Following a 25-year aviation career in the Navy, John Zangardi suddenly found himself working in the IT space. The Department of Homeland Security (DHS) Chief Information Officer (CIO) explained his jump to IT started when the Navy offered him a senior executive role in the IT realm because of his experience working with budgets.
Zangardi admits it was “no straight line” from the Navy to DHS. Despite the winding road to get where he is today, in his nearly two-year tenure as CIO of DHS, he’s worked to modernize and improve the agency’s existing technology — including leading the transition to a multi-cloud environment. Zangardi recently spoke with GovLoop to share what he’s learned in his time as CIO and what IT projects he’s currently working on at DHS.
The interview below has been lightly edited for brevity and clarity.
GOVLOOP: What skills from other positions, including over at the Defense Department and in the Navy, did you bring to your position as CIO at DHS?
ZANGARDI: It’s been exciting and every day I reach and find new challenges. I rely upon my past. We’re beginning to look at some enterprise license agreements, and my background from being in Navy acquisition is really proving to be very helpful in helping me wrap my arms and my team’s arms around that.
An uncle of mine said a long time ago that the key to success is not necessarily that you’re the smartest person in the room. The key to success is coming into work every day when you’re supposed to, leaving when you’re supposed to, not cutting corners, maintaining your honesty and your integrity, and being persistent in doing your job. Doing those things really separates the wheat from the chaff. It’s not that hard to get ahead if you do those simple things every day in a repeatable process.
GOVLOOP: Those are some great nuggets of wisdom. Is there anything else you wanted to add that you would like other IT leaders to know about getting into the position or pushing for innovation in the public sector?
ZANGARDI: Being a CIO is a very difficult job because the pace of technology changes so rapidly, and the expectations of the customers in government are so high. We run a network that gets attacked. The ability to communicate why you’re doing what you’re doing is truly key.
One of the things I counsel my people on is that when you’re sitting down with senior executives and political types, you have to be able to explain in English, not IT. IT is a separate language full of acronyms and terms that are different. You have to explain why you’re doing something in simple terms. You cannot presume that everyone has the same deep understanding of your profession that you do. It’s very important that you explain things in a way that folks can understand, and you have to do it in a way that keeps them up to date and shows the consistency in your approach.
Having mentors is important. Having multiple mentors is probably even more important. Just having one mentor means you get one perspective. Someone else may have a completely different experience and shed a different light on this topic than I do. Don’t limit yourself to just one perspective; get multiple perspectives.
And lastly, it’s really easy in IT to feel discouraged. In IT, very rarely do you get a thank you. We usually get complaints, and it’s so very easy to be discouraged. I always remind my folks that when you’re not hearing complaints, that’s really your ‘thank you.’ And you’ve got to keep blazing the trail forward.
GOVLOOP: Email phishing scams and other ransomware-type attacks are on the rise across the nation. It really only takes one employee clicking on a suspicious link to compromise the entire system. What practical measures can both the private and public sector take to avoid falling victim? And are there types of training or exercises that you recommend that you do for your team?
ZANGARDI: Email phishing scams are an easy way for the bad guy to get in. We do training on phishing and it’s mandatory. It’s really important to make sure our folks understand that’s a big vulnerability. Maybe it seems really tempting to click on that link because it looks like it’s some sort of trusted friend, but you don’t know if that trusted friend is really the person you think it is. You shouldn’t click on links, even if it’s coming from your mom.
Cyber hygiene is absolutely critical: that means two-factor authentication, that means getting to modern OS [operating systems], that means patching. Those are really critical things. And if you’re at home right now and you’re running on an old version of Windows that is no longer supported, get off of it. If the vendor is not supporting that particular operating system, it means you’re not getting the patches to protect you. You want to make sure that you’re using common sense in making it complicated and harder for the bad guys to crack [passwords].
It’s training, it’s cyber hygiene, and it’s recognizing that you need to have software to protect your network, home or work.
GOVLOOP: You said last October that you want the cyber and IT hiring process to be more limber, in an effort to compete with talented employees in the private sector. What does that process look like for your department, and has it been effective in terms of time to hire, finding strong candidates, and other priorities?
