cio survey may 2013 v5 low res

Upload: goldendog7

Post on 08-Aug-2018


  • 8/22/2019 CIO Survey May 2013 v5 Low Res


    TechAmerica's Twenty-Third Annual Survey of Federal Chief Information Officers

    MAY 2013


    About the Sponsors

    TechAmerica

    TechAmerica is the leading voice for the U.S. technology industry, the driving force behind productivity growth and job creation in the United States, and the foundation of the global innovation economy. Representing approximately 1,200 member companies of all sizes from the public and commercial sectors of the economy, it is the industry's largest advocacy organization and is dedicated to helping members' top and bottom lines. TechAmerica is also the technology industry's only grassroots-to-global advocacy network, with offices in state capitals around the United States, Washington, D.C., Europe (Brussels), and Asia (Beijing).

    Learn more at www.techamerica.org.

    Grant Thornton LLP

    Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity. In the U.S., visit Grant Thornton LLP at www.GrantThornton.com.

    Grant Thornton's Global Public Sector, based in Alexandria, Va., is a global management consulting business with the mission of providing responsive and innovative financial, performance management and systems solutions to governments and international organizations. We provide comprehensive, cutting-edge solutions to the most challenging business issues facing government organizations. Our in-depth understanding of government operations and guiding legislation represents a distinct benefit to our clients. Many of our professionals have previous civilian and military public sector experience and understand the operating environment of government. Visit Grant Thornton's Global Public Sector at www.grantthornton.com/publicsector.

    Table of Contents

    Executive Summary
    About the survey
    Budget
    Policy, Governance, and IT Management
    Acquisition
    Human Capital
    Mobility
    Cyber Security
    Conclusion
    Appendix A: List of CIOs Interviewed
    Appendix B: List of Interviewers


    CIO Insights: Leading Innovation in a Time of Change

    Executive Summary

    Each year TechAmerica and Grant Thornton LLP survey federal Chief Information Officers (CIO) on issues most affecting the community. CIOs had a lot to say about budget, policy and governance, acquisition, human capital, mobility, and cybersecurity.

    Budget

    The budget is the top concern of CIOs. While budget cuts drive CIOs to improve efficiency and spark innovation, they also hinder investments in modern technologies needed to support the mission. Today, more than 76% of IT spending goes to operations and maintenance (O&M) and infrastructure. As one CIO stated, "We should have moved off of legacy systems five years ago but we don't have the money to modernize the way our constituents want." This constraint is driving CIOs to look creatively at ways to save and reinvest by buying services rather than making risky, large, multi-year, capital investments. To do this, CIOs need an effective way to understand and manage IT costs and performance. But CIOs say they are not there yet.

    Policy and Governance

    Most CIOs say achieving true efficiencies will be just an aspiration until they have control and oversight over IT budgets, though a few cautioned against giving them complete control. We asked CIOs how they are implementing OMB's 25-point plan. More than 94% of respondents said they have or will deploy cloud services. They are also consolidating data centers and employing agile development, though slowly. CIOs are leveraging PortfolioStat, because they believe it gives them insight into the total scope of their IT.

    Acquisition

    Acquisition remains a major management challenge. As a risk to government operations, IT acquisition perennially appears on lists of major management challenges. However, CIOs are hampered by challenges facing the acquisition workforce and its overreliance on inappropriate acquisition strategies. CIOs want a faster process enabled by a workforce collaborating with CIOs and their program management counterparts.

    Human Capital

    Just like the budget, human capital remains a top concern. Experienced federal employees are retiring rather than living with no pay raises. Recruitment and retention lags CIO needs. Many CIOs suggest new hiring rules and tools to fix the talent problem. Despite these challenges, most CIOs did not anticipate a change in the nearly equal mix of Federal employees and contractor staff.


    Mobility

    Mobile devices are standard now, but CIOs are racing to keep up. As we approach the one-year anniversary of OMB's Digital Strategy, CIOs are increasingly relying on mobile platforms to equip their workers. CIOs say they need employees with mobility skills now, though mobility adds security and governance concerns, issues that have yet to be resolved. A number of agencies adopted bring-your-own-device (BYOD) policies, adding complex policy and governance questions.

    Cyber Security

    BOTS, viruses, scareware, trojans, password crackers, phishing, keyloggers and malware are a few of the methods cyber villains use to attack federal agencies. Among the grim findings from CIOs surveyed is the rate at which attacks are replicating and evolving. Cyber security incidents continue to rise and they pose serious risks. Cyber attacks jumped 13% last year alone, so it is not surprising that Federal spending on cyber security would increase by $1 billion in fiscal year 2014 under President Obama's budget. Their magnitude is compounded by increasing sophistication. Among CIOs' greatest needs is a trained cyber workforce, exacerbating an already dire human capital situation. Cyber security threats are both external and internal, and while there are three times as many external threats as internal threats, internal threats can be more significant. So, CIOs report they have already begun working with the private sector to combat cyber threats more effectively.

    Conclusion

    IT is essential for every agency's operations, but to get its true benefits, it must be effective, cost efficient, secure, and well supported. CIOs must adapt to rapid and continuous evolution of technology with decreasing budgets, smaller and less prepared workforces, and ineffective acquisition support. Security threats add exponential challenges. Not a job for the faint of heart.


