Technology Management Strategy

This is a DRAFT strategy.

Note 1: The authoritative source (and latest version) of this Strategy is on ESDC’s internal network

Note 2: Some of the links within this strategy are accessible only within the ESDC corporate network. These links are marked (ESDC only).

Situational Awareness

The Government of Canada (GC) released its Digital Ambition in 2022, a list of priorities and plans to fulfill the ambition of the GC’s Digital Strategy as per the aspirations of the GC’s Digital Standards. At the same time, ESDC launched the Benefits Delivery Modernization (BDM) Programme seeking to transform its Programs Service delivery to be digital.

The GC and ESDC are embarking on this journey while most of ESDC’s technology infrastructure is suffering from chronic technical debt affecting existing critical technology solutions that Programs depend on. The GC’s cloud smart strategy seeks to incentivize and prepare departments in migrating current workloads and deploy new ones to the public cloud or SSC end state data centre.

These ambitions and resulting technological demands all converge to IT organizations creating a risk of not being able to keep pace of relevance and, as a result, inhibiting the department to fulfill its digital ambitions.

Specific to ESDC’s context we see that:

The department runs 53 social benefit programs¹
That delivers 116 services to Canadians²
That are enabled by 435 Corporate IT Solutions, 116 of which are mission critical³
That employs more than 40,000 employees, distributed across 25 Branches⁴
That has 75 IT-Enabled Projects approved and started, one of which is the first project of many from the BDM Programme ⁵

This seems to place IT organizations in an impossible situation to maintain operations, build new, integrate old and new, and transition from old to new without affecting Program operations.

As digital encompasses service delivery, data, identity, cyber security, and technology, how can an IT organization realistically succeed in this environment?

Strategic Goals

IT exists to enable Programs to deliver services to Canadians. If Programs meet their service standards⁶ and Canadians are happy with its delivery, then IT succeeds. This User Experience aspect of Program service delivery puts IT at the forefront since technology is now a medium for Program service delivery.

ESDC is equipped with multiple strategic functions. It’s the combination of those strategic functions that make up “Digital”:

Service Strategy (a mandate of SSPB) and Identity Management (a mandate of ISB) are being transformed as part of the BDM Programme’s Business Change Authority(ESDC only)
Data is the mandate of the Chief Data Officer (CDO) who has produced ESDC’s Data Strategy (ESDC only)
Information is the mandate of the Chief Information Officer (CIO), delegated to the DG of Business Solutions and Information Management (BSIM), who has produced ESDC’s Information Management Strategy(ESDC only)
Cyber Security is the mandate of the Designated Official for Cyber Security, the DG of Enterprise Operations, who has established a Cyber Security Program(ESDC only)
Information Technology is the mandate of the CIO, delegated to the DG of Strategy, Architecture, and Business Relations (SABR). This document serves as the Strategy for Information Technology.

This highly complex and distributed environment requires different levers: it is not about asking for more money for technology investments using committees to oversee approval and compliance, but rather investment in a skilled public service; fit-for-purpose governance and policies; explicit support for empowered, multidisciplinary teams that work together in lockstep, from policy to implementation and iteration.

To that effect, this IT Strategy focuses on three main goals:

1) Change the approach to funding technology

Digital is a game changer. Treasury Board has now codified that Program services use technology for their delivery which resets the relationships between policy, delivery and evaluation. This means technology is no longer a back-office function but a medium.

Saying “the website is not what we do” is no longer an option. For Programs to inform realistic policy agenda, to timely respond to new insights, and to deliver at the speed of relevance, they require timely access to technology services.

The current mechanism Programs use to engage with technology services is to launch temporary projects so that the Corporate function of the department can then evaluate its capacity to prioritize and assign work. This inadvertently promotes risky behaviours that are incompatible with digital-era practices.

Funding technology-related work in the digital era requires seeing technology as products, and for the IT organization providing services associated to those products to timely adjust their capacity based on product demands, not project demands.

Progress on this goal is measured by:

A) Percentage of Applications from ESDC’s Corporate Solution Directory that have onboarded the IITB Product Management Framework (data source: PPRC⁷)

B) Percentage of IITB’s Budget that is categorized by ESDC’s Corporate Solutions (data source: IITB Resource Management)

2) Raise Awareness on the costs and risks of using technology for Programs Service delivery

Risks equate to Data and Information. Technology is but a tool, the asset the organization cares about is Data and the story it tells (Information). Stemming from Data and Information is the privacy, security, and now ethical concerns of using technology as part of Programs service delivery.

Although theTB Policy on Service and Digital puts the accountability towards technology risks on multiple officials, the integrated management requirement starts shifting the responsibility towards Programs by having sufficient understanding on the implications of using technology (legal, security, ethics).

Costs equate to Programs needing to be realistic in their digital ambition as difficult prioritization decisions over limited capacity will need to be made, and the purchase of commercial software comes at a price.

