PSHC Industry Webinar — Pro Services-MAS Winning Business through Cyber Risk Assessment 08JUN2021


>> Thank you and welcome for joining us today, you will probably notice that there was a change on today's schedule, our original speaker was called away on urgent business. So we have in place, Mr. Todd Lyle, who will be discussing cyber risk analysis. But before I introduce Mr. Lyle, I would just like to go over a few housekeeping issues.

First, these industry focused webinars are designed to answer your questions about professional services acquisitions, and to provide information to help you enhance business opportunities and successfully manage your GSA Schedules contract. Please use the Q&A box at the bottom of your screen to ask questions. We will answer questions at the end of Mr. Lyle's presentation. Any questions we aren't able to cover will be answered and emailed out to all participants.

Let me also say that you can ask the questions anytime during the presentation. So feel free to put them in the Q&A box, we just most likely will not answer any of them until the end of the presentation. Secondly, you should have a copy -- you should receive a copy of today's presentation just prior to the meeting.

If you did not, please make sure to check your spam folder. Okay. And with that, I would like to introduce -- Mr. Lyle comes to us with a background -- he's an author of four books and he comes to us with a military background as well as a background in industry. Working in -- from Microsoft. He is going to discuss the seven factors that are important for everyone to understand about human behavior that influence cyber -- cyber risk. So I'm going to turn it over to you now Todd, please take it away.

>> Oh, good morning, good afternoon and good evening. Thank you all for your time today. I would hope that we could have a comfortable kind of fireside chat, frankly, when it comes to these issues. As Arlinda said, I am a former Army officer, I hold a master's in risk control from the University of Wisconsin Stout Graduate School.

I've spent the last 20 years as an entrepreneur and I am now retired. So I am not representing any particular organization today. My opinions are my own, the information is from various sources throughout government. So let's get kicking off. What you should be able to do by the end of today, and you will get a copy of this, is I will provide you with a cyber risk control survey that was prepared at The Ohio State University in conjunction with their psychology department. And the idea here -- and this is for my fourth book, I share this with you not only as an individual risk assessment, but it's also a good discussion guide for -- for any size organization that wants to get everyone's singing from a common -- or a common -- I'd say singing from a hymnal, but from common goal.

And there are two things that I'd like you to keep in mind is how do you, as an individual, define cyber risk control and risk management? And do you believe that cybersecurity is an infrastructure primarily issue? Or is it human factors? So we'll set the stage, I'm going to take you now to an infographic that was prepared. It was pointed out to me a moment ago that the dates are slightly off. But ultimately, we have six generations of workers throughout the United States.

Currently, in the United States government, we have a very high percentage of boomers, which is great from a knowledge and continuity vantage point. We do have a little bit of a talent gap when it gets down into the younger folks in the 20s. And that's something that we're working towards collectively. Not only will I talk from my perspective, but I will also share with you frameworks, standards, and primers that have been created by ACT-IAC that are free of charge that you can use when you're looking to acquire artificial intelligence -- to decide even if artificial intelligence -- intelligence is the right route, machine learning and those types of factors. So ultimately, let's think for a moment, when I was back as an aviator in Korea, one of the things that we would do every single time we went flying besides checking the aircraft and checking the weather was checking each of our frame of mind.

So the crew would get together, typically in the nose of the aircraft, discuss what the mission was for the day, and also talk about current risks. It could be we were carrying a certain classified piece of material from one end of Korea to the other. It could be that the weather had changed, they may have added additional crew members without our -- you know, our knowledge as we show up on the airfield and we've got other folks that need to be briefed.

So I put together this infographic from an aviator's vantage point to look at all of the various challenges. First of all, did I happen to have an argument with my significant other before I got into the aircraft? Where -- am I bringing in a pilot from the Korean army that's going to be flying with us? So those are cultural challenges. What is the geopolitical environment that we're working in? What type of additional technologies have been thrust upon us? And this is important when you're thinking about task at hand is what are those technologies? What are the disruptive technologies that you and I must deal with, as we work to accomplish our -- not only our individual goals, but our collective goals? What are the regulations? For example, we don't have a great deal of regulations in the United States government presently, but we are caught what I like to call between the blue vise of legislation and regulation, you've got GDPR in Europe, which is driving a great deal of the behaviors that we're seeing, quite candidly, from a privacy and data security perspective. And then we've got CCPA out in California.