    About the Survey

    Purpose

    TechAmerica has surveyed federal CIOs for 23 years. Through these surveys, top IT officials, oversight groups, and congressional staff share their views on challenges facing federal CIOs. As in past years, TechAmerica received outstanding support from the federal CIO community and from Grant Thornton LLP, which sponsored and supported this survey.

    Methodology

    We conducted this year's survey interviews during the late winter and early spring of 2013. This provides the IT community with a point-in-time assessment of the thinking of key federal IT opinion leaders. TechAmerica's Federal Committee, through its CIO Survey Task Group, conducted this year's in-person interviews. Teams of TechAmerica member firm interviewers met with 41 CIOs, information resources management officials, and congressional oversight committee staff. Throughout this report, we refer to them as CIOs. (See Appendix A for a list of those interviewed and Appendix B for the interviewers.) The CIO survey Task Group selected interviewees based on their involvement in previous surveys, enterprise challenges, and relevance of IT to their organization's mission. This report reflects the thoughts and words of interviewees to the maximum extent possible. However, to preserve anonymity, no responses are attributed to specific individuals.

    Readers may download copies of this and prior surveys at www.grantthornton.com/publicsector under the heading public sector publications.

    Top Concerns

    We asked CIOs to identify their top concerns for 2013. As you can see in Figure 1, CIOs chose budget and people as their top two concerns. This is consistent with views expressed in other Grant Thornton-sponsored surveys. Cybersecurity ran a close third. While budget is always an issue, recent years have introduced a new threat: the never-ending reduction. CIOs were concerned about sequester as far back as 2011, and in 2013 it materialized. But, it is not over. The sequester is a full decade of budget cuts, paring spending through 2021. It does no good for CIOs to develop short-term solutions like deferring training and stretching out replacement cycles. They must completely rethink the way they operate and serve their customers.

    Figure 1: CIOs' Top Concerns


    Budget

    The federal government is adopting fiscal restraint not experienced in a generation. Figure 2 depicts IT spending as reported in the President's Budget.

    Figure 2: Federal IT Spending, President's Budget, FY 2014

    CIOs Deal with Budget Realities...

    Permanently smaller budgets motivate creative behaviors among CIOs and other government managers who depend on IT. Instead of treating budget reductions as a disease, CIOs are using cuts to enhance efficiency and spark innovation. Here are some examples:

    • Taking an enterprise view of contracts and infrastructure to reduce redundancy
    • Moving from long term implementation to more agile, focused buying by the drink through shared services
    • Providing tablets to field staff instead of laptops, saving more than $2500 per employee
    • Eliminating travel costs by deploying secure webinar capabilities
    • Virtualization and cloud migration. One CIO said the move to cloud based email saved $20 million
    • Standardizing desktop and laptop configurations in one agency reduced service costs 60%
    • Using segment architecture to cut business intelligence platforms by 67%
    • Consolidating applications, renegotiating commodity IT contracts, and eliminating or canceling underperforming projects.

    CIOs criticized the mindless nature of sequester, which treated critical infrastructure projects and low priority ones the same. CIOs believe they can deal with a future where funding is lower, but they need flexibility to adjust to changes and priorities. "We need to increase the emphasis on realistic budget cuts vs. across the board cuts."

    A number of CIOs identified multi-year appropriations as an easily implemented improvement to IT budgeting. They believe this matches the long timelines many IT projects need if they are to be implemented successfully. Some agencies and CIOs already have multi-year appropriations and they support the additional flexibility and increased certainty they provide. Another CIO promoted the idea of Cut/Keep/Reinvest. As an alternative to spending one-year money at the end of the fiscal year on things they may not need, why not allow CIOs to keep a portion of their unused budget to reinvest, returning the remainder to Treasury? Many states have done this effectively.


    ...but there is only so much they can do.

    Of course, smaller budgets don't always have a silver lining. We asked CIOs about new risks from budget cuts. Here are some things they shared:

    • Less or no seed capital to support consolidation or innovation projects. Sometimes you have to spend money now to save more money later.
    • Increased cyber security attacks or a major, sustained, undetected hack of agency systems.
    • Increased hardware life cycles. The longer hardware goes between replacement, the greater the chance of catastrophic failure.
    • Quality. Sometimes quantity can be maintained with the same or less funding, though quality often suffers.
    • Keeping legacy systems operational. An obvious risk of deferring new systems is the need to operate expensive, higher maintenance legacy systems.
    • Training. When agencies defer or eliminate staff training, it is harder to sustain the skills needed in an IT workforce.

    So, where are we headed? CIOs understand the budget environment is in a prolonged no-growth phase, and they can deal with that reality as long as Congress makes reductions strategically and rationally. No one knows whether the next technology innovation will save or cost money; but in the interim, the CIOs are making the best of a bad situation.


    Policy, Governance, and IT Management

    Do CIOs have enough control over IT Spending?

    Especially with declining budgets, most CIOs do not believe they can be responsible for how agencies invest IT funds if they do not control the IT budget. "You cannot be effective as a CIO until you have majority control," says one CIO. Yet most CIOs lack direct control over the bulk of IT spending. Figure 3 shows the average percentage of IT spending controlled by the Department CIOs, bureau CIOs, and program offices. CIOs agree these are rough estimates because understanding the true extent of IT spending is elusive.

