my name is Arun AER and I'm going to allow our uh guests here to introduce themselves we're starting with savan uh good morning everybody my name is savan Kong I'm the customer experience officer for the Department of Defense I'm Bob Cunningham I'm the executive director of our Enterprise command operations good morning everybody Rick Driggers I lead exenter Federal Services cyber practice good morning my name is off hello I'm Dr Tina rri I'm the sizo of cfpb anything I say here is my opinion uh and past Excellence is no guarantee of future so I'm not endorsing anything and uh don't take any of my advice as legal guidance thank you thank you Dr rodrigue I think you said something for all of us here so thank you very much um so um you know this is our first mainstage event and like I said it's kind of difficult to follow uh that great presentation uh the title of our session is building a resilient government uh with secure Automation and what I want to do is just get the state set on the kind of challenges we're facing you know we have leaders here from various different federal agencies and we are now in a place where every constituent every citizen everybody who's interacting with the government expects consumer grade experiences what that means is it's a personalized experience and which means that we want them to register with us which means then we get some demographic demographic information and that becomes pii and now we are the stewards of that data so Dr rodri U starting with you it seems like we are hearing a lot about automation AI zero trust in every aspect of it transformation so how do these collectively help agencies to prepare and respond to these cyber threats the best part about those aspects working together is that it helps identify the patterns more quickly and speeds not only the recovery but the resilience so that you're able to quickly identify anomalies more um pardon me you're able to respond to them more quickly you're about able to see whether or not there's lateral movement and if there is any aspect that you had not accounted for the best part about automation is that if it's a clear defined repeatable pattern you're able to elevate that into orchestration and if it's something where you need our big beautiful brains in order to discern what is the next step you can get to that step faster yeah oh thank you thank you for sharing that and you know we we addressed the secure automation the secure part of it you know I want to go to Bob if you will on the automation part uh where you know if you can share what are the best practices that you offer agencies that are just starting to automate because we know they're on a Continuum right correct so what you have to do is you have to review all your processes right and one of the key things when you're reviewing those processes you want to think big the large picture but you want to start small you want to take the smaller items and you want to look at those make sure that they're optimized before you start the Automation and as you're automi automating those those processes you also want to look at your tools and you want to have the best solution for what you're doing and you want to be able to have reuse you don't have to always develop it yourself so you want to have that that reuse you want to make sure that when you're looking at those processes and you have that optimization that security is always top of mind if you're not thinking about security when you begin to do it you're going to find out about it when you have issues on the back end and then the one of the other issues that I think is is really um necessary is when you're doing the automation is you want to keep it as simple as possible and then the last thing you probably want to do is make sure you're looking from end to end you don't have to automate a process 100% you can pick and choose different areas within a process to have that Automation and then iterate and get better thank you Bob um for sharing that the automation aspect of it so we started with talking about the data that we are trying to protect you know and you know that's where the resiliency of the government is because when you present a trustworthy set of applications and systems to the citizens and constituents you have more adoption so that turns into a challenge for somebody like Deon at the Department of Education you have vast trows of data of the student information we all know data is monetizable that's the that's what bad factors are trying to get at so AI automation zero trust how are all of that coming together in the Department of Education yeah it's a great question I think before we got to the how we really try to Center on why do we do why do we need to automate why is AI important why is zero trust important and one of the things that we constantly speak to each other about is what data who data do we have and we realize very quickly it's the data of our family our friends our neighbors our co-workers right there's not a single person probably in his room does not have somebody that they know that does not have data within our system so so we take that wide then we really use that to drive the how and a lot of that symetry that we created between the teams that we have between the department as well as the federal student a we look at where do we have chos of data and one of the things that we worked on is really truly integration how do we take the data in other environments and integrate it into a holistic environment so that we can make better decisions so that we can power the tools that have ai and Automation and really Drive forward one of the things that we realize with zero trust is that there has to be orchestration between those various pillars so we worked very hard and really Baseline of where we are today and really pulling that data together so that we can make better decisions moving forward H so I me then you know we talking about the data that we protecting the the Automation and the security perspective I just want to throw up in a general discussion question um you know the resilience against all the cyber attacks and other dis itions you