How Kentucky streamlines IT operations
- By Sara Friedman
Kentucky CIO Chuck Grindle, a retired Army colonel, is leaning on his military experience to modernize and improve enterprise services, starting as the commonwealth's IT chief in October 2017. At the NASCIO midyear conference he spoke about his priorities moving forward this year and beyond.
Grindle’s answers have been edited for length and clarity.
What are your major priorities as state CIO?
The first thing that we’re doing is doing an optimization of our x86 infrastructure, which involves 1,100 physical and 3,300 virtual servers in a Windows-based environment. There was a consolidation in 2012 that brought all of that equipment to us at the Commonwealth Office of Technology (COT), but it hasn't been optimized, so we are running on technologies that are five or six years old. We are optimizing that by building one infrastructure and migrating services over to the new infrastructure. We started with the new environment on April 16, and essentially over the next six months we will be moving the physical and virtual servers into the new environment. This will help us to streamline the way we deliver services to the different cabinet-level offices within the commonwealth.
This move also consolidates nine different vendors down to one single contractor. We are moving away from the traditional way of buying a device and putting it into a rack, where you would plumb it and pipe it. We are going in the direction of buying capacity and letting someone manage that. We are training six individuals with 400 hours of classroom time and hands-on training for that environment.
How much of IT operations are based in the cloud?
We use certain services in the cloud depending on our evaluation, such as those that have gone through the Federal Risk and Authorization Management Program or are designed for a government facility. Workloads that don't contain personally identifiable information and that comply with IRS Publication 1075, HIPPA and FERPA can go into our cloud. In the commonwealth, we are about 70 percent already in the cloud, and we are looking a large IBM z/OS move to a Boulder, Colo., facility. We are looking at ways to better utilize services instead of paying for the redundant applications across the commonwealth.
How are IT operations structured in Kentucky?
Under the consolidation memo in 2012, infrastructure came under our purview. However, application development stayed within the agencies. A new executive order after I came on board gives me authority over the funding. People who want to do certain projects have to map out the project and the costing for it. COT is responsible for approving it, providing the funding, making sure that they are staying on timelines, and making sure that it fits into our enterprise architecture.
Many states have problems with siloed information. How are you working to solve big data challenges?
I hired a chief data officer and a chief compliance office after I started. The data officer understands the siloes of excellence that we have out there, and the compliance officer deals with the privacy issues that we have with sharing this information across the commonwealth. I intend to create structure for all of that data so we know what each silo represents and can look at the data sharing agreements across all cabinets. I ultimately see the potential of us getting legislation approved that will allow us to openly share data across the cabinets.
How do you approach cybersecurity?
From my perspective, we have a great chief security officer and are taking a defensive approach: We want to identify, evaluate and mitigate. We know that an event is going to happen, and it is a matter of when. The ability to segment the traffic once an incident occurs and be able to mitigate it is our posture. There is no CIO out there who is going to say that this isn’t going to happen. We need to have the procedures and processes in place to mitigate it once it happens.
How does your Army background influence your approach as a CIO?
In the military, you transition about every 18 months to a new job. In Kentucky, we see a lot of individuals who will be in a position for years, maybe even decades. I’m working on a strategy with four lines of effort. They are security, enterprise services, contracting, training and education. Those lines of effort bring training for my folks and provide an action plan.
For example, when it comes to a breach, network access control has an action plan that allows me to get the folks who are in the networking branch in telecommunications to install the proper communications so we can evaluate everyone who is connecting to our network. If we know you and can trust you then you have access. I want to get this intelligence down the lowest level staff members so they know as they use a device that they are feeding network access control.
That's nirvana to me, since it is just like training a solider to take the hill. If a solider says that he is taking the hill because an officer or sergeant said to do that, it is the wrong answer. If he says he is taking the hill because the objective is to secure this piece of terrain and set up a perimeter, he knows why -- which is what we are trying to do with this strategy: build understanding into the lowest levels of our operations.
Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.
Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.
Friedman can be contacted at firstname.lastname@example.org or follow her on Twitter @SaraEFriedman.
Click here for previous articles by Friedman.