Episode Overview
Title: Enhancing Cyber Posture: Leadership, Zero Trust, and AI Adoption in Government
Podcast: To the Point – Cybersecurity
Air Date: April 14, 2026
Host(s): Rachael Lyon and Jonathan Knepher
Guest: Jennifer Franks, Director, Information Technology and Cybersecurity Team, Government Accountability Office (GAO)
This episode tackles the evolving challenges and strategies in strengthening cybersecurity across government agencies. Rachael and Jonathan are joined by Jennifer Franks, who shares her experience overseeing cybersecurity engagements at the GAO. The discussion dives deep into closing the gap between cybersecurity knowledge and execution, the pivotal role of leadership, ongoing Zero Trust implementation, the workforce and cultural factors shaping cyber maturity, and how AI and other emerging technologies are reshaping the threat landscape and oversight priorities.
Key Discussion Points & Insights
1. The Execution Gap in Government Cybersecurity
[03:50–05:19]
- Awareness vs. Execution:
  - Agencies today generally understand cybersecurity frameworks and risks.
  - The main challenge is effective and consistent execution across complex, decentralized, and fragmented environments.
- Visibility is Critical:
  - Many agencies struggle with visibility—knowing what systems they have, where they are, who has what access, and how data flows.
  - The transition to cloud and hybrid environments makes tracking and securing assets even harder.
“The gap isn’t awareness like it used to be, it’s in the execution... We’re just continuing to see challenges with visibility and just knowing what the systems are and where they exist, who has access, do they need that access, and data flow—even data at rest.”
—Jennifer Franks (04:00)
2. Building Lasting Cyber Hygiene Through Leadership and Culture
[05:45–07:01]
- Beyond Compliance:
  - Sustained improvement happens when cybersecurity is integrated into daily operations, not treated as a yearly “checkbox.”
  - Progress requires strong leadership actively engaged in understanding and addressing cyber risk throughout the organization—not just at the CIO/CISO level.
- Shared Accountability:
  - Frequent leadership changes can disrupt continuity. Building dialogue and accountability at all organizational levels is essential.
“It’s where we, as the agencies, are making the most progress—where we have strong leadership helping us understand posture and risk... Cyber hygiene becomes a shared responsibility.”
—Jennifer Franks (06:08)
3. Challenges and Progress with Zero Trust
[07:22–09:29]
- Zero Trust: Not Just Tech, but Architecture:
  - Initial misunderstandings led agencies to treat Zero Trust as a collection of tools rather than as a fundamental shift in architecture and operational mindset.
  - There’s been real progress in identity and stronger authentication, but continued evolution is needed, especially as technologies like AI advance.
- Integration and Operationalization:
  - Moving from implementing controls to operationalizing them (making them part of how things actually run) remains a major hurdle.
“We were not approaching it just correctly... We really need to be focusing on Zero Trust as an architectural shift.”
—Jennifer Franks (07:56)
“A lot of these elements are also helpful for those of us building AI use cases—because even with your AI tool... you still have to have adequate security protections.”
—Jennifer Franks (08:55)
4. How GAO Assesses and Prioritizes Risk
[09:39–12:18]
- Severity and Mission Impact:
  - GAO examines vulnerabilities in the full context: criticality of systems, sensitivity of data, and real-world disruption potential.
  - They prioritize what most directly threatens operational missions and look for patterns that might affect multiple agencies.
- Continuous Engagement:
  - GAO works to maintain a collaborative, not adversarial, relationship—ongoing dialogue with agency tech leaders is key.
“We’re not just assessing technical severity; we’re assessing risk in the full context of your agency’s computing infrastructure... Not if, but when.”
—Jennifer Franks (10:21)
5. Making Progress Amidst Constant Change
[12:18–14:19]
- Onslaught of Vulnerabilities:
  - Agencies want to improve, but if recommendations are seen as “just compliance,” progress stalls.
  - Franks emphasizes issuing recommendations focused on operational and technical risk and maintaining open communication with agencies.
“When recommendations are viewed as a compliance requirement, they tend to stall. But when we drive recommendations to focus on operational and technical risk—the areas are more focused, they gain attention, and get mitigated faster.”
—Jennifer Franks (13:14)
6. Culture, Workforce, and the Modernization Challenge
[14:50–17:09]
- Tech Adoption vs. Workforce Readiness:
  - Many agencies overlook workforce planning, critical for successful technology adoption and modernization.
- Breaking Down Silos:
  - Cybersecurity professionals often work in silos; leadership must foster collaboration and link training to real mission needs.
“A lot of folks do not have workforce planning efforts underway... When you’re doing things in silos, it becomes difficult to then implement cross-cutting initiatives because you’re not talking, you’re not collaborating.”
