Although the Obama administration has made updating legacy federal IT systems a cornerstone of its cybersecurity policy this year, almost half of federal IT workers in a recent survey said that efforts to do so have actually increased security threats.
SolarWinds’ third annual Federal Cybersecurity Survey reveals that along with the clear benefits of upgrading technology come security risks. According to Mav Turner, director of product strategy at SolarWinds, upgrades can yield significant benefits for agencies but only if IT leaders make sure they are implemented correctly.
In December 2015 and January 2016, independent research firm Market Connections surveyed 200 federal government IT executives on behalf of SolarWinds, an IT infrastructure management software company.
Risks and Benefits of IT Modernization and Consolidation
According to the survey and a statement from SolarWinds, 48 percent of respondents reported that IT consolidation and modernization efforts have led to increased IT security issues, citing transitions that haven’t been completed (48 percent), enterprise management tools that are too complex (46 percent) and a lack of training on new systems (44 percent).
Yet some of those surveyed see positive aspects of IT modernization and consolidation. Twenty percent of respondents say such moves can decrease security challenges. Of that group, 55 percent noted the benefit of replacing legacy software, while 52 percent pointed to the security advantage of updating equipment. And another 42 percent mentioned simplified administration and management.
The survey found there are enduring challenges to improving IT security. Twenty-nine percent cited insufficient budgets as the greatest impediment, 16 percent blamed the “complexity of internal environments,” and 12 percent pointed to insufficient collaboration among internal teams.
Keys to Successful Upgrades
In an interview with FedTech, Turner said that many of those surveyed who think IT modernization and consolidation improve security had either completed an upgrade project or are nearing the end of the process.
Issues often pop up in the transition period of a modernization or consolidation project, Turner observed, with the training of federal IT managers being a key concern. If workers do not know how to use, manage and implement new systems, security risks may result. That’s why “training and awareness on how those technologies are deployed and making sure they’re deployed correctly” are imperative.
Another perennial issue with technology transitions is insufficient funding, according to Turner, since oftentimes the budget for such projects is spent incrementally and is too small to hire and train enough staff.
In many federal IT modernizations or consolidations, the legacy and new systems need to coexist because the old one cannot be turned off overnight, Turner explained. That can expose an agency to security issues and holes that it needs to plug once the new system is operational. “You have to open yourself more in order to get the integration up and running before you can close” those vulnerabilities, he said.
The Obama administration’s $19 billion proposal for cybersecurity, announced Feb. 9, includes a $3.1 billion revolving fund, dubbed the “Information Technology Modernization Fund,” that aims to accelerate the replacement and updating of legacy IT systems, which pose security risks and are costly to maintain.
Turner expressed concern about agencies that “try to do too much at once” on IT modernization. He would advise them to select a smaller set of applications or systems to upgrade.
“There are a lot of learnings you can get from your first one or two,” he said. After those projects are complete, an agency should conduct a retrospective analysis to ensure it closed security vulnerabilities that may have been opened during the transition. The agency should also analyze how well it adhered to the original transition timeline, as well as how accurate it was in predicting the number of staff required and how the move would affect agency operations.
“That’s something that really needs to be taken into consideration — that process of reevaluation and looking at how well you’ve done,” Turner said.
When deciding what legacy systems to update, agencies should also determine what systems are connected to each other so they can be updated at the same time. Turner recommends that IT leaders “start with the easy ones” and “keep the scope really narrow” to prevent tackling more than can be handled at once.
“It’s classic project management,” he said. But with large-scale IT modernizations, it’s “even more important to have that measured approach.”
Although some agencies may be tempted to start with the modernization or consolidation that delivers the most cost savings up front, Turner does not recommend that approach. It’s better for an agency to start with a smaller and less complex system, he said, so it can build up its modernization capabilities. “Then you go attack the Goliath midway or at the end.”
Ultimately, an agency CIO is responsible for setting the IT strategy, Turner said, but he or she needs to let the IT executives recommend the projects that can be completed in a reasonable amount of time.
“Most people understand the value of [modernization and consolidation]. The reality of how you get there is what creates the problems and risk.”