Government and Remote Work Status - Ep. 102
As we approach the end of 2020, Sean Berg shares his perspective on how the government has done on the rapid transition to remote work, the pros and cons and what's next.
Episode Table of Contents
- [02:13] A Herculean Effort
- [08:12] The Amount of Government Remote Work Increased Dramatically
- [14:39] What COVID Taught Our Adversaries
- [22:07] Government Remote Work and Risks Associated With COVID
- About Our Guest
A Herculean Effort
Carolyn: This is the last episode in cybersecurity month. It’s wrapping up cybersecurity month and it's a very fitting topic.
Carolyn: We have our Senior Vice President for Global Governments and Critical Infrastructure, Sean Berg. He’s here to talk about how he has seen the government react and respond to COVID. Welcome back, Sean.
Sean: Thank you. Great to be back.
Eric: Sean, we're over eight months in. I saw a quote yesterday repurposed from Churchill's saying, "We're near the end of the beginning." Where are we going to go from here?
Sean: Certainly, as this kicked off back in mid-March. No one in government understood the level of disruption and the magnitude of impact that COVID would have and how the government does business. Everything from going to work, working in spaces, to how they process classified work. Even how they go to battle has changed over just the last six to eight months. Organizations within government are getting better at this.
Sean: They understand the lay of the land. They've made a Herculean effort back in March to shift their workforce from an office workforce to a remote workforce. Within record time, a lot of them had plans in place to be able to support five, 10, 15% of the workforce moving.
Sean: To rapidly go to 100%, or 80%, or some variants of that has been a Herculean effort. Getting that done in the time that they did was really amazing. The first phase of this was probably the first couple of months where it was just to get everyone online, to be able to communicate, give them access to email remotely.
A Pretty Good Job in the Transition to Government Remote Work
Sean: Get them in a notebook if they didn't have one, and ensure that they could do some level of work. Works fine in the unclassified world, less so in the classified spaces. You have to have access to a particular facility in order to be able to do work. The next phase of this is a couple of things. One, connectivity is the first thing, and then comes security. Making sure that the work that they do is done in a secure fashion.
Eric: They nailed connectivity. There were mistakes, but most government agencies I've been involved with did a pretty good job of getting their people online. Whether they had to buy laptops or let them use work from home devices, personally owned devices. I feel like most customers did a good job.
Sean: In the unclassified space.
Carolyn: What did they do for the class?
Sean: Across the DOD, we've seen this with specific customers and where they've basically had to disperse their workforce. Leverage commercial solutions for classified or other types of technology to light up non-traditional workspaces with access to secret networks. That is new. The Department of Defense has been doing it for VIPs and senior leaders for some time.
Sean: To do this in a more organized fashion, to give more people access to those classified spaces. Giving non-traditional classified access into non-traditional spaces is something that's new. Government, Department of Defense, Intelligence Community are all looking at this. As a means of, okay, in a pandemic, you can't aggregate people into confined spaces like skiffs.
Keeping the Classified Communication Going
Sean: You need to look for other means with which people can communicate and collaborate. Albeit maybe not on a top secret level, but on a secret level where you can disperse your workforce to other commercial buildings. Then be able to quickly wire it up for classified access. That's a good means of being able to keep the classified communication and collaboration going.
Eric: We'll learn going forward that this will be the new normal, if you let me use that overused term. When COVID goes away, we will still allow for types of access where it makes sense.
Carolyn: Any process in the government seems like it takes a really long time. You're saying, getting access to classifieds happened very quickly. I'm wondering if processes had to change to make that happen quickly.
Sean: Processes and policy.
Carolyn: Is that going to be the new normal? Are we going to live under those new processes and policies? Will we go back to the old, let's take five years to do something?
Sean: Everyone recognizes the importance of resilience within their organization and in facing threats. Whether it's a pandemic like COVID or whether it's a near peer adversary that's denying spaces for you. Dispersion of a fighting force or workforce is going to be an important means of resilience. We're learning a lot. The government's learning a lot in this.
Sean: It's only going to help us as we build better business continuity plans, better resilience across the workforce. New ways of collaboration for sure is probably one of the biggest benefits from this predicament that we're in. People are becoming more comfortable collaborating over video and being able to get work done.