    Figure 3: Average Percent of IT Spending Controlled By:

    OMB's memo, Chief Information Officer Authorities (M-11-29), was designed to enhance CIO authority. But 73% of respondents say it produced no change. One CIO described it as a desired responsibilities memo rather than an authorities one. On the positive side, 92% of respondents say they have a seat at the table when significant agency decisions are made, even if not directly related to IT.

    Several CIOs support House Committee on Oversight and Government Reform Chairman Darrell Issa's draft bill, the Federal Information Technology Acquisition Reform Act (H.R. 1232), because they believe it will do more to enhance the authority of Department CIOs. Released for comment on September 20, 2012, the bill would require CIOs to approve agency spending on IT and the hiring of agency employees with IT responsibilities. The bill would consolidate authority in one CIO per Department. Bureaus, offices, or subordinate agency organizations could not have their own CIOs. The majority of respondents believe the bill would improve efficiency and accountability.

    The Department of Veterans Affairs CIO, who oversees Departmental IT spending, is a good example of the bill's proposed approach. Some respondents, however, do not think "one size fits all" where IT budget authority is concerned. This is a politically sensitive issue and many powerful components oppose centralized CIO control.

    Different agencies have different structures. One respondent suggested a middle ground -- a mix of budget visibility, accountability, and responsibility. Another suggested that Departmental CIOs own infrastructure and spending on enterprise applications and software, while component CIOs and programs controlled spending on their mission applications. The debate over IT governance is just getting started.


    How Are CIOs Spending Limited Dollars?

    Figure 4 shows the average percent of IT spending by categories reported by the respondents.

    Figure 4: Average IT Spending by Category

    We were disappointed to see an average of 76% of IT spending on O&M and infrastructure. This investment to keep the lights on is akin to throwing money down the drain and constrains CIO efforts to modernize and protect against cyber threats. Money needed to innovate is not available. Despite attempts to adapt to a constrained budget environment, many CIOs felt stuck in neutral, unable to deliver new, needed services to enhance achievement of agency mission.

    Over 60% of CIOs do not feel confident in their ability to estimate and track IT expenditures. The cost of IT should not simply be the price of a piece of equipment or a software license. CIOs need cost models that provide the total cost of ownership for IT products and services. "A lot of IT spending is embedded in programs," one CIO says, "and it also varies by operating divisions." Improving CIO understanding of the total cost of operations and associated performance of IT investments is definitely an area in need of improvement.


    Takeaways from the 25-Point Plan

    While the 25-point plan is not driving agency IT priorities, it helped them identify areas of focus. Data center consolidation and cloud computing are two areas with staying power. Ninety-four percent of respondents said their agencies have or will adopt public or private cloud services. "I'm a big believer in the cloud," said one CIO, "because it allows the government to provision services faster and cheaper."

    Agencies see cloud computing as an opportunity to reduce government-owned data centers and provide hosting services more inexpensively because private sector data center availability and expandability is far superior to government's. Several Departments have or will employ enterprise level cloud contracts with a limited set of vendors. They envision a cloud broker model so customers can go to a web site to procure and access cloud services at will. Respondents acknowledged many challenges to implementing cloud computing: Agencies have not figured out how to procure cloud with strategic sourcing, and most acquisition people do not understand cloud computing. CIOs say:

    • Cloud is a big priority, but there are serious cost and security constraints preventing implementation across government.
    • Some cloud providers new to the federal government are not aware of the impact of legacy applications. Cost cutting is freezing legacy applications, and that makes adopting cloud solutions harder. Right now agencies are moving office tools such as email to the cloud. However, few agencies are moving large systems such as procurement, payroll, or human resources systems to the cloud. And, the reality is that moving to the cloud does not always save money.

    PortfolioStat

    In March 2012, OMB launched PortfolioStat, asking CIOs to examine their IT portfolios, identify common areas of spending, reduce duplication, and drive down costs. Agencies identified more than $2.5 billion in cuts. In its March 27, 2013 memo, Fiscal Year 2013 PortfolioStat Guidance: Strengthening Federal IT Portfolio Management (M-13-09), OMB asked agency heads to embark on PortfolioStat 2.0, which merged 30 reports and data collection requirements into just 3: (1) a progress report on agency strategic IT goals, objectives, and metrics, as well as any cost savings or cost avoidances from these efforts; (2) an Information Resource Management (IRM) Plan; and (3) the Enterprise Roadmap.

    Some other comments on PortfolioStat:

    • Strongly support PortfolioStat and believe it has potential, but it is too early to tell whether it will accomplish the goals. Agencies have not yet achieved the objectives of Clinger-Cohen to empower the CIO. PortfolioStat is another tool that can empower the CIO.
    • Increased transparency was helpful. However, one thing that was not useful was comparisons with other agencies because those may not be apples-to-apples comparisons when no one has normalized the agency data.
    • It is too early to say if PortfolioStat helps to rationalize IT. It has cut redundancy, but programs do not want to share applications on a functional level.
    • PortfolioStat is establishing transparency and discipline in the acquisition process. It is requiring a culture change and better business cases.
    • There are many holes, but one thing PortfolioStat has done is make us take a critical look at the things we do. Unfortunately, PortfolioStat is not consistent with how agencies report or manage IT acquisitions.