But in the time that those two acts have come together, there are statewide and local regulations. There are organizational regulations, there are agency requirements. So when you're looking at all these factors, it's a balancing act. But we need to recall that while we're navigating, it's important that we're communicating again, from a common understanding so that we understand each of our abilities, what are the expectations of the mission or the goal? And what are the personalities that are affecting our immediate or tactical input that's going to affect at a strategic level? Let me get you here. Bear with me.

We do hear about cyber damage. There's so many lists that we could go through from a financial, political, reputational perspective. But ultimately, where we can put controls in place and we can reduce physical losses is by working together and understanding what the expectations are. So we're witnessing, as I said, regulations that are coming together, haphazardly, quite candidly.

And that presents a challenge for us because it asks us where do we -- we do we fit into the picture? So we've got a couple of high level strategic requirements that even as an individual contractor are very important to be aware of. At the highest level, we have the Technology Modernization Act of 2017. And currently, for your edification, there is over a billion dollars worth of resources available for loan to agencies. And moreover, they just recently -- it was yesterday an article came out where they are changing the payback requirements, because every organization has different expectations, a different mission, and quite candidly, a different culture as to how they approached these -- these particular tasks. So the Technology Modernization Fund is available, we'll make sure that you get that link. But that's something that you should be able to speak to at least at a high level, when you're looking at obtaining work through the federal government.

Artificial Intelligence, we hear that everywhere. And it's a very exciting opportunity, keeping in mind that artificial intelligence is a tool, it is not a set and forget. So it's important that when the tools are being developed, that they're being developed in a very diverse manner, with as many diverse individuals and skill sets as possible when you're going through the planning and developmental phase of artificial intelligence.

And these tools can be used not only for AI, they can be used to assess any type of emerging technology that your organization may be considering. After the artificial intelligence executive order from the last administration, we have a relatively new order as far as trustworthy -- I'm sorry, as far as the nation's security -- cybersecurity, and this came out on May 12. And again, we'll make sure that you get that link.

As far as the nation's cybersecurity executive order is concerned. And then finally, those are high level strategic documents that regardless of your level, whether you're a senior leader, a manager, or a dealer, that you should be aware of when you're conducting business with the federal government or for any government for that -- that matter. And then we have the ACT-IAC emerging technology, community of interest. And this is a great link, it gives you resources, primers for both machine learning and for artificial intelligence. [Inaudible] -- bear with me here. I've lost my way here, agenda.

So -- so fundamentally, that's what I was hoping that we can have a dialogue. Tim, do we have any questions at this time to kind of get it going?

>> I have no questions.

>> No questions at this point. Okay. Somewhere in here, I will -- there we go. All right, I'm going to take us now to the actual survey that was prepared, as I said, by Ohio State University, it's not letting me open.

Okay, this is in conjunction with my fourth book as Arlinda had mentioned, the -- it's the grounding to cloud leadership series. And we take a look at the cloud, we take a look at big data, security measures and shared services. And this is designed to again to take from 18 to 25 year olds, we're looking for 1000 18 to 25 year olds, that we can do this survey to compare and contrast and come up with -- regardless of our age group or our demographic -- a common seven behavioral traits, that again, regardless of who we are or where we come from, it allows us to practice. So this is the survey sample. And what we wanted to do is to get an idea of what the perceived knowledge is and familiarity. For example, what do you do to keep yourself safe online? How knowledgeable are you about computers? How comfortable are you with computers? How knowledgeable are you about risk -- cyber risk and security?

Okay, that's fundamentally it. I feel like I'm having a brain freeze at this particular time. There are no questions to stimulate?

>> Not yet.

>> Okay. Well, that's ultimately all I have without any questions to move a conversation forward. No questions? Anyone? Okay, well, if there are no questions, ultimately, these guides can be used, as I say, for any type of emerging technology, as long as you can get your group together and --

>> I've got a question.

>> Yes, sir.

>> You mentioned you would share some frameworks. Are those available now?

