In the constantly evolving industry, IT experts are on the lookout for any innovations, trends or challenges that could potentially impact the future of their products. The growing number of cybersecurity threats targeting the private sector and federal government is resulting in the rapid emergence of new applications and services. When it comes to technology, time is now a luxury, while adaptability has become a necessity.
For Robert Haas, director for applications strategy and portfolio management for HP Enterprise Services’ U.S. public sector, sustainability in the IT market can be defined by a single word — transformation. Haas recently spoke with The New New Internet to shed some light on the importance of transformation in today’s industry and its effects on the businesses that surround it.
The New New Internet: What drew you to HP in the first place?
Robert Haas: I’ve spent 20 years in the IT industry and was originally interested in management consulting work done by a company that HP eventually acquired. I was doing IT strategy consulting for Fortune 500 as well as government enterprises. That was after spending a number of years doing operations work — implementing systems, operating them and planning for the next stages. I gradually started supporting more government work over time.
The New New Internet: Can you start by telling us what application transformation actually means and why it is important?
Robert Haas: Maybe a simple definition is that applications transformation is really an evolutionary change of both business processes and the applications that support them. When you think about an enterprise, virtually every single employee is touched by an application in one form or another. Examples include interacting with citizens, responding to their requests, planning and programming, and conducting an agency’s business. On the military side, they often refer to their business as mission support or performing that mission.
Since you’ve got a business process often closely coupled with the IT that supports it, transformation really involves those two pieces. Transformation becomes more challenging to change one without the other – the most successful commercial and government enterprises are those that have tightly coupled their IT with their business in a way that it’s flexible enough that the IT supports what they are doing almost transparently. That’s really what generates the efficiency.
The challenge on the transformation side is that most of the legacy environments are not geared that way. They were written in a different time with a different set of technologies and a different set of demands. The challenge for us is to make the applications work with the business. The environments themselves have grown pretty much unabated over the last 30 years or so. For example, when DHS was formed, it was brought together out of 22 agencies, and each one had their own environment. To make it efficient, they have to combine their assets and change them such that it supports their mission and their evolving needs.
The New New Internet: That seems like a huge challenge.
Robert Haas: It is a tremendous challenge for most of the enterprises and agencies. You have the legacy environment that consumes a substantial amount of the enterprise IT budget; common figures range anywhere from 60 to 80 percent. Even if you take the midpoint of that, you talk about 70 percent of the IT budgets required to keep the lights on – that really only leaves a small fraction of the budget for investments, innovation and changes. Add to that the complexity of new technologies that are coming out, such as cloud and mobility, the demands of the executives, as well as the enterprises becoming more mobile and demanding instant service. Users don’t have time to wait for PCs to boot, so you will see the rise of the tablet market. They need better and smarter phones. What happens if you’ve got inspectors that could reach back into an enterprise and provide information immediately and pull on histories at a moment’s notice? You’ve got information supporting the decision-making process in the field, and that’s an example of how the business is changing and the way our government clients are looking to support their clients.
The New New Internet: How is this connected to better cybersecurity?
Robert Haas: That’s a great question. When you think about those legacy environments, most of the applications were designed for a friendlier cybersecurity environment. Applications transformation affords the enterprise an opportunity to revisit their security posture and eliminate latent vulnerabilities and insecure applications. Really what it offers you is an opportunity to change your security posture.
In fact, improved security should be a direct result of a well-executed transformation. If you think about it in a slightly different fashion, a well-planned modernization approach can implement multiple aspects of a defense-in-depth approach as you go through each of the steps. Security defects can occur at just about any point in an application’s life cycle. The purpose of applying security techniques during an application transformation is to eliminate the defects in the design and the operations of the transformed system. New attack methods continually evolve external to the application. The effects of these exploits against these applications for any enterprise or government can be quite devastating and expensive, both for a reputation as well as from a monetary perspective.
