
Doing it for the Fans—IT as an Enabler


About This Episode

This week Gerald Caron, CIO for the Office of Inspector General at the U.S. Department of Health and Human Services (HHS) joins the podcast to share real-world impact in bringing communications and accessibility to an organization. Gerald also breaks down a football analogy of IT as an enabler and the criticality of the fans (users) to the equation.

He also provides perspective on Zero Trust and IT modernization, including recent ATARC Zero Trust demo labs, as well as his path into IT through a keen interest in data and problem-solving. There are also his two book recommendations from Foo Fighters’ Dave Grohl and Andy Greenberg you’ll want to check out!


      [01:22] Introducing Our Guest, Gerald Caron

      Rachael: Joining us today is Gerald Caron. He is the Chief Information Officer for the Office of Inspector General at the Department of Health and Human Services.

      Welcome to the podcast, Gerald. We're always interested in the journey. What got you on the path to IT and security? Was it before you joined the Army? I'd love for our listeners to hear what that looked like.

      Gerald: I actually went to college, a small technical college in Northern Maine for a little while. I did computer programming and decided that being in Maine, there's not a whole bunch of computer jobs that were enticing. So, I decided to join the Army and spent seven years in the Army as a computer programmer. I got stationed at the Pentagon and was scheduled to get out in 2001. With IT at that time, it's like, what better place to get out if I was going to be in IT.

      I got a job as a contractor for the Department of State, answering telephones at the help desk. Some people will probably say the bottom rung of the ladder. I spent 20 outstanding years at the Department of State and worked my way up to SES from answering telephones at a help desk to being a system administrator to being an Active Directory SCCM team lead. Then I became a lab lead, a branch chief to division chief, and then a Director of Enterprise Network Management while I was there.

       

      How Gerald Decided to Be with IT As an Enabler

      Eric: I joined in right out of high school, unassigned Airborne. I was going to be an infantryman, which I was. How did you decide IT was the place for you versus anything else? Was there a calling or just an interest in you?

      Gerald: It was just an interest on how things worked. I like dealing with data, solving problems, and always liked computers. I’ve had my TRS-80. We had a couple of them in our school and I thought it was really cool, and some of the things it could do. I had a little Radio Shack color computer at home, hooked up to the TV with the tape recorder, writing little programs, and it just stuck.

      It's something that I wanted to do and I just stuck with it. Then when I went to college, I did RPG and COBOL, which I didn't wholly like. But I ended up going to the Army because I thought there were other opportunities there and I learned a lot. I did a lot of database management in the Army, for personnel branches of the Army, and programming. I converted old COBOL programs to Access databases at the time. So learning that technology.

      I just kept learning and learning because the opportunities were endless and I just loved that. There was always a challenge, figuring something out and seeing the results of your little program coming out. I just thought it was really cool. It's nothing spell-binding, but it's just something that just stuck and I liked.

       

       

      The IT Frontier Is Wide Open

      Eric: That’s a good example where in IT, the frontier is so wide open. There's so much you can do. You can learn your entire career and still only know a tiny fraction of what's going on in the industry and everything else.

      Gerald: I was a jack of all trades. I got my bid into everything, database administration, programming, and all kinds of things. What I still look back at as one of my fondest jobs or I'm glad I experienced was the call center, answering telephones on the help desk. You deal with all kinds of technologies, learn all kinds of problems, and how to solve them.

      I was one that would actually want to work with the tier twos and understand how something got fixed and stuff. Learn from that so I can better help customers. There was always a great learning opportunity. I just think everybody should experience that at some point in their IT career, being on the front lines of a tier-one help desk.

      Eric: I did the same thing. I was a software test engineer out of college. Technically I was still in college, and I lasted two weeks. I had three monitors back in those days. It was rational visual tests, which I think Microsoft consumed at some point. I'm running test routines all day, every day. I can't talk to anybody, and I'm not a programmer either. I'm just looking at these screens, my mind. It's just not my personality. For anybody who does it, anybody who's in programming, it's just not me, and that's okay. We can both go our own ways. But we had a lot of technical issues at the business I was in.

