No one today would dispute the importance of information technology in the modern world. But as federal IT budgets shrink and the threat of persistent cyber adversaries increases, we are seeing a tension between the need to reduce IT procurement costs and the imperative to remain agile and vigilant in the cyber fight. These stresses have resulted in an impulse to commoditize IT, often without fully incorporating a strong cyber posture and without considering the costs that will come after the procurement.
Risks in cyber abound, and as more devices are added to the network, the attack plane only grows wider.
Every federal government leader I have seen speak in the past 5 years has addressed this in some way. Their common message: We need agile IT procurement that lets us respond quickly to emerging threats.
The Dangers of Commodity
When we treat IT as a commodity, it rapidly falls to a common set of minimum requirements. When I want to buy a pen, my requirements are simple: I can hold it in one hand, it writes in black ink and will last five years. We don’t need a pen to do much more than that, and we can buy pens from almost any supplier because there isn’t much difference between them.
IT is different. Why treat IT — the necessary enabler for everything an organization does and which supports all of its decision-making —like a box of pens?
Learn all about Cisco’s bold new network.
Buying a server or a router is more like buying fighter jets than pens. Sure, there are common capabilities within the product line. But the true value of IT infrastructure today lies in non-traditional outcomes that are now possible. Whether it is simplified and centralized management of the network, deep data packet visibility or the ability to reduce energy consumption, commodity buying never allows us to innovate to that level. Instead, we see the deployment of solutions that aren’t so different from what we saw in 2007.
Most importantly, unlike a pen, there are costs to IT that are borne immediately after the hardware is bought, and for the rest of its useful life. As a rule of thumb, 70 percent of an IT budget is usually allocated to operations and maintenance, while only 30 percent is allocated to new procurements. In many data centers today, power consumption is only now being measured and reported, even though it is clearly an associated cost. Cisco factors environmental impact and costs such as power into its overall approach to designing and building data centers.
The Death of Innovation
Too often, agency executives see the Lowest Price Technically Acceptable (LPTA) solution as an attractive prospect. It means they’ll get their needs met for a minimal expense. However, it also means they will get minimal work. LPTA means engineers are motivated to deploy hardware in the most cookie-cutter methods possible, resulting in little customization.
Read “Acquisition 101: When a Bargain Isn’t a Bargain” at GovExec.
I recently spoke with a CXO-level executive who bragged of his work in driving affordability in IT by using a low cost evaluation model. But he also told me he expected he would get innovation from his systems integrator. He looked a bit taken aback when I explained that in the low cost model, the SI was motivated to deliver the minimum, and use the most basic engineering techniques to deliver the solution.
Moreover, OEM hardware and software providers are rated by how inexpensive their solutions are. Often the result is a solution that looks very similar to one requested years prior, and uses hardware nearing the end of its lifecycle.
Imagine if you bought a new car that sat in a warehouse for four years before you started using it? In LPTA, innovation dies because the SI is unlikely to take a risk for such a minimal return, nor is an equipment provider going to give away features for free.
What Does It Really Cost Me?
By working through the LPTA contracting model, which allows for commodity procurement, we rapidly see the pitfalls. My pens costs 25 cents each. It sounds like a bargain, but what if I have to throw out half of them because they don’t work for long?
Now imagine a company introduces Pen 2.0, which can integrate with the older pens, brings new features and costs 75 cents per pen? Under an LPTA philosophy, the government will never see it. In fact, if only one manufacturer offers Pen 2.0, the government couldn’t even make 2.0 technology a requirement as it would be unfair to competition. The makers of Pen 2.0 could choose to bid Pen 2.0 at a lower price, often taking a loss, just to get it into the federal market — which has the added risk of making that the new normal pricing for Pen 2.0, eroding the maker’s profit margin, and therefore taking funds out of innovation.
Consider another example: The military needs trucks to carry personnel and equipment through combat zones. If the only requirement is at the commodity level — a truck needs to carry stuff — they will have a range of inexpensive options to choose from. But in reality, the truck needs to protect personnel against roadside explosives and snipers, and to be reliable. Thus, in the Joint Light Tactical Vehicle competition, the awardee (Oshkosh) was able to demonstrate that their vehicle had six times longer between breakdowns than their competitor. This is a critical factor that might not have been evaluated if we simply said “It’s a truck and we need to carry stuff on it.”
In IT speak the corollary is clear: If we remain focused on the most fundamental requirements — that the network has to be capable of transporting data — we ignore some crucial areas which should also be evaluated. For example, imagine if you could reduce 67 percent of your management costs through automation? In a recent deployment of our newest Software Defined Access portfolio, our management consoles and our automated management and policy enforcement, we were able to reduce a commercial company’s human involvement by just that number. Two-thirds of their IT employees are able to focus on things more important for the company now that we have automated the common tasks of network management. Imagine that efficiency boost as the Department of Defense is rapidly re-deploying personnel to fight the war on cyber threats.
But there are several other areas that we see routinely that arise from the commodity focus over a total cost of ownership. Factors including equipment lifespan, re-training of employees on different technologies, gaps created by OEM interoperation, and dozens of others all combine to create a significant red flag for IT and acquisitions leadership, and one which is likely to get a little worse before it gets better.
Lastly in the cost of acquisitions, we have attempted to decompose requirements into a siloed domain, where we look at individual aspects of IT, and recompile them in production in a hope that standards based engineering results in a “plug and play” model for users. While we are strict proponents of a standards-based architecture, many of the issues our users encounter involve connecting between OEMs.
To use an analogy I picked up from another customer, standards-based solutions are the right answer — but the standards are like a six-lane highway in which IT makers pick paths that don’t always align perfectly with others. This highway is where the gaps are found and where integration and troubleshooting costs can grow out of control.
The Solution is the Solution
When considering competing solutions, it’s not always obvious which is the best answer. Other major procurements can offer guidance, though. When we consider that JLTV example above, there were a minimum set of requirements which laid out and then a series of other ideas which would be of help to troops in dangerous remote locations. In this evaluation, Oshkosh clearly took their experience in the development of mine-resistant, ambush-protected (MRAP) vehicles, and in commercial trucking, and developed a solution that fused the minimum requirements with other benefits.
But the procurement team didn’t attempt to buy tires from one provider, an engine from another, transmission and frame from a third and then cobble it all together in a body shop. They bought the end-to-end solution instead.
We have to redefine how we look at IT today. It has to be comprehensive and capability-focused. Instead of simply buying a router or a computer or a server, we need to look holistically and evaluate IT like it was any other piece of complex equipment.
Imagine an Air Force base receiving an IT solution– routers, switches, servers, telephony all in a pre-configured package. It would replace their current solutions, many of which were probably developed incrementally — a router here, a switch there, a few servers added later. The solution clears up any friction, and allows a fresh start with fewer gaps. Moreover, by focusing on the base holistically, we are able to engineer a more capable solution, offer highly competitive pricing and monitor the costs of operating against stated objectives. Most importantly, this approach allows many OEM’s to compete. Through this we drive innovative solutions for the warfighters.
Moving Ahead
The reality is that we are in a time of change. We in the industry are pushing again and pushing back hard against our adversaries. We are developing comprehensive changes in how we work, live and play through what we are doing with IT. We are owning it from end to end.
Our government is also changing, looking at new and better ways to procure IT. Now is the time for federal organizations to assess the impact of commodity-based acquisitions against value-based purchases. They will quickly realize the positive budgetary impact with the value-based approach.
To select the right cyber fight strategy struggling with tight budget or to pay more with a Ransomware threat, that’s the main and wise decision to take.