CIOs discuss how agency leadership and change management facilitate Biden’s cybersecurity executive order implementation.
Additional cybersecurity requirements stretching across all public organizations are a welcome addition to modernization efforts, but require a strong leadership presence, two federal chief information officers described during an ATARC panel discussion on Tuesday.
President Joe Biden’s cybersecurity executive order, which requires federal agencies to implement stronger cybersecurity protocols in the wake of several major hacks, pushes agencies to do more in preventing cyber attacks.
“There was always an IT problem, you know, cybersecurity and things,” said Gerald Caron, CIO and assistant inspector general for information technology at the Health and Human Services Office of the Inspector General. “And I think that brought to light that no, it's an agency. You know, it's got to be taken on at the highest levels of the agency and understood that it needs to be prioritized.”
Caron added that the OIG has always been very compliance focused regarding its IT modernization efforts, and that the new executive order moves the agency to be proactive on the cybersecurity front.
Guy Cavallo, CIO at the Office of Personnel Management, agreed.
“Getting the executive order just provided additional reinforcement on the paths we were headed,” he said. Cavallo specified that in order to ensure the directives outlined in the executive order were properly implemented, OPM focused on change management strategies to bring all employees on board with the technical updates.
He said that this approach helps communicate to customers and end users alike why the agency is making a modernization change. These teams also help train employees adjusting to new software.
Cavallo said this approach has worked in several different offices.
“In each place, I bring in a change management team, to work with our communications, to work with our processes, to really reinforce what the customers, you know, ‘we’re making this change not because [a] guy wants to do it, but it's the right thing to do’,” he said.
Caron added that change management tactics can be important in broader modernization efforts.
“Change management is a very important aspect,” he said. Caron used the implementation of a zero trust architecture as a year-end goal for the OIG as an example of how top-down project management can benefit modernization efforts as a whole.
“We [OIG] get a lot of foundational things we need to do. Some of these things would not affect the end user necessarily, some of the back office things that the CIO needs to set up as foundational things,” he said. He explained further that his office created an agency-wide presentation outlining the benefits of new security software and how it matters to both end users and management.
“It kind of helps tell that story; it's like, ‘we got some work to do, we need some support, we need you to help prioritize this for the organization,’” Caron said. “So there's some good ways to communicate, you know, in all different aspects.”
Cavallo warns that without this level of communication, modernization implementation can fail simply from employee and customer pushback.
“Change has been stopped by many people, because it has been forced down their throat and not properly vetted,” he said.