GovFuture Podcast
AI, Automation, and Analytics in the Context of Cybersecurity: Interview with Gerald Caron, Department of Commerce [GovFuture Podcast]
Technologies such as AI, automation, and analytics all have a critical role to play when it comes to cybersecurity and zero trust. On this episode of the GovFuture Podcast we interview Gerald (Gerry) Caron, who is the Chief Information Officer, International Trade Administration at the U.S. Department of Commerce. We discuss the use of emerging technologies such as AI, automation, and analytics in the context of cybersecurity and zero trust, and discuss the rise of new, sophisticated cyber attacks and how government agencies need to prepare for a rapidly changing and challenging future, and stay ahead of the curve.
Trimmed Episode Transcript: (note there may be transcription errors or mis-attributions, so please consult the audio file for any potential errors)
[Kathleen Walch] For today’s podcast, we’re really excited to have with us Gerry Caron, who is the Chief Information Officer, International Trade Administration at the U.S. Department of Commerce. Welcome, Gerry, and thanks so much for joining us.
[Gerry Caron] Thanks. Thanks for having me. Pleasure to be here.
[Kathleen Walch] We’d like to start by having you introduce yourself to our listeners and tell them a little bit about your background and your current role at the Department of Commerce.
[Gerry Caron] Yeah, sure. Yeah, Gerald officially go by, but of course, in conversation, I go by Gerry. I have been with the International Trade Administration for about four months. I like long walks on the beach. Oh, wrong profile. But now I’ve been here about four months now. Previous to that, I was the CIO for the Office of the Inspector General at the Department of Health and Human Services for a couple of years. And before that, I was at the Department of State for 20 years. My role, of course, as a CIO now at the International Trade Administration, or as we call it, so if I say it, that’s what I’m referring to.
As a CIO, you’re responsible for all aspects of IT for the Bureau within commerce. So we have a lot of people overseas. It’s about 2,200 people within the Bureau that make up ITA and support its mission. And as a IT arm of the Bureau, I am there to support the overall mission of ITA.
Well, fantastic. I think folks may or may not be familiar with all the various different parts and components of the Department of Commerce in the United States, which has a lot. There’s actually a lot of, as we keep digging into the Department of Commerce, like, oh, my goodness, NOAA is there and all these other groups and people don’t realize how much impacts come. Yeah, yeah, US patent and trademark, NIST. Yeah, there’s a lot.
But if you’re interested in international trade and what it’s about, you can go to trade.gov and see it on our website.
[Kathleen Walch] That’s fantastic. And I encourage folks, because we have an international listenership.
So there’s probably some component of what your government is doing that’s also involved in international trade. So this will be very relevant. So actually, it’s a good place to start here, which is talking about commerce and talking about the fact that now, as you said, so many different aspects of commerce people may not even be thinking about. And of course, there’s a technology as well that’s impacting commerce, of course, e-commerce, which has impacted for decades. But there’s so many other technologies, right? So maybe let’s talk a little bit about cybersecurity and Zero Trust and, of course, some other emerging technologies which we’ll get into, like AI and quantum and that sort of stuff. How are these sort of impacting what you’re thinking about at ITA there?
[Gerry Caron] Yeah, definitely. Although I come up through operations, I’ve never been tagged as a cybersecurity expert or had the job role of a typical cybersecurity expert. I am a big advocate, evangelist, preacher, whatever you want to call it about Zero Trust. I really believe in coming up and primarily one of my past jobs being responsible for an enterprise infrastructure. So providing that infrastructure service that everybody relies on to communicate from the network, active directories and things like that. Definitely had a good knowledge of what was going on when the skeletons were buried and things. So when there was events or cybersecurity, things to do was very involved in either implementation or strategizing around those things.
So I got a huge appreciation because I like to call it sometimes, there’s the problem of the day and what size Band-Aid do I need to put on it to fix it? Very tactical, very reactive and Zero Trust to me was looking at it more as a strategy of how to go about and approach it. And definitely eliminating those stove pipes of what I like to call stove pipes of excellence. As a CIO, of course, I’m responsible for the security posture and the cybersecurity posture of my organization to make sure everything is safe. So if I have to go to the patch person and ask how are we doing on patching, go to the network person, do we have any end of life equipment, go to the Splunk person, are you seeing anything strange in the log? I’m going to all these stove pipes of excellence to figure out what is my operational risk posture across my area of responsibility. I don’t have that, I hate the term and I threaten to kick people out, single pane of glass.
