Sean Roche is former Associate Deputy Director of CIA for Digital Innovation. The Directorate of Digital Innovation (DDI) was created to accelerate the integration of advanced digital capability across all of CIA’s mission areas and is responsible for a wide range of espionage missions including cyber intelligence, open source collection, secure global communications, worldwide mission information systems, data curation, and data science. He successfully worked to overhaul the legacy personnel systems and practices to create CIA’s first digital workforce.
This is part two of his series on Dangerous and Expensive Addictions to Legacy Systems.
When you listen to people who have confronted and addressed an addiction, they talk about how tough it was to accept that they needed to change (usually after rock bottom) and the courage it took to take active steps. But mostly they describe how transformative it was for every aspect of their life.
Although the stakes are far more superficial, you hear the same type of feedback from those who make the decision to declutter and downsize, even while maintaining the same lifestyle or environment.
Any organization can immediately improve its collective cyber hygiene, lower its vulnerability and free up funding simply by cutting back on its use of legacy systems: a digital decluttering. We are the country that executed a successful rebellion against the world’s most powerful empire and then put a man on the moon less than 200 years later. Organizations must achieve greater agility across all aspects of mission in order to remain viable in the digital era; overcoming the addiction to legacy is one component.
Here are eight steps to get you started:
- Communicate Commander's Intent: Senior leadership (CEO/COO) must take sincere and honest ownership of the factors that allowed the addiction to legacy systems, highlighting that it has created an unacceptable risk to the mission of the organization in terms of cyber security, excessive cost and, most importantly, damage to the agility required for operations. Written in mission terms, this must create a sense of urgency and a call to action by noting that the status quo is unmanageable and that there will be significant departures from past practices. All of this requires a level of leadership that may have the effect of revealing those who are not suited for the positions they currently hold. Ensure that senior leadership is actively demonstrating that the CIO, CISO and CDO are mission components that must be integrated into every aspect of the operational and resource workflow.
- Be the Higher Power: There must be unquestioned commitment by senior leadership to the ruthless annihilation of legacy systems; to do less would mean that they are not willing to exert the leadership required to secure the organization. Gather the top two tiers of senior leadership and explain that they will not be allowed to accept the hyperbole-laced excuses associated with the cycle of addiction. Organizations are in a perpetual state of denial regarding the perpetuation of legacy systems. Users will offer a host of unsupportable, exaggerated excuses. When retirement of their favorite (yet vulnerable, expensive and redundant) system is announced, self-entitled users may resort to fear mongering, cajoling and other tactics to undermine the change. This cannot be a filibuster of endless rounds of debate and discussion. Given the growing threat, speed and impact of cyber incursions, the decision process and implementation must be more akin to democratic centralism.
- Take an Honest Inventory: You can immediately reclaim and repurpose funding with no mission impact. No matter how federalized you believe IT spending to be, you should direct those who administer contracts and budgets throughout the organization to rapidly compile the true lifecycle costs associated with all hardware and software systems that have been in use for 18 months or more. This should not be a “data call” request to the components but instead executed and compiled by those structuring the lower-level budgets and approving payments. Beyond the IT support services contracts, be sure to include costs associated with all recurring specific service level agreements while apportioning a pro-rata share of common services like help desk, bandwidth and the indirect costs associated with supply chain management. The total true cost (bodies, buildings and budgets) associated with IT scattered and hidden in pockets across the enterprise is likely to be 30-50% more than the budget associated with the activities of the CIO.
- Map Your Networks: For large organizations that have existed more than 30 years there is no omnibus network but most likely a crazy, nonsensical mix composed of an enterprise network with multiple other unique networks integrated at various levels. Digital mapping tools have many purposes, one of which is to reveal the detailed configuration (version) of the devices throughout your networks. Because no one entity has the “as currently built” drawings, you will need to be constantly creating one. This hunting activity will be digital archeology and discovery. You will find both hardware (we have a terminal where???!!) and software (yes… Win XP) that are no longer supportable. You will also finally have real data to determine the mission utility and use rates for digital antiques like Lotus Notes.
- Mandate Digital Retirement Dates: We set term limits for public officials and we have mandatory retirement dates for people; your organization should do the same for all things digital. Admired companies that remain competitive and agile in the digital economy have product life cycles that are continually getting shorter. The first step in this process is to announce the dismantling and shutdown of digital components/systems that have been used more than 10 years. The second step is to build a budgeting lifecycle of no more than 48 months as the baseline for all hardware/software. These are two very distinct, measurable guidelines that will drive decisions to eliminate unnecessary duplication of capabilities while building the agility essential for mission. In addition to systems that are already being used, the ATO process must set firm, fixed retirement dates that are tracked and budgeted for. This will have the effect of forcing teams to constantly evaluate the future capability they need while considering the cost/benefit of aggressively maintaining the latest, up-to-date version of all systems that are delivering for mission.
- Don’t Ask…Just Turn It Off and Wait: The excuse for maintaining legacy is the fear of what could happen when change comes. Beyond mapping and measuring your networks, you can also get definitive data and action by turning selected systems (where you have non-legacy alternatives, low user rates, or uncertain purpose) off abruptly without an announcement or “vote”. We’ve all endured the challenge of turning off legacy/redundant systems, and two significant lessons emerge that have often conditioned our hesitancy. Lesson One: If you announce it in advance, no matter how unused, vulnerable or redundant the capability, there will be a loud protest group that forms to offer exaggerated claims of utility and dire consequences, eventually resulting in a high-ranking official sending a notice directly to the head of your agency. Anyone in DOD knows that if the system is a satellite, airframe or ship there will be a lobbying effort on the Hill to pass legislation to guarantee the extension of its life, using resources that were destined for new, higher-priority capability. Lesson Two: digital systems eventually fail temporarily (for various reasons) and there are a surprising number of cases where no user notices, sometimes for an extended period of time. Despite the claim that these systems are all “mission critical”, you will discover that the reason offered for maintaining it was no longer valid, but there was a budgetary and resource momentum. Quite often the excuse is offered that because it connects to other Agency(s) it is therefore vital, only to find the other Agency disconnected their system 6 years ago and that you have been maintaining a cadre of 5 FTE contractors and 3 full-time GS-14 staff officers (3 shifts) to support it.
- Build, Empower and Incentivize a Digital Demolition Squad: Dedicate a portion of your workforce to tearing down legacy systems. Across the USG we form program offices to develop a wide range of mission capabilities while we carefully assess their progress and take actions to make them successful. There is a constant effort to increase the speed of procurement, and we provide special authorities, funding and recognition for those who are successful in doing so. While no organization would say that its mission is “acquisition”, most find themselves doing it. Why then do we not have teams dedicated to rapidly retiring legacy systems? This cannot be a typical periodic decommissioning with a prolonged schedule. Breaking the cycle of legacy addiction in order to consistently retire systems within 4 years requires aggressive efforts to remove the temptation to extend legacy use by hosting visible and celebrated efforts to purge legacy. A key distinction that differentiates this from simply “phasing out” a system is that this must be complete abstinence. The digital demolition squad must adopt, announce and achieve a standard of “zero instances, zero users” remaining. For many of the reasons stated above, this will be both a leadership and a technical challenge. Doing this on a routine basis will have ancillary benefits across the organization in terms of enhancing configuration control, enhancing agility and creating an organizational approach to digital systems as mission. The CEO of a very successful large hardware/software company was asked how he was able to rapidly turn out new capabilities that gained market share and reshaped the digital landscape. He answered that it came from the lessons learned getting completely out of legacy product lines, adding, “I never wanted to be a company that still had a ‘punch card’ division while the world had moved to something else.”
- Accelerate Migration to the Cloud: The most effective way to digitally declutter while enhancing the ability to execute mission is the decision to transition to cloud IAAS. The internal resistance you encounter as the organization migrates to the cloud will also quickly reveal serious flaws in culture, digital acumen and the resource model that must be addressed. Keeping systems current and maintaining cyber hygiene is far easier in the cloud. On its worst day, a cloud implementation for infrastructure-as-a-service provides a higher level of cyber security than client-server systems. Staying current in the cloud, with the highest level of mission readiness and security, can be accomplished continuously with one-quarter of the FTE required for typical client-server systems. The ATO process for new software can be made more efficient as a defined IAAS becomes a well-understood standard for the bottom half of the IT stack, informing the CISO team with consistent information and allowing them to help continuously drive better cyber hygiene.
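The inventory, network-mapping, retirement-date and "turn it off" steps above all reduce to the same triage once you have real asset data. The script below is an added example, not code from the article or from any agency; it applies the article's two measurable guidelines (shut down anything in use more than 10 years, 48-month baseline lifecycle), flags software past vendor support, marks shutoff candidates (a non-legacy alternative with low use, or zero users), rolls up the true annual cost (contract, pro-rata shared services, dedicated FTEs) and measures how much of that cost sits outside the CIO budget. The asset records, the `LOW_USE_THRESHOLD`, the per-FTE cost and the reference date are constructed sample values; the only real-world date used is the Windows XP end-of-support date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Thresholds from the article's two guidelines.
RETIRE_AFTER_YEARS = 10      # dismantle anything used more than 10 years
LIFECYCLE_MONTHS = 48        # baseline budgeting lifecycle for all hardware/software
# Hypothetical cut-offs for the cost roll-up and the "low user rate" test.
LOW_USE_THRESHOLD = 5        # monthly active users at or below this is "low use"
FTE_ANNUAL_COST = 150_000    # constructed fully-loaded cost per FTE


@dataclass
class Asset:
    name: str
    deployed: date
    end_of_support: Optional[date]   # vendor support end; None if still supported
    monthly_active_users: int
    contract_cost: float             # direct licence / support contract per year
    shared_services_share: float     # pro-rata help desk, bandwidth, supply chain
    fte: float                       # staff and contractor FTEs dedicated to it
    in_cio_budget: bool              # True if the CIO budget already carries this cost
    alternative: Optional[str]       # non-legacy system covering the same need, if any


def months_in_service(asset: Asset, today: date) -> int:
    return (today.year - asset.deployed.year) * 12 + (today.month - asset.deployed.month)


def true_annual_cost(asset: Asset) -> float:
    """Bodies, buildings and budgets: contract + pro-rata common services + dedicated FTEs."""
    return asset.contract_cost + asset.shared_services_share + asset.fte * FTE_ANNUAL_COST


def triage(asset: Asset, today: date) -> List[str]:
    """Return the retirement flags that apply to one asset."""
    flags: List[str] = []
    months = months_in_service(asset, today)
    if months > RETIRE_AFTER_YEARS * 12:
        flags.append("OVER_10_YEARS")
    elif months > LIFECYCLE_MONTHS:
        flags.append("BEYOND_48_MONTH_LIFECYCLE")
    if asset.end_of_support is not None and asset.end_of_support <= today:
        flags.append("UNSUPPORTED")
    low_use = asset.monthly_active_users <= LOW_USE_THRESHOLD
    uncertain_purpose = asset.monthly_active_users == 0
    if low_use and (asset.alternative is not None or uncertain_purpose):
        flags.append("SHUTOFF_CANDIDATE")
    return flags


def report(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    return {a.name: triage(a, today) for a in assets}


def reclaimable_annual_cost(assets: List[Asset], today: date) -> float:
    """True annual cost of every shutoff candidate: funding that can be repurposed."""
    return sum(true_annual_cost(a) for a in assets if "SHUTOFF_CANDIDATE" in triage(a, today))


def hidden_cost_share(assets: List[Asset]) -> float:
    """IT cost outside the CIO budget as a fraction of what the CIO budget shows (article: 30-50%)."""
    total = sum(true_annual_cost(a) for a in assets)
    visible = sum(true_annual_cost(a) for a in assets if a.in_cio_budget)
    return (total - visible) / visible if visible else 0.0


# Constructed inventory; names, dates (except XP end-of-support) and costs are sample data.
TODAY = date(2020, 6, 1)
INVENTORY = [
    Asset("field-terminal-xp", date(2006, 3, 1), date(2014, 4, 8), 2, 40_000, 12_000, 1.0, False, "managed-laptop-image"),
    Asset("notes-mail-archive", date(2004, 9, 1), None, 4, 90_000, 25_000, 3.5, False, "enterprise-mail"),
    Asset("partner-feed-gateway", date(2013, 1, 1), None, 0, 60_000, 15_000, 8.0, True, None),
    Asset("case-mgmt-v3", date(2017, 11, 1), None, 340, 250_000, 30_000, 3.0, True, None),
    Asset("cloud-analytics", date(2019, 2, 1), None, 1200, 400_000, 10_000, 0.75, True, None),
]

if __name__ == "__main__":
    for name, flags in report(INVENTORY, TODAY).items():
        print(f"{name:24s} {', '.join(flags) or 'ok'}")
    print(f"reclaimable per year: ${reclaimable_annual_cost(INVENTORY, TODAY):,.0f}")
    print(f"cost outside CIO budget: {hidden_cost_share(INVENTORY):.0%} above CIO view")
```

The `partner-feed-gateway` record is the article's "connects to another Agency" case: nobody uses it, it carries eight FTEs, and it is flagged for shutoff even though no replacement exists. The age test uses `elif` so an asset gets one age flag, not two; the support and use tests are independent of age because an unsupported or unused system is a problem at any age.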
Read part one of this special series, A Dangerous and Expensive Addiction to Legacy Systems from Cipher Brief Expert and former CIA senior executive Sean Roche.