This week, we talked with Pennsylvania CIO and Deputy Secretary for Information Technology John MacMillan about the state’s efforts to recruit talent, bolster the service catalog and ultimately protect constituent data from outside threats. MacMillan was appointed to the position in March 2015 and takes a measured, thoughtful approach to his role within state government.
What are some of the issues and challenges facing Pennsylvania in the IT realm?
It’s hard to separate IT from money. The governor’s priorities are pretty clear to us: Schools that teach, jobs that pay and government that works. We would fall under the government that works area as far as IT goes.
What are some of the key initiatives you are focusing on in the state right now?
First and foremost is the people part of the business. We are putting a lot of effort forward to recruit, retrain and develop our staff. That starts with what are our services and how do we get organized to deliver them. Understanding our services, as represented in the service catalog, involves the service management process to help manage them more effectively.
There are a couple of key initiatives around enterprise telecommunications and data centers that we have been working on for a number of years that will remain at the top of our list.
One of the topics that has come up in conversations with other CIOs is that recruiting the younger generation of IT professionals has been a challenge for government. How specifically are you addressing pulling new blood into state service?
[We are not doing anything] specific. Our services don’t change that rapidly, but when it comes to IT service management our goal is to break that down into roles and responsibilities. It’s in that area where we feel that we are becoming more clear both internally with our own HR department and with other business functions, such as procurement, about what our real requirements are. So clarity is one of the ways we are going about it.
As we mature and improve our offerings in our service catalog, where those elements attract that talent, I think we are much more clear about what we need and why we need it. For example, as we seek to empower the workforce through mobility and other offerings in the catalog, that is one of the areas that I think those with less experience or those entering the workforce have an affinity for: developing apps for smartphones, developing apps that can be downloaded from websites and developing new Web content. Those kinds of things will attract that talent.
One of the other areas we are looking at is digital government and continuing to execute against our digital strategy.
In terms of cloud infrastructure, how has Pennsylvania approached this space?
Let’s be clear about what the cloud is: Somebody else’s infrastructure and somebody else’s data across a high-speed, high-capacity network. So, if you use those concepts, we already have a cloud, except that we did it ourselves.
We’re using cloud concepts to build out our consolidated data center strategy where it makes sense and where the application portfolio is ready, then we’ll talk about further cloud adoption. When you look at our cloud adoption portfolio, a small percentage of applications are actually cloud-ready. We’re trying to be careful with the broader cloud term and seeking to focus in on areas where it would benefit us the most, most likely around platform as a service.
We embrace cloud concepts, but ultimately, we have to be very careful with our citizens’ data. Where we need to protect the data, we will move very carefully and in compliance with the law. So, if we were seeking to enter into some sort of infrastructure-as-a-service, software-as-a-service, platform-as-a-service cloud offering, we want to understand how the data will be protected when it enters the environment, how it’s managed while it is in the environment and how we get our data back at the end of a relationship and to make sure that any of the IT infrastructure that’s in the service provider’s environment is cleansed in accordance with the law.
When it comes to the security of state infrastructure and data, what would you say your priorities are and how are you addressing those priorities?
I don’t think we are different than any other state when it comes to the approach. But one of the things we are doing, perhaps a little bit differently this year, is we started to use the moniker “it’s not if it happens, it’s when it happens.” We are trying to be prepared when security incidents occur with the right response, solid communications, clear understandings of impact. We could spend all the money in the world, and I mean that metaphorically, trying to protect the perimeter, doing email spam filtering, all kinds of firewalls, all sorts of great tools. But it just seems that regardless of how much IT spends, something happens. We’ve got excellent people, we’ve got outstanding tools, we’ve got great suppliers and while we know that we can continue to try to build cybersecurity walls, at some point somebody or some tool from some place will break through those walls. It changes how you think a little bit about security. If you focus on the data and protecting it, what the vulnerabilities are, you start to shift to a more risk-based approach.
Looking ahead for the state, where would you like to see IT in the next five to 10 years?
The world is changing very quickly. We continue to become more and more service-oriented, trying to better align the business demands with the IT capabilities. So, five years from now, I would like to see a much stronger alignment between business cycles and IT capacity availability.