[Senate Hearing 116-283]
[From the U.S. Government Publishing Office]
S. Hrg. 116-283
MODERNIZING TELEWORK: REVIEW OF PRIVATE
SECTOR TELEWORK POLICIES DURING THE COVID-19 PANDEMIC
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
REGULATORY AFFAIRS AND FEDERAL MANAGEMENT
of the
COMMITTEE ON
HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED SIXTEENTH CONGRESS
SECOND SESSION
__________
JULY 28, 2020
__________
Available via http://www.govinfo.gov
Printed for the use of the Committee on Homeland Security
and Governmental Affairs
______
U.S. GOVERNMENT PUBLISHING OFFICE
41-324 PDF WASHINGTON : 2020
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio                    GARY C. PETERS, Michigan
RAND PAUL, Kentucky                  THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma             MAGGIE HASSAN, New Hampshire
MITT ROMNEY, Utah                    KAMALA D. HARRIS, California
RICK SCOTT, Florida                  KYRSTEN SINEMA, Arizona
MICHAEL B. ENZI, Wyoming             JACKY ROSEN, Nevada
JOSH HAWLEY, Missouri
Gabrielle D'Adamo Singer, Staff Director
David M. Weinberg, Minority Staff Director
Zachary I. Schram, Minority Chief Counsel
Laura W. Kilbride, Chief Clerk
Thomas J. Spino, Hearing Clerk
SUBCOMMITTEE ON REGULATORY AFFAIRS AND FEDERAL MANAGEMENT
JAMES LANKFORD, Oklahoma, Chairman
ROB PORTMAN, Ohio                    KYRSTEN SINEMA, Arizona
MITT ROMNEY, Utah                    THOMAS R. CARPER, Delaware
RICK SCOTT, Florida                  JACKY ROSEN, Nevada
MICHAEL B. ENZI, Wyoming
Chris J. White, Staff Director
James D. Mann, Senior Counsel
Eric A. Bursch, Minority Staff Director
Jackie A. Maffucci, Minority Policy Advisor
Mallory B. Nersesian, Subcommittee and Document Clerk
C O N T E N T S
------
Opening statement:
Page
Senator Lankford............................................. 1
Senator Sinema............................................... 2
Senator Carper............................................... 11
Senator Rosen................................................ 14
Prepared statement:
Senator Lankford............................................. 31
Senator Sinema............................................... 33
WITNESSES
Tuesday, July 28, 2020
Sean Morris, Principal, Deloitte Consulting LLP.................. 4
Lane Wilson, Senior Vice President and General Counsel, The
Williams Companies, Inc........................................ 6
Michael Ly, Chief Executive Officer, Reconciled.................. 8
John Zanni, Chief Executive Officer, Acronis SCS................. 9
Alphabetical List of Witnesses
Ly, Michael:
Testimony.................................................... 8
Prepared statement........................................... 50
Morris, Sean:
Testimony.................................................... 4
Prepared statement........................................... 35
Wilson, Lane:
Testimony.................................................... 6
Prepared statement........................................... 45
Zanni, John:
Testimony.................................................... 9
Prepared statement........................................... 56
APPENDIX
Statement from Cisco............................................. 64
Responses to post-hearing questions for the Record:
Mr. Morris................................................... 67
Mr. Wilson................................................... 69
Mr. Ly....................................................... 72
Mr. Zanni.................................................... 74
MODERNIZING TELEWORK: REVIEW OF
PRIVATE SECTOR TELEWORK POLICIES DURING THE COVID-19 PANDEMIC
----------
TUESDAY, JULY 28, 2020
U.S. Senate,
Subcommittee on Regulatory Affairs
and Federal Management,
of the Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 2:30 p.m., via
video conference, Hon. James Lankford, Chairman of the
Subcommittee, presiding.
Present: Senators Lankford, Scott, Sinema, Carper, and
Rosen.
OPENING STATEMENT OF SENATOR LANKFORD\1\
Senator Lankford. Thanks for joining today. This is the
hearing before the Regulatory Affairs and Federal Management
(RAFM) Subcommittee, Modernizing Telework: Review of Private
Sector Telework Practices During Coronavirus disease
(COVID-19). Good afternoon, everyone.
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Lankford appears in the
Appendix on page 31.
---------------------------------------------------------------------------
In 1990, Congress passed its first piece of legislation
directly related to an employee's ability to be able to work
outside of their assigned duty station. The most recent and
significant legislation affecting the Federal workforce and
teleworking was the Telework Enhancement Act of 2010, which set
the current standards for Federal workforce requirements for
telework.
With so many changes in the world over the last 10 years,
or in the case of just 2020, so many changes, period, this
year, it makes sense to be able to take a look at the current
telework practices to see what is working, what is not working
for the Federal workforce, and to be able to learn the lessons
of what is happening in the private sector. We have a
responsibility to ensure Federal workforce strategies are
relevant, cost-effective, and well thought out.
Even before this pandemic, many private sector companies
were giving remote work flexibility to their employees. The
Society for Human Resource (HR) Management reported a threefold
increase in the number of companies offering remote work
options between 1996 and 2016. Obviously, that has accelerated
dramatically since then.
The Office of Personnel Management (OPM) reported that in
2018, only 22 percent of the Federal workforce was eligible to
telework. With the March transition to maximum telework
impacting many of these positions not traditionally considered
telework-eligible, we need to reevaluate eligibility and how
this is determined. Clearly we have more than 22 percent of our
Federal workforce that is actually teleworking now.
Since March of this year, both the Federal workforce and
many in private industry have been forced into a new, remote,
work-centric reality. Almost overnight, Federal agencies and
private companies were forced to deal with complex problems
like cybersecurity, remote performance management, employee
engagement, hiring--all these on a very grand scale. The
pandemic has been a great disruptor but it also shines a light
on broken processes and shows an opportunity for real
improvement.
There are some very important telework questions that I
believe we need clarity on in order to trudge a clear path
forward for the Federal workforce. For example, how do we best
prepare employees so that during a future disaster or pandemic
we can seamlessly transition to a Federal workforce posture?
How do we effectively train managers to stay engaged and to
monitor performance of a remote workforce? We want to make sure
cybersecurity threats are seriously considered and telework
policy conversations are protected.
Being good stewards of American tax dollars, something I
talk about often, I believe future cost-savings from reduction
in needed office space could be a key component to improving
remote work opportunities for Federal employees.
I want to reinvent the wheel, so today we will start a
series of Federal workforce-related telework hearings by first
reaching out to some individuals in private industry to see
what they have learned. Those outside Federal service
understand very clearly that creating efficient, cost-savings
workforce strategies are less a luxury and more of a necessity.
I want to thank this panel for taking away from their
business and their very busy schedules. We really appreciate
the opportunity to be able to hear about your views on telework
and the lessons that you have learned.
With that I would like to recognize Ranking Member Sinema
for her opening remarks.
OPENING STATEMENT OF SENATOR SINEMA\1\
Senator Sinema. Thank you, Mr. Chairman, and thank you for
holding this very important hearing. I appreciate our witnesses
joining us today, and I am particularly grateful to have Mr.
John Zanni here. He is the Chief Executive Officer (CEO) of
Acronis SCS, a cyber protection and edge data security company
based in Scottsdale, Arizona. Also welcome to Mr. Michael Ly.
He is an Arizona native who, unfortunately, left our State and
now lives in Vermont. I am not quite sure why, but you are
welcome back any time.
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Sinema appears in the
Appendix on page 33.
---------------------------------------------------------------------------
From the start of the coronavirus pandemic, it was clear
that the public and private sectors needed to embrace telework
wherever it was possible. It is why I co-sponsored the
Emergency Telework Act of 2020, to ensure that agencies had the
authority to permit maximum telework during the pandemic.
The ability of COVID-19 to spread is scary, and the best
way for us to reduce that spread is to follow the Centers for
Disease Control (CDC) guidelines, maintain social distance, and
wear masks. But most office buildings and traditional workplace
setups are not conducive for social distancing. I know many
companies in Arizona had to quickly transition their workforces
to telework models.
There are inherent challenges to implementing telework.
Access to broadband, ensuring security in a virtual
environment, providing the appropriate equipment, and
supporting employees who feel socially isolated or challenged
by the lack of person-to-person contact are some of the hurdles
that Arizona companies have had to overcome.
I look forward to discussing these topics with our
witnesses so we can develop a better checklist to help both
private and public sector entities be more successful with
telework.
I also think it is critical that we recognize many jobs
cannot be done virtually. Many workers do not have telework
options. From first responders to health care professionals,
many workers in Arizona and across the Nation put themselves
and their families at risk to support their communities. I
applaud their efforts and understand that telework is one part
of the larger discussion regarding how we keep our communities
and families safe.
With that I look forward to hearing from our witnesses and
I yield back, Mr. Chairman.
Senator Lankford. Thank you. Let me introduce our witnesses
for today. Mr. Sean Morris is a member of Deloitte's Government
and Public Services (GPS) Executive Committee, and the U.S.
firm's Operating Committee. He is Chief Operating Officer (COO)
for Deloitte's $4 billion U.S. Government and public services
executive business. Mr. Morris has day-to-day operational
responsibility for more than 16,000 U.S. and globally deployed
personnel. He has responsibility for a comprehensive future of
work transformation across HR, information technology (IT),
Facilities, Contracts, Finance, Security, Security Compliance,
Marketing, and Business Development.
