At the NASCIO Annual Conference in Seattle last week, former Texas CIO Todd Kimbriel presented the results of a new study from NASCIO and Accenture that examined where states are in cloud adoption — 89 percent of survey respondents reported that a hybrid cloud is their ultimate goal — and what challenges they’re encountering on the way.
One major barrier Kimbriel brought up was budgeting, which Pennsylvania CIO John MacMillan said comes from the difference between consumption of cloud services, which is elastic, and budget, which is not; state budget cycles complicate that further.
“What’s holding us back from adoption is having our budgets ready to deal with that consumption orientation,” MacMillan explained. The NASCIO study found that 54 percent of states report that opex spending is best for cloud management because it allows for fluctuation of consumption, rather than a capex model with fixed, upfront investments.
Plus, MacMillan noted, moving to the cloud doesn’t necessarily save money, since CIOs have to think of the transition costs in addition to longer-term financial impacts.
Another sticking point the study found in cloud adoption was inconsistency in terms of how states define what the cloud actually is. Forty percent of respondents reported that they use the NIST definition of cloud computing, while 20 percent said they use the term to refer to any off-premise computing.
This lack of a shared definition is a problem, said Arizona CIO J.R. Sloan.
“Language matters, especially when it comes to cybersecurity,” Sloan said. “If we don’t agree on what a cloud is when data is sitting out there, we now have shared risk.”
Interestingly, the survey showed that while CIOs feel the cyber workforce is suitably trained to move a substantial portion of government services into the cloud, cybersecurity is still cited as a barrier to cloud adoption. This issue came up at another session at the NASCIO conference, where former Colorado CISO Deb Blyth said that whether cloud increases or reduces security risk depends on how its configured.
She cited faulty configuration as a factor in the 2017 cyber attack on the Colorado Department of Transportation, when an on-premise service was connected to the cloud as a test, opening an external line for bad actors to exploit. If state IT had been able to detect what was in the cloud, Blyth said, they could have more easily prevented the attack.
Washington CISO Vinod Brahmapuram predicted that, along with adaptive automation and trust in identity and access management, one major area where state CIOs will see a shift in the coming years is around “well-architected cloud options” that don’t compromise security.
