The following article is the transcript of a speech given by Australian Government chief technology officer John Sheridan to a conference entitled “Tomorrow Ready CIO” in Canberra. It covers the developing use of cloud computing by the Australian Government and the measures undertaken by the Department of Finance and Deregulation to provide guidance and procurement support for agencies using the cloud. Sheridan’s major point is the need for CIOs to be brokers, not blockers, of cloud services. A view of the presentation, with short slide annotations, can be found here. Sheridan welcomes comments on the speech.
It recently appeared on the blog of the Australian Government Information Management Office under a Creative Commons licence.
In 2008 the government contracted Sir Peter Gershon to do a review of IT across the government, and many of you will have been involved in aspects of that, and know some of the outcomes. Sir Peter made seven recommendations, the one I want to concentrate on today is the recommendation about the Data Centre Strategy.
Our figures show that at the time we were spending some $870 million a year on data centres, and those data centres ranged, as you would appreciate, from very small data centres, maybe a server under a desk perhaps in some agencies, to very large purpose built data centres. Some were outsourced, some were insourced, there’s a whole range of expenditure.
Sir Peter suggested that if we did nothing new over the next ten to 15 years, we would probably incur an additional billion dollars in costs that we would otherwise be able to avoid. So his recommendation was that we do some work in trying to avoid a billion dollars in costs between 2010 and 2025.
The government then developed a Data Centre Strategy which was launched in March 2010, and that Strategy contained a range of actions. I’ll talk about those in a moment. First, please note that a billion dollars’ worth of avoided costs and $3.50 will get a cappuccino. The important thing about avoiding costs is that is money that the government hasn’t given you and doesn’t need to. It’s not about savings, which is a different arrangement. It’s about doing things so you don’t need to spend money, and it can be put to other uses.
Now the data centre facilities work: the first thing we did was set up a panel for data centre facilities. That panel now covers over 20 sites around Australia, not in all large locations, but in very many of them. Having consulted with industry and agencies, we decided that the sweet spot would be procuring 500 square metres as a minimum of data centre space.
But even as we were doing the work it became apparent that people had started selling data centres in terms of power, not in terms of space. Five hundred kilowatts rather than 500 square metres. And we put that into our work as well.
Over that time, since the panel was established, we’ve signed up over $300 million worth of contracts, and our estimates show that that’s avoided some $24 million worth of costs to date. Now it doesn’t sound much, but we’ve got ten to 15 years to reach that target. And the way that, as you would all know, the way that agencies work is you don’t sort of creep up on the data centre arrangement, it’s something that you do in large blocks, and that changes the way it works. I think it’s important to remember also that there are large agencies in the Commonwealth that might not necessarily need to do some of these things because of the work they’re already doing.
Let me give you a little tour of virtualisation. In 2008/09, the first year that we did the whole of government benchmarking exercise, the virtualisation ratio for government, that’s the number of virtual operating systems to the number of physical servers was 1.6 to 1. The next year it was 2, in 2010/11 it was 2.3 against what was then a Gartner worldwide average of 1.9. Now it doesn’t sound very much when all of us know you can get 15 to 1 ratios on a single core and therefore on a quad core machine you might get 60 to 1 for certain loads in certain circumstances.
But that ratio across the government indicates that it’s quite well developed. Indeed I anticipate that when we look at the 2011/12 benchmarks, we’ll see a ratio then of greater than 3 to 1, representing a doubling of virtualisation in four years. And I think that shows that there is a lot of work going on in government already about building the sort of things that you anticipate in the Cloud Computing area.
I’m very clear when I talk about this, to make sure that people understand that Cloud Computing is a different way of buying IT services. There isn’t any particular magic in the technology, indeed we’ve used the technology in our data centres for some considerable time. Anyone who’s running a data centre now obviously is going to have virtualisation, they’re going to be looking at varying their supply depending on what the load is, they’re going to be working out the best way to get that data centre running most efficiently.
And of course that’s some of the stuff that we see in Cloud. But what we do see in Cloud is a different sort of paradigm that can be addressed. Let’s think about government agency spend on IT for a moment. It’s been constant at $5.2 billion thereabouts over the last three years of benchmarking.
