SEC CIO leads efforts to move agency to the cloud

Pamela Dyson is shepherding a determined, if incremental, effort to move her agency’s applications to the cloud.

Dyson was named the CIO at the Securities and Exchange Commission in February, after having joined the agency in 2010, when she joined an ambitious initiative to modernize and improve efficiencies in the SEC’s IT infrastructure.

Dyson shared her thoughts on the cloud-enabled Software-as-a-Service (SaaS) model during a recent presentation hosted by Federal Computer Week, explaining that the SEC’s Office of Information Technology holds out four overarching IT priorities: modernizing its aging infrastructure, improving business agility, harnessing big data and analytics, and what Dyson calls digital transformation — updating applications and access to better serve end users.

And for many of those applications the SEC is looking to the cloud and the SaaS model, while taking care to ensure that the sensitive data and systems the agency oversees remain secure.

“We want reusable highly scalable and flexible platforms,” Dyson says. “We want to strengthen our cybersecurity and continuous monitoring posturing — that’s very important whether we’re working on-prem or in the cloud.”

The determination of whether or not to roll out a SaaS application at the SEC “has a lot to do with timing,” Dyson explains. The regulatory agency is charged with drafting and implementing rules for the securities industry, a process that is guided by deadlines mandated in statute or by the commission’s own timetable. In that context, the consideration of a cloud deployment can become a question of whether or not the technology will support the agency’s regulatory mission.

The SEC, like many other federal outfits, continues to run numerous legacy systems and applications, many deeply rooted in the agency’s computing environment.

As a first step, the commission set about doing some of the spadework to modernize its infrastructure. That meant virtualizing and dramatically consolidating its data-center operations, reducing the footprint from tens of thousands of square feet to fewer than 5,000, according to Dyson.

The SEC has been judicious in its move to the cloud, though Dyson’s team has already transitioned several key applications to a SaaS model, including its response tracking system, a CRM application, and the Market Information Data Analytics System, or MIDAS, a program that gathers billions of proprietary data points from the 13 national equity exchanges that are then made publicly available.

The commission has also moved to the cloud its emergency notification system, the program that can send out an alert to all SEC employees in the event of an emergency. That means that the SEC had to commit to push employee data outside its internal systems, but reasoned that the security concerns were manageable and that a level of redundancy was prudent for an emergency response system.

“All information is stored securely in the cloud,” Dyson says. “So I know that there’s some personal information there, but we have secure parameters around the information to ensure that it’s secure at all times.”

Cloud security and culture issues more perception than reality

Government officials have long cited security as one of the chief points of resistance about moving to the cloud in the public sector, though some observers suggest that the issue might be more a question of perception than of any legitimate vulnerabilities associated with the cloud.

“Protecting data in the cloud solutions is one of the core business functions for the public sector cloud provider, so they are expending an extraordinary amount of resources in data protection, data security, backup of data,” Dyson says. “I can assure you that your data is safe.”

In addition to security, one of the central challenges with effecting a cloud migration in the public sector can be overcoming the obstacles that can come from the organizational culture, where different units of an agency might be accustomed to managing their own narrow IT shop and reluctant to turn those processes over to an outside provider.

Moreover, some in the vendor community note that the perception of the cloud as a monolith persists in the public sector. Count among those Sarah Jackson, Oracle’s vice president of public sector application sales consulting for North America, who says that service providers can help their cause if they take the time to assure prospective government clients that cloud deployments can be tailored to fit a given agency’s business needs.

“Certainly when we talk about the cloud, you know, one size does not fit all,” Jackson says. “So the way that you combat these concerns and the kind of hesitance that maybe some of your business units might have about the cloud is to convince them to change that cultural stigma that the cloud is vanilla, that if you go to the cloud you have to be exactly like your other peers who might be in that same cloud. And that is just simply not true.”