Risks equate to Data and Information. Technology is but a tool, the asset the organization cares about is Data and the story it tells (Information). Stemming from Data and Information is the privacy, security, and now ethical concerns of using technology as part of Programs service delivery.

This goal directly points to the efforts by ESDC’s Chief Data Officer and Enterprise Information Management team.

Progress on this goal is measured by:

A) Percentage of Programs that identified technology’s on-going expenses in their periodic Treasury Board Submission Renewals (data source: Programs Treasury Board Submissions)

B) Degree of Data and Information literacy (data source: Data and IM Strategies desired outcomes and measurement methods)

3) Modernize IITB’s software delivery capabilities

This goal directly points to Foundational Capabilities identified in the IITB Strategic Priorities(ESDC only). In particular “higher velocity and quality through the adoption of modern ways of working” and “maturing cloud services capabilities”.

Technology is no longer a “package” that you purchase at a store and install. Technology, including infrastructure, has become software services that are configured, consumed, and that keeps on improving over time. Demands for their use require a variety of internal IT services for their effective and secure delivery, but ultimately when a Program seeks technology services, they seek to obtain software services.

Project demands, maintenance, migration to the public cloud or end state data centre, are all sources of requirements that inform the “Application’s” roadmap (a grouping of software). The ability for an IT Organization to execute and make progress on all demands submitted to it is heavily dependent on its ability to perform more frequent and smaller software changes.

Progress on this goal is measured by⁸:

A) Decrease in lead time for change: the time code changes take to go from check-in to release in production (data source: TBD, may be a combination of Application’s source code repository and IT change record)⁹

B) Increase in deployment frequency: the rate at which software is deployed to production or released to end users (data source: IT change record)

C) Decrease in change failure rates: the change failure rate measured by how often deployment failures occur in production that require immediate remedy (data source: IT change record)

D) Decrease in time to restore: the time it takes from detecting a user impacting incident to remediating it (data source: National Service Desk record)

E) Decrease in Cyber Security Vulnerabilities: the number of cyber-security vulnerabilities registered per application (data source: Vulnerabilities Registries)

Coherent set of actions

A coherent set of actions is necessary to align resources, internal policies, and maneuvers in a coordinated fashion to support each other as opposed to fighting against each other. This set of actions needs sufficient buy-in at a sufficient level of authority to provide cover for the personnel that will be doing the work.

