It's been said that a budget crisis is IT's time to shine. On the surface it may seem counterintuitive. But many argue that when the chips are down, technology solutions, if deployed appropriately, can drive efficiency and cut costs. However, as any public-sector IT veteran can attest, such a strategy can be a tough sell -- or, worse yet, the legislature has bought into technology as a viable solution to budget woes and starts issuing unfunded mandates to "do more with less."
Such was the situation in New York -- a state that, like most others, is in the midst of a budget meltdown. But even with severe financial woes, the business of government must go on. One job New York Deputy CIO Rico Singleton had before him was to improve the state's IT security. The challenge was to do it with a fraction of the money they'd spent on security in years past.
One approach many state agencies are taking to trim expenses is growing their mobile work force. Employees who work remotely don't need state vehicles, offices and a lot of the things that cost employers money. One thing they do need, however, is security for their mobile devices. So when Singleton was tasked with improving statewide IT security while also cutting costs, he had to factor in the mobile work force too.
Singleton started looking across the state at purchasing patterns that could be aggregated for enhanced buying power and economy of scale. During the state's annual technology planning process -- when agencies submit technology plans for the ensuing year -- IT security became the leading candidate for an enterprisewide overhaul, thanks in part to the New York State Office of Cyber Security and Critical Infrastructure Coordination having issued a requirement for encryption on all mobile endpoints.
According to Singleton, more than half the state's agencies had already standardized on McAfee security software. "So if you look at leveraging your current install base, and you see that they've already deployed in more than 50 percent of the agencies, then obviously there is a prime opportunity there to potentially leverage that value and savings," he said.
Singleton got in touch with former Kentucky CIO Mark Rutledge, who now serves as director of government strategies of McAfee. The two began discussing options for meeting the cyber-security office's requirements for cutting costs.
During those discussions, Singleton said the state gained an understanding of what products it would take to achieve 100 percent endpoint protection. "When we looked at what the agencies were currently procuring, we saw that we had only, on average, about a 10 percent level of protection across the enterprise."
In other words, the ad hoc approach meant the state was achieving only about 10 to 15 percent of the IT security it should have as an enterprise. The reason for the ad hoc approach, from an agency position, was that it was too expensive to buy multiple products or suites of products. So instead, agencies were procuring the security components they deemed most critical.
Singleton said that spurred him to find out if Rutledge could come up with a product suite that would work across the enterprise, offer total protection and cost the state less money.
"We have quite a few customers in the state of New York, and we held a majority of the security products," Rutledge said. "So when it came to New York wanting to find ways to maximize its budget spend, increase its security posture and meet mandates, McAfee decided that New York has been a good partner for us and we wanted to be
a good partner for them. We got together and worked out this opportunity that is beneficial to all parties involved."
Singleton and Rutledge hammered out a solution, in fact, that works to both parties' benefit. That solution came in the form of an enterprise license agreement (ELA). An ELA is not a new concept in government IT. But it is relatively new to government IT security, according to Singleton and Rutledge.
The ELA between New York and McAfee includes a total of 11 products that secure state IT resources end-to-end, including mobile devices. Using the established model of procuring IT security solutions with state rates on state contracts, it would have cost nearly $32 million to achieve this level of protection, according to Singleton. The McAfee deal cost less than $2 million and frees the state to offer unlimited licenses to its agencies. Also part of the negotiation was allowing New York to extend the agreement to counties, which like many state agencies could typically afford only the security pieces that were absolutely necessary.
"One of the reasons we fought so hard to include [the counties] is because we got a lot of input and feedback from the counties that said this is something they would like," Singleton said. "There are counties and small agencies that are paying $30 to $40 per user. When now, with the state enterprise agreement they are going to be able to get it for $3 to $4 -- whatever the cost equals out to. So it's a huge opportunity that they would not previously have had. I've already had a number of counties reach out to me that want to sign up and participate."
The $30 million question is what makes it so much cheaper to do it this way? Singleton said it's all about standardization. Across 200,000 PCs, laptops and mobile devices, and more than 100 state agencies, breaking through the silos and moving to standardization is the key.
"We can manage all 11 products with one client and one agent running on desktops across the agency, across the enterprise," he said. "That's a huge administrative advantage for us."
But getting agencies to standardize is difficult. That's where the ELA came in, as a carrot and stick.
"We removed cost from the equation, we made it more affordable, we gave them the opportunity to deploy as much as they wanted to protect their environment," Singleton said. "We're hoping as a result of that we're going to see an increase of uptake into the adoption of these other products, securing our environment, lowering total cost of ownership for the state."