       

       

      Being in IT as An Enabler Is the Greatest Job Ever

      Eric: Our customers had technical issues. So they put a couple of us, I'd say kids, but early-stage career personnel in a break room. It's this little break room in the middle of a one-story building. No windows or anything. We set up desks, really tables, with computers everywhere. And we were the interface between level one, level two help desk, and engineering. All of the issues that were hard came to us.

      It was the greatest job ever. I loved it. We were helping people and we could literally get things fixed. You learned so rapidly because you'd go and talk to the head DBA or you'd talk to the head GUI interface programmers and say, why does it look like this? Why is it working like this? You'd go out. You would fly out on the hard cases to customers.

      I spent a week in Bank One Ballpark in Arizona watching the Diamondbacks waiting for a restaurant point of sales system to fail. It was a great job, Gerald. I'm with you. It was like trial by fire, but it was one of those things where you really learned quickly, you help people, and you understood the workings of that piece of the business.

      Rachael, have you ever done anything like that in marketing? Listeners, the eyes are going back and forth, left and right. Like a Grover doll that you're shaking furiously in the air.

      Rachael: I think the closest thing was when I worked at Dell and I was in product communications, you were assigned the media phone. You would have to answer the media hotline during a three-hour window or something usually during lunchtime when people were out.

       

       

      We Love Dell

      Rachael: You would field questions from all areas of the business that you didn't interact with. I thought it was a form of learning about areas outside of the products that I was supporting at the time. You would also get customers who would call that hotline because it was the only published number they could find for Dell and they would share their feedback as well.

      Eric: I'm sure it was always happy. We love you and we love what Dell's doing.

      Rachael: Every time I wore a Dell shirt on an airplane, I got to hear from more customers as well. It was sort of the same but different.

      Gerald: Media phone, not to be confused with movie phone. That episode of Seinfeld.

      Eric: These early-stage trial-by-fire experiences are very impressionable. I agree with you, Gerald, everybody should have something that pushes them really hard.

      Gerald: I took every job you have. You take a piece of it with you, the good and the bad, and learn from it. From that, I get a great appreciation for customer service because we all deal with customer service with our own things. It's like, if I don't like the way they're doing it, I want to make sure I'm providing good customer service. I don't want to be like that other organization, which every time I call it's just like pulling teeth kind of thing. I've carried that up forward with me.

      Eric: You know how you feel when you get bad service, you want to do better. You can't always do it, but you want to do better.

       

      [10:34] One of the Big Challenges of IT as an Enabler

      Rachael: Incremental changes can add up over time as well. So, you just got to start somewhere. Would you say, yes, I was reading an article where you were talking about IT modernization and I really liked what you were talking about? If you don't have the users involved, as part of your modernization process and planning, then it's going to be really difficult. One of the big challenges is hesitancy.

      As you said, when users feel like any of these changes are going to more complicate their workflow, then they're less likely to embrace them. So, I thought that was a really interesting comment and an important one about users first, and perhaps that started from your time at the help desk. But you're coming on about a year now in your role as CIO. Is that shaping how you were looking at what you want to accomplish in the role ahead? What have you done and what do the next five years look like?

      Gerald: I'm very customer-focused. One of the things we did, first of all, came into what I would say in a very tactical reactionary organization. Not a bad thing, but they were jumping to the occasion when things happened. So, developed a multi-year strategic plan, new mission, vision, and understanding and introduced some more formal planning and we're still maturing it. You can't do it overnight, maturing our formal planning. The other thing I looked at was, and I think this is the root of a lot of things, people don't pay enough attention. I like to go back to basic communications.

