CarahCast: Podcasts on Technology in the Public Sector

GovForward FedRAMP Headliner Summit: Stand in the Arena: Culture and the Cybersecurity and Infrastructure Security Agency

Episode Summary

In 2021, CISA Chief Information Officer Robert Costello made culture one of his top priorities. This moderated keynote will cover some of the challenges he faced, how his team addressed them, where those initiatives are delivering results, and why it’s important to have room to fail.

Episode Transcription

Anthony Jimenez 

Welcome back to CarahCast, the podcast from Carahsoft, the trusted government IT solutions provider. Subscribe to get the latest technology updates in the public sector. I'm Anthony Jimenez, your host from the Carahsoft production team. On behalf of GovExec and Carahsoft, we would like to welcome you to today's podcast focused on FedRAMP. This moderated keynote will cover some of the challenges he faced, how his team addressed them, where those initiatives are delivering results, and why it's important to have room to fail.

 

Francis Rose 

What I think is really cool about this conversation, Bob, is that we have talked all day today about the technical stuff about security, and the techniques that people are using. And you don't want to talk about that stuff. Well, I mean, it's not that you don't want to. It's not fair, I said that wrong. But you wanted to focus on culture. And what I think is really good about that is culture is the piece of this that just about everybody, whether it's the industry side or the government side, says we've got to get that right. Because the technology, these companies all have terrific technology solutions, and they are all more than happy to tell you about them. I'm aware you focused on that when you went into CISA a couple years back. What did you find culture-wise when you got there? And how did you determine what the actions were, what the steps you needed to take were, to get from what you saw then to where you want it to be, whether it's today or at some future point where you're still working toward that goal?

 

Robert Costello 

Sure. So I think some of the things I noticed right away, I came back to government to come back over as the CIO of CISA, and it was very clear I took over an organization that was scared of technology, scared of change, and an agency still trying to find itself. They had been NPPD for a long period of time; they hadn't been CISA very long. We're only on our, you know, really first full administration as an independent agency as part of DHS. So, there was a lot to do. And if we didn't get the culture stuff right, like all the other stuff doesn't matter. So what we really did first was, first I refocused. My office is pretty small compared to other offices of lead in the federal government, and even small compared to, say, the Cybersecurity Directorate of CISA; we're about, you know, for every employee I have, they have 10 to 12 employees. So, we're a little bit over 100 Feds right now. And then, you know, we've grown a lot in the last two years. So, I made a quick shift to hire very technical heads, sometimes more senior than had been there before, people that really live and breathe this stuff. And then people that really want to be part of the mission. That was what was really critical to us, to be embedded with our customers, because we're working with some of the best. And if I'm going to look at other systems, I need really good people to work through that. So that's been kind of what I focused on. So, we need very technically adept federal employees and people that just, you know, kind of know what they're doing. And that was something that we had to really change in the office. And now we're kind of in, you know, officially, it's been two years this week, we've really dramatically changed how the office is viewed. So now we're a place that people from other parts of CISA are asking to come work in. And we're now doing some really cutting-edge technology solutions and providing services to the agency that we weren't before.
So that's been, you know, really gratifying.

 

Francis Rose 

If this was a sports team, and you, let's say you came into it, it sounds like, in rebuilding mode. And then there's the talent acquisition mode, where, okay, now we're starting to, I think I can see where we're going to be good. And then there's where, say, the Orioles are, where they're really good now.

 

Robert Costello 

I'll take your word for it.

 

Francis Rose 

Please, best record in the American League, by the way. Sorry.

 

Robert Costello 

I'm an IT guy.

 

Francis Rose 

At least you didn't say "I'm a Yankee fan," which would mean this conversation... No, that's not bad. They're really good now, and kind of hitting a crest. Where would you say you are on that continuum? Hitting the crest yet?