know that's something that the government is always trying to get ahead of um workflows automation you know how are these helping you improve the security uh security operations and the ability to kind of respond to the threats um open question anybody want to take that yeah I could I could take that around I I think you know from a Department of Defense standpoint so my role is a relatively new one in speaking um primarily for the war fighter but you know one of the things that we do is we really try to um dial in the amount of risks whenever we're actually um deploying new technologies deploy new processes and what I'd like to tell people is you know there was thousands of years ago um when you had the first caveman and they were building the first tool you know the risk between what that caveman was building to him eventually catching LGE was very low because he was the consumer of that Tool uh he was the inventor that tool and so he knew that the results were going to be three things right he's going to get the lunch the lunch is going to get him or or he's going to go hungry fast forward couple thousand years that risk has now sort of like expanded because the distance that we have from the user all the way to the tools that we're producing are are now pretty vast and so the key for us is really understanding where we want to automate and scale things so that we can expedite our ability to deploy new technologies but also know um what that customer workflow is so that we can make the right decisions on what to automate what to improve and then what to scale back yeah I I think it's it's incredibly important and I want to go back to something that Bob said about um Simplicity particularly when there's a government disruption or something like that Simplicity is going to be incredibly important and so making sure that what you're automating you're doing it in an intentional and focused way um and that it adds Simplicity um to to whatever the workflow is and I also think that embedding security up front and making sure that that that that is is purposeful is is also incredibly important and you got exercise right you got to exercise these workflows you got to exercise these processes you got to make everybody understand and be familiar with the automation that's going to be key to coming out of that disruption yeah that's you want to add something yeah part of what I wanted to share is that by having our um aspects all feed into a single pane of glass we're able to have full visibility from the procurement front all the way through policy and compliance down through to the Cyber operations so by having that consolidation we get away from the fragmented areas of information to truly executable information that we can then orchestrate and automate and it's through those Integrations that we're able to consistently reliably protect to the point where at cfpb at least sometimes people don't even recog recognize the 10 million threats we protect against every single day that's interesting I mean uh I think looking at it from a holistic perspective and you know getting that information like you said in a single pain of class uh but savan you know from the dod's digital modernization strategy I've heard of these four strategic initiatives that you have you know the Innovation for Advantage the optimization the resilient cyber security and last but not least the cultivation of talent mhm so how will the user experience portfolio management that is the office that you are working for how does that contribute to these kind of for uh that's a great question you know I I think one of the things that that my office is really trying to do is reorient the conversation to less about the the functions of what it is that we're doing whether it's zero trust or whether it's cyber security and more have the more centered discussion around the outcomes of the mission right I think there are certain things that are within that spectrum that are important that we need to understand but in order for us to really deliver for the war fighter we have to understand the environments that they're in the conditions that they're working in the Technologies they're using um the challenges that they have and I would say that there there are certain key elements to what what that package looks like and for us it's really foundational to be able to understand um you know what it is that Baseline that we're working with and then be able to start to like I mentioned before automate some of the things that we need to scale the department defense is a massive organization there's nothing that's a one- siiz fits all so in order for us to really understand how things like AI can really improve the war Fighters lives we really need to understand you know the problems that they're dealing with um you know uh we we talk about jobs to be done in my in my office right the job to be done is uh a term that Clayton Christensen had had had had coined uh over at Harvard and the idea behind that is really that people hire things to achieve a job and so for us is getting back to the basics right understanding what that is and then we can then apply things like zero trust in a more meaningful way that can have a much greater impact at scale oh okay I mean I know it's a new office so I think you know lot of the um specific Focus that you have now across all those different four pillars that you have but I want to switch gears into you know Rick you come from a Services background and you see across the uh the the landscape of the federal government uh you know you see agencies using automation AI zero trust um how are they doing that to improve operational resiliency I mean we talked about security but operational resiliency is also an important part of that share yeah I think you know it's a great question I think from an you know obviously AI Automation and zero trust they feed each other but there are also different approaches to those underpinning the success of any of that is data data data so you got to get a handle on your data from an AI perspective uh you know we're seeing pockets of successful implementation specific to uh