When the coronavirus pandemic required federal offices to start closing, Oak Ridge National Laboratory — the largest Department of Energy science and energy laboratory — had to quickly adjust like so many others. All but 1,000 of the lab’s 6,000 staff suddenly needed to conduct their work remotely.
The lab’s IT department was forced to quickly implement solutions in order to maintain continuity of operations while also supporting a newly mobile workforce.
Kevin Kerr, chief information security officer for the laboratory, shares his experience navigating through those changes in a new podcast produced by CyberScoop and underwritten by Synack:
Adjusting the team’s approach to the DevSecOps process
Maintaining the DevSecOps process remotely has been a difficult shift, Kerr says. When developers are ready to test, they can no longer rely on meeting in person to move through the process.
“We had to put a lot more formality in the process of checking things in, checking them out, moving items from [development], to QA, to production,” says Kerr. But using external third-party entities to do testing of our environment has been helpful if something gets up before they know about it.
Using crowdsourcing to meet security standards
Kerr points to the benefits the lab found in working with partners, like Synack, to conduct crowdsourced testing. Services like those offered by Synack are important, he says, because the laboratory can’t afford to keep the scale and diversity of pen-testers necessary to cover the heterogenous IT environment on payroll.
“These folks cover the gamut of every tool and every application, every type of scenario you can think of. I want them testing our environment,” he says.
Because Oak Ridge is primarily a research lab, Kerr says it’s not always easy keeping up with scientists and researchers who appropriately put up their informational websites and may unintentionally misconfigure something. “[By] testing applications or processes through Synack, and some others that I use, gives us a much more secure environment,” he says.
The integration of new tools and processes
One thing the organization has come to realize is its new dependency on conferencing and collaboration tools so teams continue to interact, according to Kerr.
“It’s been really productive in that respect, keeping a tab of what projects and events are going on, sort of like a daily run sheet of what the development shop is doing or what we’re fixing. We have our change board that meets twice a week that goes over any major changes [being implemented],” he says.
Kevin Kerr has 33 years of experience in IT and management, leading a variety of projects in strategy development, security and risk management, operations and software development. His experience as Red Team Leader and USAF Cyber Warfare Commander has given him unique perspective on cyber and risk management.
Listen to the podcast for the full conversation on changing needs for security for the remote workforce. You can hear more coverage of “IT Security Modernization” on our CyberScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.
This podcast was produced by CyberScoop and underwritten by Synack.