 

Robert Costello 

I think we are. Like, so we actually, and we could have, you know, great arguments in the audience and good discussions about, like, the validity of the FISMA scorecard measuring your cyber posture. I don't think people would argue; I don't think they would either. You know, it does provide a metric that we're measured on from the department, and we've taken ours from what was pretty much the worst in DHS to either the best or in the running for the best. So while I may not agree that it overall improves my cyber posture, if you're not doing those very basic things, then I would have no time, because every month it's extensive meetings on why everything is red or yellow. I would say that we're hitting that crest and really have made some dramatic improvements. We now understand how to use all our tools from vendors that are possibly here today, which has been a great improvement. There's also a pretty big shift in our customer base. They're trusting us. And I think they're seeing a difference in how we're running the organization, myself and my leadership team. So, when we have issues, we're very transparent. It's kind of like, you know, Wall Street doesn't like it if you hide things from them; my customers won't like that, either. So, we pretty much share really broadly with them, whether it's good progress or issues. And that wasn't how the office historically operated. So, I think we're hitting a crest and now it's figuring out how to keep it running. Next, you know, you want things to run after you leave. Yeah. And leaving? No, no, when you step into these roles, it's very different. Like, I used to be a tech person, and then I've come up, I've been at DHS 15 years or so; you never expect that you're going to be the one talking to OMB or having to do, you know, briefings to Congress or stuff like that. So, we've gotten the office to the point where, you know, we're really hopeful in the next couple of budget cycles it's self-sustaining.
And it wasn't before, like it was one of those offices always begging for end-of-year money. I think we're hitting that stride; I think we've got another couple of years to get it to where I want it, to where it's comparable to some of the other CIO offices in DHS for stability, across the board.

 

Francis Rose 

You've talked about customers a number of times already, just in this conversation. I've seen you speak before and talk about your customers. I imagine, given CISA's role inside DHS and the role that it plays for the federal government, in the cybersecurity community, and in the entire country as a whole, there are some pretty demanding customers when it comes to information technology.

 

Robert Costello 

There are. You know, I thought Border Patrol and field operations were tough customers; there's nothing harder than an entire agency that has a lot of IT running throughout it. One of the ways, you know, we've had to build our credibility, and a lot of those systems are moving to us to run now, which is a big deal. The Cybersecurity Directorate, to your point, is a very demanding customer, as they should be, you know; they're often writing the policy or running systems that have a national-level mission. So, our goal is to enable them to move faster, to not be obstacles, and to be good partners. Yeah, it's been one of the biggest challenges of my career, because we started like, my office didn't just have technical debt, we had a lack of technical know-how in our contracts and some of our staffing, so we had to make some really big, dramatic changes to be respected. And that's, you know, understanding that their mission will always intersect with my internal one. We try and concentrate very, like, when I speak about CISA, I don't speak about CSD's mission; they are the outward facing on that, but I need to make sure that they don't have to worry about those internal things. So some of it was just, you know, getting a handle on the business systems. They shouldn't have to worry about having a non-working human capital system; they shouldn't have to worry that, you know, they're coming to you and saying, "We want to roll out this national solution," but your shop's telling us an ATO is 24 months. So, we've gotten that down significantly, and sometimes down to 30 or 45 days for certain types of systems, which is pretty good, but we're getting better. That's been the key, and then also becoming a more vocal partner to the DHS CIO and CISO community. So, I'm really happy that, like, we led the way in an initiative earlier this year on an archiving solution for certain types of messages.
And the CISA solution was adopted by several other components much larger than ours. And then my team was asked to provide, like, technical assistance to one of the larger law enforcement agencies. That was, like, a big moment for my team and myself, you know; my CISO and her deputy are really providing great inputs to the DHS as a community. And that wasn't historically how NPPD and CISA OCIO functioned. So those are some really great things that are going on.

 

Francis Rose 

I think the timing there is interesting, too, because my sense is that the CISO community inside DHS was not as strong more broadly as it is today. Ken Bible was on the TV show three weeks or so ago, and talked about his CISO Council; that's become really important to him since he's been there. And even if there had been infrastructure in place where the CISO could have contributed, I'm not sure at some point in the past that would have even existed to contribute to in the first place.