The second person is Lane Wilson, clearly the most
important of the four because he is from Oklahoma, so I am glad
that you have joined us as well. Mr. Lane Wilson is Senior Vice
President and General Counsel (GC) for The Williams Companies
based in Tulsa, Oklahoma.
Prior to joining Williams, Mr. Wilson served as a Federal
magistrate judge for the Northern District of Oklahoma, and
served in private practice for Hall, Estill in Tulsa. Mr.
Wilson received his bachelor's degree in electrical engineering
from the University of Tulsa, his juris doctorate with honors
from University of Tulsa College of Law. Lane, thanks for
joining us today.
Mr. Michael Ly is a serial entrepreneur and speaker, cloud
accounting professional. He is founder and CEO of Reconciled, a
nationally recognized online accounting firm based in
Burlington, Vermont. Mr. Ly speaks nationally on the topics of
remote work, company culture, entrepreneurship, cloud
accounting, and diversity in new leadership.
Prior to Reconciled, Mr. Ly worked for a variety of
companies in accounting and consulting roles in Arizona, which
has already been mentioned, Washington State, and Vermont.
Thank you, Mr. Ly, for being here as well.
Mr. John Zanni serves as the CEO of an American cyber
protection edge data security company, exclusively dedicated to
meeting the unique needs of the U.S. public sector, including
Federal, State, and local government, education, health care,
and nonprofit institutions.
Prior to leading Acronis SCS, Mr. Zanni held senior
positions at Acronis AIG. Before joining the Acronis family,
Mr. Zanni spent 4 years at Parallels and 16 years at Microsoft,
a tiny little company in the Northwest.
So I appreciate all of your engagement and for appearing
today.
We typically have our witnesses stand and raise their right
hand. Since all of you are seated at your desks or tables I
assume I will go ahead and have you seated there, but I would
like to ask you to raise your right hand because I do need to
swear all of our witnesses in, as is the custom of this
Committee.
Do you swear that the testimony you will give before this
Subcommittee will be the truth, the whole truth, and nothing
but the truth, so help you, God?
Mr. Morris. I do.
Mr. Wilson. I do.
Mr. Ly. I do.
Mr. Zanni. I do.
Senator Lankford. Let the record reflect both of them
answered in the affirmative.
We are using a timing system today. As we go through this
process you will see the clock up there. If you are in Grid
view they will show a 5-minute countdown for your testimony
time. I would like you to be as close as you can to that, to
save as much time as we can for as many questions for this. But
we are very grateful for both your written testimony that you
have already submitted and for your oral testimony as well.
We will recognize Sean Morris first for your testimony.
TESTIMONY OF SEAN D. MORRIS,\1\ PRINCIPAL, DELOITTE CONSULTING
LLP
Mr. Morris. Chairman Lankford, Ranking Member Sinema, and
Members of the Subcommittee, thank you for the opportunity to
testify today on the lessons the Federal Government can learn
from the private sector regarding telework. My name is Sean
Morris. I am a Principal in Deloitte Consulting's Government
and Public Services business, and I have spent my entire life
in and around the critical missions of our government, first,
growing up in a U.S. military family and professionally for
more than 20 years working with government clients. Currently I
am the Chief Operating Officer for Deloitte's U.S. Government
business, with operational responsibility for more than 16,000
personnel.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Morris appears in the Appendix on
page 35.
---------------------------------------------------------------------------
I fundamentally believe that challenges pose opportunities
to rethink orthodoxies, and so it is my hope that the Federal
Government, like Deloitte, can use this challenging moment in
history to rethink how and where its workforce performs their
important roles for the American people.
Based on the investments Deloitte has made for the past
decade in technology, facilities, and our people, for this
Subcommittee's consideration I offer four recommendations.
Recommendation one is to continuously invest in IT
infrastructure and cybersecurity. Now there are a number of
core aspects of this recommendation. For example, consistent
investment in the latest cloud-based tools is a game-changer
for an organization's ability to rapidly pivot to numerous
scenarios, which means IT infrastructure and technology
platforms must be a focal point for organizations.
Next, any workforce requires access to reliable broadband
to successfully perform their work, which means organizations
should provision for different forms of broadband connectivity.
Additionally, critical to operational success in any
virtual work environment, the workforce must be equipped with
the correct on-the-go hardware and software, which means
organizations need to have a secure supply chain to enable the
provisioning of IT hardware and software.
And finally, workplaces and supporting IT ecosystems have
become more diverse and extended, causing an increase in cyber
risks. Therefore, cybersecurity programs require appropriate
layers of technical defense. But equally important is the
nurturing of a cyber culture where employees understand and
counteract ever-evolving threats.
For recommendation two, real estate and location footprint,
we are seeing the evolution of location liberation, the concept
that the workplace is not limited to any one single physical
space. At Deloitte, we are working toward supporting four
unique types of workplaces. First, the traditional office is
transforming into a community hub where employees come to
collaborate. Next, the field is where employees are empowered
to be productive, no matter where their work may take them.
Then the home, which is where employees can balance work and
life while maintaining productivity, and finally, a growing set
of third places which include alternative space types.
Recommendation three is centered around performance
management. An effective performance management approach is a
foundational element for building trust. Deloitte's approach to
performance management is grounded in frequent, meaningful
conversations. These conversations, when coupled with reliable
data, enable us to understand and recognize performance
throughout the year. The rapid transition to virtual work
presents government organizations with an opportunity to
challenge the orthodoxy that physical presence and visibility
in the office equals a productive and a high-performing
workforce.
Further, shifting to measuring accomplishments and outcomes
over activities and labor hours allows organizations to
cultivate a work environment of high-performing teams.
And finally, recommendation four, employee engagement. At
Deloitte, we invest heavily in an employee's experience, from
the recruiting phase all the way through to our alumni program.
This full life cycle investment is widely recognized as
enabling our ability to attract and retain the most diverse and
skilled workforce. To reinforce this point, since the onset of
COVID-19, and so as not to lose momentum around employee
engagement, we have transitioned many of our learning, social
impact, and team-building events to virtual platforms.
In conclusion, the fundamental principle underlying all
four of these recommendations is that an organization must
consider its human capital to be its core asset, and build its
technology and facilities accordingly to achieve a successful
work environment.
Thank you again for providing me this opportunity to share
Deloitte's perspectives, and I look forward to answering your
questions.
Senator Lankford. Thank you very much. Lane Wilson.
TESTIMONY OF T. LANE WILSON,\1\ SENIOR VICE PRESIDENT AND
GENERAL COUNSEL, THE WILLIAMS COMPANIES, INC.
Mr. Wilson. Good afternoon, Chairman Lankford, Ranking
Member Sinema, and distinguished Members of the Committee. I
thank you for the opportunity to testify regarding private
sector telework policies during the COVID-19 pandemic. I will
focus my remarks on how Williams has pivoted and evolved our
telework capabilities and policies to maintain operational
effectiveness, productivity, and efficiency across our
workforce of 4,800 employees in 26 States.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Wilson appears in the Appendix on
page 45.
---------------------------------------------------------------------------
In light of our business, we had to get this issue right.
Today we handle about a third of the natural gas in the United
States. It is used every day to reliably and affordably heat
our homes, cook our food, and generate our electricity. During
the COVID-19 pandemic, this reliable source of energy has been
crucial to hospitals and the supportive infrastructure they
need, and the natural gas liquids we deliver continue to be
used as feed stock to make the lightweight materials necessary
for much of the equipment and supplies used by those hospitals.
None of this would have been possible without our dedicated
employees, who are doing their part during these unstable
times, and they are doing it almost entirely by teleworking
from field locations and from home.
Williams' success is also due to our commitment to safety,
reliability, and responsibility. With this in mind, I will
share some key best practices from our transition to 100
percent voluntary work from home in March.
These best practices can generally be categorized into
three areas: one, the availability of tried and tested systems
and process; two, cybersecurity; and three, technology
deployment.
Going into the pandemic, Williams had the advantage of a
decade of experience with significant remote work. Williams
categorizes its employees as field workers and knowledge
workers. Field workers include field technicians, safety
specialists, and operations supervisors, and represent 60
percent of our employee talent. Our knowledge workers,
representing our remaining employee talent, include our
corporate support functions like finance, legal, and human
resources.
Though we have central offices in Tulsa, Houston,
Pittsburgh, and Salt Lake City, Williams' preference is for our
field workers to be in the field, so we have developed
processes and tools to enable our field workers to telework.
Leveraging these processes and tools allowed us to smoothly
transition our knowledge workers to remote work. This
underscores the first best practice--a tried and tested system
is key for successful telework.
The second best practice is around cybersecurity and the
need for multifactored systems as well as employee
cybersecurity hygiene training. Because of Williams' critical
infrastructure status and commitment to safety, our networking
systems already have a layered suite of cybersecurity
protection software. Further, our existing infrastructure and
protocol allow us to remotely push patches to laptops, so we
have continued to protect our devices from vulnerabilities.
With the doubling and tripling of virtual private network
(VPN) activity and collaboration software use, we did
experience an uptick in malware and phishing, but one that did
not impact our business. As a best practice, we increased
internal communication to employees with reminders about good
cybersecurity hygiene, and made the decision to always have one
cybersecurity analyst onsite in case we need to invoke our
cybersecurity instant response plan.
