The Crisis CIO with Dave McDonald Part 1 - Ep. 77

We talk with David McDonald, Navy Telecommunications, Information Technology and Cyber Operations, CIO, about the challenges the CIO is facing in the "new normal" created by COVID-19.

Episode Table of Contents

  • [01:54] Working From Home as a Crisis CIO
  • [06:20] The Prime Directives of a Crisis CIO
  • [14:06] A Crisis CIO Is Not Letting a Good Crisis Go to Waste
  • [19:20] Things That a Crisis CIO Cares About
  • [27:42] A Crisis CIO Keeps Everybody Picking up and Going
  • About Our Guest

Working From Home as a Crisis CIO

Arika: We've had guests from other countries, but I don't think we've had anyone from Hawaii. So aloha. We have Dave McDonald with us today.

Dave: Hello Arika, and Eric, and the entire Forcepoint team that's on. Indeed out in the middle of the Pacific. It's morning time here, I guess, it's mid-afternoon your time. But it's an honor and a pleasure to be online with Forcepoint.

Dave: My day is just getting started. And like so many people around the world, my day is starting in my home office. So even though I'm a CIO and my boss continues to think I'm somewhat essential, I'm working from home, I'm doing the telework thing like so many other folks are doing.

Eric: COVID-19, Dave, I don't know. I think I'd want to be stuck on an island like Honolulu, Hawaii. Or Oahu.

Arika: I'll trade your locations. Well, Dave, let's just talk a little bit about your background first and let our listeners know your background as far as the work you're doing for the Department of Navy. And then let's talk about what it's like to be in your kind of role at a time like this.

Dave: So just as a bit of a level set or a primer for what we do, I'm the Chief Information Officer, plans, programs, director, Department of Navy civilian. I'm a government official. And I should say right at the outset here, not here to speak officially for the Navy on behalf of the Navy.

Crisis CIO for the World’s Greatest Navy

Dave: So this is kind of sideline sort of discussion. I'm happy to share some perspectives and so forth. But I'm not officially speaking on behalf of the Navy in this form that we have.

Eric: Forcepoint loves that, I'm not speaking on behalf of Forcepoint too half the time. I'm kidding Dave.

Dave: So we can speak freely, but on some topics, if I come across as a little bit guarded or mindful of things like OPSEC and so forth, I work for the world's greatest Navy and we have significant missions around the world that obviously have to be protected and I will do that as best I can.

Dave: But Arika, yes, so I'm the CIO and I work for an organization out here called the Navy Computer and Telecommunications Area Master Station Pacific, so that's a mouthful.

Eric: Oh, NCTAMS PAC.

Dave: Yes, NCTAMS PAC, that's us. That's an acronym only a career Navy guy could love. The short version of our mission is we do hemisphere-wide across the entire Pacific. Pretty much from the Mississippi all the way out to the approaches into the Arabian Gulf, out into the Indian Ocean.

Dave: We do telecommunications, IT, critical communication services across Navy joint coalition, warfighters that span 60, 70% of the Earth's surface. So I'm the CIO for that enterprise and we have to look both in the today as well as out into the future about our capabilities supporting the warfighter.

What Has Changed in the CIO and C-Level Executive

Arika: So Dave, we're recording this, this is mid-April or almost mid-April and we're in the midst of this pandemic, as Eric just said. So as far as you know, what has changed for you in the past three, four weeks?

Arika: Like everyone else, you're working from home, but I would imagine it's a bit more challenging. You probably have some things that are keeping you up at night. Tell us a little bit more about that, of what you can share of course.

Dave: Well, sure. I think I'll start kind of generally with the notion that I think any CIO and certainly almost any C-level executive in almost any kind of organization is realizing through this crisis, first, nothing really fully focuses the mind like a totally unexpected and severe and complex crisis of this kind of nature.

Dave: I'll use the phrase failure of imagination but it's maybe not quite right to call it a failure. I mean who in their right mind could have imagined in any enterprise, whether it's DOD, or banking, or IT, or any industry, logistics supply chain, who would have imagined sending 80, 90, nearly 100% of their workforce home.

Eric: In fact, few did and those who did were, I don't want to say they were laughed at, but nobody did anything, let's leave it at that.

Dave: Yes. So, not really a failure of imagination or a failure to plan, but it's just one of those. It really focuses on the mind that you could have as severe, complex, and fast a crisis as what we're experiencing. In my own experience, I guess I'll call it some goodness or some real focus that comes out of that.