       

      What Makes Sense To the People

      Gerald: We inventoried every aspect of how we communicate, and where our communication, where we weren't communicating. Then we looked at, this is how we're communicating in this instance. It may be, that we send out an email to say we're doing maintenance, okay. Does it make sense to the people? Are they even reading it or are they just ignoring it? You send it out, but how many calls are we getting back? Are people understanding as a result of us doing that work now, are we getting a whole bunch of calls because then people aren't reading it?

      So, we did every aspect. Newsletter, we put out a bimonthly newsletter to humanize ourselves. We introduce somebody from our staff to say, we're humans too. Then the other thing is, how we communicate internally, how we communicate externally every aspect of communications. And of course, communication is sender, receiver, and feedback. We need to make sure we have that feedback, so we've engaged.

      There's one customer we have, we meet with them monthly. They said that they felt in a way ignored in the past when it came to IT things. So they didn't hold their breath when they needed something, whether they get it or not. We started meeting monthly with them, about what they weren't doing. We're listening, delivering, and getting an understanding because we're now getting that whole 360.

      At the working level, they're talking, but they sometimes talk past each other. Now, at management as senior managers, we're meeting monthly, getting on the same page, understanding what's coming up, what we're hearing, getting that understanding. We have a full 360 to make sure everybody can get on the same page, and understand what priorities are.

       

       

      Big Efforts Around Cybersecurity

      Gerald: The great, unbelievable relationship I think has been fostered and continues to mature. One of the big efforts we're doing around cyber security is Zero Trust. A lot of people, I think I'm probably not too far off in saying this, it's an IT thing. It's the back office, the security guides are putting stuff together and everything. What we did is we actually presented to our whole OIG community, hey, we're doing Zero Trust.

      What does that mean and what is it? Why is it important? Then here are some benefits to you as a result of us doing this. There are going to be some good things as a result of doing this but also we need something from you. With Zero Trust, we're trying to protect data.

      Where's the data? When do you access it? How do you access it or how do you want to access it?

      So not how, necessarily. We want the right data to the right people at the right time. So we say, how do you want to work, not how do you work? How do you really want to work? We can say, now that we understand that, let's build those requirements in. So then it's less friction when it comes time to adoption because we listened. 

      We did our best to include the things about how you want to work in the future. Especially with going mass remote work and people want to still be mobile and have more access to things as they get a little more comfortable in time. I wish I could do this now, as a result.

      We really want to make sure that we include them.

       

      The Football Analogy

      Gerald: I call that including them as part of the team. So, I use a football analogy, football team. You got the players on the field. Those are the people that are making things happen and doing the technology stuff. You got the sidelines, your project managers, your coaches, your managers, things like that. The indirect support, the water boys, the C suite people, people up in the sky box, that are making sure the resources, the prioritization is there. But if not for the fans, would that team exist? No.

      So I always remind my engineers, HHS OIG was not put on this earth to do IT. That's not the primary mission. It's the enabler. I got to remind them of that as well. We would not be here if we didn't have fans, basically. So, we do it for our fans. We need to listen to our fans and be responsible to our fans, we put a good product out on the field.

      Eric: I like the way you think about that. I think that model really holds up with the exception of like the New York Jets or something.

      Gerald: I'm a Patriots fan, so I have no problem.

      Eric: You have no problem there. No, I think that model really holds up though. I saw a quote from you in a FedScoop article: "My users are part of my team." I saw that and I was like, this is not a traditional CIO perspective, at least one that gets vocalized frequently. You are thinking of your fans in everything you do. From at least that snapshot and the discussion we've had so far, it's about them. It's a great perspective.

       

      IT as an Enabler from an IT Perspective

      Gerald: I came from what there was in the past, I've seen where it's like, the IT guys, they're creating this great thing. From an IT perspective, you can nerd out on it. It's great, it's a shiny new object. It's awesome. And then they deploy it. All right, what's the business case that's being deployed? It's like, come on. You want to like it and it's like pushing now, come on. It's like how much money, effort, resource, and time was spent to deliver something that nobody cares about. Nobody really wanted it and nobody was asking for it.