There are about 19 portfolios in government. Six portfolios and their agencies spend 81% of that money. But the next billion dollars is spread over 57 agencies and they’re not the agencies that were in those large portfolios. There are 60 agencies we know, not necessarily those same ones, but 60 agencies we know that spend less than $2 million a year on IT. That means they’ve probably only got four or five people running their IT shop. And they’re looking for ways, obviously, to be more efficient in what it is that they’re doing. They’re trying to find how they can get the best value for their dollar in IT services.
We know that 39% of the ICT contracts by value went to SMEs in 2011/12. We’ve published all our contracting data across the entire government since 1999 on data.gov.au if you want to have a look at that, you can download it and analyse it all you like if you want.
Fifty seven per cent of the contracts by number go to SMEs. Clearly there’s a demand for looking at work in IT that isn’t in the multi-billion dollar area, that isn’t even in the multi-million dollar area necessarily.
What we’re looking at is a new paradigm of buying IT in these smaller arrangements. In Data Centre as a Service, we didn’t set out with a statement of requirement and say to the vendors that they must meet all these requirements. Instead, what we said is that you must describe to us what it is that you’re selling. You need to talk about whether or not your data centre is secure, whether or not it’s in Australia, what are your service level agreement arrangements, what’s your up time, what’s your help desk? And we categorised those things into a spreadsheet that shows the offerings of what is now some 50 vendors and some 1,200 services being provided.
Now you can see exactly what they are by typing into your favourite search engine ‘finance dcaas xls’ and you’ll get to the page that’s got the spreadsheet that covers all those services. You’ll be able to look through, running the filters that sit on the spreadsheet, and see what services are being provided through the Data Centre as a Service Multi-Use List. Now they’re not all Cloud services, but they’re certainly Cloud or Cloud-like services.
We knew that there were other things that we needed to do in order to make sure we could make this easier for agencies to deal with. The first of those was to get a standard head agreement. So under this multi-use list what we’ve actually done is signed all vendors up to exactly the same head agreement. We put that head agreement out on our blog initially, and we took comments about it, and we adjusted it in order to make it better for vendors and for agencies. And I think just as an aside, the use of social media in this sort of policy development work is another interesting change in how we manage IT across government.
Once we got that right we put in also some things that would reduce the legal complexity for agencies and for vendors, because as much as we like to spend our money on IT, I’m sure all of us don’t like to spend it on lawyers. We included compulsory arbitration, so that reduces the risk for these contracts. The contracts are limited to $80,000. Why? Because first of all, in the Cloud you can get a fair bit of computing for $80,000. But secondly, this is below the covered procurement ceiling, and means that the way that you buy those services is dictated by your agency chief executive instructions, and not by the need to go to open tender above $80,000. This speeds up the process and allows agencies to do what it is they want to do in order to buy the services.
We also have a limit for a year, 12 months for a contract. It doesn’t mean that you can’t go out to market again and do the same thing again with the same vendor if you want to, but what you can’t do is roll over the contract year and year and year.
Now it’s interesting that as we’ve put this in place there’s some discussion already about expanding these limits, could we get a bigger ceiling, could we get longer timeframes involved? And I do think there’s some possibilities in order to do that, driven largely by the need to get a head agreement that fits those arrangements. Because as I said, the current head agreement is specifically aimed at meeting these particular levels to reduce risk.
What have we got as a consequence of Data Centre as a Service? We’re getting turnarounds that are surprisingly quick. And I mean we ought to have expected this, but to actually see it happening is interesting. I’ve seen us take a week to get a quote from vendors, we get the best quote, we sign up the vendor, and in my organisation specifically, the team then said to the vendor, OK, well we’ve signed this, we’ve signed up the order, when will the services be ready? And I knew that they were thinking a week or a month, or something like that. And that would have been fine. They were ready the next morning. And this is the change I think, in what we can get out of the Cloud in these smaller things, turnaround times that reduce significantly how long it takes us to get to market and deliver small services. Things that the business needs quickly and immediately, rather than having something that might drag over time.