When we think about the transformation process and the opportunities for improving security, we really think about applications, modernization and transformation in three phases. We look at these phases in terms of assess, modernize and manage. Assess is really about prioritizing the actions needed to improve the business or the mission to achieve maximum benefit from a modernization or a transformation in technology and set the stage for achieving the savings that can be reinvested in further transformations. During this phase, security can be improved by either retiring applications or taking old legacy systems out of production that have vulnerabilities and are no longer supported by original developers, vendors or software providers. You also have the opportunity to highlight various gaps in your security posture. Those gaps might include applications firewalls and SIEMs (Security Information and Event Management systems) and those sorts of toolsets that might not exist in your environment, as well as a reporting structure that goes along with it. Then, when you move to the modernization phase, you have an opportunity to really make the rubber meet the road. That’s really where the business processes and the applications are changed to be more efficient. New systems are tested for security vulnerabilities. Security in this area can be improved by evaluating the architecture and the requirements against the stricter standards and changing the applications to meet these standards. This is an area that isn’t often evaluated by many enterprises.
The New New Internet: How come?
Robert Haas: Part of the reason is that security hasn’t really been considered as an early lifecycle issue. The approaches that you hear about today occur in the latter part of the systems lifecycle. Security analysis doesn’t occur as much in the requirements or in the design phase as rigorously as it does in the development, test and operate phases. There are several systems and products that are available to test security, which is very important by the way; you need to test software as it is being developed and do penetration testing afterward. What I am suggesting here is that there are capabilities and techniques that you can use to look at the requirements and the architecture up front so that you can design the security problems out from the beginning and not code them. If the door is in the wrong place on your house, it is pretty hard to fix after your house is built. That’s really what architecting security in is about. That’s one of the things, for example, that we do and we offer to our clients through an enhanced level of security. We do that through our Comprehensive Applications Threat Analysis. That’s really all about that upfront piece.
Many of the older applications are not instrumented to report anomalous behavior and this could be updated during that modernization phase. Then there is the standard management phase where you apply maintenance patches. You might implement application firewalls and solutions like that.
The New New Internet: How does the applications transformation power innovation?
Robert Haas: That’s a timely question, because it really provides an opportunity for enterprises to change the way they think about their business and the way they interact with citizens and their constituents. The research that we’ve conducted revealed that about 95 percent of the executives in public and private sectors consider that innovation to be a critical success factor. Their top reason was future growth. To drive this innovation, the first area where these executives really wanted to focus and invest their money was in the applications and software space that enables more flexible processes. The most successful enterprises are those that are able to support the efficient business and mission processes with equally efficient IT – so it’s the flexibility and efficiency of the IT that really help drive growth.
When you think about how to compare and contrast this with the past systems, most of the legacy systems don’t provide the flexibility needed to change with the demands of the enterprises, governments and their business partners. For example, systems that are coded on mainframes, client servers or even some of the more recent systems that were developed and coded in web platforms – they often are not structured or architected in a way that easily enables changes. Maybe the application doesn’t have an extensible interface; maybe all of the business rules are hard-coded in the system and they are not easily changed. Applications transformation gives you the flexibility to rethink how you are going to structure your application and also how you are going to support your business processes. If you are going to change business guidelines on how you are going to handle particular transactions, maybe you would want to architect a facility into your solution that can easily adjust with these business rules so you don’t have to code them all of the time. Now there are much better platforms out there than there were in the past. Maybe your business has multiple cycles and you have bursts of activity — one might use tax returns as an example. At least quarterly, businesses and some people have to file taxes, and then annually, the majority of people have to file their taxes. That is a very seasonal type of operation. Maybe it is really expensive for you to operate the platforms at full capacity and maybe you only need one-third of the processing power that you had before. You could use that extra compute power for something else at the other times. Re-architecting your applications enables you to take advantage of that excess processor power to do other things, thereby lowering your overall total operations expenses and providing your business the flexibility to serve with demand.
The New New Internet: What else is important to know with applications transformation?
Robert Haas: It is critically important to think about how businesses operate and how they think about applications. In the past, enterprises haven’t been forced by budget pressures to address the concerns as rigorously as they are probably going to have to. Couple that with the changing technologies in the market, and we are really at an inflection point where there is a once-in-a-generation type of change. A number of years ago, it was the Internet and now we are all comfortable using the Internet for ordering books and conducting driver’s license transactions over the Internet. This next generation is all about making the information available to the people that can make the decisions with it. It is enabling the employees and the constituents to have better information in a timelier manner. That really requires some serious rethinking of the way enterprises approach their applications.