Essential Aspect: Incorporating Security from the Ground Up in Modernization
In the rapidly evolving digital landscape, modernization of technologies has become a priority for many organizations. However, the success of these modernization efforts hinges on more than just adopting the latest technologies.
According to industry experts, the key lies in aligning modernization with the mission and user needs. Shiny new technologies adopted without considering user needs may not be effective if employees do not use them to accomplish the mission. This is a crucial point that leaders, both in the upper echelons and at the hands-on-keyboard level, should bear in mind.
The necessity for security practices is another area that requires universal understanding within an organization. Leaders who are responsible for the final outcomes often assume that the solutions are being built securely. However, the reality can be quite different, with the need for continuous oversight often overlooked.
Contracting professionals are not exempt from this responsibility. In some cases, contracts may not explicitly require security best practices or enforce accountability measures. This lack of explicit requirements can lead to security vulnerabilities.
Employees will find ways to accomplish the mission, but forced use of unsuitable modernization efforts and tools can lead to the emergence of shadow IT. Shadow IT refers to the use of IT systems, applications, and services that are not officially authorized by an organization.
Everyone in an organization needs to be aware of their individual responsibility for security. This includes understanding the risk and the need for continuous oversight. The educational process often does not emphasize the importance of secure solutions, making it essential for organizations to prioritize security awareness training.
A newer process that integrates real-time security into the development life cycle is Continuous Authorization to Operate (CATO). Unlike traditional authorization-to-operate processes, which are too slow for modern technology and cybersecurity requirements, CATO eliminates checklists and snapshot verifications, instead relying on telemetry and system instrumentation for a never-ending security validation process.
Focusing on security early in the process results in lower costs and easier integration into applications and systems. This is in line with the National Institute of Standards and Technology's Special Publication 800-160, which advocates for security to be built in during design and testing, not added on after the fact.
Notable examples of modernization efforts can be seen in organizations such as the IRS, the White House, and the General Services Administration (GSA). The IRS, for instance, has announced modernization efforts to develop new strategic IT plans that align with its mission and user requirements, planned for FY2026 to FY2030 in coordination with the Treasury Department. The White House AI Action Plan also calls for federal agencies to modernize IT environments to support AI at scale, emphasizing secure, scalable infrastructure aligned with mission demands.
Darren Death, the chief information security officer, chief privacy officer, and deputy chief artificial intelligence officer for the Export-Import Bank of the U.S., is a notable figure in this modernization drive. He is at the forefront of efforts to align modernization with business and mission requirements, ensuring that the focus is not just on having the latest technology, but on meeting the needs of the organization and its users.
The "America by Design" initiative, aimed at modernizing federal services by improving usability and aligning with user needs under a new executive order, is another step in this direction. The GSA is also modernizing procurement systems with AI integration to improve efficiency and alignment with government priorities.
In conclusion, modernization is not just about having the latest technology; it's about meeting business and mission requirements. By focusing on user needs and integrating security into the development life cycle, organizations can ensure that their modernization efforts are effective, secure, and aligned with their mission.