CIA's AWS Decision Shows It May Not Have Learned From NSA
Let's take a look at Edward Snowden and the National Security Agency. As we know now, Snowden's permissions exceeded his clearance, he leaked a ton of information that the Obama administration wishes had been kept secret, and no one connected to the NSA is safe from the federal government's witch hunt.
By all reports, Snowden isn't stupid or nuts, and he passed his background checks. He simply should never have seen the information he had access to, but he didn't like what he saw and decided to blow the whistle. In the months since, the NSA has significantly changed its vetting procedures to assure this doesn't happen again.
You might assume that any branch of government that didn't provide the same protections would have its CIO flogged on site. Yet the CIA recently agreed to use Amazon Web Services. Even using an entity that would remotely host any service from any intelligence agency, given the Snowden and Manning incidents, might be seen as suicidal for whoever agreed to do it internally and for the firm that agreed to make it happen.
There's a difference between companies that deal regularly with the federal government and those that don't. The ones that do know that critical rules change and naturally factor in those changes to protect the client and themselves. New companies think that isn't part of their job and don't realize that, when the crap hits the fan, even if it isn't your fault, you're still going to get covered in crap.
Healthcare.gov Shows Danger of Going With Lowest Bid
We saw this play out with Healthcare.gov, the Affordable Health Care Act website. By all reports it was underfunded and rushed, while the contractor, CGI, had previously been fired by the Canadian government. But it was the lowest bidder.
CGI is supposed to be an experienced federal contractor, and even it couldn't execute Healthcare.gov properly. CGI really wasn't at fault - this project was mismanaged from the start - but the vendor is being tossed under the bus, frequently and with relish, because it didn't protect the folks that decided to use it.
It isn't that IBM doesn't break. It's just better at making sure that, when bad things happen, there are contingency plans to keep the folks who bet their jobs on IBM in those jobs.
Had IBM run Healthcare.gov, it would have assured a successful result, even if it cost margin, because IBM knows that a failure would hurt its brand and its advocate. That's why agencies are willing to pay a little more for IBM; the company assures that its customers' decision-makers are protected. Go to any IBM customer event and you'll see CIOs on stage singing IBM's praises. It's not about the technology; it's about IBM covering the CIO's collective backsides.