Kind of thing, there is no such thing really. No, I still got to go look through that other window too. You don’t cover that. But anyways, I need to know what my operational risk posture is and what do I need to do that?
I need data in order to protect data. And if we get into true Zero Trust and understand the true principles that John Kindervag, when he fathered Zero Trust, there were the five principles that he created at Forrester and really understanding those. And there’s plenty of great government documents and everything and I totally suggest reading those. They’re publicly available through NIST. There’s a Zero Trust frameworks and things.
DHS provides a lot of good maturity models and everything. But really, when I describe Zero Trust, I kind of describe it from the inside out. What am I trying to protect at the end of the day? And I always refer to it and I keep it, I’m keeping it overly simple, but I’m protecting data. All data is not created equal. We kind of choose the highest value of data and we draw this big circle around it, right?
In what I like to call the Tootsie Roll Pop approach. Then we have the hard outer shell and the soft gooey center. And I kind of trust those people in the soft gooey center. But we know how many bites it took Mr. Owl to break into the soft gooey center of the Tootsie Roll Pop.
It only took three. So bad guys, nation state actors and stuff, they’re very well backed, financed, persistent as well about getting information. And so is the data. A lot of people will argue with me and start it, started identities. Identity is the most important thing. Well, it is very important. I’m not going to dispute that. But you want to get the right data to the right people at the right time, not all the data to all the people all the time.
And if you got compromised, my first question is a cybersecurity analyst, I got probably going to be, what did you have access to? And is there exfil? I’m not talking about you anymore. I’m talking about data.
So again, all data is not created equal. So moving, you know, I like to use the stupid analogy of a bologna sandwich and crown jewels. I cannot afford to lose the crown jewels. I cannot recreate those.
I can, if I lose those, I’m done. But my bologna sandwich, I’m not as concerned about it. If it gets stolen, yeah, I might go hungry and I might have to take the effort to build another bologna sandwich, but there’s plenty of bologna in the world.
But did I protect my crown jewels? If we’re doing that Tootsie Roll Pop of security, if my bologna sandwich gets compromised, my crown jewels are going to probably get compromised eventually. So putting our protections closer to those things that are important and then working the way back, how are they accessed?
Well, what facilitates access to that data? A lot of people are going to say a device, not really. It’s really an application. So what do we do around applications?
And then applications need what to live on to communicate with networks. Some of them I manage, some of them I’m not. Like right now, admittedly, I’m in a hotel, free wifi, right? So I’m not going into some of my things on my computer or some of my emails and stuff because it’s dirty as far as I’m concerned. And that’s the other thing about zero trust is assume breach, right? You trust no one.
You always don’t trust, but verify just like the X-Files, trust no one. And then after you get to network, you know, devices need networks to talk on. And then it’s the identity, right? Data, the right people at the right time. There’s different ways they authenticate and proof themselves. And all of those things like what type of device is it managed, unmanaged? Is it no network? Is it dirty network? How did you authenticate?
Did you use a PIV or a CAC card or a certificate-based multi-factor username or password? There’s all different levels of risk. And depending on what the target that you’re trying to access is, I add up those factors and depending on that level of risk decides what I allow you to do. But the other thing is, is I’m going to constantly check you in as real time as possible. All tools are not real time, but I’m going to constantly do checks because factors change.
So we got to get away from that linear one time through the door. Thank you. Have a nice day. Enjoy. Enjoy the ride.
But no, I got to keep checking because factors may change. So that’s the quick and dirty. Hopefully that helps. Yeah, that was a really great, I think, you know, high level, quick and dirty review of what is zero trust and kind of how, how you interpret it, how you think about it and how you implement it. So that was a really nice overview.
