Imagine this scenario taking place at your agency. You were considered one of the worst-performing IT organizations in government. The Inspector General Agency Report listed “lack of CIO leadership was a serious risk to the agency” when discussing you. You had no cloud strategy or funding. Windows Server 2003 was still in production for most systems almost two years after all security support ended from Microsoft, with no plan to upgrade. You had a traditional on-premise security operations center using 35+ tools to try to create a single view of network and security.
Finally, you’d gone through 8 CIOs in one decade – and a staff vacancy rate of over 20%.
This wasn’t a nightmare. At the Small Business Administration from 2006-2016, it was the reality, said Guy Cavallo, Deputy CIO at the SBA today, during GovLoop’s latest Virtual Summit.
“We referred to it as the lost decade,” Cavallo said. “We were not a leader in technology at all.”
When Cavallo and his boss, CIO Maria Roat, showed up at the Administration, they came determined to change it all. And it was all about moving quickly, being the first to attempt things, and thinking big – even with a small staff and short timelines.
Cavallo said shifting the focus to the speed of change when it comes to government IT these days is the first necessary step.
“You cannot measure IT modernization projects in years anymore – you have to measure them in months,” Cavallo said. “To do that we had to fix the leadership issue.” Roat, Cavallo and others joined in 2016-2017 and decided right away to advice a cloud project and get it funded and moved forward.
To help with this, Cavallo and his colleagues modified existing technical support contracts to include requiring cloud expertise, and a new cloud technical support contract was awarded. From there, the team at SBA focused on three critical 90-day project pilots: architect, design, and build SBA’s first cloud; their TIC Modernization Pilot; and their CDM Modernization Pilot.
The SBA managed to adopt a cloud solution in a mere 82 days — a notable feat, especially considering where the agency was when Cavallo first came on in 2016. At that time, it still utilized up to 55 Windows Server 2003 machines, for which Microsoft had ceased to provide security updates.
To do this, Cavallo focused on the people structure instead of focusing exclusively on the IT. He created several “cloud tiger teams,” each of which was spearheaded by a federal manager. They were given areas of responsibility, including service management, engineering, automation, migration and cloud operations, and Cavallo was the executive sponsor of the project.
In regard to CDM, SBA’s IT leaders decided to chart a completely new path, as Nicole Blake Johnson recently wrote for GovLoop.
They asked DHS for a pilot program to prove that cloud-based cybersecurity tools meet the objectives of CDM, not just the letter of the law. “We said, ‘The cloud is the answer to this,’” Cavallo said. “’Let’s flip this around. Instead of using on-premise tools to monitor and secure a cloud, let’s use the cloud tools to monitor [and] secure on-prem,’” he added.
For the first time in his IT career, Cavallo said he can quickly and accurately respond to auditors’ requests to know how many PCs are operating on SBA’s network. “I can actually do a data call in less than five clicks, and if you can’t do that today, whatever tools you are using today are failing you. You should welcome a data call.”
When DHS recently asked agencies to identify any use or presence of Kaspersky products on their IT systems, Cavallo said SBA was able to determine with just three clicks that a contractor and guest user on the network were using the software. This was all thanks to the agency’s cloud-based security tools.
What was their secret to successfully implementing all of this change?
“You have to be willing to be first,” Cavallo advised the webinar audience. “And remember, this doesn’t take an army. Give yourself permission to start small. Everything we built is for SBA, which is a small agency, but it should be able to scale. And finally, this all can be accomplished in a short time. We just needed the dedication of leadership.”
Cavallo concluded his presentation with this challenge to the audience: “Why not you? Why can’t you be the next one to do things like this? We have failed sometimes, but that’s okay – we encourage trying things out and learning. But remember we all have to get on this fast train of technology because it’s only going to go faster.”
If you want to attend sessions like this one at future virtual summits, pre-register today!