Third, regarding technology deployment, our rapid
transition to remote work depended on effective collaboration
software. We saw the utilization rates of this software
increase between 100 and 300 percent for online chats, web
calls, and teleconferences. Our transition also relied upon
employees taking home their laptops and, in some cases,
monitors, headphones, and other assets. Also worth mentioning
when transitioning large numbers of employees, it is key to
have ample IT support as employees acclimate to the new
technology and tools.
Looking forward, we recognize that for some workers
telework may continue to be an option, but we are also
cognizant of the value of in-person collaboration and idea
generation that happens organically in an office environment.
Balancing these two factors is important, and while we have not
made any final decisions around a long-term telework policy we
will continue to track efficiencies and productivity measures
to help inform our path forward. We will also capitalize on
lessons learned, particularly around employee engagement, and
continue to build on these opportunities, even after we are
free to return to our office environments.
Thank you again for the opportunity to appear today, and I
look forward to your questions.
Senator Lankford. Lane, thank you very much. Michael Ly.
TESTIMONY OF MICHAEL LY,\1\ CHIEF EXECUTIVE OFFICER, RECONCILED
Mr. Ly. Thank you, Chairman Lankford and Ranking Member
Sinema and the Members of the Subcommittee for inviting me to
share about Reconciled's approach to telework, or what we at
Reconciled refer to as ``remote work.'' My name is Michael Ly
and I am founder and CEO of Reconciled. I am joining you
remotely from Burlington, Vermont, where I live with my wife
and three young children. Vermont is my wife's home State, but
I still consider Arizona my home State, Senator Sinema, and
visit every year with my family to see my mother and my
siblings. I was actually there at the beginning of the
pandemic.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Ly appears in the Appendix on
page 50.
---------------------------------------------------------------------------
Remote work allowed me to continue to run my business,
Reconciled. We are an online accounting firm, started about 5
years ago. Today we have about 30 employees, working remotely
from 8 States, and serving almost 200 small businesses
throughout the country, handling their in-house accounting
services, remotely and online. We are recognized nationally in
the accounting industry by our innovative approach, and we also
speak regularly on the topic of remote work, how to build a
strong company culture as a remote work company, and how to
keep remote employees engaged.
Since we have been operating as a remote company and
completely distributed before it was popular because of
COVID-19, our operations have not been greatly impacted as much as
our customers.
I want to highlight one primary challenge to remote work
that will challenge everyone involved in remote work, and then
highlight a few key recommendations. The challenge primarily
being children at home, school-aged children at home. This is
by far the biggest obstruction to our employees' ability to be
productive and successful with remote work. Most of our
employees have school-aged children that attend public schools
in multiple States. Having children now at home requires us to
be very flexible with our employees and their work schedules so
that they can both take care of their families' needs, their
child's education, as well as their work responsibilities.
In my prepared statement I highlighted six key proposals to
remote work success. I want to focus on just a few of those,
mainly defining role expectations and outcomes, regular and
consistent communication, schedule flexibility, and taking
breaks.
Remote workers need to understand what is expected of them
to accomplish their jobs successfully. Clearly defining the
expectations an organization has for each employee and the
outcomes that should result when a job is done well is key for
the success of the remote employee. Often employers assume that
their workers know what is clearly expected of them. The
reality is employees have one expectation communicated to them
when they initially start with any organization, but then those
expectations change as their organizations change, as their
roles change, and when the roles now shift to work from home.
So clearly communicating those expectations and outcomes are
important.
The other recommendation is regular and consistent
communication. Never underestimate the amount of social
interaction that we receive outside of our home in a physical
workplace, and imagine you having to recreate those virtually
with a remote work team now. Time at the water cooler and
spontaneous meetings occur 40 to 60 percent of the time at
work, and the rest of your time is done actually doing work,
and studies have been done in multiple workplaces across the
country. So creating those spontaneous interactions needs to be
intentional in a remote work setting, as well as taking regular
work meetings, and one-on-one interaction with your supervisors
and coworkers also need to take place.
Flexibility is another proposal I have highlighted in my
prepared statement. Flexibility may be one of the key benefits
of remote work, especially during a pandemic. Flexibility can
be seen in multiple ways, including work schedule flexibility,
how often employees can take breaks, and from what location a
remote employee is allowed to work or can work. The key is
articulating a remote work policy that provides standards for
the majority of your staff while being broad enough to fit
multiple individual scenarios, and that is especially important
in light of the fact that school-aged children are now at home.
And then finally, breaks. Taking short and regular breaks
throughout the day for remote work employees is the key to
their long-term success. Remote employees often find themselves
more productive in the short term, but if they do not take
regularly scheduled, consistent breaks they find their
productivity decreasing and their stamina burning out.
Thank you for letting me come and share, and I am looking
forward to helping answer questions.
Senator Lankford. Mr. Ly, thank you very much. Mr. Zanni.
TESTIMONY OF JOHN ZANNI,\1\ CHIEF EXECUTIVE OFFICER, ACRONIS
SCS
Mr. Zanni. Chairman Lankford, Ranking Member Sinema,
Members of the Committee, it is an honor to join you today.
Ranking Member Sinema, thank you for the invitation to come
discuss the particular challenges associated with telework. I
appreciate the opportunity to share my insight informed by more
than 25 years in the cybersecurity field, and a remote worker
myself since 2020, including in my current role as CEO of
Acronis SCS, an Arizona-based company dedicated to meeting the
unique cyber protection needs of the U.S. public sector.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Zanni appears in the Appendix on
page 56.
---------------------------------------------------------------------------
As COVID-19 spread, IT teams had the unenviable job of
enabling secure telework capabilities at an incredible
breakneck speed. Today's typical home includes a mix of work
and personal laptops, smartphones, and network-connected toys
and appliances, all sharing access to standard Wi-Fi router
with basic security configurations.
With telework, the IT help that we all take for granted in
an office is greatly reduced. With increased dependence on
applications like Zoom, Teams, and WebEx, that has presented
new risks as well--people tuning into calls from devices on
unsecured networks. However, adhering to a layered ``defense in
depth'' approach to cyber hygiene that adopts relatively simple
processes and tools like ours significantly diminishes the
dangers of remote work.
As the CEO of a cyber protection company, when this
pandemic started I had two priorities. First, ensure the
physical and digital safety of my employees. That was
paramount. Then continue providing solutions that help our
public sector customers stay secure.
On the tech front, we were well-positioned for telework.
Similar to how the medical field uses vaccines, diagnosis,
medication, surgery, and research to treat illness, we
implemented a cyber hygiene plan underpinned by prevention,
detection, response, recovery, and post-incident forensics, a
framework for digital resilience that I would recommend for any
organization.
For Acronis SCS, that plan includes zero-trust
architecture, leveraging next-gen firewalls, segmented
networks, multi-factor authentication, and certificate-based
VPN for access to sensitive resources. This posture helped us
shift to telework without fear that an attack on one device
would compromise the whole company.
Beyond technical factors, we have taken a holistic approach
to ensure the safety and productivity of our workforce. We have
reimbursed employees for at-home office equipment purchases,
disbursed monthly Internet stipends, and ensured our health
insurance supports telemedicine and mental health services. We
also host virtual town halls and social hours to keep our more
isolated employees engaged, and have flexible schedules for
those balancing work with at-home family obligations.
We doubled down our commitment to provide software that
meets the U.S. public sector needs, whether keeping mission-
critical assets running with our hard and backup software or
protecting endpoints with Acronis SCS Cyber Protect Cloud.
While telework has certainly exposed new risks, it has also
spurred urgency, and I want to thank the Committee for its work
on this front. Chairman Lankford, Ranking Member Sinema, you
have been both instrumental in educating the American people on
our nation's cybersecurity vulnerabilities and have developed
bipartisan legislation to address them, bills like your
Telework for U.S. Innovation Act and the Emergency Telework
Act. From this legislation to the cybersecurity-focused NDAA
amendments under consideration to the Defense Department's
much-needed Cybersecurity Maturation Model Certification, all
signs point to even more urgency across government and a more
secure nation and robust economy as a result.
To facilitate public-private collaboration I ask you to
consider making the reporting of cyber attacks on Federal,
State, and local government agencies mandatory. Similar to
testing for COVID-19, if we do not fully understand the scope
or the pervasiveness of the problem, we cannot appropriately
address it.
Increased telework flexibility is in our nation's long-term
future. America cannot afford to relegate cybersecurity to the
back burner. The risks of doing so are simply too high.
Chairman Lankford, Ranking Member Sinema, Members of the
Committee, thank you again for the opportunity to be here
today, and I look forward to hearing your insights and
addressing your questions.
Senator Lankford. Thank you very much, and I appreciate
your testimony. We will have lots of ways to be able to pick
your brain as we go through this as well. I would tell you, on
the technology side and the video side, you are taking an
exceptional risk, Mr. Zanni, of standing in front of a green
screen. I have already imagined how many different ways people
could use that green screen and how many places they could put
you right now.
Mr. Zanni. Yes. That is a fair point. But I keep my private
life private and watch what I say, but we will see.