    Most agree PortfolioStat puts CIOs on the path to better understanding how they spend and manage IT. We explored whether agencies were using agile development methods, and all respondents said they were, though with varying degrees of maturity and success. Respondents said agile would help them reduce risks of investment in inefficient, long term IT programs. One organization said it developed agile acquisition guidelines to help procurement better understand how to buy IT in a more modular way. Other comments on agile suggested there are challenges to resolve. "Our staff lack the skills needed to oversee contractors' agile development." "Agile is good when an agency knows what it wants," said one respondent, "but it doesn't always provide a big picture roadmap needed to gauge progress." Regardless of the challenges, CIOs believe agile is here to stay and represents a move in the right direction.

    Analytics and Big Data

    Seventy-eight percent of respondents rated their level of maturity with analytics as 3 or less on a scale of 1 to 5, 5 being the most mature. CIOs cited a need for better approaches to analytics and improved dashboard capabilities. Others reported redundancy in analytic efforts across the enterprise and suggested the concept of a Business Intelligence Center of Excellence to reduce disparate use of analytics across the enterprise. Another CIO said the benefits of analytics were limited by the lack of ability to share data within and across organizations. Many agencies shared common challenges with big data, including (1) how to clean existing data and migrate data silos into one place; (2) lack of a common authoritative source of data; (3) poor data quality; and (4) the need for policies and processes to tag and access data. One CIO said at an enterprise level many executives struggle to know "what data we have, why we have it, and how we can use it?"


    Acquisition

    Acquisition and the CIO

    Acquisition remains a major management challenge and one that is foremost on the minds of CIOs. As a risk to government operations, information technology acquisition appears perennially on GAO's High-Risk List and Inspector General lists of major management challenges. However, concerns about the ability of the acquisition workforce to help CIOs with their major acquisitions and an apparent overreliance on the use of inappropriate acquisition strategies are not helping resolve these challenges. CIOs want a faster process enabled by a competent workforce collaborating with CIOs and their program management counterparts.

    The Acquisition Workforce

    Virtually every respondent indicated challenges remain with the acquisition workforce. "The key change needed is improvement in the acquisition workforce," one CIO said. That comment is also consistent with a recent survey of acquisition officers, 71% of whom believe acquisition workforce challenges have worsened over the last two years.

    What needs to change to improve the acquisition workforce differed among respondents. CIOs said the acquisition workforce needed better training, greater understanding of information technology concepts and practices, and an improved partnership between IT and acquisition professionals. They also need to learn how to support the changing needs of IT users where we are moving from building and buying IT systems to buying by the drink.

    CIOs described several important initiatives to address acquisition workforce challenges. They mentioned as a positive development the fact that the Federal Acquisition Regulation now requires continuing education or refresh training as a condition of maintaining one's Federal Acquisition Certification for Contracting Officer's Representatives. The General Services Administration (GSA) is also working to create a comprehensive Acquisition Professional to look at the acquisition structure more holistically. In addition, GSA's Federal Systems Integration and Management Center may offer a model for centralizing the expertise necessary to support more complex IT acquisitions.

    Acquisition Strategy

    A key concern of CIOs was the ability of the acquisition workforce to tailor the acquisition strategy to the complexity of the IT project. Generally, CIOs responded that the acquisition workforce and the CIO need to collaborate on the appropriate acquisition strategy, though the previously mentioned weaknesses in the acquisition workforce make this difficult. One CIO said, "Acquisition professionals at my agency cannot seem to understand and approve anything out of the ordinary, which proves very frustrating." Many IT procurements are, by their nature, long, complex, and expensive. They also often require highly technical, proven skills to ensure successful implementation. However, there is an increasing reliance on lowest price technically acceptable (LPTA) procurements, which, according to some CIOs, do not give agencies an adequate opportunity to factor value into the procurements. Too often, CIOs reported, LPTA is a default strategy that does not fit all acquisitions. "If we are buying a true commodity, LPTA may be appropriate, but otherwise it may not offer CIOs the best value," one CIO said. Another policy maker commented, "IT acquisition should be based on capabilities, not price."


    The future of IT Acquisition

    When asked what lies ahead for IT Acquisition, CIOs gave a slight edge to an increased use of strategic sourcing for commodities. A close second was a greater reliance on the use of strategic sourcing for services, though there is a lack of clarity in how this will work. Strategic Sourcing is an initiative of OMB's Office of Federal Procurement Policy in which multiple entities pool their buying power so the buyers get greater value for their contracting dollar.

    Sixty percent of respondents expected to see continued growth in the use of multi-award blanket purchase agreements (BPAs) for buying IT services. All of these initiatives or activities seek to centralize buying in a select few places so the government can leverage its size and scope to get better value and price from its vendors.

    A major legislative initiative that colored many CIO responses was legislation under consideration by the House Committee on Oversight and Government Reform. According to the Committee Chairman, Congressman Darrell Issa (R-CA), the legislation would establish a Federal Commodity IT Center to serve as a focal point for coordinated acquisition practices and the management of government-wide IT contracts. It would also designate certain agencies as the go-to centers for complex IT acquisition for other federal agencies, offering streamlined contracts and technical expertise. While not all CIOs were convinced of the need for legislation, many of the provisions address the very concerns many CIOs expressed.