      Eric: On the opposite side of that coin, it's very often difficult to get out of an IT organization or a cyber security organization, what they do care about, what their real needs are. A lot of times we'll get an RFI for product-level stuff, but we can't get to the fans either and really understand what does HHS need to do their job? The fact that you're pushing that, to me is incredible. I'd love to understand though, how'd you do it? 

      The normal CIO, normal IT organization, I'm assuming, is running 120% all open just to hit the day-to-day. You come in, you've got a team that's working their you-know-what off trying to get things done. How do you take a step back and take a pause?

      Gerald: The thing is accessibility and communications. It's that simple. Be accessible. Offer different avenues to be accessible from the user community. Listen, don't just dismiss. Refine, understand, make sure you have that feedback loop going, and really focus on it.

       

      [19:21] IT as an Enabler Is No Exaggeration

      Gerald: We did, and when I say this is no exaggeration. We did a deep dive on all aspects of communications just to make sure we were effectively communicating and listening. Let's say you are a firewall engineer and you were making a change. I asked you why you were making that change. Oh, because it's the latest release from blah, blah, blah.

      Eric: I just read this blog and it's a good thing to do.

      Gerald: How is it enabling the mission? That's the answer I want. I don't want the technical answer. Well there's and then we have, then we have an internal. So then we have an internal communications problem. So that's why we have a new strategic plan. Make sure that everybody understands the goals of our strategic plan. It talks about being a mission-driven, business-oriented, and field-first mentality.

      People that are out on the front lines, doing the OIG mission, we understand what that mission is and that we're supporting it. It’s really getting that communication and that understanding and breaking down that stove pipe. I had stove pipes just within the small organization and I had to break those stove pipes down. We still work on it and we still foster it.

      But I see more collaboration with our customers, more collaboration internally, and you get a natural understanding of, because how many times have you had, if the three of us were talking, we were in a meeting, then we go back to our staff and we say, blah, blah, blah. Guess what Rachael said, blah, blah, blah. She's trying to do this and I don't believe that.

       

      IT as an Enabler—Bring the People Together

      Gerald: But when you get the people together and get an understanding of why Jerry's saying this, why Rachael's saying this, people just start figuring out. It's like, now I understand where she's coming from and get rid of that back-office talk, bring the people, bring the humans together.
      Sometimes you can send me an email and I'll interpret it a certain way. But when I talk to you, oh I get it now. I'm trying to bring more people together to collaborate. I don't think there's any project that we are not collaborating on. I'm not just giving it to a stove pipe and saying, all right, here's the thing that we need to do. We need to engineer this. All right, go. No. The enterprise architect is involved. Very important, which I think is underutilized in a lot of locations. I think enterprise architecture is just a nice picture on the wall, but we're trying to make it actionable. My CTO and CSO are involved, and my operations lead is involved. 

      The other thing that I'm fostering and I keep fostering is any idea can come from a great place. It can come from a customer and it can come from the lower-level person turning the screws. I don't like turning this with a screw, I want to do it with something else. All right. Let them be heard, not filter up. I want to hear every idea. So inclusion is very important to make sure everybody's included. Everybody has a voice because ideas can come from anywhere.

      Eric: I'm assuming you're talking about a major cultural shift here, in the way HHS operated.

       

      Culture Change

      Gerald: One of the parts of communications is culture change. I come from the military and there is a chain of command and I totally respect the chain of command. It's in place so things can be managed properly. I'm not trying to throw that out, but I want to make sure that all voices are heard. The other thing is, failure's not a bad thing. Failure is an opportunity, a reason to learn, and an opportunity to learn. So, fail fast and learn from it. I’m trying to get rid of that notion of, failure is not an option. Well, if you have an SOP that says do it this way and you don't follow it and it fails, that's something.

