Federal cybersecurity officials said agencies need to involve CISOs earlier in modernization planning to reduce security risks tied to legacy systems and complex technology integrations.

Federal cybersecurity leaders have a message: It’s time to bring chief information security officers (CISOs) to the decision-making table for government modernization projects.  

Speaking at the GovCIO Media and Research Federal Efficiency Summit in Reston, Va., officials from the Department of Transportation (DOT), Department of Labor (DOL), and Government Accountability Office (GAO) said many federal agencies are pursuing modernization efforts that rely on temporary integrations between decades-old systems and newer technologies. 

Justin Ubert, director of cyber protection at DOT, described the approach as a “Frankenstein approach to modernization” that creates operational and cybersecurity risks. 

“We have to make sure that as we’re transitioning these systems … we’re doing our best to make sure that the modernization doesn’t leave gaps in the background that we have no way to fill with a security perspective,” Ubert said.  

Ubert pointed to incompatible legacy databases, growing technical debt, unmanaged historical data, and outdated identity and authentication systems that struggle to support modern zero trust architectures. To compensate, he said agencies are often deploying temporary integration layers that add complexity and expand potential attack surfaces. 

Mangala Kuppa, chief information officer and chief AI officer at DOL, said agencies need to involve cybersecurity leaders earlier in technology planning and acquisition decisions. “It’s time to elevate your CISOs,” she said. 

“What happens in most organizations is cyber comes to the table a little bit later, [after] decisions are made,” Kuppa said. “CISO should be in your strategic meeting, every technology decision you’re making.” 

“They should be proactive … I don’t need a passive CISO, I need an active CISO,” Kuppa added. “Make them part of your decision-making process, because the threats with the newer technology that we are facing require that discipline.” 

Ubert said bringing cybersecurity officials into modernization planning earlier can help agencies avoid delays and compliance conflicts later in the process. 

“One of the reasons that security is being seen as the party of no is because we come in late and we go, ‘you can’t do this for XYZ regulatory law,’” Ubert explained. “So, get us in early, because we’ll help you shape your process and integrate security as a natural part of the process.” 

The discussion comes as agencies increasingly shift toward continuous modernization models rather than periodic technology refreshes. 

Kevin Walsh, director of information technology and cybersecurity at GAO, said that while agencies rethink their modernization processes, they should also view legacy systems not simply as old technology, but as systems that no longer meet evolving mission requirements. 

“Legacy,” Walsh explained, “is a system that is no longer meeting its agency’s needs, but the needs are constantly changing, and the technology is constantly changing too.” 

Walsh said agencies also need to rethink modernization as an ongoing operational and security effort rather than a one-time technology replacement project. 

“The only way you avoid the legacy trap is if … you’re continuing to build and evolve, and … you’re not just focused on the current snapshot of what you need to do. You’re … having that future-focused, future-proof outlook to make sure that you’re not going to get left in the dust,” Walsh said. 

Weslan Hansen
Weslan Hansen is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.