The Prime Directives of a Crisis CIO

Dave: And it really compels you quickly to figure out what's your prime directive, or what's your set of prime directives? What are the critical things that you must sustain and that you really have to drill in on and understand?

Dave: So we talk broadly about essential personnel and mission-critical personnel, but it really goes bigger than that. It’s right out here as the world's greatest Navy in a very much a contested hemisphere of operations. What has to be sustained?

Dave: We're in a business that has to be sustained. The fleet doesn't steam without critical command and control. Warfighters don't plan and execute without critical command and control. Our systems have to work. Our communications have to flow. Our services have to operate. Our teams have to be responsive. So that part has honestly not been all that complicated.

Dave: We've really had to drill into the prime directive which is protect critical command and control, protect the 24/7 watches, the operations that assure those things. Protect some ability to maneuver, respond, be resilient. I think what CIOs all over the world are discovering, among other things is that they're really the chief resilience officer in many ways.

Eric: Very good point.

Dave: I'm kind of finding that as, we didn't otherwise have a resilience officer or even an emergency action officer. A lot of folks have an emergency action plan. I don't think many emergency action plans or continuity of operations plans accommodated this kind of crisis.

A Crisis CIO Evolving Into a Chief Resilience Officer

Dave: But it's really the leadership, the people, and the immediate imagination of "What are those things I have to protect and get at right now?" So a chief resilience officer is sort of what a crisis CIO becomes in times like this.

Eric: Dave, one of the things we talked about was people are the most important asset, whether it's the Navy or any business. Your workforce transition from normal to not so normal, pretty much in the span of what, a week or two?

Dave: Yes, it was internal to a week. And there's some interesting nuances with respect to the how and how many and the dynamics of top-down directed tools and technologies versus internally selected.

Dave: I'll say we had some, I'll call it minor false starts and restarts as we went through that week to week and a half long process of transitioning everybody to this virtual operating model.

Eric: It's interesting as we look at our business, the commercial companies including Forcepoint internally had a relatively smooth transition because a lot of us were accustomed to working from home.

Eric: My defense customers, my government customers globally really stumbled in some ways because the culture of the workforce was so attuned to working from an office space, right, together.

Eric: Things like communications, the command and control which you mentioned, capacity challenges, expertise, things like that have been challenging. What are your thoughts? What's your guidance? What are you observing?

A Thought Process for a Crisis CIO on Failure of Imagination

Dave: I guess I would frame my thoughts or my response on that in kind of the immediate here and now, you do what you have to do, you do what you can do. But then there's a thought process I think for CIOs and for other senior leaders that gets into this question of failure of imagination.

Dave: And did you plan out, or did you what if, or war game to use a model that we care about deeply in our community. Here's what I find interesting, let me start with the kind of a longer-term kind of governance culture and planning dimension of this. It's pretty well known and been mentioned in the open press that the DOD, we do somewhat robust wargaming on pandemic, global pandemic.

Dave: So the question is all right, we war-gamed it, we did all the what-ifs, we played the worst-case scenarios but then what did we do? Did it fully inform culture? Did it fully inform governance? Did it fully inform architecture and design, technology and tool selection, training, and acculturation of different working models?

Dave: I guess I'll call it a little kind of a sweet spot for me or a pet peeve if you will. Quite often we do war game and play out these scenarios in very low risk protected sorts of environments but then we don't take the lessons. So I think there's a real takeaway here for CIOs, for acquisition officials, and senior leaders.

Hope Springs Eternal

Dave: If you don't acculturate for some of these worst cases, if you don't design governance for these worst cases, if you don't make architecture and investment decisions, and tools deployment and training, and sustainment decisions based on some of those worst cases, don't be surprised when you find yourself not ready.

Eric: Do you think things will change? Do you think we'll learn from this?

Arika: There's so many lessons learned and I've heard the statement that you've just made, Dave, a couple of times. I just wonder when all of this is said and done, I don't know, a decade, two decades from now, how will it be different if this happens or something of this magnitude happens again?

Eric: Well Dave and I will be retired. So it'll be somebody else's problem. Arika, you'll still be working away.

Dave: Yes, it'll be somebody else's problem. The next generation will figure this all out. One of my favorite phrases, well, two phrases, one, hope springs eternal and the other one is, it's never too late to turn the whole thing around.

Dave: I'm a real avid follower of what our national leadership and the DOD is doing. I think we're blessed right now to have a gentleman named Dana Deasy as our DOD CIO. He's a guy who grew up navigating from one crisis to another as an executive CIO. And lucky are we that we have him now.