The Amount of Government Remote Work Increased Dramatically
Sean: They didn't feel like they were able to in the past, where you can have access to talent across the nation. Before, certainly there's jobs and roles which you felt had to be gone in a particular location. That limited the pool of talent you could access to fulfill that.
Sean: Now that talent, the amount of jobs that are able to be supported remotely has increased dramatically. That's going to increase the labor pool. To have benefits from a diversity and experience perspective that we're still trying to figure out.
Eric: The world changes. At the Edge Summit in the end of September, Steve Hernandez was in my panel, the CIO of the Department of Education.
Eric: He’s awesome and a great CIO. He made a comment, which I have written down here, "I have a physical building, I have gates, guns, and guards. I have my land, and you have to get access through it. Then Cloud happened, and that really rocked most of us back on our heels." That flows in with COVID also.
Eric: COVID was a big move to the cloud, Sean. No longer did gates, guns, and guards matter, because all of a sudden you're processing your work. Everything was done in a very dispersed manner. From people's homes, vacation homes, family, living with their parents, whatever it may be. The world's changed.
Sean: Definitely. If you think about the next phase of this that everyone's grappling with, first it was to get everybody online. Then it came to, "Okay, how do we secure this?" The world's changed. Applications are in the cloud, albeit maybe a protected cloud or something to that effect.
A Big Concern of the Government
Sean: How you access technology remotely is very different than it once was where everything was routed through the corporate environment. This is a big concern of the government. They look at architectures like Zero Trust where you're basically authenticating everyone coming onto the network and the associated privileges.
Sean: You're doing micro-segmentation and things like that are becoming the mainstay. You have to do this. You're not going through a traditional routing through a corporate network to get access to resources. You have to do this. You're not going through a traditional routing through a corporate network to get access to resources.
Sean: Even as you look at Zero Trust and the components of it, there's a lot of traditional components of it. You start thinking that people will have access from home office on either corporate systems or BYOD systems. Then you have to make sure you authenticate somebody as they come onto the network.
Sean: But how do you continuously make sure that that person is who they are? That they're behaving appropriately based on their role and who they are. So behavior analysis is in analytics across an individual. Taking a human-centric view of security becomes even more important.
Carolyn: The Zero Trust idea that you're talking about was at the summit.
Sean: Steve spent a lot of time talking about it.
Carolyn: We've been talking about Zero Trust forever, at least 10 years. For some reason, that panel, a light went on in my head. I was like, "Okay, this is the philosophy. This is something that we need to be doing just across the board. It's not a technology. This is a way that we should be doing business."
A Journey and a Way of Thinking
Eric: It's a journey, Steve said. He was really brilliant. Him and Merner going back and forth. It's a journey, I absolutely agree with that. It is a journey, but it's a way of thinking. The work has dispersed, it has changed.
Carolyn: It seems possible too, for George Caymus and General Brendler to talk about cross-domain in the cloud. It is not that far off, and it seems like Zero Trust is one of those things. One of those ideas that's really going to make that secure.
Sean: When you think about cross-domain and cloud, they're diametrically opposed. Cross-domain is a device that connects various networks at varying levels. It is an enabler for clouds. Cloud service providers are now providing clouds at different security levels, whether it's unclassified, or secret, or higher. You have to be able to move information between those environments.
Sean: A lot of sources for data that needs to go into a secret cloud will come from the unclassified arena or from an unclassified source. Therefore, it needs to come across a cross-domain device in order to be able to go in there. Have a platform, like Azure or Office 365 that may exist within a higher security cloud. Those aren't connected to the internet.
Sean: To update the platforms and the applications that reside on those platforms, you have to leverage cross-domain capabilities. Think about the importance of cross-domain capability, to leverage the full value of cloud at multiple security levels. That technology is an absolutely critical enabler of success for customers and what they're trying to accomplish.
What COVID Taught Our Adversaries
Eric: Accessibility to that information, whatever it may be, is key. The other thing, as I look at the space, our adversaries have learned. COVID taught them something. We can work from home, but our systems were much less secure the day we decided to do that. We're going to secure them more.