[Ronald Schmelzer] Thank you for sharing that. And, you know, this leads into the idea of cyber attacks and they’re getting more sophisticated. So with the rise of these sophisticated cyber attacks, what are some of the strategies that government is employing to use advanced technology to protect this sensitive data and infrastructure from threats? You talked about not all data is created equal. You want to make sure that you’re protecting data, but, you know, very, it can be different levels of data depending. So maybe how are you approaching that?
[Gerry Caron] Yeah, one of the things I’m looking forward to, and I think there’s still probably some maturity in the area, but I need as much telemetry as I can to understand what is going on. What does normal look like? What does my baseline look like? Where’s my data going? Who’s accessing it? How are they accessing it?
And is that normal? So I need a lot of to bring a lot of telemetry in to kind of create that picture. But, you know, humans looking at and waiting for a red, blinky light and saying, Hey, Kathleen, what does it mean? What do we do? What is, you know, it looks like this, but is it, you know, and then next thing we ask Ron, what do you think? And then all this time that we’re trying to figure out what to do about this blinky light thing that could potentially be something bad, you know, automation can help with that. Machine learning, machine learning learns over time, because you kind of what normal looks like, AI can figure out the best way to probably possibly address it in an automated fashion. We got to get more automated because I want humans are very important.
And I’m not just not saying anything bad about humans. They’re probably my most valuable resource. But being my most valuable resource, I want them doing higher end things, not doing the mundane waiting for the red, blinky light kind of things. The more we can automate and this has to be automated because it’s got to be as real time as possible.
Because, you know, we’ve all seen the chart that says, you know, a cyber attack actually begins here. And before a organization realizes it, it’s like so many days or months of whatever it is right now. They’re gaining persistence. They’re elevating themselves.
They’re getting a foothold and then you know, command and control and exfil. You know, and before you find all this, it’s like, man, we got to clean up effort. What are we trying to do? And I think, you know, the great thing about the EO is being more strategic, being upfront about it, you know, not being reactive, but being more strategic and protecting these things and putting the things around, concentrating on the things we really have to protect and not that castle and moat or that Tootsie Roll Pop. So definitely, I think the government is going to take in the right direction. I’m glad, you know, the cyber EO that came out a couple of years ago, excellent. The latest cyber EO about it’s a, you know, there is a great partnership that us as government have to have with the vendors because they have the technologies know how to apply them. We have to, we have to sometimes figure out how they integrate because they all don’t integrate because this has to work across all those pillars, right? I talked about data, I talked about devices, I talked about applications, networks and users. It has to integrate together.
I can’t do it in stovepipes. It has to flow all the way through ultimately to protect that data. So we got to be very strategic and try to get it up front. So AI, machine learning and automation, I think are going to be very key and very important to keep an ahead of the game because nation state attackers and one of the disadvantages we have, unfortunately, you know, we have acquisition policies, we have change management policies and great. And I really believe in processes and procedures and making sure things are being done in the right way. But I don’t think the bad guys have the same processes and procedures and things and waiting for their government approval to go break in the such and such kind of thing.
So, you know, by putting and taking something like a zero trust strategy and applying it, I think helped keep us ahead of the game. Now, one thing that really scares me is quantum computing. But at the same time, I’m really excited about it because we’re creating more data than ever now, nowadays. We’re depending on data, we’re becoming data driven organizations and using that data to make decisions, well-informed decisions and things like that.
But in quantum computing can churn through that data. AI can take, you know, we in government, we like to create large documents. AI can apply AI to that and it can tell me, you know, spit out in a few seconds, what’s important to me? You know, what do I really need to know? Give me that Cliff Notes version of the things that I’m interested in. So, I don’t have to read that whole document. But also bad guys, they can use quantum computing as well. You know, so I got to protect against that. So, quantum level encryption and stuff, you know, there’s a lot of discussion about quantum level encryptions and all of that. Technology is moving so fast.
I was just, you know, pondering the other day. I come up through the cassette era, you know, and then that turned to CDs. And that was awesome. Then we went to digital.
And that was awesome. You know, cell phones, you know, used to have those big bags, then they became these big bricks. And now it’s like, I have my life on my phone. I can’t live without it. If I don’t, if I leave it, you know, laying around somewhere and I don’t have it in my pocket, I’m like, oh, my God, I freak out, right?
