This post first appeared on Federal News Network. Read the original article.
Cordell Schachter, the Transportation Department chief information officer, doesn’t get too enamored with technology.
Not new cloud services or new whiz-bang cybersecurity tools, or even the DevSecOps approach DoT is implementing.
Rather, Schachter is attracted to the end result that technology will lead the department to – solving the business and mission challenges of DoT.
“DoT is such a large enterprise and we’re federated so we have operating administrations or modes with very specific missions that are quite different from each other. They have different needs in their particular area of expertise, in most cases doing some sort of oversight, possibly enforcement, and bring with them a suite of legacy applications, some of which had been migrated to the cloud, some that are on our portfolio to be migrated in the future,” Schachter said. “We’ve had probably the greatest accomplishment in the areas of common systems such as email, cloud storage, authentication and various cybersecurity tools that we’re able to deploy at scale across the enterprise.”
The federated nature of DoT is why Schachter is taking a portfolio approach to IT modernization.
The portfolios center on three main areas:
- Cybersecurity
- Workforce
- Modern development techniques
For each of them, the technology, whether cloud or artificial intelligence or whatever is the current rage, underlies, but doesn’t drive the priorities. And all three are interrelated to help DoT meet its mission goals.
The cybersecurity portfolio is taking advantage of cloud capabilities as well as implementing a secure-by-design approach in all migrations and modernization efforts. It is an approach that Schachter said is disarmingly simple to describe, but complicated and difficult to implement.
“There is a cultural change that needs to happen in terms of how cybersecurity is done. If you have a fixed budget for a particular program, or project, cybersecurity is going to consume a larger portion of that budget than you might have estimated to begin with. So we certainly need to confirm our estimates to make sure that cyber is given the proper allocation,” Schachter said. “The second is you’re going to need expertise, either full time on that team or consulting with the team, because cybersecurity isn’t about just standing up a particular tool. But it’s the three elements of people, process and technical tools that are going to get you to that secure cyber place that we all need to be.”
Secure-by-design requires a culture change
While it’s clear everyone from the secretary on down understands the critical need to secure systems and data, Schachter said he meets daily with leaders in the operating administrations and modes to review the latest threats, alerts and data to constantly update the department’s cyber posture.
Over the course of the last several years, the number of people participating in those calls has increased as the understanding and challenges of cybersecurity became better known.
Of course, DoT is leaning in on cyber capabilities in its multi-cloud environment.
“We definitely want to know that when we’re either entering or renewing a contract with one company or reseller or another, that we’re truly getting best value for the taxpayer. Within those cloud enterprises, they offer services that compete with third party sellers in the area of cybersecurity and we want to find the right mix of what services are available within that cloud that are enabled more easily, once you’re within that environment,” he said. “Then what other, especially cybersecurity services do you also want to add to the mix, so you’re not entirely dependent on one provider or even one technique to keep your enterprise resilient. In the old days, we would say we might subscribe to two different antivirus providers because the virus signatures weren’t the same. Now we’ve evolved to a point where most of that antivirus is predictive and algorithmic in nature. But yet, there are still various different types of techniques and secret sauce out there for detecting the activities of threat actors. We want to have the broadest spectrum of tools and scanning.”
The secure-by-design approach and cloud capabilities require a workforce that is skilled and knowledgeable in how to manage and oversee many of these efforts.
Schachter said, like most agencies, his focus is both on recruiting the best and brightest employees and on retraining current workers to meet the needs of today and the future.
DoT’s CIO’s office has about 400 full time and contractor employees and about 70 vacancies the department is trying to fill.
“We’re aggressively hiring for cyber data positions, infrastructure, application development, project managers and many other positions. We have important roles to fill,” Schachter said. “We’re also now leaning into creating a much larger internship program to bring opportunities to either recent college graduates or people who are new to the workforce that might entertain a position at DoT’s office of the CIO. We will provide a lot of mentoring and coaching to entry level type positions in hopes of both growing our own leadership, and also building a more diverse workforce, as well as one that is better insulated against the great retirement, that people have been talking about now for a number of years.”
Third leg of modernization: DevSecOps
One consequence of hiring, training and retaining a more highly skilled workforce is that the complexity and challenge of their work also will increase.
Schachter said bringing automation and other tools to storage, email or other common back office functions is reducing the day-to-day burden on the staff.
“We’ve made it more difficult for ourselves by implementing practices such as multifactor authentication and zero trust. We’ve taken on new challenges to replace some of those old ones, but those challenges are much more difficult than what we faced just five or six years ago,” he said. “I believe there’s no substitute for experience and having people at the Department of Transportation that have transportation experience, it’s much easier for them to identify with their particular operating administration’s challenge. Even if their expertise was not in that particular sector, I think they can apply lessons they may have learned in another sector.”
The third priority, developing systems and applications in a modern way based on best practices, is the final leg of DoT’s IT modernization efforts.
Schachter said DoT needs to build a stronger practice around project management, application development and oversight, as well as actually develop applications on modern, and in most cases cloud-based, secure platforms.
“We’ve had internal teams and interdisciplinary teams, for example, create a DevSecOps playbook; putting that into practice across legacy systems is difficult. But adding that to the system that we’re creating or will create gives you a greater opportunity,” he said. “That’s where you really change the culture because sticking with the legacy technologies gives you fewer options as well as presents greater risks to the enterprise.”
All three priorities are driven by decisions that are risk informed and risk directed.
“We want to apply our efforts to those things first that present the greatest risk. We define risk in more of a textbook way. It’s not just a list of scary things, anybody can put that together. But which of those scary things do you approach first, and that has to do with both the impact of that scary thing if it happens, but also the likelihood that’s going to happen,” Schachter said. “Whether it’s in a sector environment, in one of our transportation nodes, or it’s in the enterprise IT where that boundary now is graying, as a lot of operating technology that used to be on mechanical systems used to be separate from the IT network, if it was on a network at all. That OT is now becoming IT. Really it is best managed using those same IT controls. Now you need partnership on both sides, IT and OT. In transportation, as in many other fields, the lines between where IT now needs to crossover and help are being pushed out. This is why all of IT needs to follow a risk-based approach. We need to do risk assessments. We need to capture risk registers and we’re able to prioritize risks according to their probability and impact.”
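The prioritization Schachter describes, a risk register scored on likelihood and impact and sorted so the highest-scoring items are addressed first, as a small added example; the register entries, the 1-to-5 scales and the tier thresholds are constructed for illustration and are not DoT's own data or tooling.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    """One line of a risk register. Likelihood and impact use a 1..5 ordinal scale
    (assumed here); the 'textbook' score is their product."""
    identifier: str
    description: str
    domain: str       # "IT" or "OT"; OT assets are now managed under the same IT controls
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.identifier}: ratings must be in 1..5")
        return self.likelihood * self.impact


def tier(score: int) -> str:
    """Map a score to a treatment tier; thresholds are an assumption, not DoT policy."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(register):
    """Highest score first. Ties break on impact, then identifier, so the order is
    deterministic and a high-impact item is never buried behind an equal-score one."""
    return sorted(register, key=lambda r: (-r.score(), -r.impact, r.identifier))


def top_risks(register, n=2):
    """Identifiers of the n entries to work first."""
    return [r.identifier for r in prioritize(register)[:n]]


# Constructed sample register (hypothetical entries, not DoT's actual risks).
SAMPLE_REGISTER = [
    RiskEntry("R-01", "Legacy oversight app with no multifactor authentication", "IT", 4, 4),
    RiskEntry("R-02", "Control-system host reachable from the enterprise network", "OT", 3, 5),
    RiskEntry("R-03", "Cloud storage share with overly broad permissions", "IT", 2, 3),
    RiskEntry("R-04", "Single antivirus vendor, no second detection technique", "IT", 3, 2),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.identifier} [{r.domain}] score={r.score():2d} tier={tier(r.score())}  {r.description}")
```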
Did you want to hear from other participants at our 2023 Cloud Exchange? No worries, on Monday you’ll find all the sessions available on demand on our event page.