not a huge expert on this but setting up what's, in essence, a digital record of some other issue, event, place, you name it. Then using that in a sandbox environment to explore how you would really tackle this challenge.\n\nCarolyn: When you do this digital twin stuff and even the sandboxing, this is a little bit of a tangent.\n\nMetaverse\n\nCarolyn: I'm fascinated by the metaverse coming online and augmented reality and virtual reality. Have you got to play with that?\n\nJennifer: I have played a little bit with VR, for sure. People are excited about showing off what they're doing. It has been eye-opening. You think about putting yourself in the position of another person's perspective. It's been powerful for lots of things. These are early days in the space. But it might put me in a different physical environment where I can become familiar with a different country, different environment, et cetera.\n\nIt's great for foreign language practice, that's great. 
It's interesting just in terms of the inclusive and positive management environment we want to create, it also has applications in that cross-cultural organizational way. Put yourself in the mindset, in the person of somebody that you're trying to understand, empathize, support. What is it like to be blind?\n\nMark: Or psychological.\n\nJennifer: What is it like to be deaf, to experience it as best you can? VR can do that. There’s one thing that I also want to mention, just because the CIA is unique in this area. I think it's valuable for our partners elsewhere to think about this. Just as we are focused on leveraging these new technologies and bringing them to our complex mission, we also do so against a backdrop of adversaries who are investing in the same technologies and deploying increasingly aggressive versions.\n\nThink cyber-attacks that we see these days, think ransomware, think supply chain attacks. There are a lot of other actors out there who are leveraging these same capabilities and doing so in a way that is not in our national security interests.\n\nMonitor and Control an Unparalleled Innovation\n\nJennifer: There's a subset of these actors, whose governments I would characterize as digital autocracies. They're developing and deploying these capabilities first to monitor and control their own societies. Their own societies end up being the guinea pigs for this experimentation. Those capabilities can easily be projected around the globe at adversaries like us.\n\nIf I think about that balance for us, we need to leverage or, let's say, understand, deploy these capabilities to support our mission. We need to defend against their use by adversaries seeking to do us, the US, our...","content_html":"

Jennifer Ewbank, Deputy Director for Digital Innovation at the Central Intelligence Agency, joins Carolyn and Mark to talk about the unparalleled work in integration she and her teams are doing. Jennifer talks about the importance of partnerships in IT, data and cybersecurity and how Digital Innovations, the newest branch of the CIA, is transforming security.

Jennifer’s Opinions on DDI’s Unparalleled Innovation

Carolyn: Today, our guest is Jennifer Ewbank, Deputy Director of CIA for Digital Innovation, also known as DDI. Jennifer is responsible for accelerating the development and integration of digital and cyber capabilities across all of the CIA's mission areas. We're so excited to hear from you today, Jennifer, and get your opinions on the DDI and its contributions to the CIA.

Jennifer: Thank you so much for the invitation, I'm really excited about our conversation today. I love nothing more than sharing a little bit about the great work that the men and women of the CIA are doing on behalf of the American people. To talk about how this intelligence landscape is changing dramatically along with the digital transformation we see around the world.

We're here on the 1st of March. I wanted to acknowledge that, as we have a conversation today about one of these topics I love tremendously. It's really critically important for the intelligence business, it is taking place against the backdrop of events unfolding in Eastern Europe. So, just about a week ago, Russian troops invaded a sovereign nation and brought war back to the European continent in a completely unprovoked act.

I just wanted to assure anyone who might be listening to the podcast that the CIA is intensely focused on our national security around the world. We're focused on that crisis and working as part of an integrated US government team to do what we can to bring about a rapid end to these senseless hostilities and the return of Russian troops to the Russian Federation.

Unparalleled Innovation on What Matters Most

Jennifer: I just wanted to ensure, whenever people listen to this, that they understand that we are focused on what matters most at the moment. I'm taking a few minutes out of an otherwise very hectic day to talk about this topic. It’s really important from a strategic perspective but is perhaps not the most urgent topic on our plates today.

Carolyn: Honestly, what you do is integral and so important to everything that you just mentioned. Let me see if I can get the words out right but in supporting the sovereign nation. What you do with the digital side of things and this mission, that cyber domain is incredibly important.

Jennifer: Yes, we've seen it play out a bit so far in unprovoked attacks on Ukrainian entities. Our role, sometimes, may not be known to those outside of the intelligence community and that's most of America. We work for the US government, we work for the US people, absolutely. But we also support our allies and partners around the globe. Any major challenge requires those partnerships to succeed. Anyway, that was my little PSA at the beginning.

Carolyn: Let's talk about your story. Let's talk more about your background, your role at the CIA. Describe the position and what the DDI is.

Jennifer: I can't imagine that most people would know what it is. I certainly knew very little about the CIA before joining it. Generally speaking, I lead the Directorate of Digital Innovation at CIA. It’s one of the five large directorates that comprise the whole of CIA. Some of these are going to be a lot more familiar to your audience and your listeners.

Intelligence Operations

Jennifer: The first is the Directorate of Operations. They conduct intelligence operations and information all around the globe. They work very closely with our partners and allies in all those countries.

Our Directorate of Analysis, they produce what we call all source analysis. Taking information from all over the place and weaving it together and producing objective analysis to inform policymakers about the key issues of the day and strategic issues. Our Directorate of Support is a truly extraordinary, probably an unparalleled innovation anywhere else organization. They do everything to keep this business running on a global scale.

So, it is HR, finance, logistics, medical services, anything you could possibly imagine and a global enterprise. Then we have our Directorate of Science and Technology which is probably our closest cousins in the organization. They develop technological capabilities to support our intelligence collection mission around the globe.

You might think of Q and Bond films but without as many high-speed chases or deadly firefights. Then there's DDI, the part that I oversee. If we think about the DS and T, our Directorate of Science and Technology, primarily focused on technology with a physical manifestation, we are that counterpart in the virtual or digital world. In essence, all the ones and zeros for the organization.

We are the agency's newest directorate and our mission spans are really broad spans. We've got data, data science, artificial intelligence, enterprise information technology, cyber security, cyber collection, cyber analysis and open source intelligence to support the CIA's mission in all aspects. We also have another really important role, we have established DDI University. That is a learning enterprise dedicated to raising the digital acumen of the CIA workforce as a whole.

Leverage the Unparalleled Innovation

Jennifer: So that we actually have a workforce that's ready to leverage all of these capabilities, whether they're technological experts or not. In terms of my background, I did come to this role through a non-traditional path. My own career spans well over three decades. Initially, as a foreign service officer with the State Department serving overseas with our diplomatic corps. Then later, and for the bulk of this time with the CIA but in the Directorate of Operations.

That is the organization that is posted all around the globe, working with our foreign partners, collecting insights that we feed into our analytic products here in Washington. Prior to this current role, there were a couple of key roles, I think, were formative. They do inform how I approach this job. One was spending the majority of my time overseas and serving as a chief of station. That is the officer that's charged with leading these integrated teams in the field. I do have, let's say a favorite job. I'm not supposed to have favorite jobs but I do along the way.

One of those roles was working in Washington overseeing all of the CIA's engagements inside the United States. Think about all of our partnerships with intelligence community counterparts, with US government departments and agencies, and with academia. But most importantly, I think for our conversation today, with the US private sector and industry, finding those valuable partnerships for both sides.

It's only six years old at this point. The DDI, as you call it, is, I would say, changing the very way we approach the intelligence mission. We're focused on this deep and meaningful integration of digital capabilities across all of the CIA's mission areas.

Integration of Digital Capability and Unparalleled Innovation

Jennifer: My role as deputy director of CIA for digital innovation is just that, the integration of digital capabilities across the entire mission. In that role, I have the opportunity, the pleasure of leading probably the most talented, creative and mission-focused workforce that I've ever seen.

Mark: You hit on a few things there. In a recent article that you did with the Cipher Brief, you mentioned how the DDI approaches partnerships with industry to create innovation hubs. Well, you didn't mention that but you talked a little bit about industry partnerships. Can you talk a little bit about how that partnership has helped contribute to the mission of partners harnessing data and artificial intelligence?

Jennifer: For context, and maybe this is implied in what I've said already, but DDI's work driving innovation and forging closer partnerships with industry is really essential to the future success of the CIA. Our focus continues to be on identifying those best in breed, cutting edge capabilities, commercially available solutions and exploring how we could rapidly leverage those to meet our evolving mission requirements.

There was a really great article on unparalleled innovation a few years ago in the MIT Sloan Management Review. It had an important line in there and it said, quote, long term organizational success depends on developing and implementing new ideas. It's funny because it's complete common sense. You would think, "Well, how is that not known?"

But in any large organization, I think, surprisingly, it's an easy thing to forget. For us, recent research that we've explored really identifies a need to find new ways to enable what has been called an adaptive space.

Networks and Organizational Structures

Jennifer: It’s thinking about networks and organizational structures that allow information, resources, and ideas to flow across in a way that can foster unparalleled innovation. For us, that often starts with small entrepreneurial teams and then later, bigger programs and structures.

That's what we're trying to do at DDI and that's one of the many areas where the industry is tremendously a helpful partner. Our outreach and connections with the industry are helping us do this. We’re finding new ways to bring in new ideas and rapidly put them in the hands of our officers to enable success in our mission.

We are partnering with companies in the industry to create the so-called adaptive spaces that allow us to rapidly experiment. To do so in a flexible, often unclassified, laboratory environment and that's what I mentioned about the innovation hubs. Those environments allow us to test out new ideas and capabilities to fail fast, to iterate, to rinse and repeat and innovate ultimately.

Artificial intelligence is a critical piece of that but I would say it's not the only one. It is an important one because industry's leading development is in that space. But our partnerships are more than, let's say, sharing the latest algorithm or model. Although that's important, it's also about working smarter and working side by side to create and deliver solutions to protect national security.

Just a last thing because I think it's an important disclaimer. DDI isn't alone in this, there are other elements of the agency that are working in these new spaces. Not long ago, we created CIA Labs which was a really exciting effort to reimagine how we engage with industry and national labs in particular.

We Are Home to Unparalleled Innovation

Carolyn: I love that quote from the article. To your point, it seems like it's a no-brainer. Yes, you've got to constantly be bringing in new ideas or, to quote my dad, there's more than one way to skin a cat. We have to remember that and it's so easy to forget. I love that your team, it sounds like, not only embraces this idea, but you're setting up these environments to foster and grow the ideas. It sounds like you're sandboxing.

Like you said, fail quickly, rinse and repeat, all of that in a very safe environment that can then go out. It brings me back to this point of all the mission areas. So, you're responsible for pushing out this digital innovation to all CIA mission areas. How do you see technology evolving in the CIA and government agencies overall? Six years your department's been around, right? What have you seen?

Jennifer: Certainly, we have been on this digital journey much like many other organizations. I like to think we're a little bit ahead of some in the government, though it's not a race. We just happened to get in the race a little bit earlier. Sit back just a little bit to say that one of our strengths as a country is that we are home to unparalleled innovation.

That is one of our greatest strengths as a nation, what industry brings and new capabilities. We were talking about phones earlier. I look no further than the phone in my handbag to see how technology has evolved dramatically in the past 10 years. Then think about where it's going to go in the next 10 years, it's almost unimaginable.

How Technology and Unparalleled Innovation Is Evolving

Jennifer: I'll take one little slight tangent, when we're thinking about how technology is evolving, its use, its focus in government. I think it would be a real mistake and some people do this.

It would be a real mistake to think about this whole second machine age and digital transformation as some sort of a fancy modernization effort. I think about elastic cloud computing, big data, the internet of things, artificial intelligence, and machine learning. These things are transforming the day-to-day life in America. In many ways, they're doing the same to the intelligence mission.

Our digital journey, as I said, it's well underway but we have a long way to go. I think the next few years are going to bring tremendous change. And so, I think about what's coming, this is my sense based on the work that we're doing. I see the maturation of AI capabilities across the intelligence community. With that, an ability to really harness the true power of data for us, we save for operational advantage and analytic insights.

I see AI and automation in particular taking routine tasks off our daily calendars. They’re freeing up time and mental energy for officers to devote to higher order cognitive functions. The things that only a human brain could do but are tied up with the drudgery of routine business. I see for us and many others the expanded use of augmented and virtual reality. If you think about the intelligence mission and what we're required to do all around the globe, different cultures, different languages, different environments, you name it, AR and VR can be really powerful tools in that mission.

Unparalleled Innovation on Cloud Computing

Jennifer: Cloud computing, of course, continues to be the foundation on which we're building all of this. But by thinking about how things are changing, we're going to need to develop new, let's say, forms of edge computing. To enable this processing at the edge and, for us, the edge is global so that's a real challenge.

Another one that folks may not think about, but just as with any organization that is devoted to work all around the globe, further refining and building our natural language processing models is going to be really critical. Particularly, as we want to embrace this flood of open source information that's so readily available on the internet and you name it.

We're going to have to be able to collect it, translate it, structure it, tag it, filter it, prioritize it, add in your verb and do that all at scale and at machine speed. One of the last things I'll mention as an emerging area for us is digital twins. Thinking about all these other capabilities, digital twins might actually give us a really productive and cost-effective environment in which to experiment, innovate, fail, et cetera and do so in a safer environment.

Mark: What do you mean by digital twin? You mean like high availability backup?

Jennifer: I'm not a huge expert on this but setting up what's, in essence, a digital record of some other issue, event, place, you name it. Then using that in a sandbox environment to explore how you would really tackle this challenge.

Carolyn: When you do this digital twin stuff and even the sandboxing, this is a little bit of a tangent.

Metaverse

Carolyn: I'm fascinated by the metaverse coming online and augmented reality and virtual reality. Have you got to play with that?

Jennifer: I have played a little bit with VR, for sure. People are excited about showing off what they're doing. It has been eye-opening. You think about putting yourself in the position of another person's perspective. It's been powerful for lots of things. These are early days in the space. But it might put me in a different physical environment where I can become familiar with a different country, different environment, et cetera.

It's great for foreign language practice, that's great. It's interesting just in terms of the inclusive and positive management environment we want to create, it also has applications in that cross-cultural organizational way. Put yourself in the mindset, in the person of somebody that you're trying to understand, empathize, support. What is it like to be blind?

Mark: Or psychological.

Jennifer: What is it like to be deaf, to experience it as best you can? VR can do that. There’s one thing that I also want to mention, just because the CIA is unique in this area. I think it's valuable for our partners elsewhere to think about this. Just as we are focused on leveraging these new technologies and bringing them to our complex mission, we also do so against a backdrop of adversaries who are investing in the same technologies and deploying increasingly aggressive versions.

Think cyber-attacks that we see these days, think ransomware, think supply chain attacks. There are a lot of other actors out there who are leveraging these same capabilities and doing so in a way that is not in our national security interests.

Monitor and Control an Unparalleled Innovation

Jennifer: There's a subset of these actors, whose governments I would characterize as digital autocracies. They're developing and deploying these capabilities first to monitor and control their own societies. Their own societies end up being the guinea pigs for this experimentation. Those capabilities can easily be projected around the globe at adversaries like us.

If I think about that balance for us, we need to leverage or, let's say, understand, deploy these capabilities to support our mission. We need to defend against their use by adversaries seeking to do us, the US, our...

","summary":null,"date_published":"2022-03-23T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/9bff85ec-561c-4019-90f1-d0b5f3d3356a.mp3","mime_type":"audio/mpeg","size_in_bytes":39135509,"duration_in_seconds":2794}]},{"id":"51cce85c-97ec-4916-b44b-661b2d84310e","title":"Episode 27: Government Technology In Sight with Mike Gruss","url":"https://techtransforms.fireside.fm/27","content_text":"Mike Gruss, Editor-in-chief at Sightline Media Group, has eyes on news related to all things DOD. He and his reporters are asking the smart questions when it comes to government defense technology. IT savvy leadership, user experience, and gamification are just some of the topics Mike unpacks in this episode of Tech Transforms.\n\nEpisode Table of Contents\n\n[00:38] The Biggest Trending Topics in Government Technology\n[09:11] The Lethality of Government Technology\n[20:05] Predictions for Government Technology in 2022\n[31:22] How the Government Technology Is Put Together\n\nEpisode Links and Resources\n\nMike Gruss\nSightline Media Group\nDoD\n\nThe Biggest Trending Topics in Government Technology\n\nCarolyn: Today we get to talk to Mike Gruss, editor-in-chief at Sightline Media Group. He’ll discuss some of the hottest topics in the IT industry. Sightline Media Group is the leading news organization covering military, defense, public sector, federal technology, C4ISR, and cyber defense. Today, Mike unpacks some of the biggest trending topics in government technology. We also get his perspective on the DoD's advancement in technology.\n\nMike, I love having you on the show because you have such a broad knowledge. You really have your finger on the pulse of what's happening in the government. So you're over a lot of publications. Can you tell our listeners briefly about your role as editor in chief of Sightline Media Group and the different publications you oversee?\n\nMike: Sightline oversees a number of brands, as you mentioned. 
I like to think of us as the largest national security newsroom in the country. We have two or three different buckets that our publications fall into. What we've really concentrated on the last year or so is working collaboratively across the newsroom. You may recognize specific brands, but I think our reporters are working across several brands or across the newsroom.\n\nThere's the military times brands, which are Military Times, Army Times, Air Force Times, Navy Times, and Marine Corps Times. Those are geared toward the troops and you'll see those publications, obviously online. They're available at commissaries, and then there's also our business to government groups.\n\nWhat’s Happening With the Government Technology\n\nMike: Those are publications like defense news, which covers the defense industry and what's happening at the Pentagon and on Capitol Hill, the business and politics of defense acquisitions. And also C4ISR net, which focuses more on that network warfare aspect of the defense industry. The last publication we have is Federal Times. It focuses on the federal workforce and what they need and what's happening there on a day-to-day basis.\n\nIt's a lot, but we have a really passionate and skilled newsroom that thinks hard about these issues. They work really hard to get scoops up and to get enterprise news stories that will help people understand what's happening at their job and make better decisions every day at work.\n\nCarolyn: I love the specialization. Obviously, you get a lot of stories that are going to be broad across. But when you take it and get specific to the mission of the different branches and the different missions, I really appreciate that.\n\nMike: I don't like to use the word expert because I think it's overused. But I'd say all of our reporters have a tremendous amount of knowledge in their field. They work really hard to ask smart questions, to be able to explain issues clearly and to know the nuances. 
I think that comes through in our reporting.\n\nCarolyn: I definitely agree and I would absolutely use the word expert. Talk about your perspective on how the DoDs are making advancements in government technology. Do you think they're taking the right steps right now?\n\nMike: This is a difficult question and I think there's such a push-pull that we have to do here. I'm curious how you think of it too.\n\nWhat DoD Has to Do With IT\n\nMike: On one hand, I think we have to recognize the complexity of what particularly DoD has to do when it comes to IT. They have to be the most secure, for example. If they are not secure, no one's going to give them a pass. No one's going to say, \"Whoops, you missed that part. You didn't patch that, you didn't have that working. Oh, well.\"\n\nThat's not going to happen. We give them no leeway and that's how it should be. They have a tremendous budget to make sure they have no leeway. On the other hand, I get, I wouldn't say frustrated, but I think sometimes we're expected to celebrate advancements that industry made 10, 15 years ago.\n\nCarolyn: Are you thinking of something specific?\n\nMike: I think cloud is the one that probably comes to mind first. But I think when you also talk about bringing your own device, you talk about even telework. These are things that many major corporations across the country figured these ideas out years and years ago. I think to say, \"Well look at us. We did this.\" It's like, \"Okay. You shouldn't get so much credit for doing it.\"\n\nAt the same time, I started with, there is that complexity of doing it at the size and scale they do it and with the level of security they do it. That's where I have this push and pull where I'm always careful of saying things like, \"All right. This is a step forward for them, but are we judging them on the right scale?\" I think that's where I sometimes have questions.\n\nMark: You bring up something really interesting. 
It brings to mind the executive order on user experience that's come out.\n\nExecutive Order\n\nMark: When I think of the DoD, I think of, \"Okay. There's an element of the DoD that fights wars, protects the country. That's one element of it.\" But then there's the other element of luck. Making it easy for the people who work in the Department of Defense to actually live their lives, get healthcare, make sure that they're being paid. All these things seem to dovetail on that. I wanted to get your thoughts around that executive order. Are you guys tackling that at this juncture?\n\nMike: Yes, I think we're watching. I can't speak specifically to that executive order but I think those are the types of issues that we're constantly grappling with. And I wouldn't necessarily disagree with you that there's two separate schools of thought on IT in DoD. A couple of years ago, and you saw this, there was this, in the maddest era, everyone wanted to speak his language and use the same glossary of terms he did.\n\nI very clearly remember being at a DISA event where someone said, \"No. Sending an email promotes lethality.\" You're like, \"Come on. Email is not lethal.\" Similarly, we have to draw the line. Yes, every little bit contributes to kinetic war operation, if you want to think about it that way. But I have a hard time pulling the thread that far where I'm like, \"Okay. Email is lethality.\"\n\nMark: DoD looks at the world. You mentioned the commercial sector, which I've worked in both and I 100% agree with you. I think that the commercial world has adopted technologies much faster. They're ahead of the game. Of course, they also have employees, which the DoD has, which is their end-user.\n\nThe Lethality of Government Technology\n\nMark: Unless it's an enemy, then they're the end-user of lethality, so to speak. But in the commercial world, they do have customers that they have to cater to, which I think the DoD maybe has neglected.\n\nMike: Yes. 
Maybe to your point, it doesn't think of its employees as customers and that's probably one of the issues.\n\nCarolyn: I've been learning recently about ATOs, Authority to Operate. In my brain, I thought an ATO got a stamp and they got to use the application. Like once they got the ATO, it's done. Not the case. I am baffled and the thought of what they have to go through on a regular basis to maintain that ATO, like thousands of hours per application is just unwieldy to me. It makes me sick to my stomach. I'm like, \"That's about when I would quit,\" when I had to go through that ATO again. So they have that. I'd like to put you on the spot here a little bit. What has DoD excelled in that maybe the commercial world hasn't in technology?\n\nMike: That's a great question. I'm not sure. I'd be curious what you guys think of this too. There's part of me that thinks from a security standpoint that as much as that's an area where it slows them down and they're critiqued for, I think in many instances they seem to have gotten it right. So let's take, for example, Solar Winds. There was a vulnerability there and it seems from what we know, and obviously, I don't know everything. But from what I've read and what our reporters have said, other government agencies were hurt or were more vulnerable.\n\nWho Have Been Hit With Vulnerability\n\nMike: DoD seems to have been done okay there. They knew there were attempts. But it seems like everything that's been said publicly, and the best that our reporters can tell is that because of the strength of their network, they were able to withstand this. I think there's part of me that is skeptical like, \"Well wait a minute. What did you guys do differently than everyone else did?\" But we also have to give them credit for that. We look at the companies across the world that were hit with that vulnerability.\n\nMark: I think that bar is so high. There's no alternative. It's table stakes. They had to do it right. 
Maybe they suffered in some ways, adaptability or agility, but they had to deliver on it. My gut feeling would tell me, and I don't know this. I'm speculating like most of us that the ability to wage war is an area where technology is something they do well. But that doesn't necessarily help a lot of the day-to-day IT workings of the Department of Defense.\n\nCarolyn: But what I hear you saying is the mission of the DoD is to protect and defend and they excel at it. I like that.\n\nMike: To use Mark's word and I think he's absolutely right there, the agility. There is a trade-off, you can't have it both ways. You can't excel in this area and also there's zero room for error. There is a trade-off. I think maybe what the conversation that's happening now is that trade-off, are those trade-offs kind of balanced or aligned the way that they should be?\n\nZero Trust and Thunderdome\n\nMark: I'm a great straight man. So speaking of zero trust, can you give us your thoughts on zero trust and maybe even touch on the Thunderdome?\n\nMike: Yes. I think the Thunderdome Award is interesting from DISA, but I guess I have a couple of questions. We see these, and I'm coming off way more skeptical than I really am doing this podcast. I think that's the rolling plan. We see these cybersecurity philosophies come up every couple of years. I'm blanking on the name, but the risk framework we heard about a couple of years ago, I think all these ideas evolved. We're not too far away from where we were maybe five or 10 years ago, but this is just the most natural evolution of that.\n\nI think, as a layperson and so many of these ideas I relate back to my home or my own personal security. I'm like, \"Oh, well this makes sense that this is how zero trust operates. I don't want someone else speaking to my Bluetooth speaker that's on right now.\" And I don't want to say its name or I don't want someone else turning on the lights in my house or something. 
That all makes sense, someone accessing my bank account.\n\nI guess the couple of questions I have right now are like, how will this work in the future? How will it work with legacy systems? As we have these legacy systems throughout DoD, I guess one, will they be able to be upgraded to work with the zero trust architecture? Two, how will they do that and, again, what's the trade-off there? How much are you going to pay?\n\nHow Much Work Is Going to Take To Build Government Technology\n\nMike: How much work is that going to take to make sure that every element of a new destroyer works with that zero trust architecture? I think that's difficult. The other question I have is we're obviously moving into this new world where everything's connected and the program is called JADC2.\n\nBut this sensor to shooter where you use any sensor in the world connected to any shooter in the world, how does zero trust architecture work with that? How does it work with international alliances? I feel like they're big ideas, but again, this is something where zero trust only works if it's working with everyone. So I feel like there's still a lot of room for explanation and improvement. It seems like it's the right path for now and getting everyone on board and making it kind of the universal approach.\n\nIt’s what we've seen the last what, 12, 18 months. Maybe there's been more concerted effort during that time to get everyone on the same page here. It feels like this is the way that it's going to go and this is the way it's going to work. Not just DoD, but also industry is kind of on board with this idea, which is what you need.\n\nMark: Feels that way to me too.\n\nMike: Maybe in the next two or three years, we'll see the next evolution of whatever this is and we'll be talking about something else.\n\nMark: It feels to me that cyber security generally is a weapon system that needs to be invested in like you would invest in warfare capabilities like the F-35. 
It needs that type of investment.\n\nPolitics or Scare Tactics\n\nMark: Certainly, it seems like, and I don't know how much this is politics or scare tactics or what, but that our adversaries are looking at it that way. Using it as a means to disrupt what we do and take our eye off the ball, wherever that may be going. It just feels that way.\n\nI also feel like zero trust is a current path that should change. This should all change every couple of years. Certainly, the landscape is changing so fast. It can't be something that we say, \"This is what we're going to do for the next 15 years.\"\n\nCarolyn: So Thunderdome, aside from being an awesome name, to be honest is a little perplexing to me. Maybe I've just been in this industry too long, but I feel like we've been talking about zero trust for a decade. It's been a big push for the DoD for at least five years. When I read about Thunderdome, the way I understand it is we're going to build out a prototype. I thought we already had that. So I'm a little confused. I would love to hear your thoughts on that.\n\nMike: I think the most recent word was more for specific prototypes involving specific technologies. I would say generally the idea has been out there. It's been adopted and we've seen it be a top priority for the IT leaders. I think maybe now some of the questions are, how do you implement that philosophy? What are the tools in place to make sure that everything is working as expected? That's how I'm reading some of these more recent contract announcements in this area.\n\nPredictions for Government Technology in 2022\n\nCarolyn: That actually helps me. I would love to get your predictions. So what are your predictions for government technology in 2022?\n\nMike: I thought a little bit about this and you can tell, some are more surprising than others. The first one is, I think we're going to see IT savvy leaders, and that doesn't necessarily mean just IT leaders. 
IT savvy leaders are going to have a bigger seat at the table or will be invited to the table where maybe they weren't in the past. I think that's something that's been happening the last couple of years, but that's going to continue to evolve at a faster and faster rate.\n\nCarolyn: Are you thinking more of DoD specifically or is this across the government?\n\nMike: I think it's probably happening across the government. I spend most of my time on DoD issues. I'd say what's going to happen, but let me give you an example. I was at a breakfast in October and there was a general officer. Someone who's been around for a while and been promoted a number of times. He said, \"Only in the last six months did I fully understand what data as ammunition means.\" I thought, \"Wow. How could you have only heard or really grasped that in the last six months?\"\n\nI've covered national security for about 10 years. I feel like that's been an idea the entire time. That's why I say IT savvy leaders who have really adopted and embraced the data first mentality, I think they will get promoted more and have a seat at the table. Whereas maybe folks who are a little more, I don't know if the right word is data hesitant, not data curious, won't.\n\nGovernment Technology Faces a Little Language Barrier\n\nCarolyn: Do you think that it might be a semantic thing? We've got a little language barrier going on because our DoD leaders, like Intel, are king. I think that they would all agree with that, and data is Intel. Is it a language barrier?\n\nMark: Or is it culture?\n\nMike: It's probably a lot of both. I don't think the culture has been there. When people say data they're like, \"Oh, I'm not an IT person or I'm not this person.\" I just think that's not the way the world works anymore. Like everyone's a data person.\n\nMark: Do you see any shift in that culture of late? A lot of the military shifts seem like every 18, 24 months and have new jobs. Maybe IT is not a place where that should be done. 
Do you see any of that?\n\nMike: I see it evolving the last couple of cycles to use the idea you're talking about. It feels, from where I sit, that there's been some more savvy folks, but not just in the IT departments or not the IT like the CIO's offices. I’d say it's across the board that we're seeing. My prediction is I expect that to continue to happen faster and faster. I think the other thing that's related to that I expect to see less of is, I just wrote down patience with IT.\n\nSo I expect that when there are problems, there's not going to be the folks who do so much of that now. I don't know if you guys followed this, but last week there was a letter from an Air Force officer that went viral. The hashtag was “fix our computers”.\n\nMoney, Time, and Red Tape in Government Technology\n\nMike: I hope I got that right. It’s all about how much money, time, and red tape is being wasted just because basic functions don't work. If you're seeing that type of very public outburst, I don't say that pejoratively, the complaints were merited. But if you're seeing that happen at the officer level from folks who are running tech incubators, imagine what's happening by folks who don't feel empowered to speak out. I think the patience there is very thin.\n\nSenior leaders are going to say, \"We just can't operate this way anymore.\" I don't want to put too much weight on it, but you saw the Air Force CIO. You saw other CIOs weigh in on LinkedIn and say, \"You're absolutely right. We got to fix this. Here's some of the steps we're taking.\" If that conversation becomes public in that way, I think the patience may be worn out.\n\nMark: It's an interesting perspective. I didn't think of it that way.\n\nCarolyn: They're demanding a user experience. I just saw a tweet from Nick Chaillan that said, \"Would it be faster to list everything that is not broken?\" No.\n\nMike: I think he was part of this. We've seen it with some of the Navy IT leaders...","content_html":"

Mike Gruss, Editor-in-chief at Sightline Media Group has eyes on news related to all things DOD. He and his reporters are asking the smart questions when it comes to government defense technology. IT savvy leadership, user experience, and gamification are just some of the topics Mike unpacks in this episode of Tech Transforms.

The Biggest Trending Topics in Government Technology

Carolyn: Today we get to talk to Mike Gruss, editor-in-chief at Sightline Media Group. He’ll discuss some of the hottest topics in the IT industry. Sightline Media Group is the leading news organization covering military, defense, public sector, federal technology, C4ISR, and cyber defense. Today, Mike unpacks some of the biggest trending topics in government technology. We also get his perspective on the DoD's advancement in technology.

Mike, I love having you on the show because you have such a broad knowledge. You really have your finger on the pulse of what's happening in the government. So you're over a lot of publications. Can you tell our listeners briefly about your role as editor in chief of Sightline Media Group and the different publications you oversee?

Mike: Sightline oversees a number of brands, as you mentioned. I like to think of us as the largest national security newsroom in the country. We have two or three different buckets that our publications fall into. What we've really concentrated on the last year or so is working collaboratively across the newsroom. You may recognize specific brands, but I think our reporters are working across several brands or across the newsroom.

There's the Military Times brands, which are Military Times, Army Times, Air Force Times, Navy Times, and Marine Corps Times. Those are geared toward the troops and you'll see those publications, obviously online. They're available at commissaries, and then there's also our business to government groups.

What’s Happening With the Government Technology

Mike: Those are publications like Defense News, which covers the defense industry and what's happening at the Pentagon and on Capitol Hill, the business and politics of defense acquisitions. And also C4ISRNET, which focuses more on that network warfare aspect of the defense industry. The last publication we have is Federal Times. It focuses on the federal workforce and what they need and what's happening there on a day-to-day basis.

It's a lot, but we have a really passionate and skilled newsroom that thinks hard about these issues. They work really hard to get scoops up and to get enterprise news stories that will help people understand what's happening at their job and make better decisions every day at work.

Carolyn: I love the specialization. Obviously, you get a lot of stories that are going to be broad across. But when you take it and get specific to the mission of the different branches and the different missions, I really appreciate that.

Mike: I don't like to use the word expert because I think it's overused. But I'd say all of our reporters have a tremendous amount of knowledge in their field. They work really hard to ask smart questions, to be able to explain issues clearly and to know the nuances. I think that comes through in our reporting.

Carolyn: I definitely agree and I would absolutely use the word expert. Talk about your perspective on how the DoDs are making advancements in government technology. Do you think they're taking the right steps right now?

Mike: This is a difficult question and I think there's such a push-pull that we have to do here. I'm curious how you think of it too.

What DoD Has to Do With IT

Mike: On one hand, I think we have to recognize the complexity of what particularly DoD has to do when it comes to IT. They have to be the most secure, for example. If they are not secure, no one's going to give them a pass. No one's going to say, "Whoops, you missed that part. You didn't patch that, you didn't have that working. Oh, well."

That's not going to happen. We give them no leeway and that's how it should be. They have a tremendous budget to make sure they have no leeway. On the other hand, I get, I wouldn't say frustrated, but I think sometimes we're expected to celebrate advancements that industry made 10, 15 years ago.

Carolyn: Are you thinking of something specific?

Mike: I think cloud is the one that probably comes to mind first. But I think when you also talk about bringing your own device, you talk about even telework. These are things that many major corporations across the country figured these ideas out years and years ago. I think to say, "Well look at us. We did this." It's like, "Okay. You shouldn't get so much credit for doing it."

At the same time, I started with, there is that complexity of doing it at the size and scale they do it and with the level of security they do it. That's where I have this push and pull where I'm always careful of saying things like, "All right. This is a step forward for them, but are we judging them on the right scale?" I think that's where I sometimes have questions.

Mark: You bring up something really interesting. It brings to mind the executive order on user experience that's come out.

Executive Order

Mark: When I think of the DoD, I think of, "Okay. There's an element of the DoD that fights wars, protects the country. That's one element of it." But then there's the other element of luck. Making it easy for the people who work in the Department of Defense to actually live their lives, get healthcare, make sure that they're being paid. All these things seem to dovetail on that. I wanted to get your thoughts around that executive order. Are you guys tackling that at this juncture?

Mike: Yes, I think we're watching. I can't speak specifically to that executive order but I think those are the types of issues that we're constantly grappling with. And I wouldn't necessarily disagree with you that there's two separate schools of thought on IT in DoD. A couple of years ago, and you saw this, there was this, in the Mattis era, everyone wanted to speak his language and use the same glossary of terms he did.

I very clearly remember being at a DISA event where someone said, "No. Sending an email promotes lethality." You're like, "Come on. Email is not lethal." Similarly, we have to draw the line. Yes, every little bit contributes to kinetic war operation, if you want to think about it that way. But I have a hard time pulling the thread that far where I'm like, "Okay. Email is lethality."

Mark: DoD looks at the world. You mentioned the commercial sector, which I've worked in both and I 100% agree with you. I think that the commercial world has adopted technologies much faster. They're ahead of the game. Of course, they also have employees, which the DoD has, which is their end-user.

The Lethality of Government Technology

Mark: Unless it's an enemy, then they're the end-user of lethality, so to speak. But in the commercial world, they do have customers that they have to cater to, which I think the DoD maybe has neglected.

Mike: Yes. Maybe to your point, it doesn't think of its employees as customers and that's probably one of the issues.

Carolyn: I've been learning recently about ATOs, Authority to Operate. In my brain, I thought an ATO got a stamp and they got to use the application. Like once they got the ATO, it's done. Not the case. I am baffled and the thought of what they have to go through on a regular basis to maintain that ATO, like thousands of hours per application is just unwieldy to me. It makes me sick to my stomach. I'm like, "That's about when I would quit," when I had to go through that ATO again. So they have that. I'd like to put you on the spot here a little bit. What has DoD excelled in that maybe the commercial world hasn't in technology?

Mike: That's a great question. I'm not sure. I'd be curious what you guys think of this too. There's part of me that thinks from a security standpoint that as much as that's an area where it slows them down and they're critiqued for, I think in many instances they seem to have gotten it right. So let's take, for example, SolarWinds. There was a vulnerability there and it seems from what we know, and obviously, I don't know everything. But from what I've read and what our reporters have said, other government agencies were hurt or were more vulnerable.

Who Have Been Hit With Vulnerability

Mike: DoD seems to have done okay there. They knew there were attempts. But it seems like everything that's been said publicly, and the best that our reporters can tell is that because of the strength of their network, they were able to withstand this. I think there's part of me that is skeptical like, "Well wait a minute. What did you guys do differently than everyone else did?" But we also have to give them credit for that. We look at the companies across the world that were hit with that vulnerability.

Mark: I think that bar is so high. There's no alternative. It's table stakes. They had to do it right. Maybe they suffered in some ways, adaptability or agility, but they had to deliver on it. My gut feeling would tell me, and I don't know this. I'm speculating like most of us that the ability to wage war is an area where technology is something they do well. But that doesn't necessarily help a lot of the day-to-day IT workings of the Department of Defense.

Carolyn: But what I hear you saying is the mission of the DoD is to protect and defend and they excel at it. I like that.

Mike: To use Mark's word and I think he's absolutely right there, the agility. There is a trade-off, you can't have it both ways. You can't excel in this area and also there's zero room for error. There is a trade-off. I think maybe what the conversation that's happening now is that trade-off, are those trade-offs kind of balanced or aligned the way that they should be?

Zero Trust and Thunderdome

Mark: I'm a great straight man. So speaking of zero trust, can you give us your thoughts on zero trust and maybe even touch on the Thunderdome?

Mike: Yes. I think the Thunderdome Award is interesting from DISA, but I guess I have a couple of questions. We see these, and I'm coming off way more skeptical than I really am doing this podcast. I think that's the rolling plan. We see these cybersecurity philosophies come up every couple of years. I'm blanking on the name, but the risk framework we heard about a couple of years ago, I think all these ideas evolved. We're not too far away from where we were maybe five or 10 years ago, but this is just the most natural evolution of that.

I think, as a layperson and so many of these ideas I relate back to my home or my own personal security. I'm like, "Oh, well this makes sense that this is how zero trust operates. I don't want someone else speaking to my Bluetooth speaker that's on right now." And I don't want to say its name or I don't want someone else turning on the lights in my house or something. That all makes sense, someone accessing my bank account.

I guess the couple of questions I have right now are like, how will this work in the future? How will it work with legacy systems? As we have these legacy systems throughout DoD, I guess one, will they be able to be upgraded to work with the zero trust architecture? Two, how will they do that and, again, what's the trade-off there? How much are you going to pay?

How Much Work Is Going to Take To Build Government Technology

Mike: How much work is that going to take to make sure that every element of a new destroyer works with that zero trust architecture? I think that's difficult. The other question I have is we're obviously moving into this new world where everything's connected and the program is called JADC2.

But this sensor to shooter where you use any sensor in the world connected to any shooter in the world, how does zero trust architecture work with that? How does it work with international alliances? I feel like they're big ideas, but again, this is something where zero trust only works if it's working with everyone. So I feel like there's still a lot of room for explanation and improvement. It seems like it's the right path for now and getting everyone on board and making it kind of the universal approach.

It’s what we've seen the last what, 12, 18 months. Maybe there's been more concerted effort during that time to get everyone on the same page here. It feels like this is the way that it's going to go and this is the way it's going to work. Not just DoD, but also industry is kind of on board with this idea, which is what you need.

Mark: Feels that way to me too.

Mike: Maybe in the next two or three years, we'll see the next evolution of whatever this is and we'll be talking about something else.

Mark: It feels to me that cyber security generally is a weapon system that needs to be invested in like you would invest in warfare capabilities like the F-35. It needs that type of investment.

Politics or Scare Tactics

Mark: Certainly, it seems like, and I don't know how much this is politics or scare tactics or what, but that our adversaries are looking at it that way. Using it as a means to disrupt what we do and take our eye off the ball, wherever that may be going. It just feels that way.

I also feel like zero trust is a current path that should change. This should all change every couple of years. Certainly, the landscape is changing so fast. It can't be something that we say, "This is what we're going to do for the next 15 years."

Carolyn: So Thunderdome, aside from being an awesome name, to be honest is a little perplexing to me. Maybe I've just been in this industry too long, but I feel like we've been talking about zero trust for a decade. It's been a big push for the DoD for at least five years. When I read about Thunderdome, the way I understand it is we're going to build out a prototype. I thought we already had that. So I'm a little confused. I would love to hear your thoughts on that.

Mike: I think the most recent word was more for specific prototypes involving specific technologies. I would say generally the idea has been out there. It's been adopted and we've seen it be a top priority for the IT leaders. I think maybe now some of the questions are, how do you implement that philosophy? What are the tools in place to make sure that everything is working as expected? That's how I'm reading some of these more recent contract announcements in this area.

Predictions for Government Technology in 2022

Carolyn: That actually helps me. I would love to get your predictions. So what are your predictions for government technology in 2022?

Mike: I thought a little bit about this and you can tell, some are more surprising than others. The first one is, I think we're going to see IT savvy leaders, and that doesn't necessarily mean just IT leaders. IT savvy leaders are going to have a bigger seat at the table or will be invited to the table where maybe they weren't in the past. I think that's something that's been happening the last couple of years, but that's going to continue to evolve at a faster and faster rate.

Carolyn: Are you thinking more of DoD specifically or is this across the government?

Mike: I think it's probably happening across the government. I spend most of my time on DoD issues. I'd say what's going to happen, but let me give you an example. I was at a breakfast in October and there was a general officer. Someone who's been around for a while and been promoted a number of times. He said, "Only in the last six months did I fully understand what data as ammunition means." I thought, "Wow. How could you have only heard or really grasped that in the last six months?"

I've covered national security for about 10 years. I feel like that's been an idea the entire time. That's why I say IT savvy leaders who have really adopted and embraced the data first mentality, I think they will get promoted more and have a seat at the table. Whereas maybe folks who are a little more, I don't know if the right word is data hesitant, not data curious, won't.

Government Technology Faces a Little Language Barrier

Carolyn: Do you think that it might be a semantic thing? We've got a little language barrier going on because our DoD leaders, like Intel, are king. I think that they would all agree with that, and data is Intel. Is it a language barrier?

Mark: Or is it culture?

Mike: It's probably a lot of both. I don't think the culture has been there. When people say data they're like, "Oh, I'm not an IT person or I'm not this person." I just think that's not the way the world works anymore. Like everyone's a data person.

Mark: Do you see any shift in that culture of late? A lot of the military shifts seem like every 18, 24 months and have new jobs. Maybe IT is not a place where that should be done. Do you see any of that?

Mike: I see it evolving the last couple of cycles to use the idea you're talking about. It feels, from where I sit, that there's been some more savvy folks, but not just in the IT departments or not the IT like the CIO's offices. I’d say it's across the board that we're seeing. My prediction is I expect that to continue to happen faster and faster. I think the other thing that's related to that I expect to see less of is, I just wrote down patience with IT.

So I expect that when there are problems, there's not going to be the folks who do so much of that now. I don't know if you guys followed this, but last week there was a letter from an Air Force officer that went viral. The hashtag was “fix our computers”.

Money, Time, and Red Tape in Government Technology

Mike: I hope I got that right. It’s all about how much money, time, and red tape is being wasted just because basic functions don't work. If you're seeing that type of very public outburst, I don't say that pejoratively, the complaints were merited. But if you're seeing that happen at the officer level from folks who are running tech incubators, imagine what's happening by folks who don't feel empowered to speak out. I think the patience there is very thin.

Senior leaders are going to say, "We just can't operate this way anymore." I don't want to put too much weight on it, but you saw the Air Force CIO. You saw other CIOs weigh in on LinkedIn and say, "You're absolutely right. We got to fix this. Here's some of the steps we're taking." If that conversation becomes public in that way, I think the patience may be worn out.

Mark: It's an interesting perspective. I didn't think of it that way.

Carolyn: They're demanding a user experience. I just saw a tweet from Nick Chaillan that said, "Would it be faster to list everything that is not broken?" No.

Mike: I think he was part of this. We've seen it with some of the Navy IT leaders...

","summary":null,"date_published":"2022-03-16T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/0e7fdf94-1f36-461f-b972-3256ece4a250.mp3","mime_type":"audio/mpeg","size_in_bytes":31922278,"duration_in_seconds":2279}]},{"id":"ba439bbf-0c64-4214-a4fe-950dd6f3d4ea","title":"Episode 26: Unstoppable Women of Web3: Learn and Be Curious with Sandy Carter","url":"https://techtransforms.fireside.fm/26","content_text":"Sandy Carter, Unstoppable Domains SVP and Channel Chief again joins Carolyn and Mark, this time to discuss the importance of diversity in technology. She gives us an exciting inside look at her event, Unstoppable Women of Web3. Sandy walks the walk when it comes to getting women and girls involved in tech. Follow her on social media to get the latest updates!Episode Table of Contents[00:55] The Vision for Unstoppable Women[05:42] Unstoppable Women Are Learning About IOT and Machines[11:09] A Dream to Start the Groundswell With Unstoppable WomenEpisode Links and ResourcesSandy CarterUnstoppable DomainsUnstoppable Women of Web3Web3The Vision for Unstoppable WomenCarolyn: So we have Sandy Carter back. The last time we talked to her, she gave me the 101 on Web3 and FTs, crypto. My head's still swimming a little bit but I'm actually really excited about it. She did a great job and one of the key things that Sandy talked about was for Web3 to be the vision that she has for it and to be really strong, it needs diversity.Today, we're back with Sandy Carter, renowned technologist, bestselling author, and current senior VP at Unstoppable Domains. She's one of the leading pioneers in the digital business and also a former Fortune 25 business executive. She is a leader focused on helping companies with innovation and digital transformation through culture and technology like AI and the internet of things. So let's jump into it. 
As an advocate for diversity and women in technology and your involvement within girls in tech, what advice would you give to women pursuing roles in technology today?\n\nSandy: There's a couple of things. Technology is moving at such a pace that I think you need to develop this learn and be curious notion. Probably, what you're studying today in school or what you're doing today at your job will change significantly.\n\nTop Jobs Today for Unstoppable Women\n\nSandy: I was on the diversity group for the World Economic Forum and one of the interesting pieces of data that they shared with us was that the top jobs today in technology didn't exist five years ago. So unless you're going to be stuck in an old legacy role which will decline over time, you've got to be continuously learning and curious about what's coming so that you're ready to go in a lot of those new areas and those new fields.\n\nCarolyn: How do we stay current? Getting a degree is a good foundation and things are changing so often. What are some conferences or certifications that you would recommend for women in tech?\n\nSandy: There is a lot of really good material out there. There's so many classes and things that you can take just to refresh yourself, like YouTube. One of the things I do is to dedicate time every week. I mark an hour in my calendar every week. It probably could be more, but at least, an hour every week to check out something that I don't know about. Maybe it's quantum computing or spatial computing or a new thing that's happening in Web3. I'm always constantly on that front edge.\n\nI still remember when I was with IBM and I got selected to lead a lot of our artificial intelligence work. People were like, \"Wow, you're so lucky to get to do artificial intelligence.\" I would say, \"No, I'm not lucky. I've been studying this. I took two classes at MIT. I've been playing around with this. 
I was learning and being curious about it so that when this opportunity came, I was ready.\"Where We Are Today With TechnologySandy: So if you're just doing your day job today, I don't think it's enough. In fact, I have two daughters and they love Alice in Wonderland. One of the parts I love so much about that book is, Alice said, \"I had to run twice as fast just to stay in place.\" And that's where we are today with technology. I think you can't just focus on your current role. You always had to be learning about what that next role might be or might hold.Mark: You got your degree in computer science at Duke University. It's not surprising to me that you're the innovator and entrepreneur that you are in this arena. But how do we get women involved in technology at a younger age? How do we get them started with Math and Science so that by the time that they get to college or they get into the professional world, they're already teed up for this?Sandy: I think there's a couple of ways that we do that. One, I love what Girls in Tech are doing and truth in advertising. I am Chairman of the board for Girls in Tech. One of the things we do at Girls in Tech is host workshops and hackathons for the younger generation but we make it relevant to what they like. For example, a lot of young girls like fashion. So, we did a fashion tech hackathon. They get to create a ring with an IoT sensor in it and if you press the sensor, it would call for their parents. It was beautiful. The ring was beautiful and so they were all really interested in it.Unstoppable Women Are Learning About IoT and MachinesSandy: As they were learning about the ring, they were learning about IoT and machine learning. We put it in an application that was right for them. The other thing we did at AWS is teaching reinforcement learning which is even a higher level of artificial intelligence. We created a race car, it was called Deep Racer. It has IoT sensors around it and it races around a racetrack. 
You know a lot of young girls like to race cars. It's fun. We had kids all over the world racing these cars.What they were really doing is learning again, IoT technology, cloud technology, and AI. I think it's about us putting it into their language. I’d also say when I lived in New York. We fought really hard to get computer science to be mandatory in high school. I also think there are policy issues for states. I just saw the governor of Colorado when we had an event in EatDenver. He says he wanted his state to be the number one digital state. Miami wants to be the city of crypto. In order to do that, you have to train your kids, the next generation at earlier ages, as well.Mark: How do we do this at scale? How do we get the groundswell really moving across the country to do this? Maybe we can do it in pockets but I think we've really got to generate a groundswell.Sandy: That brings me to an announcement that we are going to be unleashing on March 8th which is International Women's Day. Obviously, a lot of women are mothers and aunts. They have an impact on the next generation and themselves as well.The Next Generation of TechnologySandy: As we started looking at Web3 which is the next generation of technology, we started noticing that there is already a discrepancy in a lot of the numbers and a lot of what's happening. For example, only 15% of bitcoin holders today are women.There are about 150 top crypto companies, only five are women. Men invest in this Web3 space so much more prevalently than others. Only 9% of women say they even understand Web3. So we're going to announce on March 8th this thing called Unstoppable Women of Web3. The whole mission is going to be around making this Web3 accessible for all. We want to help them with the first step. We're going to give away 10 million dollars of free domains as the entry point for Web3, and we're going to be action-oriented. We've got education that's launching, networking that's launching. 
We have real-life events and virtual events that are launching to help women support women in this mission.Now part of this, we're going to do a one-hour YouTube live session on March 8th. We're also going to host a 24-hour Twitter space with a different guest speaker sometimes every half an hour. So it's a big ordeal. One of the things I'm really excited about, for example, Nyla Hayes. I don't know if you guys know her. She's 13-years-old. She is a young woman who started creating an NFT collection of her art. They're called the Long Neck Ladies. She's made millions and millions of dollars.How Unstoppable Women Accomplish Things at a Young AgeSandy: She is Times' first artist in residence and she's going to do one of those Twitter spaces on how she accomplished this when she was 12. Now she's 13. How did she accomplish this at a young age? We're going to have women talk about what blockchain is. What is decentralization and what is digital identity? All the elements of Web3 and why we think the future of Web3 is female-focused. There's tons there.We're hoping, our mission and our goal is to create that groundswell. That will begin on March 8th with all this education. We've partnered with over 57 different companies, big companies, small companies, Web3 companies from Google and Deloitte to folks like blockchain.com and BlockFi. Some of them work really well, and of course, Unstoppable Domains, to make this happen. I feel that if we all come together to be action-oriented, to have the 8th be that first push of the groundswell, this will continue.We're also going to publish a top 100 inspirational women of Web3 and we're going to do a speakers bureau of women. The reason I want to do that is, I was announced as keynoting at South by Southwest on what Web3 is. You would not believe the number of people coming out of the woodwork now who want me to come speak because they want diversity. 
They're like, \"How do we find other women doing this?\" Well, we're going to create a speakers bureau so more women can be front and center.A Dream to Start the Groundswell With Unstoppable WomenSandy: So sorry that was a long-winded answer but I am so excited about what we're doing. My dream is that we do start that groundswell with all of these unstoppable women that will just expand and expand and expand.Mark: It seems to me that at many universities and colleges throughout the United States, the number of women that are enrolled in schools might be over 50% across the board. But I really would like to see a lot of that moving to data science, computer science, those types of schools. So I appreciate the insight on it.Carolyn: Honestly, I'm having chills as Sandy's talking because we talk about the need for diversity. We talk about the need to get more women in tech and girls in tech and we know the stats. We've got somebody who's walking the walk. I mean you're doing it. So I am so excited to get this out to our listeners.Thank you for sharing this with us. We will get these links out to all of these different things that you mentioned so people can go. Do you want to give us your top three things to do right now for everyone, not just women? Top three that we can do to be involved.Sandy: First, I would just say number one is to have that desire to learn. It is hard but make sure that you attend one of these Twitter spaces. They're half an hour, an hour investment of time and you'll just get excited. You can ask questions and just learn.Discord and TelegramSandy: Twitter spaces work a little differently, it's a link where you can set a reminder on Twitter. It’s a little different but I'll share those with you. Then for the YouTube live, we'll do a YouTube live that's one hour on what is Web3. Just like the last session that we did on what is Web3, that's a whole hour on all the details with visuals. I'm a very visual learner and so that will be a visual. 
We'll get you that link right away so that you can help people do that.The second one is, I would say just interact. Both of you are asking questions today and I think that interaction is how you learn. It's also how you figure out who some of your trusted advisors are so when you need to ask a question, you can do that. There are also two tools that most Web3 people use, Discord and Telegram. If you're not on those, you could go explore them.Then the third thing, I think you have to experience it. You have to play with it. If it's Web3, you can't learn it in a book and then talk about it credibly. You've got to do it. You're going to run into challenges like I did. I ran into challenges too and I consider myself pretty techy. Setting up your domain, linking it to a wallet, figuring out how to buy Eth or bitcoin is a daunting experience. But once you go through it, you'll get hooked on it and what we call it as going down the rabbit hole. Then you want more and more.How Unstoppable Women Develop Their SkillsSandy: That would be my three things: learn, interact, and play. I think that's really how you develop a set of skills that are hands-on.Carolyn: I'll give a fourth. Again, follow Sandy Carter on LinkedIn. I know that you share your word of the day and you share insights that you have. That's a really easy way for our listeners to get involved and to learn. Thank you so much for your time today, Sandy. I really appreciate you taking time out of your busy schedule for us.Sandy: Thank you for the honor of being on your podcast as well. I really appreciate it. Thank you, both, for helping me to evangelize what's happening on March 8th. I really do want it to be all of us working together to push this agenda forward.Carolyn: Absolutely. Thanks to our listeners for joining us today. Please like and share this episode, this is an important one. We will talk to you next week on Tech Transforms sponsored by Dynatrace.","content_html":"

Sandy Carter, Unstoppable Domains SVP and Channel Chief again joins Carolyn and Mark, this time to discuss the importance of diversity in technology. She gives us an exciting inside look at her event, Unstoppable Women of Web3. Sandy walks the walk when it comes to getting women and girls involved in tech. Follow her on social media to get the latest updates!

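Episode Table of Contents

[00:55] The Vision for Unstoppable Women
[05:42] Unstoppable Women Are Learning About IoT and Machines
[11:09] A Dream to Start the Groundswell With Unstoppable Women

Episode Links and Resources

Sandy Carter
Unstoppable Domains
Unstoppable Women of Web3
Web3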

The Vision for Unstoppable Women

Carolyn: So we have Sandy Carter back. The last time we talked to her, she gave me the 101 on Web3 and NFTs, crypto. My head's still swimming a little bit but I'm actually really excited about it. She did a great job and one of the key things that Sandy talked about was for Web3 to be the vision that she has for it and to be really strong, it needs diversity.

Today, we're back with Sandy Carter, renowned technologist, bestselling author, and current senior VP at Unstoppable Domains. She's one of the leading pioneers in the digital business and also a former Fortune 25 business executive. She is a leader focused on helping companies with innovation and digital transformation through culture and technology like AI and the internet of things.

So let's jump into it. As an advocate for diversity and women in technology and your involvement within Girls in Tech, what advice would you give to women pursuing roles in technology today?

Sandy: There's a couple of things. Technology is moving at such a pace that I think you need to develop this learn and be curious notion. Probably, what you're studying today in school or what you're doing today at your job will change significantly.

Top Jobs Today for Unstoppable Women

Sandy: I was on the diversity group for the World Economic Forum and one of the interesting pieces of data that they shared with us was that the top jobs today in technology didn't exist five years ago. So unless you're going to be stuck in an old legacy role which will decline over time, you've got to be continuously learning and curious about what's coming so that you're ready to go in a lot of those new areas and those new fields.

Carolyn: How do we stay current? Getting a degree is a good foundation and things are changing so often. What are some conferences or certifications that you would recommend for women in tech?

Sandy: There is a lot of really good material out there. There's so many classes and things that you can take just to refresh yourself, like YouTube.

One of the things I do is to dedicate time every week. I mark an hour in my calendar every week. It probably could be more, but at least, an hour every week to check out something that I don't know about. Maybe it's quantum computing or spatial computing or a new thing that's happening in Web3. I'm always constantly on that front edge.

I still remember when I was with IBM and I got selected to lead a lot of our artificial intelligence work. People were like, \"Wow, you're so lucky to get to do artificial intelligence.\" I would say, \"No, I'm not lucky. I've been studying this. I took two classes at MIT. I've been playing around with this. I was learning and being curious about it so that when this opportunity came, I was ready.\"

Where We Are Today With Technology

Sandy: So if you're just doing your day job today, I don't think it's enough. In fact, I have two daughters and they love Alice in Wonderland. One of the parts I love so much about that book is, Alice said, \"I had to run twice as fast just to stay in place.\"

And that's where we are today with technology. I think you can't just focus on your current role. You always have to be learning about what that next role might be or might hold.

Mark: You got your degree in computer science at Duke University. It's not surprising to me that you're the innovator and entrepreneur that you are in this arena. But how do we get women involved in technology at a younger age? How do we get them started with Math and Science so that by the time that they get to college or they get into the professional world, they're already teed up for this?

Sandy: I think there's a couple of ways that we do that. One, I love what Girls in Tech are doing and truth in advertising. I am Chairman of the board for Girls in Tech. One of the things we do at Girls in Tech is host workshops and hackathons for the younger generation but we make it relevant to what they like. For example, a lot of young girls like fashion. So, we did a fashion tech hackathon.

They get to create a ring with an IoT sensor in it and if you press the sensor, it would call for their parents. It was beautiful. The ring was beautiful and so they were all really interested in it.

Unstoppable Women Are Learning About IoT and Machines

Sandy: As they were learning about the ring, they were learning about IoT and machine learning. We put it in an application that was right for them. The other thing we did at AWS is teaching reinforcement learning which is even a higher level of artificial intelligence. We created a race car, it was called DeepRacer. It has IoT sensors around it and it races around a racetrack. You know a lot of young girls like to race cars. It's fun. We had kids all over the world racing these cars.

What they were really doing is learning again, IoT technology, cloud technology, and AI. I think it's about us putting it into their language. I’d also say, when I lived in New York, we fought really hard to get computer science to be mandatory in high school. I also think there are policy issues for states. I just saw the governor of Colorado when we had an event in ETHDenver. He says he wanted his state to be the number one digital state. Miami wants to be the city of crypto. In order to do that, you have to train your kids, the next generation at earlier ages, as well.

Mark: How do we do this at scale? How do we get the groundswell really moving across the country to do this? Maybe we can do it in pockets but I think we've really got to generate a groundswell.

Sandy: That brings me to an announcement that we are going to be unleashing on March 8th which is International Women's Day. Obviously, a lot of women are mothers and aunts. They have an impact on the next generation and themselves as well.

The Next Generation of Technology

Sandy: As we started looking at Web3 which is the next generation of technology, we started noticing that there is already a discrepancy in a lot of the numbers and a lot of what's happening. For example, only 15% of bitcoin holders today are women.

There are about 150 top crypto companies, only five are women. Men invest in this Web3 space so much more prevalently than others. Only 9% of women say they even understand Web3. So we're going to announce on March 8th this thing called Unstoppable Women of Web3. The whole mission is going to be around making this Web3 accessible for all. We want to help them with the first step.

We're going to give away 10 million dollars of free domains as the entry point for Web3, and we're going to be action-oriented. We've got education that's launching, networking that's launching. We have real-life events and virtual events that are launching to help women support women in this mission.

Now part of this, we're going to do a one-hour YouTube live session on March 8th. We're also going to host a 24-hour Twitter space with a different guest speaker sometimes every half an hour. So it's a big ordeal. One of the things I'm really excited about, for example, Nyla Hayes. I don't know if you guys know her. She's 13 years old. She is a young woman who started creating an NFT collection of her art. They're called the Long Neck Ladies. She's made millions and millions of dollars.

How Unstoppable Women Accomplish Things at a Young Age

Sandy: She is TIME's first artist in residence and she's going to do one of those Twitter spaces on how she accomplished this when she was 12. Now she's 13. How did she accomplish this at a young age? We're going to have women talk about what blockchain is. What is decentralization and what is digital identity? All the elements of Web3 and why we think the future of Web3 is female-focused. There's tons there.

We're hoping, our mission and our goal is to create that groundswell. That will begin on March 8th with all this education. We've partnered with over 57 different companies, big companies, small companies, Web3 companies from Google and Deloitte to folks like blockchain.com and BlockFi. Some of them work really well, and of course, Unstoppable Domains, to make this happen. I feel that if we all come together to be action-oriented, to have the 8th be that first push of the groundswell, this will continue.

We're also going to publish a top 100 inspirational women of Web3 and we're going to do a speakers bureau of women. The reason I want to do that is, I was announced as keynoting at South by Southwest on what Web3 is. You would not believe the number of people coming out of the woodwork now who want me to come speak because they want diversity. They're like, \"How do we find other women doing this?\" Well, we're going to create a speakers bureau so more women can be front and center.

A Dream to Start the Groundswell With Unstoppable Women

Sandy: So sorry that was a long-winded answer but I am so excited about what we're doing. My dream is that we do start that groundswell with all of these unstoppable women that will just expand and expand and expand.

Mark: It seems to me that at many universities and colleges throughout the United States, the number of women that are enrolled in schools might be over 50% across the board. But I really would like to see a lot of that moving to data science, computer science, those types of schools. So I appreciate the insight on it.

Carolyn: Honestly, I'm having chills as Sandy's talking because we talk about the need for diversity. We talk about the need to get more women in tech and girls in tech and we know the stats. We've got somebody who's walking the walk. I mean you're doing it. So I am so excited to get this out to our listeners.

Thank you for sharing this with us. We will get these links out to all of these different things that you mentioned so people can go. Do you want to give us your top three things to do right now for everyone, not just women? Top three that we can do to be involved.

Sandy: First, I would just say number one is to have that desire to learn. It is hard but make sure that you attend one of these Twitter spaces. They're half an hour, an hour investment of time and you'll just get excited. You can ask questions and just learn.

Discord and Telegram

Sandy: Twitter spaces work a little differently, it's a link where you can set a reminder on Twitter. It’s a little different but I'll share those with you. Then for the YouTube live, we'll do a YouTube live that's one hour on what is Web3. Just like the last session that we did on what is Web3, that's a whole hour on all the details with visuals. I'm a very visual learner and so that will be a visual. We'll get you that link right away so that you can help people do that.

The second one is, I would say just interact. Both of you are asking questions today and I think that interaction is how you learn. It's also how you figure out who some of your trusted advisors are so when you need to ask a question, you can do that. There are also two tools that most Web3 people use, Discord and Telegram. If you're not on those, you could go explore them.

Then the third thing, I think you have to experience it. You have to play with it. If it's Web3, you can't learn it in a book and then talk about it credibly. You've got to do it. You're going to run into challenges like I did. I ran into challenges too and I consider myself pretty techy. Setting up your domain, linking it to a wallet, figuring out how to buy ETH or bitcoin is a daunting experience. But once you go through it, you'll get hooked on it, what we call going down the rabbit hole. Then you want more and more.

How Unstoppable Women Develop Their Skills

Sandy: That would be my three things: learn, interact, and play. I think that's really how you develop a set of skills that are hands-on.

Carolyn: I'll give a fourth. Again, follow Sandy Carter on LinkedIn. I know that you share your word of the day and you share insights that you have. That's a really easy way for our listeners to get involved and to learn. Thank you so much for your time today, Sandy. I really appreciate you taking time out of your busy schedule for us.

Sandy: Thank you for the honor of being on your podcast as well. I really appreciate it. Thank you both for helping me to evangelize what's happening on March 8th. I really do want it to be all of us working together to push this agenda forward.

Carolyn: Absolutely. Thanks to our listeners for joining us today. Please like and share this episode, this is an important one. We will talk to you next week on Tech Transforms sponsored by Dynatrace.

","summary":null,"date_published":"2022-03-07T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/d54dad92-ffde-4cc9-8db7-460ce301b2e1.mp3","mime_type":"audio/mpeg","size_in_bytes":13586003,"duration_in_seconds":969}]},{"id":"101e4f92-9eec-4ea5-971a-c22f8a1e1c2a","title":"Episode 25: Web3: The Start of the Power with Sandy Carter","url":"https://techtransforms.fireside.fm/25","content_text":"Sandy Carter, SVP and Channel Chief at Unstoppable Domains and former Vice President at Amazon Web Services talks about the groundbreaking work she is doing with Web3. Listen in to get more information on Web3 capabilities and hear about the chaotic creation that Unstoppable Domains is taking on.Episode Table of Contents[00:53] A Leading Pioneer in Web3 and Digital Transformation[08:280] A Hot Topic Element of Web3[15:12] Women Are Getting Involved With Web3[23:04] What Web3 Means for the GovernmentEpisode Links and ResourcesSandy CarterUnstoppable DomainsUnstoppable Women of Web3UberA Leading Pioneer in Web3 and Digital TransformationCarolyn: Today, we're talking to Sandy Carter, and I'm excited to have her all to myself. Sandy is a renowned technologist, bestselling author, and current senior VP at Unstoppable Domains. She is one of the leading pioneers in the digital business, and a former Fortune 25 business executive. She’s a leader focused on helping companies with innovative and digital transformation through culture and technology, like AI and Internet of Things. Sandy, you have an incredible background. You've been with IBM, recently with Amazon Web Services, and now you're working with Unstoppable Domains. I would love for you to tell us your story. What is the journey that you've had with your career? How did you get to Unstoppable Domains, and what is it?Sandy: Well, it's really interesting. You'll notice in all of my companies, IBM, and then you missed a startup. 
I had a startup in between and then AWS, and then now a startup with Unstoppable. All of those companies were on the leading or bleeding edge of technology. At the time I was at IBM, we were bleeding edge for social media and business, which was that Web 2.0 era. I then went to form my own company and I was doing artificial intelligence. In fact, I thought it was so cool.I was doing like a Myers-Brigg on companies to determine their culture so that we can match them with the right innovation tactic. That way, they didn't go and try something that didn't fit their culture, because culture eats strategy for lunch.Developing the Right Processes for Web3Sandy: Then I moved on to Amazon, and Amazon was all about the cloud, another tech transformation that was going on. I learned so much from each of these companies. Leadership principles from Amazon and how to develop the right processes and mechanisms from IBM. From my startup, how to be really scrappy and to do things that 80/20 rule; not perfect, but good. Good for the customer, valuable for the customer, but not necessarily reaching that perfection mark.When Web3 started out, I was really interested in it. I’ve done some blockchain at Amazon Web Services and I was fascinated with the new technology. So I started doing all of these side projects on NFT, setting up my wallet, doing all this stuff on the side. It turned out that a company approached me called Unstoppable Domains. I was fascinated by what they were doing in the marketplace. They’re focused on digital identity and how, in the Web3 world, you take your identity with you. It's not linked with a particular application.I thought that was fascinating given my history. Looking at Web3, I was like, why would I keep doing these side projects when I could do this full time? So, I came on with Unstoppable. The founding team is great, the portfolio of products is really fascinating to me, and the partners are all the who's who of Web3. 
So, here I am and I'm having a blast.Web3 Centralization and DecentralizationCarolyn: You talked about several things that are a little baffling to me. First of all, Web3. I'm embarrassed to say that I really haven’t heard that term until I knew that you were a guest. I started looking at some stuff that you've talked about, and I was like, okay, what is this? So, I read some articles over the weekend and I'm still not sure exactly what it is. It's decentralization and centralization and then decentralization.Sandy: I would define Web3 in one word, and that would be an ownership model. When I say an ownership model, if you think about it, let's take Uber for example. I was an early user of Uber. I’ve told all my friends about it because I was living in Silicon Valley. I was Ubering all over when Uber was just in San Francisco and Silicon Valley. So, I was attracting new users and I got value because my friends thought I gave them something of value. But now, Uber is worth about $50 billion and I didn't get any of that financial benefit. I was providing and attracting users for Uber, but the extraction of value came from Uber itself. Web3 turns that on its head. You’re now not a user of the application, you are a member. You have ownership rights in what you're doing. Web3 really introduces that real ownership model to the internet that combines economics, art, game theory, and technology in a very interesting way.The Five Essential Elements of Web3Sandy: Web3, essentially Web3 means that something is built on what I would call five essential elements. One, it is decentralized. You said decentralization, or at least partially decentralized, meaning there's no one company who owns all the servers, all the infrastructure. It is decentralized or at least partially decentralized.Two, there has to be a digital identity that travels with you. Think about today. You go to sign into LinkedIn, you use one ID. Then you go over to Instagram, you're using a different ID. 
When you go into TikTok, you're using a different ID. But I can now take my digital identity, which I've built with Unstoppable Domains, sandy.crypto.\n\nI can take that identity and I can enter a metaverse. With that same identity, I can enter DeFi, decentralized finance with Cook Financial. And with that same identity, I can enter a game like Decentraland or Sandbox. That same identity travels with me, it's all built on the blockchain. That's the third assumption for Web3; decentralized digital identity built on the blockchain. It's trustless, meaning that there is no in-between.\n\nI sign a smart contract directly with the person I am purchasing. There's not a bank or a lawyer or anything in between. It financially benefits the members because remember, we have members now. So if I buy an NFT, like a Lazy Lion, I now own that Lazy Lion. I can now create a t-shirt with that Lazy Lion, and that t-shirt could enable me, for example, to create my own business. It's really all about that ownership model.\n\nA Hot Topic Element of Web3\n\nCarolyn: This reminds me of something that I worked on years ago. I worked for Novell. I'm sure that you know who that company is, even though it really doesn't exist anymore. I was working with developers on a digital identity or a digital wallet, and it didn't go anywhere. It’s a hot topic and it was innovative and cutting edge. It sounds like, is it the blockchain that has enabled it to actually be secure and be something now?\n\nSandy: Blockchain is one of the underpinning technologies and blockchain does allow that transparency and that interoperability. It does help with that ownership too. Make it immutable. It can't be changed for sure. So, it is an element in Web3, just like we talked about those five elements. It has to be decentralized or at least partially decentralized. You have a transportable digital identity. It's built on blockchain, it is trustless and it financially benefits users.
Blockchain is definitely a part of the equation.\n\nCarolyn: If we were in a Web3 world and Uber's just coming online like it did when you were an evangelist for Uber, you evangelizing Uber to your friends and would give you shares? You would have some kind of ownership in Uber and you would reap the benefits of this $50 billion company?\n\nSandy: I could, yes, absolutely. There is this concept of fractional ownership, and fractional ownership means that whether it is a piece of art or a company or a piece of real estate, you can have a fractionalized ownership of that. For example, NFTs allow for fractional ownership of any digital native asset.\n\nThings That Happen in Web3\n\nSandy: People can own a portion of something that otherwise they might not have been able to afford. It extends beyond art, like a Lazy Lion or a Bored Ape. Of course, the use of NFTs and blockchain enable you to prove ownership, and you do that today. I have a friend of mine who collects Chanel purses. Of course, if you're going to spend that much money on a purse you want it verified.\n\nMy mom used to be a Boston Red Sox fan. I guess she still is a Boston Red Sox fan and she collects Ted Williams. I don’t even know who he is, but he's an old-time baseball player. She owns that baseball card and she had it authenticated, verified that it's real. It's the same thing that happens in Web3 with that verification.\n\nCarolyn: Does the creator of the asset or the company have to say, \"Yes, I want to buy into this Web3 idea and have this fractionalized ownership\"?\n\nSandy: Yes. If you're a company like Parcel, Parcel is doing Web3 real estate. Or if you look at some NFTs, not all NFTs that are art are fractional ownership. Some of them, I buy and it's outright mine. I own it, I can do whatever I want to with it. Some I buy into it and the artist gets a fractional piece of that forever. If I go and produce a t-shirt and I sell the t-shirt for $10, then maybe the artist gets $1.
I get $9 in perpetuity because I'm now a part-owner and they're the creator of it.\n\nWhen Will We Be in the Web3 World\n\nSandy: This is why a lot of people in music love it. A lot of them today, when they sign on to agents and all these companies, the amount they end up getting is so small. In fact, this weekend I was listening to an artist. They said, \"Look, based on the digitalization of music today, after everybody takes their cut my cut is pennies. So I have to do t-shirts, concerts, and ads, because I don't make enough money on my music, which I really should be making the money on.\"\n\nCarolyn: When will we be in this Web3 world, or are we already dipping our toes?\n\nSandy: We're at the very early stages. I would say, we are super early. The tech right now can be very expensive. Think about the gas fees that you have to pay sometimes. A gas fee is not like the gas for your car. The gas fee that you're paying is for the permission to use those decentralized servers. In a centralized world, a company's paying for that. They're going to get the benefit of that too. They are going to get the financial benefit of it.\n\nIn this new Web3 world, which is decentralized, that gas fee is what you're paying to use a part of that decentralized network. That can be expensive today, and it may not be completely ready. If you think about it, blockchain, there's thousands of articles. Is blockchain scalable yet? Not quite yet, but it will be. I would say that we're in the dial-up phase of Web3. What's that movie? There's a movie, and you can hear the AOL sound of the modem.\n\nCarolyn: Oh, You've Got Mail?\n\nThe Chaotic Creation of Web3\n\nSandy: You've Got Mail, that's right. So think about that sound right now, and you think about Web3, we're in that early stage of it. Or as someone said this weekend at EatDenver, \"We're baking a pie and the pie's in the oven. You don't want to take the pie out too early because you can't really consume it.
It's not done.\" We're in that early stage of Web3, and that's why I wanted to jump in early.\n\nI like that early stage, I like that chaotic creation for a couple of reasons, and I just love the tech. I just consume and dive into the tech. But also, because I believe that at the start of this new era of Web3, I want the new era to be diverse. I believe that's what's going to make it more innovative. If we look at the past Web1, Web2, it has not been a diverse group of people shaping the future of it.\n\nCarolyn: Meaning there's a few big companies that own all the servers and the services?\n\nSandy: Maybe a lot of men that shape the company. Maybe white men that shape it, not a diverse group of people who are inputting all of their ideas. I think that diversity; diversity of thought, of any kind, is important, having people from multiple countries. Just look at Web3. It is being created in Africa. I was just on the phone this morning with an African company that's doing phenomenal things. They're going to impact what we're doing here.\n\nHow Women Are Getting Involved With Web3\n\nSandy: Women are getting involved; not at a fast enough rate, but we're going to try to fix that. I was just speaking with Eman who started the Ancient Warriors NFT collection. He focuses on black and brown artists. Now we've got everybody coming in early into the pot. I can feel that pot being mixed up and stirred by so many diverse ideas. The diversity of thought ideas is only going to make it more innovative and more powerful.\n\nCarolyn: As you're talking, I'm thinking about baking a cake. I’m thinking, if you only put flour in the cake, you don't have a cake and that's the same with these innovations. Without the diversity, you just don't get the cake. So, I love that. I want to ask about the metaverse.\n\nWe got some advertisements, some creepy ones, to be honest, with the Super Bowl around the metaverse. When I think of the metaverse, I think about things like Ready Player One where I'm an avatar.
There was a movie with Bruce Willis, I think it's called Surrogate. Have you seen that?\n\nSandy: I have.\n\nCarolyn: They physically never leave their house. They have a replica of them that they control from a console. These are the kind of things I think about with metaverse. Then last week, I was sick. By the end of the week, I wasn't sick enough not to take a meeting, but I was still sick enough that I looked like I'd been chewed on by wolves.\n\nA Metaverse Meeting\n\nCarolyn: And so, I didn't want to get on video but I thought, \"You know what would be super awesome? It’s if I could do a metaverse meeting and I could go with the perfect outfit and the perfect hair and show up as my perfect self.\" These are the things that spin around in my head with the metaverse. I would love to hear what the metaverse really is from you.\n\nSandy: It's simply an online digital environment and you are inhabiting that new land as an avatar. You access it through virtual reality or augmented reality. A lot of gamers are already doing this today, if you think about the metaverse. But I like to think about the metaverse in terms of layers. Maybe it's from my tech background. So I see Web3, that decentralized access, that ownership model, being the base or the foundation of a metaverse. That is then dependent on the blockchain for trust, for that secure value exchange, which I then think will be governed by DAOs.\n\nWe haven't talked about DAOs yet, but DAOs are, again, another voting experience done with tokens. It’s a dynamic governance model of which the metaverse sets. The metaverse is really that digital experience and the worlds, but it requires a DAO structure, blockchain for trust and Web3.
The interesting thing is, when we talk about the metaverse and we talk about Web3, I think we're talking about the same direction because the metaverse requires Web3 to really deliver on its promises in the marketplace today.\n\nCarolyn: Is Unstoppable Domains building that foundation then, for the metaverse with Web3?\n\nUnstoppable Domains\n\nSandy: So Unstoppable Domains is building your digital identity, which is represented as your domain. Think about it as the domain with super powers, unlike the domain of a Web2 world. When I say super powers, I mean it's user-owned and controlled, so there's no renewal fees. You own it. It's back to that ownership. It is decentralized because it's created on that blockchain.\n\nAny third party can read it and resolve that name without anybody's permission, not even ours. Others can build tools and applications on it, like metaverses, as they move forward. For example, the Atlantis metaverse is built on top of our digital identity. Cook Finance, that's DeFi, is built on top of it. Parcel, which is doing real estate in the 3D world, is built on top of it.\n\nWhat that enables you to do is to travel with that digital identity. For me, that's really cool because if you think about your digital identity, that travels with you. It travels with you to any application. It's your wallet, it's your healthcare data, it's your education records, it's your finance. It is basically you.\n\nCarolyn: It sounds scary. If somebody hacked that, then they have access to me.\n\nSandy: Think about how many people hack you today. It already happened today. So let's think about the hack as one thing. Today, people are selling your information to companies so that they can market to you. People sell, oh, Carolyn just bought a house. I'm going to sell that data to someone so that they can market to her differently because she just bought a house. Carolyn just graduated from college.
Because I know that, I'm going to market to you differently.\n\nProtect People’s Privacy\n\nSandy: Today, that information is not even considered a hack. That's considered their right to share that information, it's not considered your right to that information. It’s their right to that information. It is the whole reason why Europe set up GDPR; to protect people's privacy. If you think about it, in the future, digital identity is going to be much more important than it is today. It will be used in all sorts of apps that we can't even imagine today.\n\nI believe that it's extremely important that ownership and those rights sit in the hands of you, not in the hands of a government or a corporation. That would be more scary, if another person had all of my information. Now, in order to achieve this vision I think there's got to be a lot of things that happen. We've got to have a way to protect it. You pointed it out right away, you need to have that be secure.\n\nWe've got to make it easier. There's a lot of things right now that we need to work on in the Web3 world. One of those is ease of use and UI. Though I consider myself pretty techy, it's hard for me. I could not imagine my parents trying it right now. It's too hard. I do believe if you are a designer sitting out there or you do UX, it's going to become more and more important due to the rate of adoption that we get that ease of use correctly and we do it very fast.\n\nWhat Web3 Means for the Government\n\nSandy: Today, it's too hard. I think that if digital identity is going to be what it is, we have to make it easier for everybody to participate in it.\n\nCarolyn: What does Web3 and everything we've been talking about mean for the government?\n\nSandy: It's really interesting because governments are reacting in different ways to this. If you think about it, some governments like El Salvador, they've gone all in. They now use bitcoin and crypto....","content_html":"

Sandy Carter, SVP and Channel Chief at Unstoppable Domains and former Vice President at Amazon Web Services talks about the groundbreaking work she is doing with Web3. Listen in to get more information on Web3 capabilities and hear about the chaotic creation that Unstoppable Domains is taking on.

A Leading Pioneer in Web3 and Digital Transformation

Carolyn: Today, we're talking to Sandy Carter, and I'm excited to have her all to myself. Sandy is a renowned technologist, bestselling author, and current senior VP at Unstoppable Domains. She is one of the leading pioneers in the digital business, and a former Fortune 25 business executive. She’s a leader focused on helping companies with innovative and digital transformation through culture and technology, like AI and Internet of Things.

Sandy, you have an incredible background. You've been with IBM, recently with Amazon Web Services, and now you're working with Unstoppable Domains. I would love for you to tell us your story. What is the journey that you've had with your career? How did you get to Unstoppable Domains, and what is it?

Sandy: Well, it's really interesting. You'll notice in all of my companies, IBM, and then you missed a startup. I had a startup in between and then AWS, and then now a startup with Unstoppable. All of those companies were on the leading or bleeding edge of technology. At the time I was at IBM, we were bleeding edge for social media and business, which was that Web 2.0 era. I then went to form my own company and I was doing artificial intelligence. In fact, I thought it was so cool.

I was doing like a Myers-Briggs on companies to determine their culture so that we can match them with the right innovation tactic. That way, they didn't go and try something that didn't fit their culture, because culture eats strategy for lunch.

Developing the Right Processes for Web3

Sandy: Then I moved on to Amazon, and Amazon was all about the cloud, another tech transformation that was going on. I learned so much from each of these companies. Leadership principles from Amazon and how to develop the right processes and mechanisms from IBM. From my startup, how to be really scrappy and to do things that 80/20 rule; not perfect, but good. Good for the customer, valuable for the customer, but not necessarily reaching that perfection mark.

When Web3 started out, I was really interested in it. I’ve done some blockchain at Amazon Web Services and I was fascinated with the new technology. So I started doing all of these side projects on NFT, setting up my wallet, doing all this stuff on the side. It turned out that a company approached me called Unstoppable Domains. I was fascinated by what they were doing in the marketplace. They’re focused on digital identity and how, in the Web3 world, you take your identity with you. It's not linked with a particular application.

I thought that was fascinating given my history. Looking at Web3, I was like, why would I keep doing these side projects when I could do this full time? So, I came on with Unstoppable. The founding team is great, the portfolio of products is really fascinating to me, and the partners are all the who's who of Web3. So, here I am and I'm having a blast.

Web3 Centralization and Decentralization

Carolyn: You talked about several things that are a little baffling to me. First of all, Web3. I'm embarrassed to say that I really haven’t heard that term until I knew that you were a guest. I started looking at some stuff that you've talked about, and I was like, okay, what is this? So, I read some articles over the weekend and I'm still not sure exactly what it is. It's decentralization and centralization and then decentralization.

Sandy: I would define Web3 in one word, and that would be an ownership model. When I say an ownership model, if you think about it, let's take Uber for example. I was an early user of Uber. I’ve told all my friends about it because I was living in Silicon Valley. I was Ubering all over when Uber was just in San Francisco and Silicon Valley. So, I was attracting new users and I got value because my friends thought I gave them something of value. But now, Uber is worth about $50 billion and I didn't get any of that financial benefit.

I was providing and attracting users for Uber, but the extraction of value came from Uber itself. Web3 turns that on its head. You’re now not a user of the application, you are a member. You have ownership rights in what you're doing. Web3 really introduces that real ownership model to the internet that combines economics, art, game theory, and technology in a very interesting way.

The Five Essential Elements of Web3

Sandy: Web3, essentially Web3 means that something is built on what I would call five essential elements. One, it is decentralized. You said decentralization, or at least partially decentralized, meaning there's no one company who owns all the servers, all the infrastructure. It is decentralized or at least partially decentralized.

Two, there has to be a digital identity that travels with you. Think about today. You go to sign into LinkedIn, you use one ID. Then you go over to Instagram, you're using a different ID. When you go into TikTok, you're using a different ID. But I can now take my digital identity, which I've built with Unstoppable Domains, sandy.crypto.

I can take that identity and I can enter a metaverse. With that same identity, I can enter DeFi, decentralized finance with Cook Financial. And with that same identity, I can enter a game like Decentraland or Sandbox. That same identity travels with me, it's all built on the blockchain. That's the third assumption for Web3; decentralized digital identity built on the blockchain. It's trustless, meaning that there is no in-between.

I sign a smart contract directly with the person I am purchasing. There's not a bank or a lawyer or anything in between. It financially benefits the members because remember, we have members now. So if I buy an NFT, like a Lazy Lion, I now own that Lazy Lion. I can now create a t-shirt with that Lazy Lion, and that t-shirt could enable me, for example, to create my own business. It's really all about that ownership model.

A Hot Topic Element of Web3

Carolyn: This reminds me of something that I worked on years ago. I worked for Novell. I'm sure that you know who that company is, even though it really doesn't exist anymore. I was working with developers on a digital identity or a digital wallet, and it didn't go anywhere. It’s a hot topic and it was innovative and cutting edge. It sounds like, is it the blockchain that has enabled it to actually be secure and be something now?

Sandy: Blockchain is one of the underpinning technologies and blockchain does allow that transparency and that interoperability. It does help with that ownership too. Make it immutable. It can't be changed for sure. So, it is an element in Web3, just like we talked about those five elements. It has to be decentralized or at least partially decentralized. You have a transportable digital identity. It's built on blockchain, it is trustless and it financially benefits users. Blockchain is definitely a part of the equation.

Carolyn: If we were in a Web3 world and Uber's just coming online like it did when you were an evangelist for Uber, you evangelizing Uber to your friends and would give you shares? You would have some kind of ownership in Uber and you would reap the benefits of this $50 billion company?

Sandy: I could, yes, absolutely. There is this concept of fractional ownership, and fractional ownership means that whether it is a piece of art or a company or a piece of real estate, you can have a fractionalized ownership of that. For example, NFTs allow for fractional ownership of any digital native asset.

Things That Happen in Web3

Sandy: People can own a portion of something that otherwise they might not have been able to afford. It extends beyond art, like a Lazy Lion or a Bored Ape. Of course, the use of NFTs and blockchain enable you to prove ownership, and you do that today. I have a friend of mine who collects Chanel purses. Of course, if you're going to spend that much money on a purse you want it verified.

My mom used to be a Boston Red Sox fan. I guess she still is a Boston Red Sox fan and she collects Ted Williams. I don’t even know who he is, but he's an old-time baseball player. She owns that baseball card and she had it authenticated, verified that it's real. It's the same thing that happens in Web3 with that verification.

Carolyn: Does the creator of the asset or the company have to say, "Yes, I want to buy into this Web3 idea and have this fractionalized ownership"?

Sandy: Yes. If you're a company like Parcel, Parcel is doing Web3 real estate. Or if you look at some NFTs, not all NFTs that are art are fractional ownership. Some of them, I buy and it's outright mine. I own it, I can do whatever I want to with it. Some I buy into it and the artist gets a fractional piece of that forever. If I go and produce a t-shirt and I sell the t-shirt for $10, then maybe the artist gets $1. I get $9 in perpetuity because I'm now a part-owner and they're the creator of it.

When Will We Be in the Web3 World

Sandy: This is why a lot of people in music love it. A lot of them today, when they sign on to agents and all these companies, the amount they end up getting is so small. In fact, this weekend I was listening to an artist. They said, "Look, based on the digitalization of music today, after everybody takes their cut my cut is pennies. So I have to do t-shirts, concerts, and ads, because I don't make enough money on my music, which I really should be making the money on."

Carolyn: When will we be in this Web3 world, or are we already dipping our toes?

Sandy: We're at the very early stages. I would say, we are super early. The tech right now can be very expensive. Think about the gas fees that you have to pay sometimes. A gas fee is not like the gas for your car. The gas fee that you're paying is for the permission to use those decentralized servers. In a centralized world, a company's paying for that. They're going to get the benefit of that too. They are going to get the financial benefit of it.

In this new Web3 world, which is decentralized, that gas fee is what you're paying to use a part of that decentralized network. That can be expensive today, and it may not be completely ready. If you think about it, blockchain, there's thousands of articles. Is blockchain scalable yet? Not quite yet, but it will be. I would say that we're in the dial-up phase of Web3. What's that movie? There's a movie, and you can hear the AOL sound of the modem.

Carolyn: Oh, You've Got Mail?

The Chaotic Creation of Web3

Sandy: You've Got Mail, that's right. So think about that sound right now, and you think about Web3, we're in that early stage of it. Or as someone said this weekend at EatDenver, "We're baking a pie and the pie's in the oven. You don't want to take the pie out too early because you can't really consume it. It's not done." We're in that early stage of Web3, and that's why I wanted to jump in early.

I like that early stage, I like that chaotic creation for a couple of reasons, and I just love the tech. I just consume and dive into the tech. But also, because I believe that at the start of this new era of Web3, I want the new era to be diverse. I believe that's what's going to make it more innovative. If we look at the past Web1, Web2, it has not been a diverse group of people shaping the future of it.

Carolyn: Meaning there's a few big companies that own all the servers and the services?

Sandy: Maybe a lot of men that shape the company. Maybe white men that shape it, not a diverse group of people who are inputting all of their ideas. I think that diversity; diversity of thought, of any kind, is important, having people from multiple countries. Just look at Web3. It is being created in Africa. I was just on the phone this morning with an African company that's doing phenomenal things. They're going to impact what we're doing here.

How Women Are Getting Involved With Web3

Sandy: Women are getting involved; not at a fast enough rate, but we're going to try to fix that. I was just speaking with Eman who started the Ancient Warriors NFT collection. He focuses on black and brown artists. Now we've got everybody coming in early into the pot. I can feel that pot being mixed up and stirred by so many diverse ideas. The diversity of thought ideas is only going to make it more innovative and more powerful.

Carolyn: As you're talking, I'm thinking about baking a cake. I’m thinking, if you only put flour in the cake, you don't have a cake and that's the same with these innovations. Without the diversity, you just don't get the cake. So, I love that. I want to ask about the metaverse.

We got some advertisements, some creepy ones, to be honest, with the Super Bowl around the metaverse. When I think of the metaverse, I think about things like Ready Player One where I'm an avatar. There was a movie with Bruce Willis, I think it's called Surrogate. Have you seen that?

Sandy: I have.

Carolyn: They physically never leave their house. They have a replica of them that they control from a console. These are the kind of things I think about with metaverse. Then last week, I was sick. By the end of the week, I wasn't sick enough not to take a meeting, but I was still sick enough that I looked like I'd been chewed on by wolves.

A Metaverse Meeting

Carolyn: And so, I didn't want to get on video but I thought, "You know what would be super awesome? It’s if I could do a metaverse meeting and I could go with the perfect outfit and the perfect hair and show up as my perfect self." These are the things that spin around in my head with the metaverse. I would love to hear what the metaverse really is from you.

Sandy: It's simply an online digital environment and you are inhabiting that new land as an avatar. You access it through virtual reality or augmented reality. A lot of gamers are already doing this today, if you think about the metaverse. But I like to think about the metaverse in terms of layers. Maybe it's from my tech background. So I see Web3, that decentralized access, that ownership model, being the base or the foundation of a metaverse. That is then dependent on the blockchain for trust, for that secure value exchange, which I then think will be governed by DAOs.

We haven't talked about DAOs yet, but DAOs are, again, another voting experience done with tokens. It’s a dynamic governance model of which the metaverse sets. The metaverse is really that digital experience and the worlds, but it requires a DAO structure, blockchain for trust and Web3. The interesting thing is, when we talk about the metaverse and we talk about Web3, I think we're talking about the same direction because the metaverse requires Web3 to really deliver on its promises in the marketplace today.

Carolyn: Is Unstoppable Domains building that foundation then, for the metaverse with Web3?

Unstoppable Domains

Sandy: So Unstoppable Domains is building your digital identity, which is represented as your domain. Think about it as the domain with super powers, unlike the domain of a Web2 world. When I say super powers, I mean it's user-owned and controlled, so there's no renewal fees. You own it. It's back to that ownership. It is decentralized because it's created on that blockchain.

Any third party can read it and resolve that name without anybody's permission, not even ours. Others can build tools and applications on it, like metaverses, as they move forward. For example, the Atlantis metaverse is built on top of our digital identity. Cook Finance, that's DeFi, is built on top of it. Parcel, which is doing real estate in the 3D world, is built on top of it.

What that enables you to do is to travel with that digital identity. For me, that's really cool because if you think about your digital identity, that travels with you. It travels with you to any application. It's your wallet, it's your healthcare data, it's your education records, it's your finance. It is basically you.

Carolyn: It sounds scary. If somebody hacked that, then they have access to me.

Sandy: Think about how many people hack you today. It already happened today. So let's think about the hack as one thing. Today, people are selling your information to companies so that they can market to you. People sell, oh, Carolyn just bought a house. I'm going to sell that data to someone so that they can market to her differently because she just bought a house. Carolyn just graduated from college. Because I know that, I'm going to market to you differently.

Protect People’s Privacy

Sandy: Today, that information is not even considered a hack. That's considered their right to share that information, it's not considered your right to that information. It’s their right to that information. It is the whole reason why Europe set up GDPR; to protect people's privacy. If you think about it, in the future, digital identity is going to be much more important than it is today. It will be used in all sorts of apps that we can't even imagine today.

I believe that it's extremely important that ownership and those rights sit in the hands of you, not in the hands of a government or a corporation. That would be more scary, if another person had all of my information. Now, in order to achieve this vision I think there's got to be a lot of things that happen. We've got to have a way to protect it. You pointed it out right away, you need to have that be secure.

We've got to make it easier. There's a lot of things right now that we need to work on in the Web3 world. One of those is ease of use and UI. Though I consider myself pretty techy, it's hard for me. I could not imagine my parents trying it right now. It's too hard. I do believe if you are a designer sitting out there or you do UX, it's going to become more and more important due to the rate of adoption that we get that ease of use correctly and we do it very fast.

What Web3 Means for the Government

Sandy: Today, it's too hard. I think that if digital identity is going to be what it is, we have to make it easier for everybody to participate in it.

Carolyn: What does Web3 and everything we've been talking about mean for the government?

Sandy: It's really interesting because governments are reacting in different ways to this. If you think about it, some governments like El Salvador, they've gone all in. They now use bitcoin and crypto....

","summary":null,"date_published":"2022-03-02T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/5e4a5405-b4e7-4223-b3f3-cebc20fa0ae2.mp3","mime_type":"audio/mpeg","size_in_bytes":24951375,"duration_in_seconds":1781}]},{"id":"a9a094ab-6488-4b5f-aada-cad95c55be3e","title":"Episode 24: On The Record with Rayvn Manuel","url":"https://techtransforms.fireside.fm/24","content_text":"American culture and history is meant to be shared, according to senior application developer at the National Museum of African American History and Culture, and Army veteran Rayvn Manuel. She talks with Carolyn and Mark about some of her goals in her work at the Smithsonian and the importance of sharing our stories and understanding our history.\n\nEpisode Table of Contents\n[00:36] On the Record With an Army Veteran\n[09:18] A Change of Name on the Record\n[16:35] Growing up in a Lot of Racism\n\nEpisode Links and Resources\nRayvn Manuel\nNMAAHC\nRenaissance Fair\n\nOn the Record With an Army Veteran\n\nCarolyn: We had the pleasure of speaking with Rayvn Manuel in November of last year. She’s a senior application developer at the National Museum of African American History and Culture and an army veteran.\n\nFollowing our regular recorded episode, Rayvn spoke to us about her opinion on some topics surrounding our history and culture in America. I went to the museum. When I got there, I felt a little bit like an intruder. It’s like I had no right to be there. Can you talk about that? Have you talked to other people who have felt that?\n\nRayvn: Yes, I have. One of my really good friends, Chelsea, we were talking. I make costumes, and I make costumes for Renaissance Fair.\n\nCarolyn: I want to see pictures.\n\nRayvn: I don't even let my kids see pictures of me in my costumes, but I love it. I was making her costume and she was just telling me how uncomfortable she feels. She's not African American, she's Caucasian American.
She was telling me how she is confused about what to do because she has so much empathy for what's going on with Black Lives Matter.\n\nThere are certain people in the African American community that will embrace people who are trying to understand. Then there are also other people who actually will make you feel like you feel, Carolyn. It’s like, you'll never understand so don't even try to understand. She's like, \"Well, what do I do? So I don't want to come like I'm condescending and I don't want to feel like whatever.\" I think that what you do, part of that is guilt.\n\nA Big Heart\n\nRayvn: That you feel some sort of guilt for something that you had nothing or have anything to do with. You have a big heart and so much empathy that you just want to understand. Not only understand, because I don't think I could ever understand anyone that went through the Holocaust. I didn't feel like I didn't belong in that museum because it was an experience that I wanted to see. And I was in the army and I was stationed, actually, in Germany.\n\nI went to Dachau, and that is a place to get a better understanding of the culture, of the society. That culture and that society makes up our culture and our society, and we engage. I engage. In New York, I engaged with people who had grandparents that had to deal with things from the fallout from the Holocaust. I learned that my grandmother, this hurt me to my soul, this is why I became what's called woke.\n\nMy grandmother told me that they were in North Carolina, her and my mom. My mom was little, and my uncle, they were not allowed to sit in the front of the bus. Up until that point I understood that that's what happened. I understood that from an educational perspective. When my grandmother told me about her and my mother, things changed.\n\nMark: It became personal.\n\nRayvn: Yes, I did. I couldn't because that's the generation before me. You can't feel that you don't belong.
Because wherever your background is and where most of us are all mutts most of it, we're totally mixed.\n\nCarolyn: I'm a complete mutt.\n\nYour Background Is Your History on the Record\n\nRayvn: I am, too. My father's side is Portuguese.\n\nCarolyn: Well, I feel like your eyes are green, aren't they?\n\nRayvn: They're blue-ish, but they change colors depending on what I'm wearing. Whatever your background is, that's going to be your history. Ford is actually British, isn't it? That's what it'd be, probably.\n\nCarolyn: Well, it traces all the way back to Ireland.\n\nRayvn: There's a story there. If there was a museum, probably somewhere in England or Ireland, that would be your people. That would be something you could embrace, but would you want people to know what your people went through? That's what the museum is about. It's letting people know what our people went through.\n\nCarolyn: I didn't feel like anybody was putting that on me. It was my story, and it was really hard. I went with my friend who's also a Caucasian. Surprisingly, we were one of the few Caucasian people in the museum at the time. I felt like it was so hard to get tickets. I was like, I'm stealing a seat that maybe somebody else should get first. There was all of that story going on.\n\nRayvn: I definitely see that, but it is what it is. It is where we are. It's where we came from. If those things didn't happen, then other things wouldn't have happened. If you would've asked me, who was my favorite person, a human being, would have been Dr. King and my grandfather. Dr. King wasn't about African Americans only, he was about everybody. He wanted everybody to experience this type of freedom.\n\nHow Things Are Going\n\nRayvn: I'm not quite sure what's going to happen. That's actually my thing. It's like, what's happening, how are things going?
I don't know and I don't want to be pessimistic and say that it's going to continue down this bad path.\n\nMark: I think we live in the microcosm of what's happening every minute, and social media amplifies it. I feel that way, too. So I try to say, look, because I want to be positive. I got to step back and say, try to think of things in a bigger picture. In the political environment today, this is so caustic. I get so branched with it. It's like, you know what? If you could only step back and say, \"In a couple of years.\"\n\nCarolyn: Read The Broken Earth series.\n\nRayvn: Is it dystopian?\n\nCarolyn: A little bit.\n\nMark: She does this every time. She waits until we're done and then she goes, \"Okay, we're done.\" Then she asks these really good questions, and we get this really good stuff going on.\n\nCarolyn: We can use it if, Rayvn, you're okay to use it.\n\nRayvn: Oh, yes.\n\nCarolyn: It was a hard question for me to ask.\n\nMark: I think it's great stuff.\n\nRayvn: I think it's a great question. There are people, lots of people, who feel like you do. Mark, where are you from? You have a great accent.\n\nMark: I'm from North Carolina. Senell, as you were talking about, you asked Ford, and I wanted to tell my story, but I didn't want to interrupt. It's a made-up name. My grandfather came over from Italy and his name was Simeoni.\n\nA Change of Name on the Record\n\nMark: He came over, stowed away on a ship to America when he was 13 years old. The ship went to New York. He wanted to see America so he got off the ship in New York City. Then he went and checked things out. When he came back, the ship was gone. He never went home. They got an interpreter. They figured out he had a brother that had come over to America years before and put him on a train so they shipped him off.
He never went home, and he changed his name, his religion, everything.Carolyn: Why did he change his name?Mark: Back then, at the turn of the century, Italian wasn't as cool and chic as it is today.Rayvn: As of now, being Italian is cool.Mark: You were prejudiced against. He didn't want to be Italian, he wanted to be American, so he didn't allow Italian to be spoken in the home. Whenever they would get together with their Italian relatives, they'd all speak Italian. My dad didn’t because my grandfather said, you are American. Speak English. That's my story.Carolyn: See, we're keeping that in. People's stories are incredible.Rayvn: They're people's stories. I know. You would speak Italian with a North Carolina accent. I wonder what that sounded like?Mark: I really don't speak Italian, I never learned it. I learned how to speak Southern, though.Rayvn: Yes, you do Southern really well. It's like smooth Southern, it's just in there and you don't even know you're doing it.Mark: Well, I've been up here for a long time.Culture ShockRayvn: From a New York perspective, when I went to the military, it was the first time I even dealt with the south. I was in South Carolina, to whatever that horrible base is. It was in Columbia. Fort Jackson, South Carolina.Mark: It's a culture shock, I bet.Rayvn: It was. First of all, I was in an all-girl Catholic school for high school. I didn't grow up around African Americans. Carolyn, your story's actually my story. I feel uncomfortable around African Americans, except for the people I work with. A lot of African Americans think that I am not being true to my race because my mom's big thing was education. We went to school. I didn't learn slang because I wasn't allowed to go outside. If you talk to me slang, I have no idea what you're saying.I read a lot and I'm just like that. So I feel uncomfortable around African Americans because I feel like they judge me. When I went to South Carolina, wowzers. 
First, I was scared to death because I knew that I was below the Mason-Dixon. I was like, this is below the Mason-Dixon, I think I know that this is it. In the military, it was in the '90s, they were actually racist. Everybody was racist. African Americans did not hang out with Caucasian Americans. I had no group because it was so segregated.Mark: I hear you there. I grew up in North Carolina. After college, I moved to Richmond. Richmond feels more Southern to me than where I grew up, in North Carolina. It was bizarre.A Lot of Racial History on the RecordRayvn: I've been to Richmond. Richmond gives me a weird feeling. I don't know what it is about that place but it has a weird feeling to it.Mark: That's an interesting perspective. It's definitely got a lot of history. It has a lot of racial history because Richmond was the capital of the Confederacy but it's also got a very cool vibe that you may not get on the surface. Virginia Commonwealth University is an art university. It’s a big art school. There's a lot of cool vibe that interlaces through there that you don't catch on the surface. When you drive through, you're not seeing any of that but when you live there, you can get into that vibe. There’s a lot of really cool restaurants, ethnic restaurants, and you're like, \"Oh, I didn't see that coming.\"Rayvn: I didn't know that. I have to spend a weekend there then.Mark: If it creeps you out, don't go.Rayvn: I don't know. Hampton, Virginia, creeps me out. My friend lives there. I'm like, \"Oh, this place is scary.\" It's actually really scary sometimes because when you know that there's that racial tension, you just don't know. I told my sister and my daughter that I was practicing what I would do if a cop stopped me because I went for a walk around my friend's neighborhood, and they're very rich. It was one of those neighborhoods.The next neighborhood was not so rich and the socioeconomic status was a little bit lower. 
If I get stopped by a cop or some cop comes to me, what am I going to do? I was going to scream my head off and say, \"Don't hurt me.\" Raise my hand, whatever.The Civil Rights Movement on the RecordRayvn: I was so scared. I was like, \"Why are you so scared?\" That's where we are. It's just, I don't know. I like your positive attitude about it, Mark.Mark: Well, it's self-preservation otherwise, I get too stressed out. I try to say, \"Look at the world, look at things.\" And I can imagine what people felt like in the moment during the civil rights movement, about how they felt about different things. You need to look at it now. You're like, \"Look at the big picture.\" All this positive change that took place and all these good things that you're like, \"Yes.\" But living in the moment, it wouldn't have been like that at all. It would have been a very intense situation. I try to think things will get better over time.Rayvn: They are getting better over time. It's just incremental.Carolyn: We're spiraling. I have one more question for you before we let you go, were you in the army?Rayvn: Yes.Carolyn: Do you mind if we use that in your title?Rayvn: Absolutely not. Very proud of it.Mark: Carolyn's dad was in the army.Carolyn: Yes. When you were talking about how racist it was, my dad's my hero. I love him but he was horribly racist. The phrases that I grew up saying, I didn't know what they meant. They were part of my vocabulary because my dad used them all. It’s really funny because he also had really close friends of different ethnic backgrounds, different colors, and he was still intensely racist. I didn't know that, as a kid. Looking back, I'm like, \"Oh, wow.\"Growing Up in a Lot of RacismMark: Looking back, I can see a lot of that growing up in North Carolina. I see a lot of that with how I was raised and just the area that I grew up in.Carolyn: We didn't know.Rayvn: You know what? My grandmother, while I was growing up in the Bronx, was there. 
I'd be like, \"Oh Nana, I met blah, blah, blah.\" Her first question was always what color they were. I was like, why does that matter? Now I know why because she grew up in the era of Emmett Till. She was in that era. It took me a while to understand why.Mark: Living in the moment, it's got to be a different experience. I was listening to Bill Maher talk about this recently on his show, we're making progress. We're making progress. I think people are, I'm not going to say enlightened.Carolyn: But we are.Mark: Do we want to call ourselves enlightened with progress?Carolyn: Look at this conversation that we're having now. This is progress.Rayvn: This is progress because we can have this conversation and be okay with it. It's great to be comfortable with it.Mark: It is what we are. It’s part of the world we live in, so let's embrace it.We Can’t Change What’s on the RecordRayvn: It is. To bring it all round, the whole purpose of our museum is to make those uncomfortable conversations happen. To be able to, here it is, this is not pretty, we can't change it. Let's just talk about it and figure out how we move forward because what we've been doing isn't working, apparently.Carolyn: I love that. We're using that on the record too.Rayvn: Just use everything. You're awesome.Mark: Well, this was great. Thanks, Rayvn.Carolyn: We cannot thank you enough for your service to our country, and dedication to representing our history. We hope you enjoyed this episode of Tech Transforms. Please like, and follow us on social media. We'll be back next week. ","content_html":"

American culture and history is meant to be shared, according to senior application developer at the National Museum of African American History and Culture, and Army veteran Rayvn Manuel. She talks with Carolyn and Mark about some of her goals in her work at the Smithsonian and the importance of sharing our stories and understanding our history.


On the Record With an Army Veteran

Carolyn: We had the pleasure of speaking with Rayvn Manuel in November of last year. She’s a senior application developer at the National Museum of African American History and Culture and an army veteran.

Following our regular recorded episode, Rayvn spoke to us about her opinion on some topics surrounding our history and culture in America. I went to the museum. When I got there, I felt a little bit like an intruder. It’s like I had no right to be there. Can you talk about that? Have you talked to other people who have felt that?

Rayvn: Yes, I have. One of my really good friends, Chelsea, we were talking. I make costumes, and I make costumes for Renaissance Fair.

Carolyn: I want to see pictures.

Rayvn: I don't even let my kids see pictures of me in my costumes, but I love it. I was making her costume and she was just telling me how uncomfortable she feels. She's not African American, she's Caucasian American. She was telling me how she is confused about what to do because she has so much empathy for what's going on with Black Lives Matter.

There are certain people in the African American community that will embrace people who are trying to understand. Then there are also other people who actually will make you feel like you feel, Carolyn. It’s like, you'll never understand so don't even try to understand.

She's like, \"Well, what do I do? So I don't want to come like I'm condescending and I don't want to feel like whatever.\" I think that what you do, part of that is guilt.

A Big Heart

Rayvn: That you feel some sort of guilt for something that you had nothing or have anything to do with. You have a big heart and so much empathy that you just want to understand. Not only understand, because I don't think I could ever understand anyone that went through the Holocaust. I didn't feel like I didn't belong in that museum because it was an experience that I wanted to see. And I was in the army and I was stationed, actually, in Germany.

I went to Dachau, and that is a place to get a better understanding of the culture, of the society. That culture and that society makes up our culture and our society, and we engage. I engage. In New York, I engaged with people who had grandparents that had to deal with things from the fallout from the Holocaust. I learned that my grandmother, this hurt me to my soul, this is why I became what's called woke.

My grandmother told me that they were in North Carolina, her and my mom. My mom was little, and my uncle, they were not allowed to sit in the front of the bus. Up until that point I understood that that's what happened. I understood that from an educational perspective. When my grandmother told me about her and my mother, things changed.

Mark: It became personal.

Rayvn: Yes, I did. I couldn't because that's the generation before me. You can't feel that you don't belong. Because wherever your background is and where most of us are all mutts most of it, we're totally mixed.

Carolyn: I'm a complete mutt.

Your Background Is Your History on the Record

Rayvn: I am, too. My father's side is Portuguese.

Carolyn: Well, I feel like your eyes are green, aren't they?

Rayvn: They're blue-ish, but they change colors depending on what I'm wearing. Whatever your background is, that's going to be your history. Ford is actually British, isn't it? That's what it'd be, probably.

Carolyn: Well, it traces all the way back to Ireland.

Rayvn: There's a story there. If there was a museum, probably somewhere in England or Ireland, that would be your people. That would be something you could embrace, but would you want people to know what your people went through? That's what the museum is about. It's letting people know what our people went through.

Carolyn: I didn't feel like anybody was putting that on me. It was my story, and it was really hard. I went with my friend who's also a Caucasian. Surprisingly, we were one of the few Caucasian people in the museum at the time. I felt like it was so hard to get tickets. I was like, I'm stealing a seat that maybe somebody else should get first. There was all of that story going on.

Rayvn: I definitely see that, but it is what it is. It is where we are. It's where we came from. If those things didn't happen, then other things wouldn't have happened. If you would've asked me, who was my favorite person, a human being, would have been Dr. King and my grandfather. Dr. King wasn't about African Americans only, he was about everybody. He wanted everybody to experience this type of freedom.

How Things Are Going

Rayvn: I'm not quite sure what's going to happen. That's actually my thing. It's like, what's happening, how are things going? I don't know and I don't want to be pessimistic and say that it's going to continue down this bad path.

Mark: I think we live in the microcosm of what's happening every minute, and social media amplifies it. I feel that way, too. So I try to say, look, because I want to be positive. I got to step back and say, try to think of things in a bigger picture. In the political environment today, this is so caustic. I get so branched with it. It's like, you know what? If you could only step back and say, \"In a couple of years.\"

Carolyn: Read The Broken Earth series.

Rayvn: Is it dystopian?

Carolyn: A little bit.

Mark: She does this every time. She waits until we're done and then she goes, \"Okay, we're done.\" Then she asks these really good questions, and we get this really good stuff going on.

Carolyn: We can use it if, Rayvn, you're okay to use it.

Rayvn: Oh, yes.

Carolyn: It was a hard question for me to ask.

Mark: I think it's great stuff.

Rayvn: I think it's a great question. There are people, lots of people, who feel like you do. Mark, where are you from? You have a great accent.

Mark: I'm from North Carolina. Senell, as you were talking about, you asked Ford, and I wanted to tell my story, but I didn't want to interrupt. It's a made-up name. My grandfather came over from Italy and his name was Simeoni.

A Change of Name on the Record

Mark: He came over, stowed away on a ship to America when he was 13 years old. The ship went to New York. He wanted to see America so he got off the ship in New York City. Then he went and checked things out. When he came back, the ship was gone. He never went home. They got an interpreter. They figured out he had a brother that had come over to America years before and put him on a train so they shipped him off. He never went home, and he changed his name, his religion, everything.

Carolyn: Why did he change his name?

Mark: Back then, at the turn of the century, Italian wasn't as cool and chic as it is today.

Rayvn: As of now, being Italian is cool.

Mark: You were prejudiced against. He didn't want to be Italian, he wanted to be American, so he didn't allow Italian to be spoken in the home. Whenever they would get together with their Italian relatives, they'd all speak Italian. My dad didn’t because my grandfather said, you are American. Speak English. That's my story.

Carolyn: See, we're keeping that in. People's stories are incredible.

Rayvn: They're people's stories. I know. You would speak Italian with a North Carolina accent. I wonder what that sounded like?

Mark: I really don't speak Italian, I never learned it. I learned how to speak Southern, though.

Rayvn: Yes, you do Southern really well. It's like smooth Southern, it's just in there and you don't even know you're doing it.

Mark: Well, I've been up here for a long time.

Culture Shock

Rayvn: From a New York perspective, when I went to the military, it was the first time I even dealt with the south. I was in South Carolina, to whatever that horrible base is. It was in Columbia. Fort Jackson, South Carolina.

Mark: It's a culture shock, I bet.

Rayvn: It was. First of all, I was in an all-girl Catholic school for high school. I didn't grow up around African Americans. Carolyn, your story's actually my story. I feel uncomfortable around African Americans, except for the people I work with. A lot of African Americans think that I am not being true to my race because my mom's big thing was education. We went to school. I didn't learn slang because I wasn't allowed to go outside. If you talk to me slang, I have no idea what you're saying.

I read a lot and I'm just like that. So I feel uncomfortable around African Americans because I feel like they judge me. When I went to South Carolina, wowzers. First, I was scared to death because I knew that I was below the Mason-Dixon. I was like, this is below the Mason-Dixon, I think I know that this is it. In the military, it was in the '90s, they were actually racist. Everybody was racist. African Americans did not hang out with Caucasian Americans. I had no group because it was so segregated.

Mark: I hear you there. I grew up in North Carolina. After college, I moved to Richmond. Richmond feels more Southern to me than where I grew up, in North Carolina. It was bizarre.

A Lot of Racial History on the Record

Rayvn: I've been to Richmond. Richmond gives me a weird feeling. I don't know what it is about that place but it has a weird feeling to it.

Mark: That's an interesting perspective. It's definitely got a lot of history. It has a lot of racial history because Richmond was the capital of the Confederacy but it's also got a very cool vibe that you may not get on the surface. Virginia Commonwealth University is an art university. It’s a big art school. There's a lot of cool vibe that interlaces through there that you don't catch on the surface. When you drive through, you're not seeing any of that but when you live there, you can get into that vibe. There’s a lot of really cool restaurants, ethnic restaurants, and you're like, \"Oh, I didn't see that coming.\"

Rayvn: I didn't know that. I have to spend a weekend there then.

Mark: If it creeps you out, don't go.

Rayvn: I don't know. Hampton, Virginia, creeps me out. My friend lives there. I'm like, \"Oh, this place is scary.\" It's actually really scary sometimes because when you know that there's that racial tension, you just don't know. I told my sister and my daughter that I was practicing what I would do if a cop stopped me because I went for a walk around my friend's neighborhood, and they're very rich. It was one of those neighborhoods.

The next neighborhood was not so rich and the socioeconomic status was a little bit lower. If I get stopped by a cop or some cop comes to me, what am I going to do? I was going to scream my head off and say, \"Don't hurt me.\" Raise my hand, whatever.

The Civil Rights Movement on the Record

Rayvn: I was so scared. I was like, \"Why are you so scared?\" That's where we are. It's just, I don't know. I like your positive attitude about it, Mark.

Mark: Well, it's self-preservation; otherwise, I get too stressed out. I try to say, \"Look at the world, look at things.\" And I can imagine what people felt like in the moment during the civil rights movement, about how they felt about different things. You need to look at it now. You're like, \"Look at the big picture.\" All this positive change that took place and all these good things that you're like, \"Yes.\" But living in the moment, it wouldn't have been like that at all. It would have been a very intense situation. I try to think things will get better over time.

Rayvn: They are getting better over time. It's just incremental.

Carolyn: We're spiraling. I have one more question for you before we let you go, were you in the army?

Rayvn: Yes.

Carolyn: Do you mind if we use that in your title?

Rayvn: Absolutely not. Very proud of it.

Mark: Carolyn's dad was in the army.

Carolyn: Yes. When you were talking about how racist it was, my dad's my hero. I love him but he was horribly racist. The phrases that I grew up saying, I didn't know what they meant. They were part of my vocabulary because my dad used them all. It’s really funny because he also had really close friends of different ethnic backgrounds, different colors, and he was still intensely racist. I didn't know that, as a kid. Looking back, I'm like, \"Oh, wow.\"

Growing Up in a Lot of Racism

Mark: Looking back, I can see a lot of that growing up in North Carolina. I see a lot of that with how I was raised and just the area that I grew up in.

Carolyn: We didn't know.

Rayvn: You know what? My grandmother, while I was growing up in the Bronx, was there. I'd be like, \"Oh Nana, I met blah, blah, blah.\" Her first question was always what color they were. I was like, why does that matter? Now I know why because she grew up in the era of Emmett Till. She was in that era. It took me a while to understand why.

Mark: Living in the moment, it's got to be a different experience. I was listening to Bill Maher talk about this recently on his show, we're making progress. We're making progress. I think people are, I'm not going to say enlightened.

Carolyn: But we are.

Mark: Do we want to call ourselves enlightened with progress?

Carolyn: Look at this conversation that we're having now. This is progress.

Rayvn: This is progress because we can have this conversation and be okay with it. It's great to be comfortable with it.

Mark: It is what we are. It’s part of the world we live in, so let's embrace it.

We Can’t Change What’s on the Record

Rayvn: It is. To bring it all round, the whole purpose of our museum is to make those uncomfortable conversations happen. To be able to, here it is, this is not pretty, we can't change it. Let's just talk about it and figure out how we move forward because what we've been doing isn't working, apparently.

Carolyn: I love that. We're using that on the record too.

Rayvn: Just use everything. You're awesome.

Mark: Well, this was great. Thanks, Rayvn.

Carolyn: We cannot thank you enough for your service to our country, and dedication to representing our history. We hope you enjoyed this episode of Tech Transforms. Please like, and follow us on social media. We'll be back next week.

","summary":null,"date_published":"2022-02-23T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/77873a89-2d58-4df4-8944-1851ddc5aec3.mp3","mime_type":"audio/mpeg","size_in_bytes":15956666,"duration_in_seconds":1138}]},{"id":"3ccb8ed7-3289-4c97-90d6-646ac51ca1e7","title":"Episode 23: Cybersecurity News Round Up with Willie Hicks","url":"https://techtransforms.fireside.fm/23","content_text":"Willie Hicks, CTO of Public Sector at Dynatrace, joins Carolyn and Mark to discuss the top Cybersecurity news stories so far in 2022. Willie offers his expert opinion on the White House Executive Order on Improving the Digital Government Experience, the recent Log4j vulnerability, and the Pentagon's new Zero Trust office. Episode Table of Contents[00:43] Unpacking the Biggest Headlines in Cybersecurity News[08:21] Major Catastrophe[16:03] Cybersecurity News Highlights the Highest Level of Vulnerability[23:59] A Quantum Shift in Cybersecurity NewsEpisode Links and ResourcesWillie HicksExecutive OrderWillie Hicks Article on Zero TrustLog4jUnpacking the Biggest Headlines in Cybersecurity NewsCarolyn: Today we talked to Willie Hicks, Dynatrace public sector CTO. He’ll unpack some of the biggest headlines of late from the Executive Order on Transforming Federal Customer Experience and Service Delivery to Log4j. I know Willie, you're so sick of this topic, but we're going to cover it anyway, and then Zero Trust Thunderdome Awards. I want to go first to the Executive Order requiring improving the digital government experience. Willie, will you give us the big takeaways from this Executive Order? What does it mean for our agencies?Willie: First of all, I think that the Executive Order on Transforming is transforming the federal customer experience. It is going to impact the agencies, but I also think it's going to impact the digital citizens of the day, the real customers of the federal government. 
I think President Biden reiterated this, it’s supposed to be a government for the people, by the people.We're trying to put people back into the equation. I think the big takeaway for me is that the federal government is coming back into or getting to a point where they're really understanding that customer experience, well, they already understood it. But they’re really starting to internalize and figure out how to make customer experience like the customer experience most citizens expect to see with anybody who shops on Amazon, anyone who does a Google search.A Fundamental Shift in Customer ExperienceWillie: They expect, with the push of a button, that they got all the groceries shipped to them the next day or the same day. That kind of experience you do not get with the federal government today. I think that we're seeing a fundamental shift now, not just that kind of digital experience, but I think across the board. Like when you even walk into a brick or a mortar building, when you interface on the phone with a government employee, I think we're going to start, hopefully, seeing more customer-focused, customer-centric type attitudes.This is really long overdue. I've been in this business for many years. I remember one of my early visits to a federal agency that will remain nameless, but I was speaking to this agency about what we call our digital user experience. How we need to focus on the real metric who's the end user. Right now, you are focused on the back end. You're focused on, is the server up or down? Is this process running? Do I have availability for this device? No one's actually really looking at the end user. So how do you know they are getting a good experience? Not only are the systems running, but are they running efficiently? Are they getting transactions back in a timely manner, or are they frustrated?I remember one engineer saying, \"Well, why does that matter?\" I'm like, \"It does matter because they're your number one responsibility. 
That is who pays your salary.\" This person, an engineer, actually said to me, \"Well, there's not another X agency. It's not like they're going to go somewhere else. This isn't Amazon or another commercial entity. If it doesn't work, they'll come back later.\" That was the response. And I was like, wow!Smooth Government TransactionsCarolyn: It makes me think of when my dad died a few years ago. We wanted to give him a full military burial, but we couldn't find the papers that we needed. He had shown me where everything was except these particular papers that we had to have to get him this burial. We spent hours and hours online trying to track them down. But, we never did, we never were able to find them. Ultimately, it came down to us, calling Camp Williams and saying, \"Colonel Ford is gone and we need some help.\"They stepped up and did it, and it was awesome. Fast forward to today, I'm in Utah and we've got billboards all over saying something about finding my cash.gov. I was like, all right, I'll bite, I want to see how easy this is. You guys, it was so slick. In 10 minutes I put in my name, I think I put in my address. There was a quick database search and it said, \"Oh yes, you've got money here from these closed old accounts. We'll send you a check.\" A week later I got a check. I'm still blown away that I did a government transaction and it happened that smoothly.Willie: Unfortunately, that's been the exception not the rule except for certain agencies that I work with. I work closely with organizations like the VA. To your point, the VA has been making a lot of great strides to improve their customer service, their image and so forth. A lot of that is around, I think, customer experience. 
Or I should say the veteran experience and making sure that they're putting veterans first.The Cybersecurity News Features How Backend Systems WorkWillie: They're putting a lot of investment there to understand not just how their backend systems are working, but how the actual end-users are performing, how quickly that transaction took.Carolyn: But to your engineer's point, why now? He's right. We have to have these services. We're just going to come back later or we're going to give up.Willie: Well, I would say right now, why now? It’s because to be quite frank, that's the wrong attitude. At the end of the day, that person was right. It's not like I can fire this agency and say I'm going to take my business elsewhere. But there are ways we can speak at the voting booth, calling our senators and our representatives. Getting those types of attitudes changed by having them hold in front of Congress and ask, \"Why are you treating my constituents that way? We pay your salaries, so we expect the same kind of response that they would get from any other service.\" I think that's what we're seeing with the administration today. They focus on the need to bring the people back into the equation, and that the citizenry understands that they are our most important priority. We treat you that way in everything you do. If at the state level, it’s going to the DMV, which I think everyone dreads, hopefully this will translate down to the states.But going to the Social Security Office to get a new Social Security Card or going to, in worst-case scenarios, I think this is even going to translate into disasters. How quickly do I get disaster relief? How quickly do I get relief because I just lost everything from a flood?Major CatastropheWillie: When there’s a major catastrophe, how do I get to the right organization to help me just making sure I have the right avenues? I've seen reports lately where agencies, due to COVID, were slow to respond. 
They were slow to get PPE out and things like that. Those things, they are customer service. But there are consequences also to bad customer service. People don't get the services they need and they get sicker because they don't have that. They don't do that.\n\nMark: This is a confidence in government issue, Willie.\n\nWillie: 100%.\n\nMark: I hope that this Executive Order has the staying power that generates money to put behind it. I mean, really it's a nonpartisan political issue that impacts all citizens. However, I think it's being leveraged a little bit politically. I do feel whatever administration is going to implement services and things like that, that they're putting out there for citizens to take advantage of, you have to have confidence. The citizen has to have confidence that the government can actually deliver. If you can't even access the application and the information online then you lose confidence that the government knows what they're doing.\n\nCarolyn: Before we leave this topic, are there any teeth to this Executive Order? Are there deadlines? I mean what is it other than saying, \"Yes, we need to do better.\"\n\nWillie: Yes. That is always the issue that we have, how's this going to be implemented? How is this going to be upheld? Because unfortunately, it is an EO, it's an Executive Order. It is not codified in law. It's not like there was a bill passed on customer service.\n\nHard Deadlines on Cybersecurity News and Updates\n\nWillie: Although there are ancillary bills that do cover some of these topics, I think of nothing that's more all encompassing as what we're seeing in the EO. So, does it have teeth? We'll see. Right now, I don't know of any hard deadlines that are imposed. I think they're really putting a framework in place to do all of these things. I'm sure the administration wants to be able to report by the end of the term to make sure that they are seeing progress. 
My hope in all of this is that, in this period of time, even without the teeth, agencies will be forced to think about these things. They will be forced to internalize some of these things. Moving forward, regardless of administration, these ideals are self propagated throughout the agencies. These continue on regardless of the law and regardless of what's in place. At the end of the day, there are certain things that should be done just because they're the right thing and not because it's a law. It’s not because someone has to tell you to do it.\n\nCarolyn: We've started the conversation, which is a really good thing. So, all right, let's go to Log4j. Just school me, what is it?\n\nWillie: I won't bore everyone with the details, but I think because everyone's really probably heard a lot about this. You've heard of Log4j, Log4Shell. In a nutshell, it's an extremely critical, extremely severe vulnerability in a component. It’s a module of what's called Apache, a kind of server technology that is utilized.\n\nCarolyn: That everybody has.\n\nFull Court Press\n\nWillie: That a lot of people have. Probably, I've seen millions, maybe billions of instances of this module that is distributed across multiple platforms. It could be in embedded devices, it might be in servers. Honestly, the scope and scale of it is unprecedented. That's why there was this full-court press.\n\nCarolyn: Unprecedented beyond SolarWinds?\n\nWillie: I think, I won't mix the two per se because with SolarWinds, we've got documented attacks. We know that our adversaries have taken advantage of this. They were lying in wait in some of these systems for months. They’re slowly making moves, lateral movements and so forth when they get into the system. With Log4j, I think it's still early to find out the true impact of it.\n\nAt the end of the day, I think from a scale standpoint, yes, because SolarWinds is a commercial product that agencies trusted. They brought it in-house and they left it behind the gates. 
Unfortunately, supply chain issues were there, which allowed for some malicious code to be in that product that was almost like a Trojan Horse. It was brought behind the gates, and then they were able to take advantage of that.\n\nLog4j on the other hand, was a vulnerability in the code, but that was propagated over not just a few 100 customers or 1000 customers. I don't know SolarWinds' customer base, but whatever that customer base was, versus something that was just distributed across millions of devices. So really different scales.\n\nCarolyn: Who did the Log4j?\n\nWillie: Well, it's a vulnerability. It wasn't like a supply chain issue. As far as we know, it wasn't like somebody planted this.\n\nSecurity Vulnerability\n\nWillie: It’s just something that has been there for a while, just a security vulnerability that wasn't accounted for. Once it was discovered, it was figured out you could use this. You could exploit this to take over a machine. So basically to get remote code execution capability, so you could run remotely.\n\nMark: That was open source wasn't it?\n\nWillie: Yes. So there's a whole other conversation we can have. I don't want to get into that about open source and so forth. Although open source has its merits and its benefits because a lot of eyes are on it, sometimes these things still happen. It also depends on the open source. Some open source projects are very well maintained, and very well scrutinized.\n\nPeople are always looking at it, tinkering with it, understanding when they find a vulnerability like Log4j they quickly bubble that up. There are some open source projects that aren't so well maintained, but people still use them. But the vulnerabilities don't come out as quickly.\n\nCarolyn: We're a month into this. Have we got it under control? Do we have our arms around it? What did agencies do to manage this?\n\nWillie: I would say, well, that's a loaded question. Do we have our arms around it? I would say we are, well, let's just talk about what happened. 
Because I can even speak from a company, from my perspective on what our company has done around this. Immediately after at least it became public, I think it was December 9th that this was released or became known, this was escalated to the highest levels.\n\nCybersecurity News Highlights the Highest Level of Vulnerability\n\nWillie: CISA made this a highest-level vulnerability. They instructed agencies to start immediate searches of their systems. I personally know of agencies we worked with where they might have had a team of 100 people plus over weekends. They were going through servers, looking for unfortunately, sometimes looking manually for this vulnerable code to remediate it. We quickly got our hands around it from that standpoint.\n\nIs there still Log4j out there that we haven't caught? Of course. I know we haven't gotten to eradicate every bit of vulnerable code. But, there was a very concerted effort, especially at the federal government level. I know at the commercial level, the corporate level, and the private sector, there was an equally frantic push to get this taken care of because it is a major vulnerability. You don't want someone with the ability to remotely execute code on your servers. They could do anything they want at that point then once they get into the system.\n\nI would say that, time will tell how well we got our hands wrapped around it. From our standpoint, we were able to quickly analyze our code to quickly find out where our vulnerabilities were. We’re able to quickly notify our customers, our government partners, and agencies of what our vulnerabilities were, and how we were remediating them quickly. We had patches out, I think on that day, to make sure our systems were patched. I think our SaaS environment was doing that. We quickly accelerated our testing cycles to make sure that we didn't break or blow up anything when we applied the patches.\n\nMark: You're also helping our customers with their application security module. 
Identify those vulnerabilities, yes.\n\nCore Capability\n\nWillie: That was the internal, but from an external standpoint as Mark accurately pointed out, I was saying earlier that some of our customers were manually looking for this. Luckily, for our customers that have agents deployed and had observability by Dynatrace, we actually had a capability that is core to our platform called AppSec. It’s designed just for this, to look for vulnerability.\n\nWithin 10 minutes of the announcement, our databases were updated with this vulnerability signature and pushed out to all of our customers that were connected online. Then for those customers that received that, they immediately, who were using the AppSec module, they immediately started getting flags all over the place of where this module was.\n\nThose people who had AppSec and had our agents fully deployed didn't have hundreds of people. They were going to their Dynatrace consoles and were seeing all of the vulnerable systems. Then we actually had remediation steps built into the platform where they could see what they needed to do to remediate that. We were able to take that from a multitude of people down to the team that was monitoring the system.\n\nThen we distribute that information to the admin teams or to the automation teams so they could use Ansible or whatever they were using to automate the remediation of that. It’s really powerful when you have that visibility, that observability into the system. There was no better example of how important it is for any type of DevSecOps organization. We can talk about it from a zero trust standpoint. I can even talk about it from just understanding the build of your systems.\n\nThe Last Big Boulder Cybersecurity News\n\nWillie: There's all this talk about bringing legislation around companies. Having a software bill of materials, SBOMs, built in as part of their products so you can see exactly what components are in software. It’s something we don't normally do in the industry. 
Having that observability so you might not have that SBOM, but we can light up and say, this is how that application is built and all the components. Really invaluable.\n\nCarolyn: Let's go to our last topic, the last Big Boulder news item, which is the Zero Trust Thunderdome contract. I'm going to be honest when I read this seven million contract developed, to develop zero trust architecture, I thought this was already happening. So what is the significance of Thunderdome?\n\nWillie: I will preface this by saying I'm not a security expert, but I can talk to it from my industry perspective. But the Thunderdome award, which I like the name by the way, is seven million dollars. It's just a prototype to prove out the schemes and the technologies that they're going to be using. They’re technologies that DESO wants to use to build out their zero trust architectures or to validate the zero trust architectures that they've been developing.\n\nTo your point, there are pockets of the DoD. There are pockets of the service branches that have been already investing in zero trust. So, you look at programs like Platform One where this is already being built into the platform. It was part of what was really, I think, revolutionary about the Platform One environment and what they were trying to do at Platform One. This was already being built-in in DESO.\n\nWhat Happened With Log4J\n\nWillie: The DoD had already been investigating this for, I'm sure, several years. But I think what happened with Log4j, SolarWinds, all the ransomware attacks, the administration basically has put a stake in the...","content_html":"

Willie Hicks, CTO of Public Sector at Dynatrace, joins Carolyn and Mark to discuss the top Cybersecurity news stories so far in 2022. Willie offers his expert opinion on the White House Executive Order on Improving the Digital Government Experience, the recent Log4j vulnerability, and the Pentagon's new Zero Trust office.

Unpacking the Biggest Headlines in Cybersecurity News

Carolyn: Today we talked to Willie Hicks, Dynatrace public sector CTO. He’ll unpack some of the biggest headlines of late from the Executive Order on Transforming Federal Customer Experience and Service Delivery to Log4j. I know Willie, you're so sick of this topic, but we're going to cover it anyway, and then Zero Trust Thunderdome Awards.

I want to go first to the Executive Order requiring improving the digital government experience. Willie, will you give us the big takeaways from this Executive Order? What does it mean for our agencies?

Willie: First of all, I think that the Executive Order on Transforming is transforming the federal customer experience. It is going to impact the agencies, but I also think it's going to impact the digital citizens of the day, the real customers of the federal government. I think President Biden reiterated this, it’s supposed to be a government for the people, by the people.

We're trying to put people back into the equation. I think the big takeaway for me is that the federal government is coming back into or getting to a point where they're really understanding that customer experience, well, they already understood it. But they’re really starting to internalize and figure out how to make customer experience like the customer experience most citizens expect to see with anybody who shops on Amazon, anyone who does a Google search.

A Fundamental Shift in Customer Experience

Willie: They expect, with the push of a button, that they got all the groceries shipped to them the next day or the same day. That kind of experience you do not get with the federal government today. I think that we're seeing a fundamental shift now, not just that kind of digital experience, but I think across the board. Like when you even walk into a brick or a mortar building, when you interface on the phone with a government employee, I think we're going to start, hopefully, seeing more customer-focused, customer-centric type attitudes.

This is really long overdue. I've been in this business for many years. I remember one of my early visits to a federal agency that will remain nameless, but I was speaking to this agency about what we call our digital user experience. How we need to focus on the real metric who's the end user. Right now, you are focused on the back end. You're focused on, is the server up or down? Is this process running? Do I have availability for this device? No one's actually really looking at the end user. So how do you know they are getting a good experience? Not only are the systems running, but are they running efficiently? Are they getting transactions back in a timely manner, or are they frustrated?

I remember one engineer saying, "Well, why does that matter?" I'm like, "It does matter because they're your number one responsibility. That is who pays your salary." This person, an engineer, actually said to me, "Well, there's not another X agency. It's not like they're going to go somewhere else. This isn't Amazon or another commercial entity. If it doesn't work, they'll come back later." That was the response. And I was like, wow!

Smooth Government Transactions

Carolyn: It makes me think of when my dad died a few years ago. We wanted to give him a full military burial, but we couldn't find the papers that we needed. He had shown me where everything was except these particular papers that we had to have to get him this burial. We spent hours and hours online trying to track them down. But, we never did, we never were able to find them. Ultimately, it came down to us, calling Camp Williams and saying, "Colonel Ford is gone and we need some help."

They stepped up and did it, and it was awesome. Fast forward to today, I'm in Utah and we've got billboards all over saying something about finding my cash.gov. I was like, all right, I'll bite, I want to see how easy this is. You guys, it was so slick. In 10 minutes I put in my name, I think I put in my address. There was a quick database search and it said, "Oh yes, you've got money here from these closed old accounts. We'll send you a check." A week later I got a check. I'm still blown away that I did a government transaction and it happened that smoothly.

Willie: Unfortunately, that's been the exception not the rule except for certain agencies that I work with. I work closely with organizations like the VA. To your point, the VA has been making a lot of great strides to improve their customer service, their image and so forth. A lot of that is around, I think, customer experience. Or I should say the veteran experience and making sure that they're putting veterans first.

The Cybersecurity News Features How Backend Systems Work

Willie: They're putting a lot of investment there to understand not just how their backend systems are working, but how the actual end-users are performing, how quickly that transaction took.

Carolyn: But to your engineer's point, why now? He's right. We have to have these services. We're just going to come back later or we're going to give up.

Willie: Well, I would say right now, why now? It’s because to be quite frank, that's the wrong attitude. At the end of the day, that person was right. It's not like I can fire this agency and say I'm going to take my business elsewhere. But there are ways we can speak at the voting booth, calling our senators and our representatives. Getting those types of attitudes changed by having them hold in front of Congress and ask, "Why are you treating my constituents that way? We pay your salaries, so we expect the same kind of response that they would get from any other service."

I think that's what we're seeing with the administration today. They focus on the need to bring the people back into the equation, and that the citizenry understands that they are our most important priority. We treat you that way in everything you do. If at the state level, it’s going to the DMV, which I think everyone dreads, hopefully this will translate down to the states.

But going to the Social Security Office to get a new Social Security Card or going to, in worst-case scenarios, I think this is even going to translate into disasters. How quickly do I get disaster relief? How quickly do I get relief because I just lost everything from a flood?

Major Catastrophe

Willie: When there’s a major catastrophe, how do I get to the right organization to help me just making sure I have the right avenues? I've seen reports lately where agencies, due to COVID, were slow to respond. They were slow to get PPE out and things like that. Those things, they are customer service. But there are consequences also to bad customer service. People don't get the services they need and they get sicker because they don't have that. They don't do that.

Mark: This is a confidence in government issue, Willie.

Willie: 100%.

Mark: I hope that this Executive Order has the staying power that generates money to put behind it. I mean, really it's a nonpartisan political issue that impacts all citizens. However, I think it's being leveraged a little bit politically. I do feel whatever administration is going to implement services and things like that, that they're putting out there for citizens to take advantage of, you have to have confidence. The citizen has to have confidence that the government can actually deliver. If you can't even access the application and the information online then you lose confidence that the government knows what they're doing.

Carolyn: Before we leave this topic, are there any teeth to this Executive Order? Are there deadlines? I mean what is it other than saying, "Yes, we need to do better."

Willie: Yes. That is always the issue that we have, how's this going to be implemented? How is this going to be upheld? Because unfortunately, it is an EO, it's an Executive Order. It is not codified in law. It's not like there was a bill passed on customer service.

Hard Deadlines on Cybersecurity News and Updates

Willie: Although there are ancillary bills that do cover some of these topics, I think of nothing that's more all encompassing as what we're seeing in the EO. So, does it have teeth? We'll see. Right now, I don't know of any hard deadlines that are imposed. I think they're really putting a framework in place to do all of these things. I'm sure the administration wants to be able to report by the end of the term to make sure that they are seeing progress.

My hope in all of this is that, in this period of time, even without the teeth, agencies will be forced to think about these things. They will be forced to internalize some of these things. Moving forward, regardless of administration, these ideals are self propagated throughout the agencies. These continue on regardless of the law and regardless of what's in place. At the end of the day, there are certain things that should be done just because they're the right thing and not because it's a law. It’s not because someone has to tell you to do it.

Carolyn: We've started the conversation, which is a really good thing. So, all right, let's go to Log4j. Just school me, what is it?

Willie: I won't bore everyone with the details, but I think because everyone's really probably heard a lot about this. You've heard of Log4j, Log4Shell. In a nutshell, it's an extremely critical, extremely severe vulnerability in a component. It’s a module of what's called Apache, a kind of server technology that is utilized.

Carolyn: That everybody has.

Full Court Press

Willie: That a lot of people have. Probably, I've seen millions, maybe billions of instances of this module that is distributed across multiple platforms. It could be in embedded devices, it might be in servers. Honestly, the scope and scale of it is unprecedented. That's why there was this full-court press.

Carolyn: Unprecedented beyond SolarWinds?

Willie: I think, I won't mix the two per se because with SolarWinds, we've got documented attacks. We know that our adversaries have taken advantage of this. They were lying in wait in some of these systems for months. They’re slowly making moves, lateral movements and so forth when they get into the system. With Log4j, I think it's still early to find out the true impact of it.

At the end of the day, I think from a scale standpoint, yes, because SolarWinds is a commercial product that agencies trusted. They brought it in-house and they left it behind the gates. Unfortunately, supply chain issues were there, which allowed for some malicious code to be in that product that was almost like a Trojan Horse. It was brought behind the gates, and then they were able to take advantage of that.

Log4j on the other hand, was a vulnerability in the code, but that was propagated over not just a few 100 customers or 1000 customers. I don't know SolarWinds' customer base, but whatever that customer base was, versus something that was just distributed across millions of devices. So really different scales.

Carolyn: Who did the Log4j?

Willie: Well, it's a vulnerability. It wasn't like a supply chain issue. As far as we know, it wasn't like somebody planted this.

Security Vulnerability

Willie: It’s just something that has been there for a while, just a security vulnerability that wasn't accounted for. Once it was discovered, it was figured out you could use this. You could exploit this to take over a machine. So basically to get remote code execution capability, so you could run remotely.

Mark: That was open source wasn't it?

Willie: Yes. So there's a whole other conversation we can have. I don't want to get into that about open source and so forth. Although open source has its merits and its benefits because a lot of eyes are on it, sometimes these things still happen. It also depends on the open source. Some open source projects are very well maintained, and very well scrutinized.

People are always looking at it, tinkering with it, understanding when they find a vulnerability like Log4j they quickly bubble that up. There are some open source projects that aren't so well maintained, but people still use them. But the vulnerabilities don't come out as quickly.

Carolyn: We're a month into this. Have we got it under control? Do we have our arms around it? What did agencies do to manage this?

Willie: I would say, well, that's a loaded question. Do we have our arms around it? I would say we are, well, let's just talk about what happened. Because I can even speak from a company, from my perspective on what our company has done around this. Immediately after at least it became public, I think it was December 9th that this was released or became known, this was escalated to the highest levels.

Cybersecurity News Highlights the Highest Level of Vulnerability

Willie: CISA made this a highest-level vulnerability. They instructed agencies to start immediate searches of their systems. I personally know of agencies we worked with where they might have had a team of 100 people plus over weekends. They were going through servers, looking for unfortunately, sometimes looking manually for this vulnerable code to remediate it. We quickly got our hands around it from that standpoint.

Is there still Log4j out there that we haven't caught? Of course. I know we haven't gotten to eradicate every bit of vulnerable code. But, there was a very concerted effort, especially at the federal government level. I know at the commercial level, the corporate level, and the private sector, there was an equally frantic push to get this taken care of because it is a major vulnerability. You don't want someone with the ability to remotely execute code on your servers. They could do anything they want at that point then once they get into the system.

I would say that, time will tell how well we got our hands wrapped around it. From our standpoint, we were able to quickly analyze our code to quickly find out where our vulnerabilities were. We’re able to quickly notify our customers, our government partners, and agencies of what our vulnerabilities were, and how we were remediating them quickly. We had patches out, I think on that day, to make sure our systems were patched. I think our SaaS environment was doing that. We quickly accelerated our testing cycles to make sure that we didn't break or blow up anything when we applied the patches.

Mark: You're also helping our customers with their application security module. Identify those vulnerabilities, yes.

Core Capability

Willie: That was the internal, but from an external standpoint as Mark accurately pointed out, I was saying earlier that some of our customers were manually looking for this. Luckily, for our customers that have agents deployed and had observability by Dynatrace, we actually had a capability that is core to our platform called AppSec. It’s designed just for this, to look for vulnerability.

Within 10 minutes of the announcement, our databases were updated with this vulnerability signature and pushed out to all of our customers that were connected online. Then for those customers that received that, they immediately, who were using the AppSec module, they immediately started getting flags all over the place of where this module was.

Those people who had AppSec and had our agents fully deployed didn't have hundreds of people. They were going to their Dynatrace consoles and were seeing all of the vulnerable systems. Then we actually had remediation steps built into the platform where they could see what they needed to do to remediate that. We were able to take that from a multitude of people down to the team that was monitoring the system.

Then we distribute that information to the admin teams or to the automation teams so they could use Ansible or whatever they were using to automate the remediation of that. It’s really powerful when you have that visibility, that observability into the system. There was no better example of how important it is for any type of DevSecOps organization. We can talk about it from a zero trust standpoint. I can even talk about it from just understanding the build of your systems.

The Last Big Boulder Cybersecurity News

Willie: There's all this talk about bringing legislation around companies. Having a software bill of materials, SBOMs, built in as part of their products so you can see exactly what components are in software. It’s something we don't normally do in the industry. Having that observability so you might not have that SBOM, but we can light up and say, this is how that application is built and all the components. Really invaluable.

Carolyn: Let's go to our last topic, the last Big Boulder news item, which is the Zero Trust Thunderdome contract. I'm going to be honest when I read this seven million contract developed, to develop zero trust architecture, I thought this was already happening. So what is the significance of Thunderdome?

Willie: I will preface this by saying I'm not a security expert, but I can talk to it from my industry perspective. But the Thunderdome award, which I like the name by the way, is seven million dollars. It's just a prototype to prove out the schemes and the technologies that they're going to be using. They’re technologies that DESO wants to use to build out their zero trust architectures or to validate the zero trust architectures that they've been developing.

To your point, there are pockets of the DoD. There are pockets of the service branches that have been already investing in zero trust. So, you look at programs like Platform One where this is already being built into the platform. It was part of what was really, I think, revolutionary about the Platform One environment and what they were trying to do at Platform One. This was already being built-in in DESO.

What Happened With Log4J

Willie: The DoD had already been investigating this for, I'm sure, several years. But I think what happened with Log4j, SolarWinds, all the ransomware attacks, the administration basically has put a stake in the...

","summary":null,"date_published":"2022-02-16T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/cccc612d-faa2-454a-a55d-6fcf90872c48.mp3","mime_type":"audio/mpeg","size_in_bytes":22037350,"duration_in_seconds":1573}]},{"id":"25df256f-8c21-4ecd-94d7-46651ddb720e","title":"Episode 22: Unbelievable Lessons with Greg Crabb Former Chief Information Security Officer of the US Postal Service","url":"https://techtransforms.fireside.fm/22","content_text":"What does it take to secure 160 million Americans' privacy? Greg Crabb, former Chief Information Security Officer at US Postal Service joins Tech Transforms to talk about his experiences from his time as Projects Coordinator for International Fraud to his role in the 2020 US Presidential Election.\n\nEpisode Table of Contents\n[00:42] Greg Crabb in the House, Founder of 10-8 Cyber\n[10:33] Good Guys Get Together With Greg Crabb\n[20:05] They Want To Do the Right Thing\n[29:32] Greg Crabb Had a Long, Deep, and Intense Service\n\nEpisode Links and Resources\nGreg Crabb\nUSPS\nFBI\nSecret Service\nEuropol\nInterpol\nAQAP\nCISA\nEbay\nChief of Police Conference\nHurricane Electric\nLexisNexis\nSergey Pavlovich\nJames Woolsey\nDamitri Gluboph\nOrange Revolution\nRussian FSB\nSolar Winds\nChris Krebbs\nMatt Heartman\nAmazon\nCAD\nJen Limb\nDelivering Happiness\nAdam Grant\n\nGreg Crabb in the House, Founder of 10-8 Cyber\n\nCarolyn: Today, our guest is a rockstar. His background just blew me away. Greg Crabb, founder of 10-8 Cyber and strategic advisor to several organizations, but that doesn't even scratch the tip of the iceberg of who our guest is today.\n\nGreg: Thank you, Carolyn. I enjoy the opportunity to chat.\n\nCarolyn: You recently retired after 20 years with the US Postal Service where you wore many hats. From being a project coordinator for international fraud, assistant director of economic crimes, you ended your career as the chief information security officer and vice president of USPS. 
That's the very tip of the iceberg of your career. I want to kick it over to you and have you tell us your story.\n\nGreg: The mission of my life has been to protect others and drive benefits for society. I was grateful enough to have the opportunity to retire last year after 30 years of federal service. When I joined the postal service in the mid-90s, I spent the first several years of my career being an auditor. I was responsible for the old electronic data processing controls portion of the financial audit. There I learned an amazing amount of information about how computers work, mainframes, networking, and all that sort of thing.\n\nIn 2000, I transitioned to spend seven years investigating the origins of Eastern European organized cyber crime. That was an amazing experience. I got the opportunity to really attack an organized crime group. It was based out of Ukraine and had splinters all over the world. I worked with Europol and Interpol, the Secret Service, the FBI, and many other organizations in between.\n\nBigger and Better Things for Greg Crabb\n\nGreg: In about 2005, I moved to Washington to take on bigger and better things. Then in 2010, the international supply chain was attacked with some parcel bombs from AQAP. AQAP put PETN, it's the liquid explosive that we all know as why we can't carry water bottles onto airplanes. It completely changed the security model of how international supply chains work for moving parcels. I spent a number of years working with an international community of 190 countries to develop new standards. Worked with civil aviation authorities to properly secure the supply chain from a commercial aviation perspective for parcel security.\n\nIn 2014, I got tapped to respond to a pretty significant breach at the US Postal Service. In that moment, I transitioned from being the law enforcement officer who was the hunter to the chief information security officer who was the hunted and responsible for an amazing network. 
I was grateful to provide security for 160 million delivery points, private communications, and parcels for all of America for six years. As we talked before the show, I was really grateful to have the opportunity to help protect the 2020 election. It was just an amazing collaboration with the folks at CISA and many other organizations across the country in order to pull that off.Carolyn: Can you talk about what you did to prepare for that? Talk about pressure. You'd been preparing for 20 years.Greg: I had been preparing. I wouldn’t have been as successful in protecting the technology assets the postal service relied on to move 70 million ballots if I had not had those experiences.Greg Crabb Is Dealing With Eastern European Organized Cyber CrimeGreg: I’ve been dealing with Eastern European organized cyber crime and understanding what it takes in order to protect a network from everything. From disinformation campaigns to all of the technical details that are necessary to secure a network. Where do you want to start? From an application security perspective for the organization, from an OT security perspective, all of the technology that was necessary in order to be able to move the ballots were in the consideration.Carolyn: It's interesting because when I think of the US Postal Service. I'm not going to lie, it's a little boring.Mark: You think of physical security, OT.Carolyn: It's a letter and you're moving a physical thing. But like all the cyber that was involved in it, is it the processes that you were securing, the databases?Greg: It was everything. From the delivery scanner, the letter carrier that is driving by your house every day, securing that scanner to know that your ballot was in the mail, to all of the operational technology that exists. Now, imagine big warehouses larger than big football stadiums, where mail processing is made. Huge pieces of equipment were down to your address. 
All the packages come in and we sort them down to each delivery point.In total, I was responsible for the protection of 1.2 million technology assets. Petabytes and petabytes of data relative to package tracking and those kinds of things. Only 630,000 employees are necessary in order to be able to deliver that mission and interact with all those technology points.Mark: That's just at the federal level. I can only imagine the collaboration across states and everything must have been massive.A Massive Enterprise Focused on CollaborationGreg: I did not have the responsibility of dealing with each of the states. The postal service, in order to be able to secure the election, is a massive enterprise focused on all of the collaboration, developing standards on how mail pieces are supposed to be formed. There's a lot to make sure that everything gets delivered on time. If the ballots aren't there, they don't get counted. That was something that not only my role as chief information security officer but my security partner, who was the chief postal inspector, was out all over the country in facilities. Basically, just making sure that each of the communities were getting their ballots in a timely manner from all of our delivery operations.Mark: I know you've done a lot of work with cyber crime and you've worked with adversaries, I guess, as well. I’m curious to know how you've seen this whole landscape transform over the years.Greg: I started working in organized cyber crime investigations in 2000. I was asked to help the FBI with a case coming out, or some significant amount of fraud against eBay, coming out of Ukraine. It took me several years to wrap my arms around it. I was ultimately able to arrest a number of folks from Ukraine and other Eastern European countries that were involved in this. But really, I had the opportunity to sit down and talk with a lot of investigators from Eastern European countries.We had a conference in Warsaw a number of years ago. 
These were early days. They talked about how they started to see car smuggling gangs that were based in Eastern Europe starting to have technology equipment in the vehicles where they were getting arrested.Good Guys Get Together With Greg CrabbGreg: Eastern European car smuggling gangs would basically get caught in Poland with stolen cars. They popped the trunks and there would be a bunch of technology equipment, credit card skimmers, and other technology that's necessary in order to be able to commit those types of crimes.There was a conference. Good guys get together and do the International Association of Chiefs of Police Conference and those types of things. But in 2001, there was a conference in Odessa where a bunch of criminals got together. They referred to it as, \"The First International Carders' Conference.\" The members of that meeting became my targets.Carolyn: How did you find out about it?Greg: I had the good fortune of one of the criminals that I was investigating had hacked into a server in San Jose, California. At the time, I was based in Northern California. The data center was on my drive into the office. He was sending all of his communications through that server. I intercepted 40,000 of his email messages.Carolyn: How did you find that?Greg: Long story. It was just tracing IP addresses and getting back to the source of where all of his communications were coming from. They all sourced to this particular server. The company was called Hurricane Electric in Fremont, California. I worked with the US Attorney's Office and the victim to get approval to go in and review my suspect's messages on a daily basis. So I had this unbelievable wiretap on this criminal and all of his email messages. 
Not only facilitating his crime but with all of his cohorts in crime who were doing these activities.Greg Crabb With Eastern Law EnforcementGreg: One thing led to another and I learned about this International Carders' Conference based in Odessa and basically focused on this group. That led me to the opportunity to really work with Eastern European law enforcement officers. I had occasion to work with the Russian FSB and the Ukrainian MVD, and even law enforcement officers in Belarus. I proudly display the hat there from my colleague in Minsk, Belarus. Unfortunately, he was actually arrested for working with me. We went to the country in '05. The suspect had a website. The banner on the website said that their objective was to take the United States back to the time of 1929.Fortunately, the Belarusian law enforcement officers were willing to work with us until the government got involved after we left. From the computer equipment in that case in Minsk, we recovered over 55,000 full infos. These are victims in the United States where they've got their mother's maiden name, their social security number, all of the answers to the questions that are necessary for those knowledge-based questions. He had hacked into LexisNexis, and his hack was actually the subject of a congressional debate. The subject's name was Sergey Pavlovich.It was interesting to be able to work with all of those folks and deal with not only, on a personal relationship, the police officers but then the governments from a not-so-friendly perspective. I was never invited back to Belarus again, I was stupid enough to try to go back to Belarus. But I think the US embassy was smart enough not to let me in. 
Those experiences were foundational for me to understand what's necessary in order to be able to counter what we see from a law enforcement perspective.What James Woolsey Taught Greg CrabbGreg: Like James Woolsey taught me, there's little difference between a Russian businessman, a Russian politician, and a Russian organized crime figure. They're one and the same, like the people that organized that International Carders' Conference in Odessa, I look at where we are in the political world today with Ukraine and Russia, and the United States. And I started going to Kyiv in November of 2003, trying to get the guy's name was Dmitry Golubov. Dmitry Golubov arrested.He was one of the key organizers of this conference, responsible for massive amounts of fraud against financial institutions and online companies. It was very difficult. He was protected by the police in Odessa. They were on the payroll. It really came down to the Orange Revolution. In early 2005, late 2004 to 2005, there was a highly contested election in Ukraine. The first election was called by the international community to be fraud, and a second election was made. It was very close from a decision perspective.You might remember that the candidate that won was actually poisoned by the Russian FSB in Switzerland while he was traveling there. He won. When he took power, the Ukrainian MVD asked for me to come over and actually present my case. I got an opportunity to go over and brief my case to the Minister of Interior to Ukraine. Two weeks later, they arrested Dmitry Golubov.Mark: In London, the UK?Greg: No, it was in Ukraine. It was in Odessa. I do stop for a second. The Orange Revolution was extremely important in Ukraine. It was really that turning point in the history of Ukraine where they went Western leaning, they were looking to democracy.Why the US Embassy Was Giddy When Ukrainians Invited Greg CrabbGreg: They were looking to, how can they become more westernized? 
At the time, when the Ukrainians asked me to come over, the US embassy was giddy. We actually have a government that's interested in working with the US.I remember going with the special agent that was the FBI leg-att there in Kyiv, Ukraine. His name was John Boles. We drove over to the briefing with the Minister of Interior to Ukraine. He was so excited that we were going to present this case. Then for them to actually, the Ukrainians, to go and arrest Golubov was unbelievable. I was invited back over after the arrest to again do something that had never been done before. Boles was really excited.I was the first US law enforcement officer to ever be asked to interview a Ukrainian on Ukrainian soil. Albeit, we went to jail. He told us to buzz off, but so be it. It was a great turning point in our relations. Now when you see what's going on in the international community, I can only pray for the folks in Ukraine to be able to maintain their democracy and keep the coalition here, or the West to be able to help them.Mark: Given all of the things that are top in the news right now, this is really interesting. Ukraine is in the news every day.Greg: Unfortunately, we weren't able to present our case in Ukrainian court against Golubov. I won't say it was corruption, but after some time the case was dismissed. Several years later, Dmitry Golubov actually became a member of Ukrainian parliament. And you're just, \"That's the way the world works, people.\"Carolyn: The James Woolsey quote holds true.They Want To Do the Right ThingGreg: Exactly. You know it. I saw it firsthand. I've seen it again and again in my interactions with folks that are over in Eastern Europe. On an individual level, I was able to form some amazing personal relationships with law enforcement officers. They want to do the right thing, but governments, politics, and corruption are difficult things to overcome. I think that's where we really need to continue to focus and understand. 
Thank you for letting me take a little walk down history lane. I think all of those lessons are important today to understand what we face from an organizational national security perspective for the country.Mark: When I think of cyber crime, cybersecurity, I think of technology, bits, and bytes. I think of leveraging cutting-edge kinds of technologies and the way people do what they do. I'm really curious to know because you've talked about a couple of things which makes me think really just grassroots intel, spy versus spy. How much of this world is HUMINT or human intel as opposed to the technology piece?Greg: Technology's just an instrument to the motives of the actors. I think that one of the things that, as we look forward and we look at the attacks like SolarWinds and you name the Eastern European-based attacks that we've seen, they're all motivated by the objectives of either greed or control. Or I often recall, and this is a supply chain story. It's going to start a little weird. One of my colleagues in Eastern Europe always used to say, \"Mr. Greg Crabb, trust no one. Not your wife, not your girlfriend and not your lover.\"Supply Chain Related StoryGreg: How could that possibly be a supply chain-related quote? I knew all three of his, by the way. His wife, wonderful mother of his children, awesome. Girlfriend was just beautiful. His lover, she was smoking hot. But what he would always talk about is that from a mass surveillance society, you need to understand your relations. You need to understand your most trusted intimate relations in order to keep them controlled.I think when we see the types of attacks with SolarWinds and the other supply chain attacks that we're seeing in software development lifecycle, we need to understand that mass surveillance is a technique that is used in those cultures. We need to understand and account for it in our information security practices. 
There's bits of the story that I've left out there, but you can get the main point.Carolyn: I feel like we're...","content_html":"

What does it take to secure 160 million Americans' privacy? Greg Crabb, former Chief Information Security Officer at the US Postal Service, joins Tech Transforms to talk about his experiences, from his time as Projects Coordinator for International Fraud to his role in the 2020 US Presidential Election.

Greg Crabb in the House, Founder of 10-8 Cyber

Carolyn: Today, our guest is a rockstar. His background just blew me away. Greg Crabb, founder of 10-8 Cyber and strategic advisor to several organizations, but that doesn't even scratch the tip of the iceberg of who our guest is today.

Greg: Thank you, Carolyn. I enjoy the opportunity to chat.

Carolyn: You recently retired after 20 years with the US Postal Service where you wore many hats. From being a project coordinator for international fraud, assistant director of economic crimes, you ended your career as the chief information security officer and vice president of USPS. That's the very tip of the iceberg of your career. I want to kick it over to you and have you tell us your story.

Greg: The mission of my life has been to protect others and drive benefits for society. I was grateful enough to have the opportunity to retire last year after 30 years of federal service. When I joined the postal service in the mid-90s, I spent the first several years of my career being an auditor. I was responsible for the old electronic data processing controls portion of the financial audit. There I learned an amazing amount of information about how computers work, mainframes, networking, and all that sort of thing.

In 2000, I transitioned to spend seven years investigating the origins of Eastern European organized cyber crime. That was an amazing experience. I got the opportunity to really attack an organized crime group. It was based out of Ukraine and had splinters all over the world. I worked with Europol and Interpol, the Secret Service, the FBI, and many other organizations in between.

Bigger and Better Things for Greg Crabb

Greg: In about 2005, I moved to Washington to take on bigger and better things. Then in 2010, the international supply chain was attacked with some parcel bombs from AQAP. AQAP put PETN, it's the liquid explosive that we all know as why we can't carry water bottles onto airplanes. It completely changed the security model of how international supply chains work for moving parcels. I spent a number of years working with an international community of 190 countries to develop new standards. Worked with civil aviation authorities to properly secure the supply chain from a commercial aviation perspective for parcel security.

In 2014, I got tapped to respond to a pretty significant breach at the US Postal Service. In that moment, I transitioned from being the law enforcement officer who was the hunter to the chief information security officer who was the hunted and responsible for an amazing network. I was grateful to provide security for 160 million delivery points, private communications, and parcels for all of America for six years. As we talked before the show, I was really grateful to have the opportunity to help protect the 2020 election. It was just an amazing collaboration with the folks at CISA and many other organizations across the country in order to pull that off.

Carolyn: Can you talk about what you did to prepare for that? Talk about pressure. You'd been preparing for 20 years.

Greg: I had been preparing. I wouldn’t have been as successful in protecting the technology assets the postal service relied on to move 70 million ballots if I had not had those experiences.

Greg Crabb Is Dealing With Eastern European Organized Cyber Crime

Greg: I’ve been dealing with Eastern European organized cyber crime and understanding what it takes in order to protect a network from everything. From disinformation campaigns to all of the technical details that are necessary to secure a network. Where do you want to start? From an application security perspective for the organization, from an OT security perspective, all of the technology that was necessary in order to be able to move the ballots were in the consideration.

Carolyn: It's interesting because when I think of the US Postal Service, I'm not going to lie, it's a little boring.

Mark: You think of physical security, OT.

Carolyn: It's a letter and you're moving a physical thing. But like all the cyber that was involved in it, is it the processes that you were securing, the databases?

Greg: It was everything. From the delivery scanner, the letter carrier that is driving by your house every day, securing that scanner to know that your ballot was in the mail, to all of the operational technology that exists. Now, imagine big warehouses larger than big football stadiums, where mail processing is made. Huge pieces of equipment were down to your address. All the packages come in and we sort them down to each delivery point.

In total, I was responsible for the protection of 1.2 million technology assets. Petabytes and petabytes of data relative to package tracking and those kinds of things. Only 630,000 employees are necessary in order to be able to deliver that mission and interact with all those technology points.

Mark: That's just at the federal level. I can only imagine the collaboration across states and everything must have been massive.

A Massive Enterprise Focused on Collaboration

Greg: I did not have the responsibility of dealing with each of the states. The postal service, in order to be able to secure the election, is a massive enterprise focused on all of the collaboration, developing standards on how mail pieces are supposed to be formed. There's a lot to make sure that everything gets delivered on time. If the ballots aren't there, they don't get counted. That was something that not only my role as chief information security officer but my security partner, who was the chief postal inspector, was out all over the country in facilities. Basically, just making sure that each of the communities were getting their ballots in a timely manner from all of our delivery operations.

Mark: I know you've done a lot of work with cyber crime and you've worked with adversaries, I guess, as well. I’m curious to know how you've seen this whole landscape transform over the years.

Greg: I started working in organized cyber crime investigations in 2000. I was asked to help the FBI with a case coming out, or some significant amount of fraud against eBay, coming out of Ukraine. It took me several years to wrap my arms around it. I was ultimately able to arrest a number of folks from Ukraine and other Eastern European countries that were involved in this. But really, I had the opportunity to sit down and talk with a lot of investigators from Eastern European countries.

We had a conference in Warsaw a number of years ago. These were early days. They talked about how they started to see car smuggling gangs that were based in Eastern Europe starting to have technology equipment in the vehicles where they were getting arrested.

Good Guys Get Together With Greg Crabb

Greg: Eastern European car smuggling gangs would basically get caught in Poland with stolen cars. They popped the trunks and there would be a bunch of technology equipment, credit card skimmers, and other technology that's necessary in order to be able to commit those types of crimes.

There was a conference. Good guys get together and do the International Association of Chiefs of Police Conference and those types of things. But in 2001, there was a conference in Odessa where a bunch of criminals got together. They referred to it as, "The First International Carders' Conference." The members of that meeting became my targets.

Carolyn: How did you find out about it?

Greg: I had the good fortune of one of the criminals that I was investigating had hacked into a server in San Jose, California. At the time, I was based in Northern California. The data center was on my drive into the office. He was sending all of his communications through that server. I intercepted 40,000 of his email messages.

Carolyn: How did you find that?

Greg: Long story. It was just tracing IP addresses and getting back to the source of where all of his communications were coming from. They all sourced to this particular server. The company was called Hurricane Electric in Fremont, California. I worked with the US Attorney's Office and the victim to get approval to go in and review my suspect's messages on a daily basis. So I had this unbelievable wiretap on this criminal and all of his email messages. Not only facilitating his crime but with all of his cohorts in crime who were doing these activities.

Greg Crabb With Eastern Law Enforcement

Greg: One thing led to another and I learned about this International Carders' Conference based in Odessa and basically focused on this group. That led me to the opportunity to really work with Eastern European law enforcement officers. I had occasion to work with the Russian FSB and the Ukrainian MVD, and even law enforcement officers in Belarus. I proudly display the hat there from my colleague in Minsk, Belarus. Unfortunately, he was actually arrested for working with me. We went to the country in '05. The suspect had a website. The banner on the website said that their objective was to take the United States back to the time of 1929.

Fortunately, the Belarusian law enforcement officers were willing to work with us until the government got involved after we left. From the computer equipment in that case in Minsk, we recovered over 55,000 full infos. These are victims in the United States where they've got their mother's maiden name, their social security number, all of the answers to the questions that are necessary for those knowledge-based questions. He had hacked into LexisNexis, and his hack was actually the subject of a congressional debate. The subject's name was Sergey Pavlovich.

It was interesting to be able to work with all of those folks and deal with not only, on a personal relationship, the police officers but then the governments from a not-so-friendly perspective. I was never invited back to Belarus again. I was stupid enough to try to go back to Belarus. But I think the US embassy was smart enough not to let me in. Those experiences were foundational for me to understand what's necessary in order to be able to counter what we see from a law enforcement perspective.

What James Woolsey Taught Greg Crabb

Greg: Like James Woolsey taught me, there's little difference between a Russian businessman, a Russian politician, and a Russian organized crime figure. They're one and the same, like the people that organized that International Carders' Conference in Odessa. I look at where we are in the political world today with Ukraine and Russia, and the United States. And I started going to Kyiv in November of 2003, trying to get, the guy's name was Dmitry Golubov, Dmitry Golubov arrested.

He was one of the key organizers of this conference, responsible for massive amounts of fraud against financial institutions and online companies. It was very difficult. He was protected by the police in Odessa. They were on the payroll. It really came down to the Orange Revolution. In early 2005, late 2004 to 2005, there was a highly contested election in Ukraine. The first election was called by the international community to be fraud, and a second election was made. It was very close from a decision perspective.

You might remember that the candidate that won was actually poisoned by the Russian FSB in Switzerland while he was traveling there. He won. When he took power, the Ukrainian MVD asked for me to come over and actually present my case. I got an opportunity to go over and brief my case to the Minister of Interior to Ukraine. Two weeks later, they arrested Dmitry Golubov.

Mark: In London, the UK?

Greg: No, it was in Ukraine. It was in Odessa. I do stop for a second. The Orange Revolution was extremely important in Ukraine. It was really that turning point in the history of Ukraine where they went Western leaning, they were looking to democracy.

Why the US Embassy Was Giddy When Ukrainians Invited Greg Crabb

Greg: They were looking to, how can they become more westernized? At the time, when the Ukrainians asked me to come over, the US embassy was giddy. We actually have a government that's interested in working with the US.

I remember going with the special agent that was the FBI leg-att there in Kyiv, Ukraine. His name was John Boles. We drove over to the briefing with the Minister of Interior to Ukraine. He was so excited that we were going to present this case. Then for them to actually, the Ukrainians, to go and arrest Golubov was unbelievable. I was invited back over after the arrest to again do something that had never been done before. Boles was really excited.

I was the first US law enforcement officer to ever be asked to interview a Ukrainian on Ukrainian soil. Albeit, we went to jail. He told us to buzz off, but so be it. It was a great turning point in our relations. Now when you see what's going on in the international community, I can only pray for the folks in Ukraine to be able to maintain their democracy and keep the coalition here, or the West to be able to help them.

Mark: Given all of the things that are top in the news right now, this is really interesting. Ukraine is in the news every day.

Greg: Unfortunately, we weren't able to present our case in Ukrainian court against Golubov. I won't say it was corruption, but after some time the case was dismissed. Several years later, Dmitry Golubov actually became a member of Ukrainian parliament. And you're just, "That's the way the world works, people."

Carolyn: The James Woolsey quote holds true.

They Want To Do the Right Thing

Greg: Exactly. You know it. I saw it firsthand. I've seen it again and again in my interactions with folks that are over in Eastern Europe. On an individual level, I was able to form some amazing personal relationships with law enforcement officers. They want to do the right thing, but governments, politics, and corruption are difficult things to overcome. I think that's where we really need to continue to focus and understand. Thank you for letting me take a little walk down history lane. I think all of those lessons are important today to understand what we face from an organizational national security perspective for the country.

Mark: When I think of cyber crime, cybersecurity, I think of technology, bits, and bytes. I think of leveraging cutting-edge kinds of technologies and the way people do what they do. I'm really curious to know because you've talked about a couple of things which makes me think really just grassroots intel, spy versus spy. How much of this world is HUMINT or human intel as opposed to the technology piece?

Greg: Technology's just an instrument to the motives of the actors. I think that one of the things that, as we look forward and we look at the attacks like SolarWinds and you name the Eastern European-based attacks that we've seen, they're all motivated by the objectives of either greed or control. Or I often recall, and this is a supply chain story. It's going to start a little weird. One of my colleagues in Eastern Europe always used to say, "Mr. Greg Crabb, trust no one. Not your wife, not your girlfriend and not your lover."

Supply Chain Related Story

Greg: How could that possibly be a supply chain-related quote? I knew all three of his, by the way. His wife, wonderful mother of his children, awesome. Girlfriend was just beautiful. His lover, she was smoking hot. But what he would always talk about is that from a mass surveillance society, you need to understand your relations. You need to understand your most trusted intimate relations in order to keep them controlled.

I think when we see the types of attacks with SolarWinds and the other supply chain attacks that we're seeing in software development lifecycle, we need to understand that mass surveillance is a technique that is used in those cultures. We need to understand and account for it in our information security practices. There's bits of the story that I've left out there, but you can get the main point.

Carolyn: I feel like we're...

","summary":null,"date_published":"2022-02-09T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/973393ba-15aa-4e93-a092-d7beeebd14f9.mp3","mime_type":"audio/mpeg","size_in_bytes":33113126,"duration_in_seconds":2363}]},{"id":"0bc31cdc-c07d-45f5-9acc-e7ee05f533e1","title":"Episode 21: Securing Our Nation with Pete Tseronis, Former CTO of the US Department of Energy and US Department of Education","url":"https://techtransforms.fireside.fm/21","content_text":"Technology is paramount when it comes to securing our nation according to Pete Tseronis, CEO of Dots and Bridges, former CTO of the US Department of Energy and US Department of Education. On this episode of Tech Transforms, Pete explains the critical role technology plays in our lives, and how innovation underpins that foundation.Episode Table of Contents[00:38] Pete Tseronis: From Fed to Dots and Bridges[05:50] Why It Matters To Translate the Tech[12:22] Who Are Keeping the Lights On[22:00] How Pete Tseronis Responds to the Mission[29:33] Information at Your FingertipsEpisode Links and ResourcesPete TseronisDots and BridgesDepartment of EnergyDepartment of EducationCSFCybersecurity Mandata 14028Infrastructure BillRoadboticsTipping PointEntrepreneur Roller CoasterThink and Grow RichThought of the DayRay Kurzweil - SingularityPete Tseronis: From Fed to Dots and BridgesCarolyn: Our guest today has got quite the pedigree, Pete Tseronis, CEO of Dots and Bridges. Before Dots and Bridges, Pete served as a Cabinet-level federal CTO, not once, but twice. First at the US Department of Education for eight years, and then at the US Department of Energy for seven and a half years. Before those two, he was actually with the DoD since the beginning of things. Pete: It's nice to be on the other side of the mic. I have all the respect in the world for what you're doing, in addition to your other jobs and incredible pedigree you have. 
But I love the conversations and it's a treat to be able to tell my story a little bit, at least.Carolyn: Your unique perspective on technology and federal agencies, as well as from the commercial side, it's going to be a great conversation. Let's just start with your story. Will you give us an overview of Dots and Bridges and how it came about? Then share your journey in the government and where you are now.Pete: I tell folks I can do five hours or I can do it in about a minute. But there's about 32 years there, wrapped up. I'm a Washingtonian native. I grew up in the Washington DC area, in the suburbs of Maryland, Montgomery County and went to high school in Washington DC. It took me to Villanova University for my undergrad, where I studied liberal arts and communications. I wanted to be a sports broadcaster.Pete Tseronis Had the Coolest Job in the WorldPete: I’m 54, and I do have a nine-year-old. So a little bit of a late bloomer. Four kids, a great wife from Pittsburgh, and yes, I have an Australian Labradoodle named Phineas Maximus Tseronis. So that is my life, my family. I came out of college, I ended up back here in DC, and interned at the Pentagon. One day, I woke up and I'm working in the Pentagon. I thought it was the coolest thing in the world. Didn't have a plan to work for the government. I didn't know much about it, even though it was in my backyard. But it put me on my journey.The time was '91. I had the chance, when I was working as a civilian, the Department of the Army, to dabble in some of the work that the DARPA community was working on. The internet work was what it was called. Before I knew it, I had a bug, an itch that I scratched. And I was like, \"This is going to be a big deal.\" I was that guy typing in on a text-based, character-based, if you will, screen: www.espn.com. I'm like, \"Whoa, I can see all this news before it's in the paper tomorrow.\"The itch was there. 
I said, \"I'm going to go learn this internet thing.\" At that point, it was three years at DoD. I had a chance to move over to the Department of Education and do some computer security work. That was becoming a thing, like if you're going to use this tool, security matters. So we'll talk a little bit about that today and its evolution, but I jumped back to school.Pete Tseronis Got the Coolest Education for Three YearsPete: I enrolled at Johns Hopkins University and got my master's degree in telecommunications. I’ve wanted to know how this worked. How do you type something in and then it's there on your screen? That was the coolest education for three years. Every time I'd go back to class, it was like the material we learned was outdated. For three years it was like all of us were growing up in this IT world.So I finished school while I was working. By the time I came out, the Clinger-Cohen Act had passed, 1996-ish. The federal government had chief information officers, CIOs. You were a thing, you weren't an IT director. Not that there's anything wrong with that, but you were actually a C-level. I said, \"Well, maybe that's what I'll be.\"So I tried it. At least, I went on that path. I found myself very interested in wanting to leverage what I learned in grad school. That was, well, you got to get into a data center and see how it really works. I ended up at the Department of Education, being a director. But really, running the data center with an incredibly talented group of folks that run circles around me. But they were my on-the-job training experts, firewall guys and gals, circuit folks, server people.It was a real education on how to learn this stuff, this geek speaks, but then I have to go talk about it to my federal community. 
By the time I was making a decision on, “Do I want to be a tech guy, like the geeky side which is a compliment, or a propeller head?“Why It Matters To Translate the TechPete: “Do I want to go down the management route and stay in this government, as I was being promoted every couple of years?“ I got up to a SES status by the time I left. Then I found myself on a speaking circuit, talking about technology. I was asked frequently to work with the Office of Management and Budget, an arm of the White House executive branch, to translate the tech and why it matters. Maybe I wasn't a sports broadcaster, but I definitely loved getting in front of an audience and doing a bit of that educational component.So in '08 I felt like it was time to do something different. I was appointed CTO. But in '08 it was like, \"Well, what do they do? What's a CTO? We all know a CIO is such and such,\" and I didn't care. I called myself a connective tissue officer because I just loved bringing people together, convening, having conversations. Never, for the life of me, act or feel as though I was the smartest guy in the room. I was learning constantly in a world that was just moving at a clip.In '08 I had an opportunity to come over to the DoE. I got to be blunt, it was the coolest, and it still is, job I've ever had. But I didn't really know what I was getting into. I didn't know much about the Department of Energy, or the Department of Science as it's called. But we can speak for hours on just the complexity of that institution. It was not just the Department of Energy circa 1977 when it was made a Cabinet-level agency, it was the former Atomic Energy Commission.Pete Tseronis Caught a BugPete: It's truly where some of the brightest minds, for years, dating back to the Manhattan Project, to autonomous vehicles today, with our national laboratories. 
It is this brain power, that if you have a chance to work there or visit, you walk out of there just feeling like, \"Oh my gosh, I can't wait to come back.\" At least, I did and I had a great run. That was eight years. I caught my passion and bug there for, “How does all this technology impact humanity? Why are we spending billions of dollars on research and development? Where is it going and how does it impact me and humanity globally?”In 2015, I hit that ceiling. I was not in the government for the money. I realized, \"Well, I'm not going to be able to really go much higher. So maybe I better go out and figure out what all this education can do in terms of hanging a shingle.\" I started Dots and Bridges. My wife gets all the credit for the name. I try to be cute at times, and then ultimately she said, \"What's the big deal? What'd you do for 25 years?\" I said, \"Well, hon, it was a dot-connecting bridge builder.\" She goes, \"Be Dots and Bridges. People get that. Connect dots, build bridges, that's what you did.\" So that was it. Six years and a few months later I'm living the dream, working my tail off. I didn't retire from the government, I miss it. But being here in the Beltway and having this global community now, whether it's smart cities or critical infrastructure or cyber physical systems, I continuously learn and teach wherever I can and within bandwidth.Pete Tseronis Had Critical Roles in the GovernmentPete: I make sure that I'm there for my family first and foremost. I love what I do.Mark: It's a fascinating history. You had the opportunity to have critical roles in the government, in areas that are really impactful to society today. So helping the greater good. Those are certainly two organizations in your roles that are fabulous, and so is Dots and Bridges. How does that work? Having now been on both sides of the fence, how do you think you can help organizations, industry, the country, and its citizens be more effective in that transformation? 
Is it on the Dots and Bridges side or is it on the government side? What are the different dynamics there?Pete: The short answer is, when people say, \"Oh, you're in the industry now.\" I'm like, \"Yes, I took an exit off the highway of being a Fed, and I'm enjoying it. But I'm going to get back on that road.\" I say as of late, \"I'm probably going to end back up in the government again someday. I miss it.\" There's something about the 25 years of why you do it. People use this phrase, \"I love the mission. I serve the mission.\" And I dig it. I get it.But the impact of that mission that you're serving, or the mission impact of what you're doing, is really what hit me late in my career. I remember waking up one day at the Department of Education. Somebody asked me, \"All this data center stuff you do and all this technology, how is that helping the Office of such-and-such at the Department of Education?\" I honestly was like, \"I have no idea.\"The Epiphanic Moment of Pete TseronisPete: That was the moment, or epiphany, that I went, \"It's one thing to be a tech person. But to know how it's impacting students, or teachers, or educators, or rural America.\" Something I said to myself, \"If I don't know that, shame on me.\"When I came to Energy, the first thing I did was, \"I'm going to learn this mission. It's going to take a while. I am going to travel to the national labs, all 17, as best I can. I'm going to understand why all these agencies, why the government even exists to serve our country and the world.\"One way I’d like to answer part of your question is, it's a yin yang thing. There's an opportunity for all of us to understand the role of the mission. There are 450+ agencies in the federal government. There's not 32, there's not 24. 
Every one of them has a mission, from the Smithsonian, to the National Nuclear Security Administration, to the Environmental Management Office at DoE, to the USDA.Think about that as a technologist, a guy who was sold to for so many years. One of the questions I used to say to every industry partner that came in was, \"Do you know what it is I'm doing in my role, in a $30-some billion agency, a CTO, to serve the mission.\"That's when I realized there was a gap. I'm translating why it matters. How zero trust can impact our nation's 16 critical sectors, how distributed energy makes sense and doesn't make it about fossil versus renewable. But the technology, the one thing I say is never the problem, it's how we are implementing it.Who Are Keeping the Lights OnPete: Your C-level, or the people in the data centers, in the basement, or the outsourced folks at these big large institutions, do you know that they're the ones keeping the lights on? Technology is agnostic. How you explain it to people is critical in terms of adoption. If we don't do it, that's where the inertia is created. It takes forever for us to realize the benefits of what technology's promise is.Carolyn: You've said something a few times. I think what your focus is, is how to make life better for our kids, for our country, for the world. You actually mentioned smart cities. I'm fascinated by the idea. From what little I've read, there's a lot of potential with smart cities. The smart cities are a big step towards our environmental problems and improving our lives, for ourselves and for future generations. Can you talk about smart cities? What did you do in the Department of Energy with them? Start with what a smart city is?Pete: Technology, humanity, and culture. It's interchangeable. Technology, we know we need it. Humanity, we want to live longer. I know we won't be here forever. We're not in the era of the matrix, from what I understand, even though it's a great movie. 
The machines, that's the futurist comment. But there's hope. We're living longer, but we need our air clean. We need our water treated properly, we need our cars to be safer.I'm looking at my list here. You brought up smart cities, what makes up a smart city? Well there are 16 sectors that are deemed the critical sectors. Their assets, systems and networks, whether physical or virtual, are considered so vital to the United States.16 Sectors Everybody Should Be Aware OfPete: Their incapacitation or destruction would have a debilitating effect on security; national economic security, national public health or safety, or any combination thereof. Straight from the DHS CISA website, there are 16 sectors that everybody should be aware of that should relate to our lives. They’re the energy sector, food and agriculture, financial, and government facilities. Those are the foundations for cities. It's our streets, it's our water, it's our air.We love when we get, at least I do, a snowy day. But then when you can't shower, or you can't eat, or you can't get food, then you realize that Mother Nature is in control of some of this. Why are we not a more resilient city? We saw it happen in Texas last year with the freezing temperatures, and people died. The goal is safety, public safety. I always say, \"Bad stuff happens, we realize how resilient or non-resilient, how we need to improve when a bridge collapses. Or somebody says, 'How did we not know?' or a tsunami hits.\"So smart cities don't one day appear, a smart city is not smart because you put a sensor on a traffic light. A smart city is people getting smart, from city officials to those that have to make the investment in the technology to then deploy it. Then to figure out where's the data, how do I distill it, and is it protected? Yes, the world we live in, data is the new oil, data is the fuel, data is compromised. When that happens, we saw what happened in Colonial this year. 
We can shut down an East Coast pipeline because of ransomware.Pete Tseronis Puts the Word “Smart” in FrontPete: Smart cities eight years ago were more like a smart grid. How do we make the grid smarter? Or how do we put technology on our power grid so that it stays up longer? So when bad things happen, people don't freeze to death, or there's a blackout and there are looting instances or traffic accidents?The word \"smart\" is something I put in front of a lot of things: smart agriculture, smart water, smart air. It's really just the application of technologies and sensors to communicate, to tell us in real-time where things are at risk. I'd like to think that our most critical sectors, that critical infrastructure, that $1.2 trillion is now being made available as a result of the infrastructure bill. It will go towards making sure that the very things we need, the water, the air, the food, the bridges, the planes, trains, are safe.Carolyn: So to be a smart city, they have to check the box that they're monitoring. That they're being smarter about critical infrastructure and at least three or four different areas. I still am unclear how you get qualified as a smart city.Pete: There is no single definition. If you think of smart cities, it's the people. It's reexamining the process by which we do certain things to know how technology can make it better. I'll just use an example of potholes. There's a great company in Pittsburgh, RoadBotics, that, with a phone, takes pictures and sends them into the cloud. They're now detecting where all the potholes are. Why are some repaired overnight and others don't get repaired? It's about equity, societal and economic value.A Smart City Defined by Pete TseronisPete: A smart city involves tech. It also involves people becoming smarter about the tech and what those risks are and implications of deploying it in a city.Carolyn: Is there a green component? 
Or is it more about being resilient as a city?Pete: I like the word sustainability and resilience a lot. You bring up a great point. The reason there's this, let's look at distributed energies and microgrids and low Earth orbit satellites. Let's use wind power. It's just to say, if the coal burning and the nuclear power, it's not one or the other. We need a resilient grid so that when it goes down, it doesn't stay down.Carolyn: Diversity.Pete: Yes. And that's not sustainable in, \"Oh, sustainable, I think of greenhouse gas emissions and carbon footprints.\" Yes and no. It's like, we don't want it to be down for a long time. That's why you'll see these days that cities want to be smarter, secure, and sustainable. On the flip side, it's reliable, resilient, and flexible.How do you do that? We have to look at the integration of renewable and fossil fuels and nuclear power. At the end of the day, you flip a switch on, you want the lights to turn on. You turn on your water, you want it to be clear, not brown. Then you get in your car, you want to know, even...","content_html":"

Technology is paramount when it comes to securing our nation according to Pete Tseronis, CEO of Dots and Bridges, former CTO of the US Department of Energy and US Department of Education. On this episode of Tech Transforms, Pete explains the critical role technology plays in our lives, and how innovation underpins that foundation.

Pete Tseronis: From Fed to Dots and Bridges

Carolyn: Our guest today has got quite the pedigree, Pete Tseronis, CEO of Dots and Bridges. Before Dots and Bridges, Pete served as a Cabinet-level federal CTO, not once, but twice. First at the US Department of Education for eight years, and then at the US Department of Energy for seven and a half years. Before those two, he was actually with the DoD since the beginning of things.

Pete: It's nice to be on the other side of the mic. I have all the respect in the world for what you're doing, in addition to your other jobs and incredible pedigree you have. But I love the conversations and it's a treat to be able to tell my story a little bit, at least.

Carolyn: Your unique perspective on technology and federal agencies, as well as from the commercial side, it's going to be a great conversation. Let's just start with your story. Will you give us an overview of Dots and Bridges and how it came about? Then share your journey in the government and where you are now.

Pete: I tell folks I can do five hours or I can do it in about a minute. But there's about 32 years there, wrapped up. I'm a Washingtonian native. I grew up in the Washington DC area, in the suburbs of Maryland, Montgomery County and went to high school in Washington DC. It took me to Villanova University for my undergrad, where I studied liberal arts and communications. I wanted to be a sports broadcaster.

Pete Tseronis Had the Coolest Job in the World

Pete: I’m 54, and I do have a nine-year-old. So a little bit of a late bloomer. Four kids, a great wife from Pittsburgh, and yes, I have an Australian Labradoodle named Phineas Maximus Tseronis. So that is my life, my family. I came out of college, I ended up back here in DC, and interned at the Pentagon. One day, I woke up and I'm working in the Pentagon. I thought it was the coolest thing in the world. Didn't have a plan to work for the government. I didn't know much about it, even though it was in my backyard. But it put me on my journey.

The time was '91. I had the chance, when I was working as a civilian, the Department of the Army, to dabble in some of the work that the DARPA community was working on. The internet work was what it was called. Before I knew it, I had a bug, an itch that I scratched. And I was like, "This is going to be a big deal." I was that guy typing in on a text-based, character-based, if you will, screen: www.espn.com. I'm like, "Whoa, I can see all this news before it's in the paper tomorrow."

The itch was there. I said, "I'm going to go learn this internet thing." At that point, it was three years at DoD. I had a chance to move over to the Department of Education and do some computer security work. That was becoming a thing, like if you're going to use this tool, security matters. So we'll talk a little bit about that today and its evolution, but I jumped back to school.

Pete Tseronis Got the Coolest Education for Three Years

Pete: I enrolled at Johns Hopkins University and got my master's degree in telecommunications. I’ve wanted to know how this worked. How do you type something in and then it's there on your screen? That was the coolest education for three years. Every time I'd go back to class, it was like the material we learned was outdated. For three years it was like all of us were growing up in this IT world.

So I finished school while I was working. By the time I came out, the Clinger-Cohen Act had passed, 1996-ish. The federal government had chief information officers, CIOs. You were a thing, you weren't an IT director. Not that there's anything wrong with that, but you were actually a C-level. I said, "Well, maybe that's what I'll be."

So I tried it. At least, I went on that path. I found myself very interested in wanting to leverage what I learned in grad school. That was, well, you got to get into a data center and see how it really works. I ended up at the Department of Education, being a director. But really, running the data center with an incredibly talented group of folks that run circles around me. But they were my on-the-job training experts, firewall guys and gals, circuit folks, server people.

It was a real education on how to learn this stuff, this geek speak, but then I have to go talk about it to my federal community. By the time I was making a decision on, “Do I want to be a tech guy, like the geeky side which is a compliment, or a propeller head?”

Why It Matters To Translate the Tech

Pete: “Do I want to go down the management route and stay in this government, as I was being promoted every couple of years?” I got up to a SES status by the time I left. Then I found myself on a speaking circuit, talking about technology. I was asked frequently to work with the Office of Management and Budget, an arm of the White House executive branch, to translate the tech and why it matters. Maybe I wasn't a sports broadcaster, but I definitely loved getting in front of an audience and doing a bit of that educational component.

So in '08 I felt like it was time to do something different. I was appointed CTO. But in '08 it was like, "Well, what do they do? What's a CTO? We all know a CIO is such and such," and I didn't care. I called myself a connective tissue officer because I just loved bringing people together, convening, having conversations. Never, for the life of me, act or feel as though I was the smartest guy in the room. I was learning constantly in a world that was just moving at a clip.

In '08 I had an opportunity to come over to the DoE. I got to be blunt, it was the coolest, and it still is, job I've ever had. But I didn't really know what I was getting into. I didn't know much about the Department of Energy, or the Department of Science as it's called. But we can speak for hours on just the complexity of that institution. It was not just the Department of Energy circa 1977 when it was made a Cabinet-level agency, it was the former Atomic Energy Commission.

Pete Tseronis Caught a Bug

Pete: It's truly where some of the brightest minds, for years, dating back to the Manhattan Project, to autonomous vehicles today, with our national laboratories. It is this brain power, that if you have a chance to work there or visit, you walk out of there just feeling like, "Oh my gosh, I can't wait to come back." At least, I did and I had a great run. That was eight years. I caught my passion and bug there for, “How does all this technology impact humanity? Why are we spending billions of dollars on research and development? Where is it going and how does it impact me and humanity globally?”

In 2015, I hit that ceiling. I was not in the government for the money. I realized, "Well, I'm not going to be able to really go much higher. So maybe I better go out and figure out what all this education can do in terms of hanging a shingle." I started Dots and Bridges. My wife gets all the credit for the name. I try to be cute at times, and then ultimately she said, "What's the big deal? What'd you do for 25 years?" I said, "Well, hon, it was a dot-connecting bridge builder." She goes, "Be Dots and Bridges. People get that. Connect dots, build bridges, that's what you did." So that was it.

Six years and a few months later I'm living the dream, working my tail off. I didn't retire from the government, I miss it. But being here in the Beltway and having this global community now, whether it's smart cities or critical infrastructure or cyber physical systems, I continuously learn and teach wherever I can and within bandwidth.

Pete Tseronis Had Critical Roles in the Government

Pete: I make sure that I'm there for my family first and foremost. I love what I do.

Mark: It's a fascinating history. You had the opportunity to have critical roles in the government, in areas that are really impactful to society today. So helping the greater good. Those are certainly two organizations in your roles that are fabulous, and so is Dots and Bridges. How does that work? Having now been on both sides of the fence, how do you think you can help organizations, industry, the country, and its citizens be more effective in that transformation? Is it on the Dots and Bridges side or is it on the government side? What are the different dynamics there?

Pete: The short answer is, when people say, "Oh, you're in the industry now." I'm like, "Yes, I took an exit off the highway of being a Fed, and I'm enjoying it. But I'm going to get back on that road." I say as of late, "I'm probably going to end back up in the government again someday. I miss it." There's something about the 25 years of why you do it. People use this phrase, "I love the mission. I serve the mission." And I dig it. I get it.

But the impact of that mission that you're serving, or the mission impact of what you're doing, is really what hit me late in my career. I remember waking up one day at the Department of Education. Somebody asked me, "All this data center stuff you do and all this technology, how is that helping the Office of such-and-such at the Department of Education?" I honestly was like, "I have no idea."

The Epiphanic Moment of Pete Tseronis

Pete: That was the moment, or epiphany, that I went, "It's one thing to be a tech person. But to know how it's impacting students, or teachers, or educators, or rural America." Something I said to myself, "If I don't know that, shame on me."

When I came to Energy, the first thing I did was, "I'm going to learn this mission. It's going to take a while. I am going to travel to the national labs, all 17, as best I can. I'm going to understand why all these agencies, why the government even exists to serve our country and the world."

One way I’d like to answer part of your question is, it's a yin yang thing. There's an opportunity for all of us to understand the role of the mission. There are 450+ agencies in the federal government. There's not 32, there's not 24. Every one of them has a mission, from the Smithsonian, to the National Nuclear Security Administration, to the Environmental Management Office at DoE, to the USDA.

Think about that as a technologist, a guy who was sold to for so many years. One of the questions I used to say to every industry partner that came in was, "Do you know what it is I'm doing in my role, in a $30-some billion agency, a CTO, to serve the mission."

That's when I realized there was a gap. I'm translating why it matters. How zero trust can impact our nation's 16 critical sectors, how distributed energy makes sense and doesn't make it about fossil versus renewable. But the technology, the one thing I say is never the problem, it's how we are implementing it.

Who Are Keeping the Lights On

Pete: Your C-level, or the people in the data centers, in the basement, or the outsourced folks at these big large institutions, do you know that they're the ones keeping the lights on? Technology is agnostic. How you explain it to people is critical in terms of adoption. If we don't do it, that's where the inertia is created. It takes forever for us to realize the benefits of what technology's promise is.

Carolyn: You've said something a few times. I think what your focus is, is how to make life better for our kids, for our country, for the world. You actually mentioned smart cities. I'm fascinated by the idea. From what little I've read, there's a lot of potential with smart cities. The smart cities are a big step towards our environmental problems and improving our lives, for ourselves and for future generations. Can you talk about smart cities? What did you do in the Department of Energy with them? Start with what a smart city is?

Pete: Technology, humanity, and culture. It's interchangeable. Technology, we know we need it. Humanity, we want to live longer. I know we won't be here forever. We're not in the era of The Matrix, from what I understand, even though it's a great movie. The machines, that's the futurist comment. But there's hope. We're living longer, but we need our air clean. We need our water treated properly, we need our cars to be safer.

I'm looking at my list here. You brought up smart cities, what makes up a smart city? Well, there are 16 sectors that are deemed the critical sectors. Their assets, systems and networks, whether physical or virtual, are considered so vital to the United States.

16 Sectors Everybody Should Be Aware Of

Pete: Their incapacitation or destruction would have a debilitating effect on security; national economic security, national public health or safety, or any combination thereof. Straight from the DHS CISA website, there are 16 sectors that everybody should be aware of that should relate to our lives. They’re the energy sector, food and agriculture, financial, and government facilities. Those are the foundations for cities. It's our streets, it's our water, it's our air.

We love when we get, at least I do, a snowy day. But then when you can't shower, or you can't eat, or you can't get food, then you realize that Mother Nature is in control of some of this. Why are we not a more resilient city? We saw it happen in Texas last year with the freezing temperatures, and people died. The goal is safety, public safety. I always say, "Bad stuff happens, we realize how resilient or non-resilient, how we need to improve when a bridge collapses. Or somebody says, 'How did we not know?' or a tsunami hits."

So smart cities don't one day appear, a smart city is not smart because you put a sensor on a traffic light. A smart city is people getting smart, from city officials to those that have to make the investment in the technology to then deploy it. Then to figure out where's the data, how do I distill it, and is it protected? Yes, the world we live in, data is the new oil, data is the fuel, data is compromised. When that happens, we saw what happened in Colonial this year. We can shut down an East Coast pipeline because of ransomware.

Pete Tseronis Puts the Word “Smart” in Front

Pete: Smart cities eight years ago were more like a smart grid. How do we make the grid smarter? Or how do we put technology on our power grid so that it stays up longer? So when bad things happen, people don't freeze to death, or there's a blackout and there are looting instances or traffic accidents?

The word "smart" is something I put in front of a lot of things: smart agriculture, smart water, smart air. It's really just the application of technologies and sensors to communicate, to tell us in real-time where things are at risk. I'd like to think that our most critical sectors, that critical infrastructure, that $1.2 trillion is now being made available as a result of the infrastructure bill. It will go towards making sure that the very things we need, the water, the air, the food, the bridges, the planes, trains, are safe.

Carolyn: So to be a smart city, they have to check the box that they're monitoring. That they're being smarter about critical infrastructure and at least three or four different areas. I still am unclear how you get qualified as a smart city.

Pete: There is no single definition. If you think of smart cities, it's the people. It's reexamining the process by which we do certain things to know how technology can make it better. I'll just use an example of potholes. There's a great company in Pittsburgh, RoadBotics, that, with a phone, takes pictures and sends them into the cloud. They're now detecting where all the potholes are. Why are some repaired overnight and others don't get repaired? It's about equity, societal and economic value.

A Smart City Defined by Pete Tseronis

Pete: A smart city involves tech. It also involves people becoming smarter about the tech and what those risks are and implications of deploying it in a city.

Carolyn: Is there a green component? Or is it more about being resilient as a city?

Pete: I like the word sustainability and resilience a lot. You bring up a great point. The reason there's this, let's look at distributed energies and microgrids and low Earth orbit satellites. Let's use wind power. It's just to say, if the coal burning and the nuclear power, it's not one or the other. We need a resilient grid so that when it goes down, it doesn't stay down.

Carolyn: Diversity.

Pete: Yes. And that's not sustainable in, "Oh, sustainable, I think of greenhouse gas emissions and carbon footprints." Yes and no. It's like, we don't want it to be down for a long time. That's why you'll see these days that cities want to be smarter, secure, and sustainable. On the flip side, it's reliable, resilient, and flexible.

How do you do that? We have to look at the integration of renewable and fossil fuels and nuclear power. At the end of the day, you flip a switch on, you want the lights to turn on. You turn on your water, you want it to be clear, not brown. Then you get in your car, you want to know, even...

","summary":null,"date_published":"2022-02-02T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/3d558446-f811-4111-8586-e0b684a8fb61.mp3","mime_type":"audio/mpeg","size_in_bytes":27631802,"duration_in_seconds":1972}]},{"id":"300677f1-0072-4499-a778-cc19f4f85ceb","title":"Episode 20: Transformative Data with NTIS's Chakib Chraibi","url":"https://techtransforms.fireside.fm/20","content_text":"With transformative technologies such as AI and Machine Learning, government agencies can help achieve goals, detect fraud, and create data-driven strategies. Chief Data Scientist and ODS Acting Associate Director at NTIS, US Department of Commerce Chakib Chraibi joins tech transforms to discuss his insights on helping the US Federal agencies and citizens use data to enhance any mission. Episode Table of Contents[00:53] Delivering Transformative Data Solutions[09:00] AI Has Very Transformative Data and Technology[18:12] How Transformative Data Identifies Fraudsters[29:10] Virtual RealityEpisode Links and ResourcesChakib ChraibiNTISData StrategyImmersive Van Gogh BaudelaireDeep Learning with PythonDelivering Transformative Data SolutionsCarolyn: Today, we got to talk to Dr. Chakib Chraibi. He’s the Chief Data Scientist in the US Department of Commerce, National Technical Information Service, or NTIS, and acting associate director for the Office of Data Services. He provides expertise and assistance to government agencies in harnessing innovative technologies and delivering data-driven solutions to achieve mission impact within the NTIS framework. Chakib, welcome to Tech Transforms.Let's start with a brief overview of your role at NTIS as well as the role of NTIS within government agencies.Chakib: NTIS is a bureau within the US Department of Commerce. We want to think about NTIS as the best-kept secret in government. What I'm going to say about NTIS is going to resonate with a lot of our listeners. 
NTIS is a very interesting agency that is focused on data science and data innovation. It was created shortly after the Second World War.\n\nThe main task at that point was to gather all the information collected from the Second World War that dealt with technical research, et cetera. It became a repository of information for the government. They dealt with any technical papers or publications from the civilian side. But in the 1990s, the internet happened. And so, we're still doing that. We have one of the largest libraries. We're continuing collecting that information, but Congress has thought about focusing us on a different mission at that time. It is actually a great idea, and which is about data science.\n\nOur Main Focus at NTIS\n\nChakib: Currently, that's our main focus at NTIS. We provide a unique pathway for federal agencies towards innovation and digital transformation. We have an authority from Congress that allows us to seek out their partners from the industry, from academic institutions, nonprofits, to help federal agencies address national data center challenges.\n\nIt's available to all federal agencies seeking an agile capacity to scale. It has quick access to private sector ingenuity, and expertise, to meet critical mission data priorities. We also use a very innovative framework. It’s based on agile methodology to be able to harness emerging and cutting-edge technologies. We operate outside the Federal Acquisition Regulation, outside of FAR.\n\nIt’s in the innovation space, and it's really exciting. Whenever you want to innovate, you are not sure about how to go about it. All federal agencies want to be effective and efficient in accomplishing their missions and addressing data priorities. But, sometimes they don't know how to go about it. They have an idea about the business problems and what they want to achieve, but they don't have all the details, and the steps to go about it. That's because that's part of any innovative work that you're going to do.
That is where we can help them with.\n\nWe have a very agile framework where they can come and discuss their business problems with us at a very high level and what they want to achieve. What is their mission? What's the most important thing that they want to accomplish? Based on that conversation, we can actually develop a problem statement. It’s a very high level scope statement that tries to address data innovation goals they want to achieve.\n\nA Free-Flowing Discussion on Transformative Data\n\nChakib: Once done, we reach out to our partners. We actually have a whiteboard session that is open to anyone. It's a very free-flowing discussion based on design thinking. Discussing what the objectives are and what they want to accomplish, what problems they want to solve, etcetera. That helps us refine the scope statement, and then complete that statement with our partners. We have a selection process, like a review that goes on to finalize the partners that will be involved in conducting that project.\n\nWe already have more than 45 partners from the industry. Of course, we have the big ones like IBM, Booz Allen, and universities like Stanford. There are smaller enterprise companies from Silicon Valley that are focused on very specific aspects of data science and artificial intelligence. They are part of our list of partners. The good thing is that, these partners can still partner with others. We don't expect everyone to know everything about anything. As long as they are the major players, they can partner up with others to complete the project.\n\nMark: How does industry engage with your organization? Do you and your organization determine what technologies and industry partners are getting involved with some of the things that you're working on?\n\nChakib: We have a notice in the Federal Register, asking for any company. We focus on and also encourage minority-owned businesses to apply, to become a partner, and we have a specific criteria. Our criteria is related to data innovation.
If you can provide some value to the government in terms of data science, machine learning, artificial intelligence, and the related emerging technologies, we encourage them to apply.\n\nTransformative Data Providing Specific Value\n\nChakib: We have a process where we have them evaluated by people from NTIS, as well as outside NTIS from the federal government that volunteer. They help us evaluate if they are providing specific value and meeting some criteria that we define in the notice. After that process, they become partners. Once they are a partner, then they will be able to compete for a project that we bring in.\n\nCarolyn: You guys are like a technology innovation playground. You get an idea, you help the agency or group scope it, and then you put it into action. When you put it into action, do you actually implement it within the agency or do you have a lab that you model it in first?\n\nChakib: We are a very small agency. We are more like a broker. What we do is reach out to federal agencies and let them know about our services. We tell them, \"If you're having difficulties innovating data in a data framework, then come with us.\"\n\nThe advantage in working with us is, we have been involved in several projects already with several departments and federal agencies. We have experience with what federal agencies are trying to achieve, the challenges that they encounter, and the type of solutions they should seek out.\n\nWhen we talk with them, we always ask them about what their mission is and what they're trying to accomplish. We ask about the challenges that they are encountering and the support they need from us. That's how we start. We start with a specific problem. We can discuss later how we advise federal agencies to go about artificial intelligence. That’s an amazing topic there. It’s an interesting area to discuss.\n\nAI Has Very Transformative Data and Technology\n\nChakib: AI is a very transformative technology. It does require a big investment from federal agencies.
As an AI expert, I tell them, \"Get involved right away because the data doesn't stop, it keeps coming. Then it needs to be processed, accessed, cleaned, and prepared to be used.\" The models that you're going to develop based on that data, if they are predictive models, they're also iterative models. They need to be refined over the years, as soon as they're deployed and monitored. The sooner, the better.\n\nCarolyn: When you say the sooner, the better for AI engagement, what specifically are you talking about with AI? Is there a specific technology that you recommend that they start with?\n\nChakib: I wrote a paper recently about the challenges and opportunities in the federal government, and the type of model they should use. I'm not saying that is the perfect model, but let me just try to identify some of the guidelines that I identified. In that model, I try to identify the challenges that all federal agencies encounter. The first challenge and the most important and the most immediate one is about data. We are moving from federal agencies in the IT infrastructure.\n\nWe used to have legacy-based applications, so we have a siloed application. So we had the data basically fed in a specific application, and things were going well at that time. That was really what you needed to do to accomplish a specific task. But if you want to really take advantage of data, that's one of our roles at NTIS. It’s to foster and encourage agencies to use data as a strategic asset for evidence-based decisions, to be more efficient, to enhance their processes.\n\nAn Aggregation of Transformative Data\n\nChakib: All of these need an aggregation of data from different sources, internal and external. The first thing is to switch the model of thinking and the model of operation from siloed application into a more integrated data framework.
It will come together whenever it is needed and with the flexibility that is required to address specific problems within the federal government.\n\nMark: Do you typically need a government agency or a customer to engage, to drive some of the work and innovation that you are working on? Or do you have the flexibility or the autonomy to do the innovation on your own and then take it to federal agencies where they might be doing some stuff like that?\n\nChakib: It is the former. The agency actually leads the project. That’s a great thing because they are really the subject matter experts. They're the ones that are really working on the specific aspects, and they know what works and what doesn't work. So they do it in collaboration, of course, with the partner, but they have to lead the project.\n\nCarolyn: Without revealing national secrets, is there a favorite project that you've worked on that you can think of?\n\nChakib: I can tell you the department agencies that we worked with. But, of course, I cannot be very specific about what we do. Some of them have agreed to allow us to publicize that. So, I'll focus more on those. One of the projects is the USAID Presidential Malaria Initiative. The goal of the project is to control and eliminate malaria.\n\nWe are now going over a pandemic that has been one of the worst calamities in the history of humanity. But malaria has been around for several centuries.\n\nAn Important Project\n\nChakib: It’s a subtle life-threatening disease as well. It is caused by a parasite which transmits it to people through the bites of infected female mosquitoes. It's preventable and curable. In 2019, there were about 409,000 estimated deaths from malaria, 67% of that were children aged under five years old.\n\nThis is really an important project for us because we want to help USAID and the US government. We want to help the countries that are affected by malaria throughout the world and save lives.
In our work, we have helped USAID design and build a platform that they call the Malaria Data Integration and Visualization for Eradication platform, with the help of a partner. It includes storage and organization of malaria and related data, literally in different formats, different structures, and different languages.\n\nThe goal is to aggregate all that information, collect it, integrate it, and then help them do better evidence-based decision-making. Predict and identify high-risk areas based on geospatial and weighted data. Better manage the preventive supplies, such as mosquito nets or insect repellents. Eventually, to implement some low-cost malaria competitive solution in resource struck area to machine learning tools. This is an important project that ultimately has an amazing outcome.\n\nAt the same time, it's also a model for other agencies about how it's important to combine the data, how even geospatial or geographic data can be combined, protected, and secured, and providing self-service capabilities. That is what we always try to encourage federal agencies to do within a program or within a region where the program is applied. To provide them with user-centered, self-service capabilities that allow them to enter the data, process the data, and do the initial cleaning and preparation for the data.\n\nTechnology Is Transforming Lives\n\nMark: It sounds like we need to connect you up with some of our friends over at CMS because they're dealing with this thing. They probably could use your help, Chakib.\n\nCarolyn: What your department is doing is just what I love to talk about. Technology, literally, is transforming and saving lives. We’re using technology and data to do better.\n\nChakib: The pandemic has been a calamity and one of the worst disasters. But the silver lining is that it has helped accelerate digital transformation across all industries, definitely in the government. That is definitely a momentum to be using technologies to achieve our goals.
Actually, we're working with HHS-OIG in one of the projects that we are developing. This is our eighth year working with them. We started many years back. It is an interesting example to discuss because it shows the progression of what federal agencies are bound to do to benefit from artificial intelligence and machine learning capabilities.\n\nThe issue that they had is that they were working in siloes. Then they had the data in different areas of the country. But fraud exists in California as well as in Florida and they usually use similar patterns. So, why don't we bring that knowledge together, aggregate it, and help everyone take advantage of others' experiences? One of the aspects that we helped them with is to use sentiment analysis. Use social media posts to include them as part of the information that the investigators and auditors need to better identify fraud patterns.\n\nCarolyn: You look at their social media to detect their mood, where they might be leaning politically or otherwise?\n\nHow Transformative Data Identifies Fraudsters\n\nChakib: We try to identify if there is any pattern. One thing that the fraudsters do is that they keep moving. They create a company and they keep moving. The underlying patterns are there, they keep repeating them. But they have become more and more sophisticated.\n\nThe advantage of using machine learning is that we can actually be on top of those. You can predict what type of new patterns that they're going to develop instead of just using simple rules that were used before. Where they say, \"Okay, if you see this and that, then let's look into it.\" Now, we can actually have the machine learning algorithm model tell us in advance, \"Okay, this is the type of pattern that I see. I believe, with a certain level of confidence, that this might be fraudulent.\"\n\nThat's the fact that we see in the future of machine learning and artificial intelligence, it’s working very closely with human beings. It's an augmented artificial intelligence.
What we do with HHS is that, when an investigator or an auditor comes in, we try to make their life easier. We spend a lot of time automating the tasks that should be automated, because they're tedious. There's no need for a human being to do that unless just to check if they're correct or not.\n\nThen, we try to surface which cases can be the most beneficial for the American people, for the taxpayers. So which one will give us a better return based on the time that the investigator units spent, because we have limited resources. All of those are really important in terms of trying to address the fraud, waste, and abuse within the government in general.\n\nIncredible Tools for Complex Issues\n\nChakib: But in HHS, we’re using these incredible tools that help us basically sift through the data, identify the patterns, and surface some areas that we need to focus more time on as human beings.\n\nMark: Those are complex issues that you guys are working through in a lot of different areas. It's fascinating work that you all are doing. You have a very long and distinguished academic career. How do you perceive some of the differences in working in the academic world, compared with the government world?\n\nChakib: I started in the industry with one of the largest computer companies. Then I moved to academia where I really enjoyed it a lot. The difference between academia and government is very little because it's all about service-oriented, mission-based activities. I joined the government because I really love the NTIS model, what we do. I'm fascinated by these fields that are exploding, which are data science, machine learning, and artificial intelligence.\n\nI strongly believe that this is not just another technology. It's a transformative technology that's going to directly affect us in many ways. I see my goal, and that's why I'm very active in social media. My participation is to inform the public about this awesome power that is AI.\n\nOne aspect that's related is that I started in academia.
I'm also working on the side of looking into it. Participating in some forums that try to foster collaboration between government industry and academia, for instance, called Responsible AI. We're trying to look at how we can make sure that AI is actually applied the way we intend it to. Without bias or being harmful to us in some way, short term or long term.\n\nCommerce Data Strategy\n\nChakib: It's such a complex issue. Then, at the Department of Commerce, we actually published a Commerce Data Strategy late last year. One of our action plans is to develop some data ethics that we're going to use at the Department of Commerce. As part of the Federal Data Strategy, there is a push to make sure that we understand how AI and the data we use can impact any application we do. We try to prevent and mitigate any issue that relates to equity or bias. So, that's very important as well.\n\nCarolyn: You've reminded me of something that I've heard other data scientists and other AI experts say. AI is going to make us more human because it will free us from the menial, over-repetitive tasks that we don't really need to do. If we can be freed from those, it gives us more space and more time to devote to innovation and ideas. I would love to hear your thoughts on...","content_html":"

With transformative technologies such as AI and Machine Learning, government agencies can help achieve goals, detect fraud, and create data-driven strategies. Chief Data Scientist and ODS Acting Associate Director at NTIS, US Department of Commerce Chakib Chraibi joins Tech Transforms to discuss his insights on helping the US Federal agencies and citizens use data to enhance any mission.

Episode Table of Contents

  • [00:53] Delivering Transformative Data Solutions
  • [09:00] AI Has Very Transformative Data and Technology
  • [18:12] How Transformative Data Identifies Fraudsters
  • [29:10] Virtual Reality


Delivering Transformative Data Solutions

Carolyn: Today, we got to talk to Dr. Chakib Chraibi. He’s the Chief Data Scientist in the US Department of Commerce, National Technical Information Service, or NTIS, and acting associate director for the Office of Data Services. He provides expertise and assistance to government agencies in harnessing innovative technologies and delivering data-driven solutions to achieve mission impact within the NTIS framework. Chakib, welcome to Tech Transforms.

Let's start with a brief overview of your role at NTIS as well as the role of NTIS within government agencies.

Chakib: NTIS is a bureau within the US Department of Commerce. We want to think about NTIS as the best-kept secret in government. What I'm going to say about NTIS is going to resonate with a lot of our listeners. NTIS is a very interesting agency that is focused on data science and data innovation. It was created shortly after the Second World War.

The main task at that point was to gather all the information collected from the Second World War that dealt with technical research, et cetera. It became a repository of information for the government. They dealt with any technical papers or publications from the civilian side. But in the 1990s, the internet happened. And so, we're still doing that. We have one of the largest libraries. We're continuing collecting that information, but Congress has thought about focusing us on a different mission at that time. It is actually a great idea, and which is about data science.

Our Main Focus at NTIS

Chakib: Currently, that's our main focus at NTIS. We provide a unique pathway for federal agencies towards innovation and digital transformation. We have an authority from Congress that allows us to seek out their partners from the industry, from academic institutions, nonprofits, to help federal agencies address national data center challenges.

It's available to all federal agencies seeking an agile capacity to scale. It has quick access to private sector ingenuity, and expertise, to meet critical mission data priorities. We also use a very innovative framework. It’s based on agile methodology to be able to harness emerging and cutting-edge technologies. We operate outside the Federal Acquisition Regulation, outside of FAR.

It’s in the innovation space, and it's really exciting. Whenever you want to innovate, you are not sure about how to go about it. All federal agencies want to be effective and efficient in accomplishing their missions and addressing data priorities. But, sometimes they don't know how to go about it. They have an idea about the business problems and what they want to achieve, but they don't have all the details, and the steps to go about it. That's because that's part of any innovative work that you're going to do. That is where we can help them with.

We have a very agile framework where they can come and discuss their business problems with us at a very high level and what they want to achieve. What is their mission? What's the most important thing that they want to accomplish? Based on that conversation, we can actually develop a problem statement. It’s a very high level scope statement that tries to address data innovation goals they want to achieve.

A Free-Flowing Discussion on Transformative Data

Chakib: Once done, we reach out to our partners. We actually have a whiteboard session that is open to anyone. It's a very free-flowing discussion based on design thinking. Discussing what the objectives are and what they want to accomplish, what problems they want to solve, etcetera. That helps us refine the scope statement, and then complete that statement with our partners. We have a selection process, like a review that goes on to finalize the partners that will be involved in conducting that project.

We already have more than 45 partners from the industry. Of course, we have the big ones like IBM, Booz Allen, and universities like Stanford. There are smaller enterprise companies from Silicon Valley that are focused on very specific aspects of data science and artificial intelligence. They are part of our list of partners. The good thing is that, these partners can still partner with others. We don't expect everyone to know everything about anything. As long as they are the major players, they can partner up with others to complete the project.

Mark: How does industry engage with your organization? Do you and your organization determine what technologies and industry partners are getting involved with some of the things that you're working on?

Chakib: We have a notice in the Federal Register, asking for any company. We focus on and also encourage minority-owned businesses to apply, to become a partner, and we have a specific criteria. Our criteria is related to data innovation. If you can provide some value to the government in terms of data science, machine learning, artificial intelligence, and the related emerging technologies, we encourage them to apply.

Transformative Data Providing Specific Value

Chakib: We have a process where we have them evaluated by people from NTIS, as well as outside NTIS from the federal government that volunteer. They help us evaluate if they are providing specific value and meeting some criteria that we define in the notice. After that process, they become partners. Once they are a partner, then they will be able to compete for a project that we bring in.

Carolyn: You guys are like a technology innovation playground. You get an idea, you help the agency or group scope it, and then you put it into action. When you put it into action, do you actually implement it within the agency or do you have a lab that you model it in first?

Chakib: We are a very small agency. We are more like a broker. What we do is reach out to federal agencies and let them know about our services. We tell them, "If you're having difficulties innovating data in a data framework, then come with us."

The advantage in working with us is, we have been involved in several projects already with several departments and federal agencies. We have experience with what federal agencies are trying to achieve, the challenges that they encounter, and the type of solutions they should seek out.

When we talk with them, we always ask them about what their mission is and what they're trying to accomplish. We ask about the challenges that they are encountering and the support they need from us. That's how we start. We start with a specific problem. We can discuss later how we advise federal agencies to go about artificial intelligence. That’s an amazing topic there. It’s an interesting area to discuss.

AI Has Very Transformative Data and Technology

Chakib: AI is a very transformative technology. It does require a big investment from federal agencies. As an AI expert, I tell them, "Get involved right away because the data doesn't stop, it keeps coming. Then it needs to be processed, accessed, cleaned, and prepared to be used." The models that you're going to develop based on that data, if they are predictive models, they're also iterative models. They need to be refined over the years, as soon as they're deployed and monitored. The sooner, the better.

Carolyn: When you say the sooner, the better for AI engagement, what specifically are you talking about with AI? Is there a specific technology that you recommend that they start with?

Chakib: I wrote a paper recently about the challenges and opportunities in the federal government, and the type of model they should use. I'm not saying that is the perfect model, but let me just try to identify some of the guidelines that I identified. In that model, I try to identify the challenges that all federal agencies encounter. The first challenge and the most important and the most immediate one is about data. We are moving from federal agencies in the IT infrastructure.

We used to have legacy-based applications, so we have a siloed application. So we had the data basically fed in a specific application, and things were going well at that time. That was really what you needed to do to accomplish a specific task. But if you want to really take advantage of data, that's one of our roles at NTIS. It’s to foster and encourage agencies to use data as a strategic asset for evidence-based decisions, to be more efficient, to enhance their processes.

An Aggregation of Transformative Data

Chakib: All of these need an aggregation of data from different sources, internal and external. The first thing is to switch the model of thinking and the model of operation from siloed application into a more integrated data framework. It will come together whenever it is needed and with the flexibility that is required to address specific problems within the federal government.

Mark: Do you typically need a government agency or a customer to engage, to drive some of the work and innovation that you are working on? Or do you have the flexibility or the autonomy to do the innovation on your own and then take it to federal agencies where they might be doing some stuff like that?

Chakib: It is the former. The agency actually leads the project. That’s a great thing because they are really the subject matter experts. They're the ones that are really working on the specific aspects, and they know what works and what doesn't work. So they do it in collaboration, of course, with the partner, but they have to lead the project.

Carolyn: Without revealing national secrets, is there a favorite project that you've worked on that you can think of?

Chakib: I can tell you the department agencies that we worked with. But, of course, I cannot be very specific about what we do. Some of them have agreed to allow us to publicize that. So, I'll focus more on those. One of the projects is the USAID Presidential Malaria Initiative. The goal of the project is to control and eliminate malaria.

We are now going over a pandemic that has been one of the worst calamities in the history of humanity. But malaria has been around for several centuries.

An Important Project

Chakib: It’s a subtle life-threatening disease as well. It is caused by a parasite which transmits it to people through the bites of infected female mosquitoes. It's preventable and curable. In 2019, there were about 409,000 estimated deaths from malaria, 67% of that were children aged under five years old.

This is really an important project for us because we want to help USAID and the US government. We want to help the countries that are affected by malaria throughout the world and save lives. In our work, we have helped USAID design and build a platform that they call the Malaria Data Integration and Visualization for Eradication platform, with the help of a partner. It includes storage and organization of malaria and related data, literally in different formats, different structures, and different languages.

The goal is to aggregate all that information, collect it, integrate it, and then help them do better evidence-based decision-making. Predict and identify high-risk areas based on geospatial and weighted data. Better manage the preventive supplies, such as mosquito nets or insect repellents. Eventually, to implement some low-cost malaria competitive solution in resource struck area to machine learning tools. This is an important project that ultimately has an amazing outcome.

At the same time, it's also a model for other agencies about how it's important to combine the data, how even geospatial or geographic data can be combined, protected, and secured, and providing self-service capabilities. That is what we always try to encourage federal agencies to do within a program or within a region where the program is applied. To provide them with user-centered, self-service capabilities that allow them to enter the data, process the data, and do the initial cleaning and preparation for the data.

Technology Is Transforming Lives

Mark: It sounds like we need to connect you up with some of our friends over at CMS because they're dealing with this thing. They probably could use your help, Chakib.

Carolyn: What your department is doing is just what I love to talk about. Technology, literally, is transforming and saving lives. We’re using technology and data to do better.

Chakib: The pandemic has been a calamity and one of the worst disasters. But the silver lining is that it has helped accelerate digital transformation across all industries, definitely in the government. That is definitely a momentum to be using technologies to achieve our goals. Actually, we're working with HHS-OIG in one of the projects that we are developing. This is our eighth year working with them. We started many years back. It is an interesting example to discuss because it shows the progression of what federal agencies are bound to do to benefit from artificial intelligence and machine learning capabilities.

The issue that they had is that they were working in siloes. Then they had the data in different areas of the country. But fraud exists in California as well as in Florida and they usually use similar patterns. So, why don't we bring that knowledge together, aggregate it, and help everyone take advantage of others' experiences? One of the aspects that we helped them with is to use sentiment analysis. Use social media posts to include them as part of the information that the investigators and auditors need to better identify fraud patterns.

Carolyn: You look at their social media to detect their mood, where they might be leaning politically or otherwise?

How Transformative Data Identifies Fraudsters

Chakib: We try to identify if there is any pattern. One thing that the fraudsters do is that they keep moving. They create a company and they keep moving. The underlying patterns are there, they keep repeating them. But they have become more and more sophisticated.

The advantage of using machine learning is that we can actually be on top of those. You can predict what type of new patterns that they're going to develop instead of just using simple rules that were used before. Where they say, "Okay, if you see this and that, then let's look into it." Now, we can actually have the machine learning algorithm model tell us in advance, "Okay, this is the type of pattern that I see. I believe, with a certain level of confidence, that this might be fraudulent."

That's the fact that we see in the future of machine learning and artificial intelligence, it’s working very closely with human beings. It's an augmented artificial intelligence. What we do with HHS is that, when an investigator or an auditor comes in, we try to make their life easier. We spend a lot of time automating the tasks that should be automated, because they're tedious. There's no need for a human being to do that unless just to check if they're correct or not.

Then, we try to surface which cases can be the most beneficial for the American people, for the taxpayers. So which one will give us a better return based on the time that the investigator units spent, because we have limited resources. All of those are really important in terms of trying to address the fraud, waste, and abuse within the government in general.

Incredible Tools for Complex Issues

Chakib: But in HHS, we’re using these incredible tools that help us basically sift through the data, identify the patterns, and surface some areas that we need to focus more time on as human beings.

Mark: Those are complex issues that you guys are working through in a lot of different areas. It's fascinating work that you all are doing. You have a very long and distinguished academic career. How do you perceive some of the differences in working in the academic world, compared with the government world?

Chakib: I started in the industry with one of the largest computer companies. Then I moved to academia where I really enjoyed it a lot. The difference between academia and government is very little because it's all about service-oriented, mission-based activities. I joined the government because I really love the NTIS model, what we do. I'm fascinated by these fields that are exploding, which are data science, machine learning, and artificial intelligence.

I strongly believe that this is not just another technology. It's a transformative technology that's going to directly affect us in many ways. I see my goal, and that's why I'm very active in social media. My participation is to inform the public about this awesome power that is AI.

One aspect that's related is that I started in academia. I'm also working on the side of looking into it. Participating in some forums that try to foster collaboration between government, industry, and academia, for instance, called Responsible AI. We're trying to look at how we can make sure that AI is actually applied the way we intend it to. Without bias or being harmful to us in some way, short term or long term.

Commerce Data Strategy

Chakib: It's such a complex issue. Then, at the Department of Commerce, we actually published a Commerce Data Strategy late last year. One of our action plans is to develop some data ethics that we're going to use at the Department of Commerce. As part of the Federal Data Strategy, there is a push to make sure that we understand how AI and the data we use can impact any application we do. We try to prevent and mitigate any issue that relates to equity or bias. So, that's very important as well.

Carolyn: You've reminded me of something that I've heard other data scientists and other AI experts say. AI is going to make us more human because it will free us from the menial, over-repetitive tasks that we don't really need to do. If we can be freed from those, it gives us more space and more time to devote to innovation and ideas. I would love to hear your thoughts on...

","summary":null,"date_published":"2022-01-26T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/f5531f30-d73f-4be0-9864-c5d2b9d4505e.mp3","mime_type":"audio/mpeg","size_in_bytes":29768409,"duration_in_seconds":2124}]},{"id":"6052fbb8-4b90-45f0-8244-7e7939ca636b","title":"Episode 19: Intuition and Experience with US Army's Kris Saling","url":"https://techtransforms.fireside.fm/19","content_text":"In an AI driven world, the role of intuition and experience can be hard to define. Kris Saling, Chief Analytics Officer for the Army Talent Management Task Force and Director of People Analytics in the office of the Assistant Secretary of the Army M&RA joins Tech Transforms to give insight on talent management within government agencies.Episode Table of Contents[00:41] The Analytic and Technology of Talent Management[07:35] Ensuring Unbiased Data Talent Management[16:28] Talent Management Prediction Vectors[22:21] Quality of Life[31:58] Talent Management in AI Analytics[38:39] How Do We Ensure Trust in Talent Management Episode Links and ResourcesKris SalingM&RAArmy - Talent ManagementFootprintsArthur Conan DoyleBe Data LiterateBalance MythMad ScientistMore Intelligent TomorrowGame ChangerThe Analytic and Technology of Talent ManagementCarolyn: Kris Saling is Deputy Director Army, People Analytics, and the Chief Analytics Officer for the Army Talent Management Task Force. She coordinates analytic and technology solutions, rights policy, and resources innovation to promote data-driven decision-making across the Army's people enterprise. Kris, welcome to Tech Transforms.Kris: Thanks so much, and I'm really happy to be here. This is going to be fun.Carolyn: So I want to start off with a two-part question. Let's start with the awesome poster behind you, of Sherlock Holmes. Tell us the story behind that.Kris: There are a bunch of stories behind that. 
The big one is people ask me why I went into data science out of all the things I could have gotten into. My usual answer for them is because I read too much Arthur Conan Doyle when I was growing up. I just love the idea of sifting through all this information, finding clues, and solving problems, and that just persisted.That's up there for some motivation, but also a huge Robert Downey Jr. fan. He established a smart AI, a corporation that specializes in sustainability work through AI. It's called Footprints. He took the whole Tony Stark thing and decided he was going to make that his real life.Carolyn: I'm loving him even more. I've always been a big fan. How can you not be?Kris: Yes, save the planet through AI, how can you not love that?Carolyn: Before we move on to your job, do you have a favorite Arthur Conan Doyle story? What's your favorite Sherlock Holmes?A Long and Unusual StoryKris: There's so many of them that stick, but I'm trying to remember the title of it. It's one of the first ones where he first meets Watson and just some of their banter. It is a really long and unusual story. Half of the story is a flashback where he's talking to the perpetrator, one of these crimes. He is talking about his migration across the wild west frontier. Going to have to try and remember what that was, but it's just the meeting between him and Watson.Just the dynamic of this very straight-laced professional, trying to sit there and figure out what the heck he has in this certifiably, insane new roommate. But the fact that they connect on the intellectual level, it just makes that dynamic all kinds of fun.Carolyn: Do you remember?Mark: It's like Jarvis.Carolyn: Do you remember how old you were when you first got hooked? Your first story?Kris: 12 or 13 I think?Carolyn: So now we know what inspired you to get into the line of work that you're in? Mark and I are really intrigued by your titles. Is it HR or is it operations? It's super cool. 
You have a quote that says you're leveraging AI to leverage AI. Will you unpack what it is that you do to include how the USA fits in?Kris: I have two bosses. One of them is the assistant secretary of the army for manpower and reserve affairs. The other is the director of the army talent management task force. In both of my roles, I essentially have the same portfolio.Applying Talent Management in People AnalyticsKris: My short way of explaining it is it's all things talent data and data talent. So doing a lot to revitalize how the army is looking at its personnel management systems. I’m going from just transactional human capital type work to actual people analytics. We're starting to look at not just quantity analytics, but quality distribution employment. How do we optimize performance, but then also how do we do targeted retention to keep our top talent? Those kinds of problems.On the data talent side, I run a planning team that looks at the army data workforce. I've run this for about two years now. We look at how we do talent management for the folks who are doing everything. From our very high-end analytics, building AI solutions, doing very high-end data architecture to just what does basic data literacy look like for them? So all of that fits within this really broad portfolio.I've been really fortunate that my bosses have allowed me to essentially build my portfolio. They just come at me and we're giving you some free space to think about what the army needs to understand about its people and what kind of talent we need to make that happen. So go play and I swear this has been my favorite job in the army, it's so much fun.Mark: Who are your customers then? Are your customers commanders over certain areas and then you're looking to help them as far as how they field their organization? Or it's not really operational or logistics type stuff?Kris: Oh it is. 
One of the projects we have ongoing right now is a campaign of learning where we are.Data Talent ManagementKris: We’re trying to see how far down in the operational army we push data talent and how we build the supporting architecture. How do we build the supporting environments that we need in order to do analytics at that level? Also, how do we make it accessible? But then, how do we train up not just the data professionals who are going to be working at that level, but also the commanders to interpret the information and turn it into action, into decisions?Mark: When you talk about the architecture, is that the architecture of the human capital and the resources that you're providing to do whatever the mission would be?Kris: There's some of that. Some of it is process engineering, the rest is actual data architecture. Have we developed our pipelines in order to be able to push data safely and securely to these organizations that haven't previously had access? They've had to send RFIs or requests for information up higher.We don't want them to have to send in a request 48 hours, two weeks, whatever it is later, they get some analysis that you've all seen the requirements model where it's like playing telephone. The more steps you have in between the person who actually needs something and the person who's going to deliver it, the more it gets garbled.We want to be able to have commanders ask their questions to the right kind of talent to interpret it appropriately. Understand what is needed in the data and be able to engineer that solution. Now, it might just be a couple of folks and at that point of the question point of origin, basically with reach back capability up in the higher ranks.Ensuring Unbiased Data Talent ManagementKris: But again, we're still campaigning and learning. 
We're experimenting with what works best and what's the best use of our talent.Carolyn: Do you have challenges with ensuring that the AI is unbiased?Kris: That's a challenge everywhere. The idea that AI is ever going to be unbiased is like saying that humans are ever going to be unbiased because we all use biases.Carolyn: It's really just an extension of us.Kris: It's only as good as the decisions made by the people who program it or the decisions it's learning from. The way you get around bias in AI is the same way you get around bias in an organization. You bring in a lot of diverse perspectives, you bring in a lot of quality control. And you ask a lot of the “what if” questions.So you have to go back through and essentially triage the model when you're developing either a machine learning model, deep learning model, or you have AI making those decisions and those recommendations. But part of that is going back through and looking at what the model's keying in on. Is it actually making decisions based on stuff you want it to be making decisions? Do you need to hide some of the variables?There's an example I used. There was an AI that somebody created a few years ago to predict winners of the academy awards. It turned out, it was just keying in on anything Daniel Dan Lewis was in. It’s just like, \"Okay, granted that is correlated.\" But we don't want you predicting based on this. He might turn into a lemon.From the End Game BackwardsMark: You mentioned in a recent interview that you look at the problem from the end game backwards. This builds on the question we just asked because it seems like a very difficult thing to do. If you start with the end game, then aren't you basically saying this is the outcome we want to see? How do you create the algorithm to give you something that well? You don't know and you don't want to necessarily point it to the answer. 
But you want to see what you might be able to get out of it without doing that.Kris: It's beginning with the end in mind. When we start looking at the outcomes we want to generate, we have to focus on something. Train the model and sometimes that focus is a proxy for what we actually want it to focus on. More and more, we're getting our folks to build things using very modular, reusable, very tailor-able code. If we decide we want it to do business in a different way, we want it to key in on something differently. Then that's fairly easy to go in and modify.We're doing this right now with some of the predictive tools we're looking at for performance. The way we're looking at performance is based on how the army currently measures performance. But we have a number of efforts going on to change through our campaign of assessments on how we measure performance. We need that to be something we can iterate on later. One of the things that we've keyed in over time for the army has been that there's no more end states.How Intuition and Experience Helps in Process ImprovementKris: We're not going to plan toward an end state. Something isn't just like a one and done, this is continual. We've got to keep upgrading, and we've got to keep developing. We have to keep this thing adaptive and learning. So if we get more traction on that, then we generate more of a flavor process improvement.Carolyn: Your job sounds really broad. I heard you say you use AI to source new talent, retain talent, and help identify talent who's going to be best on this or that mission. Identify talents who should be on these different teams.Kris: That last one is something we're trying to get to. We're doing a lot of job competency studies right now to see what's actually required for different positions. We don't have that in the granular level of data that I'm looking for to be able to make some of those recommendations. 
What I envision out of our marketplace is eventually, you get a recommendation engine, it starts looking like Amazon. Since you like this job, you might also like these. Since you did this job, these might be the next best for you based on your capabilities.So we have an effort right now to basically make an intelligent individual development plan where folks can go through. See where their skills might best lead them or pick goal positions down the way. This can show them, \"Okay, here are the gaps in your current resume.\" My eventual dream for that is here are the gaps in your resume, would you like to sign up for a class? Would you like to take a self-initiated assessment or to talk to your career coach? All these different ways that we can help them bridge that gap.Where the Army Needs To BeMark: It sounds like you're working with the leadership of the army to determine this is where the army needs to be in 5, 10 years down the road.Kris: That was the charter they gave me. It's just like, \"Okay, what do we need to know about the army? What's your 10-year life plan?\" I'm like, \"Oh this is going to be fun.\"Carolyn: I had never really thought about using the AI for this purpose. It makes sense and I'm wondering about your role, how new is this job? For other organizations, even in the commercial world, is this a thing? Or is this a thing that you're creating right now?Kris: This particular job is one created for the army. I've been in and out of the MNRA for the past six years which is unusual for an army officer. Normally the PCS has a lot. But I started out in the G1, the Army's director and personnel working on how we actually use our data. How we collude all of it together out of all of the different systems we have spread throughout the army in a way where we can rapidly access it and utilize it to solve problems.We put together what was at the time called the Human Capital Big Data Plan. 
It just basically directed consolidation of all our personnel data into this massive data warehouse that we house out in Monterey with the research facilitation lab. From there, we've grown a number of different initiatives. We started using this data in creative ways. We've really started to see the gaps between what we need, as far as data, to answer our questions.Asking the Right QuestionsKris: We see what we don't have and basically if we are asking the right questions. I noticed, I didn't quite address this, the leveraging at leveraging AI to leverage A?  AI takes a lot of data so we are making more data. We're using natural language processing and optical character recognition. A whole bunch of other techniques that fall underneath advanced analytics umbrella to go through and read old evaluations. Read files, transcripts, and all of the stuff that we have that's sitting in TIF files in our repositories at human resources command. We’re trying to turn that into more usable information.Carolyn: How much data are you crunching every day?Kris: A lot.Mark: Is this more of a future state for us? Is this a state now where we're able to take advantage of this?Kris: This is now, this argument. We have this argument with future commands, a lot. It's like AI is not the future, AI is now because right now at RFL, we’re supervising seven separate AI projects. We're actually using an IBM Watson implementation and a couple of other things to do AI projects and predictive modeling. One of those that we mentioned before was retention prediction.Hopefully this February, March, it's already been tested for a trial. We're just waiting to get it up and accessible. The RPMA, the Retention Prediction Model Army, we've got this in partnership with the Institute For Defense Analysis. We're just putting it into our systems and getting it hooked up to all the right data feeds. 
But it creates an individual vector of attrition for every active duty person right now.Talent Management Prediction VectorsKris: We can say based on this quarter, next quarter out to 20 years from now, what's the likelihood we're going to retain this person. That's cool, but the best part of it is not just the individual aspect. It makes it really easy for us to combine that data. Look at those prediction vectors by demographics, by particular skill sets, by commissioning source, by a point of recession.We can really figure out trends in who's staying and who's going. Where we need to do some targeted retention efforts if we're going to keep the right talent that we need for the future. We're also trying to develop some algorithms to help us figure that out of our marketplace. We want to have something that looks like LinkedIn's talent insights, where you start seeing demand go up for certain skills.You've got your human resources professional. Well, this person also needs to have a background in analytics now because we're seeing all these things. We wanted to pop up in the marketplace and tell a commander, \"Hey, we're starting to see this demand signal here. Do you want to add this to your request?\" Yes they do. I also want to be able to funnel that information to our schoolhouses as we're developing the training talent. So that they know, \"Hey, this is an increasing demand in your field. You need to make sure that we have this in the program of instruction.\"Carolyn: Do you collaborate?Mark: Are you looking across the army into the warfighter needs? Are you talking more like IT and some of the different skill sets like that?Project RIDGWAYKris: No, our best client in the campaign of learning right now is the 18th airborne corps in the 82nd air board division. They're doing Project RIDGWAY which is their move toward becoming an AI-driven corp and division. 
They have a number of different exercises that have gone on through that process to test how they're going to use this information. To see what they need to automate, how it's going to change their business processes and their decision flow.We're looking at supporting them with this talent. But then, we're also looking at how we do it at the high level. What does the leading edge for these capabilities look like? We've got army research labs working on this. We have the AI integration center of Carnegie Mellon looking at this. Also, we have a future command doing a lot of great data science work. We have the center for army analysis. And we have a lot of folks who are really digging in and looking at what the future looks like.Carolyn: You're collaborating a lot within DoD and Carnegie Mellon. What about industry at large? You mentioned LinkedIn insights. Do you collaborate with industry?Kris: Frequently. We're actually trying to leverage some of the collaboration with academia and industry that our air force partners have done so far. I talk a lot to the guys who found a digital university. They have a lot of networks going with both academic partners and industry partners and how they're developing their curriculum for their advanced analysts. I do have some other partnerships going on with various vendors that we're trying to...","content_html":"

In an AI driven world, the role of intuition and experience can be hard to define. Kris Saling, Chief Analytics Officer for the Army Talent Management Task Force and Director of People Analytics in the office of the Assistant Secretary of the Army M&RA joins Tech Transforms to give insight on talent management within government agencies.

Episode Table of Contents

  • [00:41] The Analytic and Technology of Talent Management
  • [07:35] Ensuring Unbiased Data Talent Management
  • [16:28] Talent Management Prediction Vectors
  • [22:21] Quality of Life
  • [31:58] Talent Management in AI Analytics
  • [38:39] How Do We Ensure Trust in Talent Management

Episode Links and Resources


The Analytic and Technology of Talent Management

Carolyn: Kris Saling is Deputy Director Army, People Analytics, and the Chief Analytics Officer for the Army Talent Management Task Force. She coordinates analytic and technology solutions, writes policy, and resources innovation to promote data-driven decision-making across the Army's people enterprise. Kris, welcome to Tech Transforms.

Kris: Thanks so much, and I'm really happy to be here. This is going to be fun.

Carolyn: So I want to start off with a two-part question. Let's start with the awesome poster behind you, of Sherlock Holmes. Tell us the story behind that.

Kris: There are a bunch of stories behind that. The big one is people ask me why I went into data science out of all the things I could have gotten into. My usual answer for them is because I read too much Arthur Conan Doyle when I was growing up. I just love the idea of sifting through all this information, finding clues, and solving problems, and that just persisted.

That's up there for some motivation, but also a huge Robert Downey Jr. fan. He established a smart AI, a corporation that specializes in sustainability work through AI. It's called Footprints. He took the whole Tony Stark thing and decided he was going to make that his real life.

Carolyn: I'm loving him even more. I've always been a big fan. How can you not be?

Kris: Yes, save the planet through AI, how can you not love that?

Carolyn: Before we move on to your job, do you have a favorite Arthur Conan Doyle story? What's your favorite Sherlock Holmes?

A Long and Unusual Story

Kris: There's so many of them that stick, but I'm trying to remember the title of it. It's one of the first ones where he first meets Watson and just some of their banter. It is a really long and unusual story. Half of the story is a flashback where he's talking to the perpetrator, one of these crimes. He is talking about his migration across the wild west frontier. Going to have to try and remember what that was, but it's just the meeting between him and Watson.

Just the dynamic of this very straight-laced professional, trying to sit there and figure out what the heck he has in this certifiably insane new roommate. But the fact that they connect on the intellectual level, it just makes that dynamic all kinds of fun.

Carolyn: Do you remember?

Mark: It's like Jarvis.

Carolyn: Do you remember how old you were when you first got hooked? Your first story?

Kris: 12 or 13 I think?

Carolyn: So now we know what inspired you to get into the line of work that you're in? Mark and I are really intrigued by your titles. Is it HR or is it operations? It's super cool. You have a quote that says you're leveraging AI to leverage AI. Will you unpack what it is that you do to include how the USA fits in?

Kris: I have two bosses. One of them is the assistant secretary of the army for manpower and reserve affairs. The other is the director of the army talent management task force. In both of my roles, I essentially have the same portfolio.

Applying Talent Management in People Analytics

Kris: My short way of explaining it is it's all things talent data and data talent. So doing a lot to revitalize how the army is looking at its personnel management systems. I’m going from just transactional human capital type work to actual people analytics. We're starting to look at not just quantity analytics, but quality distribution employment. How do we optimize performance, but then also how do we do targeted retention to keep our top talent? Those kinds of problems.

On the data talent side, I run a planning team that looks at the army data workforce. I've run this for about two years now. We look at how we do talent management for the folks who are doing everything. From our very high-end analytics, building AI solutions, doing very high-end data architecture to just what does basic data literacy look like for them? So all of that fits within this really broad portfolio.

I've been really fortunate that my bosses have allowed me to essentially build my portfolio. They just come at me and we're giving you some free space to think about what the army needs to understand about its people and what kind of talent we need to make that happen. So go play and I swear this has been my favorite job in the army, it's so much fun.

Mark: Who are your customers then? Are your customers commanders over certain areas and then you're looking to help them as far as how they field their organization? Or it's not really operational or logistics type stuff?

Kris: Oh it is. One of the projects we have ongoing right now is a campaign of learning where we are.

Data Talent Management

Kris: We’re trying to see how far down in the operational army we push data talent and how we build the supporting architecture. How do we build the supporting environments that we need in order to do analytics at that level? Also, how do we make it accessible? But then, how do we train up not just the data professionals who are going to be working at that level, but also the commanders to interpret the information and turn it into action, into decisions?

Mark: When you talk about the architecture, is that the architecture of the human capital and the resources that you're providing to do whatever the mission would be?

Kris: There's some of that. Some of it is process engineering, the rest is actual data architecture. Have we developed our pipelines in order to be able to push data safely and securely to these organizations that haven't previously had access? They've had to send RFIs or requests for information up higher.

We don't want them to have to send in a request 48 hours, two weeks, whatever it is later, they get some analysis that you've all seen the requirements model where it's like playing telephone. The more steps you have in between the person who actually needs something and the person who's going to deliver it, the more it gets garbled.

We want to be able to have commanders ask their questions to the right kind of talent to interpret it appropriately. Understand what is needed in the data and be able to engineer that solution. Now, it might just be a couple of folks and at that point of the question point of origin, basically with reach back capability up in the higher ranks.

Ensuring Unbiased Data Talent Management

Kris: But again, we're still campaigning and learning. We're experimenting with what works best and what's the best use of our talent.

Carolyn: Do you have challenges with ensuring that the AI is unbiased?

Kris: That's a challenge everywhere. The idea that AI is ever going to be unbiased is like saying that humans are ever going to be unbiased because we all use biases.

Carolyn: It's really just an extension of us.

Kris: It's only as good as the decisions made by the people who program it or the decisions it's learning from.

The way you get around bias in AI is the same way you get around bias in an organization. You bring in a lot of diverse perspectives, you bring in a lot of quality control. And you ask a lot of the “what if” questions.

So you have to go back through and essentially triage the model when you're developing either a machine learning model, deep learning model, or you have AI making those decisions and those recommendations. But part of that is going back through and looking at what the model's keying in on. Is it actually making decisions based on stuff you want it to be making decisions? Do you need to hide some of the variables?

There's an example I used. There was an AI that somebody created a few years ago to predict winners of the Academy Awards. It turned out, it was just keying in on anything Daniel Day-Lewis was in. It’s just like, "Okay, granted that is correlated." But we don't want you predicting based on this. He might turn into a lemon.

From the End Game Backwards

Mark: You mentioned in a recent interview that you look at the problem from the end game backwards. This builds on the question we just asked because it seems like a very difficult thing to do. If you start with the end game, then aren't you basically saying this is the outcome we want to see? How do you create the algorithm to give you something that well? You don't know and you don't want to necessarily point it to the answer. But you want to see what you might be able to get out of it without doing that.

Kris: It's beginning with the end in mind. When we start looking at the outcomes we want to generate, we have to focus on something. Train the model and sometimes that focus is a proxy for what we actually want it to focus on. More and more, we're getting our folks to build things using very modular, reusable, very tailor-able code. If we decide we want it to do business in a different way, we want it to key in on something differently. Then that's fairly easy to go in and modify.

We're doing this right now with some of the predictive tools we're looking at for performance. The way we're looking at performance is based on how the army currently measures performance. But we have a number of efforts going on to change through our campaign of assessments on how we measure performance. We need that to be something we can iterate on later. One of the things that we've keyed in over time for the army has been that there's no more end states.

How Intuition and Experience Helps in Process Improvement

Kris: We're not going to plan toward an end state. Something isn't just like a one and done, this is continual. We've got to keep upgrading, and we've got to keep developing. We have to keep this thing adaptive and learning. So if we get more traction on that, then we generate more of a flavor process improvement.

Carolyn: Your job sounds really broad. I heard you say you use AI to source new talent, retain talent, and help identify talent who's going to be best on this or that mission. Identify talents who should be on these different teams.

Kris: That last one is something we're trying to get to. We're doing a lot of job competency studies right now to see what's actually required for different positions. We don't have that in the granular level of data that I'm looking for to be able to make some of those recommendations. What I envision out of our marketplace is eventually, you get a recommendation engine, it starts looking like Amazon. Since you like this job, you might also like these. Since you did this job, these might be the next best for you based on your capabilities.

So we have an effort right now to basically make an intelligent individual development plan where folks can go through. See where their skills might best lead them or pick goal positions down the way. This can show them, "Okay, here are the gaps in your current resume." My eventual dream for that is here are the gaps in your resume, would you like to sign up for a class? Would you like to take a self-initiated assessment or to talk to your career coach? All these different ways that we can help them bridge that gap.

Where the Army Needs To Be

Mark: It sounds like you're working with the leadership of the Army to determine this is where the Army needs to be in 5, 10 years down the road.

Kris: That was the charter they gave me. It's just like, "Okay, what do we need to know about the Army? What's your 10-year life plan?" I'm like, "Oh this is going to be fun."

Carolyn: I had never really thought about using the AI for this purpose. It makes sense and I'm wondering about your role, how new is this job? For other organizations, even in the commercial world, is this a thing? Or is this a thing that you're creating right now?

Kris: This particular job is one created for the Army. I've been in and out of the MNRA for the past six years which is unusual for an Army officer. Normally the PCS has a lot. But I started out in the G1, the Army's director and personnel working on how we actually use our data. How we collude all of it together out of all of the different systems we have spread throughout the Army in a way where we can rapidly access it and utilize it to solve problems.

We put together what was at the time called the Human Capital Big Data Plan. It just basically directed consolidation of all our personnel data into this massive data warehouse that we house out in Monterey with the research facilitation lab. From there, we've grown a number of different initiatives. We started using this data in creative ways. We've really started to see the gaps between what we need, as far as data, to answer our questions.

Asking the Right Questions

Kris: We see what we don't have and basically if we are asking the right questions. I noticed, I didn't quite address this, the leveraging at leveraging AI to leverage A? AI takes a lot of data so we are making more data. We're using natural language processing and optical character recognition. A whole bunch of other techniques that fall underneath the advanced analytics umbrella to go through and read old evaluations. Read files, transcripts, and all of the stuff that we have that's sitting in TIF files in our repositories at Human Resources Command. We’re trying to turn that into more usable information.

Carolyn: How much data are you crunching every day?

Kris: A lot.

Mark: Is this more of a future state for us? Is this a state now where we're able to take advantage of this?

Kris: This is now, this argument. We have this argument with future commands, a lot. It's like AI is not the future, AI is now because right now at RFL, we’re supervising seven separate AI projects. We're actually using an IBM Watson implementation and a couple of other things to do AI projects and predictive modeling. One of those that we mentioned before was retention prediction.

Hopefully this February, March, it's already been tested for a trial. We're just waiting to get it up and accessible. The RPMA, the Retention Prediction Model Army, we've got this in partnership with the Institute for Defense Analyses. We're just putting it into our systems and getting it hooked up to all the right data feeds. But it creates an individual vector of attrition for every active duty person right now.

Talent Management Prediction Vectors

Kris: We can say based on this quarter, next quarter out to 20 years from now, what's the likelihood we're going to retain this person. That's cool, but the best part of it is not just the individual aspect. It makes it really easy for us to combine that data. Look at those prediction vectors by demographics, by particular skill sets, by commissioning source, by a point of recession.

We can really figure out trends in who's staying and who's going. Where we need to do some targeted retention efforts if we're going to keep the right talent that we need for the future. We're also trying to develop some algorithms to help us figure that out of our marketplace. We want to have something that looks like LinkedIn's talent insights, where you start seeing demand go up for certain skills.

You've got your human resources professional. Well, this person also needs to have a background in analytics now because we're seeing all these things. We wanted to pop up in the marketplace and tell a commander, "Hey, we're starting to see this demand signal here. Do you want to add this to your request?" Yes they do. I also want to be able to funnel that information to our schoolhouses as we're developing the training talent. So that they know, "Hey, this is an increasing demand in your field. You need to make sure that we have this in the program of instruction."

Carolyn: Do you collaborate?

Mark: Are you looking across the Army into the warfighter needs? Are you talking more like IT and some of the different skill sets like that?

Project RIDGWAY

Kris: No, our best client in the campaign of learning right now is the 18th Airborne Corps in the 82nd Airborne Division. They're doing Project RIDGWAY which is their move toward becoming an AI-driven corps and division. They have a number of different exercises that have gone on through that process to test how they're going to use this information. To see what they need to automate, how it's going to change their business processes and their decision flow.

We're looking at supporting them with this talent. But then, we're also looking at how we do it at the high level. What does the leading edge for these capabilities look like? We've got Army research labs working on this. We have the AI integration center of Carnegie Mellon looking at this. Also, we have a future command doing a lot of great data science work. We have the Center for Army Analysis. And we have a lot of folks who are really digging in and looking at what the future looks like.

Carolyn: You're collaborating a lot within DoD and Carnegie Mellon. What about industry at large? You mentioned LinkedIn insights. Do you collaborate with industry?

Kris: Frequently. We're actually trying to leverage some of the collaboration with academia and industry that our Air Force partners have done so far. I talk a lot to the guys who found a digital university. They have a lot of networks going with both academic partners and industry partners and how they're developing their curriculum for their advanced analysts. I do have some other partnerships going on with various vendors that we're trying to...

","summary":null,"date_published":"2022-01-19T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/9b31ae77-83a1-4fe3-a719-ee94d972280f.mp3","mime_type":"audio/mpeg","size_in_bytes":37544385,"duration_in_seconds":2680}]},{"id":"a1d91f84-c25d-4a98-9280-d358cca3d994","title":"Episode 18: Supply Chain from Fuel to Forces with Scott Hume","url":"https://techtransforms.fireside.fm/18","content_text":"Logistics of supply chain could be the difference in a successful mission for on the ground forces or the cyber warfighter. Scott Hume, managing director of operations in contested environments at MITRE, speaks to the importance of tactical planning and innovation to assist our troops. Carolyn and Mark discover the best ways industry can assist the warfighter.Episode Table of Contents[00:47] Globally Contested Logistics Strategy[07:17] Supply Chain Challenges[13:47] Constant Intellectual Property[21:28] Globally Contested Supply Chain[30:27] Robot DogsEpisode Links and ResourcesScott HumeMITREGlobally Contested Logistics StrategyCarolyn: Today's guest, Scott Hume, is the managing director of operations in contested environments at MITRE. Scott has been with MITRE for more than 20 years. He’s responsible for shaping the company's globally contested logistics strategy, particularly for one of its sponsors, the US Air Force.Today we're going to talk to Scott about how our government and our military enhance their capabilities in contested environments through partnerships with industry and academia. We’ll also discuss how the industry can best connect with the DOD to help safeguard our nation and support our military.Let's start out Scott with how MITRE does a lot of work with the Department of Defense. Can you tell us what areas and with which military branches you do work with?Scott: Let me first start out because some of the audience may not be aware of MITRE. 
In fact, when I came to MITRE over 20 years ago, I was disappointed that we weren't the company that made soccer balls and soccer cleats. I quickly learned that MITRE operates R&D centers for the government. One in particular is the Department of Defense, which is our National Security Engineering Center.Particularly of the 20 years, I spent the majority working with the Air Force. But MITRE works across all branches of the Department of Defense as well as the combatant command and the joint Chief of Staff. Throughout the Air Force, I always say that I've had seven different careers. At MITRE, I've been able to work in IT, cyber, command and control, programs, as well as counter improvised explosive devices. So counter IEDs during the war on terrorism.Remembering Pearl HarborCarolyn: What area of the military and the branches are you working with?Scott: Primarily I'm working with the Air Force, leading an opportunity to develop MITRE's globally contested logistics. Let me break that apart for you. When we talk about logistics, it's really anything from fuel, water, ammunition to food. It’s getting equipment as well as our forces to the locations that they're going to have to fight in.The contested pieces, I'll pause for a second and remember the day of December 7th, 80 years ago. So on this day today, an adversary decided to bomb Pearl Harbor and our forces there. That was the last time that we actually were in a contested environment across the globe. Where we didn't have freedom of maneuver, freedom of navigation and we're in that environment today with our pure adversaries.We no longer have the full freedom to move our forces or supplies, like some would call the greatest generation. Perhaps we can meet that same call as we look at how to, first of all, develop the capabilities our DoD needs to deter that fight with a pure adversary. But if that pure adversary chooses to fight, we have the capabilities to win and execute that fight. 
If you look at the logistics piece of it, it goes all the way back to the Napoleon wars.Napoleon once was quoted as saying, \"Logistics wins the wars.\" MITRE is not a logistics company nor are we looking to get into that business. We're looking at how we provide our system engineering and integration expertise to this domain. If you read the 2018 national defense strategy, you don't have to read the classified version. There's an unclassified version that's out there.Understand Logistics and Supply ChainScott: You quickly will understand that logistics is our underbelly. The way that the DoD has positioned itself for conflicts, it takes months. We move massive amounts of material and it's analogous to the way the Hume family goes on vacation. Whether it's two days or two weeks, our suburb is packed with everything that we might need.That's how the logistics community is when we go to these conflicts. You saw that in some of the withdrawal of Iraq. Why did we have all of that equipment? Some of it may not have been necessary. Because we plan and go to war by doing, \"What if this happens? Well, then I need that piece of device.\"Mark: Is that because of the reality of geography that we're typically fighting wars across oceans and that's just challenging in its nature?Scott: Moving equipment, fuel, water, I believe 80% of it is fuel and water, and that's a huge challenge. Also as you brought up, our conflicts over the last have been more of a way game. But we will get into this. I'll contest that there's a home game fight to this with a pure adversary, especially if we talk about cyber and other EW, electronic warfare and other things.Carolyn: You said that the logistics are our underbelly. Do you think that's true for other adversaries or is it really unique to us?Scott: It becomes more of a logistical challenge when you're fighting in an away game. So if you're fighting and it's a home game for you, you have more access to your supplies. 
That itself is a challenge.Supply Chain ChallengesScott: If we look at our pure adversaries, whether it's China or Russia, if we focus on China, you're looking at the tyranny of distance across water that we would have to rapidly move supplies, whether that's sealift or airlift.And then just things we can learn from going through this past pandemic, our supply chain challenges. If we look at the cyberattack on the gas pipeline in the Southeast just recently, that starts to get you thinking about this home fight. We will fight in all domains, whether it's air, land, sea. There'll be a fight in space as well as cyber.So if you want to cause chaos or slow our movement down, a cyberattack on our critical infrastructure in the United States would severely impact this fight. If there was a fight, they talk about war of annihilation, a war of attrition, or a war of exhaustion, I don't think we're looking at annihilation as I don't think anyone would escalate up to nuclear level kind of thing.Attrition could happen. A conflict with a pure adversary becomes a war of exhaustion. If you can exhaust our capabilities to resupply our forces, that's crucial. Then look at using all avenues and fighting in all domains.If you think about this logistics piece, I'll start within our own United States. How do we get, not only the defense industry base, but our manufacturing up to the speed that we would need to be able to manufacture goods and supplies? And how do you protect them from those cyber attacks? Many of our traditional logistics suppliers don't have SIPRNet. They don't even have NIPRNet. So they communicate in the open. How would we protect that?How Do We Protect the Supply ChainScott: You have to get those supplies into the theater, the challenge in and of itself. Then how do you get those supplies and protect those supplies? 
How do you get those supplies down to the tactical edge for when they need it in a matter of days?Carolyn: I feel like you explained what contested environments mean, but I'm not 100% sure. Figuring out how to secure the supply chain, secure the communication lines, is that what you do?Scott: That's one aspect that MITRE's looking at, working with our DoD sponsors. There's also the contested piece. I talked about jammers. They will jam our communication so we won't be able to communicate. We mentioned a fight in space. So imagine not being able to have our satellites or have satellite communications.Our peer adversaries have radar technology that will be able to detect our fighters, detect our Navy as well. We won't be able to just kind of roll in onto the country of one of these peer adversaries and just go deploy the Army like we did when we went to Iraq or went through Afghanistan.Mark: You hit on so much stuff here, Scott. We could spend an entire week unpacking this. Those different domains probably are massive efforts.Scott: When I describe that from the industry base to theater supply to the tactical edge, most people say, I'm describing one of the most complex system engineering problems that this country faces within the DoD. It's not an elephant that I'm talking about. It is a herd of elephants. How do you decompose each one of those?Many Facets of Those ElephantsScott: There's many facets for each one of those elephants that we have to look at. That's one of the values that MITRE brings. We try to look at these hard complex engineering problems holistically from that defense industry base or even small businesses, or academia. Look at how they could help, all the way to that warfighter at the tactical edge on an island in the Pacific.Mark: Are you specifically working with the Air Force or is it a broader kind of audience that you're having these conversations with?Scott: It's broader. I primarily work with the Air Force. 
But in this case, when we're talking about globally contested logistics, it's broader DoD. It's beyond the DoD as well because we need to look at our allies and partners. So how do we work with the state department? I talked about the home game aspect of this. It's working with the Department of Homeland Security as well.We call it a great power competition in this competition phase. There are aspects of commerce and treasury that are involved as well, diplomacy. The military is just one aspect of this. There's all of the government that needs to be looking at this.Mark: It feels like a multidimensional or four-dimensional arena that we're trying to manage and use to our advantage.Carolyn: How does industry help with this? Mark and I are on the industry side. What are best practices for industry to support our military and to help with these problems?Scott: If we break it up in certain aspects, let's talk about the supply chain aspect. How do we protect our supply chain, how do we protect our businesses from cyber attacks that are involved here?Constant Intellectual PropertyScott: We don't have constant intellectual property being evacuated by our competitors. From that aspect, how do we look at leveraging new technologies like autonomous drones, things like that? Perhaps it's an unmanned aircraft or even sea vessel that is delivering a logistics package on that island in the Pacific. How do we look at technology from that aspect of it?Then also looking at aspects of 3D printing, additive manufacturing. Imagine if you actually could quickly 3D print a part in the middle of the Pacific so that you could get a plane back up and running. Instead of having to wait for it to be shipped to you or flown to you. There's a lot of different technology spaces that could apply here.Carolyn: How does the DoD prefer that industry engage? What's the best way?Scott: There are avenues which industry can engage with the DoD. 
You can always look for requests for information, RFIs if they have or requests for proposals through the acquisition community. But I would say one way that industry can engage is also through MITRE.MITRE's role is to be that bridge between industry and the DoD in this case. I'm on LinkedIn, you can find me on LinkedIn for our folks. They can reach out and connect there. There are many aspects where industry can play here again to help from all aspects of globally contested logistics.Mark: Thinking about the supply chain and all the challenges we seem to be having in civilian life.Carolyn: Just getting our Christmas stuff.Mark: So the military has TRANSCOM. Aren't they like military logistics? Isn't that their charter?Aggregating the Supply ChainMark: I wonder if Secretary Buttigieg is working with the military to help them with stuff like this. It just seems like that's a perfect area where those two entities can work together to try to solve problems.Scott: No criticism with TRANSCOM, but TRANSCOM has been used to doing logistics in permissive environments. They've had months to aggregate supplies.Mark: Not days and weeks?Scott: Again, not to be critical of it because there are some great things that TRANSCOM did, but disaggregating our supplies in Afghanistan was a huge challenge for them. There's a cultural aspect of how we do things differently. There are concepts of operations that need to be rethinked.How do we analyze our data to be more predictive on our logistics front, and be more predictive on the health of our aircraft or rotary vehicles? There's a lot of aspects in the supply chain whether through the pandemic or the supply chains that we're all facing in our lives now. 
It's all something that we, both industry, academia and others, can really rethink about how we do our logistics differently.Mark: Can you spend a minute or two delving a little bit into the cyber side of this to talk a little bit about this whole concept of the contested logistics, as it relates to the cyber side of it.Scott: I see the cyber side of it will definitely be a huge play in this. So many of our industry bases have some network defense capability. But probably not the most latest or many companies don't even have a cyber framework that they're following.The Attack FrameworkScott: MITRE has what we call the Attack Framework, which is readily available off of mitre.org. It talks about how industry can leverage different policies, procedures, or capabilities that they should be looking at protecting their business from multi-facets.Mark: Are you talking about more of the defense industrial base or all like industry?Scott: I would recommend all industries. In particular, our defense industry base, which they are looking at. Our financial institutions are heavily involved in cyber protection. But if you look at the supply chain where we have minerals that we must need, are those minds protecting their network? Probably not.It hadn't occurred to them to think about those. That raw material, where it's getting manufactured, if you shut down that factory through a cyber attack, imagine the impact that could have.Mark: Have you found or heard about industry's willingness to participate in this collaboration or do you find that industry resists this?Scott: From a cyber protection perspective or from contested logistics?Mark: Just working with the military.Scott: There's been some hesitation for some of their industry-base. I would say the non-traditional defense industry base to work with the military. 
The military has gone on a campaign to open those doors more to small businesses and other nontraditional industry bases.I hope to see our fellow patriots stand up and want to work with the military. From a cyber perspective, cyber has become more pervasive in our society. With all the different attacks that have happened, you're seeing the industry base really step up there.What Contested Logistics Supply Chain MeansScott: When we're talking about globally contested logistics, we spent five minutes just having me describe to you what contested logistics really meant. There's an awareness campaign that a lot of folks just aren't aware of. The environment or future environment in which the military would have to conduct operations.Carolyn: MITRE facilitates this between industry and government. Can you talk about how MITRE would go about developing options to deter attacks on the supply chain, cyber, critical infrastructure? What does that look like for you? Like a day in the life of Scott.Scott: MITRE's role is one, making sure that we can help our DoD capture what those challenges and problems are. What kind of requirements are they looking for, whether it's both operational requirements or technical requirements? The MITRE, often we would start to look at what a prototype might look like to help flush out those requirements.That's where we can really look with, partner with industry to see if there's technology that can be integrated into those prototypes. Often, it's not just one capability or one piece of software or hardware. It's often looking at it from a systems of systems approach.MITRE's role is looking from a system engineering perspective. It’s looking at how we integrate different capabilities to maybe solve that challenge space for the DoD.Carolyn: When you say prototype, it’s like you're developing an architecture or a process or a plan rather than a single prototype. Am I interpreting that right?Scott: It could go from an architecture framework. 
It could also be an actual no hands-on prototype, not one that MITRE produces or sustains. We're not in that business but one that could just help visualize what a system of systems could do.The Coolest PrototypeScott: I wouldn't even call it a .1 version. It's more of a 0.2 version. Those in the software world would know. That's something that helps the DoD then understand what the requirements are. How they could use those systems and then be able to go through the acquisition process.Carolyn: What's the coolest prototype you've ever worked on?Scott: One of the coolest ones I did is called Localize. The premise behind this was when I was working counter IED. So counter improvised explosive devices. The premise about Localize is it was using your phone. It was allowing Iraqi citizens to let US forces know where these IEDs were being hidden, whether it was under the ground, in a building. The premise behind it was instead of trying to find a needle in the haystack, the IED being the needle, you turn the haystack into sensors to tell you where that needle or that counter IED is.Carolyn: What do you mean it uses your phone?Scott: This was an app that MITRE developed, prototyped, and actually transitioned it to industry to produce it.Carolyn: It sniffed out IEDs?Scott: It allowed citizens to report IEDs.Carolyn: You crowdsourced?Scott: Yes. It was an earlier version of crowdsourcing because this was back in 2005.Carolyn: So you're saying MITRE invented that term crowdsourcing? I'm just kidding.Mark: MITRE invented the term raid parties.Scott: That's a thought of how MITRE has a concept that we're thinking we're working with a DoD. They're like, \"How do we get this concept?\" So we build a little bit of a prototype and then see if it can be operationally used.A Technology TransitionScott: And then do a technology transition to an industry partner to take it further, build upon it, produce it, and maintain and sustain it. 
But that was one of my favorite prototypes that I worked on.We integrated the early use of facial recognition software on it, which we were able to integrate as well. It allowed our force protection folks to be able to test out, if there was someone that was of...","content_html":"

Logistics of supply chain could be the difference in a successful mission for on-the-ground forces or the cyber warfighter. Scott Hume, managing director of operations in contested environments at MITRE, speaks to the importance of tactical planning and innovation to assist our troops. Carolyn and Mark discover the best ways industry can assist the warfighter.

Episode Table of Contents

  • [00:47] Globally Contested Logistics Strategy
  • [07:17] Supply Chain Challenges
  • [13:47] Constant Intellectual Property
  • [21:28] Globally Contested Supply Chain
  • [30:27] Robot Dogs

Globally Contested Logistics Strategy

Carolyn: Today's guest, Scott Hume, is the managing director of operations in contested environments at MITRE. Scott has been with MITRE for more than 20 years. He’s responsible for shaping the company's globally contested logistics strategy, particularly for one of its sponsors, the US Air Force.

Today we're going to talk to Scott about how our government and our military enhance their capabilities in contested environments through partnerships with industry and academia. We’ll also discuss how the industry can best connect with the DOD to help safeguard our nation and support our military.

Let's start out, Scott, with how MITRE does a lot of work with the Department of Defense. Can you tell us what areas and with which military branches you do work with?

Scott: Let me first start out because some of the audience may not be aware of MITRE. In fact, when I came to MITRE over 20 years ago, I was disappointed that we weren't the company that made soccer balls and soccer cleats. I quickly learned that MITRE operates R&D centers for the government. One in particular is the Department of Defense, which is our National Security Engineering Center.

Particularly of the 20 years, I spent the majority working with the Air Force. But MITRE works across all branches of the Department of Defense as well as the combatant command and the Joint Chiefs of Staff. Throughout the Air Force, I always say that I've had seven different careers. At MITRE, I've been able to work in IT, cyber, command and control, programs, as well as counter improvised explosive devices. So counter IEDs during the war on terrorism.

Remembering Pearl Harbor

Carolyn: What area of the military and the branches are you working with?

Scott: Primarily I'm working with the Air Force, leading an opportunity to develop MITRE's globally contested logistics. Let me break that apart for you. When we talk about logistics, it's really anything from fuel, water, ammunition to food. It’s getting equipment as well as our forces to the locations that they're going to have to fight in.

The contested pieces, I'll pause for a second and remember the day of December 7th, 80 years ago. So on this day today, an adversary decided to bomb Pearl Harbor and our forces there. That was the last time that we actually were in a contested environment across the globe. Where we didn't have freedom of maneuver, freedom of navigation and we're in that environment today with our peer adversaries.

We no longer have the full freedom to move our forces or supplies, like some would call the greatest generation. Perhaps we can meet that same call as we look at how to, first of all, develop the capabilities our DoD needs to deter that fight with a peer adversary. But if that peer adversary chooses to fight, we have the capabilities to win and execute that fight. If you look at the logistics piece of it, it goes all the way back to the Napoleon wars.

Napoleon once was quoted as saying, "Logistics wins the wars." MITRE is not a logistics company nor are we looking to get into that business. We're looking at how we provide our system engineering and integration expertise to this domain. If you read the 2018 National Defense Strategy, you don't have to read the classified version. There's an unclassified version that's out there.

Understand Logistics and Supply Chain

Scott: You quickly will understand that logistics is our underbelly. The way that the DoD has positioned itself for conflicts, it takes months. We move massive amounts of material and it's analogous to the way the Hume family goes on vacation. Whether it's two days or two weeks, our suburb is packed with everything that we might need.

That's how the logistics community is when we go to these conflicts. You saw that in some of the withdrawal of Iraq. Why did we have all of that equipment? Some of it may not have been necessary. Because we plan and go to war by doing, "What if this happens? Well, then I need that piece of device."

Mark: Is that because of the reality of geography that we're typically fighting wars across oceans and that's just challenging in its nature?

Scott: Moving equipment, fuel, water, I believe 80% of it is fuel and water, and that's a huge challenge. Also as you brought up, our conflicts over the last have been more of an away game. But we will get into this. I'll contest that there's a home game fight to this with a peer adversary, especially if we talk about cyber and other EW, electronic warfare and other things.

Carolyn: You said that the logistics are our underbelly. Do you think that's true for other adversaries or is it really unique to us?

Scott: It becomes more of a logistical challenge when you're fighting in an away game. So if you're fighting and it's a home game for you, you have more access to your supplies. That itself is a challenge.

Supply Chain Challenges

Scott: If we look at our peer adversaries, whether it's China or Russia, if we focus on China, you're looking at the tyranny of distance across water that we would have to rapidly move supplies, whether that's sealift or airlift.

And then just things we can learn from going through this past pandemic, our supply chain challenges. If we look at the cyberattack on the gas pipeline in the Southeast just recently, that starts to get you thinking about this home fight. We will fight in all domains, whether it's air, land, sea. There'll be a fight in space as well as cyber.

So if you want to cause chaos or slow our movement down, a cyberattack on our critical infrastructure in the United States would severely impact this fight. If there was a fight, they talk about war of annihilation, a war of attrition, or a war of exhaustion, I don't think we're looking at annihilation as I don't think anyone would escalate up to nuclear level kind of thing.

Attrition could happen. A conflict with a peer adversary becomes a war of exhaustion. If you can exhaust our capabilities to resupply our forces, that's crucial. Then look at using all avenues and fighting in all domains.

If you think about this logistics piece, I'll start within our own United States. How do we get, not only the defense industry base, but our manufacturing up to the speed that we would need to be able to manufacture goods and supplies? And how do you protect them from those cyber attacks? Many of our traditional logistics suppliers don't have SIPRNet. They don't even have NIPRNet. So they communicate in the open. How would we protect that?

How Do We Protect the Supply Chain

Scott: You have to get those supplies into the theater, the challenge in and of itself. Then how do you get those supplies and protect those supplies? How do you get those supplies down to the tactical edge for when they need it in a matter of days?

Carolyn: I feel like you explained what contested environments mean, but I'm not 100% sure. Figuring out how to secure the supply chain, secure the communication lines, is that what you do?

Scott: That's one aspect that MITRE's looking at, working with our DoD sponsors. There's also the contested piece. I talked about jammers. They will jam our communication so we won't be able to communicate. We mentioned a fight in space. So imagine not being able to have our satellites or have satellite communications.

Our peer adversaries have radar technology that will be able to detect our fighters, detect our Navy as well. We won't be able to just kind of roll in onto the country of one of these peer adversaries and just go deploy the Army like we did when we went to Iraq or went through Afghanistan.

Mark: You hit on so much stuff here, Scott. We could spend an entire week unpacking this. Those different domains probably are massive efforts.

Scott: When I describe that from the industry base to theater supply to the tactical edge, most people say, I'm describing one of the most complex system engineering problems that this country faces within the DoD. It's not an elephant that I'm talking about. It is a herd of elephants. How do you decompose each one of those?

Many Facets of Those Elephants

Scott: There's many facets for each one of those elephants that we have to look at. That's one of the values that MITRE brings. We try to look at these hard complex engineering problems holistically from that defense industry base or even small businesses, or academia. Look at how they could help, all the way to that warfighter at the tactical edge on an island in the Pacific.

Mark: Are you specifically working with the Air Force or is it a broader kind of audience that you're having these conversations with?

Scott: It's broader. I primarily work with the Air Force. But in this case, when we're talking about globally contested logistics, it's broader DoD. It's beyond the DoD as well because we need to look at our allies and partners. So how do we work with the State Department? I talked about the home game aspect of this. It's working with the Department of Homeland Security as well.

We call it a great power competition in this competition phase. There are aspects of commerce and treasury that are involved as well, diplomacy. The military is just one aspect of this. There's all of the government that needs to be looking at this.

Mark: It feels like a multidimensional or four-dimensional arena that we're trying to manage and use to our advantage.

Carolyn: How does industry help with this? Mark and I are on the industry side. What are best practices for industry to support our military and to help with these problems?

Scott: If we break it up in certain aspects, let's talk about the supply chain aspect. How do we protect our supply chain, how do we protect our businesses from cyber attacks that are involved here?

Constant Intellectual Property

Scott: We don't have constant intellectual property being evacuated by our competitors. From that aspect, how do we look at leveraging new technologies like autonomous drones, things like that? Perhaps it's an unmanned aircraft or even sea vessel that is delivering a logistics package on that island in the Pacific. How do we look at technology from that aspect of it?

Then also looking at aspects of 3D printing, additive manufacturing. Imagine if you actually could quickly 3D print a part in the middle of the Pacific so that you could get a plane back up and running. Instead of having to wait for it to be shipped to you or flown to you. There's a lot of different technology spaces that could apply here.

Carolyn: How does the DoD prefer that industry engage? What's the best way?

Scott: There are avenues which industry can engage with the DoD. You can always look for requests for information, RFIs if they have or requests for proposals through the acquisition community. But I would say one way that industry can engage is also through MITRE.

MITRE's role is to be that bridge between industry and the DoD in this case. I'm on LinkedIn, you can find me on LinkedIn for our folks. They can reach out and connect there. There are many aspects where industry can play here again to help from all aspects of globally contested logistics.

Mark: Thinking about the supply chain and all the challenges we seem to be having in civilian life.

Carolyn: Just getting our Christmas stuff.

Mark: So the military has TRANSCOM. Aren't they like military logistics? Isn't that their charter?

Aggregating the Supply Chain

Mark: I wonder if Secretary Buttigieg is working with the military to help them with stuff like this. It just seems like that's a perfect area where those two entities can work together to try to solve problems.

Scott: No criticism with TRANSCOM, but TRANSCOM has been used to doing logistics in permissive environments. They've had months to aggregate supplies.

Mark: Not days and weeks?

Scott: Again, not to be critical of it because there are some great things that TRANSCOM did, but disaggregating our supplies in Afghanistan was a huge challenge for them. There's a cultural aspect of how we do things differently. There are concepts of operations that need to be rethought.

How do we analyze our data to be more predictive on our logistics front, and be more predictive on the health of our aircraft or rotary vehicles? There's a lot of aspects in the supply chain whether through the pandemic or the supply chains that we're all facing in our lives now. It's all something that we, both industry, academia and others, can really rethink about how we do our logistics differently.

Mark: Can you spend a minute or two delving a little bit into the cyber side of this to talk a little bit about this whole concept of the contested logistics, as it relates to the cyber side of it.

Scott: I see the cyber side of it will definitely be a huge play in this. So many of our industry bases have some network defense capability. But probably not the latest, or many companies don't even have a cyber framework that they're following.

The ATT&CK Framework

Scott: MITRE has what we call the ATT&CK Framework, which is readily available off of mitre.org. It talks about how industry can leverage different policies, procedures, or capabilities that they should be looking at protecting their business from multi-facets.

Mark: Are you talking about more of the defense industrial base or all like industry?

Scott: I would recommend all industries. In particular, our defense industry base, which they are looking at. Our financial institutions are heavily involved in cyber protection. But if you look at the supply chain where we have minerals that we must need, are those mines protecting their network? Probably not.

It hadn't occurred to them to think about those. That raw material, where it's getting manufactured, if you shut down that factory through a cyber attack, imagine the impact that could have.

Mark: Have you found or heard about industry's willingness to participate in this collaboration or do you find that industry resists this?

Scott: From a cyber protection perspective or from contested logistics?

Mark: Just working with the military.

Scott: There's been some hesitation for some of their industry-base. I would say the non-traditional defense industry base to work with the military. The military has gone on a campaign to open those doors more to small businesses and other nontraditional industry bases.

I hope to see our fellow patriots stand up and want to work with the military. From a cyber perspective, cyber has become more pervasive in our society. With all the different attacks that have happened, you're seeing the industry base really step up there.

What Contested Logistics Supply Chain Means

Scott: When we're talking about globally contested logistics, we spent five minutes just having me describe to you what contested logistics really meant. There's an awareness campaign that a lot of folks just aren't aware of. The environment or future environment in which the military would have to conduct operations.

Carolyn: MITRE facilitates this between industry and government. Can you talk about how MITRE would go about developing options to deter attacks on the supply chain, cyber, critical infrastructure? What does that look like for you? Like a day in the life of Scott.

Scott: MITRE's role is one, making sure that we can help our DoD capture what those challenges and problems are. What kind of requirements are they looking for, whether it's both operational requirements or technical requirements? The MITRE, often we would start to look at what a prototype might look like to help flush out those requirements.

That's where we can really look with, partner with industry to see if there's technology that can be integrated into those prototypes. Often, it's not just one capability or one piece of software or hardware. It's often looking at it from a systems of systems approach.

MITRE's role is looking from a system engineering perspective. It’s looking at how we integrate different capabilities to maybe solve that challenge space for the DoD.

Carolyn: When you say prototype, it’s like you're developing an architecture or a process or a plan rather than a single prototype. Am I interpreting that right?

Scott: It could go from an architecture framework. It could also be an actual no hands-on prototype, not one that MITRE produces or sustains. We're not in that business but one that could just help visualize what a system of systems could do.

The Coolest Prototype

Scott: I wouldn't even call it a .1 version. It's more of a 0.2 version. Those in the software world would know. That's something that helps the DoD then understand what the requirements are. How they could use those systems and then be able to go through the acquisition process.

Carolyn: What's the coolest prototype you've ever worked on?

Scott: One of the coolest ones I did is called Localize. The premise behind this was when I was working counter IED. So counter improvised explosive devices. The premise about Localize is it was using your phone. It was allowing Iraqi citizens to let US forces know where these IEDs were being hidden, whether it was under the ground, in a building. The premise behind it was instead of trying to find a needle in the haystack, the IED being the needle, you turn the haystack into sensors to tell you where that needle or that counter IED is.

Carolyn: What do you mean it uses your phone?

Scott: This was an app that MITRE developed, prototyped, and actually transitioned it to industry to produce it.

Carolyn: It sniffed out IEDs?

Scott: It allowed citizens to report IEDs.

Carolyn: You crowdsourced?

Scott: Yes. It was an earlier version of crowdsourcing because this was back in 2005.

Carolyn: So you're saying MITRE invented that term crowdsourcing? I'm just kidding.

Mark: MITRE invented the term raid parties.

Scott: That's a thought of how MITRE has a concept that we're thinking we're working with a DoD. They're like, "How do we get this concept?" So we build a little bit of a prototype and then see if it can be operationally used.

A Technology Transition

Scott: And then do a technology transition to an industry partner to take it further, build upon it, produce it, and maintain and sustain it. But that was one of my favorite prototypes that I worked on.

We integrated the early use of facial recognition software on it, which we were able to integrate as well. It allowed our force protection folks to be able to test out, if there was someone that was of...

","summary":null,"date_published":"2022-01-05T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/547b9665-aade-4b7b-b809-187c14444f13.mp3","mime_type":"audio/mpeg","size_in_bytes":34181191,"duration_in_seconds":2440}]},{"id":"f0bd1146-9eab-4cde-a667-76fb66973baa","title":"Episode 17: Solving the People Problem with Retired Navy Chief Katy Craig","url":"https://techtransforms.fireside.fm/17","content_text":"\"Technology is easy: Everyone is doing it, culture is the challenge,\" says retired Navy Chief, now Defense Consultant, & Cyber Educator at Deloitte, Katy Craig. When it comes to implementing new technology, a trusting environment can make all the difference. In this episode, Carolyn and Mark learn why prioritizing people is always a step in the right direction.\n\nEpisode Table of Contents\n[00:48] Helping Teams Accelerate\n[09:34] The Point of the Mission\n[20:08] Better Minds on People Problem\n[29:09] Technology Is Transforming People Problem\n\nEpisode Links and Resources\nKaty Craig LinkedIn\nDeloitte\nZero Trust: An Enterprise Guide\nMinority Report\n4 Stages of Psychological Safety\nBlack Mirror\nThe DevOps Handbook\nThe Phoenix Project\nThe Unicorn Project\nThe Goal: The Process of Ongoing Improvement\n\nHelping Teams Accelerate\n\nCarolyn: Our guest today is Katy Craig, a retired Navy chief. She's now a defense consultant and cyber educator at Deloitte. We're going to talk about her work, helping teams accelerate to deliver value safely and securely to customers.\n\nShe provides guidance on tools, technologies, and methods such as cloud security, agile methods, SDX, Zero Trust, and DevOps practices. One of my favorite topics and Mark's as well, is shifting security left for DevSecOps and continuous everything.
Today, we're going to dial into how she helps teams embrace a DevSecOps culture, some of the biggest pitfalls, as well as best practices.\n\nI read something on your bio and I was like, \"I love that!\" You say in your bio, \"Technology is easy. Everyone is doing it. Culture is the challenge and where I can help most.\" Talk to us about that.\n\nKaty: I'm trying to think if I can legally hashtag it, the people, s*. I actually Googled it. Somebody did back in the '90s after President Clinton said, \"It's the economy, s.\" Somebody actually said, \"It's the people, s*.\" But I want to bring it back into the lexicon and into the vernacular. Because a lot of these buzzwords that we're hearing in the zeitgeist, DevOps, I need to go buy some agile.\n\nWe're going to do some DevOps. They're selling Zero Trust, let's go buy that. It is rarely turnkey solutions out of the box. It's rarely the technology that all these vendors are selling on the internet and promising it’s going to be the panacea.\n\nPeople Problem You Have to Deal With\n\nKaty: No matter how great your tool, your weapon, or your process, if the people don't embrace it, they aren't brought along, and aren't included in deciding that's the tool we're going to use, that's the process we're going to embrace, they're going to fight you. They're not going to adopt it.\n\nMaybe even in a bureaucracy, they might eventually go along to get along, but it will be delayed. It will be less of a quality approach. It's always going to come down to the people. We always have to remember that our reason for being here, for being in tech, for doing all this work has to come back to the people. I always go back to Gene Roddenberry and Star Trek. I'm a Trekker, sort of directive. You can do no harm.\n\nWhat are the Boston Dynamics people doing? I worry about the robots. It's got to come back to the people. If we're doing this tech and pursuing all these areas, it's got to come back to: is it going to be good for the people?
Is it going to make our lives better, make the planet better, or our country better? That's why I say, \"You know what, everybody's out there peddling technology. Promising that if you install my platform, I'm going to solve all your cyber problems.\" It's just not true.\n\nMark: Are you talking about the mission? Or are you talking about getting the people on board with the technology to be able to leverage and use it? Is it the people as it relates to the mission, or is it the people as it relates to getting them on board with the technology, and how it can help them?\n\nUnique People Problem of the Military\n\nKaty: It does go to the unique problem of military teams, for example. We have administrative control and operational control. Then we have organizations in the military that acquire their technology. They decide whether to make or buy the technology to serve the warfighters who are operating the technology. Those separations are real. They're part of the challenge because of how they're organized, regulated, supervised, overseen. They spawn bureaucracy.\n\nSo the people, in their way, the policymakers need to understand that they themselves have a lot to unlearn. That takes a lot. It takes so much vulnerability in ourselves to say, \"I need to relearn how to do acquisition.\" Using taxpayer appropriations to buy this capability is different in 2021 than it was in 1970, A1 Abrams containerized application.\n\nWe can't levy the same amount of oversight. The speed, there's so much delay in that type of bureaucratic oversight. For software, we can't move that slowly. So for the people to embrace that there is a new way of us living and fighting and being in the world during great power competition. You'll hear the military leadership talk about how we've got great powers rising and near-peer adversaries.
There's a lot of saber-rattling.\n\nThey need to understand those people, policy makers, legislators, government leaders, that the way that they look at acquisition and technology needs to change. The users, the war fighters, are actually ahead. They are aware of what could be, the art of the possible. They’re playing 4K UHD video games online with multi million players. They know what technology can support and do. They're used to using game controllers, joysticks, and getting information very quickly.\n\nOne Person Can’t Solve a People Problem\n\nKaty: Getting the warfighters, that group of people, to embrace the technology is easier in a way. What we need to do to help those people understand that bureaucrats are victims too. It's not like one person can come up in a bureaucracy and change it all.\n\nCarolyn: You said prime directive. Do no harm.\n\nKaty: Star Trek.\n\nCarolyn: We can lose sight of what this is really all about, the reason we do all this. Yes, there's the mission. But the whole point of the mission is to make our lives, our families' lives, the Earth, to make it better for us. To be happy, to be healthy, the prime directive. As you were talking, I'm like, \"Oh, I can get so focused on: Well, is this about the mission? Or is this about technology?\" But what it's all about is us.\n\nKaty: And helping us, the warfighter, the program manager, the citizens, and the family. We send volunteers off to join the military. It's not a job. They raise their right hand, swear under oath, give up certain rights and privileges, and do very dangerous work for us. The whole idea and goal really, if you adopt the people first concept, is let's not shed any blood at all. Let's avoid war.\n\nCarolyn: Peacekeepers.\n\nKaty: Let's keep the sea lanes open. I know the Navy, and so the Navy mission is one that's most clear in my mind. Let's support democracy worldwide and try not to allow human rights violations.
Let us do good for the environment, just all those noble things that are supposed to bring all of us up as people.\n\nThe Point of the Mission\n\nKaty: I always come back to the person, the humanity of the situation. Acknowledging that they have their hopes, dreams, aspirations, no matter who they are. Working side by side, or serving alongside, or delivering to a customer, all people, we all should consider the person first.\n\nCarolyn: That is the point of the mission. That gets me to these things that you educate on.\n\nMark: That was an incredibly rich answer. We could peel that bad boy back for the entire discussion today. You were hitting on so many different things. If I can dig in to just more of a specific thing. Explain to us the importance of DevSecOps to someone in the military.\n\nCarolyn: What you do with educating at Deloitte. With the DevSecOps, why is that important and how do you explain it?\n\nKaty: It depends, and that's the standard cybersecurity answer. It depends on the audience and who's asking the question. Why is DevSecOps important to me? It's the government authority, the government program manager, the mission to accomplish your mission, and delivering capability within cost scheduled performance. Let's do it fast, but let's do it safely.\n\nWe bring it down a little bit lower to the program managers on the contractor side. Why do I have to do DevSecOps and why is this important to me? These cyber people that you've got on the team, they're very expensive. We don't have enough of them and they don't scale. So we're going to try and use the technology to automate some of the routine tests and scans. So that your limited fill-in-the-blank engineer can do more on this product.\n\nIt’s Important to Communicate a People Problem\n\nKaty: For the developer themselves, who doesn't know anything about security and probably has never been incentivized to care about delivering security features, it's important to communicate to her if you build in this control.
If you build in this check for multi-factor authentication, then down the line, to the left and the right, in the linear pipeline of delivering software, then we don't have to test for it further down the right. So depending on who's asking in the organization, why should I care about DevOps, or DevSecOps, that determines how you address the response.\n\nMark: Is this any different for the military or outside the military?\n\nKaty: Yes. The example I just gave you was the last team that I was on for a military organization.\n\nCarolyn: Is it hard to get them to buy into the idea of DevSecOps? Does it add a lot to their workload?\n\nKaty: What I find in bureaucracies is the bureaucrats are incentivized to go along. The bureaucracy is there. Everything about the incentives support the bureaucracy and the bureaucratic processes. When you try to tell a government client, maybe a two or three-star admiral, we shouldn't plan to do that gigantic operational test two years from now.\n\nWe really should be building in the six week sprint little tests. And we really should not worry about all the outputs and all the requirements that you need to know so that you can brief them up to your higher level authority. We need to remember that going outside of that process usually results in negative consequences.\n\nEmbracing DevSecOps\n\nCarolyn: Is that the culture now? I've been in this world of people that I'm surrounded by all the time, really embracing DevSecOps. So with what you just described to me, I hope I don't offend too many people, but it sounds very archaic. Is that really still the culture?\n\nKaty: It is, absolutely. You have to remember that Kessel Run, Platform One, these are all huge paradigm-shifting successes. They get a lot of media coverage. It's easy for us to conflate those successes with, okay, it's enterprise-wide, everyone's practicing it. No. We are absolutely not.
Depending on who happens to be in charge determines risk aversion, risk tolerance.\n\nIf I'm a two or three-star admiral and I don't like being the first person out there, let me try this, then I'm risk-averse. I'll be like, \"No, I don't want to take that approach. We'll follow the documented process.\" That official over there is going to audit our stuff. We've got to back up our schedule 90 days for that because everybody in the bureaucracy has to overlay their checks.\n\nSelf-licking ice cream cones, justify my work and my job because this is how I'm incentivized. This is how the organization has hired us. These are the standard operating procedures. My performance reviews and merits and promotions depend on how well I do this process. Everything about it fights the change. That's why you see this.\n\nMark: That change happens about every two to three years.\n\nKaty: No.\n\nMark: Well, that leadership swaps out.\n\nCarolyn: The leadership changed. I think you're saying those are the bureaucrats.\n\nPeople Problem Is Subject to Bureaucracy\n\nKaty: Yes. I don't mean bureaucrats as an epithet. I’m using them as people who are subject to bureaucracy. Even in large corporations, there can be bureaucracies, and “red tape”. This is how we do it. It's not that anything intentionally started off maliciously, or ineffective, or inefficient.\n\nBut what we know in real life and on the ground is, if the people don't embrace the change, if the people don't think it's a good idea, if the people don't support that shift or pivot, it's not going to happen. Or it's going to take a long time. They may even outwait you.\n\nCarolyn: Is that where you have to start? Really at the top, at the bureaucratic level, and get the leadership to buy in and have that initiative come down? Have you done it both ways, top-down, bottom-up? Which works better?\n\nKaty: Again, cyber answer, it depends. It depends on the organization, and the openness of the organization.
To bring it back to the people, it depends on the people that you're working with. The change has to start simultaneously top-down and bottom-up. We do have these, we see these pockets of innovation and small groups of military organizations like the Navy in San Diego.\n\nI'm familiar that there are some engineering organizations that are experimenting with building strong, safe, psychologically trusting teams. They're workshopping, taking new approaches to communicating and collaborating. Making the best use of what we've learned over the forced remote work during the pandemic.\n\nBetter Minds on People Problem\n\nKaty: They're realizing now, I don't need my team for nine hours, butts in seats outside my door. We can do this remotely and we can get better minds on the problem. Actually, we can use this to our advantage to increase our diversity and bring more people to help us solve this problem. If only we can get out of our way. Let's unlearn all these old ways and try to embrace what Silicon Valley has proven.\n\nThey proved that you can do it better and faster and safer, as long as we remember we're not Silicon Valley. This is the US Military or the federal government, and citizens and taxpayer dollars. We can take what they're doing, the best of it, but we can pragmatically apply it. Keeping in mind the people that we're talking about and what those people need to do their jobs, to protect us.\n\nCarolyn: When you go in to set up, to help implement and educate on embracing DevSecOps, what are some of the best practices? Or let's look at something really pragmatic here. Where do you begin? What do you see as best practices for these teams that actually started out super rough, but then, they really embraced this philosophy and they do it well?\n\nKaty: My experience has proved that if you get to know the people on your team as individuals, try to remove all the transactional stuff, it's not I need you because you're an awesome coder.
I really want to get to know you because you're my teammate. We're working together to solve this, or accomplish this mission. I don't know if it's a blessing or a curse, but what I do know is military leadership.\n\nKnow Your Sailors\n\nKaty: I was an Army brat and then I joined the Navy when I was 18. I’ve been a chief in the world's finest navy, and part of a mess, a chief's mess, that teaches and encourages and lives, “get to know your people.” Your job is to know your sailors. I do this on the teams too.\n\nKnow your teammates and know what's important to them. Where did they come from, and where do they want to go? And remember it. It's important because you're trying to make authentic, genuine, personal connections. So that you two together can do better work to deliver on the mission. Remember who they are and what they want because you probably know somebody who can help them.\n\nThat six degrees of separation comes into play, and that's what chiefs do. The mess is worldwide. It's like I know a chief on that ship, or I know the master chief over there. My guy is transferring. Let me connect them. Do that with your teams. Encourage them to get to know each other. As a leader, facilitate that with ice breakers and fun.\n\nCarolyn: Do you do that? As a consultant, do you do things to facilitate this?\n\nKaty: I encourage things like books, happy hours, and getting to know each other. I recommend 15-minute coffee talks, and for the teams to get together. In tough times, when we're facing what seems insurmountable challenges, that's when you really get an opportunity to get your team to bond. There's this term in the military, we call it trauma bonding. I know that maybe other industries refer to it for things like Stockholm syndrome and kidnappers.\n\nMark: Healthcare professionals.\n\nDifficult Challenges and People Problem\n\nKaty: Yes. But really difficult challenges can be traumatic. In the military, you're faced with those quite frequently.
Getting through those types of challenges can form a bond that will last your entire life on both sides. I'm not saying anything as heavy or as serious as that is going to happen with every connection that you make, but it could.\n\nEven in the tough times, if you work together, the better you know your team and you know you can rely on them, and they have your back and you have theirs, the more successes you get through. You can build those types of lasting relationships, even in the industry.\n\nMark: When it comes to implementing DevSecOps in the military, or the Navy in this case, what pitfalls have you found or have you come across?\n\nKaty: It's the separation of authorities. When you think about how the military's organized and the authority is, and where they get their money, and all the congressional oversight on how the money is spent, we can't negate the importance of it. Your tax dollars, my tax dollars, are very important that they spend it wisely in the way that...","content_html":"

“Technology is easy: Everyone is doing it, culture is the challenge,” says retired Navy Chief, now Defense Consultant, & Cyber Educator at Deloitte, Katy Craig. When it comes to implementing new technology, a trusting environment can make all the difference. In this episode, Carolyn and Mark learn why prioritizing people is always a step in the right direction.

Episode Table of Contents

  • [00:48] Helping Teams Accelerate
  • [09:34] The Point of the Mission
  • [20:08] Better Minds on People Problem
  • [29:09] Technology Is Transforming People Problem


Helping Teams Accelerate

Carolyn: Our guest today is Katy Craig, a retired Navy chief. She's now a defense consultant and cyber educator at Deloitte. We're going to talk about her work, helping teams accelerate to deliver value safely and securely to customers.

She provides guidance on tools, technologies, and methods such as cloud security, agile methods, SDX, Zero Trust, and DevOps practices. One of my favorite topics and Mark's as well, is shifting security left for DevSecOps and continuous everything. Today, we're going to dial into how she helps teams embrace a DevSecOps culture, some of the biggest pitfalls, as well as best practices.

I read something on your bio and I was like, "I love that!" You say in your bio, "Technology is easy. Everyone is doing it. Culture is the challenge and where I can help most." Talk to us about that.

Katy: I'm trying to think if I can legally hashtag it, the people, s*. I actually Googled it. Somebody did back in the '90s after President Clinton said, "It's the economy, s." Somebody actually said, "It's the people, s*." But I want to bring it back into the lexicon and into the vernacular. Because a lot of these buzzwords that we're hearing in the zeitgeist, DevOps, I need to go buy some agile.

We're going to do some DevOps. They're selling Zero Trust, let's go buy that. It is rarely turnkey solutions out of the box. It's rarely the technology that all these vendors are selling on the internet and promising it’s going to be the panacea.

People Problem You Have to Deal With

Katy: No matter how great your tool, your weapon, or your process, if the people don't embrace it, they aren't brought along, and aren't included in deciding that's the tool we're going to use, that's the process we're going to embrace, they're going to fight you. They're not going to adopt it.

Maybe even in a bureaucracy, they might eventually go along to get along, but it will be delayed. It will be less of a quality approach. It's always going to come down to the people. We always have to remember that our reason for being here, for being in tech, for doing all this work has to come back to the people. I always go back to Gene Roddenberry and Star Trek. I'm a Trekker, sort of directive. You can do no harm.

What are the Boston Dynamics people doing? I worry about the robots. It's got to come back to the people. If we're doing this tech and pursuing all these areas, it's got to come back to: is it going to be good for the people? Is it going to make our lives better, make the planet better, or our country better? That's why I say, "You know what, everybody's out there peddling technology. Promising that if you install my platform, I'm going to solve all your cyber problems." It's just not true.

Mark: Are you talking about the mission? Or are you talking about getting the people on board with the technology to be able to leverage and use it? Is it the people as it relates to the mission, or is it the people as it relates to getting them on board with the technology, and how it can help them?

Unique People Problem of the Military

Katy: It does go to the unique problem of military teams, for example. We have administrative control and operational control. Then we have organizations in the military that acquire their technology. They decide whether to make or buy the technology to serve the warfighters who are operating the technology. Those separations are real. They're part of the challenge because of how they're organized, regulated, supervised, overseen. They spawn bureaucracy.

So the people, in their way, the policymakers need to understand that they themselves have a lot to unlearn. That takes a lot. It takes so much vulnerability in ourselves to say, "I need to relearn how to do acquisition." Using taxpayer appropriations to buy this capability is different in 2021 than it was in 1970, A1 Abrams containerized application.

We can't levy the same amount of oversight. The speed, there's so much delay in that type of bureaucratic oversight. For software, we can't move that slowly. So for the people to embrace that there is a new way of us living and fighting and being in the world during great power competition. You'll hear the military leadership talk about how we've got great powers rising and near-peer adversaries. There's a lot of saber-rattling.

They need to understand those people, policy makers, legislators, government leaders, that the way that they look at acquisition and technology needs to change. The users, the war fighters, are actually ahead. They are aware of what could be, the art of the possible. They’re playing 4K UHD video games online with multi million players. They know what technology can support and do. They're used to using game controllers, joysticks, and getting information very quickly.

One Person Can’t Solve a People Problem

Katy: Getting the warfighters, that group of people, to embrace the technology is easier in a way. What we need to do to help those people understand that bureaucrats are victims too. It's not like one person can come up in a bureaucracy and change it all.

Carolyn: You said prime directive. Do no harm.

Katy: Star Trek.

Carolyn: We can lose sight of what this is really all about, the reason we do all this. Yes, there's the mission. But the whole point of the mission is to make our lives, our families' lives, the Earth, to make it better for us. To be happy, to be healthy, the prime directive. As you were talking, I'm like, "Oh, I can get so focused on: Well, is this about the mission? Or is this about technology?" But what it's all about is us.

Katy: And helping us, the warfighter, the program manager, the citizens, and the family. We send volunteers off to join the military. It's not a job. They raise their right hand, swear under oath, give up certain rights and privileges, and do very dangerous work for us. The whole idea and goal really, if you adopt the people first concept, is let's not shed any blood at all. Let's avoid war.

Carolyn: Peacekeepers.

Katy: Let's keep the sea lanes open. I know the Navy, and so the Navy mission is one that's most clear in my mind. Let's support democracy worldwide and try not to allow human rights violations. Let us do good for the environment, just all those noble things that are supposed to bring all of us up as people.

The Point of the Mission

Katy: I always come back to the person, the humanity of the situation. Acknowledging that they have their hopes, dreams, aspirations, no matter who they are. Working side by side, or serving alongside, or delivering to a customer, all people, we all should consider the person first.

Carolyn: That is the point of the mission. That gets me to these things that you educate on.

Mark: That was an incredibly rich answer. We could peel that bad boy back for the entire discussion today. You were hitting on so many different things. If I can dig in to just more of a specific thing. Explain to us the importance of DevSecOps to someone in the military.

Carolyn: What you do with educating at Deloitte. With the DevSecOps, why is that important and how do you explain it?

Katy: It depends, and that's the standard cybersecurity answer. It depends on the audience and who's asking the question. Why is DevSecOps important to me? It's the government authority, the government program manager, the mission to accomplish your mission, and delivering capability within cost scheduled performance. Let's do it fast, but let's do it safely.

We bring it down a little bit lower to the program managers on the contractor side. Why do I have to do DevSecOps and why is this important to me? These cyber people that you've got on the team, they're very expensive. We don't have enough of them and they don't scale. So we're going to try and use the technology to automate some of the routine tests and scans. So that your limited fill-in-the-blank engineer can do more on this product.

It’s Important to Communicate a People Problem

Katy: For the developer themselves, who doesn't know anything about security and probably has never been incentivized to care about delivering security features, it's important to communicate to her if you build in this control. If you build in this check for multi-factor authentication, then down the line, to the left and the right, in the linear pipeline of delivering software, then we don't have to test for it further down the right. So depending on who's asking in the organization, why should I care about DevOps, or DevSecOps, that determines how you address the response.

Mark: Is this any different for the military or outside the military?

Katy: Yes. The example I just gave you was the last team that I was on for a military organization.

Carolyn: Is it hard to get them to buy into the idea of DevSecOps? Does it add a lot to their workload?

Katy: What I find in bureaucracies is the bureaucrats are incentivized to go along. The bureaucracy is there. Everything about the incentives support the bureaucracy and the bureaucratic processes. When you try to tell a government client, maybe a two or three-star admiral, we shouldn't plan to do that gigantic operational test two years from now.

We really should be building in the six week sprint little tests. And we really should not worry about all the outputs and all the requirements that you need to know so that you can brief them up to your higher level authority. We need to remember that going outside of that process usually results in negative consequences.

Embracing DevSecOps

Carolyn: Is that the culture now? I've been in this world of people that I'm surrounded by all the time, really embracing DevSecOps. So with what you just described to me, I hope I don't offend too many people, but it sounds very archaic. Is that really still the culture?

Katy: It is, absolutely. You have to remember that Kessel Run, Platform One, these are all huge paradigm-shifting successes. They get a lot of media coverage. It's easy for us to conflate those successes with, okay, it's enterprise-wide, everyone's practicing it. No. We are absolutely not. Depending on who happens to be in charge determines risk aversion, risk tolerance.

If I'm a two or three-star admiral and I don't like being the first person out there, let me try this, then I'm risk-averse. I'll be like, "No, I don't want to take that approach. We'll follow the documented process." That official over there is going to audit our stuff. We've got to back up our schedule 90 days for that because everybody in the bureaucracy has to overlay their checks.

Self-licking ice cream cones, justify my work and my job because this is how I'm incentivized. This is how the organization has hired us. These are the standard operating procedures. My performance reviews and merits and promotions depend on how well I do this process. Everything about it fights the change. That's why you see this.

Mark: That change happens about every two to three years.

Katy: No.

Mark: Well, that leadership swaps out.

Carolyn: The leadership changed. I think you're saying those are the bureaucrats.

People Problem Is Subject to Bureaucracy

Katy: Yes. I don't mean bureaucrats as an epithet. I’m using them as people who are subject to bureaucracy. Even in large corporations, there can be bureaucracies, and “red tape”. This is how we do it. It's not that anything intentionally started off maliciously, or ineffective, or inefficient.

But what we know in real life and on the ground is, if the people don't embrace the change, if the people don't think it's a good idea, if the people don't support that shift or pivot, it's not going to happen. Or it's going to take a long time. They may even outwait you.

Carolyn: Is that where you have to start? Really at the top, at the bureaucratic level, and get the leadership to buy in and have that initiative come down? Have you done it both ways, top-down, bottom-up? Which works better?

Katy: Again, cyber answer, it depends. It depends on the organization, and the openness of the organization. To bring it back to the people, it depends on the people that you're working with. The change has to start simultaneously top-down and bottom-up. We do have these, we see these pockets of innovation and small groups of military organizations like the Navy in San Diego.

I'm familiar that there are some engineering organizations that are experimenting with building strong, safe, psychologically trusting teams. They're workshopping, taking new approaches to communicating and collaborating. Making the best use of what we've learned over the forced remote work during the pandemic.

Better Minds on People Problem

Katy: They're realizing now, I don't need my team for nine hours, butts in seats outside my door. We can do this remotely and we can get better minds on the problem. Actually, we can use this to our advantage to increase our diversity and bring more people to help us solve this problem. If only we can get out of our way. Let's unlearn all these old ways and try to embrace what Silicon Valley has proven.

They proved that you can do it better and faster and safer, as long as we remember we're not Silicon Valley. This is the US Military or the federal government, and citizens and taxpayer dollars. We can take what they're doing, the best of it, but we can pragmatically apply it. Keeping in mind the people that we're talking about and what those people need to do their jobs, to protect us.

Carolyn: When you go in to set up, to help implement and educate on embracing DevSecOps, what are some of the best practices? Or let's look at something really pragmatic here. Where do you begin? What do you see as best practices for these teams that actually started out super rough, but then, they really embraced this philosophy and they do it well?

Katy: My experience has proved that if you get to know the people on your team as individuals, try to remove all the transactional stuff, it's not I need you because you're an awesome coder. I really want to get to know you because you're my teammate. We're working together to solve this, or accomplish this mission. I don't know if it's a blessing or a curse, but what I do know is military leadership.

Know Your Sailors

Katy: I was an Army brat and then I joined the Navy when I was 18. I’ve been a chief in the world's finest navy, and part of a mess, a chief's mess, that teaches and encourages and lives, “get to know your people.” Your job is to know your sailors. I do this on the teams too.

Know your teammates and know what's important to them. Where did they come from, and where do they want to go? And remember it. It's important because you're trying to make authentic, genuine, personal connections. So that you two together can do better work to deliver on the mission. Remember who they are and what they want because you probably know somebody who can help them.

That six degrees of separation comes into play, and that's what chiefs do. The mess is worldwide. It's like I know a chief on that ship, or I know the master chief over there. My guy is transferring. Let me connect them. Do that with your teams. Encourage them to get to know each other. As a leader, facilitate that with ice breakers and fun.

Carolyn: Do you do that? As a consultant, do you do things to facilitate this?

Katy: I encourage things like books, happy hours, and getting to know each other. I recommend 15-minute coffee talks, and for the teams to get together. In tough times, when we're facing what seems insurmountable challenges, that's when you really get an opportunity to get your team to bond. There's this term in the military, we call it trauma bonding. I know that maybe other industries refer to it for things like Stockholm syndrome and kidnappers.

Mark: Healthcare professionals.

Difficult Challenges and People Problem

Katy: Yes. But really difficult challenges can be traumatic. In the military, you're faced with those quite frequently. Getting through those types of challenges can form a bond that will last your entire life on both sides. I'm not saying anything as heavy or as serious as that is going to happen with every connection that you make, but it could.

Even in the tough times, if you work together, the better you know your team and you know you can rely on them, and they have your back and you have theirs, the more successes you get through. You can build those types of lasting relationships, even in the industry.

Mark: When it comes to implementing DevSecOps in the military, or the Navy in this case, what pitfalls have you found or have you come across?

Katy: It's the separation of authorities. When you think about how the military's organized and the authority is, and where they get their money, and all the congressional oversight on how the money is spent, we can't negate the importance of it. Your tax dollars, my tax dollars, are very important that they spend it wisely in the way that...

","summary":null,"date_published":"2021-12-08T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/d4cb8856-9e90-43e7-8ef7-eb3cdbf375b5.mp3","mime_type":"audio/mpeg","size_in_bytes":29738273,"duration_in_seconds":2123}]},{"id":"8a87b764-b6d9-46e0-978c-7908621e62cd","title":"Episode 16: On the Record with Lonye Ford","url":"https://techtransforms.fireside.fm/16","content_text":"Lonye Ford, CEO of Arlo Solutions, speaks to some of the challenges she faces as a woman in the government technology workforce. Lonye has had success and challenges from her time at the U.S. Air Force help desk, to her current role of CEO at Arlo Solutions. Carolyn and Mark get a uniquely human perspective surrounding government technology.\n\nEpisode Table of Contents\n\n[01:18] Bringing the Women in Technology Together\n[06:24] Women in Technology Are Creating Their Own Lane\n[09:36] Issues Women in Technology Have to Deal With\n\nEpisode Links and Resources\n\nLinkedIn\n\nLonye Ford Brings the Team Together\n\nCarolyn: Today, we have Lonye Ford, CEO of ARLO Solutions. Lonye served for over 10 years in the US Air Force. Thank you for your service, Lonye. She was named one of the Top 50 in Tech Visionary at InterCon 2021.\n\nYou talked about your superpower which is to get the teams, all these experts with these egos, to come together. I'm wondering, when you walk in a room you have to be a little bit disarming. You look super young, you're a woman and you're African-American. When you walk into a room, do you think those things help you with bringing the teams together? Have you seen it played against you?\n\nLonye: It's so important to ask those questions. To be honest, I have been feeling weird about addressing that directly. You come up in the military and you don't talk about sex, religion, color. Now, I'm asking a lot of diversity questions this year, because diversity has really been pushed to the forefront. 
It's really the first time I have been asked those questions before. We talk about it, but not in the open forum.\n\nI'm getting more comfortable with addressing it. When I first started, it did not help me. It was very difficult to gain respect. So when I walked into the room, I would tell people I had to be over-prepared.\n\nNot Because I’m a Woman\n\nCarolyn: Dismissed because of the way you look. Tracy and I talked about this a little bit. I want to be known for what I can do, not because I'm a woman. So I haven't even wanted to address those questions. It's like you know what, it's not about me being a woman. It's about me being capable.\n\nLonye: I struggle with that. I'm going to give you an example. We're in an award for Moxie Group for DC, we're finalists. The category that we're in is women owned. My partner went back and she said, \"Actually, I don't want to be in this category.\" That's how much we struggle with it. She was like, \"I don't want to be in this category.\" We went back and forth. She's like, \"Why would we get an award based on our gender?\" So then, we went back and explained, this is where we're struggling too. I told her to think about the message also, that people are trying to integrate and highlight the work that women are doing. Is it perfect? No. Sometimes it'll come across as odd. No, but you also don't want to always push back when someone is trying so hard, explain to them. And then, we're still competing with other women.\n\nBut her thing is, \"I don't want to compete with other women, I want to compete with everyone. I don't want to be put in that category.\" I'd say that we struggle with that, too. We do.\n\nLonye Ford Probes for the Intent\n\nCarolyn: I don't want to be on a panel for women in technology. I want to be on a panel for superheroes in technology.\n\nLonye: It's important if we think about the intent. Personally, I don't. 
But if you think about it, if our intent is to serve and to provide this ability, there are a lot of women and young women that are looking at that. That has a very positive impact on them. So if you take out how you feel about it and if you look at it more as, \"How am I serving the community,\" that'll help us change. We'll continue to mature. Right now, people are trying.\n\nPeople are trying to integrate women and highlight women. The intent is right. As we mature, we start saying, \"Hey, guy that's running this, maybe it's better to integrate us in this way,\" or have us join the panel. \"Oh, well we have these talks.\" Once you gain that visibility, now different organizations are reaching out.\n\nI started a lot on the different H.E.R. Talks, it was March, Women's Month. A lot of people asked me to come and speak. But, what happened was other folks in Tech Talks and MITRE, and those things, they heard me. Now they reached out separately. That may have been the kickoff to my conversations, so that provided visibility. If they hadn't done that woman talk, I may have even gotten that visibility.\n\nLonye Ford Created Her Own Lane and Space\n\nLonye: But anyway, I get what you're saying. It was very difficult coming into the Air Force, doing cyber. I’ve started in tech, a very technical domain, very difficult to gain respect. I remember when I first started, I would go back and forth. I’ve started acting more like the man because I tried to assimilate. I did a lot of performing in the beginning because I never saw anyone that looked like me that was doing what I was doing. Never, almost, until this day.\n\nSo you really have to create your own lane and space, and it's difficult. You have to have a strong belief system that you can do it because a lot of times, you are the first. A lot of times, people don't make it easy. They may not trust your feedback or what you're doing, just because of their own preconceived notions. 
It's difficult.\n\nThe way I've done it is I've been able to not take things personally. I'm very direct. I am the type of person that reflects what you do. So I may say, \"Okay,\" and it sometimes makes people uncomfortable. If I'm in a room and things get out of hand, I'm the person to say, \"Okay everyone, let's take a pause. Let's just pause for a second, think about how we're speaking to one another.\"\n\nPause and Reassess\n\nLonye: I don't care what the room looks like, I don't care what the dynamics of the room is. And I don't care if it's the SES in there. I don't care if it's an airman base. When you make people pause and reassess themselves, or allow someone to speak, or I'll jump in even at the defense of another woman. \"Okay, all this person to speak.\"\n\nBut again, it's very difficult. It's still difficult. I am the CEO of my own company and I still have a difficult time with my own employees. All of my employees are very senior level folks as well, men. So I still have a difficult time with that, too.\n\nCarolyn: You're probably still one of the only women in the room.\n\nLonye: Yes. Now, the difference is, because I've been in this field so long, at this point I'm invited to the room. Maybe leading the room, and sitting at the head of the table. It makes it a lot easier, where I am now. But for women that's coming up, it's still difficult. I understand what they're putting out about diversity and that's true.\n\nBut it's very difficult to change people's mind frames. These are people. It's just regular individual people that came from whatever their background is. They have been in technology for 40 years, running it. How do you change that?\n\nLonye Ford Asks What Issues Women Have in Tech\n\nCarolyn: Coming back to that culture thing again. I have a book for you, it's called Soundtracks. It's by John Acuff. When I said, \"Well, I don't want to be on a woman's panel. I want to be on a superhero's panel,\" you were like, \"Well, let's change the perspective. 
Let's change what I think about it.\" I'm like, \"Yes, cybersecurity has its own month, we celebrate that.\" You don't say, \"We want to be like everybody else.\" Let's celebrate that we have Women's Month. I love that.\n\nLonye: It is really about the message that we're sending to all the other women and you are a superhero. Why not celebrate that? Our path is different. It is tougher in some spaces, there's a different perspective. People want to hear that perspective and sometimes you can't talk to that perspective. We're really not speaking that perspective on shared panels. So they want to focus on, \"Okay, what issues do women have in tech.\" It's okay to talk about that. But, I get it. It is difficult.\n\nMark: Do you think that it starts with promoting women in STEM at an early age and getting them involved in the field? When I came into this field, there weren't that many women that were doing this.\n\nCarolyn: There still aren't. We outnumber you today.\n\nMark: There's more than there used to be but it still is an issue.\n\nLonye Ford Couldn’t Imagine a Woman in Cyber\n\nLonye: Promoting women in STEM, that's the reason that I do like the women panels. What I struggled with was I did not have access or I did not see people like me. That's really the reason that I like the women's panels. I couldn't even imagine a woman in cybersecurity, I couldn’t even imagine a woman leading cyber. And I couldn't imagine a woman leading a meeting related to technology and cyber.\n\nI had never seen that, not even leading a meeting, not even sitting at the head of a table with technical talks. The benefit to those is exposure. At a young age, they need to be exposed. Whether it's STEM training, whether it's through seeing it, whether it's Google, whether they are looking at a panel.\n\nCarolyn: It's just reminding me of your non-profit passion. It seems like this might be part of it, UrbanPromise.\n\nLonye: UrbanPromise, that's a group that's out of Camden. 
My business partner actually came up through UrbanPromise. They get the young kids, at a very young age. Then they walk the journey with them through school, to getting them in college. Even now, we raise money, and we go out and donate that money to kids. We call it gap funding.\n\nSo they may have gotten money to go to college but they can't get a laptop. It could be that they don't have appropriate clothes. They have some things that are due to the administration, so it pays for those types of activities. But, it's not specific to women, it's more the minority population in general. It's just going to be, to change that for women, again exposure.\n\nIndividual People Change the World\n\nLonye: I'm a person, I don't believe in the big bang theory. Individual people change the world, one action at a time. For us women, it’s through that exposure and taking the time to speak to other young girls. That could mean that I just go to a high school that's in my neighborhood. Then say, \"Hey, guess what, I'll give a talk.\" Out of 400 students, maybe two will resonate with you.\n\nEach of us individually, helping with the exposure will be very helpful to getting more women and girls into STEM. People get a lot of the technology and geeks speak. It's unique when you can come from the human aspect of technology.\n\nCarolyn: Thank you for thinking of the time to share your insights with us. Thank you to our listeners for joining Tech Transforms.","content_html":"

Lonye Ford, CEO of Arlo Solutions, speaks to some of the challenges she faces as a woman in the government technology workforce. Lonye has had success and challenges from her time at the U.S. Air Force help desk, to her current role of CEO at Arlo Solutions. Carolyn and Mark get a uniquely human perspective surrounding government technology.

Episode Table of Contents

  • [01:18] Bringing the Women in Technology Together
  • [06:24] Women in Technology Are Creating Their Own Lane
  • [09:36] Issues Women in Technology Have to Deal With


Lonye Ford Brings the Team Together

Carolyn: Today, we have Lonye Ford, CEO of ARLO Solutions. Lonye served for over 10 years in the US Air Force. Thank you for your service, Lonye. She was named one of the Top 50 in Tech Visionary at InterCon 2021.

You talked about your superpower which is to get the teams, all these experts with these egos, to come together. I'm wondering, when you walk in a room you have to be a little bit disarming. You look super young, you're a woman and you're African-American. When you walk into a room, do you think those things help you with bringing the teams together? Have you seen it played against you?

Lonye: It's so important to ask those questions. To be honest, I have been feeling weird about addressing that directly. You come up in the military and you don't talk about sex, religion, color. Now, I'm asking a lot of diversity questions this year, because diversity has really been pushed to the forefront. It's really the first time I have been asked those questions before. We talk about it, but not in the open forum.

I'm getting more comfortable with addressing it. When I first started, it did not help me. It was very difficult to gain respect. So when I walked into the room, I would tell people I had to be over-prepared.

Not Because I’m a Woman

Carolyn: Dismissed because of the way you look. Tracy and I talked about this a little bit. I want to be known for what I can do, not because I'm a woman. So I haven't even wanted to address those questions. It's like you know what, it's not about me being a woman. It's about me being capable.

Lonye: I struggle with that. I'm going to give you an example. We're in an award for Moxie Group for DC, we're finalists. The category that we're in is women owned. My partner went back and she said, \"Actually, I don't want to be in this category.\" That's how much we struggle with it. She was like, \"I don't want to be in this category.\" We went back and forth. She's like, \"Why would we get an award based on our gender?\" So then, we went back and explained, this is where we're struggling too.

I told her to think about the message also, that people are trying to integrate and highlight the work that women are doing. Is it perfect? No. Sometimes it'll come across as odd. No, but you also don't want to always push back when someone is trying so hard, explain to them. And then, we're still competing with other women.

But her thing is, \"I don't want to compete with other women, I want to compete with everyone. I don't want to be put in that category.\" I'd say that we struggle with that, too. We do.

Lonye Ford Probes for the Intent

Carolyn: I don't want to be on a panel for women in technology. I want to be on a panel for superheroes in technology.

Lonye: It's important if we think about the intent. Personally, I don't. But if you think about it, if our intent is to serve and to provide this ability, there are a lot of women and young women that are looking at that. That has a very positive impact on them.

So if you take out how you feel about it and if you look at it more as, \"How am I serving the community,\" that'll help us change. We'll continue to mature. Right now, people are trying.

People are trying to integrate women and highlight women. The intent is right. As we mature, we start saying, \"Hey, guy that's running this, maybe it's better to integrate us in this way,\" or have us join the panel. \"Oh, well we have these talks.\" Once you gain that visibility, now different organizations are reaching out.

I started a lot on the different H.E.R. Talks, it was March, Women's Month. A lot of people asked me to come and speak. But, what happened was other folks in Tech Talks and MITRE, and those things, they heard me. Now they reached out separately. That may have been the kickoff to my conversations, so that provided visibility. If they hadn't done that woman talk, I may have even gotten that visibility.

Lonye Ford Created Her Own Lane and Space

Lonye: But anyway, I get what you're saying. It was very difficult coming into the Air Force, doing cyber. I’ve started in tech, a very technical domain, very difficult to gain respect. I remember when I first started, I would go back and forth. I’ve started acting more like the man because I tried to assimilate. I did a lot of performing in the beginning because I never saw anyone that looked like me that was doing what I was doing. Never, almost, until this day.

So you really have to create your own lane and space, and it's difficult. You have to have a strong belief system that you can do it because a lot of times, you are the first. A lot of times, people don't make it easy. They may not trust your feedback or what you're doing, just because of their own preconceived notions. It's difficult.

The way I've done it is I've been able to not take things personally. I'm very direct. I am the type of person that reflects what you do. So I may say, \"Okay,\" and it sometimes makes people uncomfortable. If I'm in a room and things get out of hand, I'm the person to say, \"Okay everyone, let's take a pause. Let's just pause for a second, think about how we're speaking to one another.\"

Pause and Reassess

Lonye: I don't care what the room looks like, I don't care what the dynamics of the room is. And I don't care if it's the SES in there. I don't care if it's an airman base. When you make people pause and reassess themselves, or allow someone to speak, or I'll jump in even at the defense of another woman. \"Okay, allow this person to speak.\"

But again, it's very difficult. It's still difficult. I am the CEO of my own company and I still have a difficult time with my own employees. All of my employees are very senior level folks as well, men. So I still have a difficult time with that, too.

Carolyn: You're probably still one of the only women in the room.

Lonye: Yes. Now, the difference is, because I've been in this field so long, at this point I'm invited to the room. Maybe leading the room, and sitting at the head of the table. It makes it a lot easier, where I am now. But for women that's coming up, it's still difficult. I understand what they're putting out about diversity and that's true.

But it's very difficult to change people's mind frames. These are people. It's just regular individual people that came from whatever their background is. They have been in technology for 40 years, running it. How do you change that?

Lonye Ford Asks What Issues Women Have in Tech

Carolyn: Coming back to that culture thing again. I have a book for you, it's called Soundtracks. It's by Jon Acuff. When I said, \"Well, I don't want to be on a woman's panel. I want to be on a superhero's panel,\" you were like, \"Well, let's change the perspective. Let's change what I think about it.\" I'm like, \"Yes, cybersecurity has its own month, we celebrate that.\" You don't say, \"We want to be like everybody else.\" Let's celebrate that we have Women's Month. I love that.

Lonye: It is really about the message that we're sending to all the other women and you are a superhero. Why not celebrate that? Our path is different. It is tougher in some spaces, there's a different perspective. People want to hear that perspective and sometimes you can't talk to that perspective. We're really not speaking that perspective on shared panels. So they want to focus on, \"Okay, what issues do women have in tech.\" It's okay to talk about that. But, I get it. It is difficult.

Mark: Do you think that it starts with promoting women in STEM at an early age and getting them involved in the field? When I came into this field, there weren't that many women that were doing this.

Carolyn: There still aren't. We outnumber you today.

Mark: There's more than there used to be but it still is an issue.

Lonye Ford Couldn’t Imagine a Woman in Cyber

Lonye: Promoting women in STEM, that's the reason that I do like the women panels. What I struggled with was I did not have access or I did not see people like me. That's really the reason that I like the women's panels. I couldn't even imagine a woman in cybersecurity, I couldn’t even imagine a woman leading cyber. And I couldn't imagine a woman leading a meeting related to technology and cyber.

I had never seen that, not even leading a meeting, not even sitting at the head of a table with technical talks. The benefit to those is exposure. At a young age, they need to be exposed. Whether it's STEM training, whether it's through seeing it, whether it's Google, whether they are looking at a panel.

Carolyn: It's just reminding me of your non-profit passion. It seems like this might be part of it, UrbanPromise.

Lonye: UrbanPromise, that's a group that's out of Camden. My business partner actually came up through UrbanPromise. They get the young kids, at a very young age. Then they walk the journey with them through school, to getting them in college. Even now, we raise money, and we go out and donate that money to kids. We call it gap funding.

So they may have gotten money to go to college but they can't get a laptop. It could be that they don't have appropriate clothes. They have some things that are due to the administration, so it pays for those types of activities. But, it's not specific to women, it's more the minority population in general. It's just going to be, to change that for women, again exposure.

Individual People Change the World

Lonye: I'm a person, I don't believe in the big bang theory.

Individual people change the world, one action at a time. For us women, it’s through that exposure and taking the time to speak to other young girls. That could mean that I just go to a high school that's in my neighborhood. Then say, \"Hey, guess what, I'll give a talk.\" Out of 400 students, maybe two will resonate with you.

Each of us individually, helping with the exposure will be very helpful to getting more women and girls into STEM. People get a lot of the technology and geek speak. It's unique when you can come from the human aspect of technology.

Carolyn: Thank you for taking the time to share your insights with us. Thank you to our listeners for joining Tech Transforms.

","summary":null,"date_published":"2021-12-01T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/0fb9a333-abd8-4546-971f-d5840fbb7962.mp3","mime_type":"audio/mpeg","size_in_bytes":11470687,"duration_in_seconds":818}]},{"id":"f66ee7a2-ca24-427e-9643-10f1dbb57bef","title":"Episode 15: Looking Forward: 2022 Predictions with Willie Hicks, Lonye Ford, Jazmin Furtado, Rayvn Manuel, and Tracy Bannon","url":"https://techtransforms.fireside.fm/15","content_text":"On this special episode of Tech Transforms, Carolyn and Mark look to the new year with trends and predictions for government technology. Willie Hicks Public Sector CTO at Dynatrace, Lonye Ford CEO at ARLO Solutions, Jazmin Furtado Military Captain at Space Force, Rayvn Manuel, Senior Application Developer at NMAAHC and Tracy Bannon, Senior Principal / Software Architect & DevOps Strategic Advisor at MITRE talk about their predictions as we move into 2022. Episode Table of Contents[00:32] Willie Hicks’ 2022 Predictions for Government Technology[09:07] Lonye’s 2022 Predictions on the Acquisition Process[17:09] Jazmin’s 2022 Predictions for This Day and Age[21:31] Rayvn’s 2022 Predictions in Technology Will Never Be the Same[24:03] Tracy Bannon’s 2022 Predictions on New TechnologyEpisode Links and ResourcesWillie Hicks - CTO of Public Sector at Dynatrace Lonye Ford - CEO of ARLO Solutions Jazmin Furtado - Military Officer at Space ForceRayvn Manuel - Senior Application Developer at NMAAHCTracy Bannon - Senior Principal/ Software Architect & DevOps Strategic Advisor at MITRE, ambassador for the DevOps InstituteWillie Hicks’ 2022 Predictions for Government TechnologyCarolyn: Today, we have a special episode to cover some topics of tomorrow. We asked a few of our guests their predictions for the U.S. Government technology in 2022. First, we have Willie Hicks, public sector CTO at Dynatrace. The AI arms race. 
Will you talk about that a little bit and talk about where you see the U.S.' position in the AI arms race? I know this ties into the massive, National Security Commission's on Artificial Intelligence final report.Willie: Yes. The term AI arms race is actually in academia and industry, it's a debated term. Are we in an arms race? Some people are more purists when they think of an arms race. You think about the Cold War, you think about past arms races. There are certain criteria around that. Like the money that's being spent on, if you think of a conventional type arms race, both sides.Or multiple sides are investing millions, billions of dollars on arms, on different weapon systems, on trying to keep up, or keeping a step ahead of the adversary. You could argue two things. One, that you don't see that kind of spending today in AI, at least from the government. You do see spending across the board, industry-wise, a higher increase on spending. But some would argue that just by that definition, it's not really an arms race.You can make the argument that AI itself is not a weapon. AI is a tool that could be used to make weapons more lethal, more effective, but in itself, AI is not a weapon. By the textbook, there's some debate if there is, but let's just set all that aside to answer your question.How to Stay AdvancedWillie: Leave out spending. There is definitely increased competition. If we want to say that there is a race from a technology standpoint, that's from industry and from the government, and that's underway today. We see that daily in the advances and the money that's being spent in AI. But also you see that in the national security report that you had mentioned. There are a lot of studies going on.How do we technologically stay advanced or ahead of our adversaries? Or, at least, we've got to make sure that we stay on top because at the end of the day, AI could be just like anything. AI could be used for many wonderful things. 
Like I was saying in medical applications, we saw this during COVID. People often think about, \"Wow, the vaccines that we have, they came out really rapidly.\"Some people say not fast enough, but how long vaccines usually take? It came out very rapidly. A lot of that is due to some new techniques for the whole RNA type of vaccine. But also, there was a lot of AI. There was a lot of compute horsepower that went behind the analysis of a lot of these drugs, a lot of the virus, DNA strains and all that.There is a lot of good. But then, AI, this technology arms race, this competition could also be used by state actors. I even hesitate and sometimes I don't even like to think about it. It could make war more lethal, more kinetic. Let's just say it can make weapon systems run out of control. We're not going to the Skynet world where things just take over. But what you could have is what we've seen today, which is fascinating.2022 Predictions on AIWillie: We have seen AI being used in things like drones that can be sent to a target, loiter around, scanning the system. Waiting for his target to come in range and then go and attack that target. That arms raise is to be able to not only have those same capabilities but also counter those capabilities.Also in the cyber front, how do we protect our power grids? How do we protect our water systems? AI is being deployed in all of these ways to attack us in multiple different ways.Carolyn: Is AI being used to protect as well?Willie: It's definitely and defensively being used.Mark: You mentioned the National Security Commission on Artificial Intelligence's final report a couple of times here. I wanted to ask you if you had a couple of takeaways from that?Willie: That is a pretty beefy document and a lot to go through. But at the end of the day, there were some really good takeaways. Honestly, there were some, no-brainers in there. Number one in my mind, we've got to increase funding and research. 
This goes back to a question you asked earlier about the arms race. One reason you might not want to call it an arms race is because a lot of money is not being put into it by the government.Mark: It's got to be an arms race if there's money, if there's not money.Willie: Let's just cut to the chase. There needs to be more funding of research, public and private. One thing that I found interesting is that we need to address the talent and diversity deficit in AI. More importantly, we need to address how to develop an internal government talent to meet these challenges.Diversity in AIWillie: I say diversity because I mentioned AI systems being able to recognize targets. To be able to look for certain things and understand patterns, and then respond to those patterns. So some might argue that we need diversity in thinking in AI.Some argue that AI systems themselves aren't inherently biased because they're programmed by humans. But if humans are programming some of their biases, even indirectly into the system, they're not recognizing targets. They're not really factoring things like skin tone and how people look.Carolyn: Yes, they are inherently biased because they're being programmed by humans.Willie: I'm trying to be tactful about it, but at the end of the day, that is a very important part of the report. We need to have that diversity of talent and we need more, I shouldn't say better, but we need more talent in this field. Also, I found it interesting that the report called out. This is something dear to me. They're calling out agencies, the government, especially.They're focused on the IC needs to really start leveraging AI to more fully automate tasks. Things that are repetitive, things that are prone to error, things that could be tasked well to an AI. Those things need to be looked at for more automation through AI systems. So those are some of the bigger takeaways that I saw. 
But also most importantly, more industry outreach and partnering.Carolyn: Thank you Willie. Next, we ask Lonye Ford, CEO of Arlo Solutions. What are your predictions? You've talked about a lot of things, like a cyber security integrator. What are your predictions for cyber security in the next year? We're coming up on the end of the year. We all love a good prediction.Lonye’s 2022 Predictions on the Acquisition ProcessLonye: I only speak to the government. In the next year, I hope that we see more of our cyber experts in the acquisition process. Working with the acquisition teams to build out these statements of work and those types of things for these program offices. I’d love to see that. I think that we'll continue to see more automation, the government wants speed.Cyber from an authorized perspective, is not a speedy process. We're going to start finding ways as our cyber workforce works with our developers to integrate. You hear people say bake it in, grow it in. But to really focus on doing that in real life, not just a cliche term, “how do we do that”?I'm seeing now that the cyber is working more with the developers on the technology side. My prediction, again, I told you I'm optimistic that it’s going to mature. We're going to start moving more of that cyber work to the left so that you're not trying to prove things to me via a document. Once we get to the end of this gravy train and you're baking that in, the developers are understanding the responsibilities from a cyber perspective. So, I would love to see that.I know we're going to see a lot of focus on supply chain rightfully so. That truly needs to be a focus in the government. I see it from an internal perspective. It's a real issue. Supply chain and software supply chain too. I'm not just talking about hardware. Based on the executive orders and those types of things that's coming out, there's going to be a major focus on supply chain. 
That would be my prediction.2022 Predictions From the DoD PerspectiveLonye: I hope to see from the air force and for DoD, I work mostly in the air force. From the DoD perspective, we went through a time in cyber where everything was decentralized. A lot of the workforce was decentralized. Each program has their own cyber and doing their own thing. They're spending their money on cyber. It's time to centralize some of that. I don't mean take away the decision making from other agencies. But I do think that the workforce, to understand cyber and cloud and DevSecOps is slim.The air force and DoD in general is paying for all these different pockets of cyber expertise. I'm including myself, I'm a vendor and I'm in those pockets. But you're hiring all these different vendors to do cyber for all these different programs that are doing it differently, that truly don't understand DevSecOps.They're learning on the government's dime too, and there's no centralization of it. If we centralize training, if we start centralizing some of this and then from our expertise, our experts out to these different program offices, that will be a win too. I hope to see more centralization in that as well.Carolyn: Leverage each other's wisdom. I heard about acquisition, better processes up front, DevSecOps, supply chain, and then to centralize. That's a shift from 20 years ago.Lonye: We really shifted, decentralized. The workforce is so slim and there is a lot of competition. We were just talking about the D.C. area once the Amazons are coming in, there's competition in the workforce. So people, the cyber workforce because it's so popular right now, they have a lot of options. We have to find a way to use our workforce as smartly as possible.DecentralizationCarolyn: Now it's interesting that you brought up this whole decentralization thing. It seemed like working in the DoD arena, that was the strength. I understand why they would do that. 
I don't think this has been a common thought that the civilian side of the house is in some ways ahead of the game. They are more centralized in their approach on some of this stuff than the DoD. It may be because of the nature of what they do, they're very siloed.Lonye: I agree. Money and funding makes a big difference. In industry, at the company there's someone at the top that's controlling how they spend their funds. That person's going to look at everything from an enterprise perspective. DoD, internal too to the government, the way that the money is farmed out to the different agencies, that they can come up with their own solutions in their own workforce. That's what they're doing.They are building solutions that work specifically for them. We do, we try our best to be more focused on enterprise, but it's tough. We're looking at a diverse need from someone who needs to work on CE and may work on the air conditions for a DoD. Someone else may be focused on jets, someone else may be focused on providing typical IT.Their needs are so vast and different that it is hard to centralize that from a funding and a solutions perspective. It's difficult, but where we could centralize is the cybersecurity support because that support shouldn't change. Whether I'm assessing it, or authorizing it, I say all the time, \"You can put anything in front of me.\"The Right FrameworkLonye: I can show you how to assess and authorize code going to the F35, or how to assess and authorize your air condition system. If you have the right framework, even if I don't understand the technology per se, that's when I collaborate.Carolyn: Thank you, Lonye. Our next prediction is from Captain Jazmin Furtado of the U.S. Space Force. I want to get your predictions for technology in 2022.Jazmin: We're going to continue to see growth in AI capabilities and not just within the DoD, but everywhere. 
We'll see a lot more and better personalized services that we see in finance, medical, legal, things that are more for you. So you no longer need to go through a middle man. You no longer have to go through trial and error to get and to converge on the right answer, you can get it faster.These services are a lot more available and easily available. The barrier to access is a lot lower because they’re technological solutions, rather than people and process solutions. I also think we're going to see an increase in no-code capabilities. People are able to access software or tools without having to know how to code. They can have better user interfaces.We're going to continue to see technology with increasingly better user interfaces. Allow people to be more data minded without having that formal background. All of these just blend into more transparency and literacy when it comes to data. Because we can no longer afford to have people that are like, \"Oh, I'm not technical.\"Jazmin’s 2022 Predictions for This Day and AgeJazmin: We are in this day and age where that's no longer something that we can afford to have. Everyone needs to be technical and be treated as an analyst in their own right. We're moving into this stage in society where everyone has to and everyone produces data. Everyone needs to ingest data, everyone needs to process it in their own way. Going into next year, we’ll continue to see services that emphasize that.Mark: How do you feel the air force, maybe space force are too new to it, prioritizes this?Jazmin: Data transparency and literacy are these sorts of tools. They are asking for it. They're definitely prioritizing it because these conversations are very difficult to have without these things. People need to be able to speak that same language. They can't do that without these tools, these no-code capabilities as visualizations. 
We need to have people go in and be able to do discovery into the data for themselves.And we can't continue to just have, \"Oh, we'll just present something to you about the status every month and you can make decisions.\" People need to be able to go in themselves and figure things up for themselves. When we treat everyone as an analyst in their own right, it's becoming apparent very fast. The limiting factor in a lot of these conversations is that people don't have access to all the information that they need.Carolyn: I'm going to give a sneak peek to a survey that we just completed among government and IT people. One of their number one pains was the lack of expertise in these very things that you're talking about.The Highest Pains in the 2022 PredictionsCarolyn: Just that people are coming in, \"Well, I'm not technical enough to understand what the data means.\" That was one of the highest pains that these IT managers that responded to the survey talked about.Jazmin: That is not surprising.Carolyn: Yes. Thank you, Jazmin. Now we will hear from Rayvyn Manuel. He’s a senior application developer at the national museum of African American history and culture and an army veteran.Mark: As we approach 2022, tell us what your predictions for technology are going to be this coming year.Rayvn: Do you want me to tell you about cultural institutions or in general?Mark: In general, both.Rayvn: There's a lot happening out there in technology and there's quantum computing. A lot of focus on AI and AIOps, ML, and MLOps. Those things are what technologists are focused on. I belong to a group and we're looking at Hyperledger, not Bitcoin per se.For blockchain technology and cultural institutions, I'm thinking about how can a cultural institution leverage blockchain technology to track its assets and the objects? How can we even use Bitcoin maybe? The government is not ready for that. To use Bitcoin, to be able to procure things or to let people buy things for technology. 
There's also this push in the accessibility realm. How do we leverage the existing technology that we have to make experiences for people with various disabilities? All disabilities, because when people say disabilities, they think of people who have no mobility or have visual issues or hearing. But there are other disabilities that are out there like cognitive disabilities. How do we use these technologies to give them similar experiences?Rayvn’s 2022 Predictions in Technology Will Never Be the SameRayvn: It'll never be the same, a similar enhanced experience in cultural spaces. I believe that everything that I'm hearing from application development is how to take these monolithic applications and make them into microservices. That's all the buzz right now, so that's where those things are going. At my space in the museum specifically, it's how do I take mobile technology, things that can only be done on a mobile device, and make it so that we can have interactives that are contactless?One of the things that I'm actually thinking about is for the application that I'm building with this other agent. One of the challenges is that if a person doesn't have a particular version of iOS or Android, they're not going to be able to engage. So what can we do? I thought, \"Well, I can use a Raspberry Pi because they're small and blocky.\" But who wants to steal that from a place? That's something you can put in your pocket.How can I actually use a Raspberry Pi and get the same experience as I can on a mobile device? It’s a challenge because the mobile manufacturers' devices are integrated. When you want to do AR or VR, it's integrated with the hardware. Mobile has certain libraries and a Raspberry Pi is pretty much a desktop. It's just an operating system and...","content_html":"

On this special episode of Tech Transforms, Carolyn and Mark look to the new year with trends and predictions for government technology. Willie Hicks Public Sector CTO at Dynatrace, Lonye Ford CEO at ARLO Solutions, Jazmin Furtado Military Captain at Space Force, Rayvn Manuel, Senior Application Developer at NMAAHC and Tracy Bannon, Senior Principal / Software Architect & DevOps Strategic Advisor at MITRE talk about their predictions as we move into 2022.

Episode Table of Contents

  • [00:32] Willie Hicks’ 2022 Predictions for Government Technology
  • [09:07] Lonye’s 2022 Predictions on the Acquisition Process
  • [17:09] Jazmin’s 2022 Predictions for This Day and Age
  • [21:31] Rayvn’s 2022 Predictions in Technology Will Never Be the Same
  • [24:03] Tracy Bannon’s 2022 Predictions on New Technology

Episode Links and Resources


Willie Hicks’ 2022 Predictions for Government Technology

Carolyn: Today, we have a special episode to cover some topics of tomorrow. We asked a few of our guests their predictions for the U.S. Government technology in 2022. First, we have Willie Hicks, public sector CTO at Dynatrace. The AI arms race. Will you talk about that a little bit and talk about where you see the U.S.' position in the AI arms race? I know this ties into the massive National Security Commission on Artificial Intelligence final report.

Willie: Yes. The term AI arms race is actually in academia and industry, it's a debated term. Are we in an arms race? Some people are more purists when they think of an arms race. You think about the Cold War, you think about past arms races. There are certain criteria around that. Like the money that's being spent on, if you think of a conventional type arms race, both sides.

Or multiple sides are investing millions, billions of dollars on arms, on different weapon systems, on trying to keep up, or keeping a step ahead of the adversary. You could argue two things. One, that you don't see that kind of spending today in AI, at least from the government. You do see spending across the board, industry-wise, a higher increase on spending. But some would argue that just by that definition, it's not really an arms race.

You can make the argument that AI itself is not a weapon. AI is a tool that could be used to make weapons more lethal, more effective, but in itself, AI is not a weapon.

By the textbook, there's some debate if there is, but let's just set all that aside to answer your question.

How to Stay Advanced

Willie: Leave out spending. There is definitely increased competition. If we want to say that there is a race from a technology standpoint, that's from industry and from the government, and that's underway today. We see that daily in the advances and the money that's being spent in AI. But also you see that in the national security report that you had mentioned. There are a lot of studies going on.

How do we technologically stay advanced or ahead of our adversaries? Or, at least, we've got to make sure that we stay on top because at the end of the day, AI could be just like anything. AI could be used for many wonderful things. Like I was saying in medical applications, we saw this during COVID. People often think about, "Wow, the vaccines that we have, they came out really rapidly."

Some people say not fast enough, but how long vaccines usually take? It came out very rapidly. A lot of that is due to some new techniques for the whole RNA type of vaccine. But also, there was a lot of AI. There was a lot of compute horsepower that went behind the analysis of a lot of these drugs, a lot of the virus, DNA strains and all that.

There is a lot of good. But then, AI, this technology arms race, this competition could also be used by state actors. I even hesitate and sometimes I don't even like to think about it. It could make war more lethal, more kinetic. Let's just say it can make weapon systems run out of control. We're not going to the Skynet world where things just take over. But what you could have is what we've seen today, which is fascinating.

2022 Predictions on AI

Willie: We have seen AI being used in things like drones that can be sent to a target, loiter around, scanning the system. Waiting for its target to come in range and then go and attack that target. That arms race is to be able to not only have those same capabilities but also counter those capabilities.

Also in the cyber front, how do we protect our power grids? How do we protect our water systems? AI is being deployed in all of these ways to attack us in multiple different ways.

Carolyn: Is AI being used to protect as well?

Willie: It's definitely and defensively being used.

Mark: You mentioned the National Security Commission on Artificial Intelligence's final report a couple of times here. I wanted to ask you if you had a couple of takeaways from that?

Willie: That is a pretty beefy document and a lot to go through. But at the end of the day, there were some really good takeaways. Honestly, there were some no-brainers in there. Number one in my mind, we've got to increase funding and research. This goes back to a question you asked earlier about the arms race. One reason you might not want to call it an arms race is because a lot of money is not being put into it by the government.

Mark: It's got to be an arms race if there's money, if there's not money.

Willie: Let's just cut to the chase. There needs to be more funding of research, public and private. One thing that I found interesting is that we need to address the talent and diversity deficit in AI. More importantly, we need to address how to develop an internal government talent to meet these challenges.

Diversity in AI

Willie: I say diversity because I mentioned AI systems being able to recognize targets. To be able to look for certain things and understand patterns, and then respond to those patterns. So some might argue that we need diversity in thinking in AI.

Some argue that AI systems themselves aren't inherently biased because they're programmed by humans. But if humans are programming some of their biases, even indirectly into the system, they're not recognizing targets. They're not really factoring things like skin tone and how people look.

Carolyn: Yes, they are inherently biased because they're being programmed by humans.

Willie: I'm trying to be tactful about it, but at the end of the day, that is a very important part of the report. We need to have that diversity of talent and we need more, I shouldn't say better, but we need more talent in this field. Also, I found it interesting that the report called out. This is something dear to me. They're calling out agencies, the government, especially.

They're focused on the IC needs to really start leveraging AI to more fully automate tasks. Things that are repetitive, things that are prone to error, things that could be tasked well to an AI. Those things need to be looked at for more automation through AI systems. So those are some of the bigger takeaways that I saw. But also most importantly, more industry outreach and partnering.

Carolyn: Thank you Willie. Next, we ask Lonye Ford, CEO of Arlo Solutions. What are your predictions? You've talked about a lot of things, like a cyber security integrator. What are your predictions for cyber security in the next year? We're coming up on the end of the year. We all love a good prediction.

Lonye’s 2022 Predictions on the Acquisition Process

Lonye: I only speak to the government. In the next year, I hope that we see more of our cyber experts in the acquisition process. Working with the acquisition teams to build out these statements of work and those types of things for these program offices. I’d love to see that. I think that we'll continue to see more automation, the government wants speed.

Cyber from an authorized perspective, is not a speedy process. We're going to start finding ways as our cyber workforce works with our developers to integrate. You hear people say bake it in, grow it in. But to really focus on doing that in real life, not just a cliche term, “how do we do that”?

I'm seeing now that the cyber is working more with the developers on the technology side. My prediction, again, I told you I'm optimistic that it’s going to mature. We're going to start moving more of that cyber work to the left so that you're not trying to prove things to me via a document. Once we get to the end of this gravy train and you're baking that in, the developers are understanding the responsibilities from a cyber perspective. So, I would love to see that.

I know we're going to see a lot of focus on supply chain, rightfully so. That truly needs to be a focus in the government. I see it from an internal perspective. It's a real issue. Supply chain and software supply chain too. I'm not just talking about hardware. Based on the executive orders and those types of things that are coming out, there's going to be a major focus on supply chain. That would be my prediction.

2022 Predictions From the DoD Perspective

Lonye: I hope to see from the Air Force and for DoD, I work mostly in the Air Force. From the DoD perspective, we went through a time in cyber where everything was decentralized.

A lot of the workforce was decentralized. Each program has their own cyber and doing their own thing. They're spending their money on cyber. It's time to centralize some of that. I don't mean take away the decision making from other agencies. But I do think that the workforce, to understand cyber and cloud and DevSecOps is slim.

The Air Force and DoD in general is paying for all these different pockets of cyber expertise. I'm including myself, I'm a vendor and I'm in those pockets. But you're hiring all these different vendors to do cyber for all these different programs that are doing it differently, that truly don't understand DevSecOps.

They're learning on the government's dime too, and there's no centralization of it. If we centralize training, if we start centralizing some of this and then from our expertise, our experts out to these different program offices, that will be a win too. I hope to see more centralization in that as well.

Carolyn: Leverage each other's wisdom. I heard about acquisition, better processes up front, DevSecOps, supply chain, and then to centralize. That's a shift from 20 years ago.

Lonye: We really shifted, decentralized. The workforce is so slim and there is a lot of competition. We were just talking about the D.C. area once the Amazons are coming in, there's competition in the workforce. So people, the cyber workforce because it's so popular right now, they have a lot of options. We have to find a way to use our workforce as smartly as possible.

Decentralization

Carolyn: Now it's interesting that you brought up this whole decentralization thing. It seemed like working in the DoD arena, that was the strength. I understand why they would do that. I don't think this has been a common thought that the civilian side of the house is in some ways ahead of the game. They are more centralized in their approach on some of this stuff than the DoD. It may be because of the nature of what they do, they're very siloed.

Lonye: I agree. Money and funding makes a big difference. In industry, at the company there's someone at the top that's controlling how they spend their funds. That person's going to look at everything from an enterprise perspective. DoD, internal too to the government, the way that the money is farmed out to the different agencies, that they can come up with their own solutions in their own workforce. That's what they're doing.

They are building solutions that work specifically for them. We do, we try our best to be more focused on enterprise, but it's tough. We're looking at a diverse need from someone who needs to work on CE and may work on the air conditions for a DoD. Someone else may be focused on jets, someone else may be focused on providing typical IT.

Their needs are so vast and different that it is hard to centralize that from a funding and a solutions perspective. It's difficult, but where we could centralize is the cybersecurity support because that support shouldn't change. Whether I'm assessing it, or authorizing it, I say all the time, "You can put anything in front of me."

The Right Framework

Lonye: I can show you how to assess and authorize code going to the F35, or how to assess and authorize your air condition system. If you have the right framework, even if I don't understand the technology per se, that's when I collaborate.

Carolyn: Thank you, Lonye. Our next prediction is from Captain Jazmin Furtado of the U.S. Space Force. I want to get your predictions for technology in 2022.

Jazmin: We're going to continue to see growth in AI capabilities and not just within the DoD, but everywhere. We'll see a lot more and better personalized services that we see in finance, medical, legal, things that are more for you. So you no longer need to go through a middle man. You no longer have to go through trial and error to get and to converge on the right answer, you can get it faster.

These services are a lot more available and easily available. The barrier to access is a lot lower because they’re technological solutions, rather than people and process solutions. I also think we're going to see an increase in no-code capabilities. People are able to access software or tools without having to know how to code. They can have better user interfaces.

We're going to continue to see technology with increasingly better user interfaces. Allow people to be more data minded without having that formal background. All of these just blend into more transparency and literacy when it comes to data. Because we can no longer afford to have people that are like, "Oh, I'm not technical."

Jazmin’s 2022 Predictions for This Day and Age

Jazmin: We are in this day and age where that's no longer something that we can afford to have. Everyone needs to be technical and be treated as an analyst in their own right. We're moving into this stage in society where everyone has to and everyone produces data. Everyone needs to ingest data, everyone needs to process it in their own way. Going into next year, we’ll continue to see services that emphasize that.

Mark: How do you feel the Air Force, maybe Space Force are too new to it, prioritizes this?

Jazmin: Data transparency and literacy are these sorts of tools. They are asking for it. They're definitely prioritizing it because these conversations are very difficult to have without these things. People need to be able to speak that same language. They can't do that without these tools, these no-code capabilities as visualizations. We need to have people go in and be able to do discovery into the data for themselves.

And we can't continue to just have, "Oh, we'll just present something to you about the status every month and you can make decisions." People need to be able to go in themselves and figure things up for themselves.

When we treat everyone as an analyst in their own right, it's becoming apparent very fast. The limiting factor in a lot of these conversations is that people don't have access to all the information that they need.

Carolyn: I'm going to give a sneak peek to a survey that we just completed among government and IT people. One of their number one pains was the lack of expertise in these very things that you're talking about.

The Highest Pains in the 2022 Predictions

Carolyn: Just that people are coming in, "Well, I'm not technical enough to understand what the data means." That was one of the highest pains that these IT managers that responded to the survey talked about.

Jazmin: That is not surprising.

Carolyn: Yes. Thank you, Jazmin. Now we will hear from Rayvn Manuel. He’s a senior application developer at the National Museum of African American History and Culture and an Army veteran.

Mark: As we approach 2022, tell us what your predictions for technology are going to be this coming year.

Rayvn: Do you want me to tell you about cultural institutions or in general?

Mark: In general, both.

Rayvn: There's a lot happening out there in technology and there's quantum computing. A lot of focus on AI and AIOps, ML, and MLOps. Those things are what technologists are focused on. I belong to a group and we're looking at Hyperledger, not Bitcoin per se.

For blockchain technology and cultural institutions, I'm thinking about how can a cultural institution leverage blockchain technology to track its assets and the objects? How can we even use Bitcoin maybe? The government is not ready for that. To use Bitcoin, to be able to procure things or to let people buy things for technology. There's also this push in the accessibility realm.

How do we leverage the existing technology that we have to make experiences for people with various disabilities? All disabilities, because when people say disabilities, they think of people who have no mobility or have visual issues or hearing. But there are other disabilities that are out there like cognitive disabilities. How do we use these technologies to give them similar experiences?

Rayvn’s 2022 Predictions in Technology Will Never Be the Same

Rayvn: It'll never be the same, a similar enhanced experience in cultural spaces. I believe that everything that I'm hearing from application development is how to take these monolithic applications and make them into microservices. That's all the buzz right now, so that's where those things are going. At my space in the museum specifically, it's how do I take mobile technology, things that can only be done on a mobile device, and make it so that we can have interactives that are contactless?

One of the things that I'm actually thinking about is for the application that I'm building with this other agent. One of the challenges is that if a person doesn't have a particular version of iOS or Android, they're not going to be able to engage. So what can we do? I thought, "Well, I can use a Raspberry Pi because they're small and blocky." But who wants to steal that from a place? That's something you can put in your pocket.

How can I actually use a Raspberry Pi and get the same experience as I can on a mobile device? It’s a challenge because the mobile manufacturers' devices are integrated. When you want to do AR or VR, it's integrated with the hardware. Mobile has certain libraries and a Raspberry Pi is pretty much a desktop. It's just an operating system and...

","summary":null,"date_published":"2021-11-17T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/35a1f721-2f9b-4f3f-bad0-784300d05b7e.mp3","mime_type":"audio/mpeg","size_in_bytes":29120402,"duration_in_seconds":2078}]},{"id":"827fabf4-edd7-406b-8334-f0d338e1c511","title":"Episode 14: Technology Lessons From the Smithsonian with Rayvn Manuel","url":"https://techtransforms.fireside.fm/14","content_text":"Senior application developer at the National Museum of African American History and Culture, and Army veteran Rayvn Manuel explains why her job is the best job. From serving our country as a soldier, to serving our history through dynamic storytelling, Rayvn has a passion for development that shows in her work. Listen in as Carolyn and Mark learn about the innovative technology behind the newest addition to the Smithsonian. Episode Table of Contents[01:46] The Purpose of Technology Is Huge[08:54] The Purpose of Technology Is Transformative Inclusion[17:49] They Take Cybersecurity and the Purpose of Technology Extremely[28:26] What I Wish the Purpose of Technology Can DoEpisode Links and ResourcesRayvn Manuel LinkedInNMAAHCA Fool's ErrandBroken Earth SeriesGod, Human, Animal, MachineThe Purpose of Technology Is HugeCarolyn: Today we have a guest who, as soon as I heard about this guest, I'm like, I want to talk to her. We've been trying for a little bit. Ravyn Manuel, welcome and thank you so much for being here.Ravyn: Thank you for having me here. This is actually exciting.Carolyn: Ravyn Manuel is Senior Application Developer at Smithsonian Institute National Museum of African-American History and Culture. The NMAAHC is the 19th museum of the Smithsonian that has been open since 2016. Since opening, it has collected over 36,000 artifacts and gained nearly 100,000 members. 
It was awarded the People's Voice Webby Award in 2017.Mark: Can you describe your role in the context of a modern museum experience? What that means and what your role is at the museum? Carolyn: Why do we even need an application developer? Having been through it, I have to look back and I'm like, oh yes, the technology was huge. I didn't notice it at the time. Looking back on it, the technology is what really bathed me and immersed me a lot in the experience, especially as I moved up.Ravyn: That is awesome. It was so integrated, that you felt it was just part of that experience from what I was hired for. Our museum is not just the only one that has application developers. There are other museums because every museum and gallery has a website. We have to have somebody on staff to actually maintain the website. I don't work on the website, I actually have three hats.The Whole Purpose of SmithsonianRavyn: One, when there are smaller exhibits and they are interactive. Those things that you touch, which are going to be contactless, moving forward. Those are the things that I develop. Or I will work with a designer like the UI, UX designer then develop these interactives. These will bring home the message that the education department would like people to take away from an exhibit.The whole purpose of the Smithsonian itself is for education. When we make an exhibit, it isn't just to have you have a feeling. It's also for you to have an opinion for you to be immersed in that history. To walk away with some knowledge that you didn't know before, or to change your opinion about what you felt before. My role as an application developer is the R and D person. I look at spaces in our museum and I go, how can we get the message across better here? What would help make this, not only a fun engaging process but also help people learn? My particular interest is in accessibility. 
I’m always looking for ways to make our interactions or the museum visit accessible for people who may not be able to experience it with their eyes.For people who may not be able to hear the audio that's going on or have cognitive differences and how they actually interpret. That's what I do. I'll make a prototype, show it to my supervisor and say, what do you think about this? Most of the time, what I feel isn't going to go there. But it gives me a chance to say, “here's how we can use technology to actually assist people in their experience and to tell the story in an engaging way.”Interactive ExhibitsRavyn: A lot of our exhibits are interactive, some of them are really huge. So we hire out for that. We have contractors for that. But if it's small, if there's a game like World War II which was the last one, I think I made. There was at the end, once you got through that whole exhibit, you should have learned about the nine luminaries that were highlighted in the exhibit. When you get to the end, you have a quiz.What the quiz does is ask you, do you see yourself as a writer? At the end, you actually came up with a luminary that should have mimicked what you felt. So, that was an interactive that I actually implemented. That's actually my role, the best job ever. There is nobody who has a better job than me.Mark: What options are there for virtual visitors that can't get to DC, that you want to have some sort of experience of the museum? Do you work on that stuff?Ravyn: I didn't. There is a big project and I think it's going to be launching in a couple of months. It is a Smithsonian vision. It's not just for our unit. It is the Smithsonian vision of making everything digital so that it can be experienced on the web. We have a virtual museum experience that's going to be launched and it is phenomenal. What it will do for you is it will have you pick an object. 
Pick an experience and then connect it with another experience or another object that you would not have actually thought about.An Open Access to the Purpose of TechnologyRavyn: Most of the museums have some type of digital, like we have open access. I don't know if you are aware of that open access. The developers or anybody can actually go online and use the images in this space. We have the Smithsonian. If you go to the Smithsonian website, si.edu, you can just search for open access. You'll see that you have access to any number of objects from all the museums.Carolyn: Cool, I didn't know that either.Ravyn: The Smithsonian High was something that was started at the Hirshhorn Gallery and you use your mobile device. When you go into the units, the museums, or galleries that have this implemented, you'll take your mobile device and put it on the QR code. Then you'll get more information about that object, or about a tour, or a way of finding things. That's actually something that we have.Then there’s the other websites, our website is unique, but it's pretty put together like the other websites. It is where we highlight our objects. You can search for our objects, you can see what the exhibits are about. We have a mobile app that will help you plan your visit. I'm actually working on a mobile application with the National Center for Atmospheric Research.Believe it or not, we are coming up with a mobile device for accessibility. It will give people who are low vision or blind, a way to navigate not just through the facility, but also to have a similar experience and learn about those particular objects. They can go to an exhibit and then point their phone onto something. They’ll be able to hear something about that object. That's actually next year's thing.The Purpose of Technology Is Transformative InclusionCarolyn: That's transformative inclusion. That's the way we do technology.Ravyn: Yes, exactly. 
Not just for technology’s sake, it has to have a purpose.Mark: Do you guys have any plans or vision to do stuff like virtual reality?Ravyn: That's actually me, that's my thing. I want to add AR like the app that we're using. I am making this with my co-developer, Neon, using AR, Artificial Reality. I'm looking into how we can use AI or machine learning or VR into these experiences. One of the places, the contemplate of court actually is where I've looked. I thought this was a great space. But if you don't know the people who have the writings on the wall, then you're missing it.Mark: What's the difference between VR and AR? That's a good term.Ravyn: Artificial reality is when you take reality as it is and then you expand it. You have to have something there in order to expand it. Virtual reality is you make something out of nothing.Carolyn: I read a couple of articles about it in the last Signal magazine that DoD is doing a lot with it. It is like simulating reality. What you're doing is awesome though.Ravyn: I worked for the State Department way back and for the Diplomatic Security Service. That is what we did as programmers. We tried to help with the training by using VR and AR, which was really cool.Carolyn: There were certain rooms, like when I got to the ancestry room, I don't know what it's really called. I did obviously notice the technology in there.Plan for Security MajorsCarolyn: One of the reasons that I didn't is because it was seamless. There was no glitch. Like how do you keep it running all the time? How do you plan for security majors? I’ve noticed that one of the descriptors in your job includes DevSecOps. Another term I would not put in a Smithsonian museum.Ravyn: I personally do not keep them running because I don't actually work in the museum. I work at the capital gallery. We have an AV crew, we also have facilities. People who go to the museum every day and make sure everything works every day, that is the one thing that we do. 
We make sure that the visitor experience isn't hampered by anything that doesn't work.Carolyn: Do they manually walk through and make sure everything works? Do you monitor from afar as well?Ravyn: They do. They have a way to monitor, especially if it's a web-based thing. We have an internal network. The monitoring system is tapped into the internal network so they can see what's happening. There are times when they have to be down, maybe for maintenance. But there are people that go every morning that the museum is open to make sure everything is open, and it is correct.When I got to the museum, I worked for AOL. I was a developer there, but I also did systems and system admin stuff. On the backend of things, we have our servers, we have these things that have to happen. Even though we don't produce a lot of software, we do produce applications. I told my supervisor we could be a little bit more performant in the way we get things from the developer to the floor.How DevSecOps Got Into the MuseumRavyn: That is how DevSecOps actually got into our museum. I have counterparts, like in SAM, in the American Art Museum. Their title is DevSecOps engineer. They're application developers as well, but they do take care of their systems. Our IT infrastructure, the enterprise, IT, which is OCIO, the Office of the Chief Information Officer, they're investigating how to implement DevOps into this Smithsonian. Because they manage most of the web applications that are out there.Mark: Including you guys. It all comes together to the greater Smithsonian team.Ravyn: Sort of. We're autonomous, most of the units are autonomous. We can do whatever we want to the chagrin of both CIOs. But we do try to be good citizens and work with them. They do have a server, a server farm I guess, that we have some things on. We do have this big IT presence that you never would know that the Smithsonian would have. You wouldn't think that's part of it, but it is. 
It's cool.Mark: So, how did you manage all this through the pandemic?Ravyn: We had to close for a bit. We have the bigger Smithsonian which we call the castle that is like the mothership. The units mimic that, so we have a new normal team. It was one of the teams that we had. We did this castle to figure out how to go from where we were to the new normal, whatever the new normal is going to be.Also, we had another team, a COVID team that was specifically to help with the health thing. If you needed assistance with COVID and to be able to pipe what was happening down at the unit level to go to the Smithsonian. We had those two teams.The Phase ApproachRavyn: The COVID team is responsible for how, when we open in the phase approach. How we keep our visitors safe, how we ensure that we're following CDC guidelines and our own stricter guidelines. Making sure that everybody stayed healthy, including staff, visitors, and security.The new normal team is the team that took all of the staff input about how we were feeling. What were our concerns, what were we willing to do and what we were not willing to do? And what were we doing because of COVID that actually seemed like best practice?One of the things that came out of that, from my understanding, is, we have so many options for telework. It's ridiculous how people can pretty much make a buffet out of how they would like to telework. People like myself where I don't really need to be at the museum. We have at this point, we are not going into our workspaces or into the museum.I've been teleworking for almost two years now. I haven't been anyway, but we can go. But if we don't have a reason to go, then don't go. What we're trying to do is keep everybody safe. That's really how those things happened.You asked me about security. Security has always been on property. Even when the museum was closed, security has always been there. The level of security across Smithsonian never diminished. 
It's always been like we're in a very visual place and there's some controversy sometimes with what we display. Security has never actually been diminished.Mark: That's like physical security, but what about cyber security?Carolyn: What about your applications?Taking Cybersecurity and the Purpose of Technology to the Nth DegreeRavyn: For our applications, the ones that are in the museum, when I make the ones that I've been implementing, I use the internal network. There is no access outside really because it's an internal network. The network itself is OCIO. They are responsible for the whole network and because they take cybersecurity extremely, to the nth degree, which is to my chagrin as a developer. That means, I have to be careful about what I'm doing, about libraries that I'm using, about open source stuff.There's got to be a balance, but it's really a tug of war between I need to use this thing. Security is like, if you use that thing, it's going to open us up for an attack. We really don't like to have our websites down. It's not good because there are people who don't get to come to the museum who want to experience the museum. The only way they can touch us is through the websites.Carolyn: I wanted to ask you about just your recommendations for navigating the museum. You touched on this application. I'm not sure if it's ready yet. You can plan your trip because I wish I would've done that. I feel like I missed so much, I could have spent a month in that museum.Ravyn: It's our mobile device and it's going through some upgrades. I will get back to you to let you know when this feature will be available. But what the features are supposed to do is, like you say that you only have 5 hours. You want to spend two and a half hours in that museum.What the App Is Meant to DoRavyn: Then in our museum, two and a half, like NMAI. You're like a baseball aficionado. So you say, give me some suggestions of where I can go in the museum if I have this particular like. 
Or if I only have these particular things, or I only have this particular amount of time. That's what the app is meant to do.I believe that that feature might be coming. It's being worked on. I will definitely email you and let you know if it's available, then you do it on your mobile device. It's another QR code thing that you do and then it'll come up.Mark: Do you have an app that someone can download onto their phone and then they navigate through the app?Ravyn: That app is that one you can download.Carolyn: This'll be a new feature to the app where you can actually plan your time. That's brilliant.Ravyn: Yes.Carolyn: I have a love-hate relationship with museums in general, because I want to see it all. I like the idea of going exhausted before I'm even there because I know I can't see it all. Let’s jump to our tech talk questions. These are just fun questions with rapid answers. I’m always looking to build my reading and my television viewing list. So I want to know what you're reading, listening to, and watching that inspires you or that you just do to chill.Ravyn: I live in the mountains and I have very poor internet connection, so I don't have TV. I don't even have a signal. And I don't really like TV. I never did when I was a kid. But I read a lot and I listen to audiobooks a lot.The Whole Journey of Building the Purpose of TechnologyRavyn: One of the books I just finished is a Fool's Errand by Lonnie Bunch, our secretary who used to be our director. He wrote the book and it’s about that whole journey of building the museum. It was great just to hear his experience about how to get that in there. I'm also a geek. I won't talk about the tech manuals I'm reading because I read a lot of tech manuals.But the museum, I grew up in the Bronx and I grew up going to Catholic school. It kind of ditched history for placement for religion. I didn't really know history very well or geography. And I thought everything was New York. 
Like Chicago was part of New York when I was growing up. I just thought that was how it was.I'm trying to make myself learn more. But the reconstruction exhibit and the records that you were able to search, they had me thinking about my history, because I didn't know it. And so I started reading the constitution and reading books about American history. I'm really not a person who likes history because I don't do well with dates, but I'm really great with numbers.I think about why reconstruction failed because we're still in a place where we have racism. Like why do we still have this? Where did that come from? Those are the types of books I read when I'm in a contemplative mood. It's about American history, the founding fathers, about England and the English system. For fun, I read anything that's fantasy, sci-fi, I've got this thing about murder mysteries that I like.The Broken EarthCarolyn: What's your favorite sci-fi? Have you read the Broken Earth series?Ravyn: No. What series is it?Carolyn: It's called the Broken Earth series. I'm going to send you the link and it is one that I started. It's a trilogy. She won the Hugo award, three years in a row, and that's never happened before. It's sci-fi fantasy, but she approaches things on this cosmic level. So rather than looking at time, like in years, it's billions of years. It blew my mind and it's fantastic. But I have another one for you.Ravyn: Have you heard of God, Human, Animal, Machine by Meghan O'Gieblyn?Carolyn:...","content_html":"

Senior application developer at the National Museum of African American History and Culture, and Army veteran Rayvn Manuel explains why her job is the best job. From serving our country as a soldier, to serving our history through dynamic storytelling, Rayvn has a passion for development that shows in her work. Listen in as Carolyn and Mark learn about the innovative technology behind the newest addition to the Smithsonian.

Episode Table of Contents

  • [01:46] The Purpose of Technology Is Huge
  • [08:54] The Purpose of Technology Is Transformative Inclusion
  • [17:49] They Take Cybersecurity and the Purpose of Technology Extremely
  • [28:26] What I Wish the Purpose of Technology Can Do


The Purpose of Technology Is Huge

Carolyn: Today we have a guest who, as soon as I heard about this guest, I'm like, I want to talk to her. We've been trying for a little bit. Ravyn Manuel, welcome and thank you so much for being here.

Ravyn: Thank you for having me here. This is actually exciting.

Carolyn: Ravyn Manuel is Senior Application Developer at Smithsonian Institute National Museum of African-American History and Culture. The NMAAHC is the 19th museum of the Smithsonian that has been open since 2016. Since opening, it has collected over 36,000 artifacts and gained nearly 100,000 members. It was awarded the People's Voice Webby Award in 2017.

Mark: Can you describe your role in the context of a modern museum experience? What that means and what your role is at the museum?

Carolyn: Why do we even need an application developer? Having been through it, I have to look back and I'm like, oh yes, the technology was huge. I didn't notice it at the time. Looking back on it, the technology is what really bathed me and immersed me a lot in the experience, especially as I moved up.

Ravyn: That is awesome. It was so integrated, that you felt it was just part of that experience from what I was hired for. Our museum is not just the only one that has application developers. There are other museums because every museum and gallery has a website. We have to have somebody on staff to actually maintain the website. I don't work on the website, I actually have three hats.

The Whole Purpose of Smithsonian

Ravyn: One, when there are smaller exhibits and they are interactive. Those things that you touch, which are going to be contactless, moving forward. Those are the things that I develop. Or I will work with a designer like the UI, UX designer then develop these interactives. These will bring home the message that the education department would like people to take away from an exhibit.

The whole purpose of the Smithsonian itself is for education. When we make an exhibit, it isn't just to have you have a feeling. It's also for you to have an opinion for you to be immersed in that history. To walk away with some knowledge that you didn't know before, or to change your opinion about what you felt before.

My role as an application developer is the R and D person. I look at spaces in our museum and I go, how can we get the message across better here? What would help make this, not only a fun engaging process but also help people learn? My particular interest is in accessibility. I’m always looking for ways to make our interactions or the museum visit accessible for people who may not be able to experience it with their eyes.

For people who may not be able to hear the audio that's going on or have cognitive differences and how they actually interpret. That's what I do. I'll make a prototype, show it to my supervisor and say, what do you think about this? Most of the time, what I feel isn't going to go there. But it gives me a chance to say, “here's how we can use technology to actually assist people in their experience and to tell the story in an engaging way.”

Interactive Exhibits

Ravyn: A lot of our exhibits are interactive, some of them are really huge. So we hire out for that. We have contractors for that. But if it's small, if there's a game like World War II which was the last one, I think I made. There was at the end, once you got through that whole exhibit, you should have learned about the nine luminaries that were highlighted in the exhibit. When you get to the end, you have a quiz.

What the quiz does is ask you, do you see yourself as a writer? At the end, you actually came up with a luminary that should have mimicked what you felt. So, that was an interactive that I actually implemented. That's actually my role, the best job ever. There is nobody who has a better job than me.

Mark: What options are there for virtual visitors that can't get to DC, that you want to have some sort of experience of the museum? Do you work on that stuff?

Ravyn: I didn't. There is a big project and I think it's going to be launching in a couple of months. It is a Smithsonian vision. It's not just for our unit. It is the Smithsonian vision of making everything digital so that it can be experienced on the web. We have a virtual museum experience that's going to be launched and it is phenomenal. What it will do for you is it will have you pick an object. Pick an experience and then connect it with another experience or another object that you would not have actually thought about.

An Open Access to the Purpose of Technology

Ravyn: Most of the museums have some type of digital, like we have open access. I don't know if you are aware of that open access. The developers or anybody can actually go online and use the images in this space. We have the Smithsonian. If you go to the Smithsonian website, si.edu, you can just search for open access. You'll see that you have access to any number of objects from all the museums.

Carolyn: Cool, I didn't know that either.

Ravyn: The Smithsonian High was something that was started at the Hirshhorn Gallery and you use your mobile device. When you go into the units, the museums, or galleries that have this implemented, you'll take your mobile device and put it on the QR code. Then you'll get more information about that object, or about a tour, or a way of finding things. That's actually something that we have.

Then there’s the other websites, our website is unique, but it's pretty put together like the other websites. It is where we highlight our objects. You can search for our objects, you can see what the exhibits are about. We have a mobile app that will help you plan your visit. I'm actually working on a mobile application with the National Center for Atmospheric Research.

Believe it or not, we are coming up with a mobile device for accessibility. It will give people who are low vision or blind, a way to navigate not just through the facility, but also to have a similar experience and learn about those particular objects. They can go to an exhibit and then point their phone onto something. They’ll be able to hear something about that object. That's actually next year's thing.

The Purpose of Technology Is Transformative Inclusion

Carolyn: That's transformative inclusion. That's the way we do technology.

Ravyn: Yes, exactly. Not just for technology’s sake, it has to have a purpose.

Mark: Do you guys have any plans or vision to do stuff like virtual reality?

Ravyn: That's actually me, that's my thing. I want to add AR like the app that we're using. I am making this with my co-developer, Neon, using AR, Artificial Reality. I'm looking into how we can use AI or machine learning or VR into these experiences. One of the places, the Contemplative Court, actually is where I've looked. I thought this was a great space. But if you don't know the people who have the writings on the wall, then you're missing it.

Mark: What's the difference between VR and AR? That's a good term.

Ravyn: Artificial reality is when you take reality as it is and then you expand it. You have to have something there in order to expand it. Virtual reality is you make something out of nothing.

Carolyn: I read a couple of articles about it in the last Signal magazine that DoD is doing a lot with it. It is like simulating reality. What you're doing is awesome though.

Ravyn: I worked for the State Department way back and for the Diplomatic Security Service. That is what we did as programmers. We tried to help with the training by using VR and AR, which was really cool.

Carolyn: There were certain rooms, like when I got to the ancestry room, I don't know what it's really called. I did obviously notice the technology in there.

Plan for Security Majors

Carolyn: One of the reasons that I didn't is because it was seamless. There was no glitch. Like how do you keep it running all the time? How do you plan for security majors? I’ve noticed that one of the descriptors in your job includes DevSecOps. Another term I would not put in a Smithsonian museum.

Ravyn: I personally do not keep them running because I don't actually work in the museum. I work at the capital gallery. We have an AV crew, we also have facilities. People who go to the museum every day and make sure everything works every day, that is the one thing that we do. We make sure that the visitor experience isn't hampered by anything that doesn't work.

Carolyn: Do they manually walk through and make sure everything works? Do you monitor from afar as well?

Ravyn: They do. They have a way to monitor, especially if it's a web-based thing. We have an internal network. The monitoring system is tapped into the internal network so they can see what's happening. There are times when they have to be down, maybe for maintenance. But there are people that go every morning that the museum is open to make sure everything is open, and it is correct.

When I got to the museum, I worked for AOL. I was a developer there, but I also did systems and system admin stuff. On the backend of things, we have our servers, we have these things that have to happen. Even though we don't produce a lot of software, we do produce applications. I told my supervisor we could be a little bit more performant in the way we get things from the developer to the floor.

How DevSecOps Got Into the Museum

Ravyn: That is how DevSecOps actually got into our museum. I have counterparts, like in SAM, in the American Art Museum. Their title is DevSecOps engineer. They're application developers as well, but they do take care of their systems. Our IT infrastructure, the enterprise, IT, which is OCIO, the Office of the Chief Information Officer, they're investigating how to implement DevOps into this Smithsonian. Because they manage most of the web applications that are out there.

Mark: Including you guys. It all comes together to the greater Smithsonian team.

Ravyn: Sort of. We're autonomous, most of the units are autonomous. We can do whatever we want to the chagrin of both CIOs. But we do try to be good citizens and work with them. They do have a server, a server farm I guess, that we have some things on. We do have this big IT presence that you never would know that the Smithsonian would have. You wouldn't think that's part of it, but it is. It's cool.

Mark: So, how did you manage all this through the pandemic?

Ravyn: We had to close for a bit. We have the bigger Smithsonian which we call the castle that is like the mothership. The units mimic that, so we have a new normal team. It was one of the teams that we had. We did this castle to figure out how to go from where we were to the new normal, whatever the new normal is going to be.

Also, we had another team, a COVID team that was specifically to help with the health thing. If you needed assistance with COVID and to be able to pipe what was happening down at the unit level to go to the Smithsonian. We had those two teams.

The Phase Approach

Ravyn: The COVID team is responsible for how, when we open in the phase approach. How we keep our visitors safe, how we ensure that we're following CDC guidelines and our own stricter guidelines. Making sure that everybody stayed healthy, including staff, visitors, and security.

The new normal team is the team that took all of the staff input about how we were feeling. What were our concerns, what were we willing to do and what we were not willing to do? And what were we doing because of COVID that actually seemed like best practice?

One of the things that came out of that, from my understanding, is, we have so many options for telework. It's ridiculous how people can pretty much make a buffet out of how they would like to telework. People like myself where I don't really need to be at the museum. We have at this point, we are not going into our workspaces or into the museum.

I've been teleworking for almost two years now. I haven't been anyway, but we can go. But if we don't have a reason to go, then don't go. What we're trying to do is keep everybody safe. That's really how those things happened.

You asked me about security. Security has always been on property. Even when the museum was closed, security has always been there. The level of security across Smithsonian never diminished. It's always been like we're in a very visual place and there's some controversy sometimes with what we display. Security has never actually been diminished.

Mark: That's like physical security, but what about cyber security?

Carolyn: What about your applications?

Taking Cybersecurity and the Purpose of Technology to the Nth Degree

Ravyn: For our applications, the ones that are in the museum, when I make the ones that I've been implementing, I use the internal network. There is no access outside really because it's an internal network. The network itself is OCIO. They are responsible for the whole network and because they take cybersecurity extremely, to the nth degree, which is to my chagrin as a developer. That means, I have to be careful about what I'm doing, about libraries that I'm using, about open source stuff.

There's got to be a balance, but it's really a tug of war between I need to use this thing. Security is like, if you use that thing, it's going to open us up for an attack. We really don't like to have our websites down. It's not good because there are people who don't get to come to the museum who want to experience the museum. The only way they can touch us is through the websites.

Carolyn: I wanted to ask you about just your recommendations for navigating the museum. You touched on this application. I'm not sure if it's ready yet. You can plan your trip because I wish I would've done that. I feel like I missed so much, I could have spent a month in that museum.

Ravyn: It's our mobile device and it's going through some upgrades. I will get back to you to let you know when this feature will be available. But what the features are supposed to do is, like you say that you only have 5 hours. You want to spend two and a half hours in that museum.

What the App Is Meant to Do

Ravyn: Then in our museum, two and a half, like NMAI. You're like a baseball aficionado. So you say, give me some suggestions of where I can go in the museum if I have this particular like. Or if I only have these particular things, or I only have this particular amount of time. That's what the app is meant to do.

I believe that that feature might be coming. It's being worked on. I will definitely email you and let you know if it's available, then you do it on your mobile device. It's another QR code thing that you do and then it'll come up.

Mark: Do you have an app that someone can download onto their phone and then they navigate through the app?

Ravyn: That app is that one you can download.

Carolyn: This'll be a new feature to the app where you can actually plan your time. That's brilliant.

Ravyn: Yes.

Carolyn: I have a love-hate relationship with museums in general, because I want to see it all. I like the idea of going exhausted before I'm even there because I know I can't see it all. Let’s jump to our tech talk questions. These are just fun questions with rapid answers. I’m always looking to build my reading and my television viewing list. So I want to know what you're reading, listening to, and watching that inspires you or that you just do to chill.

Ravyn: I live in the mountains and I have very poor internet connection, so I don't have TV. I don't even have a signal. And I don't really like TV. I never did when I was a kid. But I read a lot and I listen to audiobooks a lot.

The Whole Journey of Building the Purpose of Technology

Ravyn: One of the books I just finished is a Fool's Errand by Lonnie Bunch, our secretary who used to be our director. He wrote the book and it’s about that whole journey of building the museum. It was great just to hear his experience about how to get that in there. I'm also a geek. I won't talk about the tech manuals I'm reading because I read a lot of tech manuals.

But the museum, I grew up in the Bronx and I grew up going to Catholic school. It kind of ditched history for placement for religion. I didn't really know history very well or geography. And I thought everything was New York. Like Chicago was part of New York when I was growing up. I just thought that was how it was.

I'm trying to make myself learn more. But the reconstruction exhibit and the records that you were able to search, they had me thinking about my history, because I didn't know it. And so I started reading the constitution and reading books about American history. I'm really not a person who likes history because I don't do well with dates, but I'm really great with numbers.

I think about why reconstruction failed because we're still in a place where we have racism. Like why do we still have this? Where did that come from? Those are the types of books I read when I'm in a contemplative mood. It's about American history, the founding fathers, about England and the English system. For fun, I read anything that's fantasy, sci-fi, I've got this thing about murder mysteries that I like.

The Broken Earth

Carolyn: What's your favorite sci-fi? Have you read the Broken Earth series?

Ravyn: No. What series is it?

Carolyn: It's called the Broken Earth series. I'm going to send you the link and it is one that I started. It's a trilogy. She won the Hugo award, three years in a row, and that's never happened before. It's sci-fi fantasy, but she approaches things on this cosmic level. So rather than looking at time, like in years, it's billions of years. It blew my mind and it's fantastic. But I have another one for you.

Ravyn: Have you heard of God, Human, Animal, Machine by Meghan O'Gieblyn?

Carolyn:...

","summary":null,"date_published":"2021-11-10T06:30:00.000-05:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/db9de526-674a-4d9c-abc4-333a3de737fb.mp3","mime_type":"audio/mpeg","size_in_bytes":25940765,"duration_in_seconds":1851}]},{"id":"367b5dc3-2f76-44f4-9ec7-e0e92e9e1dc2","title":"Episode 13: Kessel Run: Originally Chartered to Create Culture Change, with Captain Jazmin Furtado US SpaceForce","url":"https://techtransforms.fireside.fm/13","content_text":"Find out how the DoD's Kessel Run Office is digitalizing longtime manual processes through AI, taking the military to the next level of its digital transformation. Listen as Captain Jazmin Furtado talks about her experience with Kessel Run, and now Space Force, spreading a culture of data driven communication.\n\nDisclaimer\n\nThe opinions expressed in this episode are those of Jazmin Furtado, our presenter, and do not necessarily reflect those of the Department of Defense, U.S. Air Force, or U.S. Space Force.\n\nEpisode Table of Contents\n\n[00:40] Captain Jazmin Furtado of the US Space Force\n[11:19] The Important Contribution of Kessel Run\n[19:34] Learning From the Kessel Run Role\n\nEpisode Links and Resources\n\nJazmin Furtado LinkedIn\nSpaceForce Website\nSquid Game\nTed Lasso\nPhoenix Project\n\nCaptain Jazmin Furtado of the US Space Force\n\nCarolyn: Our guest this morning is Captain Jazmin Furtado. She’s a military officer with the US Space Force and a data science and artificial intelligence leader. Before joining the Space Force, Jazmin worked as a military officer for the United States Air Force for over four years. The information expressed in this episode are those of Jazmin, our presenter. They do not necessarily reflect those of the Department of Defense, US Air Force, or US Space Force.\n\nSo Jazmin, talk to us a little bit about your journey.
How you started with the Air Force, what you did there and how you ended up with the US Space Force.\n\nJazmin: I went to the Air Force Academy and graduated there in 2016. The reason I entered was because the challenge was very enticing to me. I like the idea of being challenged, not just academically, but also militarily and physically. There was a big focus on leadership that I think is pretty invaluable. After I graduated from there, I was able to go to MIT and continue with my degree in operations research. I got my master's there.\n\nAfterwards, I am a program manager in the military in the Air Force. That's a little bit of a different background than most program managers have in the military. A lot of times you'll have a management background or an economics background but I had more of a tech background. The military is trying to figure out what to do with me for a little bit.\n\nFrom a Traditional Program to Kessel Run\n\nJazmin: After a year of being in a more traditional program management role, I was pulled into Kessel Run. I was there for two years. So I was plopped into that organization just to do AI because I had some sort of background. One thing about this space and you see this in a lot of the organizations like Kessel Run, is that you just figure things out as you go. You're put there with a very vague job description and you just have to figure things out.\n\nSo I went in there initially with my operations research cap on knowing stuff about data science, machine learning, and AI. I was like, this is great. Then really quickly realized, that's just the tip of the iceberg in terms of capabilities that are needed to make AI actually applied. You need to put in, invest in the other 90% of the iceberg, which is the data infrastructure and that architecture piece.\n\nI spent a lot of time, the two years I was at Kessel Run, building a data portfolio. It consists of data scientists, software developers, and data engineers to build the things needed for analytics.
That was really the goal there. When the Space Force was created, I had the opportunity to move over. I put my name in the hat because I really liked the idea of space.\n\nI've always been inspired by space. I wanted to be an astronaut when I first graduated from high school. I've been very inspired by Star Trek. I have a little Star Trek thing I drew over my desk to remind me of where I came from, Star Trek.\n\nKessel Run Is a Star Wars Thing\n\nJazmin: Kessel Run is a Star Wars thing, but I will forgive them for that. But now in the Space Force, I was very excited. It's just such an inspirational place to be. It's like The Next Frontier. And to be able to influence that branch from the start, I thought it was a really great opportunity. The amount of data that we're developing, that we're gathering from space is also very tremendous.\n\nThere was really no reason for me to say no. So that's how I got to the Space Force. I've been here for a couple of months. I'm really like a sponge gathering a whole lot of information about our space operations. Yes, I'm really enjoying it so far.\n\nMark: You talked about Kessel Run where you started out in the Air Force. Many of our listeners probably won't know what that means. Can you describe a little bit about what that is and what Kessel Run actually does? Then we'll talk about Star Wars.\n\nCarolyn: Kessel Run, I know it's a software factory but I don't even really know what that means. I just know the buzzwords.\n\nJazmin: Software factory is definitely a term that's put out there. Kessel Run is a software development organization within the Air Force that develops software for airmen. So it's code, it's applications that are built by and coded by government, civilians, military, contractors. It's all government-owned. We own all the applications, we own our own data.
Kessel Run doesn't just create the code for the applications, they also build the platform that those applications reside on.\n\nWhat Gives Kessel Run the Ability to Deploy Applications\n\nJazmin: They are responsible for the different environments, the development environment, and the production environment for these applications. The pipelines to deploy these applications to production, they are responsible for the security behind all these. It's a lot. It is that same analogy with the iceberg, the applications are really the tip of it. A lot of the Kessel Run's offerings come from its platform. That platform is what's given Kessel Run the ability to deploy their applications continuously. It's very iterative.\n\nMark: Is this for military applications and things like that or across the whole spectrum?\n\nCarolyn: Or just on the Air Force? Is there anything on the Kessel Run platform that is not developed by the Air Force? Are there industry applications or code or is it all homegrown?\n\nJazmin: The core of Kessel Run is really homegrown. It's building applications for airmen. So airmen such as schedulers for their famous tanker planning scheduling tool. Where you have tankers that need to be scheduled to be flown for different missions. There's an application that takes that previously manual process of scheduling these aircraft. Putting it to the cloud and making it available and for multiple people to collaborate on the same application. That's a really powerful tool. Tools like that, applications like that that are making the current manual processes digital. Creating digital parity to a lot of things that are done manually right now. It's helping schedulers. We have analysts with people like maintainers, pilots, those airmen. Kessel Run's platform, like the All Domain Common Platform, is used for other applications as well.
It is not its core functionality because that's really for the Kessel Run's applications.\n\nSpace Force Kobayashi Maru\n\nJazmin: But there are other groups that are government entities that are utilizing it to deploy some of their applications as well. I know Space Force Kobayashi Maru is another \"software factory\" for lack of a better term here. It uses that platform to deploy its products. Their applications are more space-specific, so space operators, satellite operators.\n\nMark: It seems that Kessel Run has set themselves up to operate and go to market so to speak as a commercial organization. They have a CEO and a CFO. Is that by design or is that a cultural thing?\n\nJazmin: It definitely is designed to be more of a disrupter in the space to introduce a new way of acquiring software. Kessel Run is an acquisitions program office. So they're acquiring software, just happens to be one that they're building themselves. Kessel Run's put together because there is a thought that we can do software acquisition better, faster. We don't have to follow this waterfall method.\n\nAs a result of the idea that we need to go fast, that created the startup mentality, flat organization. That's where these concepts from industry have been brought into the startup world, and have been brought into the government space. That is how you're seeing the different roles or the parallel roles that you don't see traditionally in military units.\n\nCarolyn: It almost sounds like Kessel Run was born out of the need for culture change. Like the acquisitions process is a painful process antiquated. You're telling me that Kessel Run turned that on its head? Did it work?\n\nMark: It did work.\n\nThe Important Contribution of Kessel Run\n\nJazmin: It should work. I don't know if you could say that at the end of day. It is a process. It's going to take a lot to create change. The most important thing that Kessel Run has contributed is that cultural piece. The fact that we need to value ideas over rank in acquisitions.
I'm very much a proponent of that. We can no longer afford to have people at a table and only listen to the highest-ranking officers.\n\nBecause we have people with relevant experiences that are coming through the ranks that maybe are actually more relevant in some cases than people that have come from different backgrounds than those that have made it to higher ranks in the military and now are overseeing a unit that may not be something that they are used to commanding. It's not a field that they're well versed in.\n\nWe need to be able to listen to all the voices in the room. That's something that I have really appreciated and I've really thrived in the military. Having that experience at Kessel Run, I've been very fortunate to have that as a military experience. I know that's not the same for everyone. The goodness that has been created in Kessel Run needs to be replicated elsewhere.\n\nThat cultural shift, that's really where the value proposition in Kessel Run comes from. It’s this lighthouse in a sense of another way of doing things, creating the documentation, the processes. Improving that out so that other units can start to adopt, at least in piecemeal, these different things that make up that Kessel Run culture.\n\nThe Old Ways of Doing Things\n\nCarolyn: Is there an effort to do that right now, to share this? The wisdom of the many is coming to the table here with Kessel Run. Then the next piece of that, it's hard to share something like that. To get it to take in other places, especially where we're so entrenched in the old ways of doing things. Is there a committee, a group that's tasked with sharing these ideas?\n\nJazmin: I'm not sure if it's a committee. The military already has sort of a natural way of sharing knowledge. Its officers and its military members are moving every few years from base to base. That's how a lot of goodness has been spread. A lot of the upcoming hubs, these innovation hubs, a lot of its members have come from places like Kessel Run.
Kobayashi Maru for example on the Space Force side was really started and put together by a core crew of ex-Kessel Run members.\n\nWe see the same thing over in Colorado Springs with Space CAMP. Even Platform One, AF Works, Space Works, all these innovation groups. What I've seen recently in my own professional development is that there's two tracks you can go down now. There's like the more traditional track where you're a military member. You have knowledge of a lot of things but you're really a master of none. There's also this new track that's forming that's a digital transformation track. They try to keep these people that have these experiences in these hubs. Keep them in the space so that they can share that goodness, that digital transformation goodness to other units.\n\nAI’s Role in the Space Force\n\nCarolyn: Speaking of the digital transformation, I want to shift gears towards AI. There's a lot of talk around it. We just had a big report that came out. I'm wondering how important it is, what role it's playing in the Space Force.\n\nJazmin: It's been talked about a lot. A lot of senior leaders, especially in the Space Force, are talking about how we need to leverage innovation. We need to leverage technology like artificial intelligence and we need to take this opportunity in developing a new branch. Really just becoming the digital leader of the military. That's really something that the Space Force has embodied and just a message they're putting out. It's very exciting.\n\nThere is so much potential for artificial intelligence in the Space Force. Think of all of the data that we're gathering on a regular basis, every second from all of our space assets. That's a lot of information. Being able to harness the power of that in starting a new branch is not like turning a new link. It's what really puts the Space Force in a really great position. We don't need to adopt the things that were already status quo from the Air Force.
We can start over again, we can start fresh.\n\nThat jumpstart is a really powerful thing. Not a lot of branches can say that, \"Starting August, or whatever this month, this day, we are now looking at everything with fresh new eyes. Looking at everything from soup to nuts with fresh eyes.\" Not a lot of branches get that. That's one of the reasons why I joined the Space Force, because of opportunity.\n\nCreating a Digital Parity\n\nJazmin: Artificial intelligence in the Space Force is going to play a similar role that it does in many other industries. It’s creating more automated and augmented ways of doing things. Creating this digital parity to what may be done manually right now. How do we make our operators' jobs easier?\n\nWith the proliferation, with the increase of space assets that we are now seeing, our operators are getting inundated with things they can't keep up. How do we make their jobs easier through automation? That's really where the power of AI is going to come in.\n\nMark: A lot of people think of the Air Force as one of the leaders in the digital transformation or technology. They're in front of the other branches of the military being innovators. It's exciting to hear your thoughts about the Space Force and where they're going with that.\n\nCarolyn: Is the Space Force part of the Air Force? Is it its own branch?\n\nJazmin: The Space Force is the newest branch, but it's falling under the Air Force. The same way that the Marines fall under the Navy, that's how the Space Force is falling under the Air Force. The Space Force really just was previous space units within the Air Force. They just rebranded them to be Space Force units now. Eventually, we'll grow into additional units that didn't previously fall under the Air Force.\n\nMark: You've only been in the Space Force for a short while. You talk about the collaboration of Kessel Run on the Air Force side. Bringing together the industry and the government, all these different pieces and parts to collaborate.
How have you seen that happen in the Space Force, the bringing of the industry and the government together?\n\nLearning From the Kessel Run Role\n\nJazmin: The Air Force has been doing this, all the services have been doing this well. We're continuing to try to increase our collaborations with industry. I've actually participated in the fellowship with industry. I was with SpaceX for three months where I worked with them. It’s because I needed to learn in this Kessel Run role that I was in and how to create a data portfolio.\n\nI had no formal experience in being a system architect and understanding what role data folks need to play in the organization. So I went to SpaceX to learn how they approach artificial intelligence, what support they have to oversee these types of capabilities, and just overall to get an idea of how their organization culturally approaches data and artificial intelligence. So I gained a lot from that experience.\n\nThere's a lot of those smaller-scale collaborations where military members are learning from industry and bringing that back. Upskilling our own workforce to learn what is the most cutting edge or what's the newest to do or way to do things. Or just to see another perspective, see another point of view, just to see what another possibility may be to run things. Those are really beneficial. We have defense ventures, education with industry, those sorts of things.\n\nBut from an industry to government, more from a capability application perspective, that's always been so tricky. That's the topic that's constantly brought up. It's so difficult for some small companies to make their way into the government. That's something that we're going to continue to try to better that relationship. There's that whole valley of death where we need to invest in these smaller companies.\n\nGive Them a Shot of Kessel Run\n\nJazmin: Give them a shot because these non-traditional companies are how we're getting these cutting-edge technologies.
But we do need to make these processes more transparent. It's not just to the companies. The companies will do their due diligence of figuring out how they need to make their way and utilizing those resources. I've definitely seen that being leveraged quite often by industry.\n\nWhat I think we need to spend more time on is in educating our military members and our government members on that process. Not everyone is aware. If someone were to go and approach them, be like, \"My technology may be valuable for your use case,\" most people don't know where to point them or where they are in the process. A lot of members don't know the direction of phase one, phase two, phase three.\n\nDepending on where you are, you may not need to. You're an operator or you're not an acquisition. But there needs to be more education around that. A better guidance given to military members on how to help these companies navigate the DoD. It's such a vague organization, it's impossible to navigate. The more people that know about the process, the higher probability of success of the company being able to find a valid user.\n\nCarolyn: We've got tech talk questions. Our last few questions are just pretty quick answers. Tell me what inspires you now. We know you're a Trekkie. I would love to know what you are watching or reading about in the Trekkie realm. Just in general too, what inspires you? What do you do for your downtime fun or inspires you for work?\n\nSquid Game\n\nJazmin: What's all the rage now is Squid Game. I don't know if you've watched that.\n\nCarolyn: I've just heard about that.\n\nMark: It'll freak you out. I'm watching it now and it's intense.\n\nCarolyn: I heard about the premise and I was like, \"No. I'm sticking with Ted Lasso.\"\n\nMark: You know why? It's not Ted Lasso.\n\nJazmin: So Squid Game, it was very stimulating.","content_html":"

Find out how the DoD's Kessel Run Office is digitalizing longtime manual processes through AI, taking the military to the next level of its digital transformation. Listen as Captain Jazmin Furtado talks about her experience with Kessel Run, and now Space Force, spreading a culture of data driven communication.

Disclaimer

The opinions expressed in this episode are those of Jazmin Furtado, our presenter, and do not necessarily reflect those of the Department of Defense, U.S. Air Force, or U.S. Space Force.

Episode Table of Contents

  • [00:40] Captain Jazmin Furtado of the US Space Force
  • [11:19] The Important Contribution of Kessel Run
  • [19:34] Learning From the Kessel Run Role

Captain Jazmin Furtado of the US Space Force

Carolyn: Our guest this morning is Captain Jazmin Furtado. She’s a military officer with the US Space Force and a data science and artificial intelligence leader. Before joining the Space Force, Jazmin worked as a military officer for the United States Air Force for over four years.

The information expressed in this episode are those of Jazmin, our presenter. They do not necessarily reflect those of the Department of Defense, US Air Force, or US Space Force.

So Jazmin, talk to us a little bit about your journey. How you started with the Air Force, what you did there and how you ended up with the US Space Force.

Jazmin: I went to the Air Force Academy and graduated there in 2016. The reason I entered was because the challenge was very enticing to me. I like the idea of being challenged, not just academically, but also militarily and physically. There was a big focus on leadership that I think is pretty invaluable. After I graduated from there, I was able to go to MIT and continue with my degree in operations research. I got my master's there.

Afterwards, I am a program manager in the military in the Air Force. That's a little bit of a different background than most program managers have in the military. A lot of times you'll have a management background or an economics background but I had more of a tech background. The military is trying to figure out what to do with me for a little bit.

From a Traditional Program to Kessel Run

Jazmin: After a year of being in a more traditional program management role, I was pulled into Kessel Run. I was there for two years. So I was plopped into that organization just to do AI because I had some sort of background. One thing about this space and you see this in a lot of the organizations like Kessel Run, is that you just figure things out as you go. You're put there with a very vague job description and you just have to figure things out.

So I went in there initially with my operations research cap on knowing stuff about data science, machine learning, and AI. I was like, this is great. Then really quickly realized, that's just the tip of the iceberg in terms of capabilities that are needed to make AI actually applied. You need to put in, invest in the other 90% of the iceberg, which is the data infrastructure and that architecture piece.

I spent a lot of time, the two years I was at Kessel Run, building a data portfolio. It consists of data scientists, software developers, and data engineers to build the things needed for analytics. That was really the goal there. When the Space Force was created, I had the opportunity to move over. I put my name in the hat because I really liked the idea of space.

I've always been inspired by space. I wanted to be an astronaut when I first graduated from high school. I've been very inspired by Star Trek. I have a little Star Trek thing I drew over my desk to remind me of where I came from, Star Trek.

Kessel Run Is a Star Wars Thing

Jazmin: Kessel Run is a Star Wars thing, but I will forgive them for that. But now in the Space Force, I was very excited. It's just such an inspirational place to be. It's like The Next Frontier. And to be able to influence that branch from the start, I thought it was a really great opportunity. The amount of data that we're developing, that we're gathering from space is also very tremendous.

There was really no reason for me to say no. So that's how I got to the Space Force. I've been here for a couple of months. I'm really like a sponge gathering a whole lot of information about our space operations. Yes, I'm really enjoying it so far.

Mark: You talked about Kessel Run where you started out in the Air Force. Many of our listeners probably won't know what that means. Can you describe a little bit about what that is and what Kessel Run actually does? Then we'll talk about Star Wars.

Carolyn: Kessel Run, I know it's a software factory but I don't even really know what that means. I just know the buzzwords.

Jazmin: Software factory is definitely a term that's put out there. Kessel Run is a software development organization within the Air Force that develops software for airmen. So it's code, it's applications that are built by and coded by government, civilians, military, contractors. It's all government-owned. We own all the applications, we own our own data. Kessel Run doesn't just create the code for the applications, they also build the platform that those applications reside on.

What Gives Kessel Run the Ability to Deploy Applications

Jazmin: They are responsible for the different environments, the development environment, and the production environment for these applications. The pipelines to deploy these applications to production, they are responsible for the security behind all these. It's a lot. It is that same analogy with the iceberg, the applications are really the tip of it. A lot of the Kessel Run's offerings come from its platform. That platform is what's given Kessel Run the ability to deploy their applications continuously. It's very iterative.

Mark: Is this for military applications and things like that or across the whole spectrum?

Carolyn: Or just on the Air Force? Is there anything on the Kessel Run platform that is not developed by the Air Force? Are there industry applications or code or is it all homegrown?

Jazmin: The core of Kessel Run is really homegrown. It's building applications for airmen. So airmen such as schedulers for their famous tanker planning scheduling tool. Where you have tankers that need to be scheduled to be flown for different missions. There's an application that takes that previously manual process of scheduling these aircraft. Putting it to the cloud and making it available and for multiple people to collaborate on the same application.

That's a really powerful tool. Tools like that, applications like that that are making the current manual processes digital. Creating digital parity to a lot of things that are done manually right now. It's helping schedulers. We have analysts with people like maintainers, pilots, those airmen. Kessel Run's platform, like the All Domain Common Platform, is used for other applications as well. It is not its core functionality because that's really for the Kessel Run's applications.

Space Force Kobayashi Maru

Jazmin: But there are other groups that are government entities that are utilizing it to deploy some of their applications as well. I know Space Force Kobayashi Maru is another "software factory" for lack of a better term here. It uses that platform to deploy its products. Their applications are more space-specific, so space operators, satellite operators.

Mark: It seems that Kessel Run has set themselves up to operate and go to market so to speak as a commercial organization. They have a CEO and a CFO. Is that by design or is that a cultural thing?

Jazmin: It definitely is designed to be more of a disrupter in the space to introduce a new way of acquiring software. Kessel Run is an acquisitions program office. So they're acquiring software, just happens to be one that they're building themselves. Kessel Run's put together because there is a thought that we can do software acquisition better, faster. We don't have to follow this waterfall method.

As a result of the idea that we need to go fast, that created the startup mentality, flat organization. That's where these concepts from industry have been brought into the startup world, and have been brought into the government space. That is how you're seeing the different roles or the parallel roles that you don't see traditionally in military units.

Carolyn: It almost sounds like Kessel Run was born out of the need for culture change. Like the acquisitions process is a painful process antiquated. You're telling me that Kessel Run turned that on its head? Did it work?

Mark: It did work.

The Important Contribution of Kessel Run

Jazmin: It should work. I don't know if you could say that at the end of day. It is a process. It's going to take a lot to create change. The most important thing that Kessel Run has contributed is that cultural piece. The fact that we need to value ideas over rank in acquisitions. I'm very much a proponent of that. We can no longer afford to have people at a table and only listen to the highest-ranking officers.

Because we have people with relevant experiences that are coming through the ranks that maybe are actually more relevant in some cases than people that have come from different backgrounds than those that have made it to higher ranks in the military and now are overseeing a unit that may not be something that they are used to commanding. It's not a field that they're well versed in.

We need to be able to listen to all the voices in the room. That's something that I have really appreciated and I've really thrived in the military. Having that experience at Kessel Run, I've been very fortunate to have that as a military experience. I know that's not the same for everyone. The goodness that has been created in Kessel Run needs to be replicated elsewhere.

That cultural shift, that's really where the value proposition in Kessel Run comes from. It’s this lighthouse in a sense of another way of doing things, creating the documentation, the processes. Improving that out so that other units can start to adopt, at least in piecemeal, these different things that make up that Kessel Run culture.

The Old Ways of Doing Things

Carolyn: Is there an effort to do that right now, to share this? The wisdom of the many is coming to the table here with Kessel Run. Then the next piece of that, it's hard to share something like that. To get it to take in other places, especially where we're so entrenched in the old ways of doing things. Is there a committee, a group that's tasked with sharing these ideas?

Jazmin: I'm not sure if it's a committee. The military already has sort of a natural way of sharing knowledge. Its officers and its military members are moving every few years from base to base. That's how a lot of goodness has been spread. A lot of the upcoming hubs, these innovation hubs, a lot of its members have come from places like Kessel Run. Kobayashi Maru for example on the Space Force side was really started and put together by a core crew of ex-Kessel Run members.

We see the same thing over in Colorado Springs with Space CAMP. Even Platform One, AF Works, Space Works, all these innovation groups. What I've seen recently in my own professional development is that there's two tracks you can go down now. There's like the more traditional track where you're a military member. You have knowledge of a lot of things but you're really a master of none.

There's also this new track that's forming that's a digital transformation track. They try to keep these people that have these experiences in these hubs. Keep them in the space so that they can share that goodness, that digital transformation goodness to other units.

AI’s Role in the Space Force

Carolyn: Speaking of the digital transformation, I want to shift gears towards AI. There's a lot of talk around it. We just had a big report that came out. I'm wondering how important it is, what role it's playing in the Space Force.

Jazmin: It's been talked about a lot. A lot of senior leaders, especially in the Space Force, are talking about how we need to leverage innovation. We need to leverage technology like artificial intelligence and we need to take this opportunity in developing a new branch. Really just becoming the digital leader of the military. That's really something that the Space Force has embodied and just a message they're putting out. It's very exciting.

There is so much potential for artificial intelligence in the Space Force. Think of all of the data that we're gathering on a regular basis, every second from all of our space assets. That's a lot of information. Being able to harness the power of that in starting a new branch is not like turning a new link. It's what really puts the Space Force in a really great position. We don't need to adopt the things that were already status quo from the Air Force. We can start over again, we can start fresh.

That jumpstart is a really powerful thing. Not a lot of branches can say that, "Starting August, or whatever this month, this day, we are now looking at everything with fresh new eyes. Looking at everything from soup to nuts with fresh eyes." Not a lot of branches get that. That's one of the reasons why I joined the Space Force, because of opportunity.

Creating a Digital Parity

Jazmin: Artificial intelligence in the Space Force is going to play a similar role that it does in many other industries. It’s creating more automated and augmented ways of doing things. Creating this digital parity to what may be done manually right now. How do we make our operators' jobs easier?

With the proliferation, with the increase of space assets that we are now seeing, our operators are getting inundated with things they can't keep up. How do we make their jobs easier through automation? That's really where the power of AI is going to come in.

Mark: A lot of people think of the Air Force as one of the leaders in the digital transformation or technology. They're in front of the other branches of the military being innovators. It's exciting to hear your thoughts about the Space Force and where they're going with that.

Carolyn: Is the Space Force part of the Air Force? Is it its own branch?

Jazmin: The Space Force is the newest branch, but it's falling under the Air Force. The same way that the Marines fall under the Navy, that's how the Space Force is falling under the Air Force. The Space Force really just was previous space units within the Air Force. They just rebranded them to be Space Force units now. Eventually, we'll grow into additional units that didn't previously fall under the Air Force.

Mark: You've only been in the Space Force for a short while. You talk about the collaboration of Kessel Run on the Air Force side. Bringing together the industry and the government, all these different pieces and parts to collaborate. How have you seen that happen in the Space Force, the bringing of the industry and the government together?

Learning From the Kessel Run Role

Jazmin: The Air Force has been doing this, all the services have been doing this well. We're continuing to try to increase our collaborations with industry. I've actually participated in the fellowship with industry. I was with SpaceX for three months where I worked with them. It’s because I needed to learn in this Kessel Run role that I was in and how to create a data portfolio.

I had no formal experience in being a system architect and understanding what role data folks need to play in the organization. So I went to SpaceX to learn how they approach artificial intelligence, what support they have to oversee these types of capabilities, and just overall to get an idea of how their organization culturally approaches data and artificial intelligence. So I gained a lot from that experience.

There's a lot of those smaller-scale collaborations where military members are learning from industry and bringing that back. Upskilling our own workforce to learn what is the most cutting edge or what's the newest to do or way to do things. Or just to see another perspective, see another point of view, just to see what another possibility may be to run things. Those are really beneficial. We have defense ventures, education with industry, those sorts of things.

But from an industry to government, more from a capability application perspective, that's always been so tricky. That's the topic that's constantly brought up. It's so difficult for some small companies to make their way into the government. That's something that we're going to continue to try to better that relationship. There's that whole valley of death where we need to invest in these smaller companies.

Give Them a Shot of Kessel Run

Jazmin: Give them a shot because these non-traditional companies are how we're getting these cutting-edge technologies. But we do need to make these processes more transparent. It's not just to the companies. The companies will do their due diligence of figuring out how they need to make their way and utilizing those resources. I've definitely seen that being leveraged quite often by industry.

What I think we need to spend more time on is in educating our military members and our government members on that process. Not everyone is aware. If someone were to go and approach them, be like, "My technology may be valuable for your use case," most people don't know where to point them or where they are in the process. A lot of members don't know the direction of phase one, phase two, phase three.

Depending on where you are, you may not need to. You're an operator or you're not an acquisition. But there needs to be more education around that. A better guidance given to military members on how to help these companies navigate the DoD. It's such a vague organization, it's impossible to navigate. The more people that know about the process, the higher probability of success of the company being able to find a valid user.

Carolyn: We've got tech talk questions. Our last few questions are just pretty quick answers. Tell me what inspires you now. We know you're a Trekkie. I would love to know what you are watching or reading about in the Trekkie realm. Just in general too, what inspires you? What do you do for your downtime fun or inspires you for work?

Squid Game

Jazmin: What's all the rage now is Squid Game. I don't know if you've watched that.

Carolyn: I've just heard about that.

Mark: It'll freak you out. I'm watching it now and it's intense.

Carolyn: I heard about the premise and I was like, "No. I'm sticking with Ted Lasso."

Mark: You know why? It's not Ted Lasso.

Jazmin: So Squid Game, it was very stimulating.

","summary":null,"date_published":"2021-11-03T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/a5339564-1ce2-4764-973e-e126e90e0c78.mp3","mime_type":"audio/mpeg","size_in_bytes":22578032,"duration_in_seconds":1611}]},{"id":"8925f179-c7fa-49a5-87db-0dd7e848a34a","title":"Episode 12: Strategize a Secure Foundation with Lonye Ford","url":"https://techtransforms.fireside.fm/12","content_text":"When it comes to industry and government technology, who is the glue that holds it all together? Lonye Ford joins Carolyn and Mark to give her insight on roles and responsibilities within the cybersecurity field. From Lonye's time at the U.S. Air Force help desk, to her current role of CEO at Arlo Solutions, she offers a unique perspective on the cybersecurity career path. #CybersecurityAwarenessMonth\n\nEpisode Table of Contents\n\n[01:02] The Ever-Evolving Landscape of a Secure Foundation\n[09:20] Understanding the Importance of a Secure Foundation\n[16:37] The Secure Foundation of the People\n[26:28] A Secure Foundation Is Void of Decision Fatigue\n\nEpisode Links and Resources: Secure Foundation\n\nLinkedIn\nWebsite\nCalm App\nTraction: Get a Grip on Your Business by Gino Wickman\nThe 7 Habits of Highly Effective People by Stephen Covey\nSoulCycle\n\nThe Ever-Evolving Landscape of a Secure Foundation\n\nCarolyn: Today, we have Lonye Ford, CEO of Arlo Solutions. Lonye served for over 10 years in the U.S. Air Force and was named one of the top 50 in tech visionary at Intercom 2021.\n\nSince it's cybersecurity awareness month, we're super excited to talk to Lonye about her 20-year career in the cybersecurity field. Her experience on both the government and industry teams, and insights on the ever-evolving landscape of government cybersecurity.\n\nLonye: Thank you Carolyn, for having me. Hi, Mark. When I heard the intro, I think I'm going to ask next time to move out with that 20-year experience.
Makes me sound super old.\n\nCarolyn: You caught Mark and I discussing your age because we looked you up on LinkedIn, we're like, there's no way she's been doing this for 20 years.\n\nLonye: I appreciate being invited, so thank you, I'm looking forward to this conversation.\n\nCarolyn: It's October. We have the best holiday of the year, which is Halloween, but also, super important, cybersecurity awareness month. We'd like to start out with you talking about your cybersecurity career journey. Why do you think it's such an important component of our lives?\n\nLonye: Halloween is actually my favorite holiday as well. I have two little ones and so I get all into Halloween.\n\nCarolyn: What's your costume this year?\n\nLonye: We're going to be the Space Jam family and I'm going to be Lola Bunny.\n\nCarolyn: We got Alice in Wonderland theme going on at my house, I will be the Cheshire cat.\n\nA Proud Veteran\n\nLonye: COVID messed Halloween up for me because, we get into it, as far as in our house and a holiday party. We open our bottom floor, so whenever the kids come through, we do a scary, little, haunted house and give. They'll have to come in and have scary movies playing. I missed that, I can't wait till we can open back up that way.\n\nMy journey started in the Air Force, I am a very proud Air Force veteran. When I started at the Air Force, I started at the help desk. I like to tell people I started from the bottom, literally. No offense to help desk technicians, but working on a help desk gave me an amazing place to start. You get experience, visibility just across the gamut.\n\nI’m a service type of person, I like to service people. I am a person that really likes to help in every capacity, so I love the help desk when others hated it. Started at the help desk, then I did more network admin stuff, SOS admin, and network admin. I've been a cable dog, I've pulled cable through buildings.
Then I went on to work for the program offices within the Air Force, doing things still in cybersecurity.\n\nI like to be very specific in what part of cyber I'm in, because cyber is such a huge domain. My focus is more on assessment and authorization of systems, so we started at a system called DITSCAP. It's the way that they used to do it back in the day, and then it matured into a program called DIACAP. Now you hear people talk about RMF, Risk Management Framework, so that's what we're doing now.\n\nA Secure Foundation Focuses on Risk Assessment and Authorization\n\nLonye: So, that was my journey in the Air Force, I got out of the Air Force and I supported the government via contract. I was contracting government, went both ways, but I've supported DOD CIO, Army CIO, and the Air Force CIO. I've also supported some programs at the program office, which I love. But satellite-based systems, telephony, all focused on risk assessment and authorization.\n\nWhat happened in my career is that you start technical. As you mature with cyber, as you increase your skillset and your knowledge, you get to the point where now I'm focusing more on policy, procedures, compliance, building strategies. That's what I really do, that's what my niche is, what I love to do.\n\nI helped build the strategy for the Air Force that's an authorized called the fast track ATO process, doing the same type of thing for department USDA. Working across some of the Air Force, major acquisition programs like the Aircrafts and the F-35s. But now I'm looking at DevSecOps, how do we assess and authorize code? How do we assess and authorize what we're putting on a cloud that may be code that's transitioning over to the aircraft?\n\nMark: Is that what Arlo Solutions is? Is that the primary function of Arlo Solutions?\n\nLonye: It’s what you would consider the sexy part of Arlo solutions. The part that we talk about the most is cyber, but we have more work probably in the Intel space.
We do Intel and cyber security, but even from an Intel perspective, we're still looking at strategy.\n\nThe Strategy Level to Secure Foundation\n\nLonye: We have a contract. It's still personnel security, but the process of how they transition that personnel security over to DOD. So we are still at the strategy level, we have contracts at the Pentagon actually. We still really work, we're advisors to senior leadership.\n\nMark: You started talking a little bit about cybersecurity and the early years of cybersecurity. It seemed like it all started with the network. You did a lot of networking type stuff early and computing and cybersecurity. It seems like it's changed over the last 20 years. Can you talk a little bit about the development or how cybersecurity has grown or advanced?\n\nLonye: First, I would say, cyber is now sexy. People didn't like to see us coming. The focus in the government is call, schedule, and performance. Typically, cyber in the past, they wouldn't send us one of the friendlies. Nira calls more, it really decreases the time, and increases the timeline. It affected the schedule. Many times before we were mature, it could possibly affect the performance. I would say the difference now. Senior leaders didn't like to see us coming, the tech people didn't like to see us coming. We were not usually welcomed, and cyber was an afterthought.\n\nSome of it is because of the cyber security workforce. Back then cyber security focused on NO, I would say everything someone wanted to do. We found NO is insecure, you can't do it. So holistically, we weren't very helpful, it's just my opinion. Now we are integrated into the team. From a maturity perspective, once you're building these programs, cyber security is a tenant that you're going to have to speak to.\n\nUnderstanding the Importance of a Secure Foundation\n\nLonye: People are understanding the importance of cyber now, and that wasn't the case in the past.
Number one, the cyber security workforce has matured in the way that they communicate, and we need to do a much better job. In the past, we may communicate, Hey, AC One! You don't have AC One talking and control and specific cyber jargon, which has not been helpful.\n\nNow it’s starting to learn how to communicate with senior leaders, to help them make decisions. Because you should be posturing your leaders to make risk-based decisions. Not saying no, just saying that this risk is high. But for leaders, it could be okay to accept this high risk because maybe that risk is for 10 seconds. So we have to learn how to communicate risk to senior leaders.\n\nCarolyn: You're tapping into something that a lot of our guests bring up. It's about culture and that you have to find a way, or change. I don't know if it's change the culture, but it has become part of the culture. Look at you now, you have your own domain and the best month of the year.\n\nLonye: Yes, it is. I was going to say culture changed at night, but I didn't want to sound so cliche because that's what's happening. It's difficult. I'll give you an example, I just told you my history. If you think about that, that means I haven't touched technology in years. But I’m the person that's developing a strategy and telling you what the policies are, and what the process is. Do I fully understand Kubernetes? Am I a developer? The answer is no.\n\nThe Risk Management Framework\n\nLonye: So the difference now is we have to learn how to collaborate. These people that have advanced in their career, that's putting out these policies, they have to be able to collaborate with developers. The same, if you look at the risk management framework and any type of framework, and sometimes RMF gets a bad name. But I love it, because it's a framework. 
It's just really how people implement it, but the framework is a really good framework.\n\nThe issue is that we have to integrate the developers, the operations, the decision makers, as you develop these policies and thresholds. We're maturing there, and from a culture perspective, what I'm saying is a lot of issues with ego. Because now in these domains, everyone, they're experts. I have a developer that is an expert, I have an operations person as an expert, I have a cyber person as an expert. These experts don't talk to one another, because they're all the smartest in the room.\n\nCarolyn: How do you do this? How do you facilitate the collaboration and deal with the egos?\n\nLonye: I would say, that's my niche, that's what I do well at, that's what I like actually. You break down those egos. I go in and I'll start the conversation with, I'm not an expert in Kubernetes. I'm not an expert in containers, I'm an expert in my field. You may be an expert in Kubernetes, but I promise you, you're not an expert at what I do.\n\nBreak Down That Ego\n\nLonye: So what we have to do is work together, this is the only way that we're going to do it. I'll break down myself and try to break down that ego so they can understand what we're saying. I see a lot of that, a lot of bickering and back and forth because everyone has their own perspective.\n\nAnd I understand the developers because if I'm a developer, I'm moving fast. Here you come at the end saying, “I've integrated all this cybersecurity”. Now the cyber person’s saying, “Can you give me 50 documents to document what you did? Developers, you're antiquated.” “No, I'm not.” That's what I'm seeing a lot from a cultural perspective.\n\nMark: You talk about culture, and you've seen this from both sides, industry, and government. Can you tell us how you've seen change over the past few years between government and industry?\n\nCarolyn: What does it look like now?\n\nLonye: I'm a very optimistic person, so I'll say that in general, so honest, but very optimistic. 
I'm proud of the government, and what the government is trying to do. I don't think people understand how difficult it is to either change culture, to integrate all of the industry because the government has their own processes and procedures. It's not in compliance to statutory requirements, law, acquisition law.\n\nIt’s very difficult to sometimes integrate more of the smaller, innovative companies into the acquisition process. So, I would start there. I would say from a maturity perspective, I do see the government trying to do innovative things.\n\nSecure Foundation and Streamline the Acquisition Process\n\nLonye: Use the OTA, check and help streamline the acquisition process so that it's more consumable by smaller companies. I do think that they're trying the best way they can to innovate companies outside of the larger defense companies, which is difficult. It's really difficult, but I see them trying. I'm on programs, they're doing SBIRs, they are finding different ways to integrate.\n\nFrom an industry perspective, I see more of a partnership. I see the government trying to be more open. In the past, the government has stayed away from even having a lot of conversations with industry because there's a lot of rules. For industry, I can't go out to the government. I can't buy them a meal if it's over $25, I can buy my friend a meal. I'm not bragging.\n\nCarolyn: I hear you, I feel that pain.\n\nLonye: So many rules stand in the way of open collaboration because everything has to be fair competition. You can't give that perspective to anyone that is not. It could be, I just want to talk to the industry about this issue. I just really want to be open and tell you, this is my problem. The government has not been comfortable doing that in the past.\n\nThey're starting to, more freely, open up those lines of communication. It's not for around upon, so I do think that, that's the difference with industry. 
Another way that we have to mature, in my opinion, is that the industry likes to throw tools at problems. They like to scale the government, all these different tools, and a tool that can answer all of your problems.\n\nThe Secure Foundation of the People\n\nLonye: But if you don't have the foundation of the people in the process, those tools do not work. They don't, you have to be configured right. You have to have the right people that can run these tools, they have to make sure they are interoperable. That's an area that industry has to continue to mature in, because the government doesn't always have the workforce to consume your tools. You're talking about huge enterprises.\n\nThat's an area that industry can mature in, and that's an area that we focus on. I don't sell tools and I'm trying to be very non-biased on tools. I'm looking more so at the capability. The work that I like to do is really to team with the government, to work on behalf of the government. To team with the government versus coming in as a new industry selling something like a tool.\n\nCarolyn: Often, we have the tool, we have the features in existing tools. But rather than figure out how to use it, we're like, let's just throw a new one at it. That's so frustrating. On a macro level, it sounds like government's getting better at diversity with smaller, innovative industry companies. What about on a micro level? So within your teams, how are you managing the need for diversity? Just on the people level or do you see that as a need?\n\nLonye: From a diversity perspective, it goes back to, you have to have a diverse team now. The domain is so much larger than it used to be, the internet of things.\n\nWhen There’s a Secure Foundation, Everything Is Connecting\n\nLonye: You know, everything is connecting, it's so many different types of technologies and tools. Your team has to be set up sometimes for people that understand strategy. 
People that can understand that you want to do these cool things, and I'll come in in this case sometimes.\n\nBut how do I cross-map this to the requirements, the compliance, the statutory law, and make sure that you're covered from that perspective? How do you integrate these cool things that you want to do into current processes and procedures and laying out roles and responsibilities. You need a person that can do that. But then, you also have to have diversity from a person that understands technology.\n\nYou have to have diversity from a person who's going to use it, the user community, or the operations community. From a thought leadership perspective, you really truly need a diverse team. Technology is moving so quickly, every week there's a new technology. You really have to have folks that understand that, and those typically are not the people that's been in this domain for a long time. They graduated from the technology part.\n\nMark: Do you see the recognition of this across customers? Or you have to go out and make that happen?\n\nLonye: Make it happen. I will almost consider myself a cyber security integrator and that's not necessarily a domain. The government is not saying I want to hire a cyber integrator, they hire technology integrators. The issue the government is having, to me and some of these major programs, is the acquisition process. The way that the acquisition process is working now.\n\nA Secure Foundation Needs an Integrator\n\nLonye: We may have a company that comes in and focuses on infrastructure or building a cloud. You may have another company that's coming and doing the pipeline work. Then you have another company that's coming in, maybe doing integration of that. Another company comes in and does O and M, so that's doing maintenance. You have another company that's coming in that's doing cyber.\n\nThey're on all different contracts. They are supporting the same client and there's a lot of integration. So you miss that. 
There has to be an integrator that truly focuses on, maybe technology integration, but then they crosswalk the contracts. Some companies are very specific about what's in their statement of work. So if the government is not very tight on contractual actions and acquisition upfront before the company even comes, they have failed.\n\nIt's a failure because of those gaps there, no one is going to fill it. A lot of times, bless the government but, you may not have a strong program manager in some of these programs that can talk across all that technology, or can do that integration as well. As we continue to mature on being diverse in all the different companies that we bring in, the government has to really focus on acquisition, and how we integrate those.\n\nMark: That's no easy problem.\n\nCarolyn: Let's move to our tech talk questions. Our tech talk...","content_html":"

When it comes to industry and government technology, who is the glue that holds it all together? Lonye Ford joins Carolyn and Mark to give her insight on roles and responsibilities within the cybersecurity field. From Lonye's time at the U.S. Air Force help desk, to her current role of CEO at Arlo Solutions, she offers a unique perspective on cybersecurity career path. #CybersecurityAwarenessMonth

Episode Table of Contents

  • [01:02] The Ever-Evolving Landscape of a Secure Foundation
  • [09:20] Understanding the Importance of a Secure Foundation
  • [16:37] The Secure Foundation of the People
  • [26:28] A Secure Foundation Is Void of Decision Fatigue

Episode Links and Resources: Secure Foundation


The Ever-Evolving Landscape of a Secure Foundation

Carolyn: Today, we have Lonye Ford, CEO of Arlo Solutions. Lonye served for over 10 years in the U.S. Air Force and was named one of the top 50 in tech visionary at Intercom 2021.

Since it's cybersecurity awareness month, we're super excited to talk to Lonye about her 20-year career in the cybersecurity field. Her experience on both the government and industry teams, and insights on the ever-evolving landscape of government cybersecurity.

Lonye: Thank you Carolyn, for having me. Hi, Mark. When I heard the intro, I think I'm going to ask next time to move out with that 20-year experience. Makes me sound super old.

Carolyn: You caught Mark and I discussing your age because we looked you up on LinkedIn, we're like, there's no way she's been doing this for 20 years.

Lonye: I appreciate being invited, so thank you, I'm looking forward to this conversation.

Carolyn: It's October. We have the best holiday of the year, which is Halloween, but also, super important, cybersecurity awareness month. We'd like to start out with you talking about your cybersecurity career journey. Why do you think it's such an important component of our lives?

Lonye: Halloween is actually my favorite holiday as well. I have two little ones and so I get all into Halloween.

Carolyn: What's your costume this year?

Lonye: We're going to be the Space Jam family and I'm going to be Lola Bunny.

Carolyn: We got Alice in Wonderland theme going on at my house, I will be the Cheshire cat.

A Proud Veteran

Lonye: COVID messed Halloween up for me because, we get into it, as far as in our house and a holiday party. We open our bottom floor, so whenever the kids come through, we do a scary, little, haunted house and give. They'll have to come in and have scary movies playing. I missed that, I can't wait till we can open back up that way.

My journey started in the Air Force, I am a very proud Air Force veteran. When I started at the Air Force, I started at the help desk. I like to tell people I started from the bottom, literally. No offense to help desk technicians, but working on a help desk gave me an amazing place to start. You get experience, visibility just across the gamut.

I’m a service type of person, I like to service people. I am a person that really likes to help in every capacity, so I love the help desk when others hated it. Started at the help desk, then I did more network admin stuff, SOS admin, and network admin. I've been a cable dog, I've pulled cable through buildings. Then I went on to work for the program offices within the Air Force, doing things still in cybersecurity.

I like to be very specific in what part of cyber I'm in, because cyber is such a huge domain. My focus is more on assessment and authorization of systems, so we started at a system called DITSCAP. It's the way that they used to do it back in the day, and then it matured into a program called DIACAP. Now you hear people talk about RMF, Risk Management Framework, so that's what we're doing now.

A Secure Foundation Focuses on Risk Assessment and Authorization

Lonye: So, that was my journey in the Air Force, I got out of the Air Force and I supported the government via contract. I was contracting government, went both ways, but I've supported DOD CIO, Army CIO, and the Air Force CIO. I've also supported some programs at the program office, which I love. But satellite-based systems, telephony, all focused on risk assessment and authorization.

What happened in my career is that you start technical. As you mature with cyber, as you increase your skillset and your knowledge, you get to the point where now I'm focusing more on policy, procedures, compliance, building strategies. That's what I really do, that's what my niche is, what I love to do.

I helped build the strategy for the Air Force that's an authorized called the fast track ATO process, doing the same type of thing for department USDA. Working across some of the Air Force, major acquisition programs like the Aircrafts and the F-35s. But now I'm looking at DevSecOps, how do we assess and authorize code? How do we assess and authorize what we're putting on a cloud that may be code that's transitioning over to the aircraft?

Mark: Is that what Arlo Solutions is? Is that the primary function of Arlo Solutions?

Lonye: It’s what you would consider the sexy part of Arlo Solutions. The part that we talk about the most is cyber, but we have more work probably in the Intel space. We do Intel and cyber security, but even from an Intel perspective, we're still looking at strategy.

The Strategy Level to Secure Foundation

Lonye: We have a contract. It's still personnel security, but the process of how they transition that personnel security over to DOD. So we are still at the strategy level, we have contracts at the Pentagon actually. We still really work, we're advisors to senior leadership.

Mark: You started talking a little bit about cybersecurity and the early years of cybersecurity. It seemed like it all started with the network. You did a lot of networking type stuff early and computing and cybersecurity. It seems like it's changed over the last 20 years. Can you talk a little bit about the development or how cybersecurity has grown or advanced?

Lonye: First, I would say, cyber is now sexy. People didn't like to see us coming. The focus in the government is cost, schedule, and performance. Typically, cyber in the past, they wouldn't send us one of the friendlies. Nira calls more, it really decreases the time, and increases the timeline. It affected the schedule. Many times before we were mature, it could possibly affect the performance. I would say the difference now. Senior leaders didn't like to see us coming, the tech people didn't like to see us coming. We were not usually welcomed, and cyber was an afterthought.

Some of it is because of the cyber security workforce. Back then cyber security focused on NO, I would say everything someone wanted to do. We found NO is insecure, you can't do it. So holistically, we weren't very helpful, it's just my opinion. Now we are integrated into the team. From a maturity perspective, once you're building these programs, cyber security is a tenet that you're going to have to speak to.

Understanding the Importance of a Secure Foundation

Lonye: People are understanding the importance of cyber now, and that wasn't the case in the past. Number one, the cyber security workforce has matured in the way that they communicate, and we need to do a much better job. In the past, we may communicate, Hey, AC One! You don't have AC One talking and control and specific cyber jargon, which has not been helpful.

Now it’s starting to learn how to communicate with senior leaders, to help them make decisions. Because you should be posturing your leaders to make risk-based decisions. Not saying no, just saying that this risk is high. But for leaders, it could be okay to accept this high risk because maybe that risk is for 10 seconds. So we have to learn how to communicate risk to senior leaders.

Carolyn: You're tapping into something that a lot of our guests bring up. It's about culture and that you have to find a way, or change. I don't know if it's change the culture, but it has become part of the culture. Look at you now, you have your own domain and the best month of the year.

Lonye: Yes, it is. I was going to say culture changed at night, but I didn't want to sound so cliche because that's what's happening. It's difficult. I'll give you an example, I just told you my history. If you think about that, that means I haven't touched technology in years. But I’m the person that's developing a strategy and telling you what the policies are, and what the process is. Do I fully understand Kubernetes? Am I a developer? The answer is no.

The Risk Management Framework

Lonye: So the difference now is we have to learn how to collaborate. These people that have advanced in their career, that's putting out these policies, they have to be able to collaborate with developers. The same, if you look at the risk management framework and any type of framework, and sometimes RMF gets a bad name. But I love it, because it's a framework. It's just really how people implement it, but the framework is a really good framework.

The issue is that we have to integrate the developers, the operations, the decision makers, as you develop these policies and thresholds. We're maturing there, and from a culture perspective, what I'm saying is a lot of issues with ego. Because now in these domains, everyone, they're experts. I have a developer that is an expert, I have an operations person as an expert, I have a cyber person as an expert. These experts don't talk to one another, because they're all the smartest in the room.

Carolyn: How do you do this? How do you facilitate the collaboration and deal with the egos?

Lonye: I would say, that's my niche, that's what I do well at, that's what I like actually. You break down those egos. I go in and I'll start the conversation with, I'm not an expert in Kubernetes. I'm not an expert in containers, I'm an expert in my field. You may be an expert in Kubernetes, but I promise you, you're not an expert at what I do.

Break Down That Ego

Lonye: So what we have to do is work together, this is the only way that we're going to do it. I'll break down myself and try to break down that ego so they can understand what we're saying. I see a lot of that, a lot of bickering and back and forth because everyone has their own perspective.

And I understand the developers because if I'm a developer, I'm moving fast. Here you come at the end saying, “I've integrated all this cybersecurity”. Now the cyber person’s saying, “Can you give me 50 documents to document what you did? Developers, you're antiquated.” “No, I'm not.” That's what I'm seeing a lot from a cultural perspective.

Mark: You talk about culture, and you've seen this from both sides, industry, and government. Can you tell us how you've seen change over the past few years between government and industry?

Carolyn: What does it look like now?

Lonye: I'm a very optimistic person, so I'll say that in general, so honest, but very optimistic. I'm proud of the government, and what the government is trying to do. I don't think people understand how difficult it is to either change culture, to integrate all of the industry because the government has their own processes and procedures. It's not in compliance to statutory requirements, law, acquisition law.

It’s very difficult to sometimes integrate more of the smaller, innovative companies into the acquisition process. So, I would start there. I would say from a maturity perspective, I do see the government trying to do innovative things.

Secure Foundation and Streamline the Acquisition Process

Lonye: Use the OTA, check and help streamline the acquisition process so that it's more consumable by smaller companies. I do think that they're trying the best way they can to innovate companies outside of the larger defense companies, which is difficult. It's really difficult, but I see them trying. I'm on programs, they're doing SBIRs, they are finding different ways to integrate.

From an industry perspective, I see more of a partnership. I see the government trying to be more open. In the past, the government has stayed away from even having a lot of conversations with industry because there's a lot of rules. For industry, I can't go out to the government. I can't buy them a meal if it's over $25, I can buy my friend a meal. I'm not bragging.

Carolyn: I hear you, I feel that pain.

Lonye: So many rules stand in the way of open collaboration because everything has to be fair competition. You can't give that perspective to anyone that is not. It could be, I just want to talk to the industry about this issue. I just really want to be open and tell you, this is my problem. The government has not been comfortable doing that in the past.

They're starting to, more freely, open up those lines of communication. It's not for around upon, so I do think that, that's the difference with industry. Another way that we have to mature, in my opinion, is that the industry likes to throw tools at problems. They like to scale the government, all these different tools, and a tool that can answer all of your problems.

The Secure Foundation of the People

Lonye: But if you don't have the foundation of the people in the process, those tools do not work. They don't, you have to be configured right. You have to have the right people that can run these tools, they have to make sure they are interoperable. That's an area that industry has to continue to mature in, because the government doesn't always have the workforce to consume your tools. You're talking about huge enterprises.

That's an area that industry can mature in, and that's an area that we focus on. I don't sell tools and I'm trying to be very non-biased on tools. I'm looking more so at the capability. The work that I like to do is really to team with the government, to work on behalf of the government. To team with the government versus coming in as a new industry selling something like a tool.

Carolyn: Often, we have the tool, we have the features in existing tools. But rather than figure out how to use it, we're like, let's just throw a new one at it. That's so frustrating. On a macro level, it sounds like government's getting better at diversity with smaller, innovative industry companies. What about on a micro level? So within your teams, how are you managing the need for diversity? Just on the people level or do you see that as a need?

Lonye: From a diversity perspective, it goes back to, you have to have a diverse team now. The domain is so much larger than it used to be, the internet of things.

When There’s a Secure Foundation, Everything Is Connecting

Lonye: You know, everything is connecting, it's so many different types of technologies and tools. Your team has to be set up sometimes for people that understand strategy. People that can understand that you want to do these cool things, and I'll come in in this case sometimes.

But how do I cross-map this to the requirements, the compliance, the statutory law, and make sure that you're covered from that perspective? How do you integrate these cool things that you want to do into current processes and procedures and laying out roles and responsibilities. You need a person that can do that. But then, you also have to have diversity from a person that understands technology.

You have to have diversity from a person who's going to use it, the user community, or the operations community. From a thought leadership perspective, you really truly need a diverse team. Technology is moving so quickly, every week there's a new technology. You really have to have folks that understand that, and those typically are not the people that's been in this domain for a long time. They graduated from the technology part.

Mark: Do you see the recognition of this across customers? Or you have to go out and make that happen?

Lonye: Make it happen. I will almost consider myself a cyber security integrator and that's not necessarily a domain. The government is not saying I want to hire a cyber integrator, they hire technology integrators. The issue the government is having, to me and some of these major programs, is the acquisition process. The way that the acquisition process is working now.

A Secure Foundation Needs an Integrator

Lonye: We may have a company that comes in and focuses on infrastructure or building a cloud. You may have another company that's coming and doing the pipeline work. Then you have another company that's coming in, maybe doing integration of that. Another company comes in and does O and M, so that's doing maintenance. You have another company that's coming in that's doing cyber.

They're on all different contracts. They are supporting the same client and there's a lot of integration. So you miss that. There has to be an integrator that truly focuses on, maybe technology integration, but then they crosswalk the contracts. Some companies are very specific about what's in their statement of work. So if the government is not very tight on contractual actions and acquisition upfront before the company even comes, they have failed.

It's a failure because of those gaps there, no one is going to fill it. A lot of times, bless the government but, you may not have a strong program manager in some of these programs that can talk across all that technology, or can do that integration as well. As we continue to mature on being diverse in all the different companies that we bring in, the government has to really focus on acquisition, and how we integrate those.

Mark: That's no easy problem.

Carolyn: Let's move to our tech talk questions. Our tech talk...

","summary":null,"date_published":"2021-10-20T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/1d895fb9-a2ad-4773-8790-ee7cec33a22b.mp3","mime_type":"audio/mpeg","size_in_bytes":23929291,"duration_in_seconds":1708}]},{"id":"31eec1bb-c2c8-4bc2-b015-06a5cef722f3","title":"Episode 11: What AI Is, and What it Is Not with Willie Hicks","url":"https://techtransforms.fireside.fm/11","content_text":"AI capabilities range from providing on-the-ground safety for US soldiers, to removing the time delay of the Mars drone. But what misconceptions are there about Artificial Intelligence and Machine Learning? Join as Carolyn and Mark welcome Willie Hicks, Public Sector CTO at Dynatrace, on to debunk myths and confirm beliefs about the power of AI.\n\nEpisode Table of Contents\n\n[00:41] Willie Unpacks What AI Is\n[09:22] What AI Is in the Medical Field\n[16:44] When AI Starts to Become Practical\n[23:38] Staying in the Vein of What AI Is\n\nEpisode Links and Resources\n\nLinkedIn\nWebsite\n\nWillie Unpacks What AI Is\n\nCarolyn: Today, we get to talk to Willie Hicks, CTO of Dynatrace public sector, on the very hot topic of artificial intelligence. Willie is going to unpack what AI really is and isn't. Apparently, I will not be having an in home version of Star Trek's Data to do light chores anytime soon, spoiler alert. But we also get into the nuances of AI versus ML, how the government is developing and using AI.\n\nWillie is going to tackle the recent National Security Commission on Artificial Intelligence final reports. He's going to share his biggest takeaways from the 800-page report. That's going to save us from actually having to read anything. Finally, we're going to discuss how he has seen the industry and the government partner in AI, the wins, the losses, and how we can do better. I want to go straight to our topic of the day and just have you level set us on AI. 
Define what we're talking about here.\n\nWillie: When I think about and talk to people about AI, often I get the question, \"What is AI?\" We can talk about it from the strict definition of AI, if you wanted me to rattle off the Oxford English dictionary version of it. It is a theory in the development of computer systems that can perform tasks. These are normal tasks that humans would do, so it's artificial intelligence. But in reality, AI is more than that definition.\n\nA Task-Oriented Type of AI\n\nWillie: Most people have heard or directly experienced AI in one fashion or another, and they don't even realize it. Every time you call into Amazon or some company to chat about a product that didn't arrive, or you're calling to pay a bill, you'll get an automated chatbot or an automated service. A lot of times, it asks you to speak to it, in a natural language. It is processing that information and giving you back some type of feedback. That's a very task-oriented type AI that you're interacting with. We actually interact with AI all the time, and that's growing day in and day out. If you've got devices, smart speakers in your home, you're interacting with a type of AI. Or if you are using a lot of systems today on computers that are trying to keep you from gaming the system, like they're getting a lot more complex. The CAPTCHAs and things like that are getting more complex to try to understand when other bots are trying to get into the system. All of these types of systems are some types of AI. Now, we'll get into this later. There are different types of AI. There's what you were just talking about, Data. I would love to have Data in my house, or Jarvis. Not Skynet, but one of those AIs that has a more general purpose that doesn't exist. Those types of AI don't exist today, except in science fiction.\n\nCarolyn: At all?\n\nWillie: Not really, at least not that we know of. 
If they're in a secret lab somewhere, we don't know about it.\n\nHow People Misuse What AI Is\n\nMark: They probably do at Bill Gates' house. It seems like the use of the term AI is all over the place. Everybody uses it pretty ubiquitously, but it means so many different things based on the description that you just laid out. Literally, the spectrum is massive. But people use the term, it sounds like artificial intelligence to mean just about any of that.\n\nWillie: Also, they misuse terms a lot of times too. Some people say machine learning is AI. A lot of sci-fi and a lot of what we see on TV has driven what people think about AI. But there is really more of a practical side of AI. The funny thing is AI is becoming really more ubiquitous. AI is being embedded in systems. There are manufacturers' chips that are really being designed to leverage AI at the edge.\n\nThe smart speaker is one way, but a lot of times, you'll interact with devices in buildings. You might not even realize it, but in the backend, AI is processing and understanding what that user is doing. How to respond back to the user, how to feed data and capture that data for marketing purposes, all other sorts of things. AI is really ubiquitous, but people kind of misunderstand what it really is.\n\nMark: Let's break this down into a practical sense. How are you seeing artificial intelligence being used? Let's just use this example, how do you see it being used in military agencies across the DOD? Then I'll just tack onto that on top of it. What role do you see the industry playing in that mission?\n\nTwo Parts of What AI Is\n\nWillie: Two parts there. How do I see AI being used in the military?\n\nMark: Or DOD in general maybe.\n\nWillie: DOD in general. It's funny because I was thinking about this recently for another talk. Most people, when they think of the military, they think warfare, rightly so. The military is really more about peacekeeping, hopefully. We don't want to go to war. 
But a lot of times, we are thinking about it from a war platform standpoint. So again, going back to sci-fi like Skynet kind of thing.People have these fears that AI is going to take over military systems and all. But the military is actually using AI in a lot of different more practical applications. Things that you see in industry, business systems, data analytics, big data analytics. I'm not talking about just from a warfare standpoint, but the military is a massive organization.Mark: Logistical stuff, yes.Willie: Logistics. When you think about transport, you think about having to move thousands of people at a moment's notice, maybe overseas. You're transporting equipment, heavy equipment, and so forth. The maintenance of that equipment, all of these things take a lot of manpower to maintain. Or if you use AI, which the military is actually investing a lot of time and resources into figuring out how to better maintain their fleet, how to do predictive analytics on their fleet.When do I need to change, instead of constant rotation of maintenance, having more smart systems. Decision systems helping them say, \"You need to replace this part no based on X, Y and X.\" And systems are becoming more explainable for the military to understand. Okay, this is why I'm giving you this decision.What AI Is in the Medical FieldWillie: Also, you'll see this in things like the medical field, battlefield medicine, also non-battle field, conventional medicine for our veterans in the VA. AI is being implemented in these places in a lot of different ways. A lot of cool things that may not be here today, but things that I have seen and read about and talked to others about. This is more futuristic.But having drones that have AI built into them that could do dangerous tasks that you would have to use a person for in the past. Let's say you had a soldier in the field and you had to extract that soldier in the middle of combat. 
If you could send a drone out, or something that could actually go pull that soldier back without endangering another soldier.Mark: I went to a dinner recently and was listening to the CIO of the Navy talk about this question. He brought up the example, it made me think of it because you were talking about drones. He said the thing that popped out in his mind was to remember the videos of the drone on Mars that we saw. I don't know what the gap in communication is between Earth to Mars. But he said it was nine or 19 minutes, or something like that. He said that they're using artificial intelligence to extrapolate out that gap, so a drone doesn't crash into the planet.Carolyn: What does that mean, extrapolate out that gap?Leverage GPS MappingMark: Well, that was my interpretation, but to leverage GPS mapping and things like that. So if a drone is flying across the landscape to be able to see that there's objects coming. Or how to navigate terrain and things like that, or weather conditions and stuff like that.Willie: And NASA, granted, we're talking about military applications. There’s a second part to your question.Mark: The second part was how's the industry supporting that mission.Willie: Let me get right back to that because that is actually a very interesting point and something that's fascinating. I've got two young kids and we always love to watch the science things from NASA and videos from NASA. They watch over and over again, that Mars landing. I don't know if people recognize and appreciate the engineering and the science that went into doing something like that. There is a physical limitation of how fast we can send a signal between Earth and Mars. There's the speed of light and you can only send the signal so fast.If we were trying to remotely control that lander, but the time we sent, got the first signal back to the lander, it would've crashed into the planet. So to maneuver and land a probe like that, you have to do it automatically. 
Or it has to be AI-driven, it has to be a more computer-driven system. What's fascinating about that is that it was using multiple, different sensors. I don't know the exact number. But if you think about it, it has to be calculated from the moment of entry into the planet, its speed, its velocity, its position.The Best Thing About What AI IsWillie: It had to have cameras to see where it was going to land. This is the best thing too. Automatically, it could correct for itself in flight. It knew where it reached the point where it needed to deploy its heat shield, release it. Then, it lowers itself. It continues down until it gets to a point where it can start scanning the landscape. This is where AI really starts to come in because it has a map of where it wants to land, where humans want it to land. It can then start looking for, based on criteria, the best place for me to set it down.Mark: Would you consider what pilots, 25 years ago, were using autopilot to land a very rudimentary or an early-stage artificial intelligence?Willie: I don't even know if I would put it in the same vein as what the AI is doing today. In the early '80s, I used to have Simon, this little robot that you could program. It was cool. You could talk to it, you could program it. It would walk around, bring you a little drink or something. You couldn't call that AI, you programmed it to do something, but it was equivalent.Carolyn: So back to NASA, how much of the industry is part of that AI engine that's making all of this work?Willie: There is a lot of industry. First of all, I will say JPL. This is truly a partnership.What AI Is in Places Like the Defense Research AgencyWillie: What I've learned over the years, especially working with NASA, places like JPL, working with the Navy, a lot of this technology that we're utilizing today, it starts as military projects a lot of times, or NASA driven. These are massive programs to get off the ground, to research, takes a lot of money. 
In the early days when the industry didn't truly see a revenue stream out of that or a benefit, they're not investing that kind of money. But the government is going to invest in that, especially if it's around national security and other topics.So you'll see early on, AI being invested in by places like DARPA, the defense research agency. You'll see this in places like NASA and JPL. People also probably don't realize AI is not something that's new. People think about AI and they think about it in the last 10 years, five years, just because of how technology moves today. Things happen so quickly. Those advances, people are like, \"AI's only probably been around five or 10 years.\" No.Honestly, the rudimentary thoughts around AI go back to the 1800s, or 1830s. It was only probably until the 1950s that some practical applications could start being conceived. But having the technology to conceive some of these more practical applications, only in the last few years do we have the capability to really exploit AI. This has been a topic that's been around for a long time. Now the question around industry is that this gets started and gets funded and researched by education, by higher education, by some private sector, a lot by DARPA and JPL, and some of these government institutes.When AI Starts to Become PracticalWillie: Then what will happen is, like you see today, AI starts to become really practical. There starts to be a lot of applications where it could help cut costs in business. It could help save resources, X, Y, and Z, a lot of practical applications. Then industry gets involved, and they really start funding and putting money into research and into development. Now we've taken that catalyst, that's been started often by the government. And now the industry is taking over and really taking it to the next level.Then the interaction begins because now industry and government can really partner together. 
Government can help with a lot of the heavy research, and what they've done already. Industry can take what they've done and made practical applications. The industry's really good at taking and making practical applications, and making systems that can do very specific tasks. Those tasks and applications are usually things that the government needs.Carolyn: The industry, typically, we think that they can iterate a lot faster. Partially because industry's not iterating on a fighter jet. So a fighter jet, you're not going to do 50, to Tracy Bannon's point, our guest from Mitre a few weeks ago. There's a reason that you're not deploying code 50 times a day to a fighter jet. But in the industry, we're not working on those things, necessarily. Although, sometimes.Willie: Granted, you're not deploying to a fighter jet 50 times a day. But what the industry is doing is that with every iteration, with every advancement, we're making this process better. We are making it more stable. We're making these iterations not just faster, but each iteration becomes a little bit shorter, but also less error-prone.Adversaries Constantly Attacking From CyberspaceWillie: So over time, you will start to be able to, even in the military, because you see this today with sulfur factories and so forth. They're starting to embrace some of these ideas around agile development around being able to deploy faster. It's in our best interest. It becomes a national security consideration then because we have adversaries that are constantly attacking us from cyberspace. Constantly attacking us, not just from a military standpoint, but from our national infrastructure. And these aren't just state actors all the time. These are proxies that may be working for state actors.So we have to be able to move as fast as a lot of those actors as well. Over time, you might not be deploying to, and you have no need to deploy to a fighter that many times. 
But I've heard of cases where you do have newer, more modern technology, even in fighters. You hear about containerization and having modular code. There are some subsystems that I would imagine have that type of capability. So they can quickly deploy and upgrade a system if they need to based on the threat.Mark: You mentioned something in your answer right there that made me think of this. It made me think of machine learning. How do you delineate what people consider machine learning and artificial intelligence?Willie: People will equate AI and ML. The short answer is they're not the same thing at all. Anybody who thinks that AI and ML aren't the same thing, that's a common misconception.Carolyn: I thought that's how AI did its thing, through machine learning. Like it was another term to say it's what it was doing.Machine Learning as a Sub-discipline of AIWillie: Think of ML as a sub-discipline of AI. It's just one way you can do AI, as you might say. But ML is just a sub-discipline. It is not artificial intelligence itself. Think of AI as just much more of a general term or concept. That definition I gave earlier, it's just more generic high-level general term that talks about machines performing complex tasks. ML, machine learning is an aspect or a sub-discipline of AI. That's how you can conduct, machine learning is one way you can get to AI, as it were.So that's really the difference, and if you think about it, there is machine learning. Generally with machine learning, you use different types of algorithms, different types of methods in different circumstances. Machine learning is good at certain types of tasks. It might not be so good at tasks that need to be, let's say tasks that are on data sets that are constantly changing. That are changing really fast, really rapidly, and you need to be able to respond to quickly.Machine learning takes time. You know it takes a lot more time to learn the system, to learn the data sets. 
To also start to feed back good answers, good data from those data sets. Sometimes it takes interactions from humans to help augment what the machine learning algorithms are doing. So machine learning might be good for some applications, maybe not so good for others.Carolyn: Does machine learning eventually lead to AI or not necessarily?Willie: Yes, it would lead to more of a task-based type of AI. It would lead to a type of artificial intelligence. It’s a technique for getting to a type of artificial intelligence.Staying in the Vein of What AI IsCarolyn: Let's get to our tech talk questions.Mark: Willie, what do you think the next big leap in tech's going to be?Willie: If we can stay in the vein of AI, I don't know when it's going to happen, but there’s one big leap that I'm waiting for that I'm looking towards. This is getting more nerdy, but I was just reading about this lately, quantum computing. I think that there is investment in that now. That is a very technical discussion, I don't understand half of it, but let's just put it this way. If we are able to really take advantage of just quantum computing, think about quantum computing as using the most fundamental parts of our universe.Getting down past the atom, getting down to a very rudimentary part of the fabric of this universe. If you start looking at what are called quantum states, there is this idea that something can be in multiple positions. I could be in multiple places at one time. Sounds counterintuitive, but it can be in something called superposition.And so what my understanding is, you can have this idea of superposition. Basically, until you observe it, it doesn't make a decision on what it's going to be until it's observed. You can use this and there's a lot of math and science behind it that I don't even pretend to understand. But you can use that to","content_html":"

AI capabilities range from providing on-the-ground safety for US soldiers to removing the time delay of the Mars drone. But what misconceptions are there about Artificial Intelligence and Machine Learning? Join Carolyn and Mark as they welcome Willie Hicks, Public Sector CTO at Dynatrace, to debunk myths and confirm beliefs about the power of AI.

Episode Table of Contents

  • [00:41] Willie Unpacks What AI Is
  • [09:22] What AI Is in the Medical Field
  • [16:44] When AI Starts to Become Practical
  • [23:38] Staying in the Vein of What AI Is


Willie Unpacks What AI Is

Carolyn: Today, we get to talk to Willie Hicks, CTO of Dynatrace public sector, on the very hot topic of artificial intelligence. Willie is going to unpack what AI really is and isn't. Apparently, I will not be having an in-home version of Star Trek's Data to do light chores anytime soon, spoiler alert. But we also get into the nuances of AI versus ML, how the government is developing and using AI.

Willie is going to tackle the recent National Security Commission on Artificial Intelligence final reports. He's going to share his biggest takeaways from the 800-page report. That's going to save us from actually having to read anything. Finally, we're going to discuss how he has seen the industry and the government partner in AI, the wins, the losses, and how we can do better.

I want to go straight to our topic of the day and just have you level set us on AI. Define what we're talking about here.

Willie: When I think about and talk to people about AI, often I get the question, "What is AI?" We can talk about it from the strict definition of AI, if you wanted me to rattle off the Oxford English Dictionary version of it.

It is a theory in the development of computer systems that can perform tasks. These are normal tasks that humans would do, so it's artificial intelligence. But in reality, AI is more than that definition.

A Task-Oriented Type of AI

Willie: Most people have heard or directly experienced AI in one fashion or another, and they don't even realize it. Every time you call into Amazon or some company to chat about a product that didn't arrive, or you're calling to pay a bill, you'll get an automated chatbot or an automated service. A lot of times, it asks you to speak to it, in a natural language. It is processing that information and giving you back some type of feedback. That's a very task-oriented type AI that you're interacting with.

We actually interact with AI all the time, and that's growing day in and day out. If you've got devices, smart speakers in your home, you're interacting with a type of AI. Or if you are using a lot of systems today on computers that are trying to keep you from gaming the system, like they're getting a lot more complex. The CAPTCHAs and things like that are getting more complex to try to understand when other bots are trying to get into the system. All of these types of systems are some types of AI.

Now, we'll get into this later. There are different types of AI. There's what you were just talking about, Data. I would love to have Data in my house, or Jarvis. Not Skynet, but one of those AIs that has a more general purpose that doesn't exist. Those types of AI don't exist today, except in science fiction.

Carolyn: At all?

Willie: Not really, at least not that we know of. If they're in a secret lab somewhere, we don't know about it.

How People Misuse What AI Is

Mark: They probably do at Bill Gates' house. It seems like the use of the term AI is all over the place. Everybody uses it pretty ubiquitously, but it means so many different things based on the description that you just laid out. Literally, the spectrum is massive. But people use the term, it sounds like artificial intelligence to mean just about any of that.

Willie: Also, they misuse terms a lot of times too. Some people say machine learning is AI. A lot of sci-fi and a lot of what we see on TV has driven what people think about AI. But there is really more of a practical side of AI. The funny thing is AI is becoming really more ubiquitous. AI is being embedded in systems. There are manufacturers' chips that are really being designed to leverage AI at the edge.

The smart speaker is one way, but a lot of times, you'll interact with devices in buildings. You might not even realize it, but in the backend, AI is processing and understanding what that user is doing. How to respond back to the user, how to feed data and capture that data for marketing purposes, all other sorts of things. AI is really ubiquitous, but people kind of misunderstand what it really is.

Mark: Let's break this down into a practical sense. How are you seeing artificial intelligence being used? Let's just use this example, how do you see it being used in military agencies across the DOD? Then I'll just tack onto that on top of it. What role do you see the industry playing in that mission?

Two Parts of What AI Is

Willie: Two parts there. How do I see AI being used in the military?

Mark: Or DOD in general maybe.

Willie: DOD in general. It's funny because I was thinking about this recently for another talk. Most people, when they think of the military, they think warfare, rightly so. The military is really more about peacekeeping, hopefully. We don't want to go to war. But a lot of times, we are thinking about it from a war platform standpoint. So again, going back to sci-fi like Skynet kind of thing.

People have these fears that AI is going to take over military systems and all. But the military is actually using AI in a lot of different more practical applications. Things that you see in industry, business systems, data analytics, big data analytics. I'm not talking about just from a warfare standpoint, but the military is a massive organization.

Mark: Logistical stuff, yes.

Willie: Logistics. When you think about transport, you think about having to move thousands of people at a moment's notice, maybe overseas. You're transporting equipment, heavy equipment, and so forth. The maintenance of that equipment, all of these things take a lot of manpower to maintain. Or if you use AI, which the military is actually investing a lot of time and resources into figuring out how to better maintain their fleet, how to do predictive analytics on their fleet.

When do I need to change, instead of constant rotation of maintenance, having more smart systems. Decision systems helping them say, "You need to replace this part now based on X, Y and Z." And systems are becoming more explainable for the military to understand. Okay, this is why I'm giving you this decision.

What AI Is in the Medical Field

Willie: Also, you'll see this in things like the medical field, battlefield medicine, also non-battlefield, conventional medicine for our veterans in the VA. AI is being implemented in these places in a lot of different ways. A lot of cool things that may not be here today, but things that I have seen and read about and talked to others about. This is more futuristic.

But having drones that have AI built into them that could do dangerous tasks that you would have to use a person for in the past. Let's say you had a soldier in the field and you had to extract that soldier in the middle of combat. If you could send a drone out, or something that could actually go pull that soldier back without endangering another soldier.

Mark: I went to a dinner recently and was listening to the CIO of the Navy talk about this question. He brought up the example, it made me think of it because you were talking about drones. He said the thing that popped out in his mind was to remember the videos of the drone on Mars that we saw. I don't know what the gap in communication is between Earth to Mars. But he said it was nine or 19 minutes, or something like that. He said that they're using artificial intelligence to extrapolate out that gap, so a drone doesn't crash into the planet.

Carolyn: What does that mean, extrapolate out that gap?

Leverage GPS Mapping

Mark: Well, that was my interpretation, but to leverage GPS mapping and things like that. So if a drone is flying across the landscape to be able to see that there's objects coming. Or how to navigate terrain and things like that, or weather conditions and stuff like that.

Willie: And NASA, granted, we're talking about military applications. There’s a second part to your question.

Mark: The second part was how's the industry supporting that mission.

Willie: Let me get right back to that because that is actually a very interesting point and something that's fascinating. I've got two young kids and we always love to watch the science things from NASA and videos from NASA. They watch over and over again, that Mars landing. I don't know if people recognize and appreciate the engineering and the science that went into doing something like that. There is a physical limitation of how fast we can send a signal between Earth and Mars. There's the speed of light and you can only send the signal so fast.

If we were trying to remotely control that lander, but the time we sent, got the first signal back to the lander, it would've crashed into the planet. So to maneuver and land a probe like that, you have to do it automatically. Or it has to be AI-driven, it has to be a more computer-driven system. What's fascinating about that is that it was using multiple, different sensors. I don't know the exact number. But if you think about it, it has to be calculated from the moment of entry into the planet, its speed, its velocity, its position.

The Best Thing About What AI Is

Willie: It had to have cameras to see where it was going to land. This is the best thing too. Automatically, it could correct for itself in flight. It knew where it reached the point where it needed to deploy its heat shield, release it. Then, it lowers itself. It continues down until it gets to a point where it can start scanning the landscape. This is where AI really starts to come in because it has a map of where it wants to land, where humans want it to land. It can then start looking for, based on criteria, the best place for me to set it down.

Mark: Would you consider what pilots, 25 years ago, were using autopilot to land a very rudimentary or an early-stage artificial intelligence?

Willie: I don't even know if I would put it in the same vein as what the AI is doing today. In the early '80s, I used to have Simon, this little robot that you could program. It was cool. You could talk to it, you could program it. It would walk around, bring you a little drink or something. You couldn't call that AI, you programmed it to do something, but it was equivalent.

Carolyn: So back to NASA, how much of the industry is part of that AI engine that's making all of this work?

Willie: There is a lot of industry. First of all, I will say JPL. This is truly a partnership.

What AI Is in Places Like the Defense Research Agency

Willie: What I've learned over the years, especially working with NASA, places like JPL, working with the Navy, a lot of this technology that we're utilizing today, it starts as military projects a lot of times, or NASA driven. These are massive programs to get off the ground, to research, takes a lot of money. In the early days when the industry didn't truly see a revenue stream out of that or a benefit, they're not investing that kind of money. But the government is going to invest in that, especially if it's around national security and other topics.

So you'll see early on, AI being invested in by places like DARPA, the defense research agency. You'll see this in places like NASA and JPL. People also probably don't realize AI is not something that's new. People think about AI and they think about it in the last 10 years, five years, just because of how technology moves today. Things happen so quickly. Those advances, people are like, "AI's only probably been around five or 10 years." No.

Honestly, the rudimentary thoughts around AI go back to the 1800s, or 1830s. It was only probably until the 1950s that some practical applications could start being conceived. But having the technology to conceive some of these more practical applications, only in the last few years do we have the capability to really exploit AI. This has been a topic that's been around for a long time. Now the question around industry is that this gets started and gets funded and researched by education, by higher education, by some private sector, a lot by DARPA and JPL, and some of these government institutes.

When AI Starts to Become Practical

Willie: Then what will happen is, like you see today, AI starts to become really practical. There starts to be a lot of applications where it could help cut costs in business. It could help save resources, X, Y, and Z, a lot of practical applications. Then industry gets involved, and they really start funding and putting money into research and into development. Now we've taken that catalyst, that's been started often by the government. And now the industry is taking over and really taking it to the next level.

Then the interaction begins because now industry and government can really partner together. Government can help with a lot of the heavy research, and what they've done already. Industry can take what they've done and made practical applications. The industry's really good at taking and making practical applications, and making systems that can do very specific tasks. Those tasks and applications are usually things that the government needs.

Carolyn: The industry, typically, we think that they can iterate a lot faster. Partially because industry's not iterating on a fighter jet. So a fighter jet, you're not going to do 50, to Tracy Bannon's point, our guest from MITRE a few weeks ago. There's a reason that you're not deploying code 50 times a day to a fighter jet. But in the industry, we're not working on those things, necessarily. Although, sometimes.

Willie: Granted, you're not deploying to a fighter jet 50 times a day. But what the industry is doing is that with every iteration, with every advancement, we're making this process better. We are making it more stable. We're making these iterations not just faster, but each iteration becomes a little bit shorter, but also less error-prone.

Adversaries Constantly Attacking From Cyberspace

Willie: So over time, you will start to be able to, even in the military, because you see this today with software factories and so forth. They're starting to embrace some of these ideas around agile development around being able to deploy faster. It's in our best interest. It becomes a national security consideration then because we have adversaries that are constantly attacking us from cyberspace. Constantly attacking us, not just from a military standpoint, but from our national infrastructure. And these aren't just state actors all the time. These are proxies that may be working for state actors.

So we have to be able to move as fast as a lot of those actors as well. Over time, you might not be deploying to, and you have no need to deploy to a fighter that many times. But I've heard of cases where you do have newer, more modern technology, even in fighters. You hear about containerization and having modular code. There are some subsystems that I would imagine have that type of capability. So they can quickly deploy and upgrade a system if they need to based on the threat.

Mark: You mentioned something in your answer right there that made me think of this. It made me think of machine learning. How do you delineate what people consider machine learning and artificial intelligence?

Willie: People will equate AI and ML. The short answer is they're not the same thing at all. Anybody who thinks that AI and ML aren't the same thing, that's a common misconception.

Carolyn: I thought that's how AI did its thing, through machine learning. Like it was another term to say it's what it was doing.

Machine Learning as a Sub-discipline of AI

Willie: Think of ML as a sub-discipline of AI. It's just one way you can do AI, as you might say. But ML is just a sub-discipline. It is not artificial intelligence itself. Think of AI as just much more of a general term or concept. That definition I gave earlier, it's just more generic high-level general term that talks about machines performing complex tasks. ML, machine learning is an aspect or a sub-discipline of AI. That's how you can conduct, machine learning is one way you can get to AI, as it were.

So that's really the difference, and if you think about it, there is machine learning. Generally with machine learning, you use different types of algorithms, different types of methods in different circumstances. Machine learning is good at certain types of tasks. It might not be so good at tasks that need to be, let's say tasks that are on data sets that are constantly changing. That are changing really fast, really rapidly, and you need to be able to respond to quickly.

Machine learning takes time. You know it takes a lot more time to learn the system, to learn the data sets. To also start to feed back good answers, good data from those data sets. Sometimes it takes interactions from humans to help augment what the machine learning algorithms are doing. So machine learning might be good for some applications, maybe not so good for others.

Carolyn: Does machine learning eventually lead to AI or not necessarily?

Willie: Yes, it would lead to more of a task-based type of AI. It would lead to a type of artificial intelligence. It’s a technique for getting to a type of artificial intelligence.

Staying in the Vein of What AI Is

Carolyn: Let's get to our tech talk questions.

Mark: Willie, what do you think the next big leap in tech's going to be?

Willie: If we can stay in the vein of AI, I don't know when it's going to happen, but there’s one big leap that I'm waiting for that I'm looking towards. This is getting more nerdy, but I was just reading about this lately, quantum computing. I think that there is investment in that now. That is a very technical discussion, I don't understand half of it, but let's just put it this way. If we are able to really take advantage of just quantum computing, think about quantum computing as using the most fundamental parts of our universe.

Getting down past the atom, getting down to a very rudimentary part of the fabric of this universe. If you start looking at what are called quantum states, there is this idea that something can be in multiple positions. I could be in multiple places at one time. Sounds counterintuitive, but it can be in something called superposition.

And so what my understanding is, you can have this idea of superposition. Basically, until you observe it, it doesn't make a decision on what it's going to be until it's observed. You can use this and there's a lot of math and science behind it that I don't even pretend to understand. But you can use that to

","summary":null,"date_published":"2021-10-13T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/b849e588-1e9c-446d-90b0-abefbe723c8a.mp3","mime_type":"audio/mpeg","size_in_bytes":26699604,"duration_in_seconds":1906}]},{"id":"406e3e54-86dc-4da8-bb0f-ecc096c300e2","title":"Episode 10: A Culture Built on Moxie with Tracy Bannon","url":"https://techtransforms.fireside.fm/10","content_text":"Building a culture starts with communication and a willingness to change. Tracy Bannon Senior Principal / Software Architect & DevOps Strategic Advisor at MITRE and ambassador for the DevOps Institute talks with Carolyn and Mark about her recent event #StraightTalk4Gov hosted by the DevOps Institute. Listen as Tracy outlines ways to create a culture of comfortability in the government technology workspace. Episode Table of Contents[01:11] A Straight Talk Featuring a Culture Built on Moxie[06:34] Acquisition in Government Is a Culture Built on Moxie[13:34] A Collaboration Between the Industry and the Government[20:17] A Common Theme in a Culture Built on Moxie[28:14] Sisyphus MomentsEpisode Links and Resources - Culture Built on MoxieStraight Talk On DemandSkill Up DaysNicolas Chaillan PostControl Global ArticleA Straight Talk Featuring a Culture Built on MoxieCarolyn: Our guest today, Tracy, is a returning guest. She's senior principal, software architect, and DevOps strategic advisor at MITRE. Tracy Bannon is just an all-around badass. She’s an ambassador for the DevOps Institute. We had her a few weeks ago, we talked a little bit about a conference that was her brainchild. She facilitated it.Straight Talk, that's what we want to talk about today. Which, by the way, the conference is still on demand. You can rewatch these sessions that we're about to talk about. Tell us how it went overall, and what was some feedback that you've been getting from attendees?Tracy: Overall, it went very well. 
We didn't expect the spike in folks who registered for it. Even during special sessions, when folks saw the different sessions happening. We're getting real-time registrations happening and people joining. There's such a thirst for going beyond the technology. That's what this was all about, taking a step past the technology. Overall, it went very well.The feedback that we're getting has been, I want more, can I meet with X, Y, Z, I want to talk to Brian directly. So, folks who have done the different sessions, where they want to talk to Don, they want to meet up. They want to keep going, which is exactly what we wanted to have happened. We wanted to start those organic connections with people.Mark: What made Straight Talk for government different than other events that you've participated in?A Shiny Quarter Organization with A Culture Built on MoxieTracy: Let me track it back to why I was so passionate to get this going in the first place. Every time I deal with a government sponsor, with the government client, they'll often say, I need to do some DevOps. I need to be like this group over here. It's almost always, exclusively, pointing at something in the commercial area that's a shiny quarter organization, I want to be like Netflix. Well, do you really need to be like Netflix? What's important about that? But there's also a focus on the technical pieces of it.I can go and get an excellent Udemy course, I can go to Cloud Guru. And I can get really awesome technical advice on how to accomplish the building of the pipeline. But what's missing is the front matter, the architecture, the engineering, the people, the process, and culture. Because I always say, people, process, tech, culture. The underpinnings of this was to pivot away from the technical pieces. Start to build out of a community that is really focused on opening the doors with the government and with industry and with academia.We've got to make sure that everybody is on a level set. 
What are the real problems, what are the challenges? How is it similar? How's the government similar to industry? How is it different? Because in understanding the differences and in opening the door up and letting industry know, letting academia know, they're going to help us solve those problems that much more. We're going to build this cohesive set of examples. Real examples, that have to do with the government, instead of, I want to be just like Netflix. I want to be like Carnival Cruise, I want to be like whoever.Trying To Change the Dialogue Around Culture Built on MoxieTracy: Fantastic stories that they have isolated but I'm not, necessarily, in the government space, deploying 50 times a day to a jet, for example. Because on the defense side, there's a lot of interesting things that have to happen before I can just hit that deploy button. So, that was really the kickoff moment for this or the catalyst. It’s trying to change the dialogue and really having talked to so many people in my network, talking to my sponsors, my clients on a day-to-day basis. It has just become so obvious, especially the last two years, that there's a need to bring real examples forward.Mark: Listening to some of the discussions that were said, did you find that you were hearing pressure points that come up time and time again? I guess this goes to the culture aspect that you were wanting to address.Tracy: What was interesting was, because it was a remote conference and that was intentional, a virtual conference. I would say, about 75% of the sessions were recorded within a couple of days ahead of time, to make sure that we didn't have too many glitches. There's a really excellent crew that the DevOps Institute had put together that was helping us. They were leading through these.A young woman came to me outside all of these recordings and said, I'm not a technical person and I don't work at the government. She said the theme of culture is everywhere. 
This was somebody independent, totally outside this domain, not a techie, who heard that loud and clear, in talking to each one or in listening to each one of the sessions. Not everybody was there to talk about culture.Acquisition in Government Is a Culture Built on MoxieTracy: We talked about leadership styles, we talked about acquisition, we did talk about tech. We talked about metrics, we talked about all kinds of different things but the common thread was muscle memory hurts. It's so strong and changing muscle memory takes a lot of effort. A lot of energy and a couple of change agents thrown in the mix to make that happen.Mark:  Acquisition in government is a culture.Tracy: It has its own. We actually did a training session, a 101 on acquisitions, so that people understood. So many small businesses or so many startups, they have fantastic, amazing ideas, they should be helping the government. They also need to understand that, the way allocations are happening, the money that we're spending on tech right now was approved two years ago. The money that's getting approved right now for the government, will be spent in two years.People need to understand those kinds of crazy things that you never think about. You just go to think, I've got a really great idea, this is going to help the war fight or this is going to help the taxpayer, this is going to help the CDC. Well, yes. And we have to figure out how we make that happen credibly and quickly but within those budget cycles or change the policy. Or change how acquisitions happen. There's some good things happening in that way.Carolyn: Changing acquisition processes?Tracy: There's something called the adaptive acquisition pathway. It's created about two to three years ago, at least. 
It's all about changing it from being these waterfall approaches where you've got tens, maybe thousands of requirements, all set down.How Can I Buy Features Instead of Systems to Have a Culture Built on Moxie?Tracy: Forecasting what you need for three or four years, breaking it down so that you can do things in a more lower case agile, a more nimble fashion. So, how can I buy features instead of systems? How do I no longer buy a project but I buy a capability that inserts into my program? It is a different way of thinking, it really is.Carolyn: Is it fair to say that, the acquisition processes, in general, really were developed 200 years ago? A lot of them don't serve us anymore. Some of them still good or am I simplifying it too much?Tracy: It is so complex that I have folks that I turn to that keep me walking straight and narrow. I am not an acquisition specialist. It's like living in a house with your parents who are techies, so you just know the language. Or your parents are doctors, a nurse and you know the language. I'm around it, I'm associated to it. I've put together RFPs and responded to the acquisitions. The intentionality of it has always been to make sure that there's fairness.That all of the acquisition, all of the scaffolding around it, comes down to mandating or legislating or policying. To force people to behave well, to force people to not collude, to force there to be equality. It's like many things that we do. We start out with a good idea that we should probably narrow this down and make it an even playing field. Then we have to add on to it because people come up with interesting and new ideas and ways to skirt things. There's some goodness there, there definitely is goodness there.Getting People’s AttentionTracy: Especially when we think about some of the laws that we should have and do have about foreign trade. I can't automatically allow a foreign country to provide technology to the federal government. 
That would not necessarily be in our best interest. Interesting article that came out today. It’s talking about an assessment that was done of our power grid and the number of foreign components, Chinese components and specific, that are part of our core power grid. Well, goodness, imagine it, our tech. What pieces of technology are coming from foreign folks?Mark: That's great to get people's attention. It already has.Carolyn: I love what you said, coming from industry, if you don't know government well, it's easy to have this knee-jerk reaction of, acquisitions process is just stupid. They don't deploy 50 deployments of code a day. You're like, there's a reason we don't deploy 50 deployments of new code to a fighter jet a day. That's the idea of bringing industry and government together so we can understand the different cultures. It's not all bad, what you just said, there's some goodness in there, let's keep the goodness.Tracy: Absolutely. This is not a negative, government is bad, industry is bad, it's actually the opposite. The opportunities are endless for us to work together. Now, industry has been working with the government. This isn't as though it's brand new but the upstarts, the number of folks that are coming out of universities, the number of folks who are working in one field and have an amazing, bright idea, it's not all about the big firms. In some areas of government, not all of it, it's been the big players for a long time.A Culture Built on Moxie Have Better ResultsTracy: The big players, whether they're big system integrators or whether they're some of the big defense contractors, they have entire departments that are specialists in acquisition law. They have entire departments that understand how to engage in protocols. That's a lot different. So, if we can open the door, providing that aperture for smaller, private startups, academics, whoever, to get in the mix with this, we're going to have better results. 
Now, that also means that we have to really pay attention to security and cyber risk. Making sure that we're very laser focused on understanding lineage of software. In one conversation that we had was about something called SBOM, software bill of materials. People are probably aware of some of the things that happened this spring, with there being bugs or back doors, to the SolarWinds. Well, I think about open-source and how beautiful and wonderful open-source can be. I also need to know who's contributing to that open-source.Even though my best friend is living in a foreign country and what they intend to do with that piece of code provide goodness, we, as the United States, as a government, especially if we're talking about securing the sovereignty of a nation, have to double-check, why was that code change made? What's the lineage of that? So, there's a lot of goodness because we shouldn't be throwing out open-source, we should be embracing it. But with making sure that we're dotting our I's and crossing our T's, that's all.A Collaboration Between the Industry and the GovernmentCarolyn: You said, this collaboration between industry and government is not new. What did you do at Straight Talk that would be good to carry over? Or what lessons might other conferences take from Straight Talk, to facilitate this open collaboration even more?Tracy: I'm hopeful that we're able to take forward the asynchronous conversations, whether it's a Slack channel, whether it's Mattermost. Being able to not send emails back and forth, not necessarily always have to pick up the phone. But be able to have that async community conversation, where we're tagging things and we're going back and forth. We're jumping in and weighing on each other's conversation. That has started and that's something that I would like to definitely see move forward.Join in the conversation, it's transparent and open and that's a goodness for all of us. 
The second part will be listening to the different voices. I sought out voices that hadn't necessarily been heard but I knew their messages, I had heard their message but I hadn't heard it broadly yet. So, some of the content was from folks who had not yet been on quite as broad as stage but need to be. There's some advocacy that I'd like to see. The people who are putting together the different sessions, they're putting together these different conferences. They’re trying to shine the spotlight in a number of different places.Mark: If you could summarize two takeaways from the event, what would you say?Carolyn: A couple of things that jump out.Mark: Or 10.It’s Not About Having a Culture Built on MoxieTracy: We've said the word culture, we've sprinkled the word culture. One of the things that needs to jump out is, it's not about culture change. Because if you say to me, Bannon, Trace, you need to change your culture. First thing I do is, my head starts to bob and I get a little bit of an attitude. Like, excuse me, I need to change my culture. But if you say to me, Trace, let's get together and let's figure out how we, together, need to move forward.What we're talking about is culture building and it's a joint thing that we're brought into. That's probably one of the biggest takeaways of all of this. It's not about changing culture, it's about building a world together. It is about building a professional culture together. That is the number one thing that came out of all of this. The second thing is, it's okay to debunk myths, urban legends, tech legends, DevOps legends. It's okay to look at those things and say, maybe not.What I'm bringing up there is a friend of mine, Brian Finster. He was working with a global retail corporation. Then he's looking for a bigger challenge, something even more complex and has started to work with the Air Force. He and I have a gnash and talk, at least once a week, about things that need to change. 
Where he's really landed on is the weaponizing of metrics, the weaponizing of how you measure. People talk about DevOps. They're like, I need your burn down, I need to know your velocity. Are those really the right metrics, are those really the things that we need to be focused on?Applying the DORA MetricsTracy: They'll look at some of the wonderful industry published publications, like the Phoenix Project, Accelerate. They will look at the door of publications and they'll say, we need to apply the DORA metrics. What Brian took away or should I say, what Brian brought to the table was that, we need to question this. So, the second big takeaway is, don't be afraid to question because it's good to question. It's good to have that diversity in the conversation, diverse thoughts to get a better answer.Mark: Speaking of the Air Force, one of the sessions that you had at your event was by major Austen Bryan, from Platform One. The subject of the session was, it's not about the tools. Can you explain a little bit more about what that was all about?Tracy: Austen is the chief operating officer and he's been there since the beginning of it. Now, they have over 250 people, acquisition and engineering teams, all responsible for delivering Platform One and the services that they're providing. In his role, he's delivering to all four military branches, so Platform One is Air Force but it's Air Force at the end.Manpower and People Power in a Culture Built on MoxieTracy: He was really passionate and he was one of the first people who said, I really want to be a part of Straight Talk. He want to talk about manpower or people power, whatever we'd like to call it, whatever is appropriate there. Hiring not being the biggest problem but how do we retain? How do we retain talent, if there's not a career path? In the Air Force, you may rotate. I may have six months working on something that I love and it's amazing. 
This is where I want to go with my career, from a technology perspective and then, I'm rotated because that's what happens.He was really passionate about talking about career paths, to help with the retention, developing, moving people from being entry-level developers. Helping them with a career path that gets us to those mid-level and senior-level architects and engineers because the demand is high. The experienced higher numbers are not as high as what we want them to be. Second thing that he talked about was acquisitions, he was all over acquisitions.Now, we didn't talk about the colors of money because that would be really huge but modular contracting mechanisms. Doing active market research to understand different approaches to acquisition and being more dynamic about it, not having a four year run-up to it. How do you get the smaller tranches, smaller acquisitions, and multiple smaller acquisitions? The third thing just blew me away. This really lines up with some of the things that we've been seeing. LinkedIn posts, the chief software officer, has put in his resignation.A Common Theme in a Culture Built on MoxieTracy: What’s really a common theme across what Austen was talking about as his third point and on Nick's resignation is, leadership style. What changes when you're building software? Command and control type leadership is absolutely core. It’s central to the military but a lot of times when we're building the software, it's not the same life or death situation. It will be used by warfighters in a life or death situation. However, that's not the same style that you need to use as a leader, it's much more flattened.There's a lot more autonomy given for decisions, decisions to be made at a more junior...","content_html":"

Building a culture starts with communication and a willingness to change. Tracy Bannon, Senior Principal / Software Architect & DevOps Strategic Advisor at MITRE and ambassador for the DevOps Institute, talks with Carolyn and Mark about her recent event #StraightTalk4Gov, hosted by the DevOps Institute. Listen as Tracy outlines ways to create a culture of comfortability in the government technology workspace.

Episode Table of Contents

  • [01:11] A Straight Talk Featuring a Culture Built on Moxie
  • [06:34] Acquisition in Government Is a Culture Built on Moxie
  • [13:34] A Collaboration Between the Industry and the Government
  • [20:17] A Common Theme in a Culture Built on Moxie
  • [28:14] Sisyphus Moments

Episode Links and Resources - Culture Built on Moxie


A Straight Talk Featuring a Culture Built on Moxie

Carolyn: Our guest today, Tracy, is a returning guest. She's senior principal, software architect, and DevOps strategic advisor at MITRE. Tracy Bannon is just an all-around badass. She’s an ambassador for the DevOps Institute. We had her a few weeks ago, we talked a little bit about a conference that was her brainchild. She facilitated it.

Straight Talk, that's what we want to talk about today. Which, by the way, the conference is still on demand. You can rewatch these sessions that we're about to talk about. Tell us how it went overall, and what was some feedback that you've been getting from attendees?

Tracy: Overall, it went very well. We didn't expect the spike in folks who registered for it. Even during special sessions, when folks saw the different sessions happening. We're getting real-time registrations happening and people joining. There's such a thirst for going beyond the technology. That's what this was all about, taking a step past the technology. Overall, it went very well.

The feedback that we're getting has been, I want more, can I meet with X, Y, Z, I want to talk to Brian directly. So, folks who have done the different sessions, where they want to talk to Don, they want to meet up. They want to keep going, which is exactly what we wanted to have happened. We wanted to start those organic connections with people.

Mark: What made Straight Talk for government different than other events that you've participated in?

A Shiny Quarter Organization with A Culture Built on Moxie

Tracy: Let me track it back to why I was so passionate to get this going in the first place. Every time I deal with a government sponsor, with the government client, they'll often say, I need to do some DevOps. I need to be like this group over here. It's almost always, exclusively, pointing at something in the commercial area that's a shiny quarter organization, I want to be like Netflix. Well, do you really need to be like Netflix? What's important about that? But there's also a focus on the technical pieces of it.

I can go and get an excellent Udemy course, I can go to Cloud Guru. And I can get really awesome technical advice on how to accomplish the building of the pipeline. But what's missing is the front matter, the architecture, the engineering, the people, the process, and culture. Because I always say, people, process, tech, culture. The underpinnings of this was to pivot away from the technical pieces. Start to build out of a community that is really focused on opening the doors with the government and with industry and with academia.

We've got to make sure that everybody is on a level set. What are the real problems, what are the challenges? How is it similar? How's the government similar to industry? How is it different? Because in understanding the differences and in opening the door up and letting industry know, letting academia know, they're going to help us solve those problems that much more. We're going to build this cohesive set of examples. Real examples, that have to do with the government, instead of, I want to be just like Netflix. I want to be like Carnival Cruise, I want to be like whoever.

Trying To Change the Dialogue Around Culture Built on Moxie

Tracy: Fantastic stories that they have isolated but I'm not, necessarily, in the government space, deploying 50 times a day to a jet, for example. Because on the defense side, there's a lot of interesting things that have to happen before I can just hit that deploy button. So, that was really the kickoff moment for this or the catalyst. It’s trying to change the dialogue and really having talked to so many people in my network, talking to my sponsors, my clients on a day-to-day basis. It has just become so obvious, especially the last two years, that there's a need to bring real examples forward.

Mark: Listening to some of the discussions that were said, did you find that you were hearing pressure points that come up time and time again? I guess this goes to the culture aspect that you were wanting to address.

Tracy: What was interesting was, because it was a remote conference and that was intentional, a virtual conference. I would say, about 75% of the sessions were recorded within a couple of days ahead of time, to make sure that we didn't have too many glitches. There's a really excellent crew that the DevOps Institute had put together that was helping us. They were leading through these.

A young woman came to me outside all of these recordings and said, I'm not a technical person and I don't work at the government. She said the theme of culture is everywhere. This was somebody independent, totally outside this domain, not a techie, who heard that loud and clear, in talking to each one or in listening to each one of the sessions. Not everybody was there to talk about culture.

Acquisition in Government Is a Culture Built on Moxie

Tracy: We talked about leadership styles, we talked about acquisition, we did talk about tech. We talked about metrics, we talked about all kinds of different things but the common thread was muscle memory hurts. It's so strong and changing muscle memory takes a lot of effort. A lot of energy and a couple of change agents thrown in the mix to make that happen.

Mark: Acquisition in government is a culture.

Tracy: It has its own. We actually did a training session, a 101 on acquisitions, so that people understood. So many small businesses or so many startups, they have fantastic, amazing ideas, they should be helping the government. They also need to understand that, the way allocations are happening, the money that we're spending on tech right now was approved two years ago. The money that's getting approved right now for the government, will be spent in two years.

People need to understand those kinds of crazy things that you never think about. You just go to think, I've got a really great idea, this is going to help the war fight or this is going to help the taxpayer, this is going to help the CDC. Well, yes. And we have to figure out how we make that happen credibly and quickly but within those budget cycles or change the policy. Or change how acquisitions happen. There's some good things happening in that way.

Carolyn: Changing acquisition processes?

Tracy: There's something called the adaptive acquisition pathway. It's created about two to three years ago, at least. It's all about changing it from being these waterfall approaches where you've got tens, maybe thousands of requirements, all set down.

How Can I Buy Features Instead of Systems to Have a Culture Built on Moxie?

Tracy: Forecasting what you need for three or four years, breaking it down so that you can do things in a more lower case agile, a more nimble fashion. So, how can I buy features instead of systems? How do I no longer buy a project but I buy a capability that inserts into my program? It is a different way of thinking, it really is.

Carolyn: Is it fair to say that, the acquisition processes, in general, really were developed 200 years ago? A lot of them don't serve us anymore. Some of them still good or am I simplifying it too much?

Tracy: It is so complex that I have folks that I turn to that keep me walking straight and narrow. I am not an acquisition specialist. It's like living in a house with your parents who are techies, so you just know the language. Or your parents are doctors, a nurse and you know the language. I'm around it, I'm associated to it. I've put together RFPs and responded to the acquisitions. The intentionality of it has always been to make sure that there's fairness.

That all of the acquisition, all of the scaffolding around it, comes down to mandating or legislating or policying. To force people to behave well, to force people to not collude, to force there to be equality. It's like many things that we do. We start out with a good idea that we should probably narrow this down and make it an even playing field. Then we have to add on to it because people come up with interesting and new ideas and ways to skirt things. There's some goodness there, there definitely is goodness there.

Getting People’s Attention

Tracy: Especially when we think about some of the laws that we should have and do have about foreign trade. I can't automatically allow a foreign country to provide technology to the federal government. That would not necessarily be in our best interest. Interesting article that came out today. It’s talking about an assessment that was done of our power grid and the number of foreign components, Chinese components in specific, that are part of our core power grid. Well, goodness, imagine it, our tech. What pieces of technology are coming from foreign folks?

Mark: That's great to get people's attention. It already has.

Carolyn: I love what you said, coming from industry, if you don't know government well, it's easy to have this knee-jerk reaction of, acquisitions process is just stupid. They don't deploy 50 deployments of code a day. You're like, there's a reason we don't deploy 50 deployments of new code to a fighter jet a day. That's the idea of bringing industry and government together so we can understand the different cultures. It's not all bad, what you just said, there's some goodness in there, let's keep the goodness.

Tracy: Absolutely. This is not a negative, government is bad, industry is bad, it's actually the opposite. The opportunities are endless for us to work together. Now, industry has been working with the government. This isn't as though it's brand new but the upstarts, the number of folks that are coming out of universities, the number of folks who are working in one field and have an amazing, bright idea, it's not all about the big firms. In some areas of government, not all of it, it's been the big players for a long time.

A Culture Built on Moxie Have Better Results

Tracy: The big players, whether they're big system integrators or whether they're some of the big defense contractors, they have entire departments that are specialists in acquisition law. They have entire departments that understand how to engage in protocols. That's a lot different.

So, if we can open the door, providing that aperture for smaller, private startups, academics, whoever, to get in the mix with this, we're going to have better results. Now, that also means that we have to really pay attention to security and cyber risk. Making sure that we're very laser focused on understanding lineage of software.

One conversation that we had was about something called SBOM, software bill of materials. People are probably aware of some of the things that happened this spring, with there being bugs or back doors, to the SolarWinds. Well, I think about open-source and how beautiful and wonderful open-source can be. I also need to know who's contributing to that open-source.

Even though my best friend is living in a foreign country and what they intend to do with that piece of code provide goodness, we, as the United States, as a government, especially if we're talking about securing the sovereignty of a nation, have to double-check, why was that code change made? What's the lineage of that? So, there's a lot of goodness because we shouldn't be throwing out open-source, we should be embracing it. But with making sure that we're dotting our I's and crossing our T's, that's all.

A Collaboration Between the Industry and the Government

Carolyn: You said, this collaboration between industry and government is not new. What did you do at Straight Talk that would be good to carry over? Or what lessons might other conferences take from Straight Talk, to facilitate this open collaboration even more?

Tracy: I'm hopeful that we're able to take forward the asynchronous conversations, whether it's a Slack channel, whether it's Mattermost. Being able to not send emails back and forth, not necessarily always have to pick up the phone. But be able to have that async community conversation, where we're tagging things and we're going back and forth. We're jumping in and weighing on each other's conversation. That has started and that's something that I would like to definitely see move forward.

Join in the conversation, it's transparent and open and that's a goodness for all of us. The second part will be listening to the different voices. I sought out voices that hadn't necessarily been heard but I knew their messages, I had heard their message but I hadn't heard it broadly yet. So, some of the content was from folks who had not yet been on quite as broad a stage but need to be. There's some advocacy that I'd like to see. The people who are putting together the different sessions, they're putting together these different conferences. They’re trying to shine the spotlight in a number of different places.

Mark: If you could summarize two takeaways from the event, what would you say?

Carolyn: A couple of things that jump out.

Mark: Or 10.

It’s Not About Having a Culture Built on Moxie

Tracy: We've said the word culture, we've sprinkled the word culture. One of the things that needs to jump out is, it's not about culture change. Because if you say to me, Bannon, Trace, you need to change your culture. First thing I do is, my head starts to bob and I get a little bit of an attitude. Like, excuse me, I need to change my culture. But if you say to me, Trace, let's get together and let's figure out how we, together, need to move forward.

What we're talking about is culture building and it's a joint thing that we're brought into. That's probably one of the biggest takeaways of all of this. It's not about changing culture, it's about building a world together. It is about building a professional culture together. That is the number one thing that came out of all of this. The second thing is, it's okay to debunk myths, urban legends, tech legends, DevOps legends. It's okay to look at those things and say, maybe not.

What I'm bringing up there is a friend of mine, Brian Finster. He was working with a global retail corporation. Then he's looking for a bigger challenge, something even more complex and has started to work with the Air Force. He and I have a gnash and talk, at least once a week, about things that need to change. Where he's really landed on is the weaponizing of metrics, the weaponizing of how you measure. People talk about DevOps. They're like, I need your burn down, I need to know your velocity. Are those really the right metrics, are those really the things that we need to be focused on?

Applying the DORA Metrics

Tracy: They'll look at some of the wonderful industry published publications, like the Phoenix Project, Accelerate. They will look at the DORA publications and they'll say, we need to apply the DORA metrics. What Brian took away or should I say, what Brian brought to the table was that, we need to question this. So, the second big takeaway is, don't be afraid to question because it's good to question. It's good to have that diversity in the conversation, diverse thoughts to get a better answer.

Mark: Speaking of the Air Force, one of the sessions that you had at your event was by Major Austen Bryan, from Platform One. The subject of the session was, it's not about the tools. Can you explain a little bit more about what that was all about?

Tracy: Austen is the chief operating officer and he's been there since the beginning of it. Now, they have over 250 people, acquisition and engineering teams, all responsible for delivering Platform One and the services that they're providing. In his role, he's delivering to all four military branches, so Platform One is Air Force but it's Air Force at the end.

Manpower and People Power in a Culture Built on Moxie

Tracy: He was really passionate and he was one of the first people who said, I really want to be a part of Straight Talk. He wanted to talk about manpower or people power, whatever we'd like to call it, whatever is appropriate there. Hiring not being the biggest problem but how do we retain? How do we retain talent, if there's not a career path? In the Air Force, you may rotate. I may have six months working on something that I love and it's amazing. This is where I want to go with my career, from a technology perspective and then, I'm rotated because that's what happens.

He was really passionate about talking about career paths, to help with the retention, developing, moving people from being entry-level developers. Helping them with a career path that gets us to those mid-level and senior-level architects and engineers because the demand is high. The experienced hire numbers are not as high as what we want them to be. Second thing that he talked about was acquisitions, he was all over acquisitions.

Now, we didn't talk about the colors of money because that would be really huge but modular contracting mechanisms. Doing active market research to understand different approaches to acquisition and being more dynamic about it, not having a four year run-up to it. How do you get the smaller tranches, smaller acquisitions, and multiple smaller acquisitions? The third thing just blew me away. This really lines up with some of the things that we've been seeing. LinkedIn posts, the chief software officer, has put in his resignation.

A Common Theme in a Culture Built on Moxie

Tracy: What’s really a common theme across what Austen was talking about as his third point and on Nick's resignation is, leadership style. What changes when you're building software? Command and control type leadership is absolutely core. It’s central to the military but a lot of times when we're building the software, it's not the same life or death situation. It will be used by warfighters in a life or death situation. However, that's not the same style that you need to use as a leader, it's much more flattened.

There's a lot more autonomy given for decisions, decisions to be made at a more junior...

","summary":null,"date_published":"2021-10-06T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/c42f85b3-d4dc-455f-a845-b95005cd4e08.mp3","mime_type":"audio/mpeg","size_in_bytes":25414295,"duration_in_seconds":1814}]},{"id":"97ebc36d-a7d0-410a-9ba1-cd6b5123d5ca","title":"Episode 9: Autonomy of the Moon, with Mary Hagy","url":"https://techtransforms.fireside.fm/9","content_text":"Mary Hagy went from serving in the U.S. Army, to showing our future generations that the sky is not the limit. Carolyn is joined by guest host Eric Monterastelli to learn about Moon Mark's mission and have imagination personified in Mary Hagy. Episode Table of Contents[00:45] I Want to Be Mary Hagy[08:37] Where Humans Have Never Been[17:55] One of the Things Mary Hagy Is Proudest Of[28:11] The Leap That Mary Hagy Hopes ForEpisode Links and ResourcesMoon Mark SpaceRacing On the MoonLinkedInI Want to Be Mary HagyCarolyn: I have Eric Monterastelli as my co-host. Thanks for being here. You actually introduced me to today's guest, Mary Hagy. I listened to your podcast. You interviewed her on Break/Fix. Honestly, I'm telling you right now, I want to be Mary Hagy. She's cool. Like she has one of the coolest jobs ever.Mary Hagy is a veteran of the U.S. Army. She is a creative entrepreneur, storyteller, and civic enthusiast. She conceives, capitalizes, and executes profitable projects that have inspirational, entertainment, and educational impact across broad audiences. Her current project is Moon Mark.What we're here to talk about today will capture global audiences. With the stories of six teams of high school explorers who compete to become the final two that will design, build, land, and race to autonomous vehicles on the moon. Let me just repeat that.She's got a project that has six teams of high school kids who are going to compete. 
To become two teams of finalists that will design, build, land, and race two autonomous vehicles on the moon. They'll communicate peer-to-peer with young people who will become explorers in space and on earth. And open a talent pipeline for the workforce of the future. Welcome, Mary Hagy, CEO of Moon Mark.Mary: Thanks so much, Carolyn. I really appreciate that introduction.Carolyn: Let's start with, what is Moon Mark? Can you give us an overview?Mary: What you just described is very much a capsulation, if that's a word of what we're doing. When you think about Moon Mark, the idea really came from the notion that humans right now are on the precipice of commercialization of space.The DNA of Moon MarkMary: Yes, governments will be involved. They have been involved for 60 years. But also, the way that the opportunity for really getting to whether it's the moon or an asteroid or Mars or Pluto or whatever, we're on that precipice. It's the commercial industries that are going to get us there.We came up with Moon Mark and the DNA of Moon Mark remains that of the high school kids that happen to be that age. Human beings that happen to be that age, wherever they are on the face of the earth, they’re going to accept stewardship of space exploration.There are aspects to space exploration that are, I'm going to call them mistakes and paradigms. The space industry has really been all about the agencies of countries. Whether it's NASA, the Canadian Space Industry, the European Space Industry, whatever agency it is.What has occurred is that young people, there's no real access for them to be able to understand that they can be a part of this. Until now, it's been very much about, \"If you want to go to space, you have to be an astronaut. And if you have to be an astronaut, you have to go through this excruciating process with very high attrition and likely you won't make it,\" and all of that stuff. That's just not true anymore, that's the good news. It's not true. 
With Moon Mark, at our DNA level, we are creating experiences and opportunities for young people. For them to understand that the game has changed, that they can have access to space exploration. It doesn't have to be one astronaut out of 30,000 applicants.Exploration in GeneralMary: There are all kinds of ways to reach their potential if they're interested in space exploration, or exploration in general. That's kind of what we're really all about. It's about accessibility, it's about opportunity, it's about exploration. It is about a little bit of competition.Carolyn: I used to teach middle school. I taught 13 year olds and that age and the high school age, they still believe that anything is possible. They still have that sense of wonder and awe for the most part on a daily basis. What you're doing right now is fostering that. I love that you're doing this for these kids.Mary: I really appreciate that, Carolyn. Moon Mark has been quite a story in the making itself. We've had a lot of spirited discussions, mostly with people in the space industry. Mary, why are you targeting high school students?How do you think they're going to be able to do what's really needed to put vehicles on the moon? Race them from afar and all of the other stuff that's about Moon Mark. The reason why we decided that the high school age demographic was the right one for us is because they do still have that sense of awe.Carolyn: Tainted, jaded.Mary: The high school kids will absolutely look at this and they'll turn their thinking caps on. Once a student reaches a certain age, she or he becomes skeptical, because that's what human beings do. What we want to do is offer opportunities for those that are right on the edge of being skeptical, but they're not. They still have the ability to dream big and achieve big.Mary Hagy and the Home on the MoonMary: That is the demographic that we know is the steward of commercialization of space. 
One of the things that I want to share with you this morning is a new program that we have called home on the moon. It's going to be a challenge for kids across the world, that age group, and also middle school. You know, we're all about that too. We're working with the Aldrin Family Foundation and their curriculum and their experiences and stuff like that.Carolyn: Is it a US-based program only? Or is it worldwide?Mary: It absolutely is global. Here are the reasons why. When we crafted Moon Mark, came up with the idea and started to really flush it out. One of the tenants, one of the values that we hold dearest is that no one owns the moon. Every human has experienced the moon in their own way, in their own life. We use the moon as a unifying element. A unifying force for people in all cultures, in all locations, because they can see the moon, it's their moon.Carolyn: I got chills when you said that. It made me think of John Lennon's Imagine song, just where we stop trying to own stuff. You're right, no one owns the moon. I love that.Mary: It really has given me a lot of inspiration when I think about how we have already. And we're going to reach young people across the world and to do it in a way that is meaningful for them. At the same time, it really challenges them and helps them understand what they can do personally to affect the future.Where Humans Have Never BeenMary: Humans have never been to this place. We've never been at the place where we're really going to go and explore space. I don't mean in any way to detract from the achievements of the people that have gone to space before. It's a different ball game now, it's a completely different ball game.If you think about what it must have been like when the silk road was created years and years ago. Those people were doing trading and they were exploring new lands and all of that. That was a real moment in time. 
Right now, the responsibility that we have at Moon Mark is to make sure that young people understand how they can not only access the ability to explore space.But also most importantly, the responsibility of making the right kinds of decisions. We don't need to go out there and create wars in space, we got enough of them here. We’ve demonstrated pretty strongly how humans can be drawn to those types of situations where it's mine, not yours. Let me fight you for it or your beliefs are different from mine and all of that.What we really want to do, and are doing, is integrating the message of responsibility into the experience that we're creating. You don't get to race on the moon, unless you really have demonstrated through a series of structured experiences and things like that, that you understand the responsibilities and the potential consequences of what you do.Eric: Let's circle back and talk about how we got to this point. If anybody dives into your background, obviously the claimed Philadelphia businesswoman, military veteran, you've worked with veterans in the past.Mary Hagy Has a CompulsionEric: Journalism, broadcast, television, all these fun things that we even covered on the episode that we did together. I remember specifically, there's a story. There is a turning point. There's a threshold that you crossed that got you to space, and it wasn't watching reruns of Star Trek. So how do you go from the army and the IT world, and the business world to Moon Mark?Mary: There are certain people in the world, and I'm one of them, that has a compulsion. For me, it's a joyous one. That is that I really love being in the startup space. I love creating ideas, ideation, rumination, creation, and execution. A couple of years ago I didn't have anything to do on a Saturday afternoon. So I went to a high school robotics competition.I had gone there because number one, I wanted to enjoy the experience. Number two, I really wanted to see the kids in action. So I went there. 
One of my favorite moments was when the folks gave me a group of kids, a team that was competing that day. We were talking and one of them said to me, \"Why are you doing this? Why are you doing that? Mary, do you want to see the pit?\"I was like, \"Oh yeah, I want to see the pit.\" And so they took me to the pit, as there is in racing. There's the pit where the team is working on the car. It was really incredible to me. We of course went there and they explained to me everything that they were doing. How they had built this robot over a six-week period.The First Competition That Was So Influential to Mary HagyMary: Now they were at the first competition. How they were going to win it. That was just so influential for me. When I left that day with a very happy heart, I thought, \"Whatever I do next, I need to work with young people again.\" It’s what I had done in the past, but then I've done a couple of other things in the meantime.I said, \"Yes, it's important to me that I work with this group of kids, this age demographic. They haven't become skeptical yet,\" as we were saying earlier. That's how it actually started. I didn't have any idea what I was going to do to make that happen. But when that happens for me, when I have an experience like that, it means that I must listen. I must listen to what I'm supposed to hear.Sometimes that's easy, sometimes that's hard, because sometimes you just want to put the puzzle piece together. And say, \"Oh, well, that clip, that never happens for me.\" I started listening. That's how I was drawn into the notion of space, which I've not been a part of my professional life. I started learning about it and understanding where we are as a human species. Saying, \"Okay, there's something here.\" So that's how it started.Eric: This is actually a really important point that she's getting to hear. This goes back to the episode that you and I did together. 
That has to do with all this telemetry, all this data, the crossover, and the intersection between let's say the racing world. And even this, the space world with technology.Mary Hagy and Her TeamEric: Mary Hagy and her team and the kids can't do what they do without being invested in different facets of technology. That technology stands not just sitting behind a keyboard and programming out what these robots and these race cars are going to do. It's engineering, it's science, it's mathematics, it's thermodynamics.It is the aerodynamics, it's all these things that we talked about before. It's amazing how STEM extends itself and how many different programs, applications, and pieces of technology you need to make this all work. I can see Mary bringing her vast experience in that world to the table as well. It makes the transition a little bit easier.Carolyn: We're in a place in human history where all of this is converging. You're bringing in the technology piece of it. I'm thinking about how you refer to me as the meat behind the wheel. I'm thinking about you, the meat here, your brain bringing all this telemetry in. These ideas and coming up with Moon Mark, the technology piece. But then, the brain piece, that's the ultimate piece of technology.Mary: I do want to call out what you and Eric just said, which is, you don't get to the moon. You sure don't get to race. And you sure don't get to leave a scientific experiment there that's going to last the next 30 years. You don't do that without the skill set of STEAM.We have had some interesting conversations with folks about, \"No, it's STEM.\" No, it's STEAM. It’s the arts. The arts are, for example, we were working with Frank Stefansson in London, who is a world renowned auto designer. He cannot create a Ferrari or a Maserati, or a McLaren.A Very Compelling ExperienceMary: He can't do any of that if he doesn't understand the other aspects, or be able to call upon science, technology, engineering, and mathematics. 
In bringing together what we know to be a very compelling experience and opportunity for young people. It's very much also about what skills are you drawn to?What skills do you need to learn or want to learn? How do they affect your future? And how does your future affect the future of humankind? It very much is an amalgam. We happen to be at some place where we've got an acronym.Carolyn: I like your acronym the best, I like STEAM. I've never heard that the A is so important. The creative part, the art part, you're right. It can't happen without that piece.Eric: But A is silent, it's like French. You hit on something really important. In projects like this, technology is a more broad term, it's not just IT. There is technology in mechanics. There's the technology of electronics, there's technology for different things.When you look at this, as people are building these machines to go on the moon, how much do you think old technology is being rediscovered? How much of it is future-proofing, things that we want to last the next 30 years. An example I'll bring up, ancient technology.Sometimes people forget, like how are we going to move water from this lower level to the upper level? There's something known as Archimedes' screw. We don't want to reinvent the wheel, but we want to take that type of old technology and modernize it. So how does that work in this arena when you're talking about vehicles on the moon?One of the Things Mary Hagy Is Proudest OfMary:  One of the things that we are really proudest of, and for me has been such a joyous part of the journey is that we have existing technology. It possibly can work on the moon, or it possibly cannot work on the moon.An example of that is the requirement for data transmission. We watched the astronauts walk on the moon. We've seen videos of the rovers that are up there. We're very much about capturing the journeys of these young people. 
Obviously, a critical part of the journey is the race on the moon.What we did not expect is that the technology does not exist for anything to be able to be captured and brought back in a form that people would watch. It's very useful to have the data streams right now for scientific purposes.It's very useful and very effective for us to understand that we can't really capture and bring back what we need. Or we couldn't be like, wait a minute. Number one, this is something we need to solve that we didn't expect. Number two, equally important if not more important, is solving for that acceleration in technologies.That may not have occurred if we had not been here and said, \"We need this.\" It will enable future explorers to have more capability in a more timely fashion than exists now. Like you're saying, Eric, when you were talking, I was thinking about cranes.You were talking about water distribution, but the same thing, who came up with cranes? I've watched this wonderful documentary about cranes and it was fascinating. Humans continue to develop capabilities that hopefully affect positively the larger scale of life and potential.You Can Go Race on the MoonMary: That's one of the things that we are charging our young people to do. You get to go race on the moon, but there are all of these other things that are involved. Here's your backpack of responsibility. You're not going to get there unless you fill that backpack. And you put those pieces out when they need to be put out.Carolyn: Has the program started? Let's talk a little bit about logistics, how participants are chosen and teams are narrowed down. What's the timeline of the whole program?Mary: We're talking in September of 2021. The goal that we had been marching towards relentlessly was to launch a rocket and a lander, and land and race in October of 2021. There's a couple of things that have happened. This is just a moment in time when there's a confluence of stuff going on. 
That confluence, it is COVID for sure.It's also a shift in the space industry. Talk about COVID for a moment, as we were talking earlier about having young people participate and compete in Moon Mark. There's a requirement that when we get to the six teams, they have to be in the same place. They got to be competing. That's not possible right now.Carolyn: Physically in the same space.Mary: Yes. So we will have a lot of teams that are competing virtually. But then, when we get to the six teams that have to compete, they have to be together. COVID over the last year and a half has just barked our shins on every front. If we were doing it in the United States, it would be difficult enough.The Requirement of Global ParticipationMary: What parents want to send their kids in the middle of a pandemic to Houston Johnson Space Center? Not many. That would be hard enough. Having the requirement of global participation has really been a challenge for us. So that is one impact of COVID, and it's been meaningful.It has required us to come up with virtual challenges that will enable us to continue to interact with kids all over the world. At the same time, keep them safe. To me, job one is to keep them safe. That's one impact of COVID. Another impact of COVID, which you probably have heard about, but bears mentioning here is that COVID affected the global supply chain.What happened is that with this impact in the global supply chain, if you need a microchip or you need this particular kind of part for a lander, or you need this kind of rocket, the global supply chain has just slowed everything to a snail's pace....","content_html":"

Mary Hagy went from serving in the U.S. Army, to showing our future generations that the sky is not the limit. Carolyn is joined by guest host Eric Monterastelli to learn about Moon Mark's mission and have imagination personified in Mary Hagy.

Episode Table of Contents

  • [00:45] I Want to Be Mary Hagy
  • [08:37] Where Humans Have Never Been
  • [17:55] One of the Things Mary Hagy Is Proudest Of
  • [28:11] The Leap That Mary Hagy Hopes For


I Want to Be Mary Hagy

Carolyn: I have Eric Monterastelli as my co-host. Thanks for being here. You actually introduced me to today's guest, Mary Hagy. I listened to your podcast. You interviewed her on Break/Fix. Honestly, I'm telling you right now, I want to be Mary Hagy. She's cool. Like she has one of the coolest jobs ever.

Mary Hagy is a veteran of the U.S. Army. She is a creative entrepreneur, storyteller, and civic enthusiast. She conceives, capitalizes, and executes profitable projects that have inspirational, entertainment, and educational impact across broad audiences. Her current project is Moon Mark.

What we're here to talk about today will capture global audiences. With the stories of six teams of high school explorers who compete to become the final two that will design, build, land, and race two autonomous vehicles on the moon. Let me just repeat that.

She's got a project that has six teams of high school kids who are going to compete. To become two teams of finalists that will design, build, land, and race two autonomous vehicles on the moon. They'll communicate peer-to-peer with young people who will become explorers in space and on earth. And open a talent pipeline for the workforce of the future. Welcome, Mary Hagy, CEO of Moon Mark.

Mary: Thanks so much, Carolyn. I really appreciate that introduction.

Carolyn: Let's start with, what is Moon Mark? Can you give us an overview?

Mary: What you just described is very much a capsulation, if that's a word of what we're doing. When you think about Moon Mark, the idea really came from the notion that humans right now are on the precipice of commercialization of space.

The DNA of Moon Mark

Mary: Yes, governments will be involved. They have been involved for 60 years. But also, the way that the opportunity for really getting to whether it's the moon or an asteroid or Mars or Pluto or whatever, we're on that precipice. It's the commercial industries that are going to get us there.

We came up with Moon Mark and the DNA of Moon Mark remains that of the high school kids that happen to be that age. Human beings that happen to be that age, wherever they are on the face of the earth, they’re going to accept stewardship of space exploration.

There are aspects to space exploration that are, I'm going to call them mistakes and paradigms. The space industry has really been all about the agencies of countries. Whether it's NASA, the Canadian Space Industry, the European Space Industry, whatever agency it is.

What has occurred is that young people, there's no real access for them to be able to understand that they can be a part of this. Until now, it's been very much about, "If you want to go to space, you have to be an astronaut. And if you have to be an astronaut, you have to go through this excruciating process with very high attrition and likely you won't make it," and all of that stuff. That's just not true anymore, that's the good news. It's not true.

With Moon Mark, at our DNA level, we are creating experiences and opportunities for young people. For them to understand that the game has changed, that they can have access to space exploration. It doesn't have to be one astronaut out of 30,000 applicants.

Exploration in General

Mary: There are all kinds of ways to reach their potential if they're interested in space exploration, or exploration in general. That's kind of what we're really all about. It's about accessibility, it's about opportunity, it's about exploration. It is about a little bit of competition.

Carolyn: I used to teach middle school. I taught 13 year olds and that age and the high school age, they still believe that anything is possible. They still have that sense of wonder and awe for the most part on a daily basis. What you're doing right now is fostering that. I love that you're doing this for these kids.

Mary: I really appreciate that, Carolyn. Moon Mark has been quite a story in the making itself. We've had a lot of spirited discussions, mostly with people in the space industry. Mary, why are you targeting high school students?

How do you think they're going to be able to do what's really needed to put vehicles on the moon? Race them from afar and all of the other stuff that's about Moon Mark. The reason why we decided that the high school age demographic was the right one for us is because they do still have that sense of awe.

Carolyn: Tainted, jaded.

Mary: The high school kids will absolutely look at this and they'll turn their thinking caps on. Once a student reaches a certain age, she or he becomes skeptical, because that's what human beings do. What we want to do is offer opportunities for those that are right on the edge of being skeptical, but they're not. They still have the ability to dream big and achieve big.

Mary Hagy and the Home on the Moon

Mary: That is the demographic that we know is the steward of commercialization of space. One of the things that I want to share with you this morning is a new program that we have called home on the moon. It's going to be a challenge for kids across the world, that age group, and also middle school. You know, we're all about that too. We're working with the Aldrin Family Foundation and their curriculum and their experiences and stuff like that.

Carolyn: Is it a US-based program only? Or is it worldwide?

Mary: It absolutely is global. Here are the reasons why. When we crafted Moon Mark, came up with the idea and started to really flush it out. One of the tenets, one of the values that we hold dearest is that no one owns the moon. Every human has experienced the moon in their own way, in their own life. We use the moon as a unifying element. A unifying force for people in all cultures, in all locations, because they can see the moon, it's their moon.

Carolyn: I got chills when you said that. It made me think of John Lennon's Imagine song, just where we stop trying to own stuff. You're right, no one owns the moon. I love that.

Mary: It really has given me a lot of inspiration when I think about how we have already. And we're going to reach young people across the world and to do it in a way that is meaningful for them. At the same time, it really challenges them and helps them understand what they can do personally to affect the future.

Where Humans Have Never Been

Mary: Humans have never been to this place. We've never been at the place where we're really going to go and explore space. I don't mean in any way to detract from the achievements of the people that have gone to space before. It's a different ball game now, it's a completely different ball game.

If you think about what it must have been like when the silk road was created years and years ago. Those people were doing trading and they were exploring new lands and all of that. That was a real moment in time. Right now, the responsibility that we have at Moon Mark is to make sure that young people understand how they can not only access the ability to explore space.

But also most importantly, the responsibility of making the right kinds of decisions. We don't need to go out there and create wars in space, we got enough of them here. We’ve demonstrated pretty strongly how humans can be drawn to those types of situations where it's mine, not yours. Let me fight you for it or your beliefs are different from mine and all of that.

What we really want to do, and are doing, is integrating the message of responsibility into the experience that we're creating. You don't get to race on the moon, unless you really have demonstrated through a series of structured experiences and things like that, that you understand the responsibilities and the potential consequences of what you do.

Eric: Let's circle back and talk about how we got to this point. If anybody dives into your background, obviously the acclaimed Philadelphia businesswoman, military veteran, you've worked with veterans in the past.

Mary Hagy Has a Compulsion

Eric: Journalism, broadcast, television, all these fun things that we even covered on the episode that we did together. I remember specifically, there's a story. There is a turning point. There's a threshold that you crossed that got you to space, and it wasn't watching reruns of Star Trek. So how do you go from the army and the IT world, and the business world to Moon Mark?

Mary: There are certain people in the world, and I'm one of them, that has a compulsion. For me, it's a joyous one. That is that I really love being in the startup space. I love creating ideas, ideation, rumination, creation, and execution. A couple of years ago I didn't have anything to do on a Saturday afternoon. So I went to a high school robotics competition.

I had gone there because number one, I wanted to enjoy the experience. Number two, I really wanted to see the kids in action. So I went there. One of my favorite moments was when the folks gave me a group of kids, a team that was competing that day. We were talking and one of them said to me, "Why are you doing this? Why are you doing that? Mary, do you want to see the pit?"

I was like, "Oh yeah, I want to see the pit." And so they took me to the pit, as there is in racing. There's the pit where the team is working on the car. It was really incredible to me. We of course went there and they explained to me everything that they were doing. How they had built this robot over a six-week period.

The First Competition That Was So Influential to Mary Hagy

Mary: Now they were at the first competition. How they were going to win it. That was just so influential for me. When I left that day with a very happy heart, I thought, "Whatever I do next, I need to work with young people again." It’s what I had done in the past, but then I've done a couple of other things in the meantime.

I said, "Yes, it's important to me that I work with this group of kids, this age demographic. They haven't become skeptical yet," as we were saying earlier. That's how it actually started. I didn't have any idea what I was going to do to make that happen. But when that happens for me, when I have an experience like that, it means that I must listen. I must listen to what I'm supposed to hear.

Sometimes that's easy, sometimes that's hard, because sometimes you just want to put the puzzle piece together. And say, "Oh, well, that clip, that never happens for me." I started listening. That's how I was drawn into the notion of space, which I've not been a part of my professional life. I started learning about it and understanding where we are as a human species. Saying, "Okay, there's something here." So that's how it started.

Eric: This is actually a really important point that she's getting to here. This goes back to the episode that you and I did together. That has to do with all this telemetry, all this data, the crossover, and the intersection between let's say the racing world. And even this, the space world with technology.

Mary Hagy and Her Team

Eric: Mary Hagy and her team and the kids can't do what they do without being invested in different facets of technology. That technology stands not just sitting behind a keyboard and programming out what these robots and these race cars are going to do. It's engineering, it's science, it's mathematics, it's thermodynamics.

It is the aerodynamics, it's all these things that we talked about before. It's amazing how STEM extends itself and how many different programs, applications, and pieces of technology you need to make this all work. I can see Mary bringing her vast experience in that world to the table as well. It makes the transition a little bit easier.

Carolyn: We're in a place in human history where all of this is converging. You're bringing in the technology piece of it. I'm thinking about how you refer to me as the meat behind the wheel. I'm thinking about you, the meat here, your brain bringing all this telemetry in. These ideas and coming up with Moon Mark, the technology piece. But then, the brain piece, that's the ultimate piece of technology.

Mary: I do want to call out what you and Eric just said, which is, you don't get to the moon. You sure don't get to race. And you sure don't get to leave a scientific experiment there that's going to last the next 30 years. You don't do that without the skill set of STEAM.

We have had some interesting conversations with folks about, "No, it's STEM." No, it's STEAM. It’s the arts. The arts are, for example, we were working with Frank Stephenson in London, who is a world-renowned auto designer. He cannot create a Ferrari or a Maserati, or a McLaren.

A Very Compelling Experience

Mary: He can't do any of that if he doesn't understand the other aspects, or be able to call upon science, technology, engineering, and mathematics. In bringing together what we know to be a very compelling experience and opportunity for young people. It's very much also about what skills are you drawn to?

What skills do you need to learn or want to learn? How do they affect your future? And how does your future affect the future of humankind? It very much is an amalgam. We happen to be at some place where we've got an acronym.

Carolyn: I like your acronym the best, I like STEAM. I've never heard that the A is so important. The creative part, the art part, you're right. It can't happen without that piece.

Eric: But A is silent, it's like French. You hit on something really important. In projects like this, technology is a more broad term, it's not just IT. There is technology in mechanics. There's the technology of electronics, there's technology for different things.

When you look at this, as people are building these machines to go on the moon, how much do you think old technology is being rediscovered? How much of it is future-proofing, things that we want to last the next 30 years. An example I'll bring up, ancient technology.

Sometimes people forget, like how are we going to move water from this lower level to the upper level? There's something known as Archimedes' screw. We don't want to reinvent the wheel, but we want to take that type of old technology and modernize it. So how does that work in this arena when you're talking about vehicles on the moon?

One of the Things Mary Hagy Is Proudest Of

Mary: One of the things that we are really proudest of, and for me has been such a joyous part of the journey is that we have existing technology. It possibly can work on the moon, or it possibly cannot work on the moon.

An example of that is the requirement for data transmission. We watched the astronauts walk on the moon. We've seen videos of the rovers that are up there. We're very much about capturing the journeys of these young people. Obviously, a critical part of the journey is the race on the moon.

What we did not expect is that the technology does not exist for anything to be able to be captured and brought back in a form that people would watch. It's very useful to have the data streams right now for scientific purposes.

It's very useful and very effective for us to understand that we can't really capture and bring back what we need. Or we couldn't be like, wait a minute. Number one, this is something we need to solve that we didn't expect. Number two, equally important if not more important, is solving for that acceleration in technologies.

That may not have occurred if we had not been here and said, "We need this." It will enable future explorers to have more capability in a more timely fashion than exists now. Like you're saying, Eric, when you were talking, I was thinking about cranes.

You were talking about water distribution, but the same thing, who came up with cranes? I've watched this wonderful documentary about cranes and it was fascinating. Humans continue to develop capabilities that hopefully affect positively the larger scale of life and potential.

You Can Go Race on the Moon

Mary: That's one of the things that we are charging our young people to do. You get to go race on the moon, but there are all of these other things that are involved. Here's your backpack of responsibility. You're not going to get there unless you fill that backpack. And you put those pieces out when they need to be put out.

Carolyn: Has the program started? Let's talk a little bit about logistics, how participants are chosen and teams are narrowed down. What's the timeline of the whole program?

Mary: We're talking in September of 2021. The goal that we had been marching towards relentlessly was to launch a rocket and a lander, and land and race in October of 2021. There's a couple of things that have happened. This is just a moment in time when there's a confluence of stuff going on. That confluence, it is COVID for sure.

It's also a shift in the space industry. Talk about COVID for a moment, as we were talking earlier about having young people participate and compete in Moon Mark. There's a requirement that when we get to the six teams, they have to be in the same place. They got to be competing. That's not possible right now.

Carolyn: Physically in the same space.

Mary: Yes. So we will have a lot of teams that are competing virtually. But then, when we get to the six teams that have to compete, they have to be together. COVID over the last year and a half has just barked our shins on every front. If we were doing it in the United States, it would be difficult enough.

The Requirement of Global Participation

Mary: What parents want to send their kids in the middle of a pandemic to Houston Johnson Space Center? Not many. That would be hard enough. Having the requirement of global participation has really been a challenge for us. So that is one impact of COVID, and it's been meaningful.

It has required us to come up with virtual challenges that will enable us to continue to interact with kids all over the world. At the same time, keep them safe. To me, job one is to keep them safe. That's one impact of COVID. Another impact of COVID, which you probably have heard about, but bears mentioning here is that COVID affected the global supply chain.

What happened is that with this impact in the global supply chain, if you need a microchip or you need this particular kind of part for a lander, or you need this kind of rocket, the global supply chain has just slowed everything to a snail's pace....

","summary":null,"date_published":"2021-09-29T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/0050f6c8-9b94-46fa-9f7e-c7d4b724a7f7.mp3","mime_type":"audio/mpeg","size_in_bytes":30411076,"duration_in_seconds":2171}]},{"id":"9e6bb5af-afed-4ab7-87fe-4fc040b4d0ba","title":"Episode 8: Racing! Crossover Episode with Break/Fix: The Gran Touring Motorsports Podcast","url":"https://techtransforms.fireside.fm/8","content_text":"On this crossover episode Carolyn and Mark learn about the power of racing. Eric Monterastelli, Public Sector SE at Dynatrace and host of Break/Fix: The Gran Touring Motorsports Podcast, joins the Tech Transforms team to talk about where the rubber meets the road in government technology. Episode Table of Contents[00:51] Across the Side of Racing[06:59] All Racing Cars Have Self-Correcting Computers[14:16] From the Performance Racing Side[20:09] The Rule of Three in Racing[27:00] International Racing of Champions[33:01] Unlimited Funds To Fill a Racing Car GarageEpisode Links and ResourcesBreak/Fix the Gran Touring Motorsports PodcastEric Monterastelli LinkedInAcross the Side of RacingMark: We have invited our friend, Eric Monterastelli to join us on a crossover episode for this morning's Tech Transforms.Carolyn: His podcast is Break Fix. Thanks for being here, Eric, and we're super excited to talk to you today.Eric: That's right, folks. It's not uncommon to see IT branding plastered across the side of race cars in many motor sports disciplines. Names like AWS, CrowdStrike, and SailPoint immediately come to mind. But for application performance monitoring and artificial intelligence, the relationship between technology and racing goes far beyond stickers and sponsorship dollars.As Carolyn pointed out, this is a crossover episode between Break Fix and Tech Transforms. 
I'd like to personally thank Mark and Carolyn for having us on their show to explore this idea.Carolyn: It's a little bit geeked out for me, so let's just get really basic. Talk about cars and racing first. Tell me how you got into cars and racing in general.Eric: I'll keep it brief because I think that could be a whole episode into itself. Gran Touring Motorsports was founded in late 2013, officially 2014. Our mantra is to continue to spread motorsports enthusiasm. The idea is that people understand that there's multiple disciplines to racing. Racing is a big part of our world, whether you believe it or not.The chemistry, the science, the technology, the engineering that trickles down into your daily car is incredible. It all stems from manufacturers using the racetrack as their test center. Think about it from that perspective. Here at GTM, we want to continue to spread that enthusiasm because if we don't, racing will dry up.Tied Into the Racing CommunityEric: That advancement in technology ceases to exist. We've been around now for almost eight years. We have our own podcast, Break Fix, we talk about all sorts of different things. Ranging from these super technical episodes, all the way up to advice episodes.Like, what should I buy, and things of that nature. Personally, I got into cars by way of genetics. From my grandfather to my dad, and to me. Hopefully I get to pass it onto my daughters along the way. We've been tied into the racing community for a very long time.I’ve been a high-performance driving instructor for almost a decade. Before autocrossing, I was a cart racer nationally. It's unfortunately in the blood. What I find most interesting about it is that there's a huge intersection between the automotive and the IT world.I also followed in my father's footsteps, who was a mainframe programmer. I’ve had the IT side, and also the racing side. As a younger racer, I was involved in things like timing and scoring. 
I went to work for British Aerospace, where I tried desperately to get in on their helicopter division.Because I was actually working on engine management systems at another company. So, data, technology, IT, racing, it's all very intertwined. As I grew more into ProAm racing, time trials, and other disciplines, I started to realize how valuable the data that we collect.Not just from the cars, from the track, and from the motors and all this stuff related to what I was doing in the SIM and threat intelligence world and also in the APM and artificial intelligence space. There's this huge crossover there. I want to be able to explore that with you guys.The Mechanics and Infrastructure of CarsMark: It seems to me that in the sixties and seventies, the things that teams would do to increase their edge was around mechanics and the infrastructure of cars. Over the last 20 years, there has been that shift to IT and leveraging technology to give racers an edge on the racetrack.Eric: You're a hundred percent right. I'll use an example. Colin Chapman, the founder of Lotus is infamously known for both pushing the boundary and cheating like crazy. What he did is, he found loopholes in the rules where he could take experimental technology and push the boundaries of racing and engineering.So how do you control that? More rules get put into place to try to squelch that. You penalize people, these kinds of things, but really what he was doing is he was moving everything forward. Back then in the sixties and seventies, and even still partially in the eighties where you didn't have big data available, it was all trial and error. Let's use Formula 1, as an example.You'll see cars back in the seventies with six wheels. You're like, \"Why is that a good idea?\" Because somebody needed to try. Chaparral was famous for mounting fans on the bottom of the cars to try to absorb them into the pavement. 
To create ground effects instead of doing studies and aerodynamics.Mark: So the cars wouldn't fly off the racetrack.Eric: Exactly. There's all this trickery and all this crazy stuff that they would do, but we've shifted away from that. We've shifted away to raw data to say, what is that tire doing in that corner, under load at this pound of pressure?Bridging the Physical to the DigitalEric: But if we change it by half a pound, what difference does it make? How much more G can we pull in that corner? We've gotten to the deeper layers of the science, and the engineering to make these cars go faster. That's why, if you look at a Formula 1 car of today versus 1960, it's completely different.Mark: To bridge the physical to the digital, cars have sensors. These microchips are all embedded throughout the structure of the car to feed that data back.Carolyn: Even on the tires?Eric: Yes. So get this. Starting in the 1990s and the advent of something known as OBD1, so now we all run OBD2 or CAN buses. There's actually a port in the car that you can tie a laptop into, and pull all sorts of information from all over the vehicle. More and more manufacturers are putting that up on the heads up displays and on the dashboards these days, which is fantastic.It's right there at your fingertips. But starting in the 90s, they needed a way to interface with the engine because they were putting in more sensors. Thanks to electronic and programmable fuel injection, engine management, it's also known as. So, there's a sensor for water. There's a sensor for oil. There is a sensor for pressure.There's a sensor for the rotational speed of the motor at the crank and at the cam. It's very nit-noid information. And it's all to keep the engine running at maximum efficiency under multiple conditions. 
So just because you're tooling down the highway, that computer on board is making corrections in microseconds, if not faster.Carolyn: It's correcting itself?Eric: Yes, it is a self-correcting computer.All Racing Cars Have Self-Correcting ComputersMark: The electronics we have are just a much more simplified version of that, not corrective.Eric: All cars, even your street cars have these self-healing self-correcting computers. The way it works is that a lot of it is for emissions. A lot of it is for efficiency, a lot of it is for power. For instance, in the old days, I'll draw a parallel to understand that a carburetor is very static. You jetted it a certain way, ran terribly when it was cold and the barometric pressure was wrong.You had to reject it, and tweak it, and get under the hood to get it to purr just perfectly. Now with electronic fuel injection, it takes that into account. It takes into account atmospheric pressure, air temperature, elevation, all this kind of stuff. And it makes corrections based on where you are, where the pedal is at any given time.Carolyn: Are we talking about AI?Eric: We're talking about mechanical aid.Carolyn: My car?Eric: Yes. That's pretty cool.Carolyn: In my mind, I'm drawing all these parallels to what you do for work with the government and how these race cars and cars in general work.Eric: So telemetry used in a race car finds itself on the back of a Humvee. Finds itself in a tank, finds itself on an airplane. So, weapons systems, navigation systems, all that can be tied back in some ways to the automotive world, including GPS work. Because we do use GPS telemetry as well to calculate speed, and distance, and all sorts of additional telemetry when objects are in motion.Carolyn: Does the government use the data gathered on the racetrack?Engine ManagementEric: I'll put it this way. I've worked on some projects that were tied into engine management on tanks and Humvees. So it is possible. 
I don't know that I can expand too much further than that. But the data collected there is very similar to the data that's collected in your passenger car, as well as the race car.Mark: I would imagine it's probably more finely tuned for aircraft than land vehicles.Eric: In the airplane, yes. Because you have to take into consideration yaw and pitch and elevation and all the atmospheric conditions. But that's also true in other disciplines of motor sport. If I'm talking about off-roading the terrain, then the pitch and yaw of the vehicle is extremely important. When I'm looking at using sensors to show the articulation of my suspension.How much suspension travel do I have, how much rotation per axle am I using? Do I need to transfer power from the front wheels to the rear wheels? You see those commercials all the time from Audi and Subaru about how it does all this stuff. A lot of that is computer-controlled. It's very much that mechanical AI, making those decisions based on the sensors, and the telemetry that it's collecting in real-time.Mark: I imagine in the performance racing industry, when you're going at speeds at 200 miles per hour, or greater. Decisions need to be made and milliseconds, it ups the ante a lot greater.Eric: That is very true. We're not at Mach two or whatever, like a fighter jet, but you're absolutely correct. In both cases, there's still that common denominator of, as we say in our world, the meat behind the steering wheel.The Augmented Reality of AI in Racing VehiclesEric: There's still an organic computer making those minute by minute or second by second decisions. With the augmented reality of AI in the vehicle controlling those multitudes of different systems that are helping that person, that pilot, that driver be able to do what they do.Carolyn: A lot of tech companies plaster their names on the sides of cars. I'm not going to lie, I thought it was a testosterone thing. 
But you said, there's this intersection between the racing and the tech world. Is it just an advertising ploy or is there more to it?Eric: If you ever speak to any race engineers, or if you happen to go to say an IMSA where you can get really close to the pit boxes. Something like the Rolex 24 hours or the sale in six hours at Watkins Glen. If you can get your eyes inside the booth, you'll see that it looks like a command center.You'd think you were at NASA, it's all screens. All data coming in real-time, over wireless into the booth race engineers are analyzing the data. They're also leveraging platforms like AWS and Azure to run their applications. They need to be able to get this stuff immediately. Because what they can do from those, let's say control booths, is also send corrections back to the car.Some drivers, let's say Formula 1, if you've ever looked at the steering wheel, they have dials and knobs. They can make changes. They're talking back and forth with the pit constantly, \"The car is doing this.\" And they're like, \"All right, give it a little bit of tweak on this dial,\" and it'll make a change to the suspension as they're driving.Other Disciplines of RacingEric: But there's also other disciplines of racing, especially endurance racing, where they're watching the cars for longer periods of time. They need to be able to manage them over the course of that race. They can send over the air changes to the vehicles.Carolyn: Are they correlating the data like in this command center? Do they have a big seam that they're pulling everything in and cross tabbing and data analysis? Or do you have specialists like one's looking at the tires and one's looking at the key.Eric: You actually have both. Then you also have on-track telemetry. You've got folks that are responsible for certain parts of the car, let's say the tires, they're responsible for fueling. You can get really deep on many different portions of that stack. 
Let's call it the racing stack there that goes on on race day.On the other side of it, it's also the telemetry from the track. They're going to have people that are just watching the weather. Studying the weather and how the weather conditions and slight changes in temperature of the air are going to change the way the motor performs. Like losing upwards of let's say 20 horsepower, because there's one degree of weather change or rain is on its way.We've got to make strategic decisions on what tires we're going to use. How long are we going to stay out? We just passed Le Mans a weekend or two ago. That track is famous for being rained on one side and completely dry on the other because a full lap is almost nine miles long.Carolyn: The one in Ford versus Ferrari?There’s a Lot to Take InEric: Absolutely. There is a lot to take in, there's a lot of data. There's a lot of different sources of authority that are providing data just like there would be in an IT ecosystem. You've got firewalls, routers, IPS's, and an active directory. You have storage systems that are providing you with tons of metrics. And you have to have a way to correlate all that together and make sense of it.If there's a problem, and if you happen to listen to Le Mans two weekends ago. They could pinpoint an issue on the car before even the driver could tell it was about to happen. They're always talking back and forth. Like, \"This is about to go down. You should bring the car in. We want to look at this particular thing. A sensor is telling us that there's an issue.\"The same is true of IT. If you can forecast that, \"We've got an IOP degradation here on this particular sand server. It's going to cause this ripple effect, we're going to have to V motion. We're going to have to do this. That's going to cause an outage, looking at real user monitoring. We're going to have an issue where we're going to have people that are down and are going to be stuck in limbo.\" The same is true on the racetrack. 
There's this interesting intersection between two worlds. Where racing is this more mechanical application performance monitoring versus what we're used to on the IT side of the house. View a race car as an application, view the track as an ecosystem. Very similar to your data center or to your mission application, that you might be working on right now. From the Performance Racing SideMark: I'm interested to see how you can talk a little bit more about how you apply some of those disciplines. From the performance racing side to IT that we see or that we're talking to government customers about.Eric: There's always the physical side of racing, the car, the machine, the boat, the airplane, whatever it might be. But there's also the driver's side. How do you determine a talented driver from another driver? There's also another subcomponent of data there.Mark: Is that like the end-user?Eric: Absolutely. Lewis Hamilton, eight-time world champion Formula 1 driver. He was good, he was naturally talented. If they left him where he was, maintaining the status quo, he would have only gotten so much better. So then there's the telemetry of the driver. It coincides with the telemetry of the car, but it has to do with their physical abilities.It has to do with their risk mitigation, it has to do with how consistent they are on track. The key on track is consistent lap times being not a second apart, a second is a light-year. You need to be hundreds, if not tens of thousands of a second lap per lap. And you need to be that precise, racing is a precise sport.That being said, there's other forms of telemetry that we use to better the drivers. To help teach them, help educate them, and get them away from the status quo. I relate that back to continuous monitoring, CIC pipeline. All these kinds of things where not only is my driver, the end user, but he's also my mission act. How do I make my mission act better? 
And how do I make it more efficient?Monitoring the Driver AppCarolyn: How are you monitoring the driver app? Is the driver hooked up to sensors?Eric: Sometimes, yes. Actually, in the longer endurance races, they do have health and status monitors because they are in the car for long periods of time. In a race like Le Mans, there is a minimum of three drivers per team. Sometimes there's four, and they'll do double stints. They're out there for six hours or they're out there for three hours at a time. That's a lot to take in.You have to think about health, hydration, nutrition, all that stuff. There's doctors on staff. Let's take that out of the equation. But also how do I make that guy be consistent for three hours in the middle of the night when he's only running on two hours of sleep? Obviously, I could probably inject him periodically.Mark: Think of the endurance of doing an ironman. But when you're going 200 miles per hour, 220 down straight away, you have to be alert. So it does make a difference. I think about the endurance where you sit in a car for eight hours.Eric: To go back to your question and to your point, there's one system. Even in my more grassroots world where I'm teaching folks that might be from the government. Or they might be from industry, or they might be from wherever that they got this bucket list.Maybe they bought a Porsche, they retired or Corvette, and they want to go out and experience the track. Well, how do I make them better? I can teach them how to be safe, I can teach them how to be fast.What’s in My ToolboxEric: But if I want them to be perfect and be consistent, I have to use data. It's in my toolbox of things. There's been a go-to product for a very long time known as the EM. It's an Italian product. They have a whole series, the EM Solo and the smarty system and the DMX's, and all these different pieces.What it does is you attach it to the car, very simply. 
It's not something I have to tie in, and integrate like an octopus into the vehicle. I can throw it","content_html":"

On this crossover episode Carolyn and Mark learn about the power of racing. Eric Monterastelli, Public Sector SE at Dynatrace and host of Break/Fix: The Gran Touring Motorsports Podcast, joins the Tech Transforms team to talk about where the rubber meets the road in government technology.

Episode Table of Contents

  • [00:51] Across the Side of Racing
  • [06:59] All Racing Cars Have Self-Correcting Computers
  • [14:16] From the Performance Racing Side
  • [20:09] The Rule of Three in Racing
  • [27:00] International Racing of Champions
  • [33:01] Unlimited Funds To Fill a Racing Car Garage

Across the Side of Racing

Mark: We have invited our friend, Eric Monterastelli to join us on a crossover episode for this morning's Tech Transforms.

Carolyn: His podcast is Break Fix. Thanks for being here, Eric, and we're super excited to talk to you today.

Eric: That's right, folks. It's not uncommon to see IT branding plastered across the side of race cars in many motor sports disciplines. Names like AWS, CrowdStrike, and SailPoint immediately come to mind. But for application performance monitoring and artificial intelligence, the relationship between technology and racing goes far beyond stickers and sponsorship dollars.

As Carolyn pointed out, this is a crossover episode between Break Fix and Tech Transforms. I'd like to personally thank Mark and Carolyn for having us on their show to explore this idea.

Carolyn: It's a little bit geeked out for me, so let's just get really basic. Talk about cars and racing first. Tell me how you got into cars and racing in general.

Eric: I'll keep it brief because I think that could be a whole episode into itself. Gran Touring Motorsports was founded in late 2013, officially 2014. Our mantra is to continue to spread motorsports enthusiasm. The idea is that people understand that there's multiple disciplines to racing. Racing is a big part of our world, whether you believe it or not.

The chemistry, the science, the technology, the engineering that trickles down into your daily car is incredible. It all stems from manufacturers using the racetrack as their test center. Think about it from that perspective. Here at GTM, we want to continue to spread that enthusiasm because if we don't, racing will dry up.

Tied Into the Racing Community

Eric: That advancement in technology ceases to exist. We've been around now for almost eight years. We have our own podcast, Break Fix, we talk about all sorts of different things. Ranging from these super technical episodes, all the way up to advice episodes.

Like, what should I buy, and things of that nature. Personally, I got into cars by way of genetics. From my grandfather to my dad, and to me. Hopefully I get to pass it onto my daughters along the way. We've been tied into the racing community for a very long time.

I’ve been a high-performance driving instructor for almost a decade. Before autocrossing, I was a kart racer nationally. It's unfortunately in the blood. What I find most interesting about it is that there's a huge intersection between the automotive and the IT world.

I also followed in my father's footsteps, who was a mainframe programmer. I’ve had the IT side, and also the racing side. As a younger racer, I was involved in things like timing and scoring. I went to work for British Aerospace, where I tried desperately to get in on their helicopter division.

Because I was actually working on engine management systems at another company. So, data, technology, IT, racing, it's all very intertwined. As I grew more into ProAm racing, time trials, and other disciplines, I started to realize how valuable the data that we collect.

Not just from the cars, from the track, and from the motors and all this stuff related to what I was doing in the SIEM and threat intelligence world and also in the APM and artificial intelligence space. There's this huge crossover there. I want to be able to explore that with you guys.

The Mechanics and Infrastructure of Cars

Mark: It seems to me that in the sixties and seventies, the things that teams would do to increase their edge was around mechanics and the infrastructure of cars. Over the last 20 years, there has been that shift to IT and leveraging technology to give racers an edge on the racetrack.

Eric: You're a hundred percent right. I'll use an example. Colin Chapman, the founder of Lotus is infamously known for both pushing the boundary and cheating like crazy. What he did is, he found loopholes in the rules where he could take experimental technology and push the boundaries of racing and engineering.

So how do you control that? More rules get put into place to try to squelch that. You penalize people, these kinds of things, but really what he was doing is he was moving everything forward. Back then in the sixties and seventies, and even still partially in the eighties where you didn't have big data available, it was all trial and error. Let's use Formula 1, as an example.

You'll see cars back in the seventies with six wheels. You're like, "Why is that a good idea?" Because somebody needed to try. Chaparral was famous for mounting fans on the bottom of the cars to try to absorb them into the pavement. To create ground effects instead of doing studies and aerodynamics.

Mark: So the cars wouldn't fly off the racetrack.

Eric: Exactly. There's all this trickery and all this crazy stuff that they would do, but we've shifted away from that. We've shifted away to raw data to say, what is that tire doing in that corner, under load at this pound of pressure?

Bridging the Physical to the Digital

Eric: But if we change it by half a pound, what difference does it make? How much more G can we pull in that corner? We've gotten to the deeper layers of the science, and the engineering to make these cars go faster. That's why, if you look at a Formula 1 car of today versus 1960, it's completely different.

Mark: To bridge the physical to the digital, cars have sensors. These microchips are all embedded throughout the structure of the car to feed that data back.

Carolyn: Even on the tires?

Eric: Yes. So get this. Starting in the 1990s and the advent of something known as OBD1, so now we all run OBD2 or CAN buses. There's actually a port in the car that you can tie a laptop into, and pull all sorts of information from all over the vehicle. More and more manufacturers are putting that up on the heads up displays and on the dashboards these days, which is fantastic.

It's right there at your fingertips. But starting in the 90s, they needed a way to interface with the engine because they were putting in more sensors. Thanks to electronic and programmable fuel injection, engine management, it's also known as. So, there's a sensor for water. There's a sensor for oil. There is a sensor for pressure.

There's a sensor for the rotational speed of the motor at the crank and at the cam. It's very nit-noid information. And it's all to keep the engine running at maximum efficiency under multiple conditions. So just because you're tooling down the highway, that computer on board is making corrections in microseconds, if not faster.

Carolyn: It's correcting itself?

Eric: Yes, it is a self-correcting computer.

All Racing Cars Have Self-Correcting Computers

Mark: The electronics we have are just a much more simplified version of that, not corrective.

Eric: All cars, even your street cars have these self-healing self-correcting computers. The way it works is that a lot of it is for emissions. A lot of it is for efficiency, a lot of it is for power. For instance, in the old days, I'll draw a parallel to understand that a carburetor is very static. You jetted it a certain way, ran terribly when it was cold and the barometric pressure was wrong.

You had to rejet it, and tweak it, and get under the hood to get it to purr just perfectly. Now with electronic fuel injection, it takes that into account. It takes into account atmospheric pressure, air temperature, elevation, all this kind of stuff. And it makes corrections based on where you are, where the pedal is at any given time.

Carolyn: Are we talking about AI?

Eric: We're talking about mechanical AI.

Carolyn: My car?

Eric: Yes. That's pretty cool.

Carolyn: In my mind, I'm drawing all these parallels to what you do for work with the government and how these race cars and cars in general work.

Eric: So telemetry used in a race car finds itself on the back of a Humvee. Finds itself in a tank, finds itself on an airplane. So, weapons systems, navigation systems, all that can be tied back in some ways to the automotive world, including GPS work. Because we do use GPS telemetry as well to calculate speed, and distance, and all sorts of additional telemetry when objects are in motion.

Carolyn: Does the government use the data gathered on the racetrack?

Engine Management

Eric: I'll put it this way. I've worked on some projects that were tied into engine management on tanks and Humvees. So it is possible. I don't know that I can expand too much further than that. But the data collected there is very similar to the data that's collected in your passenger car, as well as the race car.

Mark: I would imagine it's probably more finely tuned for aircraft than land vehicles.

Eric: In the airplane, yes. Because you have to take into consideration yaw and pitch and elevation and all the atmospheric conditions. But that's also true in other disciplines of motor sport. If I'm talking about off-roading the terrain, then the pitch and yaw of the vehicle is extremely important. When I'm looking at using sensors to show the articulation of my suspension.

How much suspension travel do I have, how much rotation per axle am I using? Do I need to transfer power from the front wheels to the rear wheels? You see those commercials all the time from Audi and Subaru about how it does all this stuff. A lot of that is computer-controlled. It's very much that mechanical AI, making those decisions based on the sensors, and the telemetry that it's collecting in real-time.

Mark: I imagine in the performance racing industry, when you're going at speeds at 200 miles per hour, or greater. Decisions need to be made in milliseconds, it ups the ante a lot greater.

Eric: That is very true. We're not at Mach two or whatever, like a fighter jet, but you're absolutely correct. In both cases, there's still that common denominator of, as we say in our world, the meat behind the steering wheel.

The Augmented Reality of AI in Racing Vehicles

Eric: There's still an organic computer making those minute by minute or second by second decisions. With the augmented reality of AI in the vehicle controlling those multitudes of different systems that are helping that person, that pilot, that driver be able to do what they do.

Carolyn: A lot of tech companies plaster their names on the sides of cars. I'm not going to lie, I thought it was a testosterone thing. But you said, there's this intersection between the racing and the tech world. Is it just an advertising ploy or is there more to it?

Eric: If you ever speak to any race engineers, or if you happen to go to say an IMSA where you can get really close to the pit boxes. Something like the Rolex 24 hours or the Sahlen's Six Hours at Watkins Glen. If you can get your eyes inside the booth, you'll see that it looks like a command center.

You'd think you were at NASA, it's all screens. All data coming in real-time, over wireless into the booth. Race engineers are analyzing the data. They're also leveraging platforms like AWS and Azure to run their applications. They need to be able to get this stuff immediately. Because what they can do from those, let's say control booths, is also send corrections back to the car.

Some drivers, let's say Formula 1, if you've ever looked at the steering wheel, they have dials and knobs. They can make changes. They're talking back and forth with the pit constantly, "The car is doing this." And they're like, "All right, give it a little bit of tweak on this dial," and it'll make a change to the suspension as they're driving.

Other Disciplines of Racing

Eric: But there's also other disciplines of racing, especially endurance racing, where they're watching the cars for longer periods of time. They need to be able to manage them over the course of that race. They can send over the air changes to the vehicles.

Carolyn: Are they correlating the data like in this command center? Do they have a big SIEM that they're pulling everything in and cross tabbing and data analysis? Or do you have specialists like one's looking at the tires and one's looking at the key.

Eric: You actually have both. Then you also have on-track telemetry. You've got folks that are responsible for certain parts of the car, let's say the tires, they're responsible for fueling. You can get really deep on many different portions of that stack. Let's call it the racing stack there that goes on on race day.

On the other side of it, it's also the telemetry from the track. They're going to have people that are just watching the weather. Studying the weather and how the weather conditions and slight changes in temperature of the air are going to change the way the motor performs. Like losing upwards of let's say 20 horsepower, because there's one degree of weather change or rain is on its way.

We've got to make strategic decisions on what tires we're going to use. How long are we going to stay out? We just passed Le Mans a weekend or two ago. That track is famous for being rained on one side and completely dry on the other because a full lap is almost nine miles long.

Carolyn: The one in Ford versus Ferrari?

There’s a Lot to Take In

Eric: Absolutely. There is a lot to take in, there's a lot of data. There's a lot of different sources of authority that are providing data just like there would be in an IT ecosystem. You've got firewalls, routers, IPS's, and an Active Directory. You have storage systems that are providing you with tons of metrics. And you have to have a way to correlate all that together and make sense of it.

If there's a problem, and if you happen to listen to Le Mans two weekends ago. They could pinpoint an issue on the car before even the driver could tell it was about to happen. They're always talking back and forth. Like, "This is about to go down. You should bring the car in. We want to look at this particular thing. A sensor is telling us that there's an issue."

The same is true of IT. If you can forecast that, "We've got an IOP degradation here on this particular SAN server. It's going to cause this ripple effect, we're going to have to vMotion. We're going to have to do this. That's going to cause an outage, looking at real user monitoring. We're going to have an issue where we're going to have people that are down and are going to be stuck in limbo." The same is true on the racetrack.

There's this interesting intersection between two worlds. Where racing is this more mechanical application performance monitoring versus what we're used to on the IT side of the house. View a race car as an application, view the track as an ecosystem. Very similar to your data center or to your mission application, that you might be working on right now.

From the Performance Racing Side

Mark: I'm interested to see how you can talk a little bit more about how you apply some of those disciplines. From the performance racing side to IT that we see or that we're talking to government customers about.

Eric: There's always the physical side of racing, the car, the machine, the boat, the airplane, whatever it might be. But there's also the driver's side. How do you determine a talented driver from another driver? There's also another subcomponent of data there.

Mark: Is that like the end-user?

Eric: Absolutely. Lewis Hamilton, eight-time world champion Formula 1 driver. He was good, he was naturally talented. If they left him where he was, maintaining the status quo, he would have only gotten so much better. So then there's the telemetry of the driver. It coincides with the telemetry of the car, but it has to do with their physical abilities.

It has to do with their risk mitigation, it has to do with how consistent they are on track. The key on track is consistent lap times being not a second apart, a second is a light-year. You need to be hundredths, if not ten-thousandths, of a second lap per lap. And you need to be that precise, racing is a precise sport.

That being said, there's other forms of telemetry that we use to better the drivers. To help teach them, help educate them, and get them away from the status quo. I relate that back to continuous monitoring, CI/CD pipeline. All these kinds of things where not only is my driver, the end user, but he's also my mission app. How do I make my mission app better? And how do I make it more efficient?

Monitoring the Driver App

Carolyn: How are you monitoring the driver app? Is the driver hooked up to sensors?

Eric: Sometimes, yes. Actually, in the longer endurance races, they do have health and status monitors because they are in the car for long periods of time. In a race like Le Mans, there is a minimum of three drivers per team. Sometimes there's four, and they'll do double stints. They're out there for six hours or they're out there for three hours at a time. That's a lot to take in.

You have to think about health, hydration, nutrition, all that stuff. There's doctors on staff. Let's take that out of the equation. But also how do I make that guy be consistent for three hours in the middle of the night when he's only running on two hours of sleep? Obviously, I could probably inject him periodically.

Mark: Think of the endurance of doing an ironman. But when you're going 200 miles per hour, 220 down straight away, you have to be alert. So it does make a difference. I think about the endurance where you sit in a car for eight hours.

Eric: To go back to your question and to your point, there's one system. Even in my more grassroots world where I'm teaching folks that might be from the government. Or they might be from industry, or they might be from wherever that they got this bucket list.

Maybe they bought a Porsche, they retired or Corvette, and they want to go out and experience the track. Well, how do I make them better? I can teach them how to be safe, I can teach them how to be fast.

What’s in My Toolbox

Eric: But if I want them to be perfect and be consistent, I have to use data. It's in my toolbox of things. There's been a go-to product for a very long time known as the EM. It's an Italian product. They have a whole series, the EM Solo and the smarty system and the DMX's, and all these different pieces.

What it does is you attach it to the car, very simply. It's not something I have to tie in, and integrate like an octopus into the vehicle. I can throw it

","summary":null,"date_published":"2021-09-22T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/b143b177-0968-4796-b115-aa96f9e55330.mp3","mime_type":"audio/mpeg","size_in_bytes":30514911,"duration_in_seconds":2178}]},{"id":"7d95f5c4-766c-408b-b6d0-c35298cb06a9","title":"Episode 7: United by The Mission, With Troy Schneider","url":"https://techtransforms.fireside.fm/7","content_text":"The U.S. Government is leveraging technology to improve and accelerate the citizen experience. Listen as Carolyn and Mark learn more about the ecosystem of the mission from Troy Schneider, Editor-in-Chief of FCW and General manager of GCN.Episode Table of Contents[01:35] The Oldest and Most Influential Publications United by the Mission[11:07] The Physicians and the Patients Are United by the Mission[18:43] The Industry and the Government Are United by the Mission[26:17] Not as Sexy as Machine LearningEpisode Links and ResourcesSoulfireIEEEWiredThe Oldest and Most Influential Publications United by the MissionCarolyn: Today's guest is Troy Schneider, Editor-in-Chief at Federal Computer Week, FCW, and Government Computer News, GCN. Troy began his career in print journalism, and has written for a wide range of publications, including the New York Times, Washington Post, Slate, and Political.Troy, I would love to hear about your professional career. How did you become the Editor-in-Chief at FCW and GCN, two of the oldest and most influential publications in the public sector IT? You've had this long career. I'm really interested to know how you got into the government side of things, especially.Troy: I started in what most people think of as more of the traditional Washington journalism, more of the politics, and the campaign, the lobbying side of things. 
I worked for National Journal almost straight out of college, and was there when it was a weekly print magazine, not much else, and just starting to tiptoe into the digital space. I’ve spent about a decade, a little more than that, with different parts of National Journal, which grew into Atlantic Media Company over the years.\n\nI was lucky enough to be there at the creation of the digital business, moving to publishing and even online publishing before websites were the settled-on channel. Covered Congress, covered campaigns, all of that sort of work, and then made a pivot to a think tank. I’ve worked for A New America Foundation, which is now called New America, and went there to help them with their publishing efforts.\n\nThe Policy Side\n\nTroy: I really liked the ideas and the policy side of things. It’s a very media-centric organization, where they knew they couldn't just be contributing op-eds to places, but really needed to have their own publishing channels. I did that for seven years or so, and got a call about a job with FCW, to come on as the number two editor. If everyone liked each other, to move into the senior role. It’s a little bit of a daunting transition to focus on the true government side.\n\nMy focus for the first part of my career had been about all the stuff that happens to figure out what goes into the budget. To figure out what goes into the laws, to figure out who's going to be elected to those positions. In that politic-centric view, \"What happened after the bill was signed?\" The agencies got it. That’s just implementation details. Then you dive in, you realize just how big that set of details is, and just how important the operations are. FCW at the time, they wanted to be less about computers, because IT is so much more than that now.\n\nMore about the policy, the business, and the leadership side. I’ve done a lot of work with emerging technology during my time at New America. 
We’ve crept a lot closer than we would have been when I was at National Journal. We would've seen each other in two completely different spaces, but there was enough overlap that it was interesting to both parties. I came in, in 2012, as the Executive Editor of FCW. Stepped into the Editor role about a year and a half later, then took the similar role at GCN a couple of years after that. We've just been rolling ever since.\n\nWhat Agencies Have Done to Be United by the Process\n\nCarolyn: Early on, you had a government beat, but there was a transition for you.\n\nTroy: There was. I knew the government, I knew Congress, I knew the budget process, I knew nothing about things like FedRAMP or FISMA. Or really what agencies have to do to effectively run, and execute their missions. I remember talking to a colleague who had worked in the sector before I took the job in central. This is exciting. There's a lot that I don't know. It's like learning a foreign language.\n\nYou walk around, you're scribbling down notes, and looking things up every day. Then six weeks or six months later, you wake up and you realize you're dreaming in Spanish. That was it. I would come out of every conversation I had with Ann Armstrong, at FCW, or every interview I did with someone, with a list of names and acronyms. I had to go dig into the FCW archives and figure out what they were talking about, but it didn't take long for that stuff to start to fit together.\n\nAt a certain level, journalists should be able to get smart on any beat. It helps to have some subject matter expertise, but mainly it helps to have curiosity and want to dig in. The federal IT space is just a fascinating community. It's easy to be engaged. The fact that it really is a community is something I didn't fully appreciate when I joined FCW, but is one of my favorite parts of the job now. The people in government, the people in industry, yes, everyone has their jobs.
The people in government, the people in industry, yes, everyone has their jobs.They Want to Work Together and Be United by the MissionTroy: Everyone has their things they do, and don't want to talk about, but they really do want to work together. They’re generally united by that mission of making government work better. It's nice to be a part of that in a media capacity.Carolyn: You said something that really hits home to me almost daily. Government is its own ecosystem. You talked about Congress, and that layer and knowing it. The agencies, and what they have to deal with, with the mandates, but then also developing and procuring the different technologies. This podcast is focused on how global technology is changing the way we live, and how critical government decisions are.It affects the intersection of technology advancement and human needs. That said, you said something really interesting in your promotion of the 2021 GCN Innovation Awards. I'm going to quote you here. You said, \"Public sector tech is far cooler than the government often gets credit for.\" First, I love that. Can you talk more about that?Troy: There are certainly corners of government where the stereotype of bureaucracy has been earned. I've never met more people who work harder, and are more committed to their job, than I have in my conversations with people in government IT. I care about my job, and I think I worked very hard. But I feel like a slacker when I'm talking to almost any agency CIO. The people part of it is truly outstanding, but you look at the technology side of things. Over the last 10 years especially, the government has been such a leader in thinking about how to digitize the workflows, and think about how to serve citizens differently.The Emerging Tech SideTroy: Then obviously in the emerging tech side, and the things that I cited in that short article or intro, that you were quoting, you have DARPA, you have NASA. 
You have places that have the reputation for being the cool kids, doing amazing things. But you dig deeper and there's no one that's doing more with data than some of our government agencies. At the state and local level, what's happening with the internet, and smart city efforts is really leading edge.\n\nAre there places where everyone's trying to catch up to the Googles and the Amazons? Absolutely. You can't have a conversation in government. Several years ago, it was the Domino's analogy of, \"Why can't I do whatever in government, as easily as I order a pizza on my phone?\" I feel Amazon, and any number of other companies have continued to advance the user experience even further. There are places where government's still working to catch up.\n\nWhen you talk about doing new technology, and doing it at scale, there aren't many places that can match what the government's doing. You're seeing some agency beyond the traditional cool places, again, the NASAs, the DARPAs. You've found agencies doing a better job of leveraging that mission and that scale challenge. To bring a whole new type of talent, and a new type of worker into the government space, because you can work on things that you just couldn't do anywhere else.\n\nCarolyn: Can you think of an example, specifically the cool stuff that agency has done?\n\nTroy: Let's go to VA. Most of the stories you hear about VA are like, \"Oh, scheduling problems, vets waiting on care over the years.\"\n\nThe Physicians and the Patients Are United by the Mission\n\nTroy: The VA, even 30 years ago, was doing stuff that virtually no one else was doing on digital health records and focusing on long-term care. Making those systems really work, for both the physicians and the patients. The Vista system is being replaced now, as they move to Cerner. VA was a true innovator in developing a real user-centered design, and working all through the health system to both serve individuals. 
And to try and look at the bigger lessons of what's happening with public health, by looking at the data across their entire veteran caseload.\n\nThat's one. Another more recent would be what HHS was doing when the pandemic first got rolling with HHS Protect. Really trying to pull all the data, and bring it together at tremendous speed, so the policymakers could make decisions about understanding how the virus was progressing, and making sort of public health recommendations. Obviously, that's been a very politically charged conversation.\n\nBut if you strip away exactly what decisions were made, and look at what the HHS team did in 2020 to build out an amazing data lake, and high-end analysis, that was pulling things in from hospitals across the country in real-time. That's the type of project that you can't go to a private sector company and work on. The impact in the short term for helping us get a handle on the COVID crisis, and in the long term the lessons learned of what we can do with public health data, is just going to be tremendous.\n\nThings That Go Hand in Hand Are United by the Mission\n\nMark: One of the things that go hand in hand with some of those efforts is security. The president put out the executive order in regard to cybersecurity. I was very curious to get your thoughts about that. Particularly zero trust, and what that means to you.\n\nTroy: I should say that we could fill several books with what I don't know about zero trust. But it's been really interesting to watch that become the organizing principle for so many security conversations in government. I remember it was three or four years ago, at FCW. We were doing a round table with about a dozen CEOs and CTOs, talking about security challenges. One of them said, \"I really wish we could get to zero trust. Google has been doing this. It'd be great.\"\n\nThe reaction in the room was, \"That would be really cool. It would also be really cool if I had wings,\" was the sense. 
Now agencies are actively pushing toward it, but in terms of what zero trust is, it's an idea. I'll give you the layman's explanation. There's a longstanding idea in IT security, of least privilege access. If you're doing your stuff on your computer day to day, you don't want to have the permissions that lets you intentionally or accidentally delete all the files on your machine.\n\nYou should be logged in, in a way that lets you do what you absolutely need to do, and have to go in with admin privileges to do more. That's hard. It makes life complicated for users. One of the big cyber hygiene problems that the government and all organizations have had, was rampant use of admin privileges, where they really weren't necessary.\n\nWhat Leads to Vulnerabilities\n\nTroy: It leads to vulnerabilities like we saw in the OPM hack several years ago. Once people are able to get in and they can get privileges, they can move through the system and access everything. Zero trust is this idea of, \"I am going to give you only permission to access the data you need right now. When you need a new set of data, I'm going to reverify.\" It's a simple concept. But to do that across government systems, in a way that doesn't grind operations to a halt, because of all the frictions that are being put in, that's the hard part.\n\nThat's what agencies are wrestling with right now. Where they get into trouble, but they say, \"Oh, we're just going to implement zero trust in 2022.\" Well, it's not a thing you can implement. It’s a mindset and approach. It requires changes at virtually every level of the IT operations and how they're managed. I think it's good, but it's going to be a long slog.\n\nMark: It seemed about a decade or so ago, there was this analogous executive order that was put out on Insider Threat. It had a lot of specific details and requirements that were laid out as to how to go about that. In this executive order, there seems to be a certain level of vagueness to it. 
How do you see this manifesting itself as we move forward?\n\nTroy: At this point, I'm willing to give the administration the benefit of the doubt on this. I had a conversation with a group of officials not too long ago. It included Chris DeRusha, the Federal CISO.\n\nWhat We Have in Place to Be United by the Mission\n\nTroy: One of the main assignments of the executive order was that agencies have to do their own assessment, and say, \"This is our plan of working towards zero trust. This is what we have in place now. Here's how we think we're doing against those efforts.\" You're right, that's a very abstract set of marching orders.\n\nPart of the goal, as I understand it, is for OMB to be able to take that information. To start to get a sense of what building blocks different agencies actually have in place. So they can then take that to bring both more specific guidance out for the agencies, and also to start to make the business case.\n\nTo say, \"Okay, well, for agencies to get to this certain level that we think is important, we can now see that this amount of time or this amount is required.\" Part of this is to help establish the facts, and make the business case, for helping agencies move forward with their zero trust efforts. Because there is a recognition that it's going to be a long and somewhat expensive process.\n\nCarolyn: Coming right up, are The Federal 100 Awards. I want you to speak more about it. As I understand them, these awards are all about industry and government innovations. What I'm hearing you say is the government says, \"We want to get to where Google is with zero trust.\" But I've seen a lot of really forward-thinking, especially with the DOD, around zero trust.\n\nThe Industry and the Government Are United by the Mission\n\nCarolyn: This coming together of industry and government is so important. I see that with the Fed 100 Awards. Will you talk more about those awards, how you decide who to name because there are so many. 
How do you decide who the innovators are every year?\n\nTroy: We, at FCW, do not. It's one of the things that makes the Federal 100 Awards so special. They're coming up. The winners were announced early this year. We put off the actual gala until the end of August, hoping we'd be back to a good, safe space. We're now in a safe-ish space. With vaccination requirements for attendance, and masking, we're feeling pretty good about being able to celebrate in person here in a few days.\n\nI'd encourage people to check out the list because it's an amazing list of people. It's all at fed100.com. The award program, what makes it real, is that it’s really community-driven. The nominations come in from across the community. We put the nomination out. It's not just a, \"Hey, I like Mark, I like Carolyn,\" one line, if they did great stuff. It's fairly intensive.\n\nCarolyn: Are you saying I'm not going to make the list?\n\nMark: That was an endorsement.\n\nTroy: There are plenty of awards as listicles out there, not just in our space, in the world in general. The Federal 100 is not that, the best nominations, they come in. They have a whole slate of nominators from both the organizations of the individual there. Usually, customers or partners who were vouching for her or for him. They have pretty detailed essay questions/answers about explaining the job, explaining what they accomplished in the past calendar year.\n\nOutstanding Individual Achievement\n\nTroy: The criteria for Federal 100 is an outstanding individual achievement in the previous year. We really look for the specifics there. Then what FCW does is we assemble a panel of judges for this. It is often, but not always, previous Federal 100 winners. It’s always people who are both senior in the community and doing work to where they know about a lot more than their own silo.\n\nThey're working across agencies. They have ties in the industry. We have often had the Federal CIO be a judge. The CIO of the defense department, other major agencies. 
We worked very hard to build a panel that has expertise from across the government. There's always an acquisition pro, there's always a security expert. Our industry leaders are there as well. As you all know, from this community, a lot of the industry people have spent a portion of their careers in government as well.\n\nThey know both sides of that conversation. The judging process, they get a binder that's about a year thick, and spend a tremendous amount of their personal time going through that. Then we all convene. This year, unfortunately, it was in a Microsoft Teams meeting for seven hours on a Saturday. Normally we'll gather in a conference room, bring in food, and lock ourselves in there.\n\nThe group of seven to nine judges goes through each nomination, and reaches a consensus on who makes it and who doesn't. Some of them were easy and slam dunks. And some of them are easy to say, \"No, nice person, but this is not a nice personal award there. That project's not far enough along yet.\"\n\nIntensive Debates\n\nTroy: Then there are really intensive debates about that 80/20 rule that applies to a lot of things. It's fascinating. I learned more on that day of deliberations than I do in any other three or four weeks of the year. I'm just amazed at how much our judges know about the individual people and the individual projects that are going on across the government.\n\nThere's almost never a case where there isn't at least one judge who has firsthand knowledge about either the person, or the project. Or at the very least, one of the nominators who's vouching for them can sort of do a quick fact check on it. We bring our reporters in to help take notes in this process. It helps us with writing the profiles when things are done. But I also do it because it's like a masterclass for the edit team, to just sit there and learn from these people. It's legit.\n\nWhen I first came to FCW, we had a black-tie, what to recognize, who, and why. 
I was a little bit skeptical, until I went to the first one, and saw how seriously people took it. Then I went through the selection process. Again, where, Ann Armstrong, our Chief Content Officer, who helped create the Federal 100 Awards. She likes to say, \"We have a voice, but not a vote in there.\" Same thing, I will...","content_html":"

The U.S. Government is leveraging technology to improve and accelerate the citizen experience. Listen as Carolyn and Mark learn more about the ecosystem of the mission from Troy Schneider, Editor-in-Chief of FCW and General Manager of GCN.

Episode Table of Contents

  • [01:35] The Oldest and Most Influential Publications United by the Mission
  • [11:07] The Physicians and the Patients Are United by the Mission
  • [18:43] The Industry and the Government Are United by the Mission
  • [26:17] Not as Sexy as Machine Learning

Episode Links and Resources


The Oldest and Most Influential Publications United by the Mission

Carolyn: Today's guest is Troy Schneider, Editor-in-Chief at Federal Computer Week, FCW, and Government Computer News, GCN. Troy began his career in print journalism, and has written for a wide range of publications, including the New York Times, Washington Post, Slate, and Politico.

Troy, I would love to hear about your professional career. How did you become the Editor-in-Chief at FCW and GCN, two of the oldest and most influential publications in the public sector IT? You've had this long career. I'm really interested to know how you got into the government side of things, especially.

Troy: I started in what most people think of as more of the traditional Washington journalism, more of the politics, and the campaign, the lobbying side of things. I worked for National Journal almost straight out of college, and was there when it was a weekly print magazine, not much else, and just starting to tiptoe into the digital space. I’ve spent about a decade, a little more than that, with different parts of National Journal, which grew into Atlantic Media Company over the years.

I was lucky enough to be there at the creation of the digital business, moving to publishing and even online publishing before websites were the settled-on channel. Covered Congress, covered campaigns, all of that sort of work, and then made a pivot to a think tank. I’ve worked for A New America Foundation, which is now called New America, and went there to help them with their publishing efforts.

The Policy Side

Troy: I really liked the ideas and the policy side of things. It’s a very media-centric organization, where they knew they couldn't just be contributing op-eds to places, but really needed to have their own publishing channels. I did that for seven years or so, and got a call about a job with FCW, to come on as the number two editor. If everyone liked each other, to move into the senior role. It’s a little bit of a daunting transition to focus on the true government side.

My focus for the first part of my career had been about all the stuff that happens to figure out what goes into the budget. To figure out what goes into the laws, to figure out who's going to be elected to those positions. In that politic-centric view, "What happened after the bill was signed?" The agencies got it. That’s just implementation details. Then you dive in, you realize just how big that set of details is, and just how important the operations are. FCW at the time, they wanted to be less about computers, because IT is so much more than that now.

More about the policy, the business, and the leadership side. I’ve done a lot of work with emerging technology during my time at New America. We’ve crept a lot closer than we would have been when I was at National Journal. We would've seen each other in two completely different spaces, but there was enough overlap that it was interesting to both parties. I came in, in 2012, as the Executive Editor of FCW. Stepped into the Editor role about a year and a half later, then took the similar role at GCN a couple of years after that. We've just been rolling ever since.

What Agencies Have Done to Be United by the Process

Carolyn: Early on, you had a government beat, but there was a transition for you.

Troy: There was. I knew the government, I knew Congress, I knew the budget process, I knew nothing about things like FedRAMP or FISMA. Or really what agencies have to do to effectively run, and execute their missions. I remember talking to a colleague who had worked in the sector before I took the job in central. This is exciting. There's a lot that I don't know. It's like learning a foreign language.

You walk around, you're scribbling down notes, and looking things up every day. Then six weeks or six months later, you wake up and you realize you're dreaming in Spanish. That was it. I would come out of every conversation I had with Ann Armstrong, at FCW, or every interview I did with someone, with a list of names and acronyms. I had to go dig into the FCW archives and figure out what they were talking about, but it didn't take long for that stuff to start to fit together.

At a certain level, journalists should be able to get smart on any beat. It helps to have some subject matter expertise, but mainly it helps to have curiosity and want to dig in. The federal IT space is just a fascinating community. It's easy to be engaged. The fact that it really is a community is something I didn't fully appreciate when I joined FCW, but is one of my favorite parts of the job now. The people in government, the people in industry, yes, everyone has their jobs.

They Want to Work Together and Be United by the Mission

Troy: Everyone has their things they do, and don't want to talk about, but they really do want to work together. They’re generally united by that mission of making government work better. It's nice to be a part of that in a media capacity.

Carolyn: You said something that really hits home to me almost daily. Government is its own ecosystem. You talked about Congress, and that layer and knowing it. The agencies, and what they have to deal with, with the mandates, but then also developing and procuring the different technologies. This podcast is focused on how global technology is changing the way we live, and how critical government decisions are.

It affects the intersection of technology advancement and human needs. That said, you said something really interesting in your promotion of the 2021 GCN Innovation Awards. I'm going to quote you here. You said, "Public sector tech is far cooler than the government often gets credit for." First, I love that. Can you talk more about that?

Troy: There are certainly corners of government where the stereotype of bureaucracy has been earned. I've never met more people who work harder, and are more committed to their job, than I have in my conversations with people in government IT. I care about my job, and I think I worked very hard. But I feel like a slacker when I'm talking to almost any agency CIO. The people part of it is truly outstanding, but you look at the technology side of things.

Over the last 10 years especially, the government has been such a leader in thinking about how to digitize the workflows, and think about how to serve citizens differently.

The Emerging Tech Side

Troy: Then obviously in the emerging tech side, and the things that I cited in that short article or intro, that you were quoting, you have DARPA, you have NASA. You have places that have the reputation for being the cool kids, doing amazing things. But you dig deeper and there's no one that's doing more with data than some of our government agencies. At the state and local level, what's happening with the internet, and smart city efforts is really leading edge.

Are there places where everyone's trying to catch up to the Googles and the Amazons? Absolutely. You can't have a conversation in government. Several years ago, it was the Domino's analogy of, "Why can't I do whatever in government, as easily as I order a pizza on my phone?" I feel Amazon, and any number of other companies have continued to advance the user experience even further. There are places where government's still working to catch up.

When you talk about doing new technology, and doing it at scale, there aren't many places that can match what the government's doing. You're seeing some agency beyond the traditional cool places, again, the NASAs, the DARPAs. You've found agencies doing a better job of leveraging that mission and that scale challenge. To bring a whole new type of talent, and a new type of worker into the government space, because you can work on things that you just couldn't do anywhere else.

Carolyn: Can you think of an example, specifically the cool stuff that agency has done?

Troy: Let's go to VA. Most of the stories you hear about VA are like, "Oh, scheduling problems, vets waiting on care over the years."

The Physicians and the Patients Are United by the Mission

Troy: The VA, even 30 years ago, was doing stuff that virtually no one else was doing on digital health records and focusing on long-term care. Making those systems really work, for both the physicians and the patients. The Vista system is being replaced now, as they move to Cerner. VA was a true innovator in developing a real user-centered design, and working all through the health system to both serve individuals. And to try and look at the bigger lessons of what's happening with public health, by looking at the data across their entire veteran caseload.

That's one. Another more recent would be what HHS was doing when the pandemic first got rolling with HHS Protect. Really trying to pull all the data, and bring it together at tremendous speed, so the policymakers could make decisions about understanding how the virus was progressing, and making sort of public health recommendations. Obviously, that's been a very politically charged conversation.

But if you strip away exactly what decisions were made, and look at what the HHS team did in 2020 to build out an amazing data lake, and high-end analysis, that was pulling things in from hospitals across the country in real-time. That's the type of project that you can't go to a private sector company and work on. The impact in the short term for helping us get a handle on the COVID crisis, and in the long term the lessons learned of what we can do with public health data, is just going to be tremendous.

Things That Go Hand in Hand Are United by the Mission

Mark: One of the things that go hand in hand with some of those efforts is security. The president put out the executive order in regard to cybersecurity. I was very curious to get your thoughts about that. Particularly zero trust, and what that means to you.

Troy: I should say that we could fill several books with what I don't know about zero trust. But it's been really interesting to watch that become the organizing principle for so many security conversations in government. I remember it was three or four years ago, at FCW. We were doing a round table with about a dozen CEOs and CTOs, talking about security challenges. One of them said, "I really wish we could get to zero trust. Google has been doing this. It'd be great."

The reaction in the room was, "That would be really cool. It would also be really cool if I had wings," was the sense. Now agencies are actively pushing toward it, but in terms of what zero trust is, it's an idea. I'll give you the layman's explanation. There's a longstanding idea in IT security, of least privilege access. If you're doing your stuff on your computer day to day, you don't want to have the permissions that let you intentionally or accidentally delete all the files on your machine.

You should be logged in, in a way that lets you do what you absolutely need to do, and have to go in with admin privileges to do more. That's hard. It makes life complicated for users. One of the big cyber hygiene problems that the government and all organizations have had, was rampant use of admin privileges, where they really weren't necessary.

What Leads to Vulnerabilities

Troy: It leads to vulnerabilities like we saw in the OPM hack several years ago. Once people are able to get in and they can get privileges, they can move through the system and access everything.

Zero trust is this idea of, "I am going to give you only permission to access the data you need right now. When you need a new set of data, I'm going to reverify." It's a simple concept. But to do that across government systems, in a way that doesn't grind operations to a halt, because of all the frictions that are being put in, that's the hard part.

That's what agencies are wrestling with right now. Where they get into trouble, but they say, "oh, we're just going to implement zero trust in 2022." Well, it's not a thing you can implement. It’s a mindset and approach. It requires changes at virtually every level of the IT operations and how they're managed. I think it's good, but it's going to be a long slog.

Mark: It seemed about a decade or so ago, there was this analogous executive order that was put out on Insider Threat. It had a lot of specific details and requirements that were laid out as to how to go about that. In this executive order, there seems to be a certain level of vagueness to it. How do you see this manifesting itself as we move forward?

Troy: At this point, I'm willing to give the administration the benefit of the doubt on this. I had a conversation with a group of officials not too long ago. It included Chris DeRusha, the Federal CISO.

What We Have in Place to Be United by the Mission

Troy: One of the main assignments of the executive order was that agencies have to do their own assessment, and say, "This is our plan of working towards zero trust. This is what we have in place now. Here's how we think we're doing against those efforts." You're right, that's a very abstract set of marching orders.

Part of the goal, as I understand it, is for OMB to be able to take that information. To start to get a sense of what building blocks different agencies actually have in place. So they can then take that to bring both more specific guidance out for the agencies, and also to start to make the business case.

To say, "Okay, well, for agencies to get to this certain level that we think is important, we can now see that this amount of time or this amount is required." Part of this is to help establish the facts, and make the business case, for helping agencies move forward with their zero trust efforts. Because there is a recognition that it's going to be a long and somewhat expensive process.

Carolyn: Coming right up, are The Federal 100 Awards. I want you to speak more about it. As I understand them, these awards are all about industry and government innovations. What I'm hearing you say is the government says, "We want to get to where Google is with zero trust." But I've seen a lot of really forward-thinking, especially with the DOD, around zero trust.

The Industry and the Government Are United by the Mission

Carolyn: This coming together of industry and government is so important. I see that with the Fed 100 Awards. Will you talk more about those awards, how you decide who to name because there are so many. How do you decide who the innovators are every year?

Troy: We, at FCW, do not. It's one of the things that makes the Federal 100 Awards so special. They're coming up. The winners were announced early this year. We put off the actual gala until the end of August, hoping we'd be back to a good, safe space. We're now in a safe-ish space. With vaccination requirements for attendance, and masking, we're feeling pretty good about being able to celebrate in person here in a few days.

I'd encourage people to check out the list because it's an amazing list of people. It's all at fed100.com. The award program, what makes it real, is that it’s really community-driven. The nominations come in from across the community. We put the nomination out. It's not just a, "Hey, I like Mark, I like Carolyn," one line, if they did great stuff. It's fairly intensive.

Carolyn: Are you saying I'm not going to make the list?

Mark: That was an endorsement.

Troy: There are plenty of awards as listicles out there, not just in our space, in the world in general. The Federal 100 is not that, the best nominations, they come in. They have a whole slate of nominators from both the organizations of the individual there. Usually, customers or partners who were vouching for her or for him. They have pretty detailed essay questions/answers about explaining the job, explaining what they accomplished in the past calendar year.

Outstanding Individual Achievement

Troy: The criteria for Federal 100 is an outstanding individual achievement in the previous year. We really look for the specifics there. Then what FCW does is we assemble a panel of judges for this. It is often, but not always, previous Federal 100 winners. It’s always people who are both senior in the community and doing work to where they know about a lot more than their own silo.

They're working across agencies. They have ties in the industry. We have often had the Federal CIO be a judge. The CIO of the defense department, other major agencies. We worked very hard to build a panel that has expertise from across the government. There's always an acquisition pro, there's always a security expert. Our industry leaders are there as well. As you all know, from this community, a lot of the industry people have spent a portion of their careers in government as well.

They know both sides of that conversation. The judging process, they get a binder that's about a year thick, and spend a tremendous amount of their personal time going through that. Then we all convene. This year, unfortunately, it was in a Microsoft Teams meeting for seven hours on a Saturday. Normally we'll gather in a conference room, bring in food, and lock ourselves in there.

The group of seven to nine judges goes through each nomination, and reaches a consensus on who makes it and who doesn't. Some of them were easy and slam dunks. And some of them are easy to say, "No, nice person, but this is not a nice personal award there. That project's not far enough along yet."

Intensive Debates

Troy: Then there are really intensive debates about that 80/20 rule that applies to a lot of things. It's fascinating. I learned more on that day of deliberations than I do in any other three or four weeks of the year. I'm just amazed at how much our judges know about the individual people and the individual projects that are going on across the government.

There's almost never a case where there isn't at least one judge who has firsthand knowledge about either the person, or the project. Or at the very least, one of the nominators who's vouching for them can sort of do a quick fact check on it. We bring our reporters in to help take notes in this process. It helps us with writing the profiles when things are done. But I also do it because it's like a masterclass for the edit team, to just sit there and learn from these people. It's legit.

When I first came to FCW, we had a black-tie, what to recognize, who, and why. I was a little bit skeptical, until I went to the first one, and saw how seriously people took it. Then I went through the selection process. Again, where, Ann Armstrong, our Chief Content Officer, who helped create the Federal 100 Awards. She likes to say, "We have a voice, but not a vote in there." Same thing, I will...

","summary":null,"date_published":"2021-09-15T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/19636cc2-f409-4b48-919c-a48a95d27e46.mp3","mime_type":"audio/mpeg","size_in_bytes":33955374,"duration_in_seconds":2119}]},{"id":"609aae1b-56c8-40f8-a0f0-c52fb5f181f4","title":"Episode 6: DevOps: Pushed by Circumstance or Pulled by a Dream, with Tracy Bannon","url":"https://techtransforms.fireside.fm/6","content_text":"Tracy Bannon Senior Principal / Software Architect & DevOps Strategic Advisor at MITRE and ambassador for the DevOps Institute talks through the original DevOps timeline. Join as Carolyn and guest host Steve Mazzuca find out what happens when Dev fraternizes with Ops.\n\nEpisode Table of Contents\n\n[00:48] DevOps Strategic Advisor and Ambassador\n[10:34] Respected DevOps\n[18:35] The DevOps Pipeline\n[24:05] DevOps Institute\n\nEpisode Links and Resources\n\nDevOps Institute\nProject To Product\n\nDevOps Strategic Advisor and Ambassador\n\nCarolyn: Today, I have Steve Mazzuca or The Mas as I like to call him, co-hosting with me. It's always fun to have a conversation with you Steve. The hard part is going to be getting you to be quiet, so we can get our guest Tracy Bannon. She is Senior Principal, Software Architect and DevOps Strategic Advisor at MITRE, as well as an ambassador for the DevOps Institute. So welcome Tracy.\n\nTracy: I'm thrilled to be here today. It's always fun to have these conversations.\n\nCarolyn: You are a striking woman with pink hair and you were in development, which makes you in my mind, kind of a unicorn. I would really love to hear your story.\n\nTracy: I'll start with the pink hair and go backwards from there. I've had little bits of color in my hair for years. My mom was an art teacher. My dad's more on the math and the sciences side of it. I kind of have that left brain, right brain, need to express myself. 
Over probably the last two or three years, as I've been doing more remote work, I was having more fun with the pink and decided that it's the pandemic. Let's stretch things a little bit more. I'm just loving it. So that's a little bit about that piece of it.\n\nBut as for me being a woman in technology, I actually like to come at it in reverse. To say that I'm a real technologist and not say I'm a woman technologist. It matters, but it doesn't matter. What's important to me, is I've always been so interested in tech.\n\nA Woman Developer\n\nTracy: Someone asked me, \"When was the first time you realized that you liked computers and that you were into computers?\" It's a long story, but I'll make it very short. I can remember building a computer out of a box and cutting and putting mag tapes on the outside. Yes, I just told you how old I was. And arguing with my brother on who got to sit inside it and be the brains. So I remember being real and I couldn't read yet. I remember that very vividly. It goes a long way back.\n\nCarolyn: Did you end up being the brains?\n\nTracy: Yes I did. I happened to be a little bit bigger than him. Even though he's two years older, I happened to have the weight advantage. As for being a woman developer, I've always been in tech. I never thought anything about the makeup of the team. That’s because I always tagged around with my older brother and his buddies. I considered myself one of the guys. One of the gang would be a better way to put it. I realized about midway through my career that there was a little bit of uniqueness to it. As I would look around the room, I would be the only woman on the team.\n\nNow, occasionally there would be fantastic women involved, more on the database side of things, who had grown into that. Very few from a development perspective. We did see some spikes in industry, we saw that. But we're seeing that decline recently. But across my career, I tend to come at it that I'm a technologist. 
If you need to give me an adjective, make it real, instead of woman. But that's a little bit about me.\n\nA Technologist at DevOps Who Happens to Be a Woman\n\nCarolyn: I love that you want to take the emphasis off women. That you're a technologist, you're a developer and you happen to be a woman. You're often the only woman in the room. I'm often the only woman in the room and it will be a room of many people. But I do love that you've always just thought of yourself this way. What was your first development? Well, what was your first job actually?\n\nTracy: First paying job, was actually a lifeguard, but we won't go that far back. If we go forward, I worked throughout college in different corporate settings, always related to technology. When I graduated, I actually was independent before anybody was doing anything independent. And then it happened on my way into the engineering department at AccuWeather. My husband and I were already married and he was in operations. You can tell there was a little bit of, hey, take a look at this resume. That helped get me in the door in a very heavily male-populated tech group.\n\nYes, we were both within AccuWeather. That's actually a segue to a fun story. He's in operations, I'm in engineering. You could actually say that we're the original DevOps because we've been married for a couple of decades now before we said DevOps. So something would happen with engineering and they would call because there was a production problem. They would call him and he would realize that we had talked about something that week. Dinner time chatter.\n\nDebugging Things Together at DevOps\n\nTracy: He'd say, \"Didn't you guys roll out a change to XYZ.\" I say, \"Oh yes.\" \"Can you open up a window?\" It wasn't a browser at that point. \"Can you open up a window, let's take a look. We need to look at this queue or this record or this log.\" And we would end up debugging things together. They started to no longer just call and ask for him. 
They’d call the Bannon house because they would get both of us to solve a problem, it was really cool.\n\nThat showed me how important it was that I was writing software that could be operated, could be managed, could be maintained, could be debugged. It also taught him how important it was to give me access. I didn't have to have write access. But I needed to be able to check the queues. I needed to be able to look at these different things. That started me having that fraternizing with Ops. I've always been an advocate of having Ops at the table, even before. Well, before we coined that wonky phrase DevOps.\n\nSteve: When did we start coming out with that? Is that Gene Kim, is he famous for that? Or is that even before Gene Kim, as far as when he started coming out with that?\n\nTracy: It was before Gene, but I cannot remember the fellow's name off-hand. I'd have to Google it. It strikes me that it's Patrick something. It wasn't that long ago. Maybe in 2011, 2012, somewhere in that, he made a comment about it. It really resonated with folks.\n\nAn Evolution\n\nTracy: Gene was brilliant to realize that it's a true and valuable story. He started really to table pound to get the message out and started this. I'll call it an evolution. I hate the revolution thing. But he started us evolving and thinking about it.\n\nSteve: It's certainly come a long way. You and I obviously have done a lot of work together over the years and a couple of different iterations across government. I've only known you supporting the government, but I know you did some other things before. How long have you supported the federal government? I don't actually know that story.\n\nTracy: Federal 2015. Not that long, not an entire career focused on the federal government. But I was working across state governments starting in 1999.\n\nCarolyn: Is it really, really different to be a state versus federal?\n\nTracy: There are parallels and there are differences. In the federal government, we have a mandate on citizenship. 
You don't have the same mandates for a state-level data center. I can have foreign nationals, I can have different types of folks coming in with different types of visas, to be able to support that. That's starting to grow and evolve and change. The policies are much stricter at the federal level and the size.\n\nSome of the biggest states are similar to some of the smallest federal agencies. But think about the economies of scale. It's just that much bigger at the federal level. In defense, not a whole lot of defense at the state level. That's probably the most interesting, different mission that I've been involved with.\n\nRespected DevOps\n\nTracy: Being involved on the public sector side of the government, the civilian side of the federal government, that's where Steve and I got to know each other. It was with the IRS and Treasury and around that side of it. Changing the focus more into defense has been very humbling just because of the sheer complexity. Think about NATO with 30 different nations involved in technical decisions and discussions and the complexities that come with them. It's just mind-boggling.\n\nCarolyn: Just think of communication alone. Being able to communicate across all those different groups, it breaks my head. Can you think of any use cases between state government, federal government vice versa? A best practice that one should pick up from the other.\n\nTracy: Leading practices abound across both of them. Whether it is with respect to DevOps, whether it's with respect to leveraging AI and ML, to improve. One of the things that I'm seeing in both places. I experienced this first with the state of Colorado and that was embracing Cloud. This was multiple years ago, they looked at it and this was one particular agency. They said, \"In order for us to be secure enough, we actually need to go to the Cloud.\" Now that seems to be the opposite of what people think about right now.\n\nOh no, we don't want to go to the Cloud. That could be a breach. 
But they looked at it from an economics perspective and said, \"For us to have the same number of professionals, with the same level of training, with the same SLAs, with the same contractual obligation to keep us safe, would cost us this many millions. Hundreds of millions.\"\n\nA Part of the Opportunity\n\nTracy: Where if I have that through my contract with a provider like Salesforce or ServiceNow, or AWS, or Google, any of them, I have that out of the box. I have that as part of it. For the most part, I have that as a part of the opportunity. That's one thing that I saw the states do a little bit before the federal government. I’d say the federal government is tighter in its cyber practice, absolutely. Tighter in its cyber practice, but it's like any technology. It's not about the tech, it's about how we apply it. So how about we go about problem-solving. We do a lot of things in the commercial space. I did a lot of commercial work.\n\nThe commercial is a little less fettered. They're not as tethered to what the policies and the bureaucracy can be. Federal bureaucracy is a little more impacted by the administration changes. Trying to think of what the acronym was the other day. Somebody was joking with me. Instead of mean time to recover MTTR as a DevOps, it was a mean time to command change. It was MTTC or MTCC. Because you can figure out how much disruption was going to happen, and that's something very different.\n\nThe states have much more continuity with their technology leadership in specific, than I see in the federal space. The defense definitely, because of the time you do rotations, you may be there for six months, a year, or two years. You see it more in this less civilian side, less frequently. But still the federal is much more changeover, than I see at the state level.\n\nThe Challenge With DoD\n\nCarolyn: The defense, Mas, that's your world. I could see a little bit of two things with that command change. Fresh eyes, means fresh ideas. 
Also, it feels like it could be a huge setback.\n\nSteve: The other challenge with DoD that we run into is it's everything about the network edge security. Everybody is commercial and never gone in civilian, not all a bunch of places, but the vast majority is civilian. We're using the public internet, we're using everything that's out there. They have access to everything that is commercially sound. In defense, it starts with, we don't have what we don't have access to. You start with what you don't have access to and you've got to build off from there.\n\nThe problems are obviously incrementally different. But the problem is also we can't take advantage of a lot of things that we can. We have to constantly fight that battle on both. As technology advisers, we have to go in there with that understanding that we're talking about solutions and products and technologies that sometimes you can't utilize all of the capability. Can we utilize enough to actually make a difference in your mission? Even beyond the fact that the kernels aren't going to be rotating in and out correct.\n\nTracy: It's interesting. There's always an opportunity for those fresh eyes to come in and infuse a lot of new energy and thought. But that depending on how large a program is, it takes them maybe a year to 18 months, to really hit stride. And so, there's a lot of churn that can happen during that time. Sometimes you'll see that folks will entrench themselves like, oh no, there's a change of leadership coming. I'm going to stay the course.\n\nSpecific Thing About DevOps\n\nTracy: While there's a leader that's talking about this amazing different type of infusing, of innovation, those in the trenches are saying, \"Okay, I'm going to stay the course until we figure out how this solidifies, or how it plays out a little bit more.\" It causes a little bit of tension back and forth. But Steve, you bring up a really good point. I think about DevOps in specific. 
On the defense side, I jokingly say that they like the term DevSecOps.\n\nBut it's really DevSec, pause, wait, there's some other things going on, then SecOps. So the idea that we see of that infinity loop, right the figure eight, for there to be constant and continual feedback from the war fighter, from the constituency, to the developer. It's more difficult because there are different groups that are in charge of it.\n\nI don't mean a guy in the other room is in charge of operations, versus me here in charge of Dev. They may be contractually a different part, they may be totally a different part of the service. Think about deploying onto a Naval vessel. Ops, there is a lot different than Ops that would be CONUS. Continental US sitting right beside me. It does have some pretty different challenges and is not insurmountable.\n\nThere's so much goodness that we should be looking at North Star to Steve's point. What's happening in commercials and then, what's my problem? What is the actual thing I'm trying to do? Then looking at commercials and saying, \"What applies here? And what could be tailored? What could be improved and brought in?\"\n\nThe DevOps Pipeline\n\nTracy: As opposed to, I'm going to go do what they did over here. I always use the example and it's trite at this point because so many people have heard it. But we're not just going to Netflix this. It's not just 50 releases a day. If I'm putting software onto a tank, if I'm putting it onto a jet, I'm not going to release 50 times a day. I may release a couple of times a week, but not 50 times a day. And so, there's economies of scale and things to learn with that.\n\nCarolyn: I want to go back to that feedback loop that you talked about. Have you seen an agency that does that really well or a group? We don't even have to name names. Because just what you said, putting those software releases onto a tank, where we're talking about lives on the line. You need feedback from the guys operating it. 
Have you been in situations where that's just really smooth and they figured it out as a well-oiled machine?\n\nTracy: Yes, at scale. Not as much, but definitely there're amazing pockets of goodness. If I think about the things that are happening within the Air Force, if I think about things that are happening within the Navy and specific things with the Space Force, there are some fantastic loops that are going on. It depends on what the type of software is.\n\nAlso, it depends on what has to be done for fielding it ahead of time. There're policies and procedures that are in place, that would say I can't take that code that Tracy wrote. That she committed, that it was unit tested, that it automatically went through all of those things that we think of as the DevSecOps pipeline.\n\nAn Operational Fielding Exercise\n\nTracy: It actually has to go through an operational fielding exercise, before it could actually go into a war protection type scenario. Think of it like when people talk about the sequence and getting to pre-production. A lot of things happen in a beautiful figure eight up to this pre-production. Then there's one additional step, which is to live in the field. It's almost as though you have the figure eight and then another little punctuation off to the side. Steve, is that your experience too?\n\nSteve: I think so. You differentiate when we think of war fighters, we always go right away to the weapon system to the plane or the tank. And now those software engines are a little bit different than all of the other business systems that are still out there. The vast majority of software being developed for them is still through the software batteries. It’s really more about the business logistics of doing everything else. 
Not necessarily command and control that the missile fly straight, that's being done at a very discreet kind of lab oriented.\n\nBut everything else, which at least looks on the surface anyway, with all of these software factories, the government is trying to move faster in that it embraces the CIT, the pipeline, and does more things in the Cloud. So yes, I'm encouraged by it. There's still a little bit of a disconnect between the CIC of the pipeline and then the ATO process. There is always this big Cloud around the ATO process, which does put a monkey wrench into things. Because every time you change any aspect, could we have broken something that could cause a security vulnerability?\n\nThe Purpose of Doing DevOps\n\nSteve: How do we get around that? How do we make that faster?\n\nTracy: There's so much goodness that's happening now, to focus on CATO, Continuous ATO, the authorization to operate. It's a good debate on how real that CATO is, the ATO process as well as a platform that's underneath it. Then the thing that you need to look at and audit and be super focused on, is what's moving across the top of the Delta and the change? But that means that your pipeline needs to have a tremendous amount of auditability. Instantaneous auditability throughout that process.\n\nThe RMF process in and of itself, is a good and strong framework. What's difficult, is helping the cyber professionals become part of the earlier parts of the design. I did a Navy project, I guess this was about two and a half years ago. And I really learned so much about the RMF process during that.\n\nRMF, it's a Risk Management Framework. It is a way that you assess and evaluate a project, or a system, or a product before it goes to production.\n\nNormally, the feed into RMF is that you have all of the designs complete, all of the boundaries, all of the information flows, everything complete. I thought I had a brilliant idea that I said, \"Okay, guys, I've been hanging out during DevOps things. 
Not for the purpose of doing DevOps, but I've been leveraging those capabilities for many years, to take systems into production.\" I have horizontal teams, I want transparency for anybody who's involved in this. Hey, you RMF guys, those folks are going to work on our ATO, come on...","content_html":"

Tracy Bannon, Senior Principal / Software Architect & DevOps Strategic Advisor at MITRE and ambassador for the DevOps Institute, talks through the original DevOps timeline. Join as Carolyn and guest host Steve Mazzuca find out what happens when Dev fraternizes with Ops.

Episode Table of Contents

  • [00:48] DevOps Strategic Advisor and Ambassador
  • [10:34] Respected DevOps
  • [18:35] The DevOps Pipeline
  • [24:05] DevOps Institute

Episode Links and Resources


DevOps Strategic Advisor and Ambassador

Carolyn: Today, I have Steve Mazzuca or The Mas as I like to call him, co-hosting with me. It's always fun to have a conversation with you Steve. The hard part is going to be getting you to be quiet, so we can get our guest Tracy Bannon. She is Senior Principal, Software Architect and DevOps Strategic Advisor at MITRE, as well as an ambassador for the DevOps Institute. So welcome Tracy.

Tracy: I'm thrilled to be here today. It's always fun to have these conversations.

Carolyn: You are a striking woman with pink hair and you were in development, which makes you in my mind, kind of a unicorn. I would really love to hear your story.

Tracy: I'll start with the pink hair and go backwards from there. I've had little bits of color in my hair for years. My mom was an art teacher. My dad's more on the math and the sciences side of it. I kind of have that left brain, right brain, need to express myself. Over probably the last two or three years, as I've been doing more remote work, I was having more fun with the pink and decided that it's the pandemic. Let's stretch things a little bit more. I'm just loving it. So that's a little bit about that piece of it.

But as for me being a woman in technology, I actually like to come at it in reverse. To say that I'm a real technologist and not say I'm a woman technologist. It matters, but it doesn't matter. What's important to me, is I've always been so interested in tech.

A Woman Developer

Tracy: Someone asked me, "When was the first time you realized that you liked computers and that you were into computers?" It's a long story, but I'll make it very short. I can remember building a computer out of a box and cutting and putting mag tapes on the outside. Yes, I just told you how old I was. And arguing with my brother on who got to sit inside it and be the brains. So I remember being real and I couldn't read yet. I remember that very vividly. It goes a long way back.

Carolyn: Did you end up being the brains?

Tracy: Yes I did. I happened to be a little bit bigger than him. Even though he's two years older, I happened to have the weight advantage. As for being a woman developer, I've always been in tech. I never thought anything about the makeup of the team. That’s because I always tagged around with my older brother and his buddies. I considered myself one of the guys. One of the gang would be a better way to put it. I realized about midway through my career that there was a little bit of uniqueness to it. As I would look around the room, I would be the only woman on the team.

Now, occasionally there would be fantastic women involved, more on the database side of things, who had grown into that. Very few from a development perspective. We did see some spikes in industry, we saw that. But we're seeing that decline recently. But across my career, I tend to come at it that I'm a technologist. If you need to give me an adjective, make it real, instead of woman. But that's a little bit about me.

A Technologist at DevOps Who Happens to Be a Woman

Carolyn: I love that you want to take the emphasis off women. That you're a technologist, you're a developer and you happen to be a woman. You're often the only woman in the room. I'm often the only woman in the room and it will be a room of many people. But I do love that you've always just thought of yourself this way. What was your first development? Well, what was your first job actually?

Tracy: First paying job, was actually a lifeguard, but we won't go that far back. If we go forward, I worked throughout college in different corporate settings, always related to technology. When I graduated, I actually was independent before anybody was doing anything independent. And then it happened on my way into the engineering department at AccuWeather. My husband and I were already married and he was in operations. You can tell there was a little bit of, hey, take a look at this resume. That helped get me in the door in a very heavily male-populated tech group.

Yes, we were both within AccuWeather. That's actually a segue to a fun story. He's in operations, I'm in engineering. You could actually say that we're the original DevOps because we've been married for a couple of decades now before we said DevOps. So something would happen with engineering and they would call because there was a production problem. They would call him and he would realize that we had talked about something that week. Dinner time chatter.

Debugging Things Together at DevOps

Tracy: He'd say, "Didn't you guys roll out a change to XYZ." I say, "Oh yes." "Can you open up a window?" It wasn't a browser at that point. "Can you open up a window, let's take a look. We need to look at this queue or this record or this log." And we would end up debugging things together. They started to no longer just call and ask for him. They’d call the Bannon house because they would get both of us to solve a problem, it was really cool.

That showed me how important it was that I was writing software that could be operated, could be managed, could be maintained, could be debugged. It also taught him how important it was to give me access. I didn't have to have write access. But I needed to be able to check the queues. I needed to be able to look at these different things. That started me having that fraternizing with Ops. I've always been an advocate of having Ops at the table, even before. Well, before we coined that wonky phrase DevOps.

Steve: When did we start coming out with that? Is that Gene Kim, is he famous for that? Or is that even before Gene Kim, as far as when he started coming out with that?

Tracy: It was before Gene, but I cannot remember the fellow's name off-hand. I'd have to Google it. It strikes me that it's Patrick something. It wasn't that long ago. Maybe in 2011, 2012, somewhere in that, he made a comment about it. It really resonated with folks.

An Evolution

Tracy: Gene was brilliant to realize that it's a true and valuable story. He started really to table pound to get the message out and started this. I'll call it an evolution. I hate the revolution thing. But he started us evolving and thinking about it.

Steve: It's certainly come a long way. You and I obviously have done a lot of work together over the years and a couple of different iterations across government. I've only known you supporting the government, but I know you did some other things before. How long have you supported the federal government? I don't actually know that story.

Tracy: Federal 2015. Not that long, not an entire career focused on the federal government. But I was working across state governments starting in 1999.

Carolyn: Is it really, really different to be a state versus federal?

Tracy: There are parallels and there are differences. In the federal government, we have a mandate on citizenship. You don't have the same mandates for a state-level data center. I can have foreign nationals, I can have different types of folks coming in with different types of visas, to be able to support that. That's starting to grow and evolve and change. The policies are much stricter at the federal level and the size.

Some of the biggest states are similar to some of the smallest federal agencies. But think about the economies of scale. It's just that much bigger at the federal level. In defense, not a whole lot of defense at the state level. That's probably the most interesting, different mission that I've been involved with.

Respected DevOps

Tracy: Being involved on the public sector side of the government, the civilian side of the federal government, that's where Steve and I got to know each other. It was with the IRS and Treasury and around that side of it. Changing the focus more into defense has been very humbling just because of the sheer complexity. Think about NATO with 30 different nations involved in technical decisions and discussions and the complexities that come with them. It's just mind-boggling.

Carolyn: Just think of communication alone. Being able to communicate across all those different groups, it breaks my head. Can you think of any use cases between state government, federal government vice versa? A best practice that one should pick up from the other.

Tracy: Leading practices abound across both of them. Whether it is with respect to DevOps, whether it's with respect to leveraging AI and ML, to improve. One of the things that I'm seeing in both places. I experienced this first with the state of Colorado and that was embracing Cloud. This was multiple years ago, they looked at it and this was one particular agency. They said, "In order for us to be secure enough, we actually need to go to the Cloud." Now that seems to be the opposite of what people think about right now.

Oh no, we don't want to go to the Cloud. That could be a breach. But they looked at it from an economics perspective and said, "For us to have the same number of professionals, with the same level of training, with the same SLAs, with the same contractual obligation to keep us safe, would cost us this many millions. Hundreds of millions."

A Part of the Opportunity

Tracy: Where if I have that through my contract with a provider like Salesforce or ServiceNow, or AWS, or Google, any of them, I have that out of the box. I have that as part of it. For the most part, I have that as a part of the opportunity. That's one thing that I saw the states do a little bit before the federal government. I’d say the federal government is tighter in its cyber practice, absolutely. Tighter in its cyber practice, but it's like any technology. It's not about the tech, it's about how we apply it. So how about we go about problem-solving. We do a lot of things in the commercial space. I did a lot of commercial work.

The commercial is a little less fettered. They're not as tethered to what the policies and the bureaucracy can be. Federal bureaucracy is a little more impacted by the administration changes. Trying to think of what the acronym was the other day. Somebody was joking with me. Instead of mean time to recover MTTR as a DevOps, it was a mean time to command change. It was MTTC or MTCC. Because you can figure out how much disruption was going to happen, and that's something very different.

The states have much more continuity with their technology leadership in specific, than I see in the federal space. The defense definitely, because of the time you do rotations, you may be there for six months, a year, or two years. You see it more in this less civilian side, less frequently. But still the federal is much more changeover, than I see at the state level.

The Challenge With DoD

Carolyn: The defense, Mas, that's your world. I could see a little bit of two things with that command change. Fresh eyes, means fresh ideas. Also, it feels like it could be a huge setback.

Steve: The other challenge with DoD that we run into is it's everything about the network edge security. Everybody is commercial and never gone in civilian, not all a bunch of places, but the vast majority is civilian. We're using the public internet, we're using everything that's out there. They have access to everything that is commercially sound. In defense, it starts with, we don't have what we don't have access to. You start with what you don't have access to and you've got to build off from there.

The problems are obviously incrementally different. But the problem is also we can't take advantage of a lot of things that we can. We have to constantly fight that battle on both. As technology advisers, we have to go in there with that understanding that we're talking about solutions and products and technologies that sometimes you can't utilize all of the capability. Can we utilize enough to actually make a difference in your mission? Even beyond the fact that the kernels aren't going to be rotating in and out correct.

Tracy: It's interesting. There's always an opportunity for those fresh eyes to come in and infuse a lot of new energy and thought. But that depending on how large a program is, it takes them maybe a year to 18 months, to really hit stride. And so, there's a lot of churn that can happen during that time. Sometimes you'll see that folks will entrench themselves like, oh no, there's a change of leadership coming. I'm going to stay the course.

Specific Thing About DevOps

Tracy: While there's a leader that's talking about this amazing different type of infusing, of innovation, those in the trenches are saying, "Okay, I'm going to stay the course until we figure out how this solidifies, or how it plays out a little bit more." It causes a little bit of tension back and forth. But Steve, you bring up a really good point. I think about DevOps in specific. On the defense side, I jokingly say that they like the term DevSecOps.

But it's really DevSec, pause, wait, there's some other things going on, then SecOps. So the idea that we see of that infinity loop, right the figure eight, for there to be constant and continual feedback from the war fighter, from the constituency, to the developer. It's more difficult because there are different groups that are in charge of it.

I don't mean a guy in the other room is in charge of operations, versus me here in charge of Dev. They may be contractually a different part, they may be totally a different part of the service. Think about deploying onto a Naval vessel. Ops, there is a lot different than Ops that would be CONUS. Continental US sitting right beside me. It does have some pretty different challenges and is not insurmountable.

There's so much goodness that we should be looking at North Star to Steve's point. What's happening in commercials and then, what's my problem? What is the actual thing I'm trying to do? Then looking at commercials and saying, "What applies here? And what could be tailored? What could be improved and brought in?"

The DevOps Pipeline

Tracy: As opposed to, I'm going to go do what they did over here. I always use the example and it's trite at this point because so many people have heard it. But we're not just going to Netflix this. It's not just 50 releases a day. If I'm putting software onto a tank, if I'm putting it onto a jet, I'm not going to release 50 times a day. I may release a couple of times a week, but not 50 times a day. And so, there's economies of scale and things to learn with that.

Carolyn: I want to go back to that feedback loop that you talked about. Have you seen an agency that does that really well or a group? We don't even have to name names. Because just what you said, putting those software releases onto a tank, where we're talking about lives on the line. You need feedback from the guys operating it. Have you been in situations where that's just really smooth and they figured it out as a well-oiled machine?

Tracy: Yes, at scale. Not as much, but definitely there're amazing pockets of goodness. If I think about the things that are happening within the Air Force, if I think about things that are happening within the Navy and specific things with the Space Force, there are some fantastic loops that are going on. It depends on what the type of software is.

Also, it depends on what has to be done for fielding it ahead of time. There're policies and procedures that are in place, that would say I can't take that code that Tracy wrote. That she committed, that it was unit tested, that it automatically went through all of those things that we think of as the DevSecOps pipeline.

An Operational Fielding Exercise

Tracy: It actually has to go through an operational fielding exercise, before it could actually go into a war protection type scenario. Think of it like when people talk about the sequence and getting to pre-production. A lot of things happen in a beautiful figure eight up to this pre-production. Then there's one additional step, which is to live in the field. It's almost as though you have the figure eight and then another little punctuation off to the side. Steve, is that your experience too?

Steve: I think so. You differentiate when we think of war fighters, we always go right away to the weapon system to the plane or the tank. And now those software engines are a little bit different than all of the other business systems that are still out there. The vast majority of software being developed for them is still through the software batteries. It’s really more about the business logistics of doing everything else. Not necessarily command and control that the missile fly straight, that's being done at a very discreet kind of lab oriented.

But everything else, which at least looks on the surface anyway, with all of these software factories, the government is trying to move faster in that it embraces the CIT, the pipeline, and does more things in the Cloud. So yes, I'm encouraged by it. There's still a little bit of a disconnect between the CIC of the pipeline and then the ATO process. There is always this big Cloud around the ATO process, which does put a monkey wrench into things. Because every time you change any aspect, could we have broken something that could cause a security vulnerability?

The Purpose of Doing DevOps

Steve: How do we get around that? How do we make that faster?

Tracy: There's so much goodness that's happening now, to focus on CATO, Continuous ATO, the authorization to operate. It's a good debate on how real that CATO is, the ATO process as well as a platform that's underneath it. Then the thing that you need to look at and audit and be super focused on, is what's moving across the top of the Delta and the change? But that means that your pipeline needs to have a tremendous amount of auditability. Instantaneous auditability throughout that process.

The RMF process in and of itself, is a good and strong framework. What's difficult, is helping the cyber professionals become part of the earlier parts of the design. I did a Navy project, I guess this was about two and a half years ago. And I really learned so much about the RMF process during that.

RMF, it's a Risk Management Framework. It is a way that you assess and evaluate a project, or a system, or a product before it goes to production.

Normally, the feed into RMF is that you have all of the designs complete, all of the boundaries, all of the information flows, everything complete. I thought I had a brilliant idea that I said, "Okay, guys, I've been hanging out during DevOps things. Not for the purpose of doing DevOps, but I've been leveraging those capabilities for many years, to take systems into production." I have horizontal teams, I want transparency for anybody who's involved in this. Hey, you RMF guys, those folks are going to work on our ATO, come on...

","summary":null,"date_published":"2021-09-08T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/c5b04307-d457-4f95-ac85-7481d8d8aa6a.mp3","mime_type":"audio/mpeg","size_in_bytes":30627345,"duration_in_seconds":2184}]},{"id":"9679b160-ce16-4b37-9a53-9dba4d75b5b3","title":"Episode 5: Best Practices, Better Experiences, With Jonathan Alboum","url":"https://techtransforms.fireside.fm/5","content_text":"What matters most when it comes to providing the better experiences for our citizens? Listen as Jonathan Alboum of ServiceNow outlines the importance of preventing information from getting lost in the sea of data.Episode Table of Contents[00:45] Moving Fully Into Better Experiences[09:15] Providing Better Experiences More Effectively[14:41] A Control Tower ApproachEpisode Links and ResourcesSapiens: A Brief History of HumankindTransforming citizen experiences in federal healthcare agenciesMoving Fully Into Better ExperiencesCarolyn: We're excited to have Jonathan Alboum, who is the federal CTO of ServiceNow. He was formerly the CIO of the U.S. Department of Agriculture before moving fully into the service industry in 2019. I don't like that term, \"moving fully into the service industry\". When I read through your bio, I feel like you've been in the service industry your whole career.Jonathan: Good point, I began my career after college. I went to UVA, same place that Mark went to school, but he went a few years before I did.Mark: You had to point that out Jonathan, thank you.Jonathan: He went when it was really, really fun. I went when it was just fun. But you know, when I exited college with a systems engineering degree, I joined a professional services firm. I worked at Pricewaterhouse and I learned management consulting, and we were doing services. We were implementing systems and different technologies for customers. Eventually, I moved to a smaller company. 
I was working on the same kinds of projects, doing professional services, helping organizations do modernization. We weren't focused on this big grandiose term of IT modernization or digital transformation, which were the same kinds of things we were doing. We wanted people to have better access to data and systems so things could happen more efficiently.\n\nIt's the same kinds of things we're doing today, even if we use different words. I was in a service role before the government. When I joined the government at the Food and Nutrition Service part of USDA versus the deputy CIO and then the CIO for that agency.\n\nProviding a Strong Service and Better Experiences\n\nJonathan: We're a service provider to the programs at the Food and Nutrition Service. So if the Office of Information Technology at Food and Nutrition that I was responsible for wasn't providing a strong service, the programs would find another way to get their job done.\n\nWe could be shut out of that conversation. That's a terrible place for a CIO to be at. Cut out of the technology or the core business processes or the budget. So I always had a strong focus on service and that reality continued through my career. As I moved to General Services Administration, or back to the Department of Agriculture, to be the CIO for the entirety of the department, you have to be able to provide a service.\n\nI eventually exited government and found my way to ServiceNow. I’d say the lessons I learned along the way are in terms of what it takes to provide a service that people want to use, and that they will partner with you on. Those things really informed the way I go about doing my job at ServiceNow. ServiceNow, it's a technology provider that supports this idea of service management. It's not customer relationship management.\n\nWe have tools for that, but you have customers, you want to provide them a service. Well, you have to think about the end-to-end workflow. 
How does the person interact with the system and what are they trying to get out of it? You think about it comprehensively. I feel like I'm well positioned to do that based on these other roles that I've had. I've either been the creator of a service or the provider of the service. Now I can really think about it in a holistic manner.\n\nA Pioneer of Digital Transformation\n\nCarolyn: I like what you said about digital transformation. We didn't call it that at the beginning of your career, but really you're a pioneer of digital transformation. So not to call you old.\n\nYou've really built your career, figuring out how to make things better and faster and really through digital. As I looked at some of your stuff online, you're all about data.\n\nJonathan: I have a person I want to thank for that. Her name is Kelly Chambliss. She was one of the first managers that I worked for at Pricewaterhouse and I haven't seen her in many years. I always remember her because when I was very early in my career, it was my first Pricewaterhouse project for an insurance company. It was a Visual Basic project and it was like 1995 or so, it was a long time ago. I remember telling her, \"I'm going to really learn Visual Basic. I'm going to be this great Visual Basic developer\".\n\nShe looked at me, sort of funny, and said, \"you know, maybe that's not the best path for your career, technologies come and go. But if you focus on process and data, you'll be really valuable on this project or any future project that you're on.\" That was really excellent advice. As you point out, a lot of what I talk about is data and how data moves through the environment. How the work moves through an environment and thinking about how you can automate some of those things.\n\nThe Data and the Process\n\nJonathan: It's about the data and the process, and you can swap out one technology for the other. You're still trying to solve that same problem. We just have better ways of interacting with the data or the process today. 
Or we have more ways to automate it or more people can be dealing with the same data at the same time. We can have cloud technologies and other things that give us the ability to go faster, maybe.\n\nBut still, at the core are these things that I learned on that first project about thinking about a process. Thinking about data and trying to improve it. We have more tools to do that now. It's the same motion, so it's a really good observation, Carolyn.\n\nCarolyn: I heard an interview with the author of Sapiens. I don't know if you've read that book. It doesn't really matter. What he said was, there we go!\n\nJonathan: I just recommended this book and it arrived the other day. But I haven't picked it up. I haven't had a chance to read it yet, but it was highly recommended by a friend of mine.\n\nCarolyn: So, same. I have not read it, but it keeps coming at me, which for our listeners, Jonathan just held up a copy of the book. Now, I got to get it too. What he said was \"Whoever owns the data, controls the data. And here's the key, can understand the data is going to win.\" Then something else said what was really funny to me. It was, \"Never underestimate the power and the limitlessness of human stupidity.\" Looking at your profile, it just made me think of the data. Like, what do we do with all this data?\n\nEstablishing Better Experiences Is a Big Challenge\n\nJonathan: That's a big challenge. There's more data today than there was yesterday. Tomorrow there'll be even more data in the world and on and on and on.\n\nCarolyn: Let's qualify it. When we say data, like we kick that word around, but give it to us in billions. What are we talking about here?\n\nJonathan: Well, when I talk about data, it's both the data that's in a system. We might be interacting with the system or we're putting data into a system. It's also all of the things that get created as we do a particular business process. 
The forms we fill out, the pictures we take, the conversations we have, the videos we create, all these things are data. They all have a role in informing someone about the process, the person, and all of that.\n\nIt's very easy for the information to get lost in the data. Because, some of the data's not important, some of it is really important. Figuring out what's really important is part of the key. You go back to that process of conversation a little bit. If we put it in a business or a government setting, we're trying to improve a service we're providing to a customer or a citizen. Thinking about it that way, you can really understand how the work flows through the organization, which is the data's representation of what that work is. You can be focused on the things that make the biggest impact and you can really find, sometimes we'll call it \"the moments that matter\". Where either data is getting created or data is needed.\n\nProviding Better Experiences More Effectively\n\nJonathan: If you can get quick access to it, now you can provide that service much more effectively. One of the ways that I think about this is all the data that exists in the environment. I'm trying to provide that service to a citizen. It might be in different systems, or it might be in spreadsheets. Or it might be on a piece of paper that I printed out.\n\nIf I have to move between all those sources of data to get you the answer that you need, I'm not really providing you a very great service. So one thing is understanding where all the data is and the next part is being able to connect it. Once that data is connected and you can bring it together on a single platform, a single place to go to see it, I can now interact with it and get you an answer much faster. I can provide you a service much faster. When we're doing that in a government setting, we're providing a really great service to the people we serve as government employees or people that support the government. 
Well, now you begin to change the way people think about their government and you begin to inspire more trust. We create more engagement. If we can think about technology and data in that sense, now our jobs, in the federal IT community and in the broader technology community, they take on a little bit of a higher calling. Cause we're really focused on ways that we can strive to a better society. That might be a grandiose idea, a pie in the sky. But I mean, I believe those things, cause I think it does make a real difference.\n\nPrioritize the Citizen’s Better Experiences\n\nMark: When you talk about prioritizing the citizen experience to improve quality of the services or what they're experiencing, are you talking about applications in technology? Are you talking about the quality of the actual service that they're trying to receive or both?\n\nJonathan: I always try to think about it from the customer's perspective. I want to try and take an outside-in view of these things we're trying to automate or digitize. If I'm thinking inside-out, I'm thinking about my agency or my government program, I'm creating a system that works in a way I want it to, as the government program manager. There might be a citizen interaction, but I'm thinking first about me and my job.\n\nI'm not necessarily thinking about that person who's using the system, who might also say, I'm at my government program and I have a set of customers. They are probably customers of other similar programs. If you think about entitlement programs, say SNAP or WIC or unemployment insurance or Medicaid, you may have the same person in multiple programs. And if I'm a state government and I'm creating opportunities for people to apply for these programs, there might be four or five different applications.\n\nIf I can think about it from that customer's perspective, they're trying to do three or four or five things kind of around the same time. Can I design with the human in the middle, with the human at the front? 
A human-centered design approach that creates opportunity for them to be a lot more efficient and effective than signing up for these programs. Can I take information from one application and apply it to the other application?\n\nPrivacy Requirements\n\nJonathan: These things are very logical and it makes sense. Sometimes there are regulations or privacy requirements that might get in the way of that. You know part of it's having the conversation and the dialect to understand what's possible. What are the limitations? And engaging in a discussion about, \"can we change some of these things to make it easier for people to interact with their government?\" People shouldn't be forced to interact with the government. People should have the opportunity to interact with the government in the way they want to interact. They shouldn't be forced into a certain way because we have legacy technologies that don't interact. The state is not integrated, that Jonathan is represented differently across five systems and someone who tries to look at the opportunities from a comprehensive, we can't do so easily. It's not easy to see that I'm the same person trying to do multiple programs because I have a particular need at a particular time. That's the idea of citizens-centered services.\n\nCarolyn: I love that idea of citizen-centered services. Then I think about the poor guys trying to make this citizen-centered services because now you're talking about all these different applications. The data just got exponentially bigger. How do we manage it?\n\nJonathan: If you’re starting from the very beginning, you’d take a different approach than, maybe you have to take today because we have what we have. 
If you are going to build it from the start, you could design it with a mindset of \"I'm going to create a central hub with these different capabilities and build it a certain way.\" But we can't undo or we can't change all the systems at once.\n\nA Control Tower Approach\n\nJonathan: What I’d like to talk about is this idea of having something that is a connected tissue across programs, the connected tissue across systems. It's almost like a control tower approach for these capabilities. You can connect systems and data. You understand what the processes are, how that work flows. Now you're able to begin a conversation about the customer experience and how it may work across these systems.\n\nYou don't have to be focused on individual system modernization multiple times, so across all your systems. And you may want to upgrade those systems over time. They may need modernization to become more secure, or for some, maybe the technology is no longer supported. But, now you're doing that in a more controlled manner. You're not doing that with the urgency of providing a better service because you've taken that interaction layer and integration layer. You've moved it up, you've connected the systems. Now over time, you can swap out the things underneath that are connected to that platform.\n\nThat's sort of a platform as a strategy. Sometimes I'm out there talking, because there's a faster, lower-risk path to doing some of these more digital services. It's a faster way to digitally transform the way we interact with our citizens. It drives us towards more of an anticipatory government approach when you think about the citizen comprehensively, I can predict some things they might need. Or I can reach out to them proactively and provide them information. I'm thinking about the citizens as a whole. That's what we want to strive for.\n\nMark: Are you seeing this concept, these concepts get adopted in government?\n\nBetter Experiences At the State and Local Level\n\nJonathan: Yes, I am. 
As I talk with different agencies, I interact with some of my colleagues who are thinking about this at the state and local level. We have these conversations with CIOs. From their perspective, the modernization of all the individual systems is not the way to speed that digital transformation.\n\nCarolyn: I want you to repeat what you just said. Modernization is not the way to speed.\n\nJonathan: Let me elaborate on that. If I'm going to try and modernize individual systems in the example I was talking about, I'm going to go system by system. Try to modernize from a mainframe to some cloud-based modern system. I have to repeat that for all of these programs or all of these services I provide. Those are really hard, complicated projects that require new technology skills that require a lot of change management.\n\nYou may be running systems in parallel for a period of time. There's a lot of risk with that. So you can't do that across all your systems. The conversations that I've had with different CIOs at the state and local level, and the federal government, it's about how do we provide digital services faster?\n\nWhat's a way to speed the digital transformation of the way we interact with our customers? That's more of a platform approach that is the connective tissue across systems where the data can be integrated. The systems can be integrated and you can drive to a citizen-focused outcome a lot faster. Again, we still have to think about modernizing those underlying systems. But if that's where you're starting, you can easily get bogged down and the results you're after.\n\nLegacy Systems\n\nCarolyn: Well, I asked you to stop so we could repeat it because what you said feels a lot more doable. I literally felt myself breathe, like, \"oh, we can do that.\" But to take on the legacy systems is overwhelming.\n\nJonathan: I totally agree, you have to understand them for sure. You have to know what you're dealing with. And you have to understand the data in those systems. 
We were talking about data before. If you don't understand what and where all the data is, it's really going to be very hard for you to protect all of that data. Make sure you have good data protection to make sure that you have the right level of security.\n\nBut there's a difference between understanding all of that information on the systems. And taking a perspective that I need to move off of all of these legacy technologies at once, so I can have a modern environment. I just don't think that's a practical approach. Because you know, CIOs, they have to operate very complex environments every day. Those technologies and those complicated environments only exist because there are technologies.\n\nThere are government programs that require those technologies. It's not IT for the sake of IT, it's IT in the spirit of customer service, citizen service. So you can't commit to modernizing everything and expect to be able to provide un-disrupted services. It just feels too risky from our perspective.\n\nMark: Or maybe agencies were forced to embark on this transformation before they may be ready to. For example, the pandemic. I know you recently gave an interview that you talked about.\n\nDigital Transformation For Better Experiences\n\nMark: You said you felt like agencies should take a pause and their momentum or their digital transformation. Consider whether those processes were put in place because they were forced to. Given the circumstances with the pandemic or whether they're sustainable, or they make sense.\n\nJonathan: I stand by those statements and I talk about it as a strategic pause. One of the things that I've learned is that sometimes if you go too fast, you can create some blind spots in your professional life, your personal life, whatever. We are pushing towards a goal. We're not necessarily considering everything else that's happening. We had to do that, we had great urgency in the early days of the pandemic. 
There are some technology opportunities and service opportunities that emerged from there.\n\nCarolyn: We've already seen some huge technology advancements coming out of this pandemic. Thank you, Jonathan, for this great insight. It's been a pleasure to have you on the show and...","content_html":"

What matters most when it comes to providing better experiences for our citizens? Listen as Jonathan Alboum of ServiceNow outlines the importance of preventing information from getting lost in the sea of data.

Episode Table of Contents

  • [00:45] Moving Fully Into Better Experiences
  • [09:15] Providing Better Experiences More Effectively
  • [14:41] A Control Tower Approach

Episode Links and Resources


Moving Fully Into Better Experiences

Carolyn: We're excited to have Jonathan Alboum, who is the federal CTO of ServiceNow. He was formerly the CIO of the U.S. Department of Agriculture before moving fully into the service industry in 2019. I don't like that term, "moving fully into the service industry". When I read through your bio, I feel like you've been in the service industry your whole career.

Jonathan: Good point, I began my career after college. I went to UVA, same place that Mark went to school, but he went a few years before I did.

Mark: You had to point that out Jonathan, thank you.

Jonathan: He went when it was really, really fun. I went when it was just fun. But you know, when I exited college with a systems engineering degree, I joined a professional services firm. I worked at Pricewaterhouse and I learned management consulting, and we were doing services. We were implementing systems and different technologies for customers. Eventually, I moved to a smaller company. I was working on the same kinds of projects, doing professional services, helping organizations do modernization.

We weren't focused on this big grandiose term of IT modernization or digital transformation, which were the same kinds of things we were doing. We wanted people to have better access to data and systems so things could happen more efficiently.

It's the same kinds of things we're doing today, even if we use different words. I was in a service role before the government. When I joined the government at the Food and Nutrition Service part of USDA versus the deputy CIO and then the CIO for that agency.

Providing a Strong Service and Better Experiences

Jonathan: We're a service provider to the programs at the Food and Nutrition Service. So if the Office of Information Technology at Food and Nutrition that I was responsible for wasn't providing a strong service, the programs would find another way to get their job done.

We could be shut out of that conversation. That's a terrible place for a CIO to be at. Cut out of the technology or the core business processes or the budget. So I always had a strong focus on service and that reality continued through my career. As I moved to General Services Administration, or back to the Department of Agriculture, to be the CIO for the entirety of the department, you have to be able to provide a service.

I eventually exited government and found my way to ServiceNow. I’d say the lessons I learned along the way are in terms of what it takes to provide a service that people want to use, and that they will partner with you on. Those things really informed the way I go about doing my job at ServiceNow. ServiceNow, it's a technology provider that supports this idea of service management. It's not customer relationship management.

We have tools for that, but you have customers, you want to provide them a service. Well, you have to think about the end-to-end workflow. How does the person interact with the system and what are they trying to get out of it? You think about it comprehensively.

I feel like I'm well positioned to do that based on these other roles that I've had. I've either been the creator of a service or the provider of the service. Now I can really think about it in a holistic manner.

A Pioneer of Digital Transformation

Carolyn: I like what you said about digital transformation. We didn't call it that at the beginning of your career, but really you're a pioneer of digital transformation. So not to call you old.

You've really built your career, figuring out how to make things better and faster and really through digital. As I looked at some of your stuff online, you're all about data.

Jonathan: I have a person I want to thank for that. Her name is Kelly Chambliss. She was one of the first managers that I worked for at Pricewaterhouse and I haven't seen her in many years. I always remember her because when I was very early in my career, it was my first Pricewaterhouse project for an insurance company. It was a Visual Basic project and it was like 1995 or so, it was a long time ago. I remember telling her, "I'm going to really learn Visual Basic. I'm going to be this great Visual Basic developer".

She looked at me, sort of funny, and said, "you know, maybe that's not the best path for your career, technologies come and go. But if you focus on process and data, you'll be really valuable on this project or any future project that you're on." That was really excellent advice. As you point out, a lot of what I talk about is data and how data moves through the environment. How the work moves through an environment and thinking about how you can automate some of those things.

The Data and the Process

Jonathan: It's about the data and the process, and you can swap out one technology for the other. You're still trying to solve that same problem. We just have better ways of interacting with the data or the process today. Or we have more ways to automate it or more people can be dealing with the same data at the same time. We can have cloud technologies and other things that give us the ability to go faster, maybe.

But still, at the core are these things that I learned on that first project about thinking about a process. Thinking about data and trying to improve it. We have more tools to do that now. It's the same motion, so it's a really good observation, Carolyn.

Carolyn: I heard an interview with the author of Sapiens. I don't know if you've read that book. It doesn't really matter. What he said was, there we go!

Jonathan: I just recommended this book and it arrived the other day. But I haven't picked it up. I haven't had a chance to read it yet, but it was highly recommended by a friend of mine.

Carolyn: So, same. I have not read it, but it keeps coming at me, which for our listeners, Jonathan just held up a copy of the book. Now, I got to get it too. What he said was "Whoever owns the data, controls the data. And here's the key, can understand the data is going to win." Then something else said what was really funny to me. It was, "Never underestimate the power and the limitlessness of human stupidity." Looking at your profile, it just made me think of the data. Like, what do we do with all this data?

Establishing Better Experiences Is a Big Challenge

Jonathan: That's a big challenge. There's more data today than there was yesterday. Tomorrow there'll be even more data in the world and on and on and on.

Carolyn: Let's qualify it. When we say data, like we kick that word around, but give it to us in billions. What are we talking about here?

Jonathan: Well, when I talk about data, it's both the data that's in a system. We might be interacting with the system or we're putting data into a system. It's also all of the things that get created as we do a particular business process. The forms we fill out, the pictures we take, the conversations we have, the videos we create, all these things are data. They all have a role in informing someone about the process, the person, and all of that.

It's very easy for the information to get lost in the data. Because, some of the data's not important, some of it is really important. Figuring out what's really important is part of the key.

You go back to that process of conversation a little bit. If we put it in a business or a government setting, we're trying to improve a service we're providing to a customer or a citizen. Thinking about it that way, you can really understand how the work flows through the organization, which is the data's representation of what that work is. You can be focused on the things that make the biggest impact and you can really find, sometimes we'll call it "the moments that matter". Where either data is getting created or data is needed.

Providing Better Experiences More Effectively

Jonathan: If you can get quick access to it, now you can provide that service much more effectively. One of the ways that I think about this is all the data that exists in the environment. I'm trying to provide that service to a citizen. It might be in different systems, or it might be in spreadsheets. Or it might be on a piece of paper that I printed out.

If I have to move between all those sources of data to get you the answer that you need, I'm not really providing you a very great service. So one thing is understanding where all the data is and the next part is being able to connect it. Once that data is connected and you can bring it together on a single platform, a single place to go to see it, I can now interact with it and get you an answer much faster. I can provide you a service much faster.

When we're doing that in a government setting, we're providing a really great service to the people we serve as government employees or people that support the government. Well, now you begin to change the way people think about their government and you begin to inspire more trust. We create more engagement.

If we can think about technology and data in that sense, now our jobs, in the federal IT community and in the broader technology community, they take on a little bit of a higher calling. Cause we're really focused on ways that we can strive to a better society. That might be a grandiose idea, a pie in the sky. But I mean, I believe those things, cause I think it does make a real difference.

Prioritize the Citizen’s Better Experiences

Mark: When you talk about prioritizing the citizen experience to improve quality of the services or what they're experiencing, are you talking about applications in technology? Are you talking about the quality of the actual service that they're trying to receive or both?

Jonathan: I always try to think about it from the customer's perspective. I want to try and take an outside-in view of these things we're trying to automate or digitize. If I'm thinking inside-out, I'm thinking about my agency or my government program, I'm creating a system that works in a way I want it to, as the government program manager. There might be a citizen interaction, but I'm thinking first about me and my job.

I'm not necessarily thinking about that person who's using the system, who might also say, I'm at my government program and I have a set of customers. They are probably customers of other similar programs. If you think about entitlement programs, say SNAP or WIC or unemployment insurance or Medicaid, you may have the same person in multiple programs. And if I'm a state government and I'm creating opportunities for people to apply for these programs, there might be four or five different applications.

If I can think about it from that customer's perspective, they're trying to do three or four or five things kind of around the same time. Can I design with the human in the middle, with the human at the front? A human-centered design approach that creates opportunity for them to be a lot more efficient and effective than signing up for these programs. Can I take information from one application and apply it to the other application?

Privacy Requirements

Jonathan: These things are very logical and it makes sense. Sometimes there are regulations or privacy requirements that might get in the way of that. You know part of it's having the conversation and the dialect to understand what's possible. What are the limitations? And engaging in a discussion about, "can we change some of these things to make it easier for people to interact with their government?" People shouldn't be forced to interact with the government.

People should have the opportunity to interact with the government in the way they want to interact. They shouldn't be forced into a certain way because we have legacy technologies that don't interact.

The state is not integrated, that Jonathan is represented differently across five systems and someone who tries to look at the opportunities from a comprehensive, we can't do so easily. It's not easy to see that I'm the same person trying to do multiple programs because I have a particular need at a particular time. That's the idea of citizens-centered services.

Carolyn: I love that idea of citizen-centered services. Then I think about the poor guys trying to make this citizen-centered services because now you're talking about all these different applications. The data just got exponentially bigger. How do we manage it?

Jonathan: If you’re starting from the very beginning, you’d take a different approach than, maybe you have to take today because we have what we have. If you are going to build it from the start, you could design it with a mindset of "I'm going to create a central hub with these different capabilities and build it a certain way." But we can't undo or we can't change all the systems at once.

A Control Tower Approach

Jonathan: What I’d like to talk about is this idea of having something that is a connected tissue across programs, the connected tissue across systems. It's almost like a control tower approach for these capabilities. You can connect systems and data. You understand what the processes are, how that work flows. Now you're able to begin a conversation about the customer experience and how it may work across these systems.

You don't have to be focused on individual system modernization multiple times, so across all your systems. And you may want to upgrade those systems over time. They may need modernization to become more secure, or for some, maybe the technology is no longer supported. But, now you're doing that in a more controlled manner. You're not doing that with the urgency of providing a better service because you've taken that interaction layer and integration layer. You've moved it up, you've connected the systems. Now over time, you can swap out the things underneath that are connected to that platform.

That's sort of a platform as a strategy. Sometimes I'm out there talking, because there's a faster, lower-risk path to doing some of these more digital services. It's a faster way to digitally transform the way we interact with our citizens. It drives us towards more of an anticipatory government approach when you think about the citizen comprehensively, I can predict some things they might need. Or I can reach out to them proactively and provide them information. I'm thinking about the citizens as a whole. That's what we want to strive for.

Mark: Are you seeing this concept, these concepts get adopted in government?

Better Experiences At the State and Local Level

Jonathan: Yes, I am. As I talk with different agencies, I interact with some of my colleagues who are thinking about this at the state and local level. We have these conversations with CIOs. From their perspective, the modernization of all the individual systems is not the way to speed that digital transformation.

Carolyn: I want you to repeat what you just said. Modernization is not the way to speed.

Jonathan: Let me elaborate on that. If I'm going to try and modernize individual systems in the example I was talking about, I'm going to go system by system. Try to modernize from a mainframe to some cloud-based modern system. I have to repeat that for all of these programs or all of these services I provide. Those are really hard, complicated projects that require new technology skills that require a lot of change management.

You may be running systems in parallel for a period of time. There's a lot of risk with that. So you can't do that across all your systems. The conversations that I've had with different CIOs at the state and local level, and the federal government, it's about how do we provide digital services faster?

What's a way to speed the digital transformation of the way we interact with our customers? That's more of a platform approach that is the connective tissue across systems where the data can be integrated. The systems can be integrated and you can drive to a citizen-focused outcome a lot faster. Again, we still have to think about modernizing those underlying systems. But if that's where you're starting, you can easily get bogged down and the results you're after.

Legacy Systems

Carolyn: Well, I asked you to stop so we could repeat it because what you said feels a lot more doable. I literally felt myself breathe, like, "oh, we can do that." But to take on the legacy systems is overwhelming.

Jonathan: I totally agree, you have to understand them for sure. You have to know what you're dealing with. And you have to understand the data in those systems. We were talking about data before. If you don't understand what and where all the data is, it's really going to be very hard for you to protect all of that data. Make sure you have good data protection to make sure that you have the right level of security.

But there's a difference between understanding all of that information on the systems and taking a perspective that I need to move off of all of these legacy technologies at once, so I can have a modern environment. I just don't think that's a practical approach. Because you know, CIOs, they have to operate very complex environments every day. Those technologies and those complicated environments only exist because there are technologies.

There are government programs that require those technologies. It's not IT for the sake of IT, it's IT in the spirit of customer service, citizen service. So you can't commit to modernizing everything and expect to be able to provide un-disrupted services. It just feels too risky from our perspective.

Mark: Or maybe agencies were forced to embark on this transformation before they may be ready to. For example, the pandemic. I know you recently gave an interview that you talked about.

Digital Transformation For Better Experiences

Mark: You said you felt like agencies should take a pause and their momentum or their digital transformation. Consider whether those processes were put in place because they were forced to. Given the circumstances with the pandemic or whether they're sustainable, or they make sense.

Jonathan: I stand by those statements and I talk about it as a strategic pause. One of the things that I've learned is that sometimes if you go too fast, you can create some blind spots in your professional life, your personal life, whatever. We are pushing towards a goal. We're not necessarily considering everything else that's happening. We had to do that, we had great urgency in the early days of the pandemic. There are some technology opportunities and service opportunities that emerged from there.

Carolyn: We've already seen some huge technology advancements coming out of this pandemic. Thank you, Jonathan, for this great insight. It's been a pleasure to have you on the show and...

","summary":null,"date_published":"2021-09-01T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/24b7ee25-c684-4000-8845-381208256f4b.mp3","mime_type":"audio/mpeg","size_in_bytes":21045996,"duration_in_seconds":1312}]},{"id":"f161fa47-0353-4d2e-bc74-79050eb371b9","title":"Episode 4: Beans, Band-Aids, and Bullets: How Your Data Can Work for You","url":"https://techtransforms.fireside.fm/4","content_text":"Listen in as Carolyn and Willie find out the true power of data. Sean Applegate, CTO of SwishData, explains how data can be utilized across an entire mission to empower the warfighter. Episode Table of Contents[01:00] Smart People With Great Ideas[07:29] Your Data Can Work for You up to Some Extent[14:15] Securing the Application So Your Data Can Work for You[22:08] Eight Guiding Principles[28:03] Applicability of AIEpisode Links and ResourcesSmart People With Great IdeasCarolyn: I'm Carolyn Ford and this week, my guest co-host is Willie Hicks, public sector CTO at Dynatrace. I'm super excited that we get to talk to Sean Applegate, CTO of SwishData.Sean: I'm excited to be here, it should be a blast.Carolyn: Honestly, this is the best part of my week. This is the best part of what I do. I love talking to really smart people with great ideas about how technology can better our lives and how the government specifically can do that. So, Sean, you've written a lot of stuff. You're a pretty prolific writer, blogs articles, and a recent blog that I saw, I'm not going to lie, it kind of broke my head. It was a lot of technical stuff, but there were a couple of things in it that were kind of gotchas for me. I'd love for you to drill down into a little bit.At the beginning of your blog, you write, the name of the blog is Optimizing Mission Outcomes with Intelligent Insights. 
In one of the beginning paragraphs, you say transforming the DoD to a data-centric organization requires that data is visible, accessible, understandable, linked, trustworthy, interoperable, and secure. So I would love for you to dive into that.Sean: I would say the one thing that DoD is noticing, and you'll see this with some of their DevSecOps reference architectures is it requires culture change. Whether that's the business leaders or the mission leaders, the contractors, the developers, the people running infrastructure, or delivering a service.Your Data Can Work For You But It Has To Be AccessibleSean: They've identified that the data has to be accessible across all of those different parts of the mission. That getting that data collectively together is extremely important. It's valuable for both mission velocity and a competitive advantage around the world, whether that's DoD or civilian agencies, we see that as well. So data is critical, be able to find it first.Carolyn: If you've got the data, what do you mean it's not accessible? Do you mean like across agencies or across groups?Sean: A lot of it is making it not just within your command, but outside the command. So it's trusted. For example, I'm using an application performance management issue. I'm delivering an application, I have lots of stuff on the application. I may not have a lot of stuff on the user community, or maybe somebody wants to analyze the success of my mission. That mission can be measured, lots of different ways.How do I merge those data points together? So I can draw, make a business decision from that, that's very impactful. That may be something at a very strategic echelon such as the Pentagon. Or maybe very tactical, down at the tip of the sphere, the unit deployed overseas. I need to make a decision right this minute. How do we do that? That's very complex.Carolyn: One of the things that gets bounced around a lot these days, you guys have both talked about AIOps. 
Using AIOps to get us to this place, all of these things that you list. Can you talk about how AI ops enables this?Your Data Can Work for You Through Problem Solving Complex ThingsSean: On the AIOps side, what we find is, it allows our human workers to better focus on problem-solving and the complex things you can easily do with the computer. The AI piece allows us to typically make linkage. If you think of linked data, it's the dependencies between data points or systems. In many cases, when we look at application performance management, a user might have an issue on the front end. We have to go, what was that issue? The network, is that the desktop? Is it the application web front end, or is it deep back in the database?Being able to draw that picture out in the end so you can analyze what their dependencies are and understand them, and then do the root cause analysis to figure out where the problem is at is absolutely critical so we can solve those problems faster. And that's really what it's aboutl solving problems quicker, or building better performing team systems so that we can achieve our mission and make citizens happy or empower the war fighter at the tip of the spear.Carolyn: I was going to ask you to jump in because the whole linkage thing, that's kind of boring when I want to talk about AI. I want to talk about the Terminator or data from Star Trek.Willie: And Jarvis.Carolyn: Exactly. Willie, first level, set us on AI. I'll try to keep my fantasies out of the podcast and then respond to what Sean said.Willie: Just kind of a level set on AI. It's more of a question. All through these conversations with people, there's always a lot of misconceptions about AI, what AI is.A Narrow Approach to AIWillie: A lot of names get thrown around machine learning versus are we talking about more of a discreet AI model. All of these different types of AI models that might be out there. 
We haven't reached what you're talking about with this data-centric view and kind of utilizing AI. I see that more as a very narrow approach to AI. Very narrowly focused on that skillset and not what people think of as general AI, which we haven't reached yet. You hear about IBM Watson, that's a long way from doing the Terminator. That's kind of what I see. Is that the case?Sean: That's a good summary of it. If we looked at solving problems quickly with technology or making things better with technology, if you consider that artificial intelligence, you can really do things with basic AI today. So if you thought of, I found a problem, the next logical step might be, can I fix it automatically? Or can I build a little bot that can go fix it automatically? We're starting to see that with things like robotic process automation, for things that maybe aren't easily scriptable.But the citizen developer might be able to build that process into their day-to-day job. That job might be IT operations or application development or running some infrastructure. We've done that in the past with some existing government clients, maybe writing something to analyze complex analysis. When you think of site reliability engineering, you could write some really basic AI or machine learning scripts. Where you could analyze dependencies across functions that you need to monitor in your job that are unique.Your Data Can Work for You up to Some ExtentSean: That industry can't do themselves, and you can take something like a TensorFlow or a Pytorch. Do some analysis of basic data sets and do that enroll at your own to some extent. Or unlock those things in a cloud, if you have access to something like an Azure or an AWS where you can do some AI things in the cloud, but you can easily get the data that's accessible and understandable and snap it into that fairly easily.Willie: Just touching on then taking that to what we're talking about from your blog. 
I did not read the subsequent DoD document, which was about 700 plus pages. Thank you for that breakdown. What I saw there and why I think AI clicked is that you're talking about at first, the data. We're just talking about data, but we're talking about the full, you're talking about infrastructure. You're talking about the columns between all of these data points. How we secure access, everything needs to be CAC enabled and authenticated and all that good stuff.But also it came to mind, I've been reading and talking a lot lately about the fall of JEDI, which sounds like a movie. But the new JCW, the new contract that is coming out as a replacement for the JEDI. A lot of that is going to drive this new joint, all domain command, the JADC2 initiative where it's all data-centric. That's tying a lot of data from the battlespace and the tactical edge with a lot of what I don't think we talked about yet.Sensor DataWillie: Even a lot of this is going to be sensor data. We started talking about IOT. You started talking about bringing all of this data in from, could be tens of thousands, hundreds of thousands, maybe millions of data points. Something has to parse all of that information to get the right relevant information to the battle. The commanders and the people who need that are allied forces or whoever subscribes to that data. That's where AI also needs to be leveraged, especially when we're talking about what you wrote in your article. Am I close to accurate?Sean: Absolutely. In fact, there's a program called Advana, which is the DoD program. There's a bunch of approved tools for big data in AI that are included in that. One of the biggest challenges is how do you do that at scale? They're at the very early part of that journey where they figure out, how am I going to do this? They are doing it at the OSD level today, but how do I didn't do that at a mid-tier command? Or how do I do it at the edge of the battlespace? 
How do you do it in a jet as you're flying and you have to get telemetry off the jet at the end of the mission and analyze as part of the mission.Those are not small challenges when you think of the massive amount of data across the Department of Defense. How do you make sense of that as a community? Part of that is getting that data into a data lake or a data warehouse somewhere where people can access it. And then do things with it that are valuable because that data has value to it.Your Data Can Work for You During Time-Sensitive SituationsSean: Often that's a time-sensitive situation where you need to analyze it within minutes or days, not months or years.Carolyn: JC2. I love the idea of it. Define JC2 for me, Willie.Willie: The joint all domain kind of command and control initiative, or it's JADC2. It's this idea born out of the communication signaling part of the military where they have all of this data and Sean is spot on. I'm not a military person, not trying to pretend like I'm military. But I can see, the vision here is that the wars of the future are not just going to be fought with bullets and putting steel on target. But it's also who's going to have control of the data and that space, and who's going to be able to find answers and execute on a mission faster.This is a new arms race, this is why AI is so important. This is why you see all of this talk about AI and how the Department of Defense and the US need to be really focused on our AI capabilities. We can bring to bear the technology we're going to need to analyze all of this data from the data space. To Sean's point, this data could be coming from land, sea, under the sea from, literally soldiers on the ground who are wearing sensors.It could be coming from satellites, whether all of this data has to go in. Again, not being military, but I understand that all of these pieces have to be aligned. 
To get a good view of the battle space, understand where you need to have your troops, how you need to have them there.How Best Decisions Are MadeWillie: What do they need to be equipped with? All of these things need to be understood. The best decisions can be made and whoever can make those decisions the fastest. To Sean's point, there used to be a time we could make these decisions on days. I'm sure back in world war two, and you look at the planning of D-Day and things like that.Things that were in the works for days and months, we might have hours or minutes to make a decision. Humans just can't, it is just impossible to parse all of that data. To make a good decision without decision support services from something like an AI. Does that make sense?Carolyn: Yes and what you said, I translate it as we're going to have this central command and control for all DoD, maybe even some fed civ agencies. Here's why I say it kind of scares me and coming back to you, Sean, how do we secure it? How do we trust it? If we've got it, it's coming in from everywhere.Sean: Generally speaking, if you look at the zero trust piece of it first, let's break that down. There's the zero trust architecture. So NIST 800-207 and there's the DOD zero trust reference architecture, which came out about three months ago. There are seven pillars. But if you break them down to the most basic functions, it's about securing a device. Making sure it's not compromised before you let in the environment, securing the users and the applications. Typically what we find is securing users and devices are the easier pieces.Securing the Application So Your Data Can Work for YouSean: Securing the application and when we say securing, not just compliance, but actually knowing and measuring that it is secure in real time. Finding the open-source module or the function or method that is secure, that the developer can rapidly fix on their own. 
It’s where AI can definitely help us find that because they can measure those things with APM technologies, with integrated security. We can trigger and tell the dev ops team or the no ops team, you have an issue.Go take care of it immediately. If they're managing a small service or a function, they can go fix that in a couple of hours and it's fixed. We're starting to see that in the platform one environment and DoD, where they're patching containers every day in 24 hours. You have a team patching the Tomcat container for the web front end every 24 hours. But the rest of DoD subscribes to that container, that hardened container.They're getting that patch and leveraging that fix without having to do actual work themselves. Getting that team that runs that container, that owns the security for that container DoD-wide. Where they can patch it as fast as possible and know the exact function or method they have to fix is important.More importantly, if a large percentage of DoD applications rely on a core set of containers being shared in the community, you also have to make sure those containers operate and perform meticulously. If I have a team that's supporting that, they have to make sure it runs well. They QA it properly, they pull their performance testing left into their dev cycles.The Integrity of DataSean: When they publish it every 24 hours, which is a lot of publishing a year, that it is running smoothly and not having any problems. Then the question becomes, how do those teams then monitor those in production at scale, if they're across hundreds of applications, for example, across DoD.Carolyn: I heard a couple of things from another show. My past life is an insider threat. For you to say that it's harder to secure the app than the user, we can debate that later. To be secured, what I heard was AI DevSecOps. We're baking it in at this ground level, we're using AI to do it. That means it's coming, it's the integrity of the data. 
The integrity of the containers are built from birth.Sean: That's a general way to approach it. It depends on what you mean by birth, but yes. If you've mentioned having a birthing a new baby, every 24 hours, sure. It comes from the top down. Because the team's going to turn over, in this case, we're really treating them more like cattle. If you want to use the DevOps term, we're going to not treat it like a pet. But to that team that manages that one container or those five containers that a lot of people use, that's a very important asset in their life that they have to care and feed for and nurture.Those things come in lots of different flavors. But if you're a developer, you have to own everything about that container, that function that you're going to share with the rest of DoD and the community. So how do we make sure it runs well and it's secure? Then the question might be, would you?How Your Data Can Work for You From a Data Accessibility Standpoint Sean: From a data accessibility standpoint, I'd like to know how those containers are working not just in your application, but in other applications around DoD. You can make a lot more decisions and support it better if you can then access data across the organization and pull and work together across say a 10 application team. You're supporting them in ways that they care about that affect the mission.Carolyn: Once you plug your container into the mothership, then you can send sensors out and see how it's integrating, assimilating to everybody else.Sean: Sure, if you want to get the sensors for a minute. If we talk about applications, specifically containers, you can either go with some type of open sensor for application performance management to get things like metrics, logs, and transactions out of it. You could use something like OpenTelemetry or Fluentd or Telegraph or Statsd. There's lots of options that are open source that are supportable across different application performance management platforms. 
Or if you want to use the word observability platforms, those as well.The question for the government might be why wouldn't you embed that inherently, those sensors, if you offer for a DevOps team or an SRE team inherently as part of your build cycle. They are there, and then you can leverage them across lots of observability platforms. Then an organization can pick the one that's best for them that they liked the best. Or maybe they can pick the one with the most advanced AI functionality.One of the Hardest ProblemsSean: That's why sometimes getting the data into your platforms from lots of systems in DoD is one of the hardest problems. Because they've got to go through an authority to operate the process and to get that approved. It's great, but making changes to it after the ATO sometimes can be a little challenging. If you build your sensors and as part of that process inherently, it becomes a lot easier to get the data out later, in a more open fashion, potentially.Willie: That actually begs a question I had and this is a slight tangent, but I'm just curious. You triggered a thought in my mind, Sean. Are you seeing from your customers and the clients you work with, are speaking or baking this into the product? So there's these new concepts around like open telemetry and building this type of telemetry into the application. It can be exposed at runtime and be pulled in by any number of these tools that you're talking about. You can get a complete, more full picture of the landscape. Is that something you're seeing as well?Sean: We are seeing it in different agencies. Some of the civilian agencies have been more focused on things like distributed tracing and writing things into their application code. While that's a noble effort, it leaves a lot of the infrastructure not covered. It becomes hard to connect the dots from your application code or the web front end, which normally the app guys have pretty well covered. 
But then, if you look at cloud infrastructure or on-prem hardware infrastructure, it leaves it uncovered in most cases. If you consider the network, another piece of that you want to pay attention...","content_html":"

Listen in as Carolyn and Willie find out the true power of data. Sean Applegate, CTO of SwishData, explains how data can be utilized across an entire mission to empower the warfighter.

Episode Table of Contents

  • [01:00] Smart People With Great Ideas
  • [07:29] Your Data Can Work for You up to Some Extent
  • [14:15] Securing the Application So Your Data Can Work for You
  • [22:08] Eight Guiding Principles
  • [28:03] Applicability of AI
  • Episode Links and Resources

Smart People With Great Ideas

Carolyn: I'm Carolyn Ford and this week, my guest co-host is Willie Hicks, public sector CTO at Dynatrace. I'm super excited that we get to talk to Sean Applegate, CTO of SwishData.

Sean: I'm excited to be here, it should be a blast.

Carolyn: Honestly, this is the best part of my week. This is the best part of what I do. I love talking to really smart people with great ideas about how technology can better our lives and how the government specifically can do that. So, Sean, you've written a lot of stuff. You're a pretty prolific writer, blogs, articles, and a recent blog that I saw, I'm not going to lie, it kind of broke my head. It was a lot of technical stuff, but there were a couple of things in it that were kind of gotchas for me. I'd love for you to drill down into a little bit.

At the beginning of your blog, you write, the name of the blog is Optimizing Mission Outcomes with Intelligent Insights. In one of the beginning paragraphs, you say transforming the DoD to a data-centric organization requires that data is visible, accessible, understandable, linked, trustworthy, interoperable, and secure. So I would love for you to dive into that.

Sean: I would say the one thing that DoD is noticing, and you'll see this with some of their DevSecOps reference architectures is it requires culture change. Whether that's the business leaders or the mission leaders, the contractors, the developers, the people running infrastructure, or delivering a service.

Your Data Can Work For You But It Has To Be Accessible

Sean: They've identified that the data has to be accessible across all of those different parts of the mission. That getting that data collectively together is extremely important. It's valuable for both mission velocity and a competitive advantage around the world, whether that's DoD or civilian agencies, we see that as well. So data is critical, be able to find it first.

Carolyn: If you've got the data, what do you mean it's not accessible? Do you mean like across agencies or across groups?

Sean: A lot of it is making it not just within your command, but outside the command. So it's trusted. For example, I'm using an application performance management issue. I'm delivering an application, I have lots of stuff on the application. I may not have a lot of stuff on the user community, or maybe somebody wants to analyze the success of my mission. That mission can be measured, lots of different ways.

How do I merge those data points together? So I can draw, make a business decision from that, that's very impactful. That may be something at a very strategic echelon such as the Pentagon. Or maybe very tactical, down at the tip of the spear, the unit deployed overseas. I need to make a decision right this minute. How do we do that? That's very complex.

Carolyn: One of the things that gets bounced around a lot these days, you guys have both talked about AIOps. Using AIOps to get us to this place, all of these things that you list. Can you talk about how AIOps enables this?

Your Data Can Work for You Through Problem Solving Complex Things

Sean: On the AIOps side, what we find is, it allows our human workers to better focus on problem-solving and the complex things you can easily do with the computer. The AI piece allows us to typically make linkage. If you think of linked data, it's the dependencies between data points or systems. In many cases, when we look at application performance management, a user might have an issue on the front end. We have to go, what was that issue? The network, is that the desktop? Is it the application web front end, or is it deep back in the database?

Being able to draw that picture out in the end so you can analyze what their dependencies are and understand them, and then do the root cause analysis to figure out where the problem is at is absolutely critical so we can solve those problems faster. And that's really what it's about: solving problems quicker, or building better performing team systems so that we can achieve our mission and make citizens happy or empower the warfighter at the tip of the spear.

Carolyn: I was going to ask you to jump in because the whole linkage thing, that's kind of boring when I want to talk about AI. I want to talk about the Terminator or Data from Star Trek.

Willie: And Jarvis.

Carolyn: Exactly. Willie, first, level set us on AI. I'll try to keep my fantasies out of the podcast and then respond to what Sean said.

Willie: Just kind of a level set on AI. It's more of a question. All through these conversations with people, there's always a lot of misconceptions about AI, what AI is.

A Narrow Approach to AI

Willie: A lot of names get thrown around, machine learning versus are we talking about more of a discrete AI model. All of these different types of AI models that might be out there. We haven't reached what you're talking about with this data-centric view and kind of utilizing AI. I see that more as a very narrow approach to AI. Very narrowly focused on that skillset and not what people think of as general AI, which we haven't reached yet. You hear about IBM Watson, that's a long way from doing the Terminator. That's kind of what I see. Is that the case?

Sean: That's a good summary of it. If we looked at solving problems quickly with technology or making things better with technology, if you consider that artificial intelligence, you can really do things with basic AI today. So if you thought of, I found a problem, the next logical step might be, can I fix it automatically? Or can I build a little bot that can go fix it automatically? We're starting to see that with things like robotic process automation, for things that maybe aren't easily scriptable.

But the citizen developer might be able to build that process into their day-to-day job. That job might be IT operations or application development or running some infrastructure. We've done that in the past with some existing government clients, maybe writing something to analyze complex analysis. When you think of site reliability engineering, you could write some really basic AI or machine learning scripts. Where you could analyze dependencies across functions that you need to monitor in your job that are unique.

Your Data Can Work for You up to Some Extent

Sean: That industry can't do themselves, and you can take something like a TensorFlow or a PyTorch. Do some analysis of basic data sets and do that, roll your own, to some extent. Or unlock those things in a cloud, if you have access to something like an Azure or an AWS where you can do some AI things in the cloud, but you can easily get the data that's accessible and understandable and snap it into that fairly easily.

Willie: Just touching on then taking that to what we're talking about from your blog. I did not read the subsequent DoD document, which was about 700 plus pages. Thank you for that breakdown. What I saw there and why I think AI clicked is that you're talking about at first, the data. We're just talking about data, but we're talking about the full, you're talking about infrastructure. You're talking about the columns between all of these data points. How we secure access, everything needs to be CAC-enabled and authenticated and all that good stuff.

But also it came to mind, I've been reading and talking a lot lately about the fall of JEDI, which sounds like a movie. But the new JCW, the new contract that is coming out as a replacement for the JEDI. A lot of that is going to drive this new joint, all domain command, the JADC2 initiative where it's all data-centric. That's tying a lot of data from the battlespace and the tactical edge with a lot of what I don't think we talked about yet.

Sensor Data

Willie: Even a lot of this is going to be sensor data. We started talking about IOT. You started talking about bringing all of this data in from, could be tens of thousands, hundreds of thousands, maybe millions of data points. Something has to parse all of that information to get the right relevant information to the battle. The commanders and the people who need that are allied forces or whoever subscribes to that data. That's where AI also needs to be leveraged, especially when we're talking about what you wrote in your article. Am I close to accurate?

Sean: Absolutely. In fact, there's a program called Advana, which is the DoD program. There's a bunch of approved tools for big data in AI that are included in that. One of the biggest challenges is how do you do that at scale? They're at the very early part of that journey where they figure out, how am I going to do this? They are doing it at the OSD level today, but how do I do that at a mid-tier command? Or how do I do it at the edge of the battlespace? How do you do it in a jet as you're flying and you have to get telemetry off the jet at the end of the mission and analyze as part of the mission?

Those are not small challenges when you think of the massive amount of data across the Department of Defense. How do you make sense of that as a community? Part of that is getting that data into a data lake or a data warehouse somewhere where people can access it. And then do things with it that are valuable because that data has value to it.

Your Data Can Work for You During Time-Sensitive Situations

Sean: Often that's a time-sensitive situation where you need to analyze it within minutes or days, not months or years.

Carolyn: JC2. I love the idea of it. Define JC2 for me, Willie.

Willie: The joint all domain kind of command and control initiative, or it's JADC2. It's this idea born out of the communication signaling part of the military where they have all of this data and Sean is spot on. I'm not a military person, not trying to pretend like I'm military. But I can see, the vision here is that the wars of the future are not just going to be fought with bullets and putting steel on target. But it's also who's going to have control of the data and that space, and who's going to be able to find answers and execute on a mission faster.

This is a new arms race, this is why AI is so important. This is why you see all of this talk about AI and how the Department of Defense and the US need to be really focused on our AI capabilities. We can bring to bear the technology we're going to need to analyze all of this data from the data space. To Sean's point, this data could be coming from land, sea, under the sea from, literally soldiers on the ground who are wearing sensors.

It could be coming from satellites, whether all of this data has to go in. Again, not being military, but I understand that all of these pieces have to be aligned. To get a good view of the battle space, understand where you need to have your troops, how you need to have them there.

How Best Decisions Are Made

Willie: What do they need to be equipped with? All of these things need to be understood. The best decisions can be made and whoever can make those decisions the fastest. To Sean's point, there used to be a time we could make these decisions on days. I'm sure back in World War Two, and you look at the planning of D-Day and things like that.

Things that were in the works for days and months, we might have hours or minutes to make a decision. Humans just can't, it is just impossible to parse all of that data. To make a good decision without decision support services from something like an AI. Does that make sense?

Carolyn: Yes and what you said, I translate it as we're going to have this central command and control for all DoD, maybe even some fed civ agencies. Here's why I say it kind of scares me and coming back to you, Sean, how do we secure it? How do we trust it? If we've got it, it's coming in from everywhere.

Sean: Generally speaking, if you look at the zero trust piece of it first, let's break that down. There's the zero trust architecture. So NIST 800-207 and there's the DoD zero trust reference architecture, which came out about three months ago. There are seven pillars. But if you break them down to the most basic functions, it's about securing a device. Making sure it's not compromised before you let it in the environment, securing the users and the applications. Typically what we find is securing users and devices are the easier pieces.

Securing the Application So Your Data Can Work for You

Sean: Securing the application and when we say securing, not just compliance, but actually knowing and measuring that it is secure in real time. Finding the open-source module or the function or method that is secure, that the developer can rapidly fix on their own. It’s where AI can definitely help us find that because they can measure those things with APM technologies, with integrated security. We can trigger and tell the DevOps team or the NoOps team, you have an issue.

Go take care of it immediately. If they're managing a small service or a function, they can go fix that in a couple of hours and it's fixed. We're starting to see that in the Platform One environment and DoD, where they're patching containers every day in 24 hours. You have a team patching the Tomcat container for the web front end every 24 hours. But the rest of DoD subscribes to that container, that hardened container.

They're getting that patch and leveraging that fix without having to do actual work themselves. Getting that team that runs that container, that owns the security for that container DoD-wide. Where they can patch it as fast as possible and know the exact function or method they have to fix is important.

More importantly, if a large percentage of DoD applications rely on a core set of containers being shared in the community, you also have to make sure those containers operate and perform meticulously. If I have a team that's supporting that, they have to make sure it runs well. They QA it properly, they pull their performance testing left into their dev cycles.

The Integrity of Data

Sean: When they publish it every 24 hours, which is a lot of publishing a year, that it is running smoothly and not having any problems. Then the question becomes, how do those teams then monitor those in production at scale, if they're across hundreds of applications, for example, across DoD.

Carolyn: I heard a couple of things from another show. My past life is an insider threat. For you to say that it's harder to secure the app than the user, we can debate that later. To be secured, what I heard was AI DevSecOps. We're baking it in at this ground level, we're using AI to do it. That means it's coming, it's the integrity of the data. The integrity of the containers are built from birth.

Sean: That's a general way to approach it. It depends on what you mean by birth, but yes. If you've mentioned having a birthing a new baby, every 24 hours, sure. It comes from the top down. Because the team's going to turn over, in this case, we're really treating them more like cattle. If you want to use the DevOps term, we're going to not treat it like a pet. But to that team that manages that one container or those five containers that a lot of people use, that's a very important asset in their life that they have to care and feed for and nurture.

Those things come in lots of different flavors. But if you're a developer, you have to own everything about that container, that function that you're going to share with the rest of DoD and the community. So how do we make sure it runs well and it's secure? Then the question might be, would you?

How Your Data Can Work for You From a Data Accessibility Standpoint

Sean: From a data accessibility standpoint, I'd like to know how those containers are working not just in your application, but in other applications around DoD. You can make a lot more decisions and support it better if you can then access data across the organization and pull and work together across say a 10 application team. You're supporting them in ways that they care about that affect the mission.

Carolyn: Once you plug your container into the mothership, then you can send sensors out and see how it's integrating, assimilating to everybody else.

Sean: Sure, if you want to get the sensors for a minute. If we talk about applications, specifically containers, you can either go with some type of open sensor for application performance management to get things like metrics, logs, and transactions out of it. You could use something like OpenTelemetry or Fluentd or Telegraf or StatsD. There's lots of options that are open source that are supportable across different application performance management platforms. Or if you want to use the word observability platforms, those as well.

The question for the government might be why wouldn't you embed that inherently, those sensors, if you offer for a DevOps team or an SRE team inherently as part of your build cycle. They are there, and then you can leverage them across lots of observability platforms. Then an organization can pick the one that's best for them that they liked the best. Or maybe they can pick the one with the most advanced AI functionality.

One of the Hardest Problems

Sean: That's why sometimes getting the data into your platforms from lots of systems in DoD is one of the hardest problems. Because they've got to go through an authority to operate process and to get that approved. It's great, but making changes to it after the ATO sometimes can be a little challenging. If you build your sensors and as part of that process inherently, it becomes a lot easier to get the data out later, in a more open fashion, potentially.

Willie: That actually begs a question I had and this is a slight tangent, but I'm just curious. You triggered a thought in my mind, Sean. Are you seeing from your customers and the clients you work with, are speaking or baking this into the product? So there's these new concepts around like OpenTelemetry and building this type of telemetry into the application. It can be exposed at runtime and be pulled in by any number of these tools that you're talking about. You can get a complete, more full picture of the landscape. Is that something you're seeing as well?

Sean: We are seeing it in different agencies. Some of the civilian agencies have been more focused on things like distributed tracing and writing things into their application code. While that's a noble effort, it leaves a lot of the infrastructure not covered. It becomes hard to connect the dots from your application code or the web front end, which normally the app guys have pretty well covered. But then, if you look at cloud infrastructure or on-prem hardware infrastructure, it leaves it uncovered in most cases. If you consider the network, another piece of that you want to pay attention...

","summary":null,"date_published":"2021-08-25T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/11ed3b72-ecb5-4d6f-86df-8024dcdfc4fc.mp3","mime_type":"audio/mpeg","size_in_bytes":31880334,"duration_in_seconds":1989}]},{"id":"a32e7790-6256-4d79-bbdd-0367e9647297","title":"Episode 3: The Marvel of Risk, With General Stan McChrystal","url":"https://techtransforms.fireside.fm/3","content_text":"Risk taking is unavoidable when it comes to modernization. Best selling author and retired four-star U.S. general Stan McChrystal outlines 10 control factors to help citizens and agencies alike take smarter risks. Carolyn and Mark also get some early insight on Stan's upcoming book Risk: A User's Guide. Episode Table of Contents[01:44] Stan McChrystal of the Team of Teams[10:54] A Story of a Defensive System by Stan McChrystal[18:26] Stan McChrystal Talks About Inertia[25:57] Why Stan McChrystal Doesn’t Want to Worry About External Threats[35:40] Artificial Intelligence BasedEpisode Links and ResourcesRisk: A User's GuideTeam of TeamsStan McChrystal of the Team of TeamsCarolyn: We are joined this morning by retired four-star U.S Army General Stanley McChrystal. We've had the pleasure of talking to General McChrystal on a few occasions. Good morning, General McChrystal.Stan: Call me Stan, and it's an honor to be with you again.Carolyn: Let me give our audience for those that have been living under a rock, just a few more of your credentials. So Stan is a former commander of the U.S and International Security Assistance Forces, ISAF Afghanistan. He’s the former commander of the nation's premier military counter-terrorism force, JSOC. He is best known for developing and implementing a comprehensive counter-insurgency strategy in Afghanistan. For creating a cohesive counter-terrorism organization that revolutionized the inter-agency operating culture. 
Is it fair to say, Stan, that’s the basis for your book Team of Teams?Stan: It was certainly the foundation of it, and then our study beyond that.Carolyn: Honestly, Team of Teams, just a little plug here, is the best book on leadership that I have read. If you haven't read that one, do that. But we're here to talk about a new book that will be out this October that is also sure to be a bestseller. Mark and I got to have a sneak peek. We got to read an early copy of the manuscript. We're here to talk about your new book, Risk: A User's Guide. We’d like you to talk to us a bit about the 10 risk control factors, and the four measures that are the foundation for your new book Risk.Calculating RisksStan: We decided to take on Risk as a subject because through my career, there had been processes to follow. Calculating risk and acting on that too, to be able to measure the threats or risks to your organization. But it never connected with how we actually did it. Now, certainly there are some financial firms that use financial models that theoretically do this. But if you look at so many things in our lives, there's one way we talk about risk. Then there's another way we actually respond to it.I wanted to understand what the disconnect was. Of course, that had been my experience as well. In most cases in my career, we had done checklists or matrices, and calculations to come out with a risk score. But the reality was most of our reaction was intuitive. And so we decided to study risk. What we came away with was the idea that each organization and individual actually, but organizations particularly have something which I'll call a risk immune system.It's a system consisting of 10 factors, such as communication, diversity, bias, timing. Those things interact together to determine the health of the system to respond to and prevent threats from undermining the organization. It's very much akin to the human immune system. 
If you're not familiar with it, the human immune system is a marvel. We face about 10,000 pathogens a day that come to our body. Any one of which could harm us or kill us, but we don't think much about it.The Theory Behind VaccinesStan: We don't have to, because the body has got a process in which our immune system detects all the threats that come. Assesses each one, responds, kills off the ones that need to be, and then learns from the process. The miracle is it gets smarter and that's the theory behind vaccines. You build up an immunity so that the next time it's very easy to fight off that known threat.The human immune system is this marvel that we sort of go through most of our lives taking for granted until it's compromised. Then it's compromised like with HIV/AIDs or another assault on our system. When it's weakened, suddenly we fall prey to threats that otherwise wouldn't be a problem for us. Really, nobody ever died of HIV/AIDs itself. What they died from was other lesser things that the body was unable to combat.Now we come back to organizations. It was interesting we started to write this book and do the research and COVID arrived. It became almost a perfect example of what we were talking about. If we think about COVID-19 someone says it was a black swan event. Who knew that a pandemic was coming? The answer was, everybody knew. We'd been through it before many times in world history, particularly the Spanish flu.Most notably in 1918 and in a smaller sense, many times since. In fact, in 2019, just a few months before COVID-19 arrived, the Department of Health and Human Services ran a series of exercises. They were called Crimson Contagion and they were based on a scenario of a viral threat. Pathogen coming out of China, coming to the United States, going around the world and wreaking havoc.Stan McChrystal Talks About COVID-19Stan: The lessons from that set of exercises was, the United States had not done enough preparation. 
Had not stockpiled enough supplies, had not worked enough of the processes, and therefore paid a heavy cost. That was only a few months before COVID-19 arrived. The interesting thing about COVID-19 is we knew the threat was inevitable. You don't know the exact strain of the pathogen, but you know that kind of assault is inevitable.The second thing is you know exactly what to do about it. Public health is not a new science, we knew the basics that we had to do. We had to stockpile things that would take certain steps. Of course, we pulled a rabbit out of a hat in terms of developing vaccines faster than any time in history. But except for that, the world's response to COVID-19 has been very weak. It's been very weak because of many of the risks in the immune system.I would argue the society's ability to communicate effectively, to make decisions on time, to overcome the inertia against inaction. To have the kind of leadership that emerges, that brings all capabilities together. We literally stumbled on every one of them on COVID-19. It's a tremendous, but sad example of how important, because this wasn't a scientific failure. In fact, COVID-19 is a scientific triumph. It is a societal and governance failure in our analysis.Mark: Or leadership failure, if you look at the 10 dimensions of control. How did you come up with the 10 dimensions of control?The Antidote Stan McChrystal ConcoctedStan: When we decided to take a look at those things which were important factors. They were distinct or different enough to be categorized, you probably could have had 12. You probably could have had 8, if you'd put something together. There was some bias and diversity. They're a little bit akin to each other. If you have biases, the antidote is diversity, different perspectives.They could be linked to communication and narrative, but they're also distinct into themselves. 
We wanted readers to understand, these factors are all things which would be consciously addressed by an organization. Trying to both be sure it has a healthy risk immune system and then improving or strengthening it.Carolyn: One of the risk factors, control factors is technology, which I want to focus on since this is Tech Transforms. You start that chapter of technology with a quote that I loved. So you said, \"Technology raises a new question, who or what is in control?\" This is something that I think about almost every day and have since I was a kid watching Star Trek. And this got my head spinning about how we ensure that technology is an advantage instead of a disadvantage.Who's in control? Is it helping the agencies that are using the technology within the government? Is it helping the citizens and warfighters that those agencies are serving? Can you talk about that? Who is in control when it comes to technology?Stan: The answer is it should be us. But if we go back in our history, we refer to the movie Fail Safe, an early 1960s movie in the book. If anyone hasn't seen it, you ought to watch it.A Story of a Defensive System by Stan McChrystalStan: It's a story of a defensive system that has been implemented by the United States based on technology. It allows the United States to essentially be able to strike the Soviet Union without being stopped. It's got a defensive aspect to it, so it can analyze whether there's a threat coming and then launch a counter-threat.Of course, it malfunctions in signaling that there is an attack and then it launches a counter strike. Humans are not able to recall the counterstrike. So in the desperately tragic final scene of the movie, the president of the United States works and deals with Soviet leaders. After the United States bombs Russia, which we cannot stop our plane from doing, we bomb New York City ourselves as a tit for tat to prevent further war.Now that question you say, who's in charge? 
The answer is, because of the dependence upon very highly technical devices, they can get ahead of us. If we fast forward to 60 years and we've got artificial intelligence, and we've got things like hypervelocity missiles, we've now got response systems where you have to let the machine respond based upon inputs from its collection. There's no time to put a human in the loop.We always say, we'll always put a human in the loop if it's got anything to do with lethal effects. You can't do it and make it work. The reality is you either depend upon that, or you have a much slower human system. Which probably is not fast enough to deal with some of these threats. We're building threats that make us dependent upon technology-based responses.Human’s Last TouchStan: At a certain point, the human's last touch of this thing is when we craft the system and if we get it wrong, or if someone spoofs the system or corrupts it in some way, there's tremendous vulnerability.Mark: I think of the movie WarGames in the '80s, where they had the WOPR. They were simulating nuclear attacks, ominously.Stan: It's terrifying. We also refer in the book to some things that are more mundane, but they're pretty important. For example, most companies have implemented automated voice or automated telephone systems. You call your favorite company and they say, if your problem is X, dial one, or press one. You sit through this thing and you get more and more frustrated. And you want somebody to fix your problem.It's much cheaper for the firm to do, but how many times have you taken your business elsewhere? How many times do you just say, \"I give, I want to talk to someone who will accept my problem and fix it.\" That's a hidden cost or a hidden risk that technology gives us that we're not even sure we can measure.Mark: It seemed to me, reading through the book, that the way you laid out the 10 dimensions of control in the different use cases as human analysis in decision-making, et cetera. 
Across that, the question I've got as it relates to technology and AI is, is there possibility of taking the risk immune system and the 10 dimensions of control? And apply that into artificial intelligence so that artificial intelligence can assist humans in this process move faster. Even in the book, a couple of examples, things start moving so fast. I wonder if we're too slow in that game.Stan McChrystal Reveals What AI Could DoStan: I think we are. The first thing AI could do for a system like that is tell us what we're not doing. If you think about it, a problem comes, a fire starts in your kitchen, and you're worried about getting your kids out first. An AI system could pull all the factors together and it could remind you. It could say, \"Wait a minute, you got this wrong. You haven't done this.\" Et cetera.As conditions change, AI with the right amount of detection out could bring that information in. So that it could widen the aperture of the organization or individual making the decision and potentially respond more effectively. The problem is, we as leaders, have to understand AI much better than we do right now. We are going to get instructions from artificial intelligence in the future.We're not going to be able to have the time to dissect them or through our own processes, compete with that. We are either going to have to accept it or not. It will say, do this. We're going to have almost an act of faith because artificial intelligence can bring so many data sources together. Draw conclusions, and make a recommendation. We can't compete with that so we're going to have to, at a certain pace, take it as an article of faith. That means we really need to understand what our data sources are, how the system is, how the system works.Carolyn: It takes us down a very scary rabbit hole too. 
Where we've seen arrogance, laziness, I don't know how you want to label it.Brains in the Foot LockerCarolyn: But for whatever reasons, we just put our brains in the footlocker to quote one of my favorite quotes from your father. We want somebody else to do the thinking for us, we want the technology to do the thinking for us. Which is why we've heard many stories of people driving off the pier into the ocean because the GPS told them to. I think the idea of, can we get AI to the point of making all these decisions for us? It's a scary thought to me. It's the stuff that science fiction has been built on for the last 50 years.Stan: No, you're exactly right. My wife and I were driving just last weekend. And my pet peeve about most of the GPS systems is they drill in and they show you a very small area. You just turn right or turn left. With my background, from the military, I want to see the big map, I want to see where I am. I want to see the route it's chosen, I want to do that the whole way. It automatically doesn't want to do that, it just wants to tell you what to do. They may be right, and they may not be right. That's the issue.Carolyn: My dad, before we would go on any trip, he'd pull out the map and he'd make me look at it. I'm like, \"I've got GPS. I don't need to do this.\" And you know what? Technology is awesome. It gets me where I want to go until it doesn't. Single sign-on is awesome until it doesn't work.Stan McChrystal Talks About InertiaCarolyn: I want to shift gears a little bit and talk about inertia. This is something that you brought up multiple times in the book. You said, in my Physics class at West Point, we learned that in the most basic terms. Inertia tells us that absent external forces, things will keep doing whatever they're doing.That's true not only if what they're doing is brilliant and successful, but also if what they're up to is silly and destined for failure. 
To use the military axiom, never interrupt your enemy when they're making a mistake. But shouldn't we interrupt ourselves? Do you think that we are allowing tech to move us forward from momentum rather than deciding our own direction?Stan: Potentially, it can. Of course, we proved it in history. We didn't need tech to do that either, we could make all those things. The problem we'd make is it can reinforce that. We build processes, we do things a certain way, and we do them to be more efficient with technology. To a certain degree, an operator of a machine or a computer does certain things, gets certain guidance or responses. We think we're not smart enough to say, no, we shouldn't do that right now.Often, we give people instructions in their position. No, this is what you follow. This is the process. If it comes, if they say two plus two equals five, you use five and move on. The problem is really sociological, it's our leadership and the human side, but it is aided and abetted by technology. It's easier to go faster, further and get it way off track.A Small Problem in a High-Speed SystemStan: There's a great story on the news recently about a high-frequency trading company. It was some years back when it happened, but one of their algorithms got off in the course of 40 minutes. They lost billions of dollars. It was because of a small problem in a very high-speed system, jumping the track and boom. That can happen in our economy. It can happen in almost anything.Carolyn: Back to what you were talking about with just leveraging tech. One of the things you also say in the book, I assume this was early 2003 ish, when you were first kind of reorganizing the way JSOC operated. You said that the tech and the hardware, you were able to have communications, which is another one of the risk factors. And you were able to have communications all over the world, cross teams because of technology.You said that technology was just as important as food and ammo. 
As I read the book, I kept thinking all of these things are interconnected. They rely on each other. Even as we're developing tech, it would be prudent. We should be applying this model to the development of the technology.Stan: I'd throw out a couple of ideas. What would have happened a year and a half ago as COVID-19 sent us home, dispersed us, if we didn't have the level of technology that we enjoyed at that point? If let's say we didn't have the internet and whatnot, let's say we didn't have telephones. Literally society at the size and interconnected may have, would have stopped. Our Achilles' heel at that point became our ability to communicate because it built our confidence.Stan McChrystal Communicates the First StepStan: If we weren't being communicated with all the time, most of us would have panicked in some way. Society would likely have done that as well. We learned something very interesting in JSOC, and I'm not sure we're the first people to learn it. It became really clear to me, that as we were dispersed and we had to implement a lot more technology than ever, to","content_html":"

Risk taking is unavoidable when it comes to modernization. Best-selling author and retired four-star U.S. general Stan McChrystal outlines 10 control factors to help citizens and agencies alike take smarter risks. Carolyn and Mark also get some early insight on Stan's upcoming book Risk: A User's Guide.

Episode Table of Contents

  • [01:44] Stan McChrystal of the Team of Teams
  • [10:54] A Story of a Defensive System by Stan McChrystal
  • [18:26] Stan McChrystal Talks About Inertia
  • [25:57] Why Stan McChrystal Doesn’t Want to Worry About External Threats
  • [35:40] Artificial Intelligence Based

Episode Links and Resources


Stan McChrystal of the Team of Teams

Carolyn: We are joined this morning by retired four-star U.S. Army General Stanley McChrystal. We've had the pleasure of talking to General McChrystal on a few occasions. Good morning, General McChrystal.

Stan: Call me Stan, and it's an honor to be with you again.

Carolyn: Let me give our audience for those that have been living under a rock, just a few more of your credentials. So Stan is a former commander of the U.S. and International Security Assistance Forces, ISAF Afghanistan. He’s the former commander of the nation's premier military counter-terrorism force, JSOC. He is best known for developing and implementing a comprehensive counter-insurgency strategy in Afghanistan. For creating a cohesive counter-terrorism organization that revolutionized the inter-agency operating culture. Is it fair to say, Stan, that’s the basis for your book Team of Teams?

Stan: It was certainly the foundation of it, and then our study beyond that.

Carolyn: Honestly, Team of Teams, just a little plug here, is the best book on leadership that I have read. If you haven't read that one, do that. But we're here to talk about a new book that will be out this October that is also sure to be a bestseller. Mark and I got to have a sneak peek. We got to read an early copy of the manuscript. We're here to talk about your new book, Risk: A User's Guide. We’d like you to talk to us a bit about the 10 risk control factors, and the four measures that are the foundation for your new book Risk.

Calculating Risks

Stan: We decided to take on Risk as a subject because through my career, there had been processes to follow. Calculating risk and acting on that too, to be able to measure the threats or risks to your organization. But it never connected with how we actually did it. Now, certainly there are some financial firms that use financial models that theoretically do this. But if you look at so many things in our lives, there's one way we talk about risk. Then there's another way we actually respond to it.

I wanted to understand what the disconnect was. Of course, that had been my experience as well. In most cases in my career, we had done checklists or matrices, and calculations to come out with a risk score. But the reality was most of our reaction was intuitive. And so we decided to study risk. What we came away with was the idea that each organization and individual actually, but organizations particularly have something which I'll call a risk immune system.

It's a system consisting of 10 factors, such as communication, diversity, bias, timing. Those things interact together to determine the health of the system to respond to and prevent threats from undermining the organization. It's very much akin to the human immune system. If you're not familiar with it, the human immune system is a marvel. We face about 10,000 pathogens a day that come to our body. Any one of which could harm us or kill us, but we don't think much about it.

The Theory Behind Vaccines

Stan: We don't have to, because the body has got a process in which our immune system detects all the threats that come. Assesses each one, responds, kills off the ones that need to be, and then learns from the process. The miracle is it gets smarter and that's the theory behind vaccines. You build up an immunity so that the next time it's very easy to fight off that known threat.

The human immune system is this marvel that we sort of go through most of our lives taking for granted until it's compromised. Then it's compromised like with HIV/AIDS or another assault on our system. When it's weakened, suddenly we fall prey to threats that otherwise wouldn't be a problem for us. Really, nobody ever died of HIV/AIDS itself. What they died from was other lesser things that the body was unable to combat.

Now we come back to organizations. It was interesting we started to write this book and do the research and COVID arrived. It became almost a perfect example of what we were talking about. If we think about COVID-19 someone says it was a black swan event. Who knew that a pandemic was coming? The answer was, everybody knew. We'd been through it before many times in world history, particularly the Spanish flu.

Most notably in 1918 and in a smaller sense, many times since. In fact, in 2019, just a few months before COVID-19 arrived, the Department of Health and Human Services ran a series of exercises. They were called Crimson Contagion and they were based on a scenario of a viral threat. Pathogen coming out of China, coming to the United States, going around the world and wreaking havoc.

Stan McChrystal Talks About COVID-19

Stan: The lessons from that set of exercises were, the United States had not done enough preparation, had not stockpiled enough supplies, had not worked enough of the processes, and therefore paid a heavy cost. That was only a few months before COVID-19 arrived. The interesting thing about COVID-19 is we knew the threat was inevitable. You don't know the exact strain of the pathogen, but you know that kind of assault is inevitable.

The second thing is you know exactly what to do about it. Public health is not a new science, we knew the basics that we had to do. We had to stockpile things that would take certain steps. Of course, we pulled a rabbit out of a hat in terms of developing vaccines faster than any time in history. But except for that, the world's response to COVID-19 has been very weak. It's been very weak because of many of the risks in the immune system.

I would argue the society's ability to communicate effectively, to make decisions on time, to overcome the inertia against inaction. To have the kind of leadership that emerges, that brings all capabilities together. We literally stumbled on every one of them on COVID-19. It's a tremendous, but sad example of how important, because this wasn't a scientific failure. In fact, COVID-19 is a scientific triumph. It is a societal and governance failure in our analysis.

Mark: Or leadership failure, if you look at the 10 dimensions of control. How did you come up with the 10 dimensions of control?

The Antidote Stan McChrystal Concocted

Stan: When we decided to take a look at those things which were important factors. They were distinct or different enough to be categorized, you probably could have had 12. You probably could have had 8, if you'd put something together. There was some bias and diversity. They're a little bit akin to each other. If you have biases, the antidote is diversity, different perspectives.

They could be linked to communication and narrative, but they're also distinct into themselves. We wanted readers to understand, these factors are all things which would be consciously addressed by an organization. Trying to both be sure it has a healthy risk immune system and then improving or strengthening it.

Carolyn: One of the risk factors, control factors is technology, which I want to focus on since this is Tech Transforms. You start that chapter of technology with a quote that I loved. So you said, "Technology raises a new question, who or what is in control?" This is something that I think about almost every day and have since I was a kid watching Star Trek. And this got my head spinning about how we ensure that technology is an advantage instead of a disadvantage.

Who's in control? Is it helping the agencies that are using the technology within the government? Is it helping the citizens and warfighters that those agencies are serving? Can you talk about that? Who is in control when it comes to technology?

Stan: The answer is it should be us. But if we go back in our history, we refer to the movie Fail Safe, an early 1960s movie in the book. If anyone hasn't seen it, you ought to watch it.

A Story of a Defensive System by Stan McChrystal

Stan: It's a story of a defensive system that has been implemented by the United States based on technology. It allows the United States to essentially be able to strike the Soviet Union without being stopped. It's got a defensive aspect to it, so it can analyze whether there's a threat coming and then launch a counter-threat.

Of course, it malfunctions in signaling that there is an attack and then it launches a counter strike. Humans are not able to recall the counterstrike. So in the desperately tragic final scene of the movie, the president of the United States works and deals with Soviet leaders. After the United States bombs Russia, which we cannot stop our plane from doing, we bomb New York City ourselves as a tit for tat to prevent further war.

Now that question you say, who's in charge? The answer is, because of the dependence upon very highly technical devices, they can get ahead of us. If we fast forward to 60 years and we've got artificial intelligence, and we've got things like hypervelocity missiles, we've now got response systems where you have to let the machine respond based upon inputs from its collection. There's no time to put a human in the loop.

We always say, we'll always put a human in the loop if it's got anything to do with lethal effects. You can't do it and make it work. The reality is you either depend upon that, or you have a much slower human system. Which probably is not fast enough to deal with some of these threats. We're building threats that make us dependent upon technology-based responses.

Human’s Last Touch

Stan: At a certain point, the human's last touch of this thing is when we craft the system and if we get it wrong, or if someone spoofs the system or corrupts it in some way, there's tremendous vulnerability.

Mark: I think of the movie WarGames in the '80s, where they had the WOPR. They were simulating nuclear attacks, ominously.

Stan: It's terrifying. We also refer in the book to some things that are more mundane, but they're pretty important. For example, most companies have implemented automated voice or automated telephone systems. You call your favorite company and they say, if your problem is X, dial one, or press one. You sit through this thing and you get more and more frustrated. And you want somebody to fix your problem.

It's much cheaper for the firm to do, but how many times have you taken your business elsewhere? How many times do you just say, "I give, I want to talk to someone who will accept my problem and fix it." That's a hidden cost or a hidden risk that technology gives us that we're not even sure we can measure.

Mark: It seemed to me, reading through the book, that the way you laid out the 10 dimensions of control in the different use cases as human analysis in decision-making, et cetera. Across that, the question I've got as it relates to technology and AI is, is there possibility of taking the risk immune system and the 10 dimensions of control? And apply that into artificial intelligence so that artificial intelligence can assist humans in this process move faster. Even in the book, a couple of examples, things start moving so fast. I wonder if we're too slow in that game.

Stan McChrystal Reveals What AI Could Do

Stan: I think we are. The first thing AI could do for a system like that is tell us what we're not doing. If you think about it, a problem comes, a fire starts in your kitchen, and you're worried about getting your kids out first. An AI system could pull all the factors together and it could remind you. It could say, "Wait a minute, you got this wrong. You haven't done this." Et cetera.

As conditions change, AI with the right amount of detection out could bring that information in. So that it could widen the aperture of the organization or individual making the decision and potentially respond more effectively. The problem is, we as leaders, have to understand AI much better than we do right now. We are going to get instructions from artificial intelligence in the future.

We're not going to be able to have the time to dissect them or through our own processes, compete with that. We are either going to have to accept it or not. It will say, do this. We're going to have almost an act of faith because artificial intelligence can bring so many data sources together. Draw conclusions, and make a recommendation. We can't compete with that so we're going to have to, at a certain pace, take it as an article of faith. That means we really need to understand what our data sources are, how the system is, how the system works.

Carolyn: It takes us down a very scary rabbit hole too. Where we've seen arrogance, laziness, I don't know how you want to label it.

Brains in the Foot Locker

Carolyn: But for whatever reasons, we just put our brains in the footlocker to quote one of my favorite quotes from your father. We want somebody else to do the thinking for us, we want the technology to do the thinking for us. Which is why we've heard many stories of people driving off the pier into the ocean because the GPS told them to. I think the idea of, can we get AI to the point of making all these decisions for us? It's a scary thought to me. It's the stuff that science fiction has been built on for the last 50 years.

Stan: No, you're exactly right. My wife and I were driving just last weekend. And my pet peeve about most of the GPS systems is they drill in and they show you a very small area. You just turn right or turn left. With my background, from the military, I want to see the big map, I want to see where I am. I want to see the route it's chosen, I want to do that the whole way. It automatically doesn't want to do that, it just wants to tell you what to do. They may be right, and they may not be right. That's the issue.

Carolyn: My dad, before we would go on any trip, he'd pull out the map and he'd make me look at it. I'm like, "I've got GPS. I don't need to do this." And you know what? Technology is awesome. It gets me where I want to go until it doesn't. Single sign-on is awesome until it doesn't work.

Stan McChrystal Talks About Inertia

Carolyn: I want to shift gears a little bit and talk about inertia. This is something that you brought up multiple times in the book. You said, in my Physics class at West Point, we learned that in the most basic terms, inertia tells us that absent external forces, things will keep doing whatever they're doing.

That's true not only if what they're doing is brilliant and successful, but also if what they're up to is silly and destined for failure. To use the military axiom, never interrupt your enemy when they're making a mistake. But shouldn't we interrupt ourselves? Do you think that we are allowing tech to move us forward from momentum rather than deciding our own direction?

Stan: Potentially, it can. Of course, we proved it in history. We didn't need tech to do that either, we could make all those things. The problem we'd make is it can reinforce that. We build processes, we do things a certain way, and we do them to be more efficient with technology. To a certain degree, an operator of a machine or a computer does certain things, gets certain guidance or responses. We think we're not smart enough to say, no, we shouldn't do that right now.

Often, we give people instructions in their position. No, this is what you follow. This is the process. If it comes, if they say two plus two equals five, you use five and move on. The problem is really sociological, it's our leadership and the human side, but it is aided and abetted by technology. It's easier to go faster, further and get it way off track.

A Small Problem in a High-Speed System

Stan: There's a great story on the news recently about a high-frequency trading company. It was some years back when it happened, but one of their algorithms got off in the course of 40 minutes. They lost billions of dollars. It was because of a small problem in a very high-speed system, jumping the track and boom. That can happen in our economy. It can happen in almost anything.

Carolyn: Back to what you were talking about with just leveraging tech. One of the things you also say in the book, I assume this was early 2003-ish, when you were first kind of reorganizing the way JSOC operated. You said that the tech and the hardware, you were able to have communications, which is another one of the risk factors. And you were able to have communications all over the world, cross teams because of technology.

You said that technology was just as important as food and ammo. As I read the book, I kept thinking all of these things are interconnected. They rely on each other. Even as we're developing tech, it would be prudent. We should be applying this model to the development of the technology.

Stan: I'd throw out a couple of ideas. What would have happened a year and a half ago as COVID-19 sent us home, dispersed us, if we didn't have the level of technology that we enjoyed at that point? If let's say we didn't have the internet and whatnot, let's say we didn't have telephones. Literally society at the size and interconnected may have, would have stopped. Our Achilles' heel at that point became our ability to communicate because it built our confidence.

Stan McChrystal Communicates the First Step

Stan: If we weren't being communicated with all the time, most of us would have panicked in some way. Society would likely have done that as well. We learned something very interesting in JSOC, and I'm not sure we're the first people to learn it. It became really clear to me, that as we were dispersed and we had to implement a lot more technology than ever, to

","summary":null,"date_published":"2021-08-18T07:00:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/fbbeac56-1447-4942-8127-8e317bc9231b.mp3","mime_type":"audio/mpeg","size_in_bytes":39635439,"duration_in_seconds":2474}]},{"id":"ec916ef0-f45f-49cb-a85c-8525dee7101c","title":"Episode 2: Knowing the Unknown, With Andrey Zhuk","url":"https://techtransforms.fireside.fm/2","content_text":"When you have billions of data dependencies, and one goes amiss, how do you figure out where the issue is? Listen as Mark and Carolyn are joined by Andrey Zhuk of CTG Federal to discover how artificial intelligence is opening new doors for data security and recovery. Episode Table of Contents[00:46] The Road to AIOps[09:07] Overarching Umbrella[17:25] Knowing the Unknown From Poorly Written Codes[27:55] Knowing the Unknown in the World of TechEpisode Links and ResourcesAndre’s e-Book Software Intelligence for the Federal Government: The Road to AIOpsConnect With Andrey Zhuk on LinkedInThe Road to AIOpsCarolyn: I'm excited to introduce today's guest, , principal solutions architect at CTG and author of several eBooks. Today, we're going to talk about one of his latest eBooks, Software Intelligence for the Federal Government: The Road to AIOps. It focuses on cloud development migration in the federal government.Carolyn: Let's start with the easy stuff. Tell us your story. What do you do? Where are you talking to us from? How did you get to where you are now?Andrey: Sure. My background is actually electrical engineering. I used to design satellite systems and the networks that go along with them for the Department of Defense. From that, I went to the side of sales. I was actually selling a lot of Palo Alto products and some optimization solutions. From there, I transitioned to the world of cloud. That's kind of where I got into the whole application performance management space. I was at a startup called Skyhigh Networks. 
They were one of the early cloud X security brokers. We were dealing with cloud apps and security cloud apps for government customers.That's where I had the experience of dealing with the federal government workers, trying to modernize their applications. Then Skyhigh Networks got bought by McAfee. I was a solutions architect for cloud technologies with McAfee for a year or so. Then I moved on to CTG Federal to take on a principal architect position to help build their cybersecurity business with a little bit of the APM sprinkled in. We had a Dynatrace partner.Knowing the Unknown About Satellite StuffCarolyn: Yes, we wish we could say that right upfront that we are partners. But before we get into it, I got to go back to the satellite stuff. How does that compare to what you're doing now, how long did you do that?Andrey: Wow, probably six years, but ultimately everybody needs Facebook and satellite platforms get outdated like once every 10 years. So it's all about software.Carolyn: Oh, so this is a lot faster for you then like, quicker pace.Andrey: Yes.Mark: The world that you're playing in now, Andrey, is it more high-level conceptual as opposed to the engineering work that you might have done, working on satellites?Andrey: So it's interesting. The world is more about software now than it ever was before. Just to give you an example, YouTube platform. They're the one that when it got shut down by the Soviets, that is still in operation. So that airborne frames still exist, but the internals get modernized. The internals get modernized with new circuits, new equipment, but the software on those circuits gets changed quite frequently.Mark: We truly are living in a software world, are we?Andrey: Yes. 
Which makes application performance management and software intelligence that much more important.Carolyn: It gets us right to one of the first things we want to talk to you about is the title of this eBook that you wrote, Software Intelligence for Federal Government: The Road to AIOps. I'd like you to unpack it a little bit for me. So first, what does it mean? What do you mean by software intelligence for the federal government? And then what do you mean by the road to AIOps?A World Powered by ApplicationsAndrey: So we live in a world powered by applications. The applications are everywhere. They control how we work and collaborate, how we book travel, how we get our entertainment, how we get medical care, and taxes. But the thing is these applications have grown in scale. It used to be not so long ago, even as far back as 10 years ago, we would have just a couple of servers with some backend storage. Interact somewhere, maybe at clinics or something like that, our rec space, but now that's changing.All of a sudden the applications are running on top of complex computing infrastructures that are dynamic, hybrid, and multi-cloud. And now these environments contain hundreds, if not thousands of technologies. Million lines of codes, and literally billions of dependencies. So traditionally we manage all these applications with a set of disparate point tools.This is what we call, tooling. Each one required human involvement. This is also what we used to call application performance management, different tools reporting back to us. But as applications grew, the traditional data centers into cloud and subsequently public and hybrid clouds. So the old ways of doing things could no longer scale. The volume of data aggregated by all these monitoring and observability point tools quickly became so immense that no human can make sense of it.There's also an issue of the unknown unknown, so you can't stage for something that you have no clue can even happen. 
So we needed a new approach. This is where we need to make all these sensors to be intelligent and make sense of all this data. And so this is where the software intelligence comes into play.Knowing the Unknown With IntelligenceAndrey: With software intelligence, we need to imbue these monitoring solutions with intelligence to make sense of all this stuff.Carolyn: So have you seen that shift? You started the story where it was a lot more simple, was that the case when you were working on the satellites?Andrey: Yes.Carolyn: You've seen this shift through your career.Andrey: Yes. So I'll give you an example. The old school application performance management circa 2010, it was primarily network-based. For example, I worked with a company called Riverbed. Back then, Riverbed was one of the hottest companies in Silicon Valley. They bought the startup from Cambridge, Massachusetts, which was called Cascade. All it did is it took packets from the network and made predictions about application performance based on flows and packet capture. That's it.There are also a lot of competing solutions from the likes of NetScout, JDSU, and a couple of others. So it all just flows in the network. But now as things are changing going to the cloud, those solutions are no longer relevant. So you need something new.Carolyn: So this isn't just a fundamental shift, I feel like this is a leap forward. I wouldn't say that it's equivalent to the invention of fire, but maybe.Andrey: Maybe.Carolyn: It's really huge to me.Andrey: It's interesting. This is where the world of AIOps came to be. So artificial intelligence operations, I think it's a gardener term. But ultimately it's referred to a suite of products or software platforms that bring together, act as a force multiplier for correlating data across application performance management tools, IT infrastructure monitoring. 
This would be like your SolarWinds type stuff and network monitoring and the other diagnostics.Overarching UmbrellaAt this point, AIOps is moving forward to now being this overarching umbrella which now encompasses application performance, infrastructure monitoring, AIOps. We used to think of it as opening tickets, for example, and maybe automating service, ticketing and response. But now we also include digital business analytics, which is especially important to the likes of say, Uber and the digital experience.Mark: Yes, and user experience.Andrey: Right. Especially if we think about the likes of Uber, this is where these kinds of platforms really come into play, just behemoths. How do you make sense of it all?Carolyn: You mentioned something about our lives are run by,I mean, you said the word millions and billions, even at one point.Andrey: Billions of codes and dependencies. YesCarolyn: Yes, and dependencies on an application. So give me some examples.Mark: Some use cases.Carolyn: Tell me a story about AIOps and I guess, how we're using it now, compared to what we were doing before?Andrey: Sure.Carolyn: You kind of already talked about that.Andrey: I feel like we were talking more about the public sector or federal space. One of the best use cases that's easy to latch onto, even before undergoing through this transformation technology and re-architecting all your software. It's probably just a meantime to recover. So meantime to recover your MTTR, that refers to ability to recover a system back to an operational state. When you have billions of dependencies, something goes amiss, how do you figure out what the issue is?Where AIOps Come Into PlayAndrey: So this is where an AIOps can come into play and be able to help you figure out, find that needle in the haystack. You go from weeks of teams trying to figure out what the issue is. Isolating components and testing to literally hours, because you have all this data and it's not just a sea of information. 
It's very precise nuggets of information telling you when something is amiss. So that's kind of the easiest to digest use case. The other one, which was very much a federal, I feel like federal specific is mission continuity between contracts.So imagine you have a big contractor. Like Nordstrom come and run the show at one of the satellite facilities I worked with for the Department of Defense. Then that contract expires and maybe a Raytheon comes in to run the show. In an ideal world, that'd be documentation, kind of to bridge from one contractor to the next. But in the real world, documentation is usually lacking and key personnel have moved on. So how do you go about figuring out all the dependencies and process to process relationships in a satellite imaging system, for example, that one of the software factories is developing.Actually, we talked about this pre-show. DoD is probably the biggest proponent of DevOps. They're on the forefront of re-architecting a lot of these legacy applications and making new ones, cloud-native. The big software factories, the ones like Platform One, Castle Run, Thunder Campbell Sky, Sonic, there are a bunch of them. So these guys support these numerous applications. How do you make sense of these applications when the contracts change?Knowing the Unknown About the AIOps ToolAndrey: This is where an AIOps tool is of great help. I can keep going. Is there any question?Carolyn: How does the AIOps tool help that shift from contractor A to contractor B?Andrey: The tool would help with mapping out dependencies, both horizontally between components at the same time and vertically.Carolyn: Okay. It's keeping track of everything.Andrey: Yes, between components of different types. And then you will get a real-time map of the entire application stack end-to-end from your customer's web browser. All the way to the application, down to the underlying containers and infrastructure, cloud resources, and so on. 
All of a sudden, that stack of hay is no longer a stack of hay, but a logical interconnection of resources for consumers.Carolyn: Yes. See, I guess this is going to reveal how much of a developer I am not. I thought all that stuff had to be linked. Anyway, but you're telling me it's not, you need some kind of third entity to map it.Andrey: In an ideal world, you're right. But I’ve been in situations where there was a hasty hire and the developer did not provide any inline documentation of any kind. No comments within the code. So making sense of that is the most impossible without a third-party tool mapping all those dependencies.Mark: How do you think agencies are managing through these use cases like, we're talking about this digital transformation today?Carolyn: Yes. What if they don't have that tool in place?Andrey: Right now, it's very much just human elbow grease.Carolyn: No. That's not even possible.Science Fiction MoviesAndrey: I can't reveal a lot of things that I experienced firsthand, but you'd be surprised. So it's what you see in science fiction movies. These security operation centers like Starship Enterprise, those do exist, but they are far and few in between. The reality of things, especially with the smaller agencies. It's like three or four guys in a cube farm, looking at alerts and dashboards every couple of times a week. So without a tool like this, it's very difficult.Actually, this brings up the next use case. Well, maybe the next two use cases. So one is helping augment the IT staff shortages. For example, I get hit up on LinkedIn several times a day. The federal government can compete with the commercial vendors like Dynatraces of the world. They have to do more with less. For example, we have a civilian agency that was piloting a Dynatrace tool for intelligent observability. 
They were using Dynatrace with Ansible to proactively detect and remediate memory leaks in a large enterprise application.So Dynatrace would receive telemetry from the running processes. Then we'll use AI to determine if the telemetry received is indicative of a memory leak. So, this is not something that human can do. But if you're an AI operations platform, you have a broad statistical data set to make a decision upon. And so you say, \"Okay, this is indicative of a memory leak at a very early stage. Then the tool integrates with Ansible to restart the call process without any human intervention required.\"Carolyn: What do you mean restart the call process? Like, fix it?Knowing the Unknown From Poorly Written CodesAndrey: Yes. For example, a container that has some poorly written code on it is over utilizing the memory of the hypervisor it's running on. Sometimes the easiest way to fix these problems is just killing the process and bringing it back up, simple as that. But if you're a human and you have hundreds of containers running a copy of this microservice to support many threads, you don't know which one is problematic.So you have an AIOps to tell you exactly, \"Hey, this container has a memory leak. Let's kill it and bring it back up.\" And so you're also minimizing human error. That's another huge thing. This actually ties back to the next use case of how best automation works. So all these agencies usually rely on IT service management platforms like, ServiceNow, or they used to be BMC Remedy. It's now rebranded as BMC Helix, which you can run on prem.There's also SolarWinds, which has a couple tools like that. So an AIOps tool would be able to detect and create and it will parse its content and apply AI to take an appropriate action. And maybe send an email for Joe, the engineer, to go do action X. So you may have an application that worked prior to a new code release.Then you have a code upgrade and users are experiencing issues. 
Well, you can configure the solution. The AIOps tool or the software intelligence platform to automatically roll back code to the last working version. The software intelligence platform will take care of all the dependencies and do it correctly every time.The Room for ErrorImagine doing that just by us humans manually, the room for error is immense. Even if you've rolled back the code to the previous state, you probably forget one in 200 dependencies and you're in a world of hurt. But with a software intelligence platform, that can be all automated. In the federal government, that's kind of a key takeaway when you talk to federal customers.I was in cyber and you were trying to sell them all these point products. They're like, \"Look, I know it's great, but I don't have time for this. I have three guys doing all these things. We need something that provides automation.\" So automation, like you asked about before we started chatting, and what is the big takeaway from the federal government? I think automation is that journey to automate as much as possible.Carolyn: Well, based on what you just said, this is not a founded fear. But there is a fear when you talk about AI and when you talk about automation. That means loss of jobs, because the robots are going to take over.Andrey: Oh, yes.Carolyn: But what I heard you say is, and I've heard this from other people too, like Willie Hicks, our federal CTO.Andrey: It empowers workers and enables them to perform at their best. Yes. I mean, the stats are out there. There's simply not enough people to do this. Data keeps growing at exponential rates. Don't quote me on this, but in the last year, we've generated more data than in all of humanity, since World War II or something like that.Knowing the Unknown Real IssueMark: I wonder if you're seeing that fear of losing jobs is really not the issue. 
Because within a cloud-first mandated world, particularly in the federal space, it really allows organizations to take their smart people and re-allocate them. Have them do things that they really intended to do in the first place, as opposed to triage all the time.\n\nAndrey: So you have the issue, with all these disciplines growing, where there's the broad knowledge and the deep knowledge. Unfortunately, a lot of the smart people are now spread thin having to be experts in multiple areas. But there's only so much CPU. Even a smart person can allocate all this. So I feel like a software intelligence platform tool can help go deep and take care of all those nuances. Even if you look at the field of where networking used to be, I'd say, with networks we would configure everything box by box.\n\nEven to this day, most of the legacy networks and data centers in the federal government and even in commercial space are configured box by box. This is why we have CCAs making so much money back in the day. The CISCO certified is now the experts for those not familiar. But now there's a move to...","content_html":"

When you have billions of data dependencies, and one goes amiss, how do you figure out where the issue is? Listen as Mark and Carolyn are joined by Andrey Zhuk of CTG Federal to discover how artificial intelligence is opening new doors for data security and recovery.

Episode Table of Contents

  • [00:46] The Road to AIOps
  • [09:07] Overarching Umbrella
  • [17:25] Knowing the Unknown From Poorly Written Codes
  • [27:55] Knowing the Unknown in the World of Tech


The Road to AIOps

Carolyn: I'm excited to introduce today's guest, Andrey Zhuk, principal solutions architect at CTG and author of several eBooks. Today, we're going to talk about one of his latest eBooks, Software Intelligence for the Federal Government: The Road to AIOps. It focuses on cloud development migration in the federal government.

Carolyn: Let's start with the easy stuff. Tell us your story. What do you do? Where are you talking to us from? How did you get to where you are now?

Andrey: Sure. My background is actually electrical engineering. I used to design satellite systems and the networks that go along with them for the Department of Defense. From that, I went to the side of sales.

I was actually selling a lot of Palo Alto products and some optimization solutions. From there, I transitioned to the world of cloud. That's kind of where I got into the whole application performance management space. I was at a startup called Skyhigh Networks. They were one of the early cloud access security brokers. We were dealing with cloud apps and security cloud apps for government customers.

That's where I had the experience of dealing with the federal government workers, trying to modernize their applications. Then Skyhigh Networks got bought by McAfee. I was a solutions architect for cloud technologies with McAfee for a year or so. Then I moved on to CTG Federal to take on a principal architect position to help build their cybersecurity business with a little bit of the APM sprinkled in. We had a Dynatrace partner.

Knowing the Unknown About Satellite Stuff

Carolyn: Yes, we wish we could say that right upfront that we are partners. But before we get into it, I got to go back to the satellite stuff. How does that compare to what you're doing now, how long did you do that?

Andrey: Wow, probably six years, but ultimately everybody needs Facebook and satellite platforms get outdated like once every 10 years. So it's all about software.

Carolyn: Oh, so this is a lot faster for you then like, quicker pace.

Andrey: Yes.

Mark: The world that you're playing in now, Andrey, is it more high-level conceptual as opposed to the engineering work that you might have done, working on satellites?

Andrey: So it's interesting. The world is more about software now than it ever was before. Just to give you an example, the U-2 platform. They're the one that when it got shot down by the Soviets, that is still in operation. So that airborne frames still exist, but the internals get modernized. The internals get modernized with new circuits, new equipment, but the software on those circuits gets changed quite frequently.

Mark: We truly are living in a software world, are we?

Andrey: Yes. Which makes application performance management and software intelligence that much more important.

Carolyn: It gets us right to one of the first things we want to talk to you about is the title of this eBook that you wrote, Software Intelligence for Federal Government: The Road to AIOps. I'd like you to unpack it a little bit for me. So first, what does it mean? What do you mean by software intelligence for the federal government? And then what do you mean by the road to AIOps?

A World Powered by Applications

Andrey: So we live in a world powered by applications. The applications are everywhere. They control how we work and collaborate, how we book travel, how we get our entertainment, how we get medical care, and taxes. But the thing is these applications have grown in scale. It used to be not so long ago, even as far back as 10 years ago, we would have just a couple of servers with some backend storage. Interact somewhere, maybe at clinics or something like that, our rec space, but now that's changing.

All of a sudden the applications are running on top of complex computing infrastructures that are dynamic, hybrid, and multi-cloud. And now these environments contain hundreds, if not thousands of technologies. Million lines of codes, and literally billions of dependencies. So traditionally we manage all these applications with a set of disparate point tools.

This is what we call, tooling. Each one required human involvement. This is also what we used to call application performance management, different tools reporting back to us. But as applications grew, the traditional data centers into cloud and subsequently public and hybrid clouds. So the old ways of doing things could no longer scale. The volume of data aggregated by all these monitoring and observability point tools quickly became so immense that no human can make sense of it.

There's also an issue of the unknown unknown, so you can't stage for something that you have no clue can even happen. So we needed a new approach. This is where we need to make all these sensors to be intelligent and make sense of all this data. And so this is where the software intelligence comes into play.

Knowing the Unknown With Intelligence

Andrey: With software intelligence, we need to imbue these monitoring solutions with intelligence to make sense of all this stuff.

Carolyn: So have you seen that shift? You started the story where it was a lot more simple, was that the case when you were working on the satellites?

Andrey: Yes.

Carolyn: You've seen this shift through your career.

Andrey: Yes. So I'll give you an example. The old school application performance management circa 2010, it was primarily network-based. For example, I worked with a company called Riverbed. Back then, Riverbed was one of the hottest companies in Silicon Valley. They bought the startup from Cambridge, Massachusetts, which was called Cascade. All it did is it took packets from the network and made predictions about application performance based on flows and packet capture. That's it.

There are also a lot of competing solutions from the likes of NetScout, JDSU, and a couple of others. So it all just flows in the network. But now as things are changing going to the cloud, those solutions are no longer relevant. So you need something new.

Carolyn: So this isn't just a fundamental shift, I feel like this is a leap forward. I wouldn't say that it's equivalent to the invention of fire, but maybe.

Andrey: Maybe.

Carolyn: It's really huge to me.

Andrey: It's interesting. This is where the world of AIOps came to be. So artificial intelligence operations, I think it's a Gartner term. But ultimately it's referred to a suite of products or software platforms that bring together, act as a force multiplier for correlating data across application performance management tools, IT infrastructure monitoring. This would be like your SolarWinds type stuff and network monitoring and the other diagnostics.

Overarching Umbrella

At this point, AIOps is moving forward to now being this overarching umbrella which now encompasses application performance, infrastructure monitoring, AIOps. We used to think of it as opening tickets, for example, and maybe automating service, ticketing and response. But now we also include digital business analytics, which is especially important to the likes of say, Uber and the digital experience.

Mark: Yes, and user experience.

Andrey: Right. Especially if we think about the likes of Uber, this is where these kinds of platforms really come into play, just behemoths. How do you make sense of it all?

Carolyn: You mentioned something about our lives are run by, I mean, you said the word millions and billions, even at one point.

Andrey: Billions of codes and dependencies. Yes.

Carolyn: Yes, and dependencies on an application. So give me some examples.

Mark: Some use cases.

Carolyn: Tell me a story about AIOps and I guess, how we're using it now, compared to what we were doing before?

Andrey: Sure.

Carolyn: You kind of already talked about that.

Andrey: I feel like we were talking more about the public sector or federal space. One of the best use cases that's easy to latch onto, even before undergoing through this transformation technology and re-architecting all your software. It's probably just a mean time to recover. So mean time to recover, your MTTR, that refers to ability to recover a system back to an operational state. When you have billions of dependencies, something goes amiss, how do you figure out what the issue is?

Where AIOps Come Into Play

Andrey: So this is where an AIOps can come into play and be able to help you figure out, find that needle in the haystack. You go from weeks of teams trying to figure out what the issue is. Isolating components and testing to literally hours, because you have all this data and it's not just a sea of information. It's very precise nuggets of information telling you when something is amiss. So that's kind of the easiest to digest use case. The other one, which was very much a federal, I feel like federal specific is mission continuity between contracts.

So imagine you have a big contractor. Like Nordstrom come and run the show at one of the satellite facilities I worked with for the Department of Defense. Then that contract expires and maybe a Raytheon comes in to run the show. In an ideal world, that'd be documentation, kind of to bridge from one contractor to the next. But in the real world, documentation is usually lacking and key personnel have moved on. So how do you go about figuring out all the dependencies and process to process relationships in a satellite imaging system, for example, that one of the software factories is developing.

Actually, we talked about this pre-show. DoD is probably the biggest proponent of DevOps. They're on the forefront of re-architecting a lot of these legacy applications and making new ones, cloud-native. The big software factories, the ones like Platform One, Castle Run, Thunder Campbell Sky, Sonic, there are a bunch of them. So these guys support these numerous applications. How do you make sense of these applications when the contracts change?

Knowing the Unknown About the AIOps Tool

Andrey: This is where an AIOps tool is of great help. I can keep going. Is there any question?

Carolyn: How does the AIOps tool help that shift from contractor A to contractor B?

Andrey: The tool would help with mapping out dependencies, both horizontally between components at the same time and vertically.

Carolyn: Okay. It's keeping track of everything.

Andrey: Yes, between components of different types. And then you will get a real-time map of the entire application stack end-to-end from your customer's web browser. All the way to the application, down to the underlying containers and infrastructure, cloud resources, and so on. All of a sudden, that stack of hay is no longer a stack of hay, but a logical interconnection of resources for consumers.

Carolyn: Yes. See, I guess this is going to reveal how much of a developer I am not. I thought all that stuff had to be linked. Anyway, but you're telling me it's not, you need some kind of third entity to map it.

Andrey: In an ideal world, you're right. But I’ve been in situations where there was a hasty hire and the developer did not provide any inline documentation of any kind. No comments within the code. So making sense of that is almost impossible without a third-party tool mapping all those dependencies.

Mark: How do you think agencies are managing through these use cases like, we're talking about this digital transformation today?

Carolyn: Yes. What if they don't have that tool in place?

Andrey: Right now, it's very much just human elbow grease.

Carolyn: No. That's not even possible.

Science Fiction Movies

Andrey: I can't reveal a lot of things that I experienced firsthand, but you'd be surprised. So it's what you see in science fiction movies. These security operation centers like Starship Enterprise, those do exist, but they are far and few in between. The reality of things, especially with the smaller agencies. It's like three or four guys in a cube farm, looking at alerts and dashboards every couple of times a week. So without a tool like this, it's very difficult.

Actually, this brings up the next use case. Well, maybe the next two use cases. So one is helping augment the IT staff shortages. For example, I get hit up on LinkedIn several times a day. The federal government can compete with the commercial vendors like Dynatraces of the world. They have to do more with less. For example, we have a civilian agency that was piloting a Dynatrace tool for intelligent observability. They were using Dynatrace with Ansible to proactively detect and remediate memory leaks in a large enterprise application.

So Dynatrace would receive telemetry from the running processes. Then we'll use AI to determine if the telemetry received is indicative of a memory leak. So, this is not something that human can do. But if you're an AI operations platform, you have a broad statistical data set to make a decision upon. And so you say, "Okay, this is indicative of a memory leak at a very early stage. Then the tool integrates with Ansible to restart the call process without any human intervention required."

Carolyn: What do you mean restart the call process? Like, fix it?

Knowing the Unknown From Poorly Written Codes

Andrey: Yes. For example, a container that has some poorly written code on it is over utilizing the memory of the hypervisor it's running on. Sometimes the easiest way to fix these problems is just killing the process and bringing it back up, simple as that. But if you're a human and you have hundreds of containers running a copy of this microservice to support many threads, you don't know which one is problematic.

So you have an AIOps to tell you exactly, "Hey, this container has a memory leak. Let's kill it and bring it back up." And so you're also minimizing human error. That's another huge thing. This actually ties back to the next use case of how best automation works. So all these agencies usually rely on IT service management platforms like, ServiceNow, or they used to be BMC Remedy. It's now rebranded as BMC Helix, which you can run on prem.

There's also SolarWinds, which has a couple tools like that. So an AIOps tool would be able to detect and create and it will parse its content and apply AI to take an appropriate action. And maybe send an email for Joe, the engineer, to go do action X. So you may have an application that worked prior to a new code release.

Then you have a code upgrade and users are experiencing issues. Well, you can configure the solution. The AIOps tool or the software intelligence platform to automatically roll back code to the last working version. The software intelligence platform will take care of all the dependencies and do it correctly every time.

The Room for Error

Imagine doing that just by us humans manually, the room for error is immense. Even if you've rolled back the code to the previous state, you probably forget one in 200 dependencies and you're in a world of hurt. But with a software intelligence platform, that can be all automated. In the federal government, that's kind of a key takeaway when you talk to federal customers.

I was in cyber and you were trying to sell them all these point products. They're like, "Look, I know it's great, but I don't have time for this. I have three guys doing all these things. We need something that provides automation." So automation, like you asked about before we started chatting, and what is the big takeaway from the federal government? I think automation is that journey to automate as much as possible.

Carolyn: Well, based on what you just said, this is not a founded fear. But there is a fear when you talk about AI and when you talk about automation. That means loss of jobs, because the robots are going to take over.

Andrey: Oh, yes.

Carolyn: But what I heard you say is, and I've heard this from other people too, like Willie Hicks, our federal CTO.

Andrey: It empowers workers and enables them to perform at their best. Yes. I mean, the stats are out there. There's simply not enough people to do this. Data keeps growing at exponential rates. Don't quote me on this, but in the last year, we've generated more data than in all of humanity, since World War II or something like that.

Knowing the Unknown Real Issue

Mark: I wonder if you're seeing that fear of losing jobs is really not the issue. Because within a cloud-first mandated world, particularly in the federal space, it really allows organizations to take their smart people and re-allocate them. Have them do things that they really intended to do in the first place, as opposed to triage all the time.

Andrey: So you have the issue, with all these disciplines growing, where there's the broad knowledge and the deep knowledge. Unfortunately, a lot of the smart people are now spread thin having to be experts in multiple areas. But there's only so much CPU. Even a smart person can allocate all this. So I feel like a software intelligence platform tool can help go deep and take care of all those nuances. Even if you look at the field of where networking used to be, I'd say, with networks we would configure everything box by box.

Even to this day, most of the legacy networks and data centers in the federal government and even in commercial space are configured box by box. This is why we have CCAs making so much money back in the day. The CISCO certified is now the experts for those not familiar. But now there's a move to...

","summary":null,"date_published":"2021-08-11T07:30:00.000-04:00","attachments":[{"url":"https://aphid.fireside.fm/d/1437767933/81d9d6b0-0045-48da-8495-fd87c4613d7f/cd84a8e1-2994-4510-816e-76a3d2392a9f.mp3","mime_type":"audio/mpeg","size_in_bytes":30161618,"duration_in_seconds":1878}]}]}