From futuristic telephones with screens on desks in the 1990s, to punch card mainframes using FORTRAN, Janet Vogel, the former acting chief information officer and chief information security officer at the Department of Health and Human Services, has seen significant change in the federal technology sector.
She said her experiences, from HHS and the U.S. Agency for International Development, to her political science background and learning technology, taught her several things about how to be successful in the federal sector.
“I would definitely recommend that they think big and lean forward. It’s a big job. There are so many moving pieces that you really have to focus on both compliance and operations at the same time because we do operate things departmentwide, and compliance can eat your lunch, and your dinner,” Vogel said during an “exit” interview on Ask the CIO. “So I would say think big, get views that are not just techie so that you understand the impact of choices. Listen, get the input, think about it, lean forward and definitely focus on resiliency. What’s your plan B? What’s your plan C? Because HHS holds critical infrastructure capabilities, and that’s on the shoulders of the IT and the cyber people. It really is, and everyone else, if you believe cyber is everything.”
And to that end about cyber, Vogel said the next HHS CISO and incoming CIO Karl Mathias — Vogel’s interview occurred before he was named the new CIO at HHS — should continue its focus on implementing the updates in Special Publication 800-53 from the National Institute of Standards and Technology as part of the move to zero trust.
“We put together a new HHS policy on zero trust, so that needs to be front and center. Zero trust and defense-in-depth are very important, so I would definitely focus on that kind of thing,” she said. “The skills of the people that are involved is also really important. When you have high performing employees, they like to be challenged. So take advantage of that. Take advantage of that as a resource, but also think about how to ask skill and make sure that everybody stays current on their skills.”
Landed in IT by accident
Vogel’s words of wisdom about training and cybersecurity were ones she lived by. She came to the federal government from a small farming community in Oregon. She studied political science at Colorado State University. After graduating in 1978, she earned an internship at HHS in Washington, D.C, and her career took off.
After her first stint at HHS, she worked for USAID, the Federal Aviation Administration, the Treasury Department and then the Centers for Medicare and Medicaid Services.
Vogel spent her last four years working as the HHS CISO and then acting CIO since May. She got her start in IT almost by accident.
“It was an HHS program, and I worked for the Office of Information Services, I believe it was called at the time. IT was called ADP, automated data processing, and I got a lot of experience there with great mentors,” she said. “I moved to the Office of the Assistant Secretary for Health, and I went through all of the process of how do you get an authority or an approval for an ADP project? I worked mostly with the National Institutes of Health at that time. It was really exciting because I got to see what it takes to put together a program and what it takes to manage it. We went through every acquisition, and went to GSA for approval for every IT acquisition at that time so it really gave me a thorough understanding.”
She said one of her first projects was to get approval for HHS to buy a supercomputer in the 1980s.
Vogel built on that experience while at USAID, where she worked on a project to help Pakistan with hardware and software development for their census.
“With USAID, the money has to be spent on U.S. products, and so I was able to see the companies, the quality of their proposals and help show the people there how to look for those things and what to do next. So it was helping them actually implement the technology in their country and a little bit of education,” she said.
Too many IT regulations, laws
All of her experiences left an indelible imprint on her about how difficult federal acquisition and technology can be.
“The federal IT sector is governed by over 100 laws, rules and regulations, and it is weighed down by that. I would simplify the compliance and the auditing so that we could focus being more effective with IT and cyber. That said, it’s not one office that can do this. We need to make sure that others are engaged. So I would simplify the oversight and all of the legislation that we’re constantly reporting on,” she said. “I think that the evolving nature of cyber makes it a little more difficult because it’s not quite as mature yet. I’m not sure it’ll ever get there because we have a lot of bad actors and all they want to do is disrupt some things that are important.”
Vogel also said agency CIOs need more authority and direct funding for cybersecurity.
“It really does make a difference if you have multi-year funding in your ability to plan and execute strategic operational activities. That would be a big improvement,” she said.
“The HC3 takes cyber information that we know about threats or vulnerabilities and puts it into a language that is understandable to the medical community,” she said. “We send out those bulletins to the cyber contacts in the health care industry, we have thousands of them, telling them about a threat, what it means to you, here’s how you could identify this if you have the problem and here’s what you do. Our outreach to the health care sector has been enormous, and, I think, it’s been very beneficial. We’re able to put things in more medical and operational terms than just techie talk.”
Now HHS receives more requests for cyber information to the HC3 than ever before and it’s reaching more cyber and non-cyber experts because the information is more easily accessible and understood.
Another area where HHS has changed is the internal coordination among bureau CIOs. Vogel said she reinvigorated HHS CIO council meetings to create connections across the bureaus to improve sharing, specifically of cyber data.
“One of the things in our council meetings that I did was how I sponsored what I called speed matching. The instructions were each of you bring three things that you do really well, and three things you want to improve on. And through our meeting, we paired folks up and had sessions where each of them in that pair would talk about the things that they did well and share information,” she said. “As a result, we were able to improve the sharing of everything from training on privacy or security to products so we don’t have to reinvent the wheel.”
Vogel said she has no plans for what comes next after some much-deserved rest and relaxation. She said she may do some volunteering.
“It definitely is hard to step away from because I have real, deeply-rooted sense of patriotism and dedication. And so stepping away to make a change was a really hard decision,” she said. “I did think about it over the last couple years, and this time just seemed opportune for me to try something new. I like to learn something new every day, and this gives me the opportunity to do a lot of that. So [a] difficult decision, but it’s just the right time.”