IT Modernization may not grab the headlines that application security (AppSec) commands, but the efforts to achieve it are no less crucial to the future of an organization's IT systems. In fact, since the security of an organization's network may depend on it meeting current software standards, IT Modernization might take priority from an internal standpoint.
I saw the importance of IT Modernization highlighted at the NASCIO (National Association of State Chief Information Officers) mid-year conference last month in Baltimore. NASCIO provides state CIOs and state members with products and services designed to support the challenging role of the state CIO, stimulate the exchange of information and promote the adoption of IT best practices and innovations.
The top ten priorities facing State CIO’s for 2018 headlined many of the sessions at NASCIO, and IT modernization was not only among the priorities, but also was predominant in conversations within the sessions. Discussions around the management of cloud readiness and migration, vendor performance, and software quality standards were of primary concern.
The focus on IT Modernization is not new. At the Cyber Resilience Summit hosted by the Consortium for IT Software Quality (CISQ) during CyberWeek in October, former U.S. CIO Tony Scott spoke about why the Federal government urgently needs to upgrade the legacy systems that are still at the core of its networks.
“I think it’s a crisis that’s bigger than Y2K. It’s just creeping up on us slowly, month by month, year by year,” said Scott. “But there is a point in the future where there’s just not going to be the knowledgeable resources to keep the old stuff going on the one hand, and then not enough resources to migrate off of those old things on the other hand. It’s something that I think is a problem now and we really need to move aggressively to get it done.”
Failure to address IT Modernization could lead to issues in two IT health factors that are paramount to maintaining IT systems:
- Transferability – how easily someone can become productive when first assigned to work on the application
- Changeability – how easily and quickly an application can be modified
The better software performs in these areas, the easier it will be to maintain. Currently, government agencies at the Federal, State and Local level are doing well in these respects.
According to the 2017 CRASH Report (CAST Research on Application Software Health), government led other industries in both Changeability and Transferability, compiling mean scores of 3.25 (out of 5.0) in both areas. All other industries had mean scores below 3.1.
However, Scott noted that things may work now, but a critical point in application lifecycle will come where it’s been fixed, repaired, and touched-up so many times over the years that it becomes a piecemealed system, riddled with software complexity and comprised of faulty components and countless languages. He said by the time an application reaches this state, often there is nobody left in the IT department who knows how to keep the system running.
As the former CIO for the State of Texas, I believed consideration for the IT Modernization movement relied upon our ability to have a solid vendor management plan, especially when we chose cloud migration solutions. Modernization could not happen if our state couldn’t support the ability to innovate with solid cybersecurity and reliable vendors – the primary concerns when moving to cloud solutions.
While in my role, our IT agency coined the phrase, “My government, my way,” and believed in assessing when best to move a solution to cloud. In fact, every solution we selected in our organization had to be in the best interest of our vison and of that of the governor. My first priority for moving our workload to the cloud was proprietary applications, followed by other ancillary applications that may not be good candidates for the cloud.
The pace at which technology is evolving, though, directly impacts the state’s ability to meet IT modernization demands. This creates a challenge for CIO’s to give more consideration to outsourcing workload to the cloud, which will result in software lifting and shifting of infrastructure vs. applications.
However, any organization – whether in the public or private sector – needs to consider its options in evaluating software complexity issues that a cloud environment could magnify by measuring its systems against current software quality standards like those developed by CISQ. It was this type of evaluation option that the state of Texas mandated for government software systems when it passed into law House Bill 3275 in June 2017. The new law, which took effect the first of this year, requires that:
“For the entire life cycle of each major information resources project, the quality assurance team shall monitor and report on performance indicators for each project, including schedule, cost, scope, and quality.”
The new law also requires the quality assurance team to report results to the governor.
More states need to put this kind of system-level analysis into practice to monitor IT Modernization efforts – both outsourced and in-house. Doing so should yield stronger, more efficient, and more robust software systems to power the future of government.