Creating a Culture for IT Innovation

Steve Rice, CIO, Transportation Security Administration (TSA)

Steve Rice, CIO, Transportation Security Administration (TSA)Steve Rice, CIO, Transportation Security Administration (TSA)

November 19th marked the 15-year anniversary of the Transportation Security Administration (TSA), the first agency charged with securing the Nation’s transportation systems from terrorist attacks. Today TSA operates in more than 450 airports and, along with our industry partners; we also safeguard the four general modes of land-based transportation: mass transit, freight rail, highway motor carrier, and pipeline.

The 70,000 brave, dedicated men and women who serve our mission depend on IT products and services to gather intelligence, share information, and provide security for passengers and cargo. As the terrorism threat to our country evolves, the demands of our mission require us to deliver IT faster and cheaper, which is easier said than done. Government agencies are often unable to modernize technology due to constrained resources and complicated requirements and acquisition processes, creating a self-perpetuating cycle of trying to keep pace with the most current technology. According to Federal CIO Tony Scott, of the $82 billion in Federal IT spending planned for 2017, approximately 78 percent ($63 billion) is dedicated to maintaining legacy IT investments, mostly aging systems and fixed infrastructure that is growing more expensive to operate and more challenging to defend against modern cyber security risks. Volumes of legacy policies and processes also make it challenging to implement promising ideas and innovation.

"We must balance the need to maintain a stable infrastructure for national security with the priority of providing an agile, innovative platform for our customers"

TSA is addressing these challenges, in part, by changing our IT business model from an asset-based culture to a services-based, customer-centric delivery model. We are looking at ways to leverage cloud computing technologies to more quickly and efficiently meet the IT needs of the Agency, all while driving down costs. There is a popular saying that the cloud is simply “someone else’s computer”. However, it can be much more than that. With cloud, TSA cannot only minimize recapitalization requirements; we can manage the delivery and security of our infrastructure with unprecedented speed and agility.

One of the biggest challenges we face is managing cloud disruption, both to operating procedures and “company” culture. For IT staff who are used to configuring and provisioning IT equipment in a traditional way, adopting a cloud model can be stressful, to say the least. Some agencies try to identify all requirements at the outset, even before building a basis of expertise or gaining hands-on experience. At TSA, we approached the problem differently, first by partnering with the General Services Administration and their digital services office, 18F, then by introducing cloud activities and principles through an agile, collaborative, iterative approach.

This scaled approach ensured that we did not bite off more than we could chew. Our first goal was simple: we asked our employees to move two applications to the cloud, but more importantly, to learn, to document lessons learned, and to prepare the organization for a larger cloud migration. Traditionally, our organization employed a waterfall development method where workflow was characterized by a series of sequential events and handoffs between development, engineering, security, and operations. That is not very agile, and the lack of integrated teamwork can result in frustrating roadblocks that impede progress, particularly for the development of systems and services that cloud computing enables.

The first thing we needed to do was change our culture, which requires effective organization change management, and lots of training. We created a Cloud Team that included representatives from each division in our organization, and we told employees that the only three possible failures were: not to try, not to learn, and not to manage risk appropriately. We established an agile room, where architects, engineers, developers, and security professionals work side-by-side in true DevSecOps fashion, and in doing so, we established an open, collaborative, transparent method of working together, focused on delivering value to the end-user.

We then focused on providing the technical training necessary to ensure the success of TSA’s cloud adoption efforts. In addition to 18F, we brought in outside counsel to conduct targeted training sessions, as well as “on-the-job training,” so we can truly employ agile methods, not just treat them as buzzwords or checkboxes. We leveraged hands-on learning to build a skills matrix and training plan to support staff in developing and maturing new talents, and we are incorporating these modern methods into employee performance plans to reward and incentivize the adoption of agile methodologies.

As we create this culture, we are also focusing on how to quickly pilot new capabilities. By breaking down historical silos to build a better understanding of how everyone contributes to the mission, we are better-positioned to expand our focus into new areas, such as using “big data” and Artificial Intelligence technologies to create new capabilities for enabling our mission.

New avenues for restructuring of technology have emerged in the past 15 years, and current demands necessitate a new model and an expansion of IT service. In effect, the new risk is in moving too slowly, either enabling those who might wish us harm to gain a foothold, or in failing to meet the new pace and demands of the mission. We know that at TSA we have a unique obligation to leverage technology to protect the Nation. We must balance the need to maintain a stable infrastructure for national security with the priority of providing an agile, innovative platform for our customers. In addition, our workforce needs time to adapt to the new model. They need a chance to learn and to develop better policies and practices in an ever-evolving technology landscape. Meanwhile, we will continue to maximize the value of our IT spending while encouraging experimentation and innovation. As the TSA cornerstone states, we are an agency “built of innovation, patriotism and steady virtue,” and our workforce is dedicated to facing all challenges as we secure our nation’s transportation systems

Weekly Brief

Read Also

Building a Comprehensive Industrial Cyber Security Program

Building a Comprehensive Industrial Cyber Security Program

Mohamad Mahjoub, CISO, Veolia Middle East
Bolstering Cybersecurity

Bolstering Cybersecurity

Amr Taman, Chief Information Security Officer, Al Ahli Bank of Kuwait
Building Untrusted Networks to Improve Security

Building Untrusted Networks to Improve Security

Earl Duby, Vice President and CISO, Lear
Security challenges that companies face when implementing telehealth and the solutions and best practices for managing the risks

Security challenges that companies face when implementing...

Stefan Richards, Chief Information Security Officer, CorVel Corporation
Building Cyber Resilience during Covid-19

Building Cyber Resilience during Covid-19

Aleksandar Radosavljevic, Global Chief Information Security Officer, STADA
IAM may help secure data, but it needs to be protected as well

IAM may help secure data, but it needs to be protected as well

Marc Ashworth, Chief Information Security Office, First Bank