    Clearly, CIOs want a more nimble, responsive, tailored acquisition system and a talented acquisition workforce with whom they can partner to get the greatest value for the taxpayers' IT investment. Shared Services and increased use of BPAs are just a few of the tools that will help CIOs accomplish their mission. In addition, legislation may be coming to clarify lines of authority and enhance acquisition policies and practices.


    Human Capital

    As noted earlier in this report, CIOs made people, their workforce, a top concern. This is consistent with previous federal CIO surveys and surveys of other government professionals.

    IT Workforce Brain Drain

    In March 2013, the Office of Personnel Management (OPM) released some startling statistics about the federal workforce: more than 10,000 employees, or twice what OPM predicted, had submitted retirement claims the previous month. An IT workforce assessment of more than 22,000 IT professionals by the CIO Council in April 2013 noted that the average age of cyber security employees was between 50 and 55. As one CIO said, "Forty percent of the Federal workforce is set to retire soon. How will the government attract the next generation of IT professionals?"

    These statistics provide context for responses to three human capital questions we posed. We asked about recruiting, hiring, and training. One CIO said, "The biggest issue facing the federal workforce is that we cannot attract good talent. What college student is going to look at a public service job when salaries can be frozen for years?" Another CIO said, "We are hiring when we are able to, even with hiring freezes, sequestration, the fiscal cliff, and demotivating negative sentiment from the Hill. However, it is challenging and having a huge impact on morale." A few CIOs said they are working extra hard to try to retain their best people, but it is exceedingly difficult given the budget crisis and indecision in Washington. Government jobs used to offer security in a down economy, but this is no longer the case and having a real impact on CIO recruitment and retention.

    Many respondents cited problems with USAJobs, the government's primary recruitment website. They did not have resources or know how to use other mechanisms, and a few felt the lack of 21st century recruiting options and challenging federal hiring rules placed a further burden on their ability to recruit and retain the best and brightest.

    This employment environment is causing CIOs to try new approaches to recruiting and retention. A number of CIOs cited increases in the use of interns through Student Pathways. This program offers streamlined developmental programs tailored to promote employment opportunities for students and recent graduates. Another approach was the Presidential Innovations Fellows program, which paired top innovators from the private sector, non-profits, and academia with top innovators in government. Together they would collaborate during focused 6-13 month tours of duty to develop innovative solutions to today's business challenges. CIOs also cited the Presidential Management Fellows program as a source of good talent.

    Necessary Skills

    We asked CIOs what skills were most important for their workforce and the extent to which their staff possessed those skills.

    Figure 5 shows that 83% of CIOs rated program management as a critical or very critical skill. When asked whether their workforce possessed this skill, no CIO responded with a top rating, though all believed their workforce had average or slightly better than average program management skills. One agency CIO believed that program management skills and a solid program management office are essential to successful program execution. He advocated creating a Program Management Center of Excellence that could capture and share best practices and tools to support program execution across government. About 75% of respondents ranked problem solving as the second most critical or very critical skill, and about 72% ranked creativity and innovation as the third most critical or very critical skill. When asked the extent to which their workforce possessed this skill, however, no respondents provided a top score for problem solving and only 14% provided a top score for creativity and innovation.

    Figure 5: Skills Critical and Possessed

    The Future Workforce

    We asked CIOs for their vision of the skills needed by the future workforce. One CIO said, "Innovative, proactive, and strategic with cost awareness from a business perspective." Respondents also indicated that the current mix of federal workers and contractors was nearly equal and they did not expect it to change, even though they are seeing more insourcing due to sequestration. We asked CIOs about their current ratios of federal employees to contractors. The responses ranged from 20% federal employees - 80% contractors to about 50 - 50. One respondent suggested that reliance on contractors will and must increase in a managed services model. Another suggested a goal of two-thirds federal workforce and one-third contractor. With this balance, CIOs could manage risk, get the work done, and allow for some discretionary funds to hire talented people. Another CIO cited favorably the flexible support and expertise offered by contractors complemented by the oversight and implementation by government staff.

    One CIO stated that program management support from contractors with technical expertise to serve as trusted advisor is in jeopardy. He feared that if this support went away, the government would risk a bigger total cost expenditure resulting from schedule delays or execution risk. He was concerned that, when contractors depart, the federal workforce does not necessarily have the skills to oversee complex IT projects, which increases risks substantially. Another CIO noted that agencies lacked the skills to oversee contractors' agile development. Agencies must solve this shortfall if they are to move from large, expensive multi-year IT modernization efforts to more modular projects that produce results quickly and manage costs effectively.

    Dealing with Workforce Challenges

    Respondents agreed with the need to reform federal hiring tools and rules to make it easier to recruit workers. Rules must offer pay and bonus flexibility, as well, so government can compete with industry for technical workers. Respondents noted that pay satisfaction is at its lowest level since 2004 based on the 2012 Federal Employee Viewpoint Survey. Other options noted by respondents included (1) building on the success of Student Pathways to expand the number of entrants into the program; (2) developing human capital strategy and IT career paths; (3) integrating agile certificate classes into the CIO staff job series; and (4) creating program management centers of excellence to support various program management disciplines.

