CIO interview: Changing supplier relationships at the MoD

Mike Stone says when he became the MoD's CIO the organisation's IT was far behind modern best practice – but now it has a ground-breaking cloud deal

For the past two years, Mike Stone has worked on a radical plan to modernise IT and IT supplier management at the Ministry of Defence (MoD).

Previously CEO of Defence Business Services, an outsourced contract from Serco providing corporate services to the MoD, Stone took over from the MoD’s interim CIO Yvonne Ferguson in March 2014. His official job title is chief digital and information officer, Ministry of Defence.

For an organisation that has in most parts been extremely secretive about its IT, Stone recently joined up with Microsoft at the announcement of the availability of the software company’s UK Azure cloud.

Recalling the state of the MoD’s IT, he says: “When I arrived at the MoD, I looked at the service provision we had. It wasn’t fit for purpose. In the modern age people have more capability at home than at work.”

For instance, says Stone, people were “enjoying making online transactions at home” – but due to the IT security in place at the MoD, they did not have access to anything at work.

His vision is "defence as a platform" – or DaaP – which Stone says provides a portfolio for delivering IT. “There are three aims. Firstly, anyone with appropriate permissions can log in with a single set of credentials and access a single IT environment.”

The second part of DaaP is to have an evergreen environment, both from a software and hardware perspective. It gets around the challenges the MoD has faced in the past, such as running legacy systems. “We acquire services and they are updated on a regular basis,” says Stone.

The third goal is to rethink supplier management, specifically around proprietary technologies that can make it difficult to migrate off platforms in the future. “We want to radically reduce system integrator lock-in so we can transition easily,” says Stone.

Read more CIO interviews

Among Stone’s first tasks on joining the MoD was to renegotiate a £1bn 10-year major IT contract with the Atlas consortium.

The consortium – led by HP and including Fujitsu, Airbus Defence and Space, and CGI – has been tasked with establishing a modern set of IT systems for the MoD.

The MoD is also spending £550m with Fujitsu to provide global connectivity services for the next five years. Stone says this will increase bandwidth on the MoD’s wide area network 40-fold.

Overall, DaaP is effectively a programme for putting IT into MoD offices. The user-facing side of IT is provided through what Stone calls ModNet. This uses Microsoft technology and makes use of identity and access management, and mobile device management.

Stone says the MoD has also signed a £330 integrated user services contract with BT to provide voice, video and mobile phone services for the next five years.

Azure cloud and connectivity provides the backbone for a new way of thinking about IT at the MoD. In fact, Stone describes the MoD’s use of Microsoft as a full-blown leap into the cloud.

“What we have sought to do is shift the organisation from vertically integrated end-to-end systems – which had their own compute – to a core common computing platform,” he says.

Private Azure cloud

At its heart is a private instance of the Azure cloud, which runs in Microsoft’s UK datacentres, and is managed by Microsoft. The decision to choose the Azure cloud came after Stone met Microsoft CEO Satya Nadella.

“I met with Satya Nadella and asked him if he was prepared to come to the UK, because I wasn’t happy for our data not to be stored in the UK,” says Stone.

In response to the ambitions of the MoD, Microsoft's UK datacentre for the Azure cloud went live on 7 September 2016.

“We are the anchor tenants in the capability being put in place by Microsoft,” says Stone. When asked about working with Nadella, he adds: “Microsoft is a much more humble company. Not everything has to be painted Windows.”

I asked if we could store documents in open document formats, rather than in proprietary formats – and Satya Nadella agreed
Mike Stone, MoD

As an example, Stone says: “I asked if we could store documents in the open document formats, rather than in proprietary formats – and Satya agreed.” Why? According to Stone, the MoD’s Azure cloud is among Microsoft’s most comprehensive implementation anywhere in the world.

The MoD is using Office 365 and Azure for common application services and hosting of data. It is using a private instance of Azure, which has the ability to connect to the public cloud and even Amazon Web Services (AWS). “It is not on-premise. It is being run by Microsoft within rules that they are required to follow,” says Stone.

Among the benefits of the contract with Microsoft for Stone is that anything that goes into the public cloud will be made available to the MoD. These enhancements can then be shared across all elements of defence, he says.

For Stone, shifting to the cloud is about modernising IT working practices. It is, however, a work in progress. DevOps, for instance, is considered by many as a way to streamline IT, empowering developers to deliver code much more efficiently.

Stone says while the MoD’s platform supports DevOps, right now there is not a major DevOps push in the organisation.

“It isn’t huge, but the information systems in the defence [team] has a very innovative approach to secure containerisation. We are also looking at renting bare metal and spinning up networks as and when they are required,” he says. In effect, the hardware is on tap, ready for when an application requires it.

Security of the cloud

Clearly many government departments and other parts of the public and private sector will be closely following the MoD’s Azure implementation. It is not only an ambitious project, but also raises many security questions.

Stone is confident the security is spot on and will offer equivalent levels of security to what the MoD expects from its on-premise IT: “This is going to be no less secure. Rather than rely on boundary, I believe in defence in depth.”

What this means in practice is the MoD will use state-of-the-art threat telemetry to understand the nature of hacking attacks.

Paraphrasing Donald Rumsfeld’s quote on the unknown unknowns, Stone says: “You cannot secure what you don’t know about. We need to decimate whatever gets through.”

For Stone, defence security is a layered approach. “We need endpoint security, behavioural analysis and we have to treat insider threats,” he says.

Read more on CW500 and IT leadership skills