Australian Tax Office: Bill Gibson, CIO

Bill Gibson, CIO of the Australian Tax Office, spoke to ZDNet.com.au about why he doesn't completely trust open source software, how the ATO handles security and why competing vendors will have to learn to work together.
Written by Munir Kotadia, Contributor

Which technologies are you particularly excited about?

Gibson: We are very interested and excited about collaboration technologies at the moment, and we see there is real application for benefits to be had internally in the organisation through the use of such technologies. We in the tax office haven't done a great deal with such things as instant messaging even, and just the equivalent of NetMeeting type arrangements and technologies.

So we are starting to explore that right now and we have got a pilot of about a hundred users that are equipped with little ultra-light laptops and have got cameras and such, and we are exploring how video conferencing, how access to being more easily able to share information during a conversation, how that benefits their day to day work experience. We think it could be quite powerful.

Previous to this, the best we have been able to do is through e-mails. And we have found that people use e-mails a great deal to communicate almost in real time. They are writing a dialogue on e-mail. I think also just the ability to get closure on issues in real-time would be very, very powerful. For example, you are in a meeting with some colleagues, and a relatively straightforward or well-bounded question comes up, and you can answer on the spot.

And so what happens is you tend to delay being able to progress even further, but if you can get that answer at that point in time, then I think that may give you closure, or it may in fact allow you to move onto another path that you can further explore and get real value from.

We are using the Microsoft Live Communication Server because that integrates best with our environment. We are a heavy Microsoft Office user. We use a lot of .NET-type technologies.

Compared to last year, will you spend more or less on IT in 2008?

Gibson: At this stage, I would say that we will not spend any more than we spent last year. The pressure on the IT area, the demand on IT within the ATO is still intense. It is a very key enabling part of our business operation. And so I would expect us to be spending more or less the same as we were spending last year. We will distribute how and where we spend that a little differently though.

How is the ATO outsourcing strategy evolving?

Gibson: We are clearly going to a multi-sourcing environment where we will spread it over three major bundles of network, and computing, and end user computing. But I think there is an equally big challenge in the vendor community to deliver real customer value and service as distinct to doing what is profitable for them. And so we've got a lot to do in terms of getting ourselves ready as to how we govern the suppliers. But I think the suppliers have to reflect on what the customers' needs are.

If you look at where the whole outsourcing community is going, we are going away from -- well, for large corporates -- we are going away from whole-of type bundles to splitting it. That means some vendors who didn't like to work together in the past will now have to work together, because they will be providing complementary services. So I think there is a whole lot of change required on both sides of this particular customer supplier continuum.

What are the ATO's most innovative tech projects over the past year?

Gibson: One of the big improvements for us has been the implementation of our CRM and case management systems. Through their Siebel platform, we are using for that. And that has really led to some quite improved customer -- we call them clients -- experience.

Previously we would have a view of an individual's obligations on to, say, income tax and they might have some GST obligations. They were held together in two separate systems. We have now brought that all together so that in one screen, in front of our officers' view, we have got all of them in one screen, so they can see all correspondence, all activities that have been pursued between ourselves and that taxpayer. That is helpful because it gives us that full context view, so that we can make better decisions then as to how we will treat a particular circumstance that is facing a taxpayer.

We have introduced some technology. There is an automated call-back, so you nominate to be called back by the ATO, and we have found that that has been a very well received initiative.

It means that I can go off and do something else and then the ATO will call me back and if I take the call, good, the conversation can continue. I don't need to take the call then. We will call back a second time and/or a third time. And so it can be when you are ready to talk with us, not just when we are ready to talk to you. And that has been very, very well received.

How much open source software does the ATO use?

Gibson: The principal open source we are very comfortable with, the issue for us has been that we have yet to really find an enterprise application on which we could leverage this. We have got a number of components within our operating environment that utilise open source technology but we have not found an office -- I don't mean a Star Office or a Microsoft office -- we have not found an ATO office-wide type of application that we are yet comfortable with.

We are very, very focused on security and privacy and the obligations that we have as an agency to ensure that we protect those rights of citizens' information in that respect. So, we've continued to have concerns about the security related aspects around open source products. We would probably need to make sure that we will be very comfortable -- through some form of technical scrutiny -- of what is inside such a product so that there was nothing unforeseen there.

But when we find one, there's no reason why we would not embrace that, and perhaps something like the standard office software could be a starting point. And we may explore that as part of our end user computing outsourcing bundle, which we will kick off in the second half of this year. So we will do some planning in the second half of this year for something that will need to be in place by June of 2010.

How important is mobile computing to the ATO?

Gibson: We have been trialling a number of technologies for the last 12 months, which will allow our staff to be able to access, in a secure way, ATO systems wherever they are and irrespective of the time. They can be in the office, they can be out of the office. They can be in an airport lounge, they can be in a hotel. They can be overseas.

A whole different range of connectivity offerings have been trialled by some hundreds of our officers, utilising such technologies, whether it be