    In 2011, for the first time, global smartphone shipments exceeded personal computers. By March 2012, 46% of American adults were smartphone owners, an increase from 35% in May 2011. According to GAO, while U.S. government agencies are not responsible for ensuring the security of individual mobile devices, several agencies are involved in activities designed to address and promote mobile security. Furthermore, with the premise of providing better services to the American people, in May 2012 OMB released a Digital Government Strategy to enable a mobile federal workforce to provide access to services, anywhere, anytime, on any device.

    Because of technological advances and increases in mobile services, mobile IT has risen to one of the top priorities and issues facing CIOs. Encompassing smartphones, tablets, and other devices, mobility has changed the way people access and use information, especially in the workplace. From inspecting public and governmental housing, to conducting the Census, to administrative mobile apps such as those used to record time and attendance, agencies are increasingly using this technology to achieve their missions. With the goal of ultimately providing improved information and services to the American citizen, mobility is in the forefront of federal CIO agendas. Specifically, with the next generation of mobile networks and services entering the federal workspace, the respondents noted that they are facing increasing challenges in deploying and securing mobile services and devices.

    Mobility

    With the increasing use of mobile devices and services, identifying potential and perceived security challenges and addressing those challenges has become increasingly important. Respondents described how they are working to overcome these challenges. For example, two respondents with large mobile workforces stated that employees use the same security policy they would use if they were connected to the agency network via desktop computers. The respondents acknowledged, however, their ongoing concern for data security on mobile devices. One respondent said that his agency was pursuing a container approach, with the focus on protecting the data rather than the mobile device. They could achieve this by data virtualization. Other respondents pointed to the use of built-in security on mobile devices, for example requiring passwords and having the ability to remotely wipe devices if stolen. While some respondents said that they have deployed mobile device management, others said that they were working to develop a policy or were meeting with mobile vendors and their own IT security staff to determine the best mitigation strategy. One CIO said that they were currently piloting a bring-your-own-device policy that required use of mobile device management software to ensure proper security controls. In September 2012, GAO reported that the Federal Communications Commission had also worked with mobile companies on several initiatives aimed at addressing mobile security vulnerabilities.

    The Next-Generation of Mobility Services

    As the next generation of mobile services emerges, CIOs are determining the resources and expertise they need to develop and support widespread deployment. A number of respondents noted the need for expertise in mobile application development. Respondents said that this need included personnel with the right skill sets, with an understanding of the agency's mission, in order to make decisions on which apps to pursue. A number of respondents also indicated the need for agency level mobile strategies to govern the deployment of mobile services. One respondent said that while the agency has been actively using mobile devices for conducting work, a flexible mobile strategy would help the agency define ways that employees and customers can access systems. That strategy could also help identify how agencies can deliver public facing information on mobile devices. In January 2012, the Federal CIO kicked off a campaign to solicit input from across government and industry to determine which areas should be included in a government-wide federal mobile strategy. The results gathered from this online public dialogue, combined with other efforts, such as a mobile strategy cross-government working group, resulted in OMB's Digital Government Strategy. In February 2013, the Federal CIO blogged that GSA was developing a government-wide mobile device management program.

    Bring-Your-Own-Device (BYOD) Policies and Governance

    In addition to determining how best to secure mobile devices and services, CIOs have had to consider the impact on policy and governance procedures. This includes whether or not to implement BYOD policies and further expanding or creating new governance processes to encompass mobile application development.

    As you can see in Figure 6, about 52% of respondents said their agencies do not have BYOD policies; however, a number reported they were developing them. One respondent said current policy has been effective because of the generic way it was written. This accommodated the rapid pace of technological change without the policy becoming obsolete. This respondent also noted that the initiative's success hinged on up-front buy-in from unions. While some CIOs were able to implement a BYOD policy, others noted obstacles, in particular the inadequacy of security and the lack of device uniformity.

    In order to better govern the use of mobile devices, many respondents said that they either do not have a mobile application development process in place or are in the process of implementing one. A few respondents noted that their agencies are not yet at a point where mobile application development governance was applicable. One respondent said that like any other software development, if an office wants to create a mobile application, they must first develop and submit a business case.

    Increased Use of Mobile Applications

    While agencies are still defining mobile IT policies and governance, most respondents agreed that security was the greatest barrier to the increased use of mobile applications. In addition to security concerns, some respondents pointed to outdated technology or infrastructure as hindrances, as well as rapidly changing mobile technology. While there are obstacles to taking full advantage of mobile devices and applications, agencies have already been able to expand services and improve mission success. For example, one respondent said that, with mobile technology the agency was able to put out sensors that automatically sent information on an ongoing basis, rather than having personnel go out to a site and retrieve the information monthly. Another respondent pointed out that when they hit infrastructure limitations, they were able to continue meeting their mission objectives by providing mobile solutions, such as license plate readers or passport screening equipment.

    Figure 6: Does your agency have a BYOD policy?

    Technological innovations are expanding to every element of life. Exploding at an even faster rate are cyber criminals lurking on the Internet, attacking everything from financial institutions, utilities, transportation, and government.