Senator Lankford. I will defer my questions to the end of
our hearing. Senator Sinema has also chosen to do the same
thing as well, to be able to defer her questions to the end. So
I recognize Senator Carper for his questions now.
OPENING STATEMENT OF SENATOR CARPER
Senator Carper. Thank you. Thank you, Mr. Chairman. To all
of our witnesses, welcome. In fact, you all have some very
interesting backgrounds. You have made some significant career
changes and moves that one would not have expected, given your
early start in life. I am delighted that you are here to share
your thoughts with us today.
I am going to start with a question for Mr. Zanni. In your
testimony, you state that the modern cyber threat landscape is
more sophisticated and relentless than ever before--I would
agree--but that many of these threats are not new.
Ransomware is one example of this, as these attacks have
continuously posed a threat across different sectors, including
State and local government. Educational institutions as well.
More recently, scam emails have been a way bad actors are
affecting vulnerable systems. Did you hear that? That sound
says we just began our next vote, and maybe our last vote for
the day. We will see. It will be over in a second. Maybe. There
we go.
More recently, scam emails have been a way bad actors are
accessing vulnerable systems while folks are teleworking. How
has your organization, Mr. Zanni, handled cybersecurity
incidences with employees shifting to telework, and how can
Federal, State, and local governments learn from those
incidences in identifying our vulnerabilities?
Mr. Zanni. Thank you. In the context of our company, we
took a ``defense in depth'' approach, which means a layered
approach to protection. No single company can provide
sufficient protection against ransomware or phishing attacks or
other malware. Unfortunately, the weakest link is still humans.
We are taught and trained to trust, and that trust is sometimes
taken advantage of.
Also, it is impossible for anybody to keep their systems up
to date instantly. So by having a multilayer approach in terms
of VPN, multi-factor authentication, having a good antivirus
software, having good backup and recovery, good anti-
ransomware, you really minimize the chances of anything bad
happening. And if it does, you can recover quickly, and if you
take full advantage of encryption, the likelihood of any data
being compromised is very low.
The other part I would like to add here is education.
Unfortunately, as a society, we do not understand yet the
seriousness of these threats and the tools that the bad actors
have. Right? This is not college kids in a dorm room having
fun. These are nation-states, well-funded organized crime. They
have the same access to machine learning and quantum computing
and artificial intelligence (AI) that we have access to. And so
without bringing in the experts and the professionals and the
tools and the processes to protect ourselves, we just become
vulnerable.
And so education and awareness is an absolute key
component, and we spend a lot of time, like me here, just
educating and driving awareness, so that people really protect
themselves and not make security an afterthought.
Senator Carper. Thank you very much, and thank you for
making time to do some of that educating with us, my colleagues
and me.
A question, if I could, for Mr. Morris. This deals with
coordination with an agency we call Cybersecurity
Infrastructure Security Agency (CISA) at the Department of
Homeland Security (DHS). Mr. Morris, I understand that you are
responsible for managing over 16,000 U.S. and globally deployed
personnel. Is that right?
Mr. Morris. That is correct, sir.
Senator Carper. Boy. How long have you been in your current
leadership position?
Mr. Morris. Current role, one year.
Senator Carper. OK. I read in your testimony that Deloitte
practically shared cyber threat intelligence with the U.S.
Government agencies, cyber threats before they can cause
substantial harm. One of those agencies, I presume, includes
the Cybersecurity Infrastructure Security Agency, which is at
the Department of Homeland Security. Is that correct?
Mr. Morris. Yes, sir. We share it governmentwide and
actually within the industry as well. We find it is a good way
to collaborate on external threats.
Senator Carper. OK. Over the years, a number of my
colleagues and I worked to give DHS the resources necessary to
carry out its cyber mission. We are especially proud of the
bipartisanship in Congress that led to the passage of
Cybersecurity and Infrastructure Security Act in 2018, 2 years
ago.
Could you take a minute and talk a little bit more about
your relationship and that of your colleagues with CISA and the
other relevant Federal agencies that you work with? Tell us a
little bit more, if more needs to be done to improve that
relationship between the Federal Government and the private
sector in addressing the current threats that we face in light
of this pandemic.
Mr. Morris. Yes. Thank you for that great question. I will
just say that I spent a decade working with the Department of
Homeland Security, both pre-9/11 and post-9/11, so it is one of
the agencies that I have had a lot of experience with, and it
is a fantastic organization.
What I would say is that our cyber professionals work
across the Federal Government, State and local governments,
higher ed, and in commercial organizations, and we share some
of the best practices that we see with all of those
organizations, in addition to standard threats that are
occurring on an almost real-time basis.
One of the things that I would add about some of the
uniqueness of the Federal Government and governments in general
is just the multi layers that are associated with our IT
systems. And we are noticing a significant amount of success
utilizing machine learning, both in our own networks and then
sharing that with other government agencies.
The reason that that is a game-changer is the volume that
you have to go out and see on a regular basis, and that must be
monitored on a regular basis is, quite frankly, too much for a
human to do, in any realistic manner, and so machine learning
is starting to transform the way that we can interact with all
of these layers of network going forward. I think that is a
game-changer for agencies, in general, to better utilize.
Senator Carper. All right. Thanks very much. My time has
expired. Thank you all.
Mr. Morris. Thank you.
Senator Lankford. Stick the landing, Senator Carper. I
appreciate that. I am going to ask a couple of questions and
then I am going to defer on to Senator Rosen and Senator
Sinema, because I will have to run and do a second vote, just
like Senator Carper is going to have to do here in just a
moment as well. So we will switch back and forth.
But I do want to ask, Mr. Ly, you mentioned about school-
aged children and flexibility. Obviously that is a unique issue
right now with COVID-19, with schools being closed. I want to
ask you, as you are thinking about, let's say, a year from now,
are there lessons to be learned? And that is a lot of what we
are trying to be able to pick your brain on for all of you, is
to pick your brain on what you are doing in the private sector,
or things we need to implement in the public sector in the days
ahead.
For school-aged children, do you anticipate for telework
you will handle schedules differently for teleworkers, not
during summertime but during summertime that may be different?
Do you anticipate something is going to have to change when we
are not in a COVID-19 world but still doing telework?
Mr. Ly. Yes. Right now we have been operating pre-COVID-19
world as a remote work and telework company, and so we first
set expectations with every employee that the majority of their
work, the predominant majority of their work has to be
accomplished and done during the normal business hours of 8
a.m. to 5 p.m. Eastern time, which is the time zone we
generally operate in, and what our customers generally operate
in and want to receive responses from us from.
We also communicate with our employees that they need to be
responsive to emails, to communication, to their customers as
well as other coworkers that have questions related to work.
I think the really main disruption is the reality of
school-aged children at home. Besides that, we have been able
to have fairly efficient operations as a business and also set
expectations of our employees on their productivity and work
outcomes. That work would normally be able to be accomplished
during normal work hours, between 8 and 5 p.m. local.
Senator Lankford. Right. Before I transition to Senator
Rosen here for her questions, what I am really trying to drill
down on is do you anticipate, post-COVID-19 lessons learned
that you are going to have one type of structure for your
telework folks that have school-aged children, let's say
January to May, and another type structure that functions
during the summer, with those that have school-aged children,
or do you just, for your managers you are just basically saying
be more merciful to your folks that are managing when they have
school-aged children? Do you anticipate there are two different
structures or just more mercy and flexibility during the summer?
Mr. Ly. I think there is more flexibility during the
summer, but as long as you empower your managers and your
employees to make decisions that work for their families but
also allow them to accomplish their work outcomes and that
those are clear for them, then what we find is generally our
employees are very flexible with their own lives because they
appreciate the flexibility they are being given.
So with the responsibility of being able to work from home,
they take that seriously, and they flex their own personal
lives to be able to get their jobs done, as well as the needs
of their families.
Senator Lankford. OK. Fair enough. I want to recognize
Senator Rosen for her question time, and then Senator Sinema
will follow her directly after that.
OPENING STATEMENT OF SENATOR ROSEN
Senator Rosen. Thank you, Chairman Lankford, for waiting
for us to come back from votes. I really appreciate it. Thank
you, Ranking Member Sinema.
This hearing today, of course it is such an important
topic. It is on the minds of every single person I know,
whether you are a worker, a business owner. This is one of the
many challenges that we have today. So I am so glad we get to
come together in a bipartisan way to figure out how we are
going to support businesses as employees migrate to some form
or fashion of telework, and what kind of flexibilities do we
all need to be able to make this happen.
I want to focus a little bit on cybersecurity, and, of
course, the pandemic. We have forced many small businesses now
to transition their workforce to work remotely, and we know the
challenges it faces is sometimes you do not have the right
Internet, you cannot get on, the phone signal, whatever those
things are. Our companies had very little for planning before
having to shift quickly from in-person work to telework.
So, of course, we know there is no shortage of hackers out
there. They see this as a prime opportunity to just pounce on,
and potentially steal information, get inside someone's place
of business. They want to exploit those gaps in security,
targeting individuals on secure devices or networks. Many of
them are now using things from home that are not secure in the
same way their space may have been at the office.
And so, Mr. Zanni, can you talk a little bit about the
major cybersecurity challenges that small businesses are facing
when they transition? Are the current programs at DHS and Small
Business Administration (SBA), do you think they are enough to
help us get over kind of this hump of having to figure all of
this out? What can we do to help fill the gaps as everyone
needs to navigate this?
