Alan P. Balutis is senior director and distinguished fellow at Cisco Systems, Inc.'s U.S. public sector.
The trade press reminded us recently we have far to go before we sleep. The House recently passed the Modernizing Government Technology Act. Rep. Will Hurd, R-Texas, said he was confident the Senate will move on the bill. Four members of the upper chamber wrote to the leadership of the Senate’s Homeland Security and Government Affairs Committee, asking for a prompt and favorable hearing on the bill.
The Congressional Budget Office has revised its scoring of the bill’s impact on the budget from costing $9 billion over the next few years down to $500 million. And President Donald Trump’s fiscal year 2018 budget provides for $228 million of IT modernization funding through the General Services Administration. The Office of Management and Budget continues to push agencies to shift their spending and get off old systems, hardware and software applications. Finally, the recent cybersecurity executive order reaffirms that priority.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
But HSGAC still needs to move the bill. Concerns of the Senate Appropriations Committee need to be addressed. And the Senate needs to pass the bill. Let’s keep our fingers crossed.
Nonetheless, an optimist would say agencies should start thinking now about making the business case for change, performance metrics and how to transition from outdated technologies to new platforms. Let me offer a few suggestions.
Making the Business Case
Reversing the old adage, modernization may not just be a law soon; it’s a good idea. Professors Min-Seok Pang (Temple University) and Huseyin Tanriverdi (University of Texas) recently co-authored a paper titled, “Security Breaches in the U.S. Federal Government." They confirm the argument behind the MGT Act: that the large stock of legacy IT systems in federal agencies are not designed for security and hence cause vulnerabilities. Here are their key findings:
- Agencies that invest more in new IT development and modernization experience fewer security breaches than ones that invest more in the maintenance of legacy systems. In fact, a 1 percent point increase in DME (development, modernization and enhancement) spending is associated with a 5 percent decrease in total security breaches.
- Outsourcing legacy systems to the cloud also reduces the frequency of security breaches, but not as significantly.
- Effective IT government, risk and control mechanisms also mitigate security risks of the legacy systems.
How Do We Define Success?
Beyond addressing the imbalance between DME spend and Operations and Maintenance, what else should chief information officer look at as metrics? We should start developing more granular indicators of enhanced security (e.g., number of incidents, unauthorized access, social engineering, unintentional breaches of personal information, malicious codes, and so on). But we should also track other areas as well—reduced duplication, cost savings, enhanced citizen services and the like.
How We Can Get There
A recent report suggests a road map, actually two alternative routes (See August 2015, McKinsey Insight article, “Two Ways to Modernize IT Systems for the Digital Era" by Juan Garcia Auedillo, Duarte Begonha and Andrea Peyracchia) for successfully realizing improvements in the short term while transforming the IT architecture in the long term: Two-speed and Greenfield.
Two-Speed Approach: Under the two-speed approach, the IT organization produces quick iterations and launches of front-end customer-facing applications while continuing to ensure the stability of slower, back-end systems that handle foundational transactions. The agency would need to limit the number of fast-track initiatives. But it would also need to set critical milestones for the longer-term transformation, investment strategy. Otherwise, it will be caught up in a change cycle with no end.
Greenfield Approach: As the name suggests, this is a replacement of core legacy IT systems. The approach works best when an agency requires a total transformation the existing legacy system simply can’t support. Implementing this approach also requires a bit more lead-time, substantial capital and business process redesign to fit the IT tools and packages being acquired.
Regardless of which approach is closer agencies would need to adhere to certain governance principles:
- Ensure agency leadership plays an active role.
- Have a clear long-term vision and plan.
- Simplify processes and IT at the same time.
- Maintain good housekeeping: implement IT standards, freeze legacy investments and prevent shadow IT offerings from being introduced.
- Make clear and frequent communications a priority.
- Dedicate the best internal resources to the transformation project.
- Choose industry partners that prioritize your account.
Hopefully, with these McKinsey insights, we can begin our transformation journey.