certain use cases we're not seeing you know kind of wholesale Enterprise level implementation of AI yet there's a lot of planning for it um a lot of Readiness um I think that you know one of the things that really uh people are focused on is you know the responsible and safe use of AI and uh I think some of the work that is coming out of the nist artificial uh intelligence safety Institute Consortium is going to is going to lay the foundation for those types of policies and that planning moving forward on on the automation front we are seeing automation I think people have been trying to automate various different workflows uh for a while using various different sore tools and things of that nature so like threat intelligence to get near to real time you know um identification of potential threats and vulnerabilities in your Enterprise um incident um handling uh and escalation um incident triage so that you can have a more efficient more effective and faster response time uh to uh to incidents in your environment as well as automating playbooks to really balance the workload that your analysts have and making sure that you know those kind of routine mundane tasks are automated so that your your analyst can focus on more more complex tasks on the zero trust front um we're seeing a lot of planning we're seeing a lot of initiatives uh like the VA trust um first initiative um a lot of resource planning uh going in um and I think that you know one of the things that we've seen from an exential Federal Services perspective is a lot of focus on identity and access management programs and really getting those mature uh and what we are hoping and what we are talking to our clients about is pivoting from that obviously get those programs mature uh that's first out of the gate but then and then use that as a pivot point to really move into a zero trust journey across all of the other pillar from data Security application security network security that sza has laid out as well as the Department of Defense that's going to be key um you know one of the things that we've done we've partnered with service now to build a zero trust maturity assessment it's a zero trust 360 and what it does is provides a comprehensive security assessment of your of your cyber security posture across your Enterprise and once you have that assessment you have a much better understanding of what your maturity level is and you're able to put measures in place to to Really track your progress and it also allows you to build a strategic road map of of solutions and actions that need to be taken in a prioritized way whether it's a technology upgrade or a uh or process refit wow that was pretty comprehensive I guess going across the landscape and I think I want to just segue into something that you brought up here in terms of sisa's zero trust maturity model so I want to kind of uh throw this to each one of you from the government space um cza has this maturity model with there are four levels and there's the partial and then there's the risk informed and then you have repeatable and then you have prepared and you have risk optimized so those um levels of maturity if each of you can share where you think your organization is uh in that maturity model currently Devon you want to start I'll go first and I'll use the analogy that we that was used earlier I think some systems we have from assessments that we've done are at M Mar five and some systems are at M marker one so as we look across the board we're Gathering where we at where do we want to be some systems may continue to be at M Walker one but again it's that assessment that was talked about earlier that we're doing across the board we started with our servicers we moved on to other systems to really evaluate where we were so we can make Target investment into those systems and again from our standpoint or ation automation is key so from the security operations center leveraging all that data that we're Gathering from these systems as well as taking the orders from on bm21 2131 and saying we now have these trolls of data what do we do how can we automate this enable the sock to be a better sock to enable us to have a better Enterprise view of the environment that's something that we're looking at holistically but from a system level we're still looking down to making sure we're making decisions that make sense for that system oh anybody you want to share what is your maturity level in the organization yeah we're currently between an advanced and optimized state but part of what we did is we started with avoiding the boom and shifting left and so now we're continuing to shift left of the build left of the buy left of the budget left of the business case so that by consistently integrating the governance into the visibility we're able to build zero trust while they're still dreaming of the solution in that that ideation stage of the digital product development by starting as partners early we're able to integrate security throughout and then that's how we were able to get to el3 on time that's how we're able to make sure that we have full visibility into each new product and then in the off chance there might be something new or novel that someone has adopted we're able to detect it quickly and help it get well and immediately oh can I just ask you to repeat what you said left off left off yes so we wanted to get left of the boom left of the build left of the buy left of the budget left of the business case wow that's pretty cool I like that whole progression of how the you've approached those things thank you thank you for repeating that uh so soan you want to share your maturity level I couldn't have said it any better yeah Bob you want to share yeah same here with the the VA is such a large organization with so many different uh Avenues and so many different applications um it is all about trying to get to the entry point the left of very cool um so I I know we we um we talk about all of these things that we must do uh but one of the things that we do is we throw a lot of things to our cyber security operations teams who are already overstretched so Rick I think you see