—Jennifer Franks (15:14)
7. Emerging Threats: AI, Quantum, Supply Chain
[17:09–19:27]
- Stick to the Fundamentals:
  - Identity management, data protection, and system visibility are the baseline for defending against increasingly sophisticated attacks.
- AI as Both Opportunity and Threat:
  - AI accelerates both defensive and offensive cyber capabilities; weaknesses in baseline controls are magnified.
- Incident Response vs. Recovery:
  - Most agencies can respond to incidents. Many still struggle with robust recovery.
“The biggest priority right now is focusing on strengthening your baseline... If you stick to the fundamentals, you’ll be able to thwart supply chain attacks, phishing attempts, and AI vulnerabilities.”
—Jennifer Franks (17:50)
8. Oversight Evolution: GAO & AI Adoption
[19:27–21:34]
- More Than Control Checks:
  - GAO’s oversight must expand to assess ethical decision-making, bias in AI, and data governance, not just technical controls.
- Demand for Transparency:
  - Agencies need to be able to explain how AI-driven decisions are made.
“It’s no longer going to just be about evaluating cybersecurity controls... We’re going to have to evaluate how decisions are made and how ethical implications were considered and biases as well.”
—Jennifer Franks (20:25)
9. Actionable Advice for Leaders
[21:53–23:57]
- Start With Visibility:
  - Inventory hardware, software, and data assets and understand who has access and why.
  - Integrate and better utilize existing visibility tools.
  - Begin with one system/project to build momentum—don’t “jump into the deep end” all at once.
“You can’t protect what you don’t know you have and who needs access to it... Start with visibility; reducing the blind spots—I really cannot stress that enough.”
—Jennifer Franks (21:55)
10. Generational Change and Future Workforce
[24:35–27:41]
- Young Professionals:
  - New hires need both technical breadth (including AI) and soft skills to thrive.
  - The next generation is expected to bring new ways of thinking—but must also develop communication, adaptability, and collaboration abilities.
“These younger folks, yeah, AI is here. Show us what you can do. Come in and help us... Government likes to take the long way... I’m hopeful for the young folks who are excited about it to come in and show us.”
—Jennifer Franks (25:18)
11. Baking Security and AI Into Culture
[29:10–33:33]
- Embed Security Everywhere:
  - Security must be built into all processes, not bolted on after the fact.
  - Leadership should foster environments where staff feel empowered and accountable for security.
- Continuous Coaching & Learning:
  - Use “teachable moments” (automatic pop-ups, small trainings) as part of the security culture.
“The fundamentals again have to be embedded in your daily operations... It’s not something you just leave to the cybersecurity analysts.”
—Jennifer Franks (31:31)
12. Career Reflections: Pivotal Moments
[34:53–37:19]
- Adaptability is Key:
  - Openness to change, learning, and evolving is central to a successful cyber career.
  - Mentorship and investing in people have been crucial to personal growth and leadership.
“One of my biggest lessons has been the importance of adaptability... The principles of what we’re doing, why we’re doing it, how... the accountability of it all, really has remained constant for me.”
—Jennifer Franks (35:01)
13. Diversity of Backgrounds in Cybersecurity
[39:31–42:23]
- Valuing Non-Traditional Paths:
  - While most in government cyber have relevant degrees, there’s an important (if currently rare) role for those with backgrounds in fields like sociology, psychology, geography, and the humanities, especially in people management and policy.
“[People] pivot all the time. They’ve gone to school for psychology or sociology... Those skill sets are also very neat... You can build amazing, confident teams because you’re going to be listening and to understand, and the work will come.”
—Jennifer Franks (40:48)
Memorable Quotes & Timestamps
- “The gap isn’t awareness... it’s in the execution” (Jennifer Franks, 04:00)
- “We really need to be focusing on Zero Trust as an architectural shift.” (Jennifer Franks, 07:56)
- “You can’t protect what you don’t know you have and who needs access to it... Start with visibility.” (Jennifer Franks, 21:55)
- “Sustained improvement is when we incorporate cybersecurity into organizational practice every single day.” (Jennifer Franks, 05:51)
- “The risk of not supporting and developing the people is so much greater because those are the ones that are going to push us forward.” (Jennifer Franks, 41:53)
Practical Takeaways
- Focus on visibility and asset inventory before any technological leap.
- Invest in leadership, shared accountability, and breaking down silos to ensure cyber hygiene.
- Treat Zero Trust as an architectural and cultural change, not a tech shopping list.
- Embrace continuous learning, adaptability, and cross-generational knowledge sharing.
- Embed security and privacy as defaults, not afterthoughts, in technological and cultural adoption.
- For AI and emerging tech: Prepare to oversee how decisions are made, not just whether controls exist.