>> Yes, they are. Excellent question. They are on the professional services. If you look down here you can see we have the executive order for the nation's cybersecurity, we have the artificial intelligence and then we have the TMF, but here -- this may take a moment to highlight.

This is where you want to go to ACT-IAC for the -- for the various tools that we have for you. Okay, this -- for those of you who aren't familiar with ACT-IAC, they are very, very prevalent throughout the federal agencies with regard to doing studies that include academia, government, and business. And this emerging technology COI, we meet each Friday at 11 o'clock, and then we have subcategories that are broken out. And for example, if you look down here, you can see emerging technologies and acquisition for blockchain RPA data analytics, there's an ACT white paper for process automated -- automation. This one here, the AI federal workforce certification is very important. And there are multiple agendas going on through the JAIC at the Department of Defense, and through the National Artificial Intelligence Institute at the VA.

There are currently pilots that are being prepared, so that we can go out to academia and even below the college and university level, and starting to identify students at the high school level throughout the country, urban, suburban, rural, to find those people who are talented, who have the -- the acumen to be able to be trained, mentored, and then retained over a period to serve within the federal government, so that AI federal workforce certification is something that you're going to be hearing a lot about here in the next probably third to fourth quarter. Then as you go down the list, there's a DevOps primer, artificial intelligence playbook. And each of these are -- they're recipes, so that you can take your ingredients, go through the list, practice it, work through the -- the agenda before actually launching. And there's also a tool in there that will allow you from an artificial intelligence perspective to -- to ascertain whether that's the right thing to do. Many people want to jump on current technologies, because they're -- they're shiny, and they're new. But there are times where putting a new technology in place is not what we need to do.

It might be more of a human factors addressing. So the artificial intelligence playbook is very useful from that vantage point, we have blockchain and again, we have those acquisition best practices for procuring IT. And the link is above and Tim will send that out if he hasn't already along with the infographic. And with the outline that contains the executive orders as well. Any other questions?

>> This is Arlinda and I have a couple of questions, just to see if we can sort of stimulate the dialogue.

Regarding for example, if I'm a small business, and I am looking to obtain business with the federal government, and one of the things that needs to be in place is I want -- well, I want to get a contract and I have to have some knowledge of cyber -- sort of cyber risk and cyber security. What -- and I'm a small business, so I don't have a team that's dedicated to that work. Where is a good place for me to start? What should I be looking at implementing? What should I be looking at knowing so that I don't end up missing out on that particular opportunity?

>> Well, ultimately, you need to be able to express a knowledge of what -- what the current initiatives are. And this is why I decided to pull out these two executive orders and the Technology Modernization Fund to be able to speak at a high level. And then the ability to come in and be able to do an assessment, whether you've done an individual stock assessment, or whether you're going to want to do it within a group is to be able to express that you understand what the challenges are at a -- at a granular level, but also what's -- what we're looking at from a national expectation.

There's so much coming down the pike right now from the Biden administration, with regard to cybersecurity, if you're able to highlight that -- that your small organization offers just a modicum of what we're looking for on the bigger picture that is a selling point.

>> And then, in terms of you mentioned, that there were risk factors and that these risk factors you see as sort of being common through -- you know, sort of a common entity. Could you -- could you tell us what some of those risk -- risk factors that you have identified are that -- that -- that -- that agency -- or an organization I'm sorry, a contractor would need to be looking for?

>> Well, ultimately you -- coming into an organization where you may understand the technology or may understand the mission, it's important to get to know the crew that you're working with, and making sure that we understand the fundamentals. You know, we don't open up emails that come to us from somebody that we don't -- that we don't know, and on the surface, they look like they're made to -- to be a high of importance, but they've got spelling errors in them.

It really is -- these are what we would say common sense approaches. But oftentimes, we get so focused on the mission at hand, that we forget about the ancillary task, and in this case, those -- they're not so ancillary, it's the security of the organization, the protection of the data, there are many regulations, as far as protecting personal health information, these are the types of things that you should be able to speak to, regardless of whether you're going to be responsible for that in the bigger picture, because each of us are responsible for ensuring that we've -- that we've taken -- we're taking care of our personal workspace, and that includes our behavior, as far as interfacing with different various technologies. And to ask questions. Don't assume that everything is in place, ask those questions going in.

