“Information assurance is one of the day jobs. That is, balancing the business benefit of acquiring IT and protecting and securing IT against cyber threat. Assessing risk management equals business benefit versus cyber risk. It is an increasing part of the role I fulfil. It has changed as one of the areas of responsibility,” says John Taylor, CIO of the Ministry of Defence.
“As we get more and more networked – information can flow more freely and we can benefit from that – we need to be much more concerned that it is secure.
That’s where I sit. I interact with lots of different parts of the business and I have a wide span of influence because information is inherent in everything we do.
The consequences of getting the information assurance piece wrong brings everything back to zero.” It used to be that the defence took place on land, at sea and in the air. But the traditional role of the Army, Air Force and even Royal Navy in places such as Iraq and Afghanistan has changed from ‘win the war’ to ‘win the war and police the peace’. Because they are now performing reconstruction and policing roles (systems administration in the broadest sense) information technology has become key to the forces at every level (see A soldier’s view, overleaf). It is also where the performance and equipment of the forces are open to most scrutiny.
In terms of threats to the UK and its infrastructure it is cyberspace where IT is key. How the MoD keeps its information secure – and what is happening in cyberspace to counter the threat – Taylor is keeping under wraps.
What he does say is that there has been a shift in defence thinking and there is recognition of the explicit value of information within the services.
“We are passionate about the defence vision. With the threat of global terror we embrace change along all lines of development,” he says.
Go back seven years to when Taylor took up the post, and his future role must have looked somewhat different. The MoD, an organisation of 90,000 civilians and 300,000 military personnel, operated as autonomous business units each with its own business processes, each sourcing and running its own technology infrastructure. Facing the same HR, finance, logistics and procurement challenges as other organisations, Taylor set out to bring some order.
That meant implementing huge changes in the MoD IT function and changing attitudes in the broader defence community. Achieving the culture change meant “we needed to better understand the pace at which the industry was moving,” he says.
This change was brought about by projects including DII (Defence Information Infrastructure): the framework for other large scale MoD projects; DECS (Defence Electronic Commercial Services): an electronic marketplace for defence procurers and suppliers; The Joint Personnel Administration system: a single repository of military personnel information.
And, looking at the operational front, Command and Battlespace Management (Land) (CIP) “three projects procured as a single entity which serves the Army, Navy and RAF with battlefield management technology”. ‘Combat’: common software tools for operational planning; ‘Infrastructure’: to enable the concurrent operation of other battlefield information software applications (BISAs) and ‘Platform BISA’: a project to integrate battlefield information systems into armoured vehicles. Use is currently limited to situational awareness until BCIP 5 is fielded at the end of the year in Warrior, Challenger and Scimitars armoured vehicles.
But operational support is not just about deploying technology in battlefield situations. Dealing with the information management requirements of an organisation with a ‘global footprint’ and diverse needs first meant defining a strategic rethink.
“The MoD has always had a strong technology focus. What was really needed was to get information seen more as a corporate asset, along with money, equipment and people.
We really needed an information strategy – part of the rationale for my appointment was to put that in place and drive it forward.”
“In terms of IT function itself – where that has changed is in two main respects, we’ve moved from an environment where we’ve done a lot of management service delivery to systems being outsourced .
“The remit that I got was to drive out costs from the IT function, built on the wider defence change. That meant better acquisition and management of our IT infrastructure. Deploying common applications, with some configuration but not building our own and maximising the advantage of the investment we’re making in the market through things such as enterprise-wide agreements.” Change meant technology being deployed to improve management and using the technology itself to drive out management and application costs.
Savings were projected by taking the ‘as was’ model and projecting how much it would cost if there was no change. Once the costs of the changes were arrived at through competitive tendering the savings and benefits were calculated. That was the benchmark position. Then the MoD started looking at doing the IT acquisition and service management better. Overlaid on that were the business benefits – for example network deployment and common applications for HR management. First it looked to network offices to cut down on the management overhead, then used the network as a platform for applications such as HR.
The MoD used to have six HR systems just for civilian staff, on the military HR front each service had distinctly separate HR processes. Taking a joint approach meant staff could take greater responsibility for their own HR through self service with further benefits derived through a harmonisation of approach .
Resistance to change was inevitable, says Taylor.
Getting over it was addressed by first setting projects out not as IT programmes, but as business programmes. “You make sure that each of these programmes has a senior civilian officer driving the process change.” Though vast in scale, and not without its critics, the Public Accounts Committee criticised Bowman CIPs over cost and frustration with lack of functionality. With another National Audit Office investigation never far away, it is the additional security factor that is the main differentiator between the MoD and other change programmes faced by big organisations.
At a frontline level, it is hard to envisage a better example of how networked information benefits meet network risks .
In the operational planning space, Taylor says there is a network enabled capability programme. “Fair to say we’re seeing good information management making its way into operations management .
IT is helping commanders with operations record keeping and they are getting better at applying technology enabled information management principles,” Taylor says.
Security fears aside it would appear so far so standard in terms in terms of change management.
Yet there may be one other area where the MoD programme could stand out. Many CIOs aspire to deploying systems that can be retooled and reused for other applications. Among his many projects, Taylor hints that the systems are being studied both within the MoD and by the Foreign and Commonwealth Office as possible platforms to enable collaborative working in post-conflict situations. The phrase, ‘if you seek peace prepare for war’, is attributed to the fourth century Roman General Vegetius. In 2007 it might be possible to do both using the same IT systems.
John Taylor has worked for the MoD for 35 years and says he is the first man at the MoD to have been given such a broad set of responsibilities. Officially he is the Department’s Senior Information Risk Owner (SIRO) and e-Champion, as well as being the Senior Responsible Owner (SRO) for the Defence Information Infrastructure (DII) and Command and Battlespace Management (CBM) programmes. He also oversees the arrangements for the Department’s compliance with the Freedom of Information (FOI) Act.
His actual job title is Director General of Information Systems and Services. “But if you want to call it CIO, that’s OK,” he says.
IT but not as we know it – a soldier’s view
Brigadier Michael Lithgow, CBE, is managing partner, defence and security at Gartner Group. He has over 30 years experience in defence including deploying IT and communications in hostile environments.
Is the MoD an IT enabled organisation?
Brigadier Lithgow: “If we are talking about MOD in totality – it is enabled for network capability. It is IT but not as we know it. From aircraft to armoured personnel carriers to ships, warfare is completely IT enabled. Is the MoD as a government department IT enabled? That is a different question. Common infrastructure and common applications are major steps forward but there is some way to go before transformation is complete. The MoD is a much more complex environment than people realise, very federated in nature, not hierarchical. The successes have come in providing the building blocks. Bowman CIP and DII are huge steps forward without which it would not be possible to deliver shared situation awareness.”
Is the MoD agile in its acquisition?
BL: “It is in quite a difficult position because of the high level of accountability and dealing, in the most stringent terms, with security of information. The first priority is to be absolutely sure that everything is secure. So in a sense it is not a case of keeping pace with the industry but inevitably it is going to be slightly slower.
It is a case of not always wanting to be on bleeding edge. First it needs to work, have the necessary functionality and have the potential to develop incrementally.” John Taylor, CIO, MoD