Top Priorities For State CIOs: 2016

Today's CIOs frequently find their priorities split between opposites. They must maintain existing systems and services that have formed the backbone of traditional IT. But they also have to find the money to invest in the real-time, data-driven, customer-focused initiatives that form the backbone of the new technology infrastructure that modern organizations are built on, or they risk getting left behind. Think about Uber and the taxi cab business, Netflix and the video store, Amazon and the retail book store.

Government CIOs face these same challenges, and a recent survey of the membership of the National Association of State Chief Information Officers (NASCIO) shows how the US state technology priorities both align with those of private sector organizations and how they differ.

[Looking for the 2016 cheat sheet for CIO priorities? Read 10 Skills CIOs Need To Survive, Thrive In 2016.]

"On one hand, the state CIO really has to be pragmatic. They have to be the person talking about the life cycle of these monolithic IT systems," Darryl Ackley, CIO of New Mexico, told InformationWeek in an interview. Ackley is also the current president of NASCIO. "On the other hand, you've got an increasingly short time frame to adopt new things like Web and mobile. And it's not just a tech problem. It's also a staffing and resourcing problem."

Ackley said state CIOs must balance these priorities -- the cost center of traditional IT versus the business-savvy adviser on Agile development and implementations -- while at the same time navigating cultural, political, and resource challenges.

State CIOs face budgeting challenges. In most states, Ackley said, IT is charged to various departments as a shared service, but the rates for those services are set based on the previous year's data. Plus, rates are not just based on this data. They are set by committee, so proposed rates face a long path to approval.

It's within this storm of opposing forces, politics, and trends within the greater technology market that CIOs must implement initiatives for state technology agendas. Here's a look at the 10 top priorities for US state CIOs in the new year.

Elite 100 2016: DEADLINE EXTENDED TO JAN. 15, 2016 There's still time to be a part of the prestigious InformationWeek Elite 100! Submit your company's application by Jan. 15, 2016. You'll find instructions and a submission form here: InformationWeek's Elite 100 2016.

The question of disaster recovery and business continuity has been at the bottom of NACSIO's list of priorities for the last few years.

"It is one of those things that can be difficult to make much progress on," New Mexico CIO Darryl Ackley said. "It's a perennial issue, like cyber-security. If something goes wrong and we are not prepared, it will be bad for the state CIO."

The issue can also be difficult to explain to other agencies. Some agencies will view outages as IT failures and ask why they should deal with picking up the pieces. Ackley said the challenge is to get agencies to create a game plan for outages instead of focusing on blame.

According to the priorities list, NASCIO's disaster recovery/business continuity category includes improving disaster recovery, business continuity planning and readiness, pandemic/epidemic and IT impact, and testing.

This year marks the first time Agile development has hit the Top 10 priorities list for NASCIO, and Darryl Ackley, NASCIO president and N.M. CIO, reports that there have been some early adopters among state CIOs, including Jim Smith from Maine.

Many state governments may have trouble implementing Agile development, however. That's because the contracts they forge with external providers are incredibly detailed. For instance, a contract might specify that the developers create a certain screen for an application. Then they must create a specific next screen. States require these kinds of contracts because they may have been burned by contractors in the past. Yet, such contracts are more the "waterfall" development style.

"That's completely incompatible with Agile," Ackley said.

According to the priorities list, NASCIO's Agile and Incremental Software Delivery category includes iterative design, incremental development of software solutions, and the design modifications, prototyping, and addition of new capabilities necessary as part of the development process.

There are several challenges in this category, according to NASCIO president Darryl Ackley. One of the biggest is the fact that so many current IT leaders are Baby Boomers who are nearing retirement age. While there are plenty of Millennials entering the workforce, there's a big empty gap in the middle.

"So you've got a lot of folks with decades of history and cultural knowledge about the systems, and then you've got a large number of entry-level folks. To them, the way we do things makes no sense. 'Why do I have to fill out a form to develop an app?'"

Other challenges include the lengthy bureaucratic process for recruitment, having a unionized workforce, and retaining some of the entry-level Millennials who do not plan to stay with their jobs for their entire careers.

In New Mexico, Ackley said, there was no mechanism to create internships for IT workers, so that was a program he had to put in place when he arrived in 2011.

"Our job classifications are incredibly rigid," he said.

According to the priorities list, NASCIO's Human Resources/Talent Management category includes human capital/IT workforce; workforce reduction; attracting, developing, and retaining IT personnel; retirement wave planning; succession planning; support/training; and portals for workforce data and trends.

Why isn't budget, which pays for everything, higher on the list? Because the priorities that rank higher are the ones that state officials recognize as important, so CIOs must put them first in order to get the budget to fund those initiatives. There also isn't much that state CIOs can do to control budget.

NASCIO president Darryl Ackley explained that while non-IT state agencies are either generally funded or federally funded, IT is treated as a service that is charged as a fee to the agencies that use it. Then there's a federal requirement that IT break even year after year. Yet the fees that are set are based on last year's data about IT use. By the time the fees are charged next year they are based on two-year-old information.

"If I start doing well on a service, I have to ask for the budget to be increased to pay for it," Ackley said. But those changes can't happen dynamically. It's an annual budget process.

"The budget is not Agile at all."

According to the priorities list, NASCIO's Budget and Cost Control category includes managing budget reduction; strategies for savings, reducing, or avoiding costs; and dealing with inadequate funding and budget constraints.

This year marks the first that this priority has appeared on the NASCIO top 10 priorities list. The elevation of this priority is all about CIOs working to move from the back room to the boardroom as technology becomes the underlying framework of everything we do, according to Darryl Ackley.

"This is about our transition into how we are helping drive the agenda of the administration," Ackley said.