>> I think, in some cases, because the emergent technology information is -- is so new and just sort of filtering down and that -- that even our industry participants may not know a lot about what it involves.

And, for example, you mentioned that it's -- it's no longer it's not just about even protecting your own information, it's become a matter of national security. Could you -- could you tell us a little bit about that. And also, like, for example, one of the analysts -- one of the analytical things you mentioned about our, for example, right down to the level of our fighter jets having questionable technology in them just to sort of give a broader understanding the scope of what we're dealing with, as it -- as it is not just about -- not just about the -- protecting your own information, but it at the graphic level that this -- this incorporates?

>> Well, let me go back to that, if I can get it open in a timely fashion. That's an excellent question.

And here we go. It's going to take a minute to open. Arlinda, would you say that again, to me, please, while I'm getting this open, I'm getting.

>> You had mentioned that this is not just about any particular system or any particularly -- particular person's computer, agency system, that it's -- it -- that the issues that we're having on such a large and graphic scale that it has become a -- the reason its number one priority with the current administration, is that it's being considered a major matter of national security, that it's no longer, you know, we're not -- that -- that the focus is not even on terrorism anymore of the, you know, type with bombs. It's on this type of cyber terrorism.

>> Right, [inaudible].

>> So yeah --

>> Well, if you look at the top here, with this balancing act between the millennials and the boomers, what we're facing right now is a challenge where the non technical person, the non IT person who falls -- they kick the ball back to the IT departments, oftentimes, this is no longer a specific IT challenge. This is for all of us. And we tend to -- and it's a cultural challenge, and because we've differed so much in the past to the information technology departments, is that we need to take back some of the control and we do that by being knowledgeable of our mission. We do that by being knowledgeable of the technologies and where those technologies are being developed.

I had mentioned to Arlinda, what she was referencing was our F35 aircraft, the Air Force platform has chips in it that are made by the Chinese. Now, this is nothing to say about the Chinese population.

We're talking about the CCP that's problematic. In a normal world, we wouldn't necessarily worry about that. But we are becoming more foe with China, Euro Asia challenges that we're having. And that is one of the challenges that we need to do when you're looking at acquiring a tool. And this is where the Biden administration -- and they've announced this today, where they're going to start drilling down and going back to look at the various vendors, and where these vendors are coming from, who ultimately owns those vendors. And is it ultimately a good idea to be putting Chinese chips in our most advanced fighter platform, because it's not at this point, the F35 is a flying computer.

But those are the types of things that we need to look at. And in the ACT-IAC primers and frameworks that I gave you, there are methods, matrices and such to walk through to do a critical analysis before asking the question, do we really need to go down the machine learning or the AI route? And where are we going to successfully procure the tool -- not the tools, but the equipment that we need, the infrastructure to be successful moving forward?

>> Todd, could you also speak to any compliance issues that like, for example, with -- the -- the standards that have been put in place by NIST, and by -- in conjunction with DoD and DHS that -- that agencies will all be responsible for having in place and so this would be opportunity -- business opportunities for the industry population, especially as regards to professional services, because we -- we focus on compliance, and audits?

>> Well, again, regardless whether you're the senior leader, if you're at the tactical level, a knowledge of what NIST has to say, as far as compliance is definitely concerned, I can't drill down on those right now, Arlinda. I didn't -- I didn't pull -- I didn't prepare to speak to those particular challenges. But what I have listed here, as far as the executive orders are extremely important to understand to be able to articulate going through the hiring process.

>> You also referenced the European model, and that is the model that's heavily influenced -- influencing what we are doing here in this country.

Can -- and -- and I don't know, this may be, you know, out of your wheelhouse, but can you -- I think that, you know, folks don't have a large understanding of like blockchain, and can you -- can you tie that -- the -- the strategies that are happening -- happening globally, to the blockchain process, as something that people sort of -- should understand?

>> Well, as -- as consumers, we are being affected by the General Data Protection Act, the GDPR of Europe. We've got the big tech, Google, Facebook, they're all being affected by what the GDPR requirements are. So de facto that's having an impact on us as American citizens. But one of the biggest challenges is -- is that our -- we're rather blithe about protecting data in the general sense.