Everybody freaks out. Because there’s just so much computing power in that little phone now. And just the way the technology is moving forward. Yes, it’s great for us, but it’s great for the bad guys too, because they’re able to do throw more attacks at you and use these things. So getting back to the question, I think that’s why Zero Trust is looked at as a strategy, not an exercise or check the box compliance exercise.
It’s making us more effective at how we do security.
[Kathleen Walch] Right. Exactly. That’s a great way of talking about it. I really love this perspective, because some of our listeners may know that GovFuture actually came out of the AI and government event that we used to run in person, actually, at George Washington, and then became online, which was really interesting. And what we found, part of the reason why there’s this new thing called GovFuture is because we realized that these technologies are not really as separate as we might have thought them to be.
[Gerry Caron] AI is not that separate from big data analytics, separate from cloud computing, separate from cyber and Zero Trust and automation and IT modernization. These are all kind of like now part of this general combination. And the thing is, these are being used in combination in the case of cybersecurity in ways that are both useful and concerning.
You can use AI and you can use cloud computing and big data for the purposes of cyber threat or cyber protection, or you can use all this sort of stuff. And it’s becoming a much more complicated world, I think, for folks who try to wrap their arms around it. You talk about stovepipes, which is interesting. And some industries they call them silos, and they’re maybe they’re the same thing or different ways. But the idea is that it’s really very hard now to say, there’s my cyber group and there’s my AI group and there’s my cloud group and there’s my big data group.
It’s very… Yeah, you can’t find. Yeah, so actually, that brings up this next question, which has to do with the role of AI and machine learning in strengthening cybersecurity and maybe some of the opportunities. And then some of these challenges, perhaps even non-technical challenges around just knowledge and people and experience that we have to build that we may or may not have.
Yeah, I think AI has a great future in a lot of areas, a lot of functions that we do here in the federal government, in my organization and things.
Like I said, what is the latest information on this? Ask AI and AI. I just created this thing, wrote this script, or have AI write the script. AI, I need to do such and such. What’s a good script for that?
AI, as it matures, it’s only going to get smarter due to the more access of the data it has. But it’s just like I tell my kids on the internet, when they said, well, I saw it on the internet. Well, do you believe everything you see on the internet? AI is going to have access to data that’s not actually going to be correct sometimes. So you have to make sure you understand.
And I think that’s the thing we face if we use AI in a functional sense, in a non-cyber security sense at the moment. I have a bunch of information. And I want to allow my users to find and get the right information. But if content management isn’t keeping that information up to date, then I’m giving bad information. So, you know, I have to be sure of that.
And I have to be sure that AI doesn’t go into the places where I don’t want it to go. You know, let’s say, you know, pretend that I’m in the private sector. Let’s say, you know, we’re going to have I write the CIO, I’m writing a letter. Well, we’re going to be having layoffs and I’m drafting a letter and it’s not going to happen until next month. And then somebody’s like searching, you know, I wonder what’s happening with the CIO’s office.
And then there’s my thing that I saved to the cloud saying about we’re having a layoff next month that’s only in draft right now. And somebody gets hold of that because I did not control where my AI had access to. Same thing with bad guys, right? You know, we have to be able to protect against AI, but leverage it in such a way that I think it’s going to really free up our humans.
It’s going to help, you know, make those hard things. It’s like where are my weaknesses in, you know, you know, I can see like blue teaming, red teaming, finding my weaknesses, you know, leveraging AI to do things like that that would take, you know, those are usually resource intensive operations and functions. You know, AI can just tell you, you got a weakness here or this isn’t normal or, hey, here’s the latest attacks that we know about, you know, being used by nation states.
Here’s some of the weaknesses in regards to those types of attacks that you can, you can address and then, you know, what’s some, and then, you know, what’s some solutions. There’s just, I think people are just starting to get a realization. We’ve been talking about AI for years, but I think the reality of where it’s getting right now, it’s becoming an actual realization where we may be able to actually apply it in a lot of ways. It’s going to mature.
It’s going to get smarter and that’s a good thing. But at the same time, you have to be careful because it, you’re not going to get 100% correct information every time. So you do want to still validate some of the, some of the answers that you get, I think. I think that hopefully I answered your question.