Eric: Our adversaries learned that when we disperse the workforce, they're online and working, but they're also accessible. We don't have physical buildings, gates, guns, and guards protecting them at that point. Now, it's a home network. It's, "What's your weakest link. Maybe it's your five-year-old who's watching, I'm dating myself, Barney." I don't know what five-year-olds watch right now.
Eric: So is my 13 year old now, constantly on YouTube? Maybe that's an accessible path, a vector.
Carolyn: We talked to Jason Ducheneaux from Booz Allen a few weeks ago. Remember, he said that we got five-year-olds getting on company devices, getting on agency devices. Think about what that's doing.
Sean: You're investing a lot in Zero Trust and the authentication of individuals. How are you ensuring that a user's credentials aren't compromised at some level? It's really interesting. This goes back to understanding the behavior of the people on your network. What they're supposed to be doing, and what's appropriate, what's not.
Sean: Identified risk within user groups, that's critically important in understanding if you do have threats. If you have somebody whose credentials have been compromised, it'll show up. You're doing things that aren't normal for a person like that. That risk identification can then be used by other aspects of the Zero Trust architecture, from a micro-segmentation perspective.
High Risk Within Organizations
Sean: If you have somebody that pops in at high risk within the organization, maybe you segment them down as to what they can access. Then from a credentialing and identity perspective, maybe you re-authenticate them. Lots of interesting tools are enhanced when you can identify risks with an organization based on the behavior of individuals.
Sean: Many people and organizations get concerned around this saying it's surveillance, and that they're monitoring. They're monitoring me and what I'm doing on the network. I view this more as protection. They're protecting individuals. No one here wants our credentials to be used in a nefarious way. So I do want some level of monitoring.
Sean: Understand if my credentials are doing things that they shouldn't be doing, and then identifying that as a risk. Ensuring that bad things don't happen because of that, that's something too. As we think about enhancing the Zero Trust architectures and leveraging behavioral analytics, it's about protection, not about surveillance.
Eric: It's not positioned that way at all. You rarely hear it talking about the benefit to the employee, to the agent, the contractor, the user as protection. You're right, Sean, a police escort is very different from being taken to jail in the backseat of a cruiser. One's surveillance, one's monitoring, and one's heavy-handed, but the other is very free. It helps you get somewhere faster and safer.
Carolyn: I want to go back to something that you mentioned before, Sean. It came up in our session with General McChrystal, and in our session with George Randle about the talent war. It’s the word resilience. You mentioned it a couple of times as government agencies were moving to remote and being resilient. What does that word mean to you?
Applying Resilience in Government Remote Work
Sean: It means diversity, it means not having all your eggs in one basket. Let me give you an example. I've got software developers across the country. Multiple sites that do development for the various platforms that we bring to market. With COVID, we've demonstrated we can do all of this development work from remote locations. What has that allowed us to do?
Sean: Say, we need specific types of capability that we couldn't find in a geographic location where we needed it. We can now go hire him someplace else in the United States. Some individuals have that skill, that capability that we wouldn't be able to target, historically.
Sean: Based on our operating model of how we looked at talent, where we needed them, and how we've hired them. To me, that's resilience. Where you can have dispersion of force, where you can tap talent wherever that talent may be. To be able to apply the best and brightest wherever they're located to the problem that you need to solve.
Carolyn: It's such an important point. When we limit ourselves geographically, in our day and age now, that's really archaic.
Sean: You want access to this new talent pool out there, this gen X or gen Z, this millennial talent pool. You have to find the more they are.
Carolyn: As we wrap up, where do you see us, I guess in the next six months, in a year?
Sean: I don't see anything happening different in the next six months. We may get early stages of a vaccine that we start to deploy. Over the next six months, we're not going to have that and any sort of force on it.
Government Remote Work and Risks Associated With COVID
Sean: I don't see things changing too much from where they are right now over the next six months. We'll start seeing things change towards maybe the end of '21. That said, the government's moving on. They're actively engaged in the pursuit of their missions.
Sean: We've recognized that this is the new normal. I hate that term, but it's the truth. We're thinking, we're innovating. We are coming up with creative and new ways of addressing all the challenges given the current risk associated with COVID. We're in this for a while longer, for sure.