    Emerging Threats

    Does cyber security remain a leading challenge for federal CIOs? Absolutely! According to GAO, the number of incidents reported to the U.S. Computer Emergency Readiness Team by federal agencies increased by 782% from 2006 to 2012. This is not surprising because of the emphasis placed on technology; as a result, mobile platforms, BYOD, and social media are attractive targets for cyber villains. Figure 7 shows that 70% of respondents said in the last year alone they have seen as much as a 25% increase in cyber security threats. According to one CIO, "There are many parallels between right now and the time right after 9/11 with all of the security threats. Cyber security is the new fundamental terrorism target." GAO and Inspector General reports have identified a number of key challenge areas in the federal government's approach to cyber security, including those related to protecting the nation's critical infrastructure.

    As cyber security evolves, so do the challenges facing cyber professionals. They must adapt and perform at a high level that allows them to identify and initiate quick responses to threats that change frequently in terms of scope and complexity. The government is acting quickly to understand cyber risk and vulnerability and hire staff to protect networks and systems. The need is now for a well-trained federal cyber security workforce to keep the U.S. safe. The CIO Council's 2012 Information Technology Workforce Assessment for Cyber Security, which provided a snapshot of government's cyber security workforce, reported the majority of the federal civilian cyber security professional population is above the age of 40. Some other key findings included information about the level of proficiency and training:

    • Proficiency: participants who had the lowest percentage meeting/exceeding optimal proficiency were in Digital Forensics, and participants who had the lowest percentage with advanced or expert proficiency were in Cyber Operations.

    • Training: participants indicated a training need in Information Assurance compliance, Vulnerability Assessment, and Management and Knowledge Management.

    Cybersecurity

    Figure 7: Extent that threats increased in the last year (Based on number of incidents)

    Exposing the Source

    Are the majority of the attacks coming from external or internal sources? Two-thirds of the CIOs said external attacks are the most prevalent. However, just as troubling are those attacks that occur based on internal weaknesses by those who accidentally let these cyber villains into the network. One CIO said, "Spear-phishing is the top concern and the complexity is increasing." Another said that a majority of the attacks are anonymous hacking as opposed to social engineering.

    One CIO summed it up by saying, "The key issue is not compliance but commitment; people supersede technology." Another CIO commented, "An intelligence agency pointed out our vulnerability, and that was good work!" Figure 8 shows the allocation of external and internal threats according to CIOs.

    Figure 8: Percent of threats that are external vs. internal

    Anatomy of Effectiveness

    We asked CIOs what they were doing to reduce internal threats. While half of the respondents were neutral about the effectiveness of education and training and communication, the other half of respondents believed that they were effective or very effective, as depicted in Figure 9.

    Here is what CIOs are doing to manage the risks:

    • "Education and communication is the best tool to deal with it; I used it to create awareness through 'did you know'-type blog entries in my former CIO job, and we have an annual National Institute of Standards and Technology (NIST) awareness day."

    • "Employees just click through the training and are not really paying attention. It is just a 'check the box' exercise. This year we improved the graphics and animation to keep people's attention."

    • "We conducted a phishing exercise on employees; those who fell for it were directed to a page and told they had been phished. Then we provided some on-the-spot training and education. The reaction was actually very positive. About 15-20% of those receiving the e-mail took the bait. We also provide a fair bit of role-based training for those with security-related responsibilities. We're the only agency besides DoD that we know of who mandates professional certifications."

    • Other methods include locking people out of systems if their training is not complete. The system lockout is effective in terms of getting the user's attention, but if a person with a high caseload, administrative rights, sensitive information processing rights, highly time-sensitive duties etc. gets locked out, it may cause problems and interruptions to daily duties. Also, executives who get locked out are not especially pleased when this happens.

    • "In addition to continuous monitoring, we are rolling out Trusted Internet Connections (TIC). The majority of our traffic will be going through TIC by the end of the year. We are also rolling out Einstein. We use Homeland Security Presidential Directive-12 (HSPD-12), but that can vary by departments with some so diverse that effective use is difficult. I'm a firm believer that two-factor authentication is the key, and we need to drive towards that department-wide for key systems."

    • One CIO said that virtualization has enabled them to reduce the number of security incidents they faced by 98%, and they are rated as the most secure/compliant component in their Department.

    • "Our contracts contain lengthy security clauses to ensure companies take steps to minimize risks to security."

    Figure 9: Effectiveness to improve/reduce internal threats

    Cost of Cyber Unveiled

    Is current spending trending in the same direction as the number of attacks? Sixty-three percent of CIOs say spending has increased by up to 10% (Figure 10). According to one CIO, "OMB holds regular Cyber Stat meetings and is aware of the increased costs of security." Another said at their agency, "Nine percent of all IT spending is on cyber."

    One CIO commented, "If Congress wants cyber security to be a priority it should set the right messages from the perspective of appropriating funds, because I don't control all the funding and I cannot direct it to this area." CIOs want legislation that authorizes the appropriation of funds for cyber security and provides it in the mission budgets. They also want to have control of the entire agency IT budget. CIOs want less oversight and paperwork compliance, and more funding for mandated initiatives.

    Figure 10: Agency Percent increased spending on cyber security

    New Rules of Engagement

    Recently, the President signed Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," which created a framework for government and private sector intelligence gathering on cyber attacks and threats to privately owned, critical national infrastructure. These are systems and assets, injury or destruction of which would have a debilitating impact on security, national economic security, national public health, or safety. The Secretary of Homeland Security should use a risk-based approach to identify critical infrastructure where a cyber security incident could occur and cause catastrophic effects. However, commercial IT products and consumer IT services such as Microsoft, Google, Facebook, and Twitter are excluded. Working together, government and stakeholders who own and operate critical infrastructure need to produce a preliminary framework that meets the expectations of government and private industry and protects privacy and civil liberties. What agencies require is a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.

