STATETECH: The cybersecurity threat landscape is always evolving. What keeps you up at night?
TONG: I still feel like we’re not doing enough. We need to do more from within. In many cases, we can prevent mistakes by end users with better training, for example. We can do more to remind everyone what they should be doing so we don’t leave the door open and allow vulnerabilities to be exploited.
STATETECH: How has the state’s use of cloud evolved over the past couple of years?
TONG: Cloud migration has been a focus of the state of California for a while. More than four years ago, the state adopted a cloud-first policy. With anything that is built brand-new, we should consider cloud as the first choice. And whenever we can, migrate to cloud as a first choice.
However, through the past several years, we’ve seen that migrating to cloud is not as easy as some might think, especially when you have large legacy systems that are not cloud-ready. We have switched our focus to encouraging cloud adoption rather than simply insisting on cloud-first.
Be smart. Be strategic. Be thoughtful about what it will take to actually move a solution into a cloud environment when it was not designed to be that way. Or make a very concerted effort to plan anything that is brand-new in the cloud.
STATETECH: What lessons learned would you share with your peers who are not as far along on cloud migration?
TONG: Going to the cloud is a journey, not an overnight destination. Many of my peers are facing my situation, where they have a lot of existing systems to consider. They must conduct a cloud readiness assessment, which California did for every single one of our major systems, whether it was a simple “lift and shift” to go to the cloud or it required design and building out.
Look at the budget ahead of time and set expectations on the timing required to develop a realistic plan for going to cloud. Do that assessment up front and then decide what things can go in easily and what things require more time.