Future of Work Within Intelligence Community will be Remote/Hybrid

Marc Kriz, Strategic Account Leader of National Security Programs, GitLab

The pandemic has accelerated remote work. Some industry experts estimate that it might have accelerated the move to remote work by 10 years. This applied to the intelligence community too, which was otherwise used to working in closed-door, highly secure environments. To make this switch, the community needed the same secure environment at home, built into its computer networks.

That’s where players like GitLab stepped in. GitLab’s DevOps platform empowers organizations to maximize the overall return on software development by delivering software faster and more efficiently, while strengthening security and compliance. GitLab’s single application is easier to use, leads to faster cycle times, and provides visibility into and control over all stages of the DevOps lifecycle.

We caught up with Marc Kriz, Strategic Account Leader of National Security Programs, GitLab, to talk about how the company helped its customers make this switch, the future of remote work for the intelligence community, and much more.

Since joining GitLab in 2018, Kriz has been focused on driving innovative, end-to-end DevOps transformation in the National Security Community. As a technology specialist and trusted advisor to the US Intelligence Community, he works with government agency clients and industry partners to assess and solve complex challenges that support the mission of protecting the nation’s citizens, infrastructure, and data. Prior to GitLab, he supported National Security programs at Cloudera, SAS, and HP. 

Excerpts

Digital transformation is fundamentally changing the workplace. It has shifted dramatically since 2020 and the transformation shows no sign of slowing down. How do you see the future of the workspace, particularly for the GEOINT community?

I think you are spot on. The future of work within the intelligence community (IC) has changed forever. When COVID hit, intelligence agencies that otherwise used to do all their work inside of a secure facility had their employees go home. But just because people go home doesn’t stop the mission, and the threat landscape continues to change rapidly and evolve. The decision that each agency had to face was, how do I allow work and figure out how much of the work can be done from home? We have some people in the office and some people at home. I think most agencies landed on sort of a hybrid approach.

This is where GitLab stepped in, to enable the intelligence community to work from home, safely and securely.

At GitLab, we have been working remotely even before COVID. As one of the largest, all-remote companies in the world, what we have discovered is people are more productive working from home. If you measure people based on their output and results, and not based on the hours worked, that frees them up to work when they’re most productive.

I’ll give you an example: We have some employees at GitLab who enjoy gaming. They are gamers, and they’re good developers. We don’t force them to do their development work from 9-to-5 office hours. We just tell them, “Here’s the development we need you to do, you do it whenever you’re comfortable”. And they are some of our best developers. If we had a policy that said, you must come into the office and develop from 9 to 5, they wouldn’t work for us.

Similarly, the NGA (National Geospatial-Intelligence Agency) gets to attract the best talent by saying, “We have a flexible hybrid approach to remote work. We’re going to allow some of our workers to be telework or to work from home”, and that allows NGA to go look for the best of the best.

And, with remote work, it doesn’t matter what part of the United States employees live in. You might have a young geospatial analyst that lives in the Midwest somewhere, and they don’t want to move to Washington DC, or they don’t want to move to St. Louis, but they want to work for NGA.

How are you enabling your clients to work from home?

Our technology is unique in that we are a single end-to-end DevSecOps platform. So, as a developer, I might have to use a dozen tools in my daily work. That means I’m jumping from tool to tool. With GitLab, I can stay in GitLab all day and from idea to production, I can do the whole thing inside of GitLab.

What this means for remote workers is, everybody is on the same version of the truth. If GitLab is a single application, any work that I do as a remote worker inside of GitLab is going to trickle through the whole workflow and all my teammates can collaborate with me on that same workflow. Everyone can be on a single platform — government leaders, program managers, developers, operation people and even security people can all be on the same application and they can all be sharing ideas no matter where they are in the country. It enables collaboration during remote work.

As a result of accelerating remote work, customers realize the benefits of a single platform and the ability to collaborate seamlessly as a team with their remote workers and their workers that were still in the office. It really brought to light GitLab’s capabilities as that single platform. It gave a lot of customers new reasons to look at GitLab as a powerful solution for DevSecOps.

Did you see your customer profile changing in the past two years, since the pandemic hit?

Within the intelligence community, we are working with all of the IC agencies to some degree. Some agencies have adopted GitLab as their development platform of choice. We have one agency we work with that GitLab has multiple ways of security scanning your code. We come at it from different approaches and these different aspects of security scanning give you a more holistic, secure way to develop code. This agency has gotten their security team to look at our holistic approach and they have found that we are as good, if not better, at securing that code as if we were a third-party security-only scanner type of application.

They’ve accredited or blessed GitLab security scanners to scan that code. It’s been a real success story — and because the scanners are built-in and very close to the developers, it speeds up development of the software. The developer can be developing code, and then as soon as they hit the commit button, they’re told if they violated something or if they introduced a vulnerability. They can immediately remediate and fix it right then. They don’t have to wait to send their code off to some third-party scanner and then wait for it to come back. The beauty is that they develop quickly but more securely.

A lot of times security professionals think that velocity or speed is the enemy of security. That is, if I’m developing code really fast, I must be letting vulnerabilities get through. With GitLab, the opposite is true. The scanners are all built in. The faster I develop code, the faster that code gets scanned by GitLab. I get to fix the error and then I get to get my code approved by the security team and put into production. So now I’m going faster and I’m more secure than I was before.

