Steve Grewal, Federal CTO at data management platform provider Cohesity, is urging Federal agencies to take a fresh look at continuity-of-operations planning (COOP), along with further training and education for the Federal workforce as the initial wave of the COVID-19 pandemic abates enough for agencies to embark on phase-one re-opening plans.
His reasoning addresses two points of risk and opportunity. First, nobody knows whether or when the coronavirus might present a subsequent wave of rapid spread in the U.S. And second, the experience in remote work that agencies have gained over the past three months is ripe for analysis and distillation into clearer lessons learned.
It’s also advice born in part from an enviable six-year run from 2012-18 in the top tech ranks at the General Services Administration and the Department of Education – including stints as CIO, CTO, and CISO. We talked with Grewal last month about the government’s pandemic experience, what the Feds can do over the next year to better prepare for a still-uncertain future, and how Cohesity can help.
MeriTalk: Two months into the pandemic, what can the Federal government do on the tech front to better sustain and improve service to citizens, and to the Federal workforce?
Grewal: The pandemic has surfaced a lot about remote access readiness, well beyond the table-top exercises and continuity of operations plans that preceded it. This is a real-life scenario of having that capability activated. The maturity level of those investments and services largely varies by organization by agency, so I think this is a key moment to assess the readiness of those services. How well do they work, and where are there gaps?
As we think about the workflows and the business processes of serving everyone from internal employees to the citizen, where are some of those gaps – either from a technology perspective for capabilities that don’t exist yet, or capabilities that are sub-par? And then how do we formalize some metrics and collect data to really capture that experience?
Once you have that data – and there’s an incredible amount of tooling and services out there to capture that whole experience – then I think it’s in the best interest of Federal agencies to seek funding to address creating better performance in full-scale pandemic operations.
Because, God forbid, if there’s a second wave of this come flu season and we have to revert back to this current model, how are we equipped to support that model overall? From a sustainment and improvement perspective, how does all that have to flow? If we have to stay in this mode for another six to nine months, I think the same way the private sector is thinking it through – based on mission and the end customer – is the same logic that agencies should also be applying.
MeriTalk: You haven’t been away from government for that long. Do you imagine what your pandemic experience would be if you were still a Fed?
Grewal: I do. I think in that position you’re very operationally consumed, not only from the perspective of making sure the right technology building blocks are in place ready for primetime, but also from the perspective of security operations. And thinking about workflows that we’ve delivered on-prem, but now have to be done in a virtual construct.
That introduces a cybersecurity element to it – from the perspective of service delivery, operationally working with the teams to make sure that we have capacity, bandwidth, and licensing, and that we’re proactively pressure-testing those things. And then of course monitoring that experience.
And there’s an elevated level of inspection and oversight for everything that’s tied to security operations, from phishing attacks to credential theft – all of those kinds of threat vectors that can cause some damage.
MeriTalk: Looking out six to 12 months into the future, what do you think should be on top of the Federal government’s IT to-do list?
Grewal: There are a few things to do to ensure more effective preparedness for any next round of the pandemic. I would say double down on education, training, and awareness for these scenarios. I think in many cases, depending on the agency or department, not everybody is deemed “telework eligible.”
Switching over to pandemic footing was fairly abrupt from the perspective of knowing how to utilize necessary tools and services while continuing to do your day job. So having a greater emphasis on education, training, and awareness is certainly something that in the next six to 12 months all agencies should focus on.
Now that we’ve gone through a real-life scenario – versus a hypothetical scenario – I’d suggest really dusting off and taking a closer look at business continuity and disaster recovery plans. I hate to say this but in my experience as a former CIO, sometimes those exercises are paper-driven, and very focused on a point in time. They conceptually make sense, but they don’t necessarily map to reality.
So now that we’ve gone through this scenario, I think it’s necessary to go back and take a fresh look at updating those plans to reflect reality. And then making sure that you reconcile those plans with the overall technology architecture. Sometimes the plans say one thing, but when you execute, things don’t quite match up. So make sure the plans match reality.