And this is what GDPR is doing. And it's really done also on privacy. So right now, as we wait for regulation to come down the pike, we do have these executive orders. And the challenge is that these executive orders are not -- if you speak to the average folks, they're not -- they're not being promulgated, and they're not being read. So that right in itself is a human factors challenge, because the -- many leaders within the -- the agencies have not taken the time to absorb the information that's coming out. And even with the changes to the technical modernization fund, as I said, just this week, they have come out with a repayment -- a redesign of the repayment plan, based upon what the particular agency mission is, and what the risks are associated with that particular mission.

As what HHS has to do is far different from what DoD has to do, and so that -- the new -- the changes to the Technical Modernization Fund, do take that into account because people aren't borrowing against it. They're not getting out there and making the -- doing the research to get us from the current legacy challenges that we have to a more progressive, and this has to do with the acquisition side, a more progressive purchasing model.

>> Could you tell -- could you sort of explain what a more aggressive purchasing model would look like? And also, what types of -- what types of skill sets -- I mean, I know you've talked about we need to, you know, all understand more and know more.

But when it comes on to the program side of -- of -- of acquisition, as well as, you know, the -- the contract side of acquisition what -- are there -- are there any sort of like hard skills? I don't know if that's a good -- I don't guess hard skills is not a good term, but skill sets that program offices and contract offices should be making sure that they have people on board that understand so that they can meet -- help these agencies meet their mission, when it comes to procuring technology, merchant technology? Can you frame that in a slightly different manner? Can you -- do you have -- can you -- can you give us some solid skill sets that program offices need to have in place to be able to help agencies meet their mission when it comes to emergent technology? And not -- I mean something other than generic? Like we all need to know certain -- we all need to be as up to -- to -- to standard as -- as we can be. Can you give us like a solid framework of something that prob -- that you don't see this happening with program -- in program offices or acquisition offices? You just mentioned that they need to be more progressive. So what would a more progressive acquisition and program workforce look like?

>> Well, from the first as ethicists, we have a moral burden and maybe the burden is not -- I've been trying to think of a better word than burden. But we don't -- we're not -- China has the ability to go forth and develop tools and use those tools, because they are not held to the same moral standard that we like to think that we're at quite frankly. So that -- ethicists obviously data scientists jobs are -- we do not have enough of them.

We do not have enough cyber security professionals. But we also don't have human resources folks that are able to bridge the gap from the old school way of acquiring to a new school. By new school I'm talking about a more timely acquisition model, which -- which we're starting to see. DoD has a couple of initiatives that are happening. The VA does as well, as far as being able to go out to the marketplace to assess off the shelf products to ensure that they are meeting the standards that we are seeking to meet.

I feel like my brain is frozen [laughter].

>> I understand. It happens.

I think that is my last question.

>> I would highly encourage -- I mean, if you've come here today, and you saw that the change that we did, we made a 24 hour shift in what the topic was going to be. These are if you could articulate to a hiring office of what's going on with the nation's cybersecurity executive order, how it's important to do the proper homework, the planning before we actually get to the point of purchasing any type of emerging technologies, artificial intelligence, machine learning tools, and remember that these are tools, they are not meant to be a set and forget. And unfortunately, that's where a lot of people look at this is that, oh, it's going to get automated, so I don't -- I no longer have to worry about that.

Quite candidly, it increases our risk, because we have so many folks that are transitioning. I mean, it doesn't matter what age or demographic you fit into. We're all making a gigantic shift into these -- into the next, what I'm calling workforce 4.0.

We -- each of us have to have a base knowledge of how to protect not only our own surface, but the surface of our organization.

>> One thing that you mentioned, when we talk about behaviors and the workforce, there -- there has been a lot of, you know, writing and stuff done just about sort of a shift in people's attitudes who are internal, because of a -- sort of a misunderstanding of what emergent technology is and is not. How -- how do -- based on your research, what do you see as the best ways to help an organization do a major shift in how it gets its workforce, to think about, you know, AI and emergent technology so that they then can help agencies meet their mission, or support industry, in helping agencies meet their mission?

>> I think first and foremost, you need to do a personnel inventory, and find out where -- where your folks are as far as their -- their tenure within the organization, and then find out also what their interest level is.