Mr. Zanni. So I thank you for the question. Prior to my
tenure at Microsoft I was actually a small business owner, a
single restaurant, for over a decade, so I have a particular
affinity and love for those people who work very hard, day in
and day out, to support their families.
The first thing is that, for small businesses, it is still
way too complex to figure out how to protect yourself against
cyber attacks. Part of that challenge is, of course, with the
industry itself, and that includes me. Part of it with the
government, providing clear and concise guidance on how to
protect yourself. It is not that hard. It is just very
confusing today.
We are fortunate. We follow a lot of the government
guidelines. But as you know, if you have ever read a National
Institute of Standards and Technology (NIST) guideline, they
are not two-pagers, right, and it takes some expertise to
really go figure that out.
So I think what the government could do better is first
awareness and education on how this threat is real. Just like
none of us would leave our house with our door unlocked, or
even remove the locks and leave, we need to show people that
you need to have cybersecurity as top of mind. And even the
smallest business is not exempt. In Arizona, a small school
district was attacked, a K-12 school. They said, ``Why did they
attack us? We are nobody.'' They do not care.
And then the other one is really providing concise
guidance, right? It really is just about keeping your system up
to date, having the right cyber protection tools, and some
people to make that happen. Just like you have made it very
easy for me to recycle trash, which I know is more of a
physical piece, but it is that same concept, and there is some
work we could do together there.
Senator Rosen. I appreciate that. I appreciate you being a
former restaurant owner. I would love to chat with you about
that because in Nevada we love our restaurant and hospitality
industry, for sure. But I want to thank you for your answer,
because 99 percent of businesses in Nevada are actually small
businesses. My office, we have heard from hundreds of them. We
have connected with every Chamber of Commerce, our small
business directors, done over 100 webinars. I have been on many
of those with them.
I want to really ask the business owners, the businesses
represented on the panel, if you did not turn to the SBA or to
NIST or some of those, where did you turn for information to
maintain your cybersecurity as you were transitioning? So, Mr.
Wilson, I guess we will let you go first, and then Mr. Morris
and then Mr. Ly, please.
Mr. Wilson. Thank you, Senator. Yes, I mean, we are not a
very small business so fortunately we have a very robust IT
department and they were able to transition us in the means
that we needed to. So probably not the best one to answer that
question for you.
Senator Rosen. Mr. Morris.
[No response.]
Mr. Ly.
Mr. Ly. Right. Because we handle accounting work and we
often have access to financial information related to our
customers, we, from the beginning, have implemented
cybersecurity protocols that are very secure. The weakest link
in most remote organizations is what we call ``endpoints.''
Generally they are mobile devices or laptops that are either
provided by a company or brought in by an employee themselves.
And it is ensuring that the security protocols are set up as
well as virus protection, malware protection, and Internet
security suites are preloaded onto those devices, as well as
ensuring that employees' homes and the networks that they are
on are protected and secure, and that they are using VPN
software when they are entering into areas that are unsecured,
like public Wi-Fi settings, if they are planning to do work
from a location that is not their home location.
Also, the more pure cloud-based technology you can
leverage, in our opinion, the better, mainly because then
documentation or confidential documentation is no longer
sitting on those devices but instead sitting in the cloud, in
the Internet, and accessed through Internet software, Internet-
based software, and that is primarily the practice we have
used.
And so we leverage accounting journals, technology
journals, and websites that allow us to ensure that we are
setting the right security protocols for ourselves and
consulting also our clients on the best practices as well.
Senator Rosen. Thank you. I appreciate that. I know I am
just about out of time so I am going to submit this one for the
record. But I think about the costs associated with migrating
to telework, and I think about the capital investments that can
make that may spur our economy. Those are those one-time
investments that we are going to do to bring all of our systems
up to speed or create that personal protective space we might
need, even if people come in or buy laptops, hardware,
software, and the like, versus the normal operating expenses.
And perhaps Congress can think about how we help you with the
one-time capital expense so people's businesses can continue to
operate, and that can take it off their daily books, if you
will.
So we will look forward to seeing those answers. Thank you,
Mr. Chairman.
Senator Sinema. [Presiding.] Thank you, Senator Rosen.
Hi. It is Senator Sinema again, and my first question is
for Mr. Zanni and Mr. Morris. Successful telework is dependent
on reliable high-speed Internet and as a member of the Senate
Commerce Committee I have repeatedly called for future
coronavirus relief legislation to include a long-term plan to
invest in broadband infrastructure, ensure we have the
appropriate regulatory framework, develop better coverage maps,
and utilize Federal resources effectively.
My State, in Arizona, ranks 51st for rural fixed broadband
deployment, and three-fifths of rural residents have no access
to ground-based broadband. So folks in Arizona frequently tell
me the service that exists is often unreliable.
Given that both of you highlighted these types of broadband
challenges in your testimony, what advice would you give to
other employers seeking to expand telework, those who face
similar challenges?
Mr. Zanni. This is John and I could take the first one, if
that is OK.
Senator Sinema. Great.
Mr. Zanni. OK. Great. Thank you. So first, I do want to
emphasize that we do need to solve the lack of broadband access
to rural populations, because that is critical. Today, if you
do not have access to broadband in most businesses you are at a
competitive disadvantage.
Having said that, there are ways around it until it becomes
available. There are products like ours that are optimized for
low broadband situations where they are using smaller agents, a
lighter footprint, combined solutions to not use as much of the
network. Even the teleconferencing software, you will see a
very big difference in low broadband situations if you are
using Zoom, for example, versus Skype.
And so being able to make sure you identify the tools that
work best in those situations, you can still be quite
productive. We need to solve the problem of not having
broadband access to everybody.
Mr. Morris. And this is Sean Morris. Ironically, you may
have noticed my picture went away for a moment there, about a
minute ago, and actually the power went out in my house, and so
it re-emphasizes the importance of actually having a backup,
which I think is incredibly important. Bad things do happen
sometimes, sometimes on a world stage, I guess, as well.
But in any event, what I would say is I completely support
John's comments previously. We have to invest in our broadband
technology for all aspects of our country, and not just the
populated cities but the rural areas as well. We put ourselves
at a competitive disadvantage against other European countries,
for example, that have made significant investments and are
leaps and bounds ahead of us, in many instances, and are better
able to take advantage of things like 5G in the future.
Backups are important, at the end of the day, as I proved
just a moment ago. From a Federal employee perspective, one of
the things that we have done, while it is not perfect, when
broadband connectivity is down or not available, in particular,
in one of four locations that I referenced in my opening
remarks, every one of our employees is issued a smartphone,
which enables a hotspot to work and provides some levels of
connectivity. It is actually very good. These days it is 4G and
moving to 5G.
Senator Sinema. Thank you so much.
My next question is for first Mr. Ly--I apologize; I think
I pronounced your name wrong at the beginning of our hearing--
and then also for Mr. Morris. Whether a company is a small
startup or a large multinational firm, individual employees are
its backbone. Social interaction in the workplace is not only
helpful for professional development but also in cementing the
relationships inherent in creating a team.
So what steps have you taken to ensure that your employees
continue to feel fulfilled and supported while teleworking, and
have you discovered any tools available to help employers
enhance and maintain that camaraderie amongst the workforce?
Mr. Ly. Yes. So thank you, Senator Sinema. The tools we
use, we leverage technology to allow for that consistent
connection to be recreated virtually, that normally happens in
an office. It starts on day one, when an employee begins, and
starts with their experience with onboarding into a company and
their experience with HR. We leverage video technology such as
Zoom, and then an internal communication tool such as Slack
that replace traditional email but allow instant communication
between employees, and allows us to create spontaneous meetings
and interactions and collaboration that normally happen within
an office.
We also require that every employee has a touchpoint
throughout the week with either a supervisor or a coworker, so
that they have regularly scheduled times in which they are
connecting in with their team virtually. Because again, you are
trying to compensate for, as you said, in-person times that
happen throughout the day, and we cannot overestimate the
amount of social interaction that continues to occur, and the
health and well-being that helps with that.
So we are very intentional about that, scheduling that
throughout people's calendars, and making that a part of an
employee's work responsibility throughout the day and
throughout the week.
Mr. Morris. I would just add, I agree with those comments.
We have invested significantly in what we call the employee
experience, throughout the life cycle of an employee's time at
Deloitte, and we did not want to lose all of that investment
when we went into this full telework environment. And so we
have transitioned to almost everything we do for employee
experience to a technology and online platform. And what that
has allowed us to do is not lose that culture of heavy
investment in our employees.
One of the core aspects of our culture is to give back to
our communities. We give a significant amount of our time and
money to pro bono efforts, as an example, across the country.
And we have moved our pro bono activities, our social impact
activities to those online platforms that we have, many that
are very similar to what was previously shared.
So, at the end of the day the best practice here is do not
stop investing in the employee experience. Move it, if you can,
to these platforms, and that culture will continue to thrive
and adapt.
Senator Sinema. Thank you. Just a quick follow-up on this
topic. Are there specific actions you would recommend a company
take regarding telework during a pandemic when feelings of fear
and social isolation are often exacerbated?
