CIOs, CISO navigate management, culture barriers to telework amid coronavirus

Nearly a week into the Trump administration’s directive to maximize telework, agencies have adjusted to a new normal under the coronavirus pandemic.

Agency leadership last week requested nearly $46 billion in emergency funding to, in part, bolster IT systems to withstand a greater volume of remote traffic.

But aside from technical issues like capacity, federal IT and cybersecurity officials say management and workplace culture issues remain a persistent challenge in maintaining regular operations through telework.

At the Department of Homeland Security, acting Chief Information Officer Beth Cappello said she’s “cautiously optimistic” with the current performance of the agency’s systems with more employees teleworking amid the coronavirus pandemic.

Advertisement

The agency’s confidence in telework, she said, is built on several years spent testing the resiliency and capacity of its IT systems to ensure continuity of operations.

“A couple of years ago, during one of the major snowstorms, our remote access didn’t perform as well as we would have would have liked,” Cappello said in an Association for Federal Information Resources Management (AFFIRM) webinar last Thursday. “We didn’t have the necessary capacity, so  there was a lot of work done at DHS headquarters to shore up the infrastructure, and thus far, it is performing exceptionally well.”

As part of that resilience planning, DHS more than a year ago moved to Office 365 for essential lines of communication like email.

“I’ve been very impressed with how quickly our workforce is picking up on how to use the collaboration tools, the new ones, and how to adjust to this new telework environment. Overall, it’s been very positive,” Cappello said.

If anything, she said the biggest hurdle to telework right now is overcoming cultural barriers rather than technological ones.

“Some parts of DHS, they may have been a little more resistant to telework as a normal course of business because of their operational requirements. I think they’re finding that adjusting that perspective on telework is really important,” Cappello said.

To help overcome those cultural barriers around telework, Cappello decided to work from home last week, and hopes that others feel empowered to do the same.

“If leaders are in the office, then staff are going to feel like they need to be in the office, and that is the wrong message in the current environment,” she said.

Dan Chandler, the Office of Management and Budget’s chief information security officer, said OMB has a “very small skeleton crew” working in the office, with each employee having their temperature checked before walking in the building.

“Most staff are already used to working at home at least sporadically or one day a week, so the infrastructure was really there,” Chandler said. “We’ve always been very careful to scale that infrastructure — easier for us, a small agency, to do this — but to scale that infrastructure so that if the day ever occurred where everybody had to work from home at the same time, you have the resources in place to do that.”

The CISO office, he added, is focused on reminding OMB staff what’s allowed and what isn’t under the telework, but also providing technical support for employees.

That includes accessing a website that may have important information or connecting to devices in the most secure manner, rather than troubleshooting on their own.

The role of his office, Chandler said, means “fostering that relationship of trust, that we’re not the culture of ‘no,’ we’re the culture of ‘we can help you do your job better, more effectively and safer.’”

Lynne Clark, the deputy chief of the National Security Agency’s Center for Education Outreach and Innovation and program office manager of the NSA/DHS National Centers of Academic Excellence in Cybersecurity, said most of the NSA’s workforce isn’t in a position to telework from home.

However, she said the NSA is adjusting policies around telework every day, and keeping in regular contact during these uncertain times.

“The biggest thing is to keep people calm, keep people focused on getting as much of their job done as they can, accepting that there’s some things that we’re not going to be able to do from home,” Clark said.

One advantage, Clark added, is that the NSA workforce has a high level of cyber-savviness at a time when coronavirus-targeted phishing campaigns are on the rise.

“All it takes is one user to do the wrong thing, and best-laid plans go awry. So we’re trying to keep people informed,” she said.

John Banghart, the former director for federal cybersecurity at the National Security Council, now a senior director for technology risk management at Venable, told Federal News Network that agencies face a “manageable challenge” scaling up their telework capacity, but if they’ve implemented best practices to secure their information, the risk now shouldn’t be any higher than during normal operations.

However, he added that agencies also face challenges around training and familiarity with telework.

“Many organizations have a lot of folks who simply never work from home or never work remotely, don’t have the tools installed, don’t have the training to be able to know how to use it correctly,” Banghart said in an interview.

Best practices around telework, he added, come down to setting a routine and keeping a “work mindset” when working from home.

“This can be a challenge for a lot of people because kids are home, spouses and partners are home, but that can be disruptive,” Banghart said. “Do the best you can, give yourself a work environment where you can stay focused and have that routine.”

Meanwhile, a huddle between agencies may yield new cybersecurity guidance for teleworking federal employees.

Jeff Greene, the director of the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence, said the agency has met with Cybersecurity and Infrastructure Security Agency officials on ways to fill in some of the cyber gaps in telework guidance.

Greene, during a livestream event Monday on cybersecurity considerations for telework hosted by Venable, said any new guidance would reflect updates in new telework technology and practices.

“We are coordinating a talk with folks at CISA. We’re kicking off potentially a new effort looking at gaps to fill in between some of the telework guidance that’s been out there by NIST for years and new telework practices and technology. We hope to collaborate a little bit more in-depth,” Greene said.

NIST last week gave advice to organizations on how to keep virtual meetings secure during the coronavirus pandemic.