ZANGARDI: The Cyber Talent Management System [CTMS] is managed by our Chief Human Capital Officer, [Angela] Bailey, and she’s continuing to work and bring the process into full bloom. It is not yet up and operational, though I am optimistic that it will yield the benefits that I talked about in previous speeches about flexibility and getting the right talent skills in your organization.
We need something that allows us to be more flexible to bring people in when we need them. We need to be able to pay people more. When you talk about IT people, particularly those in the cybersecurity profession, the demand for their skills is very high. A lot of the folks who work for me can walk out immediately to industry and get a very high-paying, well-compensated job. We have to compete against that, and that’s a challenge. Finding ways to be able to offset that is important.
While we wait for the CTMS to get in place, one of the things we’ve done here at the DHS Office of the CIO is to put in place something called the Cyber Retention Incentive Pay. It’s more of a band-aid that helps us provide additional compensation to those people in critical cyber positions, recognizing that they can go make more in civilian industry. That little bit of offset really helps them feel more valued as an employee, and I think it will result in higher retention across the years.
This summer we did a cyber internship with about 10 folks who are in college. We brought them in here for eight weeks. Instead of just walking them around and showing them, we actually got them involved in projects across the organization. We did not just have them doing data entry; we gave them higher-level tasks. And my senior executives who report to me said that the products they received from these interns were of high quality and of benefit.
GOVLOOP: Are there other modernization projects directly related to IT?
ZANGARDI: My first priority is network modernization. I have to be able to protect, connect, and deliver capability to the Department of Homeland Security employees in order for us to do our mission. We were able to get to a point where we were able to get complete concurrence on how we’re going to move forward. We got that basic document put together, we have briefed OMB [Office of Management and Budget] and the Federal CIO, so we’re going to start moving forward on the enterprise infrastructure services contract and getting it out there.
We’ve been spending a lot of time on cloud computing. One of the key components of anything is training. We have recently done a Cloud Stand Down Day, where we provided training to all of our employees. It was introductory level to make sure that all my employees across CIO understand what cloud is, understand what it could bring to us, and understand how it works. The next session will be more focused on the intermediate level, and we’re going to start moving into the area of security.
When I got here, we started looking at our security operations centers [SOC], and how we can improve them. We call it SOC Optimization. And the key thing here is we want to take our 17 SOCs and make sure that they provide exactly the security services we need to ensure that each of the components and the exporters is secure. We’re now going to inspect our SOCs on a three-year cycle, and we’re going to issue each of the SOCs an ATO [authority to operate] that will be good for three years, then we’ll come back and reinspect them. The objective here will be every time we come back, we’re raising the bar.
We’ve also gone down the road in trying to improve or speed up the time to get applications and systems on the network. Our policy this year is something called Authority to Proceed. It’s a takeoff of an ATO where we look at the system coming on the network and leverage either its FedRAMP certification or another ATO from an agency and department. That’s about reciprocity, but there will still be things we’re concerned about. The key thing is, as we take out those high-risk vulnerabilities and resolve them, we put the things on the network. That system goes on the network, and it has the ability to operate for a year, and during that year, it needs to close out everything and mitigate it. At the end of that year, we’re going to put it into continuous monitoring, and grant it an ATO. That’s a way of speeding things up.
To comply with legislation, we have designated an interim Chief Data Officer [CDO]. It is my CTO [Chief Technology Officer], Brian Teeple. He has some tasks over the next year, one of which is to begin looking at what our federated enterprise data strategy looks like.
One of the things that a CIO is responsible for is thinking about the future. When I talk about SOC optimization and network modernization, that’s near-term future. But what’s coming downstream?
We’re positioning ourselves through the CDO effort and others to start looking at AI [artificial intelligence] and ML [machine learning]. Generally speaking, we’re going to start with RPA [Robotic Process Automation]. We’re going to address business systems first, and then later move on to mission systems.
We’ve begun spending a lot of time thinking about zero trust and how we would implement it on our networks. And this is key because we’re at an inflection point with cloud, with AI, with 5G and all the drones that are out there. The perimeter defense to the network is becoming a thing of the past. Because we’re having many more connections to our network and more devices on our network, we begin to need to find out and determine what the right way is for us to move forward in that different world. These new technologies that are coming downstream are going to force a lot of changes on us.