How to Modernize Mission-Critical IT Systems Without Disruption

aurielaki/Shutterstock.com

Technology never stands still, so building new solutions based on requirements drafted in the past will always result in out of data solutions.

Imagine traveling in a post-COVID-19 world. After you get past thoughts of sun-soaked beaches (or even just the excitement of leaving home), you conjure up images of security screenings that don’t just x-ray your bags, but also screen for contagious pathogens or examine “health passports.” Screening for rapidly shifting health threats would seem like an unattainable goal for any security organization, but we’ve seen it done before.

In the aftermath of the attacks of 9/11, security agencies across the globe quickly realized that screenings could only be accomplished at the scale and speed needed if they were tailored based on different risk assessments. The problem is that threats constantly evolve, meaning that risk assessments and detection capabilities need to evolve as well to keep up. This forces security agencies into an uncomfortable dilemma: either keep systems operating as they slowly drift out of date or take them off-line to update and risk having gaps in coverage. 

Fortunately, there is a way out of this dilemma. While there exists an inherent tension between seamless operations and system modernization, a properly balanced approach that emphasizes continuous discovery and accelerates capability deployment through an Agile, DevSecOps approach can help agencies do both.

The Challenge

From enabling veterans to access health care to cybersecurity screenings for critical infrastructure, the ability to modernize mission-critical systems while simultaneously executing operations with zero disruption is non-negotiable.

While the average lifespan of software is approximately six years, and mobile applications closer to two to three years, the lifespan of large government systems is often many decades. Intermittent upgrades may enable modernization of mission-critical systems at a point in time, but they quickly become out of date. While this can be inconvenient for desktops and laptops, it is a serious issue for mission-critical systems, degrading their ability to mitigate the newest, most critical threats as well as take advantage of modern technology approaches that reduce cost and technical debt over time.  

Agile + DevSecOps

So how can the government agencies we depend on 24/7/365 continuously upgrade mission-critical systems without the risk of disruption and maintain focus on application, system, and platform security at every step of the way? An entirely new approach is needed—one that pairs Agile and DevSecOps with a willingness to embrace innovation. 

Technology never stands still, so building new solutions based on requirements drafted in the past will always result in out of data solutions. The Agile method of software development allows teams to discover requirements as they build, ensuring teams are always working towards the most relevant goals. However, the best requirements are unearthed by real users, meaning that development, security, and operations, all must work together to continuously operate and improve solutions. That is the heart of DevSecOps.  

The combination of Agile and DevSecOps results in an IT organization built not only to operate systems, but simultaneously develop new capabilities. And, it enables organizations to do so securely from the beginning by tightly integrating security tools and processes throughout the DevOps pipeline and automating (and embedding) security controls at every stage of the software development lifecycle including operations and maintenance—all while lowering costs along the way.  However, agencies seeking to implement (or mature) their own DevSecOps practices should carefully architect their organizational culture and practices to ensure they are taking full advantage of all that DevSecOps has to offer—from automation to continuous security monitoring of production systems and everything in between.  

Given the benefits, it is no wonder this approach is showing up across government. Everything from F-22 software upgrades to government background investigations are turning to Agile and DevSecOps to make sure they can provide the most up-to-date, innovative solutions quickly and for less cost.

While DevSecOps transforms organizations to enable them to both modernize and operate at the same time, the challenge can be that many government agencies are themselves just not built to be able to operate that way. For example, in many organizations, funding operations and maintenance of existing systems and acquisition of new systems are separated into different appropriation categories or “colors of money.” This can make it difficult to fund one organization to do both operations and development at the same time. However, in a mature DevSecOps model, organizations can achieve the development agility they need to stay one step ahead and the operational stability they need to support the mission.  

Make It a Reality with Partners

If a shift to Agile and DevSecOps is what government agencies need to do to stay at the cutting edge, but those very practices are inherently challenging to achieve within the structures of legacy government IT organizations, how can organizations make meaningful progress? 

Partnering with industry, who is less constrained by legacy systems and organizational structures, may be the answer to achieving the agility needed to rapidly respond to new threats. The key is finding partners who not only bring the technical chops necessary to drive this transformation but who can do so without disruption to ongoing systems, driving stability and minimizing risk along the way.  

The Transportation Security Administration is a prime example of how government is looking for not just partners, but the right partners. Like many agencies, TSA is looking to industry to partner with them on hard-to-find skillsets such as cyber.  These partners become the “safe pair of hands” that government agencies need to advance the mission securely. With deep mission expertise and critically-needed resources, the right partners can help government break the trade-off of operating or modernizing to prepare for the challenges of tomorrow while sustaining mission-critical operations. 

Joe Mariani is a research manager with Deloitte’s Center for Government Insights. 

Elizabeth Krimmel is a senior manager in Deloitte’s Government and Public Services practice.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.