      If we're trying to modernize, we're trying to do new technologies, we're all learning from it. All right, it didn't work. You do your testing, but it didn't work. What did we learn? Let's try again with these little changes, so failure's not necessarily a bad thing. I think people have looked at failure. So, definitely trying to foster a positive culture change within the organization so that all voices can be heard. Failure's not necessarily a bad thing. Communicating with our customers, and understanding what our customers' needs are that's why we are here. We wouldn't have jobs if they didn't exist.

      Eric: What do you think, Rachael? As the director of communications, what do you think of that message?

      Rachael: I love it. That's exactly what you want to hear. It's crazy that more people don't espouse that Gerald. It seems straightforward. When we're all on the same page, then we can execute the mission together in alignment.

       

      Is Change Scary?

      Rachael: Why do you think that others just aren't on that bandwagon yet, or aren't embracing it? Is it too hard or is change scary? What's holding people back from getting to this path of almost enlightenment if you will?

      Gerald: I think sometimes, I don't want to say it in a totally negative way. I tried. That's not going to work. I think people look at the immediate, sometimes and it's like, they look at the reactionary thing and the bandaid that is needed to put it in the light term. Bandaid and onto the next thing, whereas I think sometimes, so what do you end up doing? You keep band-aiding as things come about.

      I'm really trying to dig down to the trenches, the root issue, or the root areas and build those up. I have a good foundation and organization in which everybody can feel inclusive. Everybody can communicate, and everybody sees things in a positive way. Now, are you going to have a hundred percent of your employees absolutely in euphoria and nirvana? No. There's always going to be somebody that doesn't like something.

      Eric: Mine are all happy, every single one of them.

      Gerald: I'm going to come work for Eric, then. I'll send you my resume. But still, you listen to them. Why do they still feel that way? I'm fortunate enough, actually, my organization is small enough. One of the things I did at the end and the beginning of this calendar year is, I interviewed every single one of my employees. Government employees. I went to my staff, what do they like?

       

      What Do People Want to See Better?

      Gerald: They could talk about anything. I left it open. But I try to ask them, what do they like, what do they not like? What would they like to see better? Things like that.

      Generally, it was overall positive. They like some of the changes. They like some of the new technologies being introduced and ideas and thoughts of, we wish we could have done this way for a while kind of thing, or look at these things. But they're all human. I wanted to make sure that they all had an opportunity and I get to meet all of them, especially when I come in during the COVID time.

      We're not going to revisit Eric's first question at the beginning, but I never got a chance to meet all my staff. So getting with them one on one, I found out, I didn't know somebody was doing certain things. Now I know. Then I know where my strengths are or where my issues are, and where people and their functional areas are. Sometimes I like to reach straight down. Sometimes I bypass. Why? It gives me a chance to talk to them as well as I know I'm going to get a straight answer from them because that's what they do.

      So getting an understanding from me, who does what, what makes them tick? It gave them an opportunity, not to, yes, I'm the CIO, but I don't stand on a pillar. The way I look at it is, that my employees make me successful and what do they need so I can make them successful? So it's a team effort at the end of the day. That’s the same thing I say to my contractors.

       

      [29:16] Making Many Opportunities in IT as an Enabler

      Eric: How do you do that during COVID? How do you do that? It's hard. We're not coming in as much.

      Gerald: It's much harder. But, every quarter, we'll have a virtual town hall for all the OCIO staff.

      Eric: Are people coming in now?

      Gerald: Some are. Not much, but I have my acting operations director, who lives in the San Francisco area. So, you always keep your chat open. We have virtual town halls every other week. I have biweekly with all my directors and they can invite their staff, not just the director. But I like to have their staff there so I can hear directly from them as well. So, just trying to make as many opportunities as possible.