Sean: When we're past it, when the vaccine has been fully deployed, we're going to look back at all of this. Things will have fundamentally changed, how we do business, how we work, and how we address challenges internally and abroad. COVID has inextricably changed how we will do business as a government, as a commercial business forever.
Eric: I think of the positive, Sean. We'll actually celebrate the fact that we can now hire from different parts of the country. We have more flexibility about where and when we work. Now we have additional resiliency built into the system. When a data center comes offline or an application comes offline in one place, it comes back in the other.
Eric: I can work from different devices. On the positive side, I fully agree with you. We're looking at least another, I don't even go through a date out there, because you're guaranteed to disappoint. There will be positive aspects, positive learnings out of this.
Eric: As Matt Moynahan, our CEO, has said, "When COVID hit, IT did what would have taken years of study. Hundreds of millions of dollars, and they just did their jobs. They just moved." That we should celebrate and I think we'll benefit.
Sean: This is something that everybody needs to do at every single level. We have to look and see, what are the best practices? What are the learnings, what's going to make us more resilient? What's going to make us more efficient and better at doing things?
Sean: I'm going to change my approach to travel, my approach to customer engagement, my approach to partner engagement, for sure. We can do so much with the technology that we have today, with video conferencing, and Zoom, and Teams. All of those different capabilities now, we've never had that before.
Sean: You can do so much more now that people are comfortable with using it. We couldn't do it before when people weren't comfortable using it because they would prefer you to be face-to-face. Now with COVID, we're leveraging this technology in new ways that we've never done. I'm excited about the innovation.
Eric: It's accepted. I remember one day, you told me you were in Colorado meetings, you were in Georgia meetings, I think it was DC all in the same day. Physically impossible to have three meetings in three different cities or states like that in three days. You were excited.
The Mind Shift
Sean: All on the same day. We can all get so much more efficient now that people are comfortable with the technology.
Carolyn: That's the key, that mind shift is huge. I have so many friends that are developers. I've worked remotely for years. I love it. It reduces the stress of a commute. There are so many great things about remote work.
Sean: Think about how much more productive you are that you're not driving 12 miles in bumper-to-bumper traffic.
Eric: 12 miles? I used to spend two and a half hours a day minimum going to and from the office.
Carolyn: I have a lot of friends who are developers. They've always said, "Oh, I could never do that. I would never want to work from home." Guess what? Those developers, now, don't want to go back to the office. Maybe once or twice a week.
Sean: This would have never happened if not forced. COVID forced to think through all of this stuff. What additional things can we find that'll help enhance our lives? Improve productivity, get better at things that we just haven't realized yet. I'm pushing everyone in my organization to think differently.
Sean: Think about things that can help them when we're beyond COVID. Ultimately, we should be learning from this in more ways than just, we can do more things over video. There are probably 100 other things that we can benefit from how we're doing business today during COVID.
A Lot of Good Things
Eric: I'll tell you one thing that we're not going to get when we go back to the office. You've got two dogs tearing a toy apart behind you, Sean. I'm afraid you're next on that list.
Carolyn: Isn't that awesome?
Eric: They look hungry.
Carolyn: You get that companionship all day. It's great, and to be able to see your kids intermittently through the day. There's a lot of good things that have come from this.
Eric: Yes, homeschooling not being one, but let's wrap on that one.
Carolyn: Sean, thank you so much for your time.
Sean: You bet. Thank you for inviting me. I look forward to our next session.
Carolyn: Thanks to our listeners. Go hit that like button. Give us a review on your podcast platform, and we will hear you next week.
To The Point Cybersecurity was recently named one of the 30 top Federal IT influencers 2019 & 2020 because of fantastic guests. We are always looking for great thought leaders to interview. Please email me with guests you would like to have on the podcast firstname.lastname@example.org.
About Our Guest
Sean Berg is the Senior Vice President and General Manager, Global Governments and Critical Infrastructure at Forcepoint. It’s a technology industry leader with over 25 years of experience in both the government and private sector. He is expanding Forcepoint’s cybersecurity footprint in the cross-domain government security markets.
He's delivering capabilities through their integrated Human Point System portfolio. Sean and his government focused team bring an innovative approach to security. It uses risk-adaptive scoring to recognize the context and intent of user behavior for early and accurate threat detection.