    We asked CIOs if Congress should modify policies to strengthen CIOs' cyber security posture. One CIO commented, "Representative Darrell Issa has recently submitted the Federal Information Technology Acquisition Reform Act (FITARA) that would take component CIOs away from the operational organization and move them under the Department CIO. All of FITARA is not bad, but this takes some authorities and focus away from the operators, by not having them reporting to component leadership. I don't think this part is a good idea." Cyber security has changed a lot over the last 11 years since so it makes sense for Federal Information Security Management Act (FISMA) to evolve, as well. One CIO said, "FISMA needs to match new legislation." CIOs recommend getting rid of FISMA or updating it to focus on risk versus compliance of standards and guidelines (counting widgets or paper-based checklist) -- less about the procedures and more about whether they are effective. Many CIOs spoke about the importance of automated, continuous monitoring of security controls for real-time risk management.

    CIOs recognize that things shift and change from a technology perspective, so it is important to focus on securing the information vs. securing devices. "Some are using a secure container approach on mobile devices," said one CIO. Containerization creates an encrypted data store on a device so that access to data requires secure authentication, independent of any other device setting or restriction. The contents remain inaccessible even if a device has no unlock passcode, no whole-device encryption, and no security policies. Securing data in a container also allows IT to wipe all business data from a personal device without affecting personal data or applications -- contain the data, not the device.

    While cyber threats increase, policy and practice is racing to keep up. There is no greater imperative, but it remains to be seen whether we are up to the task.

    Not surprisingly, the budget continues to be one of the top concerns of CIOs. The surprising message, a year after we heard that across-the-board budget cuts are thought to be the most feasible but least effective way to control costs, is that budgets are the impetus for trimming costs in areas where money was not allocated efficiently. For example, in the past, CIOs had a hard time consolidating data centers because, in many instances, program offices owned the data centers and funded them with appropriations beyond the CIOs' reach. With the emphasis on cost cutting, those program offices enlist the CIO to help with data center consolidation so they can save money and redirect it to mission delivery.

    Acquisition is a continuing challenge. CIOs cannot address major acquisition problems without an acquisition workforce up to the challenge. Acquisition's overreliance on the use of inappropriate acquisition strategies also affects CIOs. Although the Federal Acquisition Regulations have served agencies well for decades, it is time to take a fresh look at how agencies can access the talent of small, innovative firms. These firms have the needed technology to address an agency's mission, and agencies can procure this technology in days or weeks, rather than months or years. CIOs can also help agencies reduce the risk of complex IT acquisitions and streamline the procurement process so as not to burden companies, especially small ones, with complex and expensive responses to solicitations that may preclude the most qualified firms. CIOs can help their agencies leverage flexible contract vehicles adapted to agile development.

    One area where Congress could assist CIOs is with the budget and governance. Because Congress appropriates the vast majority of IT funds directly to programs, CIOs have little control over how the money is spent. In some large Cabinet-level agencies, CIOs control as little as one percent of known IT dollars. By creating an IT Fund for IT infrastructure costs across agencies, or by appropriating IT infrastructure and cyber security costs to the agency CIO, Congress could help reduce duplication. This could also spur the consolidation of IT and prevent agencies from making duplicative IT investments.

    Cyber security continues to be a top CIO concern, and will likely always be. Nonetheless, it is refreshing to hear cyber security concerns are not severely impacting progress in the adoption of mobile technology. Mobile devices are increasingly used by government workers. CIOs recognize the need to leverage mobility to better deliver the agency's mission, attract the best employees, now connected at all times, and gain the appreciation of an increasingly tech-savvy citizenry that is demanding a dialogue with government in real-time.

    Conclusion

    There can be no doubt CIOs lead in challenging times. However, the silver lining is that CIOs are at the executive table and part of strategic agency decisions; they are becoming more and more trusted advisors in solving mission-critical, rather than just classic IT issues. By collaborating with Chief Operating Officers, Chief Financial Officers, Senior Procurement Executives, and the leadership in the program offices, CIOs are providing the value envisioned when the job was created almost two decades ago. There has been progress, but challenges remain!

    Appendix A - List of CIOs Interviewed

    Note: The titles and positions of the government officials listed below were current at the time they were interviewed.

    Appendix B - List of Interviewers

    Note: The organizations and companies of those listed below were current at the time the interviews were conducted.

    We thank federal CIOs for participating in this year's survey. We also acknowledge the support and contributions of the sponsoring organizations and the time and expertise of the individuals listed below.

    To obtain copies of this report and the survey questionnaires, go to any of the websites listed below.

    TechAmerica

    601 Pennsylvania Ave, NW, North Building, Suite 600
    Washington, DC 20004
    www.TechAmerica.org
    Trey Hodgkins, Senior Vice President, Global Public Sector Government Affairs

    Grant Thornton LLP
    Global Public Sector
    333 John Carlyle Street, Suite 400, Alexandria, VA 22314
    T 703.837.4400
    www.GrantThornton.com/publicsector
    George DelPrete, Principal

    Acknowledgements