      I don't like to have meetings just to have meetings. I’d make sure that there's meaning to them, we've done surveys. We just did a survey for our upcoming town hall that we're having this coming month about culture. What is good? What isn't? We asked about a few questions just to get a gauge because sometimes they won't tell me directly. I'll get positive but in a way to give an anonymous way.

      We try to keep all kinds of different ways to communicate out there. I wish you could see it. We have it on this mural thing where we have, it would cover a whole wall if we drew it out on an actual whiteboard, but virtually. It's just amazing, all the communications we inventoried.

      Eric: That's impressive. In the time of COVID where people are not in the office very often, at best case, you're probably a hybrid in most organizations.

       

      Reaching Out Makes a Difference

      Eric: You see people once or twice a week, whatever it may be. It's different. I think personally, maybe it's my age, it's more difficult, but it's different.

      Gerald: To talk about a cliche, IT people tend to be more on the introverted side as well, so you got to pull them out. Some of them you got to pull out sometimes. So, I’m reaching out directly sometimes. Make sure that I don't get mad about things, things happen. I'll vent, but you never show that in front of your staff. Of course, you get an understanding. Things happen for a reason, make sure that we learn from them and make sure that we understand.

      I just don't blow up for the sake of blowing up. It's like, oh, the network's down. Let's see what's going on. Do we understand? I, honest to God have an unbelievable staff. Got some great government employees that I'm just so thankful to have, they do a great job. They are very thorough. They're more thorough than I ever imagined a staff could be and very good at what they do. In that regard, I'm fortunate to have them. You got to value your people. They're the ones making things happen.

      Eric: Let's talk a little about Zero Trust. What do you think?

      Gerald: I know nothing about it.

      Eric: Perspective on Zero Trust. At least I hope so.

      Rachael: Can we talk about the ATARC, the demo lab, and all the work that you guys do? I thought it was genius. I’d love for you to share with our listeners how that Zero Trust demo lab works, and what you guys are doing because it just is so smart. I love it.

       

      Government Participation

      Gerald: I got involved with ATARC some years ago when TIC 3.0 was early on, then I chaired a TIC 3.0 working group. We came up with the use cases and then we had vendors come in and actually do demos. Not just do white papers, but we really wanted to see here are the use cases, and show us how it works. We had about seven or eight, I think, presentations. Then we really liked that format the way we went about it. We started a Zero Trust working group, myself and another lady from SBA co-chair it.

      She's out on maternity leave, congratulations to her. But so we co-chair. What we found out at the beginning is we had government participation. We had about, I think, 20 at the beginning and some vendors, probably about 15, 10. We started off, we grandfathered everybody in from the TIC 3.0 working group in and we found out we had some new members. Everybody had a different definition of Zero Trust. We said, all right, hold on. Let's have government only, let's get a level set on what the heck Zero Trust is. So it took a lot of my presentations.

      Eric: Even within government, we have the list, I can count. We have NIST, we have CISA, and we now have yours, we have Army, Air Force, Navy, DOD, DIS. I mean, we have a lot.

      Gerald: I like to say, I go back, I'm a Forrester-certified Zero Trust strategist. So I go back to the basic principles.

      Eric: Like back to 2010.

       

      Doing Cool Things in IT as an Enabler

      Gerald: Yes. I've been doing it for many years. Well, before 800-207, all those things. I was cool before the cool kids, I was a trendsetter. Actually, the trendsetter is John Kindervag and Dr. Cunningham and stuff, which are unbelievable people, if you ever get to talk.

      Eric: We've had Dr. Zero Trust Chase Cunningham on the show probably three or four times.

      Gerald: He's awesome. But so what we did is, all right, let's level set, make sure everybody's on the same page about what Zero Trust is. So the government split off. As we did that, we started feeding the vendors so that they would understand what we were defining, and how we were going about this, and so that they could start prepping. Then we remerged, once we had all the definitions and everything we remerged, and we came up with eight outlines for the vendors. 

