This story originally appeared in Workflow Quarterly: The Resilience Issue
The popular image of the public sector is the DMV: long waits, sclerotic bureaucracy, and ancient systems and processes that resist change or innovation. A recent ESI ThoughtLab and ServiceNow survey of more than 1,000 C-level executives would seem to support that stereotype.
According to this research, the public sector is behind private companies when it comes to investing in resilience and risk management, even in the face of increased cyberattacks, ransomware, and other threats during the pandemic. That, however, isn’t the whole story, according to Bob Osborn, ServiceNow’s chief technology officer of global governments. Osborn, who has held high-level federal IT jobs for the U.S. Army, U.S. Transportation Command, and the National Nuclear Security Administration, says that the pandemic has changed the public sector, perhaps for good.
In general, I would agree with that. There are agencies that have the maturity, resilient processes, and preparation from a technical standpoint to demonstrate resilience. Other agencies, not so much.
Most agencies rely on legacy technologies that require a great deal of manual intervention whenever there’s an issue, an outage, or an emergency. But there’s a caveat. Agencies like the Department of Homeland Security that focus on emergency response, defense, and security tend to have better resilience profiles than, let’s say, the IRS.
I look at resiliency through three lenses. Those are: avoidance of outages, response to an outage, and then the ability to be resilient without having an outage. It applies to every level of government. So whether it’s a physical loss of power, destruction of a datacenter due to some natural occurrence such as a hurricane, a flood or an earthquake, or a cybersecurity incursion, how quickly can you be up and running again? How fast can you get people back into their workplaces if they are required to be in physical presence with the system to do their job?
The second part of the definition is recovery, the speed to recover services that are lost. Resilience is all about putting together people, processes, and technologies that demonstrate redundancy and the ability to take a hit and keep delivering the services citizens expect.
Regardless of the emergency, we need the ability to respond to unforeseen events. We saw this during the pandemic, when organizations developed new applications and processes that allowed us to meet public needs in new ways. I’m talking about things like COVID testing sites and apps that track testing and vaccination status.
As we go forward, the old definition of resilience, which measured how quickly you could respond to an outage and maintain service delivery, needs to expand to include these other use cases.
In this time of COVID, if you have a business that has to send people home to work and it takes them two weeks to establish the VPN so that they can work from home, the business loses some money. If the government has a disruption that causes people to work from their homes and it takes two weeks to regain their capability to deliver citizen services, people may die.
So the urgency of the mission and the purpose of the organization is directly reflective of the type or level of services being provided in government. People are relying on those services. And they’re relying on the government to have thought through resiliency, redundancy, recovery, and avoidance to be able to continue to deliver those services—and then actually deliver even more services when there’s an emergency.
At every level of government, at the federal, state, local, provincial, and municipal levels, by their very nature they view the world through hindsight. Something happens? It either went well or it didn’t. Let’s have hearings and find out what went wrong and figure out how we’re going to fix it going forward. We have some really talented people in government who are thinking about the “what ifs” and they’re being very imaginative about what might happen and how we might avoid it, but then you run into the funding problem and the prioritization of programs.
Now you compound that challenge with the issue of maintaining legacy technology. At some federal agencies, up to 91% of the IT budget is spent maintaining legacy technology. That leaves nine cents for innovation. On every dollar. That puts the challenge into some perspective.
Then when an emergency hits, like the pandemic, the money falls out of the trees. Right now, many agencies are flush and looking to spend money. How can we make sure that we get accountability? How can we manage the vaccines? How can we do this, how can we do that? And the agencies are responding very well. Most agencies have really stepped up.
In their understanding of the value of technology and their desire to provide the latest capabilities, they’re not behind at all. Almost every agency has a strategic investment plan to modernize their technology and processes, and to deliver the types of resiliency that we’re talking about.
The pandemic actually allowed them to accelerate those plans, because although they had plans, they weren’t able to get funded. The planning was there, the thought processes, their intention to do it. What the pandemic did was push the government to say, we’re going to do something fast and here’s all this money. Well, now they can accelerate their strategies and they’re catching up very rapidly. In the next couple of years, most government agencies will catch up to the private sector in terms of resilience.