[Kathleen Walch] Yeah, no, that was a great answer. And we talk about this idea of augmented intelligence, where you’re not using AI to replace the human, but help them do their job better. And we’ve been talking about this for years, but I think with recent advances in things like ChatGPT, Google Bard, people are really understanding the power of this, where before it was like, yes, it was nice to have, and maybe it affected certain industries, maybe some companies were adopting it, but it’s so widespread suddenly that now we’re able to really see the impact of this, where how can I use it to help me write code?
So maybe I still need to know how to write code, but it’s just gonna help me do it better. Or how do I look at attacks, look at maybe possible areas of threat that I have, and make that go so much faster, where it would take so many people working on this at such a high level of skill set, now you can take people that maybe don’t have as much of a skill set, or not as many people, and you’re like, look what I can do, that’s augmenting, not replacing.
[Gerry Caron] Yeah, and typically you’d have an engineer, and it’s well, funny, I was having a conversation with my parents the other day, and they keep saying, do you hear about that thing that happened, in the news and stuff? Or I see these things, videos of people on getting someone off-plane, and they think, oh, the world’s going crazy.
I’m like, no, it’s probably always been crazy, we just have so much access to information now, and it’s so much more accessible, because they record it off their phone, and they can put it out there. And it’s the same thing with AI. Before, I wanted to do, how do I, as an engineer, how do I write a script to do such and such? I would go to a community practice, I’d go hunting and pecking, and then I’d have to read through this page, oh, that’s not the one, let me go back to this other link, and you’re doing searching, whereas AI, you’re getting an answer, and actually an actionable answer.
This is how you could write it, here’s a suggested script, and how it’s written, rather than trying to like, okay, here’s a script that looks kind of, and maybe not go hunting and pecking. It’s just that mindset and that difference that I think AI offers, that it just puts it one step over the edge of getting information, and being actually actionable information that you can use. Exactly, and you had mentioned, AI is not new, right? It’s been around since the 1950s, but the applications were very limited back then. It was really focused on just government applications, then we went through our first AI winter, which was a period of decline in investment and in popularity, then we got our second AI wave, and that was focused, organizations were using it, but it wasn’t in the hands of everybody, right? And then we went through our second AI winter, now we’re back in, we’re calling an AI spring, and it’s really in the hands of everybody. You use it daily, whether or not you realize you’re using it daily to help you with navigation and getting from place to place, helping you craft emails, now with ChatGPT, large language models, we’re really able to use it in ways that we couldn’t have imagined maybe five years ago, where the technology just wasn’t there.
[Ronald Schmelzer] And you also talked a lot about data, you have to make sure that you’re trusting your data, you have to make sure not all data is created equal, and some of it is bad data, so what are you using to train these models on? So there’s a lot of things that you got to unpack there, but you’re right, the possibilities for it really are exciting. And in the coming years, coming months, to see what’s happening with that. We just hope it doesn’t turn out like the Terminator movie. TBD, I guess. Hopefully more. We’re like, maybe more like WALL-E, we’ll say.
Yeah, we like WALL-E. I know, we were having a conversation with someone else, so like, well, what do you do if, you know, technology is supposed to free up all your time? Are you going to actually work out and do all that? And I said, well, they didn’t in WALL-E, right? They just started going on those rotating chairs and gaining more weight. Turn up the blobs. That’s what’s gonna happen. Easy blobs. I love that movie. More likely of a future, anyway.
[Gerry Caron] Probably. And we always like to learn from others as well, which is part of our mission at GovFuture, where we really want to learn from others. We want industry, we want government folks, people in this entire ecosystem, to share what they’re learning, because there’s a lot to be learned here. So as cybersecurity threats continue to evolve, what steps do you believe that the government needs to take to stay ahead of the curve, to effectively manage and effectively address some of these ongoing challenges of cybersecurity?
And maybe how are you looking to private industry or partners and seeing what they’re doing and adopting maybe some things that they’ve done or learning some of the things they’ve done that you don’t want to do? Yeah, I think the government’s taken the right steps. By releasing the EO a couple of years ago, that was a great first step. And then OMB came out with the cybersecurity zero trust strategy.