      There were five architectural use cases. If I use your thing, how does it get deployed? Here are the five different use cases for that. Then, we had what I called the Zero Trust functional capabilities model. CISA has five pillars, which are data, endpoint, application, network, and user. Well, we have visibility and analytics and automation I added to mine.

      They all have functional capabilities under all of them and also governance, which crosses all of the pillars for risk scoring or confidence scoring things, the policy, and all of those things. So, all right, if you're going to present, show us what functional areas you cover primarily when you integrate because it's an integration effort. Then we had 12 use cases to demo.

       

      Highlight and Showcase

      Gerald: At the end of the day, we have 60 plus vendors participating. I think we're up to like 30 government agencies represented in some form or fashion. So 60 vendors, all get a chance to highlight and showcase. I think we do two every Friday, to showcase their solution. They’re, I call them, the stove pipe solution.

      Eric: How do they map to your Zero Trust framework or how do they map to the 12 scenarios?

      Gerald: All of that's got to be included. So that outline is their template for their presentation.

      Eric: How long do they have?

      Gerald: 75 minutes. Now they're not going to make it through all 12 use cases.

      Eric: No. But a decent amount of time.

      Gerald: They don't make it through all 12 use cases. They can do as many as they want within the 12. We don't expect them to do all the 12. So that's successfully going. I think those are wrapping up this month or next month because they've been going on for the better part of the year. As you can imagine, 60 vendors, two a week been going on, but it's a singular solution. Nobody does Zero Trust themselves. There's no one tool, no one silver bullet. So now we're moving to phase two.

      The government's remeeting and we have developed an outline in use cases for phase two. Phase two is all right, vendors, and partners, because it is an integration. We've all seen your singular solutions, which is great. They've been very good presentations. A lot of people have gotten benefits out of it, but we want to see more of a true Zero Trust integration.

       

      We Got Integrators Joining IT as an Enabler

      Gerald: Now we got integrators joining and we got vendors that will be partnering to put their demos together. We'll give, right now we have 12 use cases again, and we'll ask them to present and this will be closed to the government. The other, the vendor presentations have been open, but this will be more closed to the government only for them to showcase their output. So, the great thing about this is for the vendors it's presenting once to many.

      Also, it's being set up so it's actionable. It's not just a white paper drawing on the wall. It actually shows us. Here are the government's use cases and they’re apples to apples. We're all looking at the same use cases every time. We are controlling the narrative of the things that we want to see. Now the great thing about phase two is once that's set up, ATARC has its own lab space. We're hoping that it will be there long-term so we can iterate on it.

      Also that any of the government, because we're all our special snowflakes, we all have our little requirements and we're not all created equal. My implementation of Zero Trust is going to look different than Eric's or Rachael's. I need to do my flavor so I can engage with the vendor on that. The other thing is, if you have identity management, you have one product module or you can talk through it. It's like, well I've already got this investment, and all right, well you can switch that out with this, and get through those things. We want it to be stood up so it'll be longer.

       

      [39:34] Cloud Working Group

      Gerald: Then ATARC has a bunch of other working groups. They got a cloud working group, they get all kinds of other working groups. What I'm hoping that we can also do with the lab is, all right, you're doing multi-cloud environments and things. Here's what it looks like.

      All right, we got a Zero Trust lab, we'll come into this. Here's what it looks like in Zero Trust now. We can start taking these working groups and getting them more holistic. It starts getting more to look like an actual agency environment in some form or fashion.

      Eric: Can you give us an example of a use case just so our listeners can really understand what you're talking about?

      Gerald: An example of a use case may be a user who is remote or at a branch office accessing HR data on a mobile device.

      Eric: Perfect. These are real business use cases that not just your agency has, but pretty much any agency would have with their own special spin potentially. They're using different technology or whatever, but okay.

