Cloud Adoption Can Be Risky Business—But That’s Not Bad, Officials Say

Permission to fail on smaller projects can help pave the way to successful deployments.

Cloud deployments and infrastructures are dynamic, ever-changing and different for each federal agency—but across the board, embracing adaptability, agility and keen risk-acceptance can spur more successful implementations, two federal officials explained Thursday.

During a virtual Nextgov panel, Small Business Administration’s Bill Hunt and Government Accountability Office’s Tom Johnson reflected on agencywide cultural aspects that can be conducive to operating transformational cloud capabilities.

“I think there are a lot of components that go into it. One is just a top-cover level willingness to actually try new things, and part of that is giving your teams the permission to be able to understand that they're going to fail,” Hunt, the chief enterprise architect in SBA’s Office of the Chief Information Officer, explained. “In government, that is a terrifying thing—that this service that you're about to stand up or about to spend millions of taxpayer dollars on might not work exactly how you think it's going to.” 

Agile organizations that are compelled to pursue smaller initial endeavors and make less weighty mistakes without losing entire systems generally fare well in the long run, Hunt said, noting “doing it in smaller chunks of improvement—that's really critical.” Johnson reiterated the importance of chasing smaller pursuits and victories at the start.

“There's a temptation to kind of ‘swing for the fences,’ potentially in some of these projects—to do the big cloud project, as opposed to maybe doing like 20 smaller cloud projects to get the organization where it needs to be,” Johnson, assistant director for information technology audits in the Office of the Inspector General at GAO, said, adding “cloud implementations will start to expose some of those gears that don't quite fit right in your organization.”

In that light, agency insiders should consider how their organizations deal with things like on-demand procurement, increase flexibility and accept that leveraging cloud environments means “you're going to find things that you didn't realize you had to do differently.”

When leaning into cloud capabilities—and other emerging technologies that supplement them—agencies will inevitably be introduced to new impending threats. SBA’s Hunt pinpointed “risk acceptance,” as opposed to “risk avoidance,” when it comes to personnel perspectives and government methodologies assessing possible dangers. Johnson added that it's all about “moving towards that risk mindset and less towards the compliance mindset.” 

“It's about how an organization discusses risk internally. Is risk something that you don't want to hear about, or is this something that you hear about so that you can address it, right?” Johnson said. “And how does your organization look at risk as something to be managed, whereas risk as something to be, you know, minimized?”

Hunt added that there’s a fundamental “cultural mindset shift that has to happen,” when traditional teams that might operate in silos with compliance-based security checks shift to more modern cloud-centric DevSecOps models, which involve constant iterating and changing.

“It's all around, you know, trust, resilience and agility—and really building that knowledge base in your organization,” Hunt said.

However, Hunt, who also had a hand in crafting the government’s Cloud Smart policy, noted that there’s also a flipside to that agility. Federal insiders need to construct and maintain a very clear vision and goals when exploring cloud and other new technologies. “The federal government has a real problem with the fact that it hasn't modernized and therefore it goes what I like to call ‘shiny-chasing’ a lot,” he explained, highlighting how he’ll hear heaps of conversations about buzzwords like machine learning and robotic process automation—concepts and products the private sector has been tapping into for years.

“And if you just go into a mindset of ‘here's a solution, and I really would love to find a problem that we could solve with it so we can get in the press’—if you make that sort of approach and these modernization efforts—you're just going to fail. You're going to just burn through taxpayer dollars and waste it,” Hunt said. “So [it’s about] making sure that you start from, like, a problem standpoint. And again, as a very cynical security engineer and software engineer, like I always say, find the dumbest possible solution that will solve your problem for you, and work from there and iterate up rather than, you know, starting with these highfalutin, expensive buys.”

“Cloud isn't the point,” Johnson said. “Cloud is the tool you use to get the thing you want.”