The chief information officer at the Department of Health and Human Services talks about his priorities, the department’s effort to develop a new cybersecurity strategy and what keeps him up at night.
Karl Mathias has been the CIO at the Department of Health and Human Services since March. The department’s last permanent CIO retired in mid-2021, and he took on the job after two people had served in an acting capacity. He was previously the CIO at the U.S. Marshals Service.
Mathias now oversees a $7 billion IT portfolio in a federated department with over 10 operating divisions, which include the Centers for Disease Control and Prevention and the National Institutes of Health. He recently spoke with FCW about his priorities and what keeps him up at night. The following interview has been edited for length and clarity.
FCW: How is it going so far? What have you been working on?
Mathias: I can tell you what has surprised me. I knew Health and Human Services was a very large department. I did not understand just exactly how large it was.
I don’t think it’s any secret there has been a lot of turnover in CIOs, and they hadn’t had a permanent CIO in a while. You always wonder: What’s morale going to look like when you come in? It was a very pleasant surprise to find out just how motivated everybody is.
The mission here is the most compelling you could ever have, and now I understand why people are motivated — because HHS is here to save people’s lives.
FCW: As you mentioned, HHS has experienced several years of CIO turnover. How are you addressing that?
Mathias: Let’s talk about why the turnover occurred. Some of this was just about bad timing — that’s how I would describe it. People hit the end of their careers, and they’re ready to retire. Welcome to one of the things we talk about in civil service: the senior IT people starting to retire. Here it is happening in front of your face.
The challenge for me becomes how to reassure people that I’m going to be here for a while. These are the guiding principles that I have, and here’s how I’m going to operate. Karl Mathias has no aspirations beyond this because this is what I wanted to do. I wanted this job, and I have very specific, very personal reasons for wanting this specific job. I intend to stay here. I’m not ready to move somewhere else. I’m not out job hunting from day one.
FCW: Why did you want this job?
Mathias: My daughter has a doctorate of nursing practice and is currently working as a rapid response nurse in Columbus, Ohio. My sister is a nurse practitioner who, after years and years of doing it, said that’s enough and now lives with her husband on the beach in Costa Rica.
When they talk to me about their experiences, what they’re dealing with in the health care system, how services are delivered, I can sit here and whine about it or I get off my tail and go do something. I’m off my tail doing something.
FCW: What are your top priorities?
Mathias: There are the internal goals: What do I have to fix in my own shop, and what do I want to make more efficient? And then there are the departmentwide goals. Internally, the areas we’re looking at specifically are improving our ability to do acquisitions effectively and efficiently and find the best value.
Of course, every time you go to a new place, you need to learn how budgeting is done and then make sure that when we develop budgets, we’re well ahead of any deadlines, and even more importantly, we’re looking well ahead on the timeline.
My goal is to knock down servers. Fortunately, I have CIOs who think along the same lines, and they’re busy going to cloud.
For the external, departmentwide priorities, cybersecurity is, in fact, the top priority. What we are doing is developing a coordinated cybersecurity strategy. This is beyond the zero trust strategy that came down as part of the Executive Order on Improving the Nation’s Cybersecurity. That will certainly be encapsulated within this, but by September, we’re going to have a coordinated — across the operating divisions and staff divisions — cybersecurity strategy, saying these are the risk areas we see and these are the goals we think we need to pursue and the order we need to take them in. Then we will have initial implementation plans based on the priorities.
The issue you run into is you have to consider: What can I do within the budget I have now? Is this something I should do a Technology Modernization Fund proposal for? There have been some within the department that have already been through even before I showed up and are in progress now. Or is this something we need to put in as part of a budget request to Congress? There’s some of that going on also.
In addition, we could really improve our human resources automation. I’m partnering up with the new chief human capital officer to look at what’s appropriate technology to bring in to replace some of the more aging components.
FCW: The HHS Office of Inspector General recently concluded that the department’s cybersecurity program is not effective based on Federal Information Security Management Act guidelines. What’s your sense of the main challenges and what you can do to fix them?
Mathias: I do have some information, but I’m getting my full brief on that soon. We’re going to do a full comprehensive analysis of what’s going on with the FISMA report and where the weaknesses are, so honestly, I’m not in a great position to comment on it.
FCW: The OIG has noted that the federated nature of HHS can make it difficult to get a top-down view of cybersecurity. What do you think?
Mathias: I’m not going to disagree with that. I do think when you’re federated like this, it makes it more complex to pull all that together and get that look. This is why we’re doing the cybersecurity strategy. We’ll be able to look at something as a risk and ask: Where are we? What do we need to do? How can we get better?
FCW: You mentioned acquisition being a priority. What’s going on there?
Mathias: This is more of an internal inside the Office of the CIO shop, just making sure that we’re more efficient. It’s one of those things where if you find yourself having to do a bridge contract because you didn’t hit your timelines, it’s telling you that you’ve got an issue you need to resolve. We’ve had a few of those.
This is boring stuff. I tell my staff I’m going to be the most boring CIO you ever ran into because I’m concerned about things like are we doing acquisition well? Are we doing appropriate types of contracts?
FCW: Anything else?
Mathias: If you want to talk about what keeps me awake at night and keeps other CIOs awake at night, it’s how do we get and retain our quality workforce. Money is important, and you do have to think about it, but you can draw in a lot of good people based on helping them understand what your mission is.
The other thing is we run into common problems with bringing on IT talent quickly once we’ve identified somebody. That can be a real torturous process.
How do I get the best workers, and how do I retain them? How do I keep these people motivated? That’s really what I worry about because if you take care of your people, they will take care of the mission for you. They will every time.
This article was originally published in the August 2022 print edition of FCW.