When President Obama selected Tony Scott to be CIO for the Executive Office of the President, Scott said the president gave him one primary directive: “Get something done.”
At the Brocade Federal Forum in Washington June 17, Scott said he has three objectives, carried over from his predecessors and projects. The first is to get maximum value out of the government’s IT investments; the second is to deliver world-class digital services; and the third, to protect federal IT assets and information.
“There are some challenges in [that last one],” Scott said, “but it’s not unique to government.”
There is a fourth, underlying objective, which serves as a foundation to the other three, he said – the government’s manpower requirements.
“There are two issues there. An awful lot of people are retiring out of government in the next few years, [and] as that knowledge walks out the door I want to make sure we have the right leaders,” he said.
Behind each objective there are specific actions being carried out. “My definition of success is speed to market. In today’s world speed means everything,” Scott said.
Which means investment.
“The modernization of the federal IT environment has to be one of our priorities,” Scott said. “What’s the solve for these issues? [Congress doesn’t] like to hear it, but we just have to replace [infrastructure], particularly in the cyber security space.”
Scott pointed out there are many very large, siloed IT systems designed 30 to 40 years ago that are trying to support missions, citizens, and objectives that have changed dramatically since their introduction. Nor were the systems built with cybersecurity in mind.
“It’s like retrofitting an airbag into a ’65 Mustang,” he said. “So we just have to replace a lot of what we have. That has to be our most important agenda.”
Scott told the old joke about the government having two kinds of CIOs – those who have been hacked and know it, and those who have been hacked and don’t know it.
“A lot of money is spent on preventing” intrusions, but the government needs to improve at detecting and remediating intrusions, Scott said. He compared the cybersecurity landscape to firefighting, saying that establishing uniform building codes is both more cost-effective and better at prevention than simply having a fireman stationed on every corner.
“A lot of things we’ve done are aimed at preventing the [cyber] fire from spreading, and we’ve got pretty good at it,” he said. But spending on cybersecurity is normally calculated as a percentage of an agency’s IT budget – when the budget goes up, security spending goes up.
“I think we ought to look at it on a risk basis … What is our appropriate response?” Scott said. “It can’t be a percent of the budget or some other arbitrary number.”