In Tech Innovation, Don’t Forget about Governance

In love, you don’t know what you’ve got ‘til it’s gone.

In IT, you often don’t know what you got ‘til your supposedly secured systems get owned and your data is all over the Internet. Or in enemy hands.

Just ask the Office of Personnel Management and the 21-plus million federal employees compromised by the headline-stealing hack of the year. Of course, OPM has plenty of company in other federal agencies getting hacked, and none of this really surprises government watchdogs like the Government Accountability Office. Many agencies routinely fail information security audits because they don’t follow the law, best practices in basic cybersecurity hygiene, and often because they don’t know what they have.

This haphazard approach to inventoried IT assets carries across technology enterprises. Maria Roat, chief technology officer at the Transportation Department, called governance one of the biggest challenges she’s faced since she began last year. Prior to taking the CTO position at DOT, Roat had worked hard to streamline cloud computing across government as the director of FedRAMP, the government’s way to require standardized and repeatable cloud computing standards.

Upon beginning at DOT, Roat told an audience at a Nextgov event she “asked for an inventory” of planned cloud computing spending through 2017. What she got in return, basically, were crickets – “almost no planned spending at all,” she said. Significant cloud spending was not reported through PortfolioStat and Integrated Data Collection reports agencies are mandated to file each year.

So maybe DOT just didn’t have it together in cloud, right?

Well, actually, it wasn’t quite so simple.

Roat learned cloud spending was sometimes not reported correctly or misreported. In one case, a cloud acquisition came through that clearly hadn’t been reported. What if it hadn’t met proper security standards? What if a vulnerability in that system exposed the agency to outsiders? What if the agency ended up on the front page for all the wrong reasons? None of this happened, of course, but in today’s cybersecurity environment, not knowing what you have can be dangerous. 

Everything, Roat said, ties together.

“You have to keep track with acquisitions,” Roat said. “You need insight.”

Roat has taken to improving the technology governance across DOT. The business offices, program offices and tech shop have to be synched from the perspectives of monitoring and management. The goal, she said, is to let people move to cloud and work with them, yet be able to manage that environment.

It’s always good to know what you have. In today’s federal environment, it’s more important than ever. Especially if you’d rather your agency didn’t get owned.  

(Image via PathDoc/ Shutterstock.com)