Mr. Morris. Yes. I will just add that, what we did was we
encourage our individuals to take time off. That is a challenge
that we see at the moment across industries.
The other thing that we did was recognize that well-being
is both physical well-being and emotional well-being. And so we
gave 80 hours of time off in addition to sick leave and
personal time off. So there is a steady focus on that working
from home does not equal working all the time.
Senator Sinema. That is an important point. My next
question is a follow-up on kind of building off the question
that Senator Lankford asked earlier, for Mr. Zanni and Mr.
Morris. I have heard from some Arizona companies that perhaps
the chief challenge with teleworking right now is the closure
of most of our schools. Parents are managing their children's
education needs while also juggling their own work
responsibilities. And as we have seen, this requires great
flexibility on the part of companies and families.
So what specific recommendations might you have for
companies, or for families, on how to set up or expand a
telework plan so that people can both manage being a good
parent, a home-school teacher, and a good employee?
Mr. Morris. John, do you want to start?
Mr. Zanni. Sure. Yes, that is an incredibly hard problem to
solve, especially some of those families live in smaller homes.
And it is not just about the child or the dog coming in and
interrupting you during a meeting. It is the worrying even when
you are in a meeting, are they going to interrupt you? When do
I get a break?
The best we can do is first really send the message to
these families that as an employer we are here to support them
and support flexible work hours, and take the time off that
they need. I have one, my head of sales. He came to me one day and
just said, ``John, I need to take 3 days off. I need to give my
wife a break so that we do not go crazy.'' And of course I
said, ``Immediately.''
Longer-term, we have to think about how these workers can
somehow segregate themselves or separate themselves enough to
not be as distracted or find the right work-life balance. I
have seen hotels offering rooms during the day now for
telework. I am sure there are other options that will come up.
But we need to think together how to do it.
But the first thing is really--I have made sure, for me,
one-on-one calls from my head of HR, that everyone in my
organization knows family first. If you need a break, take it.
Senator Sinema. I appreciate that.
Mr. Morris. Thank you, Senator. I would just add that the
training does start from the top, and that is absolutely a
lesson learned that we have had in Deloitte.
The other thing I would say here is that yes, it is
families with children. My wife and I are certainly examples of
that. Yes, it is very challenging. But it is also other
circumstances, and I think it is important to note that in
diverse employee networks, that could be an aging parent, that
could be a pet that is sick. There are a whole bunch of things
that it could equal.
One of the things that we have focused on is this concept
of courageous conversation. So very open, authentic
conversations with senior leaders in the firm to really get the
tone and the culture out there that you can actually ask for
time off. It is not looked down upon. In fact, we would like
you to share what is going on in your life so that we can adapt
our processes and our policies. And we use various
communications techniques as well as surveys as a way to get
that information and feedback to tailor our programs and our
processes.
Senator Sinema. I appreciate that.
Mr. Chairman, thank you, and I yield back.
Senator Lankford. [Presiding.] Thank you.
All right. So going back again to the basic of this whole
hearing. We are trying to gather ideas from you, lessons you
have learned, so that when we are writing legislation or
working through policies for the future for Federal agencies we
need to learn what you have done. We will gather, obviously,
what they have experienced in the last couple of months and try
to apply it to policies.
So let me ask some very basic questions. All of you have
been through this in different forms for a while, but this is a
very different type of year. I have heard quite a few companies
say, ``Well, you know what? We are finding good success in
teleworking, more so than we thought we would,'' and then they
put this caveat in there, ``except when we are hiring new
workers.''
Because the people existing and teleworking now that you
have added so many that are teleworking, they have previous
relationships, they are used to collaborating. But when you add
a new person or a new group of people into this, trying to
learn from each other, figure out how to collaborate,
integrating into the culture of your business, that is a very
different experience when all of their experience has been
telework and all the people that physically collaborated now do
not know what to do with this new person that is teleworking.
So let me pick your brain on this a little bit. For the
long term, are there lessons that we can gain from this on
integrating new people into your culture when all of the
relationships are telework relationships? Any or all of you can
answer that. If you have input for that, we need it.
Mr. Ly. Yes, I can start with that, because we hire the
majority of our employees in that way, remotely, employees I
have never physically met or been present in the same room
with.
So it first starts with thinking through your onboarding
experience or your employee, your day one experience. And most
important for us at Reconciled was what is an employee
experiencing in the first day, first week, and first 30 days of
being here, and how do we set them up for success? So we
leverage technology to do that. We created a dashboard where we
literally outline all the different steps of what they are
going to experience in those first 30 days, what their
different days are going to look like, the training they have
to go through online. We require every employee to set up video
meetings with others in the company, even if it is not related
to their work, just so that they start interacting with other
co-workers and other team members in the company.
We also have required meetings with different managers,
different leaders in the organization, and they do go through a
pretty thorough video orientation with the head of HR as well
as their managers, several times that week during the first few
days.
So it is important to think through intentionally what is
an employee experiencing, what is it like, what are things that
they need to see on video, what do they need to see in physical
documentation, what can be a quick email, and really trying to
create what I call, like in a Disney-like experience. How can
you wow them, even in a virtual setting?
And we often have employees say they feel more connected in
that experience virtually than they do with most places they
have worked physically. So we know the results speak for
themselves when we get that feedback from an employee. So it is
really that intentional investment, very similar to what you
would do to invest in the customer experience, on how do you
make a customer feel like they really are connected with you
and can trust you. You have to do the same, if not more, with a
virtual employee.
Senator Lankford. OK. Very helpful. Who else?
Mr. Zanni. This is John. I will just second what Michael Ly
said. It really is about being intentional. We have onboarded a
number of employees since COVID. First time in my life I have
not met them in person, quite disconcerting at the beginning.
But once they start we have a very robust onboarding session.
We have teams that keep Zoom sessions on all day, so that
people can interact, ensure those video meetings.
I personally will send them a message on Teams to say, ``I
am right here if you ever need anything.'' So remove those
layers that I am not the fake, inaccessible guy. And it has
worked out very well for us.
Senator Lankford. OK.
Mr. Morris. I will just add one other point. I agree with
everything that is being said. We are being very successful in
some unusual circumstances here.
But I would add that when we beat this virus and we get to
our new normal, my personal perspective is that the need for
some level of in-person interaction is important for continuing
to cultivate an employee experience and a culture, which is why
we think about our workplaces facilities in the four quadrants
that I spoke about earlier. It is this dynamic movement across
those, where you can have different experiences and different
interactions.
Technology is a fantastic game-changer, particularly right
now in COVID-19. But I am a believer in some level of human
interaction as well.
Senator Lankford. So Sean you are saying that you are going
to keep those four quadrants even after this, that it is your
expectation that you are going to have, if I remember them
correctly, collaboration, that you will have home, alternative
place, and then there is one other, the field was the fourth
one, if I recall correctly. Do you anticipate you are going to
still have those four quadrants even after this?
Mr. Morris. Yes, Senator, and it is recognizing that an
employee may be doing different things at different stages in
their careers, so they can move around those quadrants. And
that we have taken all those into consideration as we are
building the right platforms, and we are building those
platforms on that experience, as opposed to the platforms
first.
Senator Lankford. All right. Lane, where are you as far as
trying to be able to onboard people during this time period?
Any lessons that you have learned that could help us in the
Federal workforce?
Mr. Wilson. Yes. We are onboarding people as we speak. I
think this boils down to leadership, frankly, and intentional
touchpoints.
So I lead a team that even before the pandemic was not on
the same floor as I am here in Tulsa, and the majority of the
team was not even in Tulsa. They were spread across four
different States. And being very intentional about getting them
in front of leadership, through town halls, for example. We are
now doing monthly town halls as opposed to before we were doing
quarterly town halls. Making sure that they get a feel of the
culture from the leadership, and then as a leader, making sure
that you are having those intentional interactions with your
team, and also making sure that your team members are having
intentional interactions with themselves. And then you cascade
that down through your organization.
We probably have five, six layers here at Williams. So we
have to make sure that our supervisors, who might be managing a
team of eight or nine people, either out in the field or in an
office, are doing the same thing, that they are talking to and
visiting with and having collaboration sessions with their
teams, and also making sure that their team members are doing
that. And when you bring somebody new on board, that is even
more critical, that you build in an expectation that, hey, you
have a new team member. Have you reached out to them? Have you
had a videoconference with them? Have you talked to them? Do
you know anything about them? Have you gotten to know them in
any way?
And so I think it is really just about very intentional
leadership.
Senator Lankford. So let me delve in on this a little bit
more, for all four of you, if any of you want to be able to
answer this. Has your perspective changed, or maybe it has not?
I am interested to be able to know what that might look like,
that there are certain positions that you will no longer hire
those within a geographic area, or certain tasks and certain
jobs you know that they are very capable of teleworking from
anywhere in the world, for that mindset, but at least anywhere
in the country. Is there a perspective that you have that in
the future there will be certain jobs that you will hire
remotely, find the best person no matter where they live, and
have them permanently work not in an office space?
Mr. Ly. Yes. I can speak for the accounting industry. My
peers who were not previously doing telework or remote work,
and believed that was impossible and saw what we did, said, ``I
am not sure how that is possible. I have been forced to.'' And
they are finding a lot more efficiency, a lot more productivity
when they implement the best practices around it.
