Imagine traveling in a post-COVID-19 world. After you get past thoughts of sun-soaked beaches (or even just the excitement of leaving home), you conjure up images of security screenings that don’t just x-ray your bags, but also screen for contagious pathogens or examine “health passports.” Screening for rapidly shifting health threats would seem like an unattainable goal for any security organization, but we’ve seen it done before.
In the aftermath of the attacks of 9/11, security agencies across the globe quickly realized that screenings could only be accomplished at the scale and speed needed if they were tailored based on different risk assessments. The problem is that threats constantly evolve, meaning that risk assessments and detection capabilities need to evolve as well to keep up. This forces security agencies into an uncomfortable dilemma: either keep systems operating as they slowly drift out of date or take them off-line to update and risk having gaps in coverage.
Fortunately, there is a way out of this dilemma. While there exists an inherent tension between seamless operations and system modernization, a properly balanced approach that emphasizes continuous discovery and accelerates capability deployment through an Agile, DevSecOps approach can help agencies do both.
From enabling veterans to access health care to cybersecurity screenings for critical infrastructure, the ability to modernize mission-critical systems while simultaneously executing operations with zero disruption is non-negotiable.
While the average lifespan of software is approximately six years, and mobile applications closer to two to three years, the lifespan of large government systems is often many decades. Intermittent upgrades may enable modernization of mission-critical systems at a point in time, but they quickly become out of date. While this can be inconvenient for desktops and laptops, it is a serious issue for mission-critical systems, degrading their ability to mitigate the newest, most critical threats as well as take advantage of modern technology approaches that reduce cost and technical debt over time.
Agile + DevSecOps
So how can the government agencies we depend on 24/7/365 continuously upgrade mission-critical systems without the risk of disruption and maintain focus on application, system, and platform security at every step of the way? An entirely new approach is needed—one that pairs Agile and DevSecOps with a willingness to embrace innovation.
Technology never stands still, so building new solutions based on requirements drafted in the past will always result in out of data solutions. The Agile method of software development allows teams to discover requirements as they build, ensuring teams are always working towards the most relevant goals. However, the best requirements are unearthed by real users, meaning that development, security, and operations, all must work together to continuously operate and improve solutions. That is the heart of DevSecOps.
The combination of Agile and DevSecOps results in an IT organization built not only to operate systems, but simultaneously develop new capabilities. And, it enables organizations to do so securely from the beginning by tightly integrating security tools and processes throughout the DevOps pipeline and automating (and embedding) security controls at every stage of the software development lifecycle including operations and maintenance—all while lowering costs along the way. However, agencies seeking to implement (or mature) their own DevSecOps practices should carefully architect their organizational culture and practices to ensure they are taking full advantage of all that DevSecOps has to offer—from automation to continuous security monitoring of production systems and everything in between.
Given the benefits, it is no wonder this approach is showing up across government. Everything from F-22 software upgrades to government background investigations are turning to Agile and DevSecOps to make sure they can provide the most up-to-date, innovative solutions quickly and for less cost.
While DevSecOps transforms organizations to enable them to both modernize and operate at the same time, the challenge can be that many government agencies are themselves just not built to be able to operate that way. For example, in many organizations, funding operations and maintenance of existing systems and acquisition of new systems are separated into different appropriation categories or “colors of money.” This can make it difficult to fund one organization to do both operations and development at the same time. However, in a mature DevSecOps model, organizations can achieve the development agility they need to stay one step ahead and the operational stability they need to support the mission.
Make It a Reality with Partners
If a shift to Agile and DevSecOps is what government agencies need to do to stay at the cutting edge, but those very practices are inherently challenging to achieve within the structures of legacy government IT organizations, how can organizations make meaningful progress?
Partnering with industry, who is less constrained by legacy systems and organizational structures, may be the answer to achieving the agility needed to rapidly respond to new threats. The key is finding partners who not only bring the technical chops necessary to drive this transformation but who can do so without disruption to ongoing systems, driving stability and minimizing risk along the way.
The Transportation Security Administration is a prime example of how government is looking for not just partners, but the right partners. Like many agencies, TSA is looking to industry to partner with them on hard-to-find skillsets such as cyber. These partners become the “safe pair of hands” that government agencies need to advance the mission securely. With deep mission expertise and critically-needed resources, the right partners can help government break the trade-off of operating or modernizing to prepare for the challenges of tomorrow while sustaining mission-critical operations.
Joe Mariani is a research manager with Deloitte’s Center for Government Insights.
Elizabeth Krimmel is a senior manager in Deloitte’s Government and Public Services practice.