If you talk about coding, there’s a lot more of other folks who are doing coding than the IC community. Those codes need security, a very high level of security. Do you see that kind of user base also getting attracted to your products?

Absolutely, we are, especially those in the regulated industries such as banking and financial services. Some of the largest banks in the world use GitLab for that very reason — they want their code to be absolutely secure. Many of those regulated industries have different levels of security networks too. They want that low side code to be every bit as secure as we do in the intelligence community before it gets pushed up to their equivalent of the high side.

We’ve got customers who say, “When we turned on GitLab security scanning, we were able to produce more secure code 10 to 20 times faster than we could before.” A bank that’s able to write code 20 times faster than they could before can measure how much revenue that produces down to the dollar, down to the minute. So, if they save five minutes, they can monetize those five minutes, and they can tell you exactly how much that means to them. It has absolutely been a game changer for regulated industries.

So, it could be all of the BFSI industry. It could be banks, financial institutions, insurance, the stock market…

Absolutely. The stock market, the healthcare industry… One of the other capabilities GitLab has introduced is compliance management. So, if you have to comply with HIPAA, if you’re healthcare, now you can put your HIPAA compliance framework into GitLab and track that too, to make sure your developers are not violating any of the HIPAA standards in developing your healthcare application.

Cybersecurity has been a big concern of late, with many country-level questionable actors. How are you taking care of those, not just from GitLab’s point of view, but as a security expert who is empowering people to work remotely, taking care of their data? How do you see the landscape evolving?

One key aspect of cybersecurity is perimeter protection. Then, once somebody has penetrated the perimeter, what damage can be done? We all know that there are network ways to protect the perimeter and you can build firewalls and there’s lots of technology to apply to the perimeter, but we’ve all seen the news and people penetrate the perimeter.

GitLab brings security scanning shifting left. If developers are developing secure code on the low side or the high side using GitLab scanners, they’re making sure every line of code is scanned. Every line of code is passing all the security gates. When somebody gets into the perimeter, it minimizes the damage they can do by having a secure application that can’t be penetrated. So, if I want to do damage, first I would get into your network, the second step would be to look at your software systems and worm my way through a vulnerability and take control of your software. Then I can take control of your data and the rest of your systems.

Bad actors could have penetrated the perimeter, but they can’t do any damage to your systems. When I think of security or cybersecurity, it starts with the first line of code. The very first line of code you write for a new application, you need to have the mindset of a cybersecurity professional, even as a developer. And developers don’t instinctively think of security, because they’re writing a new application, they’re creating new features. If you can automate that for them, you would take that burden off their shoulders. Now they’re creating a secure application that can’t be penetrated even if the perimeter is penetrated. So, cybersecurity begins with the first line of code.

There is the aspect of operations as part of cybersecurity. Being a single end-to-end platform, GitLab brings the operation team and the security team in with the development team. Now they’re all helping each other be more secure.

What would be your advice for many of our readers who are geospatial professionals handling sensitive data and yet working remotely?

When the pandemic hit, we were asked by a lot of other organizations around the world how do you do remote work? Out of all that questioning and all of that conversation, we came up with a free e-book that you can download from our website. It is called The Remote Playbook. You can go to www.gitlab.com and search for all-remote to download. During the pandemic, it was downloaded over 3 million times.

GitLab, in some respects, is a small company, but in the world of ‘How do I become a remote hybrid, or all remote organization’, we are looked at as an expert. With the e-book, it’s a guide for managers, the leaders, workers, HR — all departments of a company.

There’s a section for everybody in that e-book. I would encourage your readers to take a look at that and learn to thrive in this new world of remote work.

What, according to you, are some must-dos for remote working?

One of the early ones is to master a method for async work. I may miss a meeting, but I will go on my own time and look at the notes from the meeting, be able to understand what happened at the meeting, and check for any action items for me. So async is key number one, but that leads me to bullet number two.

Document everything, take notes. If I’m in a meeting, I help by taking notes. I collaborate. All the team members at GitLab in a meeting will all chip in on the same document and take notes. So, we open a shared document and we all take notes and it’s for the benefit of our teammates that can’t be at the meeting, so they can async that information.

The third one is how can my company help me if I’m remote. How can they help me enable self-service? How can I understand things that I might otherwise learn by being shoulder-to-shoulder with somebody? The key is to document all the procedures at the company level.

So, if I’m going to come up with a new policy for some group at GitLab, I put it in the handbook, and then I have a meeting to share it with my teammates. The people that can’t be at the meeting can look at the notes, but they can also go to the handbook. But what’s really important about that is, what about the employee that I hired two years from now? They can go back to the handbook from that new policy and they don’t have to call other employees to go, “Mark, what was that new policy that we introduced a couple years ago?” They can go to the handbook because everything is documented in our company handbook.

And then the last one I’ll leave you with is, stay engaged. How do employees feel part of the culture when they’re remote? At GitLab, we are very intentional about connection. We will have social events on Zoom that are special interest groups. So, there are meetups where we will have everyone that’s interested in cooking. It meets at different times to accommodate time zones around the world and our employees in different parts of the world can join this meetup at different times. We all share a recipe and cook online while on Zoom. That’s one example. It’s a way to engage and feel like you’re part of the team.