IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Budget, Cybersecurity Are Barriers to State Cloud Adoption

At the NASCIO Annual Conference in Seattle, state chief information officers explored the challenges they're encountering as they move systems to the cloud and how to navigate them moving forward.

lobby of the 2021 NASCIO Annual conference in Seattle
Cloud services made their first appearance on the National Association of State Chief Information Officers’ (NASCIO) list of state CIOs’ top 10 priorities in 2010, and the way governments approach cloud has come a long way in that time. In the past several years, there was a shift away from a gung-ho “cloud first” strategy to what many CIOs called “cloud smart,” and while IT leaders still see cloud as the way forward, they’re taking a measured approach.

At the NASCIO Annual Conference in Seattle last week, former Texas CIO Todd Kimbriel presented the results of a new study from NASCIO and Accenture that examined where states are in cloud adoption — 89 percent of survey respondents reported that a hybrid cloud is their ultimate goal — and what challenges they’re encountering on the way.

One major barrier Kimbriel brought up was budgeting, which Pennsylvania CIO John MacMillan said comes from the difference between consumption of cloud services, which is elastic, and budget, which is not; state budget cycles complicate that further.

“What’s holding us back from adoption is having our budgets ready to deal with that consumption orientation,” MacMillan explained. The NASCIO study found that 54 percent of states report that opex spending is best for cloud management because it allows for fluctuation of consumption, rather than a capex model with fixed, upfront investments.

Plus, MacMillan noted, moving to the cloud doesn’t necessarily save money, since CIOs have to think of the transition costs in addition to longer-term financial impacts.

Another sticking point the study found in cloud adoption was inconsistency in terms of how states define what the cloud actually is. Forty percent of respondents reported that they use the NIST definition of cloud computing, while 20 percent said they use the term to refer to any off-premise computing.

This lack of a shared definition is a problem, said Arizona CIO J.R. Sloan.

“Language matters, especially when it comes to cybersecurity,” Sloan said. “If we don’t agree on what a cloud is when data is sitting out there, we now have shared risk.”

Interestingly, the survey showed that while CIOs feel the cyber workforce is suitably trained to move a substantial portion of government services into the cloud, cybersecurity is still cited as a barrier to cloud adoption. This issue came up at another session at the NASCIO conference, where former Colorado CISO Deb Blyth said that whether cloud increases or reduces security risk depends on how its configured.

She cited faulty configuration as a factor in the 2017 cyber attack on the Colorado Department of Transportation, when an on-premise service was connected to the cloud as a test, opening an external line for bad actors to exploit. If state IT had been able to detect what was in the cloud, Blyth said, they could have more easily prevented the attack.

Washington CISO Vinod Brahmapuram predicted that, along with adaptive automation and trust in identity and access management, one major area where state CIOs will see a shift in the coming years is around “well-architected cloud options” that don’t compromise security.
Lauren Kinkade is the managing editor for Government Technology magazine. She has a degree in English from the University of California, Berkeley, and more than 15 years’ experience in book and magazine publishing.