Actions	Teams Involved
1. Establish a Technology Literacy Program	(removed)
Inspired by the US Cloud Smart and ESDC Data Strategies (ESDC only), the Technology Literacy Program seeks to empower IITB employees and executives to better understand modern software and perform competency management. It is to establish foundational courses and skills needed to manage modern software effectively, securely, that benefits Canadians, and necessary to deliver successful technology projects. Acknowledging the government's current financial constraints, the Literacy Program will seek to leverage existing materials and services such as: The Linux Foundation's (e.g. Introduction to DevSecOps for Managers) Institute for Citizen-Centered Services (e.g. Open Source Software for Public Sector Executives) Canada School of Public Service Public Cloud Service Providers TBS Digital Talent Program	(removed)
2. Adopt Product Management for all APM applications	(removed)
Technologies are just tools and remain relevant as long as their owners (“The Business”) continuously invest in it. This investment is not driven by the IT organization but by the business needs. Technologies hardware component may deteriorate over time but their software components need to constantly be worked on. Temporary Projects become one of the many sources of requirements that inform a software product's roadmap over its life cycle. Product Management mitigates the risk of application obsolescence (ESDC only) by keeping them relevant and, as such, ensures ESDC Program services maintains pace of relevance with Canadian expectations. Adopting Product Management requires a different instrument to formalize multi-disciplinary teams outside of temporary projects between “The Business” and IT to enable the sustainment and continuously improvements of APM applications used in Programs service delivery. Authorities to establish such instrument at ESDC is at CIO and CFO level.	(removed)
3. Implement DevSecOps	(removed)
Inspired by the US Air Force's Platform One team, DevSecOps focuses on SecOps (security at runtime) and incentivizes re-using existing software components and applications instead of proliferating new ones (the #1 help for IT Security). Architecture and release management require to adapt to realize the benefits to DevSecOps. Architecture establishes managed services for software factories so development teams can focus on building and deploying secure Program applications with ease in conformance with ESDC's SDLC. Release Management establishes clear guardrails, coded in software delivery pipelines, and actively favours automation to assess the readiness of software to reach production state. Teams (software factories) actively monitor their production software for both user feedback and anomalies to quickly remediate them. IT Security makes use of advance tools to not only monitor in production but automatically respond to threats. DevSecOps is more than pipelines, it ensures IT maintains pace of relevance with Program needs.	(removed)
4. Establish Technology Procurement Mandatory Procedures	(removed)
Adopting commercially adopted open-source software and leveraging industry services to help ESDC integrate and adapt them to Program needs must be seriously evaluated before going to market. Procuring commercial software is one option out of many. Adopting commercially adopted open-source software to help ESDC in ensuring its technology sovereignty and comply with the Directive on Service and Digital requirement 4.4.3.12. ESDC already has an Open Source Software (OSS) Management Framework (ESDC only) that sets direction and guidance around OSS product selection considerations and compliance. Educating IITB executives on the differences between adopting (when a licence grants us the rights) and acquiring (when we purchase the rights to use a licence) software becomes essential. Establishing mandatory technology procurement procedures before going to market, as part of a procurement strategy, and as part of bidding evaluations will mitigate risks of procuring outdated commercial technologies, vendor lock-in, and ensure value is provided throughout the resulting contract's execution. If going to market, the technology procurement strategy adopts modular contracting. If going to market to purchase a commercial software, ESDC ensures its technology sovereignty by establishing mandatory requirements in RFPs, such as open standards and exit paths conditions.	(removed)
5. Establish IT-Enabled Investment Projects Intake Criteria	(removed)
IT-Enabled Investment Projects starts engaging IT Staff when the Investment Project identifies the Program Service(s) it seeks to improve. IT-Enabled Investment Projects are too often started without understanding what problems we're trying to solve, jumping too quickly to purchase a solution looking for a problem, overloading IT operations, causing confusion and duplication of work.	(removed)
6. Implement IITB Governance Study Recommendations	(removed)
Implement the 6 recommendations of the 2021 Governance Study: Transition towards structured data Leverage guardrails Create playbooks Clarify and simplify governance structure Review committees’ membership and decision model Enable asynchronous group decisions. The recommendations target existing IITB governance committees, their structures, terms of reference, proceedings, and decision making process. The recommendations seek to make it easier for IT personnel to find information, obtain timely decisions, and provide a means for senior management to delegate decision making at the adequate level.	(removed)
7. Invest in IT personnel	(removed)
The Canadian Government spent $4.7B in IT contracting for the fiscal year 2021-2022. The Professional Institute of Public Service Canada (PIPSC) noticed a dramatic increase in outsourcing, with ESDC as the second highest outsourcing department. Leveraging consulting firms instead of IT personnel has a demotivation effect on the workforce. It leads otherwise motivated and engaged IT personnel to think “why bother, decision makers are listening to commercial interests instead of public servants”. Personnel has “skin in the game” with a greater ownership of their recommendations and their implementations or results. Consultants may be leveraged to temporarily access new knowledge, but it cannot become a dependency and an influence of commercial interests affecting the integrity of government services. In the GC, the average time to hire a digital specialist from outside of the public service is ~8 months¹⁰, and their average length of stay is less than 2 years¹¹. Teams that are able to hire digital specialists tend to have an attrition rate of 35-40%, and on average have a vacancy rate of 31%¹². The reasons cited for not staying range from not having access to modern tools or training, to having to spend more time navigating bureaucracy and approvals rather than actual delivery, and reporting to leaders who do not understand basic concepts about technology, data or delivery and are unable to advocate for or mentor them. Investing in IT personnel means: Reducing the reliance on commercial consulting firms Perform a mandatory competency-based planning for all IT teams¹³ Implement a promotion program that can bridge IT personnel from IT-02 to IT-05 Create a rotational program that enables IT staff to move to and be exposed to other IT-related functions in ESDC Streamlining HR hiring and mobility rules to incentive employment over contracting Establishing clear improvement targets for all IITB teams necessary to establishing stronger service management capabilities Moving consultation budgets as learning budgets to fund the #1. Establish a Technology Literacy Program Empowering IT personnel to deliver better services by providing them with the tools they need Source Source: Data from ESDC and OCHRO Source See IT Evergreening draft Strategy (ESDC only), goals 8 and 9	(removed)
8. Apply Monitoring and Observability	(removed)
Monitoring is tooling or a technical solution that allows teams to watch and understand the state of their systems. Monitoring is based on gathering predefined sets of metrics or logs. Observability is tooling or a technical solution that allows teams to actively debug their system. Observability is based on exploring properties and patterns not defined in advance. These are accomplishes by: Deploying an IT Service Management System (Configuration Management Database) Equipping the Cyber Security Operations Centre with modern systems (e.g. deploying a Security Information and Event Management) Code Maintainability (both in-house development and integration of acquired/adopted software) Trunk-based development Version control (of both in-house development and acquired software)	(removed)

References

Count of Programs in the 2022-23 Departmental Plan ↩
Count of Program Services in Business Architecture’s Repository (ESDC only) ↩
APM Assessment Dashboard ↩
Workforce Demographic Profile 2023 Q4 (ESDC only) and count of Branches in ESDC’s Intranet (ESDC only) ↩
PMIS Project Centre (ESDC only) 2023-10-20 snapshot (less than 100% completed) ↩
Refer to TBS Directive on Service and Digital requirement 4.2.1 ↩
May change based on the lessons learned of IITB’s Pilot Product Management Framework ↩
From DORA’s key metrics of software delivery performance. ↩
APM (Application Portfolio Management) is a TBS mandated activity that departments need to do. ↩