 

Robert Costello 

Yeah, I'm really impressed with the CISO Council. We get a lot of, you know, I get the meeting notes and stuff from my team, but it's very active and they seem to have really coalesced. You know, historically, the agencies of DHS operated largely independently. Shocking. Yeah. Shocking. Nobody saw that coming. The DHS CIO's shop, which, you know, would shift often from policy to technology and back and forth, depending on, I think Ken has done a really nice job. And I really see the value of what they're doing. And I'd say the CIOs are all working closer together too. Yep. Eric and Beth have done a great job at that. And many of us have worked together for many years. All the CIOs, whether it's Charlie at FEMA, Rochelle at ICE, Bill at CIS, all of us have worked together sometimes for 15 or more years. Yemi. Yemi. That's right, over at TSA now. Yeah. And that's really helped us to the point, sometimes just our team sharing information, or just us bouncing ideas off each other. It's something that I don't think existed in prior years.

 

Francis Rose 

All right, you've listed as your priorities training, CX of system, and IT modernization?

 

Robert Costello 

Well, sure. I mean, like, I think I get in trouble if I don't list those things. Well, so you know, customer experience is really important. And as CISA kind of grows, and you know, everyone's interested in what CISA is doing, you know, what is next for CISA, and everyone's really looking at, you know, we've gotten a lot of things from Congress on authorities, or CIRCIA, which is going through a rulemaking process, we have to make sure that our external interfaces are well built, easy to use. And that hasn't always been something that as an agency we've concentrated on, because we didn't have to do that. But that's an area that we really want to work through. I think one of the other experiences we have, too, is, you know, we have a large field force that's out there advising on physical, cyber, and election security issues, and their tooling was pretty awful. A lot of it was very antiquated, or headquarters would roll out, like, a CRM solution that had had no testing; you know, it was built for headquarters, and people get it out in the field, and it doesn't work. So, we really want to improve on that. And then just CISA workers in general, like, we want people to come work at CISA. We just hired over 1300 people since 2021. I think we announced that on Tuesday. No one wants to work at an agency where you can't guarantee that you'll get paid every two weeks, or the human capital system doesn't work. So, we've been really working to next-level that off. And we actually launch the new system with the new fiscal year. And we really tried to model it on things that you'd get in private industry, like it should be largely automated; if you want chat, if you want to submit tickets, and things like that, we don't have that today. And that's not going to work; well, it doesn't work for me. And it certainly doesn't work for people new to the workforce. So those are things on the CX front. IT modernization is huge.
I inherited a lot of technical debt, a lot of systems that had been built over the years, sometimes running in different environments outside DHS. It made sense at the time; it doesn't any longer. We had some cloud migrations that could be textbook cases of how not to do it. You know, really, really struggling. We're gonna take those systems, evaluate them, and then figure out how best to provide services, because we have to provide not just services to the cyber arm of CISA, but the Infrastructure Security Division that handles, well, infrastructure, more on the physical side, the chemical security mission, the National Risk Management Center, all the business systems. So, we have to kind of be, I really see the OCIO office as that core. There's a strategic plan, and in Director Easterly's released plan, it's agency unification. You can't do agency unification if people can't talk to each other, if people can't share data. So, I really see my office as a big enabler, through technology, of agency unification and breaking down a lot of those silos that had existed before.

 

Francis Rose 

So, the first of those priorities that I listed was training. And I imagine that's really important to your cultural transformation concepts, not just to teach people, "here's the skills that you need for your job," but maybe on some level, and maybe this isn't even formal training, "this is how we do things around here now." Is that part of it?

 

Robert Costello 

It is, and some of it was, like, when I took over, I'm like, well, what conferences do you guys go to, what training? And the answer was none. So, we just sent our first, we had about 10 people at, you know, DEF CON and Black Hat, which for my office was a big deal. And they came back, and they briefed our teams today. One of the things I've always had for many years was, if you go to a conference, you have to come back with something you're going to teach or something we're going to implement. And they're doing that. We had no training program, so people had no technical training, so they didn't understand cloud or modern approaches to a lot of things. So, we've established a whole training environment. We got a lot of that leadership and other training through the agency and things like that, but I really had to establish that baseline and give people the opportunities I had to learn and grow. So that's why training will always be big with what we do in OCIO, because I am really committed, like, we have to be the best across all areas. And that's working with our partner community too, whether it's OEMs or our, you know, contract partners that are staff augmentation or actually doing a lot of the technical work. I need people that understand contracting and are experts on it, to make sure that we're effective on the government side as well. It's always a two-way street of contracts performing.

