Head of Government at BJSS on the cloud, legacy and security

Kam Bhatoa has spent the last 15 years helping digital leaders in government to deliver better outcomes for citizens. We came together to talk about how the government’s use of the cloud has changed over that period, tactics for compartmentalising the backlog of tech debt and creating security assurances for the cloud.

Tell me a bit about your background.

I have been in the technology industry for over 25 years. I started as a graduate programmer just before the year 2000 bug, where I was helping to remediate systems. Since then, my career has moved to program and account management and for the last 15 years, I've been working with the public sector to help modernise systems. I love the opportunity that we have as digital leaders to deliver services to citizens and through modernisation, impact what they can do to benefit people on a day-to-day basis.

If you reflect on the challenges you were addressing for the government 15 years ago and contrast them with the issues you're tackling today, how would you describe the nature of that transformation?

It's quite similar in some respects. We're still delivering services to citizens, but we're delivering them in a much more digital way. 15 years ago, a lot of the citizen-facing services were paper-based, whether it be going to the post office to renew your driving licence or applying for your passport. Now it can be done with a few clicks. Services to citizens have rapidly accelerated in the last 15 years and at the beginning of my career, a lot of the work that I was delivering was in back end integration. I think the pivot has been driven by the Government Digital Service (GDS) and it's been fascinating to see what they've been able to achieve.

Why GDS specifically?

Well, they're the custodians of digital standards. Those standards have elevated what citizens can expect and what suppliers need to deliver. It enables trust and consistency across the user experience so that when you go to gov.uk, you can trust that the services you're using are authentic and secure. The standards that they've put in place to ensure that services are secure, consistent, and user-friendly has put the user at the heart of what is being delivered. That alignment has been critical in ensuring the uptake of digital services across government.

How has the government's interactions with the cloud changed over the course of those 15 years? 

When I started working in the industry, most government systems were hosted on-premise. It was all about servers and racks and blades and switches and physical infrastructure. The mission back then was to create IT environments with multiple layers of security. It’s been incredible to see that now encompassed within the cloud and to see the expertise in that space. 

What are some of the problems the government is trying to solve when they ask for your help in shifting to the cloud?

It falls across a few areas. Often, it's modernising legacy services to improve performance, resilience, and scalability. Where systems might be creaking at the seams and where they may not be able to cope with the predictive volumes of transactions and users, they need to leverage the cloud to enable them to further enhance the services on offer.

Other times, it's aligning their services to GDS. Some services are outdated and need to be modernised to ensure that they can be secure and user-friendly. 

There are so many conversations right now about Gen AI, but GenAI relies on having a consistent data ontology that sits in the cloud so that you can leverage the capabilities of AI. That comes with its own challenges of course, and needs to be completed with proper governance to leverage the capabilities of hyper-scaling. 

Another trend we’re seeing is the incompatibility between legacy and cloud technologies. You can start to build in the cloud, but if you need to integrate with a legacy system that can often come with blockers, particularly when  releasing new features.

Are there any examples you can give of a time where you’ve supported the government with transitioning from legacy to cloud technology?

We partnered with the Driver and Vehicle Standards Agency (DVSA) where we were tasked with modernising the Driver Examiner Service. The typical image of a driving test is being sat beside the driving examiner as they assess and make records in paper form. This has been a paper-based system for over 85 years and we've worked with the DVSA to modernise that. We looked at the user experience, understood how the examiner interacts with the system, and then turned that into a modern service that sits within Amazon Web Services (AWS). That saved the DVSA approximately $500,000 a year but also reduced the paper that's generated – all enabled by the cloud.

What are your observations about the significance of culture and comfortability with legacy systems in front-line services, like the one you mentioned?

Many of the people that I speak to across government recognise the need to modernise. They also know they need to take employees with them on that journey. At BJSS, we're a part of that solution. It’s true that we do come up against some resistance to change, particularly from employees familiar with the current systems in place, but through a robust change management programme that takes them on the journey and making them part of the decision-making process we can empower those individuals. Keeping them in the conversation is vital.

On the subject of legacy systems, for someone that's a CDO or CIO, it can be hard to know where to start with legacy systems that go back decades. What short-term tactics and long-term strategies would you recommend for someone in their position dealing with a backlog of tech debt?

We know that the government spends around £2.3 billion a year maintaining legacy services and like you say, some of those go back decades. Understanding what you have is the first step, prioritising the critical systems that need updating first. These systems might be the ones that are the most business-critical, those with the highest transaction volumes or with the poorest citizen feedback. Security is also so vital and therefore a key consideration in making sure that we understand which systems need upgrading with the most urgency. Once you know what you have, then you can put a plan together around how to address some of those immediate needs.

You mentioned security. What value or vulnerabilities do you believe the cloud has in providing security to public sector data?

Half of UK businesses have experienced a cyber-attack in the last 12 months, according to DSIT. So, when government departments are migrating to the cloud, implementing robust security measures is a must. The likes of AWS have a security hub or access analyser and encryption software that strengthens the security of their IT systems. They invest in building those security guardrails within their environment so I would always advise to use those. Make sure you're not trying to rebuild something that's built into the cloud as it is, because that just adds extra complexity and extra vulnerabilities.

Having said that, don't assume it's all going to be secure by default just by building a landing zone and putting those guardrails in. You've still got to have checks and balances in place to conduct threat modelling, pen tests, training, and awareness. Technologies are rapidly evolving, so security has to keep pace of that. When we're deploying systems into the cloud, we're always thinking of security by design. So, think about the customer experience, most of us are used to using multi-factor authentication when logging on to banking applications, and government systems should be the same. When it comes to security, the government can learn a lot from the private sector.