Senator, I was watching a YouTube video of yours on
YouTube. I was really inspired by this daily interaction or
weekly interaction you have with different people from your
home State that visit D.C., and you have coffee with them. I
was thinking to myself, wow, imagine being able to have that
kind of coffee virtually with people all over the world that
are from your home State, and be able to answer questions and
connect with them, both formally and informally.
And that is what we do also--that is what I recommend also
for most companies who go to remote work, is an example is we
have a daily virtual lunchroom. Anyone can jump into that
virtual lunchroom. Everyone has lunch, or has a meal. And so
they can go in and interact with one another and not even talk
about work, or we do the same thing with coffees with the CEO.
I have a weekly coffee where any employees can jump in and have
an informal time with me.
As Lane said, all those interactions take leadership, it
takes modeling, and brings kind of that aspect of the culture
that you are trying to build that normally happens in an
office.
But there are definitely roles we are hearing from clients
as well as from peers in the accounting industry, which is very
slow to move in regards to technology, that are surprised at
how well it is working, and how now they are expanding the
different locations they are willing to hire from.
Senator Lankford. OK. That is helpful. Let me ask about
merit-based affirmation. Some of that is remote working. It is
harder to be able to stop by their cubicle or stop by their
office, compliment them on the work that they are doing. That
has to be a very intentional thing for a leader or manager to
be able to do in that situation. It is also, when we talk about
raises, when you talk about promotions, it is difficult to be
able to do when you are not interacting with that person, when
you are literally getting data about that person's performance
rather than interacting with them, to be able to know what they
are doing.
How are you handling merit-based affirmation, whether that
be promotions, raises, whatever that may be?
Mr. Wilson. Senator, this is Lane again. It is sort of much
of the same. I insist that all of my performance reviews and
all of the performance reviews of my team, if the person is not
there in your office, and obviously they are not now, that has
to be done by videoconference. It has to be done face to face.
You need that interaction, and I think even after this pandemic
is over, if you have people that are working remotely, as Sean
said, I think you have to get them all in together, on an
occasion, and it is obviously better to have those discussions
in person. But if you cannot, adding the face on the video is a
big benefit.
Senator Lankford. Yes. Are you adding some sort of metrics
that you are trying to track performance with, or how are you
handling that? Is there a piece of software that has been
useful to you, to be able to evaluate the performance or
quotas, whatever it is that you are putting on individuals in
the field, to be able to know customer service responses? How
do you manage that?
Mr. Wilson. Yes. So we have used that sort of collaborative
software for a very long time, in terms of our sales
representatives, the people in the field who are supposed to be
interacting with customers. From a high level, in the office
environment, with lawyers, HR professionals, accountants, that
sort of thing, we do not get down to the individual level.
There may be some privacy issues you have to think about there.
But we do track that on a very broad level. As I indicated in
my testimony, we have been able to get a pretty good handle on
the fact that our employees are utilizing this collaborative--
the teleconferences, the chatting, that sort of thing--on a
much higher rate than they were before. And that gives us some
comfort that these interactions are occurring.
Senator Lankford. OK. Other input from other individuals?
Mr. Zanni. This is John. I can add that my experience has
been that employees really like having ownership, and
measurable goals, right, because it sets expectations
appropriately. In most cases when you cannot assess whether
people are doing their job or not, part of the problem, or
even in some cases most of the problem, it is the manager
themselves who have not really thought what they want them to
do and how to measure it. It is hard, but once you do that,
then these questions of, ``I have not heard from James Lankford
in 2 days. I wonder if he is actually working,'' they come up
very rarely because you just look at the results or the output.
And so that is what we have focused on and it has been pretty
effective.
Senator Lankford. Good. By the way, I know James. He is
working.
Mr. Zanni. OK. Good.
Senator Lankford. Anyone else?
Mr. Morris. Senator, I would just add, and I referenced
this in my opening remarks, that designing a performance
management system that is built around regular interactions
between a supervisor and an employee is a builder of trust, at
the end of the day. I think setting goals and reevaluating
those goals through that system, where you are having regular
conversations and using data around it, is incredibly
important.
What I would also say is making sure that those goals are
balanced. We like to think of them in not just quantitative
terms, which is where it is easy to count, but also in
qualitative. And concepts like leadership and agility, and
looking at aspects of 360-degree feedback. All of these are
important aspects to build that trust between a supervisor and
an employee, in a sort of modern performance management
approach.
Senator Lankford. OK. Let me ask this. Several of you, in
your written testimony or in your oral testimony, talked about
increasing need for IT professionals, cybersecurity. John, you
mentioned specifically the challenge of people working from a
home system that you have no idea how that router was actually
set up, the security settings that are there. They are working
in unsecured networks at a coffee shop at some point. There are
a lot of cyber challenges there.
Are there any lessons learned that we should be aware of on
the Federal side that we could implement?
Mr. Zanni. I will start. Absolutely. So I am glad you
brought this up, because one of the biggest challenges is there
is a lack of cybersecurity experts within the country. Today
there are over 600,000 open positions, about 50 percent more
than before COVID. And without the people--you have people,
processes, and product--without the people you will not be able
to implement a good, secure solution.
And so where the Federal Government could help is getting
those people trained. For example, one of the--I still believe
in this, but I actually created a charitable foundation called
Acronis SCS Vets, specifically focused at taking our U.S.
veterans and military spouses, getting them the nationally
recognized certificates they need to get self-sustaining jobs
in cyber. So it is a reskilling effort.
It has been very successful. Unfortunately, my numbers are
nowhere near to where they need to be to impact 600,000 people.
This is an area where I think the government can help a lot in
providing cyber training to individuals who need to be
reskilled, or are willing to learn them, to go work for all
these businesses.
Senator Lankford. OK. Other input from others? Michael, I
think you mentioned this as well in your statement.
Mr. Ly. Yes. I think the one thing is, as much as you
control the endpoints--the laptops, the mobile device that your
employees are using--I would be hesitant to allow too many of
your employees to bring their own devices, because you have
less control, unless you make them basically sign the device
over to your company or over to your organization. So as much
as you can basically protect, secure the endpoints, as well as
their home networks, is important.
And then monitor and make it really clear that employees
need to let you know when they are traveling or when they are
planning to work at a different location other than their home
network, because that is where also cybersecurity threats and
accidents happen, where they are in a public Wi-Fi setting,
they are in the airport working, they are in a coffee shop
working, and those networks are not secure, and they forget to
turn on their VPN, like required.
So just making sure that you have technology that alerts
you when employees are in different Internet Protocol (IP)
settings or locations that are unsecure, and making it really
clear that there are strict standards that your company is
going to abide by, as people work and do remote work, and you
want them to do it securely and correctly.
And then who, also, they give access to their devices to.
So often you give them a laptop and then they allow their kids,
or maybe they allow a partner or a family member to use it for
web browsing or gaming. You want to make it really clear that
those devices are for work, and that any other kinds of
software or activities should be prohibited so that it reduces
the amount of cybersecurity threats, even for a small business.
Senator Lankford. So is there lockdown software, anything
that you have that prohibits someone from getting online
without using the VPN, or does not allow them to be able to
download applications without having an administrator log in,
or setting that you have created on that? I am still interested
in if they have a company laptop but they are on a home Wi-Fi
system. Their router may be 4 years old and unsecured. Do you
require that the company also installs their router at home?
Mr. Ly. Yes. So you want to make sure that you provide,
one, a stipend to cover the costs for all those things, or you,
yourself, as a company, cover those costs, and two, ensure that
those are installed correctly, with password protection that is
secure, as well as that the laptops themselves have updated
virus protection on a regular basis. And there is software that
we use to be able to do that to the computers that we have
given to our staff.
Senator Lankford. OK.
Mr. Wilson. Yes, Chairman Lankford, a couple of things. So
when I was with the Judiciary, I do not know if it is worth
visiting with them or not, but we were already unable to add
software to the laptops that we were provided by the Judiciary.
We here at Williams have VPN always on, so there is no choice.
If you are on a wireless network you are VPN'd into the
network.
Then finally I would just say record Michael's last answer,
transcribe it, and get it out to every Federal employee who is
working at home.
Senator Lankford. OK. We will see if we can actually get
that done. That is very good advice. That is why we are
gathering things at this point.
Let me ask a question about personally identifiable
information (PII). All of you are in businesses that you are
dealing with some information that individuals obviously, some
more than others, in accounting and background and such.
I will give you an example. The State Department, earlier
this year, in March, April, May, June, just stopped doing
passports at all. They had no system in place that if someone
needed a passport, their passport expired, whatever it may be,
they just could not get it because there was no structure in
place with the State Department to be able to handle that kind
of document in a remote setting. And so the alternative was
just stop doing it. We had about 1.7 million passport requests
just back up immediately.
Obviously, State Department is reevaluating that at this
point, trying to be able to figure out how to do that. Multiple
other entities, whether it be the Internal Revenue Service
(IRS), everyone else, multiple agencies in the Federal
Government deal with very private or proprietary information
through processes.
Anything that you would say, in particular, dealing with
documents, dealing with items that are personally identifiable
information, that you would teach the Federal Government to
say, ``Here is something to know about this and how to be able
to protect that information,'' even if someone is working
remotely? Or would you say there is just no way to be able to
do it with current technology, we just cannot handle it?