There's the -- the idea that we retrain, we retrain, we can retain if we can't retain, then we have to retire. And that's not meant as a negative. Again, I mentioned at the beginning of our talk that we've got -- we've got a high percentage of boomers in the government today.

And that's an amazing wealth of knowledge and continuity. But then we also need folks that can take a look and say, all right, this is where we are today. This is where we want to be in three weeks. And these are the steps that we have to take to assess our workforce.

Is Todd interested in staying on board? Is Todd interested in learning about the new technologies? Because that's -- that is a giant challenge is change, not only organizational change, and we've all gone through it in the last year, but individual change and discovering do we really -- are we committed to this next phase. And that next phase, again, requires all of us to pull ourselves up to another -- to a common level of knowledge, where that we can -- where we can trust, left and right and forward and back, that the decisions you're making are being made soundly by people who are committed to the -- to the mission and that's another five to 10 year window that we're looking at.

>> Okay, thank you. As it pertains to how our workforce relates to data. And -- can you -- can you sort of give us any insight into the different levels of -- of sort of like a data analysis from -- from the most simple level of data scrubbing up, you know, that -- that the employees that in the workforce that normally would have been sort of entry level administrative types, where the opportunity is -- is going to be for -- for those people to -- to -- to manage data? And -- and then you know, what, some of the steps are above the most entry level aspect of data management?

>> Wow, that's a big question, Arlinda.

Ultimately, we're all -- we all have to assume, or we're all going to have to acquire new skills. That's a -- that's a given. And I will go back to the fact of finding -- I would rather have somebody who has the initiative and may not have the knowledge and be able to train them to get the task accomplished. That's -- that's a pretty deep question that you've asked that I don't have all the answers to.

>> Is there anything that in that sort of like entry level data analysis or scrubbing looks like?

>> I can't go there today, quite frankly, that -- because you're moving beyond the -- the lay person into the data scientist arena.

And then when you get into that category, you're looking at clean data versus you know, dirty data and how do you scrub it and how do you value that, but that's a conversation for people far brighter than me.

>> But for the people who actually are the users, the end users, not the people who design and develop -- develop it, but I think aren't you the person that gave me the analogy about Amazon, that you don't need to know -- that everybody you know, they look -- everybody uses artificial intelligence who purchases through Amazon and that purchasing it -- we tend to think of it as something really difficult or really heavy, but yet all of us go on and order stuff on Amazon. And then when we go on and order something on Amazon, you know, it's like, oh, well, yeah, of course, because that's just buying stuff, that's easy. All you have to do is pick it, you know, point and click and -- and purchase it. But that's the point.

It's easy for -- for the end user. But there are all these, you know, hundreds of layers above that, or below that, that got to the point where all it took was to just point and click and buy. So I was really more asking you a question about like, an end user question, if there was some simple way to sort of -- to bring that home? But if -- if -- if not, that's okay. No, that's we're transcending.

Now we're going from the -- from us, from you and me to the actual technicians that are doing this from a data analysis, the data scientists perspective, and the development of the algorithm and the testing of the algorithm. And that really goes beyond what I was looking at to discuss from a human, you know, just understanding human factors.

>> Okay. Well, you know, thank you for -- for all of your input today. And for all your information. Do we have any more -- do we have any questions Tim? Do we have any additional questions or?

>> I don't have any from the group, no.

>> Okay. All right.

>> Well, I apologize that my brain was a little dusty. Hopefully, at least I've given you some interest in taking a look at these executive orders, and then drilling down on the frameworks and the primers and such for assessing before you decide to -- purchase artificial intelligence is to go out there and assess if your organization needs it and then you can grade it, it gives you a gradation. And I think that's a very important act that we as -- as lay people could -- could address to help our technical folks as we go through the acquisition model or process. I'm sorry.

>> All right. Well, thank you so much, Todd.

And also, to everyone the survey, it will be available to everyone. So you will all get a copy of the survey for your -- for your own use to use and assess in assessment. I think that that is it for us today.

If you didn't get a copy of today's presentation, you can email us at CAM cam@gsa.gov. And we will send it out to you. And with that, we're signing off.

Thank you again, thank you for joining us today.

>> Thank you, Arlinda. Thank you, Tim.

2021-08-08
