With a rather limited IT federal budget, modernizing technology to improve security and processes requires prioritizing those highest-value assets. At the Homeland Security Department, doing so has become a matter of national security.
“Every mission we have is enabled by IT … so if those operators can’t leverage the capabilities that technology provides, that’s a national security problem for us,” said DHS Chief Technology Officer Michael Hermus.
In a panel at the Institute for Critical Infrastructure Technology Forum on June 7 in Washington, D.C., Hermus added relieving the technical debt starts with acknowledging the problem has to be addressed and resources have to be applied to it. For DHS, that means focusing on architecture and software-defined infrastructure with flexibility that will strengthen security and adapt to new processes and needs.
Yet, in order to isolate the highest-value assets and prioritize what to modernize under a budget, Hermus said DHS is looking at a portfolio management approach. This means identifying the legacy systems that require the highest cost to operate, keeping those that are core business systems and retiring the others. The cost savings can then be used to modernize the rest of the portfolio. According to Hermus, most of DHS’ IT dollars are spent on sustaining older systems, but little oversight is applied to it.
To identify the high-value systems that need to be updated, DHS is looking to adopt a portfolio framework. For example, one framework identifies the systems to tolerate or invest in, to migrate or rebuild, or to completely eliminate. However, defining those high-value assets can mean different things to different people. From a security perspective, DHS and the Defense Department are working to define criteria for evaluating different types of data, and the risks and consequences associated with that data loss or corruption.
Though some argue security controls add friction to usability, Hermus believes modernizing technologies will actually improve security and its role as an enabler for mission operators and end users, rather than a burden.
“When we look at modernization …we aren’t simply modernizing," he said. "We should really be radically improving the performance of these systems, not just using modern technology."
Hermus referenced advanced tech like automation, machine learning and artificial intelligence, and said if applied appropriately, are capable of improving security processes, operations and networks without impacting the user.
“That allows us to focus more resources on the capabilities that the IT, the technology, delivers in the hands of the end users,” he said. “I think we have to maintain that focus on the value, not just the risk,” he added, like modern technology’s ability to combat advanced cyberattacks and threats.
In the end, this means leveraging both industry and government partnerships to address the highest risks first and choose the right set of tools and solutions capable of securing the enterprise.