Standing up for what you believe is tough at any job, especially when there’s a lot at stake — your career, credibility and a mission that impacts millions of people.
But one thing you can’t discount is your conviction.
For the Small Business Administration’s (SBA) Guy Cavallo and his boss, Chief Information Officer (CIO) Maria Roat, that conviction runs deep. So much so that Cavallo and Roat are challenging the government’s approach to implementing a multibillion-dollar cybersecurity program run by the Homeland Security Department (DHS).
“The technology is moving so fast now that the policy and mandates are way behind, and that creates a problem,” Deputy CIO Cavallo said last month during the ATARC Cloud and Infrastructure Summit. “Do you implement the current technology that gives you better cybersecurity protection or do you stay under the old limits of policy and directives?”
At SBA, the answer to that question is clear: Roat empowers employees to challenge the status quo and seek better outcomes. This is particularly true as it relates to SBA’s implementation of the Continuous Diagnostics and Mitigation (CDM) program. The program, which launched in 2013, was designed to equip agencies with automated security tools that help them continuously detect cyber risks, prioritize those risks based on potential impact and address the most serious problems first.
But Cavallo noted that the CDM program was developed for an on-premise world, and that world is gradually moving to more cloud-based operations. The standard approach to implementing CDM involves many tools that aren’t interoperable out of the box, which means continuous customization to make them work together and a blank check for the integrators doing the work, he said.
In regard to CDM, SBA’s IT leaders didn’t take the road less traveled. They charted a completely new path.
They asked DHS for a pilot program to prove that cloud-based cybersecurity tools meet the objectives of CDM, not just the letter of the law. “We said, ‘The cloud is the answer to this,’” Cavallo said. “‘Let’s flip this around. Instead of using on-premise tools to monitor and secure a cloud, let’s use the cloud tools to monitor [and] secure on-prem,’” he added.
“If the on-premise CDM program gave me better protections of doing that, I absolutely would be doing that,” Cavallo explained. “But what we’ve done in the cloud we believe runs circles around on-premise tools because we’re using unlimited big data [and] we are using AI in the cloud. I don’t have to rely on a ton of individuals staring at monitors trying to piece together something [that] happened on this monitor over here and something else [that] happened on this monitor over here.”
For the first time in his IT career, Cavallo said he can quickly and accurately respond to auditors’ requests to know how many PCs are operating on SBA’s network. “I can actually do a data call in less than five clicks, and if you can’t do that today, whatever tools you are using today are failing you. You should welcome a data call.”
When DHS recently asked agencies to identify any use or presence of Kaspersky products on their IT systems, Cavallo said SBA was able to determine with just three clicks that a contractor and guest user on the network were using the software. This was all thanks to the agency’s cloud-based security tools.
“The reason I can do that is we are using cloud big data and AI to take data, not from one tool, but from five different tools, mashed together so that we come up with an algorithm that tells me exactly what we have,” Cavallo said.
The team at SBA is coordinating with DHS to detail the agency’s experiences and findings from the CDM pilot. The overall benefits have been simpler cybersecurity, better protection and cost savings from shutting down disparate and one-off tools. The pilot enabled SBA to decrease the number of cybersecurity monitoring tools it relies on from 38 to about five.
But getting to that point required a willingness to challenge the status quo and change the culture. “You have to take the gambles,” Cavallo said. “We tried some things and we failed.”
He encouraged agencies to be flexible, take risks and borrow lessons learned from other agencies.