OpenGov spoke to Aaron Liu, Chief Information Officer (CIO) at the Department of Justice in New South Wales. Mr. Liu talked about getting the basics right, consolidating onto common platforms and common systems wherever possible. He talked about moving to the cloud, their innovative approach to ERP implementation and discussed public access to information.
Can you tell us about your role?
I am the Chief Information Officer for Department of Justice, NSW. We are a complex organisation. We look after the courts and tribunals , correctional services, juvenile justice, liquor and gaming. We also provide services to a number of agencies such as Trustee and Guardian, Information and Privacy Commission,. We also have Arts within our portfolio at the moment.
What are your areas of focus in the short to medium term?
Our foremost priority is getting the basics right. That involves consolidating onto common platforms and common systems wherever possible.
We have completed our basic work on ICT infrastructure and the network layer. We have moved to cloud services within NSW government data centres. A lot of the technology platforms have moved to as-a service model.
Our next priority is moving forward to exploit those opportunities within those platforms and start on a journey of application and data consolidation.
We are moving the ERP to a consolidated platform in an as-a-service model.
Can you tell us more about the ERP consolidation?
Our ERP solution is quite different compared to how ERPs have been established in the past. It took us a while to get the model right. We wanted the advantages of cloud as a service but also have a commercial construct that could appropriately manage the risks of going to cloud.
For us, moving to the as-a-service model had some risks. What if the vendor decides to exit the market, what if they go bankrupt? Operations being interrupted even on temporary basis, correctional officers, judges not getting paid, is unacceptable.
So, we negotiated a fairly innovative commercial construct with the vendor, who had done something similar for the Singapore government. We took it a step further however, negotiating comprehensive transition out scenarios and leveraging shared corporate services standards developed within NSW government, as a pre-blueprinted software- as-a-service solution for ERP.
Part of that innovation included a transparent commercial model for managing customisation. We followed a concept called adopt and adapt. The consumption based pricing model ensures we take up 90% of the functionality, based on NSW government standards out of the box. The remaining 10% is available customised to enable it to fit our local business needs, in areas that won’t necessarily be commoditised.
That allowed us to almost turn upside down the way we implemented the ERP. It was one of the most rapid ERP implementations, consolidating 8 separate ERPs and multiple solutions. We were able to do it because we used pre-blueprinted business solutions. So, it’s just a matter of deploying them very rapidly across multiple business units. It’s not the normal Waterfall approach. Other clusters such as Family and Community Services have now taken advantage of our model and have also signed on. This means broader benefits for government are already being realised.
When was this process started?
The contractual negotiations probably took the longest. They happened over a period of around 12 months. Our first proof-of-concept, that we called Wave 0, went live within 6 months. Subsequent waves basically dropped massive implementations every 6 to 9 months.
We are in the midst of it. We have a wave going live around the end of October or November. We expect to complete the project within 12 to 18 months.
What are the challenges you face in the process of digital transformation?
Part of it is being agile enough and building the leadership and capability. Innovation in some ways needs to be driven from the top and encouraged from the bottom. It needs a cultural change. We have to move internal IT people, government executives, business people to think differently about how they currently do things, as opposed to moving forward with the status quo. We have to challenge old assumptions.
There are unique risks for government, which might not exist in the private sector. Having the right framework, so that we are able to utilise opportunities and innovations safely is a key challenge. For instance, creating a risk-based framework that enables cloud to be adopted, while mitigating the risks.
What is your basic approach for moving to the cloud?
I think cloud is just a different way of consuming what was traditional IT. We have to ensure that the we fully understand the TCO (Total cost of ownership), the risks, the opportunities within the cloud. We cannot go at it blindly, just because it is the fashionable thing to do. We approach it in a way that allows us to obtain the benefits but manage the risks associate with it.
It does not have to be public cloud. We need to consider whether we use private cloud in a Gov DC environment, or public cloud within a Gov DC environment, or public cloud beyond a Gov DC environment. The buzz word right now is hybrid cloud. Different workloads and different use cases will fit in different models.
But for me, cloud is default way of doing things. There’s nothing left on premise for us.
There are some areas, where the risk might be a little bit higher than we would like it to be. We have agencies with quite sensitive information. So, I don’t foresee everything going to public cloud in the short term. There will be some degree of hybrid. But that will shrink over time, as market innovations in public cloud capability catches up and exceeds on-premise in terms of security and compliance.
What are you doing in terms of cybersecurity?
We need to build up our cybersecurity capabilities. We have moved from being reactive in information security to being pro-active.
But cybersecurity requires thinking beyond the traditional ISO 27001 risk-assessment approach. It actually needs us to almost think like the hackers, the people who want to steal your data or impact your services.
In some cybersecurity threats, the motives and operations are actually not technology-driven. They are more about social engineering, practice and culture. So, cybersecurity today requires a holistic and multi-layered approach. Cyber security needs to consider us to think differently about incident management and response in a different way. Breaches will happen. No amount of investment in technology can prevent it. Its how we manage incidents, communicate with the community and respond to breaches that is sometimes overlooked.
Are you working on anything to improve access of information by the public?
Yes, we have done some initiatives. We still have a long way to go. The challenge for us is cleaning up the legacy. But now that we have started on the clean-up journey and we are fixing the basics, we can look at exposing the data to citizens.
For example, we have a crime tool in the Bureau of Crime Statistics and Research, an agency within the Department of Justice. We worked in an innovative way with a small vendor for exposing quite rich crime statistical data for NSW in a net-based interface. It actually drills down quite deep into statistical information. It’s the first of its kind in the world.
We have also provided services for accessing data around things like family history and genealogy. Some of those are revenue generating as well.
Government has a wealth of information. We have to decide what should be freely accessible, what should be protected.
Some of the challenges that we have to face revolve around privacy and security. We have to ensure security for the information we hold. We have to consider the purpose the information was originally provided for.
The trend is to use that information in multiple ways. We have to put some forethought into what the implications of that information might be. There might be unforeseen outcomes. We need to take care to make sure we get that right.
For instance, consider the addresses of offenders living in the community and the details of their crimes. Is that something the public has a right to know? Does that mean that person will not get insurance or something? Will that affect their job prospects?
There are ways of exposing that information without impacting privacy, like de-identification of the data. We have to explore those and find the correct balance.