And at the risk of being redundant, if there were gaps that were uncovered as part of the cybersecurity apparatus during this exercise, going back and making sure that there’s coverage and visibility in place to ensure that we don’t have any blind spots in the future. Those are the three points that should remain key over the next six to 12 months for all agencies and departments.
MeriTalk: How can Cohesity help the Federal government over the next 6 to 12 months with priorities such as those?
Grewal: We provide a software-defined data management platform that makes it a snap for organizations and agencies to easily back up, manage, and gain insights from their data.
Part of my experience in government was that it does an incredible job of capturing and collecting data, but not such a good job of actually making that data available and accessible to gain insights into your day job.
Technology innovation is at an all-time high, and the cycles of change are very frequent. But I think one thing that’s a critical success factor in a remote telework scenario is having access to your data. So whether you’re in human resources, whether you’re in IT, or whether you’re more on the mission side and more business aligned, at the end of the day the infrastructure helps, but it’s really the data that you need to make sure you continue to be productive and effective.
We provide a data management platform that essentially consolidates a variety of disparate data assets and silos and we put them in one place that can be managed through one dashboard. There’s a variety of use cases that we support across that paradigm – first and foremost being backup. We provide end-to-end protection for virtual and physical workloads, databases, applications and storage all from one easy-to-use web-scale solution. That’s certainly a key component.
We also have a use case around disaster recovery. Government mostly, even today, has a traditional construct for disaster recovery. People used to think about disaster recovery sites as hot, cold, and warm. You often have a data center, and you have facilities that are essentially idle, and serving as an insurance policy. There’s a lot of inefficiency there.
But now, if you can leverage the public cloud on an as-needed basis, it’s more technically efficient, it can be cheaper and more cost effective. Our platform gives you the ability to spin up your entire environment in the cloud in the event we are experiencing a pandemic. That’s another very effective use case that our platform supports. We are software-defined, we can live on-premises or live in the cloud, and we give you that common unified experience across all of those environments.
The way our platform is structured, some of the secret sauce – the proprietary coding – allows you to revert back to a good known state really quickly. If you think about things like ransomware attacks and environments being infected, our proprietary file system allows you to quickly revert back to a known good state and restore operations.
And then finally, I would say we are just reducing complexity. I think complexity is a big part of the problem in government. There’s vendor management complexity, there is technical debt, and legacy investments. As we think about getting better and becoming more efficient, we have to reduce the amount of complexity.
MeriTalk: Again looking down the road, to what extent do you think – not only in government but in society and business – that we kind of snap back after the pandemic? Or will we stick with some of the new ways?
Grewal: I think this is going to change the way we do business. 50 years from now, historians will look back and say the pandemic happened and had long-lasting impacts.
I’m not sure if we’ll ever go back to a like-for-like scenario, meaning that we’ll pick up exactly where we left off. I think, depending on the job function, and depending on the role, some of these practices and standard operating procedures that we’re following today may remain in place, even in a post-COVID world.
We’re starting to see big conferences being virtual, major sales kickoffs being virtual. I think it’s going to really force companies and agencies to think more closely about outcomes, as opposed to being more prescriptive about here is how it should be. There was always kind of a fear factor about maybe moving too much into this direction, but now it’s three months later and a lot of things work well the new way.
For us, we’re seeing that there were a couple weeks of learning, but everyone has gotten the hang of working this way. Perhaps a good portion of work will go back to the way it was, but I think there is an incremental portion that will change forever.
MeriTalk: Does it lead you to wonder whether this time will be looked upon as technology’s golden moment, when it really bridged the gap in a lasting way?
Grewal: We’ve been talking for over a decade now about how critical technology is not only from a commodity perspective, but as a business or mission enabler. I think now people see how technology is truly a critical success factor, not just a cost center or not just a talking point. I think it was maybe more implicit, where now it’s going to be very explicit in people’s minds. To your point of a golden moment, it’s going to be really interesting to see how things go over the next 12 months.