According to the priorities list, NASCIO's Enterprise Vision and Roadmap for IT category includes the vision and roadmap for IT; recognition by administration that IT is a strategic capability; integrating and influencing strategic planning and visioning, with consideration of future IT innovations; and aligning with governors' policy agendas.

This priority moved up in position for this year's list. Darryl Ackley said legacy modernization can be tricky because it's something everyone knows they have to do, but it's not the big glamorous project that will win you the support and accolades that you need early on to help drive other projects.

"Once you've been on the ground for a while, you realize this is going to be a perennial pain point," he said. "A lot of state CIOs would rather focus on building hovercars, making the state Agile, or going mobile. But the reality is that you will spend a lot of time doing legacy modernization. You have one foot in each lane."

This could mean legacy mainframe systems that haven't been maintained or updated. For instance, Ackley's team spent months updating one such system to be able to accommodate an extra digit in records. It was painful, but necessary.

According to the priorities list, NASCIO's Legacy Modernization category includes enhancing, renovating, and replacing legacy platforms and applications, and working on business process improvement.

This year marks the first time business intelligence and data analytics have shown up on the priority list.

"Across the states you are seeing senior policy officials who are starting to crave the ability to make decisions based on data," Darryl Ackley said. For instance, in his state of New Mexico, officials want to use longitudinal and demographic student data to look at socio-economic impacts and improving student outcomes. For higher education, data can be used to ensure that students graduate ready for the workforce.

Ackley said there are many use-cases, including ones in public safety and judicial case management.

Implementation of these kinds of systems is still fairly uneven across the states. "There are bright spots across the country, but for lots of folks it's early days."

According to the priorities list, NASCIO's business intelligence and data analytics category includes applying BI/BA within the enterprise, communicating value, building expertise, delivering shared services, exploring big data, and data analytics.

State CIOs provide technology and technology services to multiple agencies, but those departments don't all operate on the same infrastructure. In an ideal world, all state agencies would use the same standard technologies, thus simplifying the IT maintenance and support required. But people get attached to the systems they use.

Even as state CIOs push to cut costs by getting all agencies to use the same systems, agencies can resist change and push back. The challenges here are very much cultural and political, rather than technical. Darryl Ackley said his best approach for selling the idea of centralized IT to detractors has been showing them the potential cost savings.

"There are some instances where I've been able to say, 'Here's what we are spending on ten systems that all do the same thing. Here's what we would spend if we were on one system for that.'" Those kinds of numbers speak for themselves, but there will always be influential holdouts with their own numbers to sell their own agendas.

"You've got to pick your battles, or pick the hill that you want to die on," Ackley said. He frames the discussion this way: "Please see centralized IT as the canvas on which you can paint your masterpiece."

There are no best practices for state CIOs here, Ackley warned, with each state presenting a unique set of stakeholders, challenges, and politics. But there are individual state CIOs who have managed to "crack the code" for selling consolidation and centralization.

According to the priorities list, NASCIO's consolidation/optimization category includes centralizing, consolidating services, operations, resources, infrastructure, data centers, communications and marketing "enterprise" thinking, and identifying and dealing with barriers.

Cloud has been in the top three of the NASCIO priority list for the last four years, Darryl Ackley said, and it's been on the Top 10 list since 2010.

"A lot of the driving forces for cloud in the states are similar to those in the private sector," Ackley said. Those include being able to deploy new systems without deploying new hardware infrastructure. But this varies widely state-by-state, he said, depending on local rules and statutes regarding where data lives -- in house or in the cloud.

Some states are very progressive in moving to the cloud. New Mexico is in pilot mode with such a program, Ackley said. Meanwhile IT organizations in state governments face challenges in educating procurement personnel on how to deal with the cloud.

According to the priorities list, NASCIO's cloud services concerns include cloud strategy, proper selection of service and deployment models, scalable and elastic IT-enabled capabilities provided as-a-service, governance, service management, service catalogs, platforms, infrastructure, security, privacy, and data ownership.

The issue of security and risk management tops the list of state CIO concerns for the third year in a row, and it's been on the list since 2006.

As more state systems are exposed online to the public, security necessarily becomes a greater focus.

"Every time we put a system online, we are exposing it to cyberattack," Ackley said. The big challenge for state CIOs is often how to apply 30 or more different security standards for each of the agencies that can interact with the public online. Tax and revenue departments will have different needs than licensing agencies, for example.

"We are only as strong as the weakest link."

There's also been a rise in attempted hacks and attacks over the past several years, Ackley said. He should know. Security is Ackley's specialty. Before joining New Mexico as its CIO, he worked at a research institute focused on cyber and system protection at a public college in the state.

NASCIO's Security and Risk Management category includes governance, budget and resource requirements, security frameworks, data protection, training and awareness, insider threats, third-party security practices as outsourcing increases, and determining what constitutes "due care" or "reasonable."

The issue of security and risk management tops the list of state CIO concerns for the third year in a row, and it's been on the list since 2006.

As more state systems are exposed online to the public, security necessarily becomes a greater focus.

"Every time we put a system online, we are exposing it to cyberattack," Ackley said. The big challenge for state CIOs is often how to apply 30 or more different security standards for each of the agencies that can interact with the public online. Tax and revenue departments will have different needs than licensing agencies, for example.

"We are only as strong as the weakest link."

There's also been a rise in attempted hacks and attacks over the past several years, Ackley said. He should know. Security is Ackley's specialty. Before joining New Mexico as its CIO, he worked at a research institute focused on cyber and system protection at a public college in the state.

NASCIO's Security and Risk Management category includes governance, budget and resource requirements, security frameworks, data protection, training and awareness, insider threats, third-party security practices as outsourcing increases, and determining what constitutes "due care" or "reasonable."