      Gerald: We've done with a VPN, without a VPN. It may be accessing data from an on-premise network, from a fully managed laptop fingerprint, or highly valued data from another agency as well. So there are those types of use cases. A lot of people, when they talk about Zero Trust, they talk about what's in the realm of control and everything, but we're also sharing data with other organizations. How are we addressing that as well?

       

      The Show-Me State

      Eric: I would imagine a lot of vendors come in and try to show you something that's cool. WhizBang graphics or, we can do this, but you're really driving them to the business use case. What the agency needs to do to do the business of HHS in this example.

      Gerald: We're taking Missouri, the Show-Me State, trying to take the Show-Me State concept. I'm from Missouri. You got to show it to me, and I go, no you're not. You're from Baltimore. It was great. I got you, Dave, up at Random House. You're from Missouri. We'll show you we can do this. But you're really mapping back to what you need to do to protect or enable the agency's business and data.

      They're high-level use cases that would apply to every agency. We want the labs to be set up for a little longer term so that the different government participants can come in with their special snowflakes and do some follow-ups as well. But we want to see something actionable. We want to see how it actually works.

      Rachael: One final question, because I'm into reading these days and I would love to know, what's the last great book you read? It could be related to IT, could not, we're open here.

      Gerald: You know what, it's sitting on my end table and I really need to dive a little bit more into it, but it's Dave Grohl's book from the Foo Fighters. He has a book. I love the Foo Fighters, right behind Tom Petty.

      Eric: Gerald's here for the Foo Fighters.

       

      Sandworm

      Gerald: I hear nothing but good things about his book. I've only got a little bit into it, but I'm just looking so forward to reading. I had a chance to see him in concert and it was fun.

      Rachael: I would give anything to see that. That's a great book. I'm looking for some summer reading, and that's perfect.

      Gerald: There's another book, somebody recommended it to me and I haven't read it yet, but I got to read it soon. Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.

      Eric: What's his name?

      Gerald: Andy Greenberg.

      Eric: I met him at RSA two years, right before COVID or right during the beginnings of COVID. He has a new book coming out, it's on cryptocurrency, in the fall. He's a Wired author for Wired magazine. I just saw on Twitter or LinkedIn the other day, that there's a new book coming out in the fall also. Sandworm's pretty good. We were going to get him on the podcast and then COVID hit, and everything shut down.

      Gerald: I'm still one of those people that read a physical book.

      Rachael: It feels good, doesn't it? The turning of the pages and yes, it's not the same on a Kindle.

      Eric: Did you see what was the movie? I think it was like an HBO documentary on the Foo Fighters, Sonic Highways, or something.

      Gerald: I missed that. I think I had some episodes recorded of it.

      Rachael: Great way to end the episode. Thanks again, Gerald. I really appreciate your time joining us today. This has been a lot of fun, and great conversation. To all of our listeners out there, thanks again for joining us. As always, smash the subscription.

       

      About Our Guest

      Gerald Caron - CIO for the Office of the Inspector General, HHS

       

      Gerald Caron is a member of the Senior Executive Service (SES) and is Chief Information Officer (CIO) / Assistant Inspector General of Information Technology (AIG/IT) for the Office of the Inspector General (OIG) at the Department of Health and Human Services (HHS) as of May 2021.

      Previously he served as the Director of Enterprise Network Management (ENM) within the Directorate of Operations in the Bureau of Information Resource Management (IRM) since June 2016. Mr. Caron has over 24 years of information technology (IT) experience. He began his career in the US Army working in hands-on technical positions serving for 7 years as a Programmer and Administrator.

      Mr. Caron then spent 2 years as a contractor with the federal government, where he acquired more refined technical skills and a more detailed understanding of IT operations. He joined the federal government at the Department of State (DOS) in 2003 as a Systems Administrator. He has held multiple positions at the DOS, moving from managing small technical groups leading up to Director for ENM. Mr. Caron is also a co-chair of the CIO’s Innovation Counsel for Zero Trust as well as co-chair for ATARC.org Zero Trust Working Group.