a lot of this in the services space when you implement these Solutions what are some of the cultural and operational changes that agencies need to make uh so that they can position all the these new you know shiny objects AI machine learning and related Technologies you want to share look this is a great question and it's an incredibly important question I think that obviously from an operational perspective we have to invest in AI machine learning skills for uh employees across the board they've got to be comfortable uh with with with what artificial intelligence is what machine learning is um obviously robust data management practices I talked about this a little bit earlier it really is all about data um making sure that AI can be successful in your organization and successful the way you want it to be successful in terms of workflows and process Automation and things of that nature I also think in in in investing and integrating AI into your workflows is going to be important so start that out whether it's an MVP or whether it's a pilot but get started now because AI is here uh it's not coming um and I know that there's um you know a lot of uh attenion about whether we're behind the power curve or whether we're in front of it we're certainly not in front of it so I would get started immediately and then I think one of the other important things is to implement measures you want to be able to uh be able to detect anomalies uh and things of that nature in the AI as it's working within your environment from a cultural perspective you have to embrace Innovation AI is going to allow Innovation to happen at the lowest parts of your organization and you want to Foster that you want to promote that um and so I think that embracing Innovation is incredibly important promoting collaboration kind of breaking down those silos that we have in the federal government breaking those down and making sure that different parts of the organization um at the lowest ends are collaborating with each other and talking to each other and supporting each other and in developing data literacy we talked about AI uh skills and Investments for your your teammates for your employees uh data literacy is going to be important as well and not just for it cyber security and data scientists but data literacy across the board so your HR professionals uh your budget professionals uh your oper people working in operations it's going to be important that they have a foundation for data literacy and I think another very important thing is rewarding risk don't be risk averse and I think Admiral mccraven said this uh very well is you have to be able to take risk you need to fail learn fast and move forward because uh a lot of this is going to be unknown the power and the The Innovation that AI is going to bring to to all of your mission areas well said thank you um you know we've been talking about uh the Technologies and you know I think the audience would probably want to know what successes have you had I mean AI is already here machine learning has been here since a while so if each of you can share what successes you have had in your existing environment uh because it's not new I mean only the Gen AI part of it is the new one so if you want to share anybody take um on what successes you've had yeah I mean I could start you know we've uh the the dod in many ways um you know we we have uh a very vast agency that has a lot of different cultures personalities history you know uh Venus was up here talking about the Air Force Adam mcraven is talking about his history there I think for for for us it's really about understanding how these things these tools like artificial intelligence really sort of impact the mission and then enabling the department uh for example like standing up cdao um you know deploying Technologies uh as prototypes and really sort of iterating on those things um really supports the missions that we have uh across the entire world and you know I I think there's um conversations about tools and Technologies versus outcomes and I think that's the wrong approach right the tools and Technologies should be supporting whatever mission that you have whatever outcome you have and if you're talking about it as a siloed thing you're always going to run into people that are reluctant to be able to adopt whatever it is that you're trying to to build or buy or or deploy in some Manner and so you know for us it it really goes back to are these things these emerging Technologies uh helping us to scale uh the ability for us to uh deploy in multiple places um handle multiple streams of work at the same time do the things that you need to do in order to be effective within your mission and if the answer is no then the rest of that stuff Upstream doesn't matter what that looks like so I I think a lot of what you're saying is like drive it towards the business value and you know and D through that anybody else want to share yes so so looking at it I I would say from a it perspective right one of the things we focus on is the customer and for the VA we're really majorly focused on the veteran the caregivers the survivors and so it's quite difficult to sometimes when you're in operational aspect is that you may not be the one talking to that veteran you may not be helping them directly so it's tying that so everything we look at from a technology point of view is how is it going to make the job of the person helping the veteran better and that's how for from a service desk perspective that's why we use some robotics so we'll get an incident in request why havit make a stop at one or two different locations which would elongate the time we use Robotics and say well that thing needs to go over here and you cut down 48 hours that's that's keeping the customer focus utilizing that automation utilizing the Technologies to make it better for the customer and if you always keep the customer in mind your outcome is going to is going to speak for itself and then you need to measure everything if you implement something and you don't get that value stop don't continue to the process right make sure you are measuring because measuring