Impending retirements will reduce the average level of experience for senior state technologists from 40 years to 11 years, Miller explained. To compensate for an impending dearth of expertise and to circumvent union rules, ITS was forced to raise the number of third-party contractors from 164 to 849 -- a huge funding sink, both Miller and the legislative panel agreed, given the relatively high cost of outside contractors at $245 million annually.
“The skills of our staff are locked into ‘skill silos,’" Miller said, "leading to excessive spend on third parties and an inability to offer the most exciting career paths to our brightest and best, many of whom are stuck supporting legacy technologies."
Miller suggested several possible solutions to this problem, including an in-sourcing agreement, as was used in years past, or by the transfer of existing contractors into state government as full employees, both solutions that would reduce reliance on relatively expensive contractors. Some union representatives, however, were unwilling to consider these options the last time they were presented, Miller told the panel.
“One of the ways we will address this is to focus and standardize on a smaller number of technologies, which will make it far easier for us to share expertise across all agencies. … I’m open to suggestions on how to fill that gap,” Miller said. “Given the restrictions we work within, it’s very difficult.”
The 2016/2017 budget for ITS includes $587 million to be allocated to statewide consolidated technology services and an additional $85 million in capital funding for enterprise-level applications and programs. Much of the state funding, Miller testified, will go toward the state’s continued technology transformation. Within the past few years, more than 50 disparate technology agencies began consolidation under ITS through Gov. Andrew Cuomo’s IT transformation program.
“Having made significant progress with building a sound technology and infrastructure foundation," Miller said, "we’re beginning to shift our focus now to transforming the whole lifecycle experience of our citizens to one they have the right to expect in the digital era."
Consolidating the state’s IT infrastructure has provided ITS with a view more clear that allows the agency to understand where their risks and vulnerabilities lie.
“During the consolidation and stabilization phases of the IT transformation, it became clear that a significant technology debt had accumulated over many decades of underinvestment,” Miller said, adding that about $40 million of their 2016/2017 budget will be allocated to repair that debt.
Though the state has come a long way in its IT consolidation efforts, she said what’s left is an organization whose structure is informed by a fragmented past.
“The resulting environment is massively complex to support reliably and securely,” she explained. “Most importantly, this complexity leads to a negative citizen experience.”
Miller outlined initiatives intended to address this problem, such as building “a set of strategic platforms comprising a portfolio of tools and services, which not just individually, but as an integrated set, will deliver an enhanced citizen experience across all agencies.”
Cybersecurity was the topic lawmakers asked about most during Miller’s testimony, and Miller herself stated that cybersecurity is her agency’s top priority.
Two 2015 frameworks from the National Institute of Standards and Technology will carry into the coming budget to inform new guidelines that ITS will create around a risk-based investment and cybersecurity best practices improvement program that will protect the state’s data this year and beyond, Miller said. She added that the consolidation of the state’s IT function under ITS makes cyber efforts, led by Chief Information Security Officer Jim Garrett, much easier than in the past. Because ITS now manages the infrastructure that houses the data they’re trying to protect, their security experts are able to view attacks across the entire lifecycle and ensure that new systems are compliant with best security practices.
After questioning by Sen. Michael Nozzolio, Miller listed the steps ITS is taking to ensure the security of sensitive data, which include the remediation of outdated software and hardware, the employment of Deloitte consultants who assess the state’s cyber control risk related to regulated data and third-party controlled data, a revamp of legal language used for contractors to ensure best practices are used for regulatory control, the instatement of a comprehensive risk management program, and process improvements in the state’s enterprise cyber command center, enterprise risk assessments and identity management program.
Nozzolio said he was “doubly concerned” that those charged with protecting the state’s data within each agency were not qualified to do so. Miller ensured him that the cybersecurity representatives embedded within each agency focused solely on cybersecurity, that they were members of a centralized cybersecurity team led by the CISO, and that they were qualified cybersecurity experts. The benefit of this organizational structure, she explained, was that each embedded official was able to become familiar with the unique security challenges of their assigned agency, but maintained a centralized command posture.
Nozzolio continued pressing Miller on the controls in place, emphasizing the importance of protecting state data. “Government, thank God, has not been a recipient of major attacks yet at the state level,” Nozzolio said.
After his line of questioning, Nozzolio called for further investigation into the matter on another day.
In several cases, questions put to Miller by the legislators had already been comprehensively answered at an earlier point in her testimony, but she remained poised, affable and well-spoken throughout.
“We’ve encountered and continue to encounter challenges in this multi-year journey, but those challenges don’t deter us,” Miller said. “Rather, they inspire us to be even more creative, innovative, and deliver service excellence and the best possible experience for our citizens.”