Dave: I think he's driving a process in the immediacy of this crisis.

A Crisis CIO Is Not Letting a Good Crisis Go to Waste

Dave: He's driving daily epiphanies about kind of, what we should have planned for, how we should have been designed, what we should have been able to do as a matter of kind of routine non-crisis governance, and acquisition, and deployment of capabilities, and acculturation of a certain working model.

Dave: So Mr. Deasy is driving that now across the DOD. There have been some press reports this week about exactly what he's doing. So I won't go into that too much. But it's good to get fresh leadership to come in from the outside and say, "Hey, you guys, all of you DOD officials who have been doing things a certain way for so long need to kind of rethink what your model is."

Dave: And so to your question, Arika and Eric, I think there will be very precise epiphanies and lessons learned, and followups that come from this. Some have used the phrase never let a good crisis go to waste. The community was admiring acquisition reform, and fast acquisition, and OTAs, and innovation were really the last many years kind of admiring different ways we could do that.

Dave: And there were acquisition reform panels that did the same, but no sense of urgency. Nothing was creating a compelling sense of urgency to do that. I think we now kind of have that to understate the case.

Eric: I'll compare and contrast again. For all the commercial companies I've worked where we've never really had a COOP plan or a disaster recovery plan. I don't want to, once again OPSEC, I don't want to go into too much detail around Forcepoint but we certainly never drilled for anything like this.

The DOD’s Risk-Averse Culture

Eric: You don't run scenarios in the commercial world like you do in the military. But I think one of the differences is you operate a little differently. We're relatively accustomed to working from home. So we've had to make some adjustments. But unlike a lot of my customers, it was relatively smooth and we're very fortunate we didn't run into any issues.

Eric: We ran into very few issues, I should say. We needed some developers who needed laptops. We needed to figure out how to access source code from home, little things like that. But the business pretty much continued on even though 3000 people went away.

Eric: They went home and stayed home.

Dave: I think, I wouldn't kind of go to the mat to completely defend the DOD's really risk-averse culture with regard to this. Because I think it's a nuanced mixed sort of subject.

Dave: Let me start this way. There are and there have been very good reasons why the DOD tends to come down on the side of deliberate acquisition processes, perhaps more risk-averse, both runtime and design time governance processes, technology selection, access management, how we govern our facilities in terms of physical security and systems security. So there are good reasons for that.

Dave: We're in the national security defense and warfighting business, and the intelligence business essentially. I think without entirely defending kind of a generally kind of moribund or flat-footed acquisition culture and collaboration culture.

Dave: There are underpinning reasons for the conservative and protective nature of what we do. The question is, going forward, and I'll go back to the wargaming idea.

Playing Severe What If and What Now Scenarios

Dave: This is again a frustration for me that we actually do have pretty robust mechanisms to do really thorough what if and what now kinds of assessments.

Dave: Worst case, really dire, grim, tough, sustained what if, and what now type scenarios and global pandemic is not the least of them. We're talking escalation to full out war, two-theatre war, rogue state actors committing both cyber and kinetic attacks to undermine and level the battlefield and so forth.

Dave: So there's all kinds of scenarios where we do very severe what if and what now scenario playing. Our culture needs to catch up with how do we benefit from the lessons learned from that. And I think this is really focusing some minds on that question.

Arika: I was just going to ask you just, just that question though. So what now? Where do we go from here? I think lots of industries obviously are thinking about this but from a government perspective, again, as someone who is a CIO and just this uncertain time like where do we go? What happens next from your perspective?

Dave: So all the prognosticators are out there trying to try to predict flattened curves and getting to the other side of the curve and so forth. But let's postulate when things start getting back to more normal and the dust settles on COVID-19 and everybody can kind of take stock and get back to a routine.

Dave: I think I wouldn't go way out on a limb and say the DOD is just going to turn on a dime and be just a fundamentally different thing from the standpoint of operating culture, risk-averse culture, acquisition culture, and so forth.

Things That a Crisis CIO Cares About

Dave: We're going to ponder this and take stock. Now the good news is even before, with respect to things that CIOs care about, distributed work, collaboration, networking, connectivity, more specific topics like either bring your own device or choose your own device.

Dave: And thinking more broadly about your endpoint, kind of your endpoint community, both from a people and technology perspective. The good news is before COVID-19 the DOD was already thinking through a lot of those things. We were just doing it at the normal slow pace.