Mr. Zanni. Well, I will start. I have learned in software
you can never say that you can do everything perfectly, but
there are ways to mitigate the risk. First, the Federal
Government has a great standard called Federal Information
Processing Standards (FIPS) 140-2--there is a 140-3 coming out
here shortly--which is about how to use encryption, both at
rest and in transport, to protect data. We have FIPS-certified
product. At my company I bought FIPS-certified routers from
Palo Alto Networks.
So first just implementing those standards will radically
reduce the risk that personally identified information leaks.
And that, to me, is straightforward.
The other thing is segmenting networks and using that zero
trust model, where you control who has access to that
information. I am the CEO of the company. If you are one of my
customers, I cannot get that information, because I do not need
it on a day-to-day basis. If I want it I have to actually go
make a request. So somebody can take these images and my voice
and pretend they are me, but they still will not have access,
because I just do not have access.
So there are a number of things you can do that reduce the
risk to almost zero.
Senator Lankford. Other input?
OK. Let me move on to another question then on this. There
is a lot of conversation about telework that is in the
efficiency standard, and most often it goes toward physical
footprint, leased space, your owned space in a headquarters
building at some point.
There are some people who will make their decision based on
a footprint space and what costs, just depending on the cost of
real estate in a particular area. In Washington, D.C.,
obviously, real estate is exceptionally high. But if you get
into Oklahoma City and Tulsa, and other places around the
country, it is not a high cost. And so companies will make
different decisions based on telework.
My question to you is, more than just physical space
leasing or keeping that space open and paying the utility bills
for it, are there other areas of efficiency that you look at to
be able to decide if I am going to have a particular person
teleworking, they are more efficient, they work better in a
home setting or in a third location, if I can say it that way,
at some point than they would in an office setting where they
are just as efficient, if that, and so we find other
efficiencies or reasons to be able to have someone telework?
Mr. Ly. Yes. I can answer this one. Before the pandemic,
and still even now, unemployment in the accounting industry was
very low. It was lower than the historic unemployment of the
country, so it was lower than that. And so one advantage to
telework--and we actually did not decide telework regarding
footprint--we chose it because we wanted to access the talent
nationwide. We wanted to be able to combat against the lowest
unemployment rate that we were seeing historically in
accounting and finance.
And we were able to access a workforce that traditionally
cannot go into physical office, and that is stay-at-home moms.
So these are moms that need to be available for their
school-aged children, they are doing drop-offs and pickups, they have
a 4- to 6-hour window during the day, and then they might have
some flex time in the evenings or weekends to do the rest of
their 40-hour week.
That allowed us to access a workforce that normally would
not show up on unemployment rolls or not looking actively for
work, traditionally in the accounting field. And so that is why
the majority of our workforce actually is made up of
stay-at-home moms and dads who want an alternative to the traditional
workplace.
So I would say for sectors that are looking for access to
larger--access to more, nontraditional workers or access to
workers that would not normally apply for your job, this is a
huge advantage for us in the private sector.
Senator Lankford. OK. So what I have learned so far from
the hearing today is we desperately need accountants and we
desperately need IT folks around the country. So if anyone is
21 years old and listening, we have two good career fields for
you right now.
Other ideas or other thoughts about efficiencies or reason
to do teleworking?
Mr. Morris. Senator, I would just add that I think
challenging ourselves to re-architect the job type in the first
place is an important thing to think about. So, for example,
thinking about a crowd-based model to solving particular
challenges that an organization has, as opposed to one
individual working for 40 hours a week in a more traditional
setting, I think could have significant efficiencies.
Somebody referenced earlier the State Department and the
U.S. military, and if you look at crowds associated with those
two organizations, think about spouses in those two
organizations, those are usually underemployed individuals that
have a lot to offer, that could provide significant
efficiencies to the U.S. Government, using a different talent
model.
Senator Lankford. OK.
Mr. Zanni. I would also add that the younger generation--
well, my generation, or at least me, think of telework, up
until COVID, as a privilege, not a right. The younger
generation just expect it, right? I am always connected. I
should be able to work wherever I am. So security concerns
aside, similar to Sean, if you want access to the best talent
and the fullest employee pool, you are going to have to enable
telework.
Senator Lankford. OK. Lane, I want to ask you one more
quick question and then I am going to try to wrap this hearing
up and get final input from everyone. Lane, you have to deal in
the field with issues of rural connectivity. I know we have
already spoken about broadband before, but other solutions and
options that you have seen or that have been explored, whether
it be satellite Internet, whether it be phone hotspots and
other things? Is there anything else that you want to be able
to contribute in dealing with areas where it is more difficult
to be able to get access?
Mr. Wilson. Yes. I think you kind of hit the nail on the
head, and somebody else mentioned earlier the hotspots. So when
we have somebody in the field that cannot get good broadband
access--and there is no doubt, in rural areas, in Oklahoma and
really anywhere in the country, the broadband access is not as
good, it is not as robust as it is in more urban areas--the
hotspots are the best solution that we have found.
A not-so-optimal solution is just not use the video, but
obviously we would prefer to be able to use that. But I think
that is the best solution right now, until we get the better
broadband service into rural areas.
Senator Lankford. Yes. Let me try to wrap this up if I can.
Any input that anyone has--let me open this up to a very
open-ended question--any input from anyone, that you want to make
sure that you recommend to the Federal workforce, regardless of
what agency it is, when they are thinking about telework, to
consider this in the process, to be able to make sure we get it
on the record?
Mr. Ly. The only final thought I had was because this is
fairly new to many Federal agencies to think about this as
small teams. So, from large organizations to small companies,
everyone can look at their workforce as a make-up of small
teams, with managers, supervisors, and a small set of
employees. If you are able to apply these practices in small
teams then it makes the idea or the hill to climb a lot
smaller, and it seems a lot more doable. So think of small
teams of half a dozen or less, where there is a supervisor or a
leader in their small team and you are practicing remote work
proposals that we have all stated, and the security protocols
needed in that. It allows for better communication, better
accountability, and quicker response time, as well as agility
to move, if you need to make changes during the pandemic.
Senator Lankford. OK. Good input. Anyone else?
Mr. Morris. I would add just one thing, and that is that
human-centered design is so important when we are thinking
about adapting policies, changing processes and different
technologies. So really putting the lens on the human as we
start to think through these changes is a best practice.
Senator Lankford. OK. That is helpful.
Mr. Zanni. And this is John. I would add, as a Federal
Government, thinking about some standards or best practices
around telework and securing telework. You have heard a lot of
great anecdotes here, but there are a lot of small businesses,
especially, and other agencies, remote cities, that could use
that guidance in a way that is easy for them to consume.
Senator Lankford. OK. Thank you. Lane, any final comments?
Mr. Wilson. Yes. I mean, look, it is just so easy to fall
prey to out of sight, out of mind. And I think our biggest
challenge, especially in a workforce the size of the Federal
Government's workforce, you have to get your leaders to
understand that as we move to more of a teleworking environment
they have to keep up those touchpoints. I know a lot of people
have said that today, but that cannot be overstated.
Senator Lankford. Does your management structure have to be
smaller, Lane, at that point? Do you have fewer people that you
are managing through telework, or does the same ratio still
work?
Mr. Wilson. Yes. I really have not found that to be the
case. I mean, you gain some efficiencies, like not commuting
back and forth. You pick up some time here and there. People
are more motivated oftentimes when they work from home. Some
people are not. But we have not found that we have had to
reduce those ratios, as long as our managers and supervisors
and leaders are being efficient and proactive.
Senator Lankford. Yes. Quite a few people that I have
talked to have said they have increased their efficiencies
dramatically in their workforce because they do not have the
travel time, they do not have other social distractions at
work. They were able to just plan their day a little bit
differently, and, quite frankly, get up, get going. They have
more time to be able to read the paper, catch up on news, catch
up with their family, and not commute, and then start on time
and take off. And less stress, depending on the city that you
live in and what your commute is normally like back and forth.
That is a pretty significant change for them.
Plus it is really nice for parents of small children. They
are wonderful distractions but you also get a chance to see
some things that you would have missed just in life with them.
So there are some built-in rewards there as well, with the
little ones that are running around.
Any final comments from anyone? Otherwise I want to be able
to wrap up and I want to make sure I get anything else on the
record that we need on the record.
Mr. Wilson. Thank you for your time. Thanks for having us.
Mr. Zanni. Thank you.
Senator Lankford. Gentlemen, thank you very much. I very
much appreciate, as I mentioned before, your written
testimonies--a lot of time went into that--as well as your oral
testimony. I want to tell you that the invitation is open if
you have additional input to be able to give to our team as we
are trying to be able to pull together ideas and policy changes
for the Federal workforce. The last time this was done was 10
years ago. Obviously there are a lot of lessons that have been
learned, and we want to make sure we capitalize on those
lessons, and to be able to implement those as fast as we can
across the Federal workforce in the days ahead.
So that does conclude today's hearing. The hearing record
will remain open for 15 days until the close of business on
August 12th for submissions, statements, questions on the
record, whatever individuals may want to be able to add to the
record as a whole.
So with that the hearing is concluded, and I thank all of
you again very much.
[Whereupon, at 4:06 p.m., the Subcommittee was adjourned.]
A P P E N D I X
----------