 

Francis Rose 

Yeah. That partner community concept, I think, is important to touch on in the time that we have left; I know we're starting to run down. But because I imagine your partners, you're not just talking about the vendors that you work with. You've got partners in the C-suite there. You've got partners in acquisition; you've already talked about HR and the importance of that. And I imagine you have HR folks that you're working with to help you roll out those things and bring people up to speed. What does that ecosystem look like? Who are the people that have really helped you move the needle to whatever degree that you did?

 

Robert Costello 

I will say, like, Director Easterly and our Deputy Director Natarajan have been great bosses. You know, you never get into government, or at least I didn't, thinking I'd ever be, like, reporting to an agency head. They are super supportive. And I think when you talk about the C-suite, one of the best things a CIO can do is make sure they never have to call you with problems. Yep. So, like, the first thing I did was, like, there's a whole team that supports them. And that makes my life easier. But they've been very supportive of our initiatives and our approaches to crack things. I think we have a great mission-enabling suite of leaders. So, I have a very strong partnership with our chief of contracting operations; we actually tend to talk multiple times a day. We actually have, like, syncs at, like, eight or nine o'clock at night this time of year to get stuff done. And that's vitally important. One of the areas that, you know, we're working to improve is to make sure that's spreading beyond us, so that our teams are doing that too. So again, that we can continue to leave a better agency than when we took over.

 

Francis Rose 

Regarding people, another guest on the TV show a couple of weeks ago was Charlie Armstrong. You mentioned Charlie a couple of minutes ago; he's going to be dipping into the Cyber Talent Management System to bring people in. So is that something you see on the horizon for you?

 

Robert Costello 

It is. We're actually using it pretty extensively in my office. And in CSD, we were some of the first ones out of the gate. We have, I'd have to look at the numbers to see what percentage my office is now of CTMS. We've gotten some amazing, they call it entry-level or developmental talent through it, really outstanding individuals that I don't think we would have reached before. It does make us a little bit more competitive with the private sector and our ability to do certain things from the recruiting front: offerings, sign-on bonuses, and things like that were not something typically part of Title 5. I think that we're going to use it where it makes sense; it doesn't make sense for all positions. I would say that it's been a great partnership with DHS headquarters on that. Eric and Beth and their CHCO staff up there have really made it work. It's gone quite well; like, I'm quite happy with how it's going. You know, whenever a new personnel system stands up in the government, it's hard. I think this took DHS seven years after they got the authority to stand it up. You're not going to know in a year if it's working. It takes a long time for these things. But I think by and large, we're doing pretty good.

 

Francis Rose 

We'll go back to culture, as we talked about at the beginning. How do you, or how does one, measure whether the culture is moving to the degree that you want it to move? Whether the efforts that you're undertaking are successful?

 

Robert Costello 

I think it's like with anything. And to your point, we have, probably early in the day, a lot more vendors here; like, any vendor will tell me this tool or solution will solve all your problems, right? Well, how do I measure that? Because it probably created 10 more problems along the way. You know, "what gets measured gets done" is one of the things I live by: metrics that matter. I think when you look at, I try to only concentrate on myself; like, it's not my job to tell the CFO how to do their job. I think one of the things is people asking to work here, you know, people asking to come over because they see change, we see things going on, we see things going better than they did. That's a measure, maybe not quantifiable, but it's there. I think some of the other ways, too, is when we're a CIO or an IT shop, when people are saying, "I'd rather give you money than do it myself," that's probably the hallmark that you've arrived. And that was something that we started with Border Patrol in 2012. They had a lot of what would be considered rogue IT. When we left, myself, Michelle, Phil and Fred, Beth Cappello and others, we couldn't stop them from sending money to address their IT needs. That's where I'd like to get: instead of us running a rogue solution, we want to come to you to get it done.

 

Francis Rose 

An old Washington soliloquy: follow the money. It's a good sign when it's coming to you. Exactly. Robert Costello, it's great to talk to you. Thanks for doing it. Thank you.

 

Anthony Jimenez 

Thanks for listening. Don't forget to like, comment, and subscribe to CarahCast, and be sure to listen to our other discussions. If you'd like more information on how Carahsoft can assist your organization, please visit www.carahsoft.com or email us at fedramp@carahsoft.com. Thanks again for listening and have a great day.