Eric: Normal pace.

Dave: Yes, so I think the hopeful side of me says now large program of record initiatives like JEDI, and DIOS, ECAP, so some of the things you can read about every week in the press, vectors that the DOD was already on will be accelerated by necessity.

Dave: I think some details on the edges of transition to cloud, transition to choose your own device, transition to a governed zero trust architecture that extends out to choose your own device, transition to full-featured multimedia collaboration group work type solutions. We'll get on with that and we'll get on with it more quickly.

Dave: I don't want any of this to sound like an I told you so. Some of us had been feeding the pots and pans for 10 years on this with respect to slow acquisition. But maybe it takes COVID-19 to get us all off the diamond and move out more quickly.

Eric: So Dave, how does cloud help you?

Dave: It depends, Eric. I think not all clouds are created equal.

Different Ways to Design, Adopt and Integrate Into Cloud

Dave: There's broad-based infrastructure as a service. There's applications as a service. There's potentially integrated security or zero trust as a service. There's a lot of ways to think about design, and adopt, and integrate into cloud.

Dave: So I'm not trying to make the answer more complex than it should be, but as an operating CIO in a part of the world where for many, many years we've kind of owned our own on-prem cloud infrastructure.

Dave: Yes, infrastructure for critical business operations, logistics and supply chain contracting. A lot of the supporting functions it takes to run our enterprise in the Pacific. So I will not say I'm entirely agnostic on the matter of migrating to a different cloud model.

Dave: I would say a rigorous CIO needs to business case the thing kind of from a CapEx, OPEX, total cost of ownership, agility, and governance, change management, and runtime governance. There's a trade space there that I think is going to be interesting and different depending on what cloud model you propose.

Dave: I generally buy into the, I'll call it the industry and academic literature that says mid and longterm there is a clear beneficial return on investment by consolidating, outsourcing or off sourcing a cloud infrastructure.

Dave: But it all depends on also being able to have a degree of runtime governance, and management, and configuration control, and security control, and security visibility that makes sense to us as a DOD or maybe operating enterprise. So Eric, I don't know if that answered or if it makes sense.

A Contrast Between Top Level Cloud Implementations Versus Local Stacks

Dave: It's probably more complex than a lot of people understand but it's why CIOs and their staffs have to really pay attention and put the rigor into assessing those options as they're put forward. I generally fear these kind of one size fits all top-down mandates of every load, every use case, every application stack, every data repository is going to go to one cloud under one governance model.

Eric: Just go to the cloud and your problems are gone.

Dave: That's right. I don't buy it and it's not just theoretical for me. It's over years and years of experience of seeing a contrast between large kind of centrally controlled, top-level, top-down for cloud implementations versus local stacks.

Dave: We've done business case analysis on those things and every now and then the local stack wins based on a whole range of important criteria for us. But I remain open-minded about looking at cloud migration.

Arika: So Dave, before we wrap, I just have a sort of technology question but not really but I think it's interesting. We've talked a lot about just the different adjustments that obviously you've had to make as a CIO working from home but personally, how are you adjusting to working from home?

Eric: On that rough and total island.

Eric: With the water, what, 100 meters from the house? I want to hear this Dave.

Arika: Are you missing your commute?

Dave: So I don't miss the commute because it was a hefty one.

Reaching Within for Resilience

Dave: Believe it or not on this small island, I still managed to put more than 20,000 miles a year on my new car that I got last year. So, I don't miss that at all. I think military folks are kind of trained and grow up in a culture where it's like, what's the word, embrace the suck.

Eric: I've heard that before.

Dave: And there's another phrase, first world problems and so forth. In the grand scheme of things, blessed to be in Hawaii. I think Hawaii will manage to flatten the curve. My heart goes out to folks who are up on the east coast. That's where I'm from is New York, and still have a lot of relatives up there in New York, Jersey, Connecticut, and so forth.

Dave: It's just kind of astonishing, breathtaking what's happening up there, so tragic. So I don't in any way want to make light of that. It's a lucky time to be in a place like Hawaii where I think based on what the governor and the city-county are doing, they're going to manage this thing.

Dave: So I think everybody has to reach inside themselves for that resilience at a time like this as well.

Dave: All of us on this conference, we're still working. Eric, as you know, we've talked about this, I have friends in the gig economy, musicians, folks who work in restaurants and bars.

Eric: It's tough.

Dave: It's really, really tough. So I know our intent here is not to in any way get political, but we do have to get over this thing quickly and get America, get our economy working again.

