After the cyber order: Secure IT modernization
President Donald Trump's May 11 executive order on cybersecurity answered many questions federal and industry stakeholders had concerning cybersecurity's role in IT modernization. According to the order, the executive branch's policy is to build and maintain a modern, secure and more resilient IT architecture, and agency heads should show preference for shared IT services, including cloud services.
Although the executive order is clear on “what” needs to happen, it does not provide much information on “how” a coordinated and systematic modernization should be managed. That work is left to the American Technology Council.
With roughly 77 percent of agency IT budgets for FY 2017 going to operations and maintenance, agencies are spending an estimated $69 billion this year delivering the same applications with largely outdated technologies. So when it comes to the actual modernization, it would be very easy for agencies to go down the wrong path and simply “lift and shift” legacy systems into the cloud, check the box and call it a win.
Yet while we clearly want more secure and less expensive systems, we also care about improving mission performance, providing better citizen services and making government work better for its customers. That means we must modernize these systems, leveraging cloud-based, platform-as-a-service technologies in a smart way that optimizes performance.
Although modernizing agency IT applications may seem a bit daunting, IT managers can update and transform their application portfolio by following these steps.
Place modernization in the context of larger agency strategies
To successfully kick-start the digital transformation process, the first critical step is to develop a modernization vision and goals that are consistent with the broader policy objectives and strategies of the agency. IT managers should view this as an overall transformation program and build in change management and communications capabilities right at the outset.
Inventory applications and conduct opportunities analysis
Most agencies already have some sense of their security deficiencies or the savings they could reap through application modernization. Agencies should consider conducting initial screening of these known-impact opportunities and then follow up with deeper dives that assess the biggest performance impacts, security vulnerabilities, costs, contracts, culture, business process complexity, technologies and dependencies/integration issues in greater detail.
One tool we use to support modernization opportunities analysis is a modernization prioritization matrix, which maps applications along two axes, business complexity and technological obsolescence, and shows how much is spent on each application by the size of its bubble in the figure.
Cost and technological obsolescence taken together can be a proxy for security risk, as agencies are typically paying more for patches and upgrades from outdated technologies.
Take a look at this sample matrix, for example. Applications in quadrant three are usually considered good starting points for modernization because there is a clear need from a technological perspective and the business complexity is manageable.
On the other hand, applications in quadrant two are typically large, difficult undertakings. They need to be tackled because of the significant risk and the potential payoff, but they require greater organizational commitment and expertise.
When prioritizing modernization efforts, IT managers should select projects that have the highest cost savings but relatively low business complexity, such as Application C in the matrix example above. This will allow an agency to modernize the application at a relatively quick pace and give it savings it can reinvest into other modernization efforts, thereby pursuing a budget-neutral approach to modernization. This approach is consistent with the objectives of the Modernizing Government Technology Act, which is now making its way through Congress.
Develop a modernization portfolio and manage the effort through a digital service center
To complete the initial stage of modernization, match opportunities to investment priorities, select candidates for modernization, conduct alternatives analysis and develop business cases. Once that is done, develop the application modernization roadmap, tie it to enterprise architecture transition plans and manage the effort as a portfolio.
Any major transformational effort requires the management and governance discipline to make it successful. Agencies should invest in a centralized capability to support stakeholder engagement and promote platform-based solutions in the context of business process improvement and IT modernization. They must also provide technical and solution architecture support, risk mitigation services and consistent project management.
This is no small undertaking. For each application, it requires a deep understanding of both policy objectives and business processes, combined with knowledge of what is possible with newer technologies. As the President’s Homeland Security Advisor Thomas Bossert said, “Modernizing is imperative for our security. But modernizing is going to require a lot of hard, good governance.”
The American Technology Council will approach its cybersecurity mandate from multiple perspectives that range from critical infrastructure protection to a variety of shared IT services. As it proceeds with its mandate to coordinate the development of a report on modernizing federal IT to be delivered to the president by mid-August, it should keep the modernization of applications front and center.
John Low is the vice president of corporate strategy at the Phase One Consulting Group.