The Department of Homeland Security: At the Intersection of Customer Experience and Cybersecurity

Government IT leaders have been working through digital transformation roadmaps with a key focus on cybersecurity for several years, supported by mandates and volumes of guidelines from the Federal government. While customer experience has not historically been tied to these efforts, the pandemic exposed some issues in government service delivery that have eroded trust in government. The American people expect not only a secure government, but one that also offers a seamless customer experience. Yet, cybersecurity and customer experience have often been approached as separate functions. At the Department of Homeland Security (DHS), however, the two are coming together.

MeriTalk recently sat down with Erin Godinez, director, homeland security solutions, and Dean Irwin, senior director, cybersecurity, at Maximus, to discuss how the department is using technology to drive improvements that are rebuilding trust in government.

MeriTalk: Many people associate DHS with the Transportation Security Administration (TSA) officers at airports, but their interactions with citizens are wide-ranging. What are some of the other public-facing functions that have elevated the need for a secure customer experience at DHS agencies?

Irwin: Many people don’t realize that DHS interacts with the public more than any other government agency. Every day, the U.S. Citizen and Immigration Service (USCIS) welcomes 3,800 new citizens at naturalization ceremonies across the country. Customs and Border Protection (CBP) interacts with 869,000 international travelers. TSA processes 13,665 new TSA Pre Check enrollments and 3,555 renewals. The Federal Emergency Management Agency (FEMA) deploys 5,700 staff to aid in disaster recovery efforts. The Cybersecurity and Infrastructure Security Agency (CISA) manages 100 requests for assistance in response to cyberattacks and threats. To support and improve all of those interactions, the department is establishing a new customer experience directorate that reports to the CIO’s office. With a core mission to protect our nation, the agency truly sits at the intersection of cybersecurity and customer experience.

MeriTalk: In 2021, the White House issued the Executive Order on Improving the Nation’s Cybersecurity (cyber EO). That same year, it issued the Executive Order on Transforming the Federal Customer Experience and Service Delivery to Rebuild Trust in Government (CX EO). How can agencies that interact with the public balance and achieve the two mandates?

Godinez: The mandates in the cyber EO and the CX EO, along with the strategies set forth in the President’s Management Agenda, signify a transformative shift in digital modernization within government. Cybersecurity has emerged as a fundamental catalyst for the development of secure applications while customer experience has become an essential ingredient for ensuring efficient application functionality. When deployed correctly, cybersecurity and customer experience principles balance each other, such as when multi-factor authentication (MFA) provides login security with minimal imposition to users. Both cybersecurity and customer experience are core, interdependent capabilities that must be recognized for their role in building trust in government.

To effectively deploy both, it’s imperative to take a holistic approach to developing technology solutions, where cybersecurity and the public’s experience coexist to meet mission needs. At DHS, they are turning to public-private partnerships to gain insights on unifying cybersecurity and customer experience. Through collaboration with industry leaders, the department aims to leverage industry best practices and expertise to forge the path in delivering a secure customer experience.

MeriTalk: Many interactions with the public take place electronically, so security is paramount. How does DHS ensure its secure networks combat cyberattacks and safeguard vital systems and data while also providing a good customer experience?

Godinez: Agencies are implementing CISA’s secure by design guidance, which calls for building security into the design of IT solutions. With secure by design, security is baked in, not bolted on, at the design and manufacturing level, which creates a model of shared responsibility.

Irwin: DHS is keenly focused on protecting sensitive information, including personal identifiable information, and monitoring for data loss from both external and internal threat actors. It has multiple security operations centers (SOCs) that monitor systems, handle incident response and threat mitigation, meet logging requirements as outlined in OMB’s M-21-31, and engage in threat hunting activities. At TSA, for example, Maximus protects IT networks using our security operations, digital forensics, and malware analysis capabilities. We also monitor systems to prevent loss of citizen and agency data. This in-depth protection is foundational to a good user experience.

MeriTalk: How can technology drive the secure customer experience in government?

Godinez: Trust is an essential element of the customer experience. In the private sector, customers can stop doing business with a company if they have a poor experience. This is not an option with government-offered services where a single, unfortunate encounter can result in a negative perception and general mistrust of the government’s ability to serve citizens. With cybersecurity, a data breach at one agency can undermine the public’s confidence in the government’s ability to safeguard their personal information.

So, it’s imperative that agencies use technology that delivers a seamless and secure customer experience. Through partnerships, government agencies can break down silos between customer experience, service delivery, and cybersecurity to develop systems and applications that provide a positive customer journey. Technology can enable this with user interfaces and human centered design principles that improve information accessibility, online transactions, and benefit delivery.

MeriTalk: Security can be viewed as an impediment to the user experience. For example, some processes can be overly complex or make it difficult for users to access the resources they need. How have agencies overcome this issue?

Irwin: Agencies such as TSA have thousands of employee users spread across the country who need to access secure networks from various endpoints. Enabling this in a safe and seamless way requires zero trust architectures and tools that allow easy and secure access. These could include MFA, push notifications to mobile devices, access cards, and portable hardware tokens. With these tools, agencies can meet cybersecurity mandates while offering a good experience.

They also use security orchestration, automation, and response (SOAR) technology for a proactive approach to cybersecurity. SOAR uses predictive tools that analyze user behavior to spot anomalies and potential threats, which protects users in ways they don’t even see.

MeriTalk: What are some capabilities that Maximus uses to support DHS with customer experience and cybersecurity initiatives?

Godinez: Maximus is tapping into artificial intelligence and natural language understanding to support public sector agencies in improving the digital customer experience through our FedRAMP-authorized Maximus Intelligent Virtual Assistant, or Maximus IVA. The chatbot supports visitors to public sector websites such as USCIS with information and resources 24 hours a day.

Irwin: We also incorporate the information security model known as the CIA triad – confidentiality, integrity, and availability. Through zero trust measures, threat hunting and digital forensics, Maximus helps to secure confidential data against loss and ensures critical applications are available, all while following data compliance requirements.

MeriTalk: What is Maximus’s view of how to bring the benefits of both security and customer experience to the American people?

Godinez: For decades, Maximus has supported Federal agencies with programs that connect with citizens, which gives us a unique perspective. We know the importance of combining cybersecurity technology and human centered design principles to deliver a customer-centric experience with greater security, efficiency, and engagement.

This requires a holistic approach that takes into account all digital and in-person interactions with the public and other stakeholders. Maximus identifies areas where a better customer experience would reduce friction points and uncover cyber vulnerabilities that need to be eliminated. Effective modernization of legacy systems requires this integration of cybersecurity and customer experience.

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.