Now of course it’s not for everybody, and for all arrangements. There’s a need to make sure we’ve got a couple of things. And we’ve learnt some lessons already in terms of this. As I mentioned at the outset, vendors were asked to describe what is their security arrangement, are they accredited, what level can they hold data up to, where’s their data centre in order to meet privacy requirements, and things like that.
But we found that one of the things that was still slowing down, to some extent, the running out of the system that’s been built in using Data Centre as a Service, was the need to get the accreditation that’s required under the Information Security Manual, even for unclassified systems. Now obviously an unclassified system needs a lot less accreditation than a classified one. So one of the things we’re now considering is to say to the vendors look, what would be good is if you’ve already done your systems security planning, if you submit those things now, that will increase the speed at which we can get a system signed up. This will help bring these services to market more quickly, to get the sort of effects that clearly the business wants in improving the way IT services are delivered.
Now we’ve done a lot of work about providing guidelines for the use of data centre as a service, but for the use of Cloud Computing generally. (For those of you wondering what this slide is about, they’re actually SA2 guideline missiles. I just thought I’d throw that in to demonstrate that I used to be in Defence.) The guidelines are available online and if you type “AGIMO cloud guidelines” into your search engine, you’ll be able to find those, and they talk about things like legal and financial guidelines, how to set up Cloud services, the Cloud Strategy that we have already, and the changes that you might make to what it is you’re doing in order to get a better service more quickly.
DSD has also published Cloud security guidelines, and people who are setting up Cloud services for their agencies, I strongly recommend you look at those as well, because they provide a bunch of useful information about what it is you need to do, particularly in the security sense, for setting up services.
So having got all this in place, the question then comes what’s the future around this, how are we going to continue to deal with Cloud services as government IT providers? I think there are a couple of things, some of which you’ll have heard of already today, that are going to influence this.
First is the use of mobile devices, the bring your own device arrangement, the notion of the personal cloud where you store things. These slides are built in an application called Haiku Deck, cost me $2.00 I think, I run it on my iPad. It has a number of advantages, but one of them is that all these slides are creative commons licensed and can be used with appropriate attribution. And indeed if you look at the slides carefully you’ll be able to see where the attribution is on each of them.
The interesting thing is, I didn’t need PowerPoint to build this presentation. That means it’s a change in how we buy IT I think. Now there are going to be reasons to use big applications and to continue to use them, for a whole range of things across agencies. But there’s now an opportunity to get cheaper, faster, targeted services in a way that previously wasn’t possible.
What we know of course, is that business wants services like that, and because they are so cheap, and they can buy them on their government credit card, we’ve got an explosion of IT. And I think it’s interesting if you’ve been in government for a long time, to look at that cycle of IT work. We’re almost at risk of going back to where we were when computers weren’t networked, not because we can’t move information between them, but rather because agencies don’t necessarily know where their important data is if it’s being run on systems bought by the business on applications bought by the business, and held somewhere in the Cloud. What it means, I think, is that CIOs need to change their approach. Because it’s so easy to go round the CIO in buying these services in the Cloud, if you try and set up a wall, it won’t work. And worse, you might not know that it isn’t working. And business might say, oh well that’s fine, but we wanted it quickly and we were able to do it, and that’s it.
What happens when all of a sudden the business discovers it’s got five or six financial management systems again? When it discovers that it doesn’t know where its data is, again? Where it discovers that important corporate data is distributed in the 2013 equivalent of a million Access databases across the organisation. Who will be blamed? I think it’s clear that the CIO is the one who if not being blamed is the one who’ll be tasked to fix the problem.
So what do I think we need to do? I think CIOs need to become a broker of these services. I think we need to be able to provide Cloud services in a way that the business can use them, but in a controlled way that allows us to see where they are, that provides appropriate services for appropriate business tasks, that keeps a record of where they are, make sure that we don’t duplicate things where duplication is bad, sometimes it’s not. Make sure we know where the corporate data is held, make sure that it’s secure and available. What we’re doing is being ready for tomorrow as a CIO, is meeting the business need in a way that maintains the continuity of IT services. Because if we don’t do that, I am concerned that we’ll find ourselves in a relatively short period of time having to pick up the pieces in a way that won’t be very pretty.