Five tips for incoming CIOs under the new administration

This post first appeared on Federal News Network. Read the original article.

As with any new presidential administration, incoming leadership will face the enormous task of getting up to speed quickly and implementing programs to promote changes needed to achieve the administration’s goals. This presents a great opportunity for improving how the government operates but also brings with it challenges as new leaders try to rapidly understand the environment they are entering and the processes and inner workings of government — which are very different from the private sector for those who may be making the transition into government for the first time.

Chief information officers of all stripes will face an array of challenges. Not only will they have to protect the attack surfaces of their agencies, but CIOs will also need to navigate increasing nation-state cyberattacks, safeguard and oversee remote workers, manage the continuing flood of executive orders and guidance from oversight agencies related to cybersecurity, and much more.

When I was appointed as the CIO for the Energy Department (DoE) under the first Trump administration, I was immediately confronted with some basic challenges — ones that I expect every CIO will also face in the new administration, even if they have been in place for a few years. For everyone from new politically appointed CIOs to acting career CIOs, a presidential transition is a time of rapid change and an opportunity to act on key priorities.

Based on my experience, I recommend a few steps for CIOs to start off on the right foot.

Gain full situational awareness

When I started at the DoE, I was immediately faced with the challenge of understanding the environment I had to manage and protect. Newly appointed leaders will be faced with federal agencies staffed with tens of thousands of employees and a multitude of contractors. They will also be responsible for the risks posed by hundreds of thousands of assets, many of which they may not directly manage.

Agencies need a comprehensive security strategy to address the entire life cycle of cyber threats. To start, CIOs should have the ability to regularly inventory all physical and virtual assets connected to the network, from on-premises infrastructure to cloud environments. This extends beyond IT assets to include operational technology (OT), internet of things (IoT), building management systems (BMS) and more. By understanding the context of their asset landscape, CIOs can then determine which threats need to be prioritized based on vulnerability and asset criticality, and help demonstrate to their department’s leadership the risks that must be managed.

Partner with senior leaders

When I arrived at the DoE, I was fortunate in that Energy Secretary Rick Perry early on moved my reporting directly to him and the deputy secretary. The leadership team took my regular briefings with them very seriously. There’s recently been a broader recognition across the federal government that those types of communications must happen, which means a successful CIO needs to serve as the owner and explainer of risk to leadership. Whether the CIO is appointed, acting or a career senior executive, they must be able to understand and address the key priorities of the leadership and tell a compelling story.

CIOs must also get a handle on the budget process and the timing involved. Unlike in most private sector organizations, it can take years in government between when the CIO identifies a need for a new budget item and when they actually see the funding. Therefore, CIOs must work closely with department CFOs to help them understand the department’s risks and needs and then to identify different funding methods that may be available for issues like legacy systems and consolidation.

The goal should not be to approach the CFO with a wish list but instead set regular meetings with them to understand their budget and policy priorities. Many times, the CIO can present new opportunities to save money, consolidate for efficiency through tools like enterprise license agreements or simply provide intelligence, given that the CIO team often has visibility into departmental activities and priorities that others miss. Building that collaborative relationship can pay dividends down the road.

Look for creative funding opportunities

Legacy systems were a major problem when I came to the DoE. We still had a lot of organizations running on-premises servers for email and needed to move those to the cloud for cost savings and improved integration. To address this, we put in three proposals for the Technology Modernization Fund (TMF) right off the bat. DoE was subsequently one of the first three departments awarded a TMF loan. I’m a great believer that the TMF program and working capital funds can help agencies accelerate change effectively. Shared services and enterprise license agreements are a couple of the other ways to look for opportunities to fund key priorities and find cost efficiencies. Initiatives like the Cybersecurity and Infrastructure Security Agency’s Continuous Diagnostics and Mitigation program provide other means of funding critical cybersecurity needs. First-time CIOs should also bear in mind that program funding requires a multiyear process, so some of the progress made on their watch will serve as building blocks for the CIOs who follow them.

Be a practitioner

Given the responsibility of CIOs to keep their department running on a daily basis, it can be a challenge to keep up with technology changes. But if they have to make the hard decisions about assessing risk, knowing when to patch or mitigate, or simply accepting risk, CIOs should have the mindset of a technical practitioner who can also speak to leadership in plain language. You will never understand it all, so make sure you hire (and listen to) people who are smarter than you.

Embrace change management concepts

CIOs must understand that it takes time to accomplish things in government. Simply making changes without ensuring they are absorbed and accepted within the agency culture means they won’t stick. Therefore, CIOs need to do the back-end work to ensure not only that their changes are implemented but also that they don’t disappear after a couple of years.

It can be frustrating at times, but CIOs have to put in the effort to meet with all of the relevant stakeholders, even when they know they will not like what they are going to hear. It is critical for CIOs to give stakeholders a vision for what they want particular policies or programs to achieve and why they will bring value.

Finally, I would often express concern whenever the Office of Management and Budget or CISA sent out directives without talking to those impacted, setting expectations or taking feedback. CIOs shouldn’t do that either.

Federal CIOs must shoulder the responsibility of managing risks through the people, processes and assets that underlie nearly every aspect of their department’s mission. I hope some of the five tips outlined above prove helpful or thought-provoking for CIOs on the path to achieving the goals and efficiencies they will be asked to put into effect under the new administration.

Max Everett, a member of the federal advisory board for Armis, previously served as CIO for the Department of Energy.