Now, strategy being a key word. So it’s setting us on the right path. And there’s a lot of great things coming out of DHS and NIST, the National Cybersecurity Center of Excellence project around zero trust.
There’s so many great things. Things are going in the right direction. I think there’s some culture, maybe some agencies or some smaller parts of the government that are struggling with that culture change, because we are talking about changing the culture of how we do cybersecurity. But I think the federal, and it’s hard to move the federal government, right?
Turn around the battleship and the river kind of thing. And we’re all different. And we all believe we’re our special snowflakes, because we all have missions.
We all exist for one reason or another for a specific mission. So definitely I think things are going in the right direction. I think as far as, what was the other part of your question? Let’s try to trace it back to that.
[Kathleen Walch] Yeah, so how are you looking to private industry, maybe partners?
[Gerry Caron] Oh, yes, yes, perfect. Sorry, thank you for that.
I got to get on a tangent and then I forget, lose my mind. But yeah, private industry and partners, definitely. I am working, I lead a working group at a nonprofit. We started about a couple of years, a few years ago. We did TIC 3.0, and then we liked the model that instituted there, and we turned it into a zero trust working group. And we grandfathered about 10 vendors, and we ended up with 70 vendors in this.
And one of the things we did is like, they all wanted to show their wares. We’re zero trust, we can do it. And there’s no silver bullet. You know, there’s no one vendor that has that silver bullet.
They all have what I like to say their niche for lack of a better term. So we actually had, and it’s in the DOD strategy actually. We used an earlier version, but if you look at the DOD zero trust strategy that’s publicly available now, there’s a whole bunch of functional capabilities. So we asked them, what is it?
What is your primary functional capabilities? And we had it in the pillars that I mentioned before, and they would highlight and then we’d allow them to present. And then we also asked them secondarily, where do you integrate? Because this is an integration effort. I can’t just take one tool that work on its own.
I need it to work with the identity pillar to work with the network pillar that works with the device pillar and so on. So we asked them, where do they integrate as well? And there’s some great technologies, but first I got to know what my ads is. So I took the same exercise. If I didn’t spend another penny, what can I do with what I have? So that was some talking with the vendors that I already had investments in. What do you, can you do in this area? You know, whether it be data loss prevention, I have a cloud environment.
What can I do about data loss prevention with what I have, what I own, not spend another penny? Then I understood where my gaps were, where I needed to improve, and then talking with the vendors. And having them do that exercise so I knew which ones could help fill my gaps.
And there’s some very unique and some very good vendors out there, but there’s so many. Everybody says they do Zero Trust and it’s wading through that and trying to figure it out. So that’s why if you want to talk to me about Zero Trust, you got to do this exercise, fill out this chart. I need to know where you work. And then, you know, you kind of understand and, you know, you ask them where they integrate. Is that going to work in my environment?
It kind of things. But we need them. They have the technologies. They have the means. And working, not working with them, it makes it more difficult.
You can’t invent it yourself. So definitely like that working group, we’re our first fit. We gave them their dog and pony show, so to speak, to showcase their individual technologies. But now, and we’re asking integrators or for them to partner up and say, show us a true Zero Trust lab through all the pillars.
Here’s some use cases that would apply to anybody, not just government, but just about any organization, general use cases. And you have to show us these. We don’t want a slide show. We want to see it. We want to see how you do it. We want to see how you product A integrates with product B.
So bring your integrator, your best integrator that can display that or partner up with who you know you work best with and show us a live lab. So that’s what we’re asking for them to do. And, you know, pieces are playing play.
You know, you might have this SaaS, but I’ve already invested in this one. Well, I see the art of the possible now through this lab. So we’re really excited about it to kind of show what a true art of the possible is of a full potential Zero Trust lab across all those pillars. But the vendors are key to us because I don’t own the tech. I don’t own or I don’t create technologies. There’s so many technologies out there. I don’t have to reinvent the wheel, but I need, you know, their help to also integrate and work together because is that’s a difficult part, right?
This has a taxonomy or a schema that doesn’t match with this thing that I already got. I need them to talk if I truly want to get this done. So I need their help to do that.
