Big-picture technology cycles that once spanned a decade or more now evolve at ever-faster clips so that IT modernization – however an organization defines that state – has become a faster-moving and often elusive target. Traveling a parallel arc is the same requirement for better security technologies that can keep ahead of threat-actors who never rest.
Something that changes far less frequently than cutting-edge technology, however, are the basic thrusts of human motivation – the tendency to be reactive versus proactive, to stick with the tried and true, and to direct resources accordingly.
We caught up in mid-pandemic with Roger Coelho – two years into his current gig as Vice President of Public Sector at Recorded Future after a seven-year stint as Federal Sales Director at Tenable – for a free-wheeling discussion of motivations, the upside of tending to the proactive side of the equation, and the value of better security in a time of expanded attack surfaces. Here’s what he had to say…
MeriTalk: What can the federal government do right now on the tech front to better sustain and improve service to citizens but also to the federal workforce?
Coelho: To put a frame around the problem, let’s first consider the current state of affairs and how the pandemic differs from other big problems. For instance, we know how to deal with things like periodic financial recessions, but we’re not used to dealing with the impact of this problem, which stems from our inability to get where we need to go physically.
The state of the Federal government and how it has procured has always been a good mix of proactive versus reactive modes. There are things they target on an ongoing basis, and there are known risks they are trying to accommodate for in requirements to take care of networks – that’s the reactive side. Reactive is really where budget comes from, and it usually addresses a problem that everybody has known about, and that is acknowledged up the chain.
Then you have the proactive side, and that’s where the real innovation comes from – from people that are at the forefront of thought leadership within their agencies, and who try new things in order to get ahead of a reactive situation.
Unfortunately in the U.S. government, the budgetary constraints on proactive are pretty heavy, and it usually takes quite a bit of time to convince somebody to go outside the box that a firm like Gartner or Forrester has pre-defined as the technology spend that you need to be looking at. That makes it a little more difficult to move forward with the innovation that’s required in the public sector.
So that’s what it was before the pandemic, but now we have a different situation. Where once it was 50/50 reactive to proactive – plus or minus 10 or 25 percent – now the government is almost solely reactive. They realize that their initiatives require a virtual workforce, and that’s taking up all the cycles.
Right now, there have been a lot of procurements around the COVID pandemic that revolve around buying laptops and spending money on VPN services. So they have that very top layer of security, but the problem is they are scaling their infrastructure to boundaries that are unknown to them and are increasing their risk footprint. We’re not seeing the security side keep up with that increased infrastructure scope.
MeriTalk: Is there a sense that the lagging security you are talking about is going to catch up? How acutely are people are understanding those new security holes?
Coelho: So in a steady state without a pandemic, there is always a lag between security and infrastructure, or security and agile development. We as a government weren’t talking about DevSecOps until well after establishment of DevOps efforts. So there is that natural lag, and I think the pandemic is going to increase that a little bit, and unfortunately that expanded risk footprint is going to be attacked. So with that, the government will become more reactive about security requirements, and their hands will be forced a few months down the road in order to address that.
The other option is you do have a much-reduced resource constraint on the proactive side for security, and government can shift focus from the more traditional security technologies like hardware for the next-gen firewall, or things like that. You don’t have to put physical assets in a SOC in order to protect your network in more detail.
You could also look at things like a SaaS vendor – such as Recorded Future – who is providing intelligence that can be injected anywhere that you may need it. That helps you scale up your security requirements without the increased infrastructure, because we integrate with all the solutions that an agency has bought over the last few years. We’re able to inject the valuable intelligence to make people more efficient, provide more context to that intelligence, and reduce risk for agencies.
And back to the pandemic effect – if you have users that are now using their home IP addresses, you no longer have complete control over the activities of your daily users. Now you’re going to need to know a little bit more about the risk ecosystem around that aspect of your network versus just the traditional SOC activities.
MeriTalk: So what kind of things can Recorded Future for Federal agencies right now to help?
Coelho: We can absolutely help in the short term. We like to think of our solution as much more of a long-term solution, obviously, but even in the short term we can help because we are a real-time intelligence gathering solution.
As things change in the ecosystem, APTs are attacking agencies and there are malware and spam sites popping up that are trying to bait your users into clicking on a link that they shouldn’t. And because that threat is ever changing, having a technology like ours that can produce real-time context to threats can provide an immediate relief.
Knowing more about threats ahead of time – including COVID-related malware – is going to help you harden the assets that you need to harden, and educate employees to prepare for that kind of risk.
MeriTalk: What’s it take to get your technology up and running?
Coelho: It’s a very frictionless deployment. We don’t require hardware because we’re a SaaS model solution. We provide access to our portal, and we can get integrated into your existing technology so you can see all that you’re used to seeing right now. It doesn’t require you to change any kind of architecture or anything of that.
MeriTalk: Six months out, hopefully the pandemic conditions will have improved. What would you put on the Feds’ to-do list?
Coelho: So I have a morbid sense of optimism – I believe in times of crisis there are opportunities. Going back to proactive versus reactive, being reactive to the need for a remote workforce so agencies can continue their mission is very reactive, and it’s getting funding.
My recommendation to Federal leaders is to use that new influx of money around the problem of telework and doing that securely. You may have wanted to start on it several years ago, but maybe didn’t make enough progress, so right now is the time you can start figuring out how to enable your workforce to work remotely, not only efficiently but securely and do it now while you actually have the funding.
My advice is don’t make this a short-term fix. This does not need to be a band-aid over COVID that we are going to rip off in six months.
We need to make an assessment that we probably were not architected the way we needed to be to make sure that our workforce is the most efficient as it can be. So what we need to do is make our agencies more efficient right now, and also use that as leverage so we can avoid this type of situation in the future as well.
The opportunity here is now that folks have gotten the approval to move forward with some of these initiatives, then move forward and don’t opt for a temporary fix.
MeriTalk: To what degree will the pandemic be a catalyst for longer-term IT modernization? Is this the big kick in the pants that makes it happen?
Coelho: I think in the short term it is. I think the biggest stumbling block that we’ve had to modernization is not that the Feds don’t want to do it. I think a lot of good people in government have always wanted to go down that route.
The issue with technology in the Federal space is once you have agreed that this is the right path, is actually getting funding with agency budgets that will take care of that specific project.
At the end of the day, that process will take a minimum of a year and a half, maybe two years. Then once you get the technology in place you have to staff up in order to be able to deploy that kind of solution.
I love the idea of Federal IT modernization, and I love the idea that It promotes SaaS model solutions, because that is the way we’re all going to move forward so no longer need those giant mainframes or SOCs to get jobs done.
My fear is that we still have not set up the political engine, or the policy engine, in order to accommodate that quick of a change. I think COVID is going to throw some money at the problem, and I think it will help get the ball rolling. But I think there still needs to be some changes on that front in order for the ball to continue to be pushed down the road.
MeriTalk: Whenever the pandemic abates, will the government snap back to its previous state in terms of workforce location, or are some of the location changes more likely to become permanent?
Coelho: There has to be a permanent change, right? If we get cut, we can heal to where we’re almost 100 percent, but we are always going to have a scar there. If we don’t look at the scar, we’re not going to remember why we got cut. So we need to be able to take the lessons of the pandemic and use them. Unless we make changes to account for the unknown, then how are we going to learn from this lesson? We always have to be ready for the unknown, and we have to learn from the past in order for us to heal.