Stan Lowe, global CISO at Zscaler since 2018, is no stranger to danger when it comes to protecting large enterprise networks both within government and in the private sector.
After stints as CIO at the Federal Trade Commission from 2007-2010 and CISO at the Department of Veterans Affairs from 2013-2015, he left the public sector to protect networks at PerkinElmer and its 13,000 employees across a variety of product segments before landing at cloud-based security provider Zscaler.
We caught up with Lowe late last week, but not for the usual discussion of the Federal IT landscape that we might have had in more normal times. Because these times are very far from normal in the midst of the COVID-19 coronavirus pandemic, we talked instead about the government’s growing pains in the very first days of the Federal teleworking boom, and what agencies can do right now to improve their ability to better serve a newly dispersed workforce and increasingly concerned citizens.
MeriTalk: We’re working from home today. How about you, and how’s that going?
Lowe: I’m absolutely working from home! I’m a pretty social person, I spend a lot of time on the phone talking to people and customers, and taking care of my operations. From my perspective, and for Zscaler’s enterprise, it’s almost like any other normal day, other than the fact that I’m either not on an airplane or I don’t have the ability to go have lunch with people that I work with. In a lot of ways, it’s just another day at work.
MeriTalk: The Office of Management and Budget (OMB) is telling Federal agencies to maximize telework. Just from outside observation, it seems that some agencies are better prepared to do that, and others seem a little bit less so. What kinds of technology, and preparation, seem to characterize the agencies that are better prepared for a quick-turn rollout of telework?
Lowe: Preparation is key, and it tends to differ by agency. For most Federal organizations, a pandemic is always part of an agency’s business continuity plan (BCP) – it’s a little chapter in the manual. But there are some organizations that deal with healthcare – like the Department of Health and Human Services or Veterans Affairs – that actually take that pandemic chapter in their BCP much more seriously than others. They test, they plan the work, and they end up being the most prepared to be able to support their workforce and deliver mission in this type of situation.
For other agencies that don’t, not so much. Some of those agencies plan more around physical things that need to get done, physical infrastructure assets that have to survive a hurricane or an earthquake or something like that.
That’s typically what you’re seeing now between the folks that are the most prepared and the ones that aren’t – it depends on what their mission is and how they look at developing and implementing testing, and deploying business continuity plans. Because if you’re a healthcare organization or you have anything to do with part of the national infrastructure for delivering health care, you’re paying more attention to things like pandemics, and you put in place technology to account for that.
Another agency might not be thinking as much about pandemic planning. That’s not necessarily saying that they’re not prepared, but by mission definition a pandemic may not be as big a part of their organizational planning.
MeriTalk: Is there anything that would characterize the technology investments of the agencies that have planned for pandemics, versus ones that plan more for different kinds of emergencies?
Lowe: For the most part, until recently, the Federal government was pretty much bound to the traditional types of technology for remote access and applications. The government is just now starting to dip its toe into cloud apps like Office 365, or things like Workday and Salesforce which because of cyber policy requirements they couldn’t traditionally.
For most organizations, remote access is primarily centered around utilizing legacy VPN [virtual private network] to access application data, and they’re driven by the regulatory requirements they have to comply with, or had to comply with. TIC 3.0 sort of opened the door for agencies to be able to utilize different technologies inside their architecture and still be compliant with the security requirements that DHS [Department of Homeland Security] and NIST [National Institute of Standards and Technology] guidelines specified.
So things like being able to think about how you provision applications in the cloud, and data in the cloud, and access those applications and data in the cloud, are now completely different than they were six months ago [before TIC 3.0]. But the problem is that doesn’t help most agencies because essentially they are still tied down to legacy architecture.
The big news is that the cloud is built to be provisioned and deployed quickly, and it expands quickly. So agencies that are under the gun now can start looking for technologies – such as those from Zscaler – that you can deploy quickly and position quickly, and help agencies access those applications both internally and externally quickly, and still meet their security requirements. Just because we’re having a pandemic doesn’t mean security is less important – it’s just as important as it was before.
MeriTalk: What do agencies need to do over the next three to six months – if that’s the presumed timeframe of what we’re going through now – to make a better investment in telework capabilities?
Lowe: The biggest thing an agency can do is take a look at how they have implemented telework and access to applications and data. Right now it’s not necessarily for a lack of trying to provide employees permission or the ability to telework, it’s the capacity to support the total number of employees you’re talking about at most agencies.
Which may mean looking at new technologies, being able to implement new architectural models such as zero trust, such as secure edge … utilizing the technology that the private industry has been using for the last 18 to 24 months to give the government the ability to do that. Because at the end of the day, the government’s job is to provide services and mission to the taxpaying public, and the only way that they can continue to do that is having the ability to access those applications and data.
Think about utilizing regulatory directions and directives, and apply new technologies to support those types of things, like zero trust, to be able to provide access at the largest scale possible. This is a scale question, and typical security architectures are just not built to handle scale.
MeriTalk: What can Zscaler do right now to help agencies out during this period?
Lowe: We didn’t build Zscaler with a pandemic in mind, but we provide the ability for cloud-based security for all of your outbound traffic, in addition to allowing your employees to securely access applications and data from anywhere, and not just for some of your employees, but all of your employees. Zscaler has the ability to help when you need to give people access to applications and data both in the cloud, as well as in your legacy data center.
We’re doing it now for folks at some Federal agencies, we have some agencies that are using Zscaler and using TIC 3.0 requirements to be able to satisfy their mission delivery needs. We’re bringing on hundreds and thousands of customers onto our commercial cloud at scale, so we have the capacity to be able to help you.
MeriTalk: You can provide that help if somebody calls you today?
Lowe: Absolutely. We’re all in this together, and this is about making sure that we all get through this together.