Dave McClure made the jump from the public sector to business earlier this year when he joined cybersecurity firm Veris Group as chief strategist.
McClure brings more than two decades of federal service to his role and retired from government in the spring as head of the General Services Administration’s Office of Citizen Services and Innovative Technologies.
In this conversation with ExecutiveBiz, McClure outlines the approach that state governments take to adopt the FedRAMP standards for cloud computing that he helped spearhead at GSA. He also describes how both public and private sector organizations can balance open access and security in cloud platforms.
ExecutiveBiz: What have been the main items on your agenda or focus areas since you’ve joined Veris Group?
Dave McClure: There are a lot of things to learn and sort through in a new job. It is my third week on the job and we are getting word out that I’m in the position so that everyone understands my role and the exciting work of Veris Group. For the first couple of weeks, I’m getting to know the people in the office and their responsibilities. It is important to know the people that are working around you, with you and for you in order to be successful in a company.
Beyond that, I’ve been looking at the company performance, targets and goals for the upcoming year and figuring out how we want to approach a new business strategy for the next twelve months.
ExecutiveBiz: Could you describe your primary responsibilities as Chief Strategist at Veris Group?
Dave McClure: The title itself says it all. I’m focused on strategic issues surrounding the company. I’ve been brought in to look government-wide on where Veris Group can make a difference, for example, how the organization works with federal and state agencies that are implementing cloud and cyber strategy to help them achieve high-performance results in both cyber protection and cloud migration.
On the corporate side, I’m looking at how Veris Group teams with other industry providers with solutions and opportunities in the marketplace in order to provide joint services.
A third area of focus is establishing Veris Group as an industry leader in cyber security and cloud solutions both on the commercial and public sector side. We want to ensure that the company name is well-recognized and well-known and that we deliver world class performance in the cyber area.
ExecutiveBiz: What do you see as the key to balancing both open access to some of these cloud technologies and systems and having the right level of security in those environments?
Dave McClure: The first step involves data categorization and a data management framework. The key in the open cloud world is to know the data, purpose for the data’s generation and the dissemination of and access to that information. I always have a conversation with the empathy around the rules and regulations surrounding the collection, use, sharing and dissemination of data. It is important to know what portion of the data a company holds is publicly available information or not (i.e. proprietary, sensitive, or classified).
One of the lessons we’ve learned in the government side is that if one doesn’t understand the data and its categorization, it’s very difficult to match a cloud strategy to it. In the last few years there has been a push to make government data publicly available when possible. In this environment, agencies need what I call a “disclosure management framework” to understand that when they are releasing information, sometimes it comes from databases where there are both PII (personally identifiable information) and public data together.
One needs to be vigilant that when information is released, everything is protected under the governing regulatory framework. The good news is that both government and commercial cloud environments can be very secure. Setting up the standards and rules to protect the information in the cloud environment is no different from a non-cloud environment.
There has been lots of good work done in the commercial and agency sides that shows that data in a cloud environment can be protected according to government standards established by FedRAMP.
ExecutiveBiz: Do you plan to work with agencies in the state or local levels that are looking to adopt cloud computing? If so, how do you envision that happening?
Dave McClure: The state governments are very interested in the FedRAMP framework and the rigorous independent third party assessment work that Veris Group specializes in. We will have a lot of conversations with state CIOs and NASCIO on how some of these standards that have been put in place for the federal environment are equally applicable to state and local government. Certification work will carry itself down to the state and local levels very nicely and that’s one of the areas for possible extension of our work.
The Continuous Diagnostics and Mitigation (CDM) process is another area of partnership for Veris Group’s capabilities and for state and local governments. Everyone in the cyberspace is trying to determine the delicate balance between point-in-time examinations of security versus ongoing or near real-time security in the operational environment. Veris Group has expertise in that area and can look at its implementation in the state and local space.
State governments are often the front line service providers for the government healthcare side. Veris Group is a HITRUST CSF Assessor under HIPAA (Health Insurance Portability and Accountability Act) and can play a strong role in the integration of federal solutions in state and local agencies in matters of healthcare delivery, CDM and other programs.
Lastly, there’s a big push in all government levels to move to standard shared services in finance, payroll and HR. This presents opportunities for Veris Group’s services in cyber automation and modernization and technical security assessments in cross jurisdictional markets where government services transcend county and state boundaries and security is paramount.
ExecutiveBiz: Regarding the idea of public and private sector collaboration, in what areas do you see that industry has been able to help agencies in cloud adoption?
Dave McClure: First, industry can help agencies with the decisional processes they use in making the business case for cloud computing. Cloud computing is a technological capability that has to be put into a portfolio of decision-making just like every other investment decision made in IT, whether it is capital expenditure or operational services. Industry, through its commercial and market experiences across different government layers, can help agencies accomplish cloud solutions with a firm decisional framework of how you are going to use it and what you are trying to gain from its speed, agility, or cost saving potential.
Second, the balancing act between the point-in-time controls and the CDM tools flowing out into the market space is changing the security game. Enhanced capability and skill sets are required in agencies in order to interpret all analytical information and to make sure the operational environment is as secure as possible on a real-time basis. Industry has experience and solutions in that space and we can depend on them for best practices and implementation of case studies.
Third, industry has migration experience that state, local and federal agencies can learn from. Many of the large companies, including IT companies, have been going through migration of legacy applications into cloud environments. Their migration episodes and case studies offer lessons on how to make things work in the new cloud infrastructure and platform space.
Lastly, web and mobile software development space is exploding with focus on building effective solutions and tools that frontline government workers can use to deliver their mission. The key is getting built-in security upfront for the application development process. We are putting energy into making a difference in our services by adding security to that agility in the web and mobile space.
ExecutiveBiz: Are there any other final thoughts you would like to offer?
Dave McClure: This is an exciting time in the information technology and management space. We are in an era where you will see rapid acceleration of capabilities, efficiencies and economies of scale that were not possible a few years ago. Since we now have more maturity in the infrastructure and commodity side of technology, the energy is focused on the cloud-based application and platform space.
There is a lot of hard work and effort to make sure we do these things right. Veris Group is playing a huge role in ensuring the security aspect in these environments is up to the evolving standards set by policy and best practice.