A Crisis CIO Keeps Everybody Picking up and Going

Dave: Any time you get out of bed and go out the house there's risk. And you look at the CDC and their mortality statistics and so forth, there's any number of ways any of us can meet our maker on any given day.

Dave: But there are larger principles about free western society and free-market economies and individual rights. I think about that a lot in this context of we're going to have to find a way to carry on and be the America that America has been for the world for so long.

Dave: Arika, personally, so far first world problem, knock on wood. And because of our operating culture in NCTAMS PAC, and my boss, and the way he is, and the culture he's created for our organization and really across the hemisphere, man everybody's just picking up and going.

Dave: Working for 90% of the day staff is on telework. We are protecting our watches like crazy. The prime directives are understood. The leadership, which is now taking more of a virtual dynamic is as strong as ever. Nobody's in the dark. Nobody's guessing. Everybody's pulling together as a team and we're going to meet mission. We're going to get through and we're going to succeed.

Dave: We'll get to the other side of this thing as a better, stronger team and hopefully proud of everybody's behaviors along the journey. Eric, I hope your team and all your partners are probably doing the same. You've said you've made a very ready transition to this and everybody's really stepping up.

Working in the Right Areas

Eric: Everybody's working, everybody's getting creative. I think the biggest challenge is, back to back to back calls. Making sure you're doing the right behaviors. The world has changed. Making sure we're working in the right areas. And not burning out, taking care of ourselves, taking care of our people.

Eric: You've talked about it a bunch. People are the most important. That is the critical piece. I'd still like to be near the beach.

Dave: That's why I didn't want to go there with our public officials. They've managed to put some controls on things like beach parks and golf courses and so forth that I'm not cheering from the highest mountain on that stuff but we'll get over that.

Dave: The other thing about the people aspect is, I listen to a very inspiring videocast from General McChrystal and his group. He's got a consulting group that's pretty public out there on LinkedIn and so forth and a couple of key points, takeaways from that.

Dave: It's a marathon, not a sprint, to your point, Eric, about being really mindful of not burning people out, and turning people upside down.

Dave: Ideas like, just because you're home all the time doesn't mean you're working all the time. So all those same work-life balance kind of whole-person quality of life things that I think leaders need to set the example for, they need to enable, they need to mentor and talk to their teams about that.

The Need for Crisis CIOs and Leaders to Render Double Duty

Dave: That all applies doubly in a situation like this where there are other stressors that are really clobbering people and their ability to do PT, to workout and stay healthy, and get out and be emotionally and socially healthy is much limited.

Dave: I think leaders really have a double duty right now to set an example on balance and perspective, humor, and health, and all that stuff. I'm inspired by General McChrystal and some of the things that he and his team have said to all of us in the last week or two about this. It's good stuff to listen to.

Arika: Well, thank you Dave. This was fantastic. You've definitely given our listeners a lot to think about both from a system CIO perspective, but also just from a life-work leadership perspective. So appreciate that.

About Our Guest

David McDonald, Navy Telecommunications, Information Technology and Cyber Operations. Navy and Intelligence Community professional with dual career tracks as a DoN civil service leader and manager and a uniformed Navy Reserve senior officer (now on the USNR retired list). I bring 37 years of varied professional experience to the table, with targeted expertise in strategic planning/execution, program management, project management, organizational design, professional development, mentorship and aligning business/programmatic solutions with mission operations accomplishment.

I'm a cyber professional, in the "lingo" of today, and a trained/certified, warfare qualified and operationally experienced Naval Cryptologist and Information Warfare Officer at the core. Career path has been fortunate, sometimes downright lucky, taking me on a path from tactical Cryptologic operations on submarines during the Cold War to major SIGINT field station operations, space systems operations in the National Technical Means (NTM) community, submarine programs management, military intelligence operations at the Joint Combatant Command level, and, ultimately telecommunications and IT program management.

I have sub-specialized in Defense acquisition program/project management, architecture planning and systems engineering along the way, and have complementary sub-specialities in Knowledge Management, Contracts Management, Training Program and Systems Development, Systems Architecture Development, and a few other things that I can dust off if the situation warrants. I'm from the school of Servant Leadership - have read and taught the literature and practice, and believe in creating organizations that are organic, defy usual bureaucratic "wire diagram" boundaries, and foster innovation, collaboration, continuous improvement and teamwork. If one has been fortunate enough to be mentored through a long career, one then must mentor, with selflessness and dedication.