[Ronald Schmelzer] Well, we’re definitely believers in show and tell. So we can talk about that in the lab environment. That’s actually why we do our GovFuture Forum event.
And some of our listeners may know that if you’re in the DC region, in that DC, Maryland, Virginia, we also, we run a monthly in-person event where vendors and government folks actually come and show what they’re doing. The rule is no slides. I think we allow one slide.
I love that. Ten minutes of demo because Kathleen and I have been doing this demo thing for many, many years. Some people may know us from tech breakfast days, but I won’t go into that.
Yeah, being mindful of the time in this podcast, I think this is really great. And I think a lot of what you’re saying really resonates with us because to a certain extent, a lot of these big movements, whether it’s zero trust, a lot of the AI stuff, a lot of it’s not really a product. You don’t buy AI. You don’t buy zero trust. You don’t buy. I’m an enterprise architect kind of by mentality.
And I’m like, well, you can’t buy enterprise architecture. It’s something you do, right? And it’s constantly evolving and you’re never done.
You know, it’s like, well, you’re only done when your organization is done and that’s hopefully never going to happen. So an art form. It’s an art, right? It’s a method, you know, this methodology in there, this process, there’s all this sort of stuff.
And clearly technology fills into that for enterprise architects, if you know the Zachman framework, for example, it’s one of those lines, but I don’t want to get too wonky here. But I think, you know, this is maybe a good sort of transition point. And there’s a question that we always ask our featured guests here on GovFuture Forum, and you’ve been a fantastic guest. And that’s kind of just in general, like, you know, what do you see or hope to see as the future of technology and innovation in the government? It’s just an open-ended question.
[Gerry Caron] Definitely, you know, the need to understand what our risk tolerances are, you know, the new generation, you know, I’m a generation X-er and the new generation operates totally different. Nothing bad about that. I’m not dispersing that at all. But, you know, it’s just everything’s mobile. Everything’s on that little phone kind of thing. You know, we’ve got this tolerance from working from home now, you know, being more mobile.
And we quickly learned what our risk thresholds for that were because some of us were like, oh, that’s yours down the road. We’re working on it, but that’s yours down the road. We won’t be able to do a lot of these things. But lo and behold, we’re doing them. You know, that should be, to me, that was kind of a light bulb moment. It’s like, we don’t have to keep doing these things. I don’t have to, you know, have everybody in a good mood.
Government building necessarily. But there’s some, there’s some loss to that as well. You know, I was, I go into the office myself three times a week. And, you know, there’s a bunch of people that show up on one of those days where it’s a little full of the normal.
Just those nice conversations I have and chit-chatting about work and stuff. It’s like, we don’t do that on this kind of technology now. It’s like, all right, I scheduled a meeting. We’re talking about this. And boom, hit the button, go to the next meeting kind of thing.
I don’t get those hallway conversations or not. But, you know, really opening up and seeing and adopting and embracing the new technologies, new ways to work. Like I like to tell, like part of my cybersecurity strategy is involving the user community. You know, how do you want to work? Ask them the question, how do you want to work? Not how do you work? How do you want to work and building those things in?
So I think it’s very important to bring them in and part of the team. I like to say, in a way, and really using it, you know, zero trust, for an example. It’s a modernization effort. It’s not a cybersecurity effort necessarily because there’s so many things that I can bring benefits to them as well. You know, rather than bringing them and boomeranging or back to an on-premises network and sending them back out to the cloud where we’re putting everything. How chaotic is that?
You know, hairpinning, turning them back out. Why not send them direct? There’s things out there with telemetry. Embrace these new ways of thinking and these technologies and understanding them. And you really end up bringing benefits to our user community as well, while improving cybersecurity.
[Kathleen Walch] Yeah, you know, this was such a wonderful podcast, such a wonderful discussion. So I want to, you know, we could go on forever, but I want to be mindful of the time. So with that, Gerry, I want to say thank you so much for joining us on today’s podcast.
[Gerry Caron] Thanks for having me. This was fun.
[Kathleen Walch] Yeah, you know, we loved hearing your insights and we’ll definitely keep this conversation going.