what matters it's very important I was just going to say you know Bob and I were talking backstage about you know moving away from kind of the transactional kind of workflow uh that we we see a lot we see it a lot in particularly the supporting organizations in the federal government and moving more towards the outcome based or the or or you know making sure that those supporting organizations can understand how they can contribute or how they are contributing to the mission and you can set up this type of technology to make sure that they can see that uh and they can they can feel that and it'll make their work less transactional and more security outcome focused or more Mission outcome focused yeah that good connection so business value customer focus they want want to share I love Bob's answer and it's one of the things that we're focused on is really how do we automate how do we remove the barriers for answering these various questions when it comes from saber operations team so that's something that we've done is deploy vend agnostic tools that can integrate with other tools and therefore we can get answers quicker without actually having to go to somebody else and stopping them from doing what's more important and that's really helping out the the student a experience so we've deployed that out we're deploying other tools that have been agnostic that we can integrate with our our tool set so that we can better answer the questions about what's going in our environment how do we quickly remediate things that we see and that's something has tremendously sped up the process for us to respond to the department as well as understand where we are today part of what we recognize is that 95% of major incidents are caused by insiders whether they're intentionally or unintentionally causing the thing so part by using AI machine learning and emerging Technologies we've been able to adopt a people first approach and then only add tools when it becomes really necessary so by consolidating in this um approach with a single pane of glass we're able to not only speed our processes but automate the customer experience so that they know exactly how to ask for help how to get Cyber how to be able to be the strongest link on our behalf we've taken a really strong cultural approach so that they know that we are ineffective without their excellence and that uh message has really helped our cyber teams focus on those places where we can control influence or persuade others to be that part that it stops being the resistance and starts being the revolution uh thank you um so you know what I here the core is Automation and it is judicious Automation and in kind of bookending this thing I think Bob we started with you talking about best practices in automation I want to kind of Bring It Around to um what are the differences in operational resiliency that you're seeing for people who are less automated versus more automated because we know it's not all flip of a switch so you know if you can share some of that correct so even within the organization so you figure that the VA has um over 590 what we call PIV users right and we have we support over 800 different applications so even within our organization we have adopters of Automation and we have people that aren't haven't adopt it as fast as I would like um there's there's reasons for that because I'm the one that gets called in the middle of the night when there's an issue I'm not but my team is um so less automation usually leads to longer outages longer longer um U meantime to detect longer meantime to resolve less openness on what is or isn't going on in the environment they're not as forthcoming they're not as uh quick to embrace what we have in in our saying now embrace the red um and that is going in and looking at the event that happened what happened identify if it was a human error or not uh what are you going to do to fix it and and correct it more automation is you're driving your meantime to detect down you're getting on the issue you're going to have issues no matter what but the sooner you can find those issues the sooner they percolate up the sooner you can get the teams working together to fix them uh for example when I first started in this position we had a thousand um o over a thousand high priority incidents a year um um I'm proud to say that from this fiscal year to the end of February we've actually uh conducted over 800 what we call near misses that's catching an event before it had customer impact some of them are are circuit outages some of are memory filling up and we were able to to get and invoke some change before it happened but we didn't have that just a couple years ago that maturing that process that's a that's 800 less outages that are going to impact the customer again keeping the customer in mind they don't even know they come to work in the morning the CL Clinic comes open uh they're able to see the veterans they're able to log into their systems and and be able to work so so the biggest thing is is that right uh the more automation they have the more forthcoming they are less automation you got to pull it out of them but if you stick with it they'll come around okay so I mean very very interesting I think we've got different kind of perspectives and if I kind to summarize some of the things that stood out to me from what our uh participants on the panel have shared with us you know we talked about business outcomes you know value driven we talked about customer focused talked about cultural awareness talk about Integrations to other areas in the organization and we talked about automation but judicious automation but automation is the core so you know resilient government secure automation you know you heard it thank you Savon Bob Rick Devon and Dr rodri I think this has been a very uh informative uh session I have already learned a lot here so I hope you guys share my sentiment and I know quite a few of you are waiting to join the executive Circle but I want to take this opportunity again and to thank all of our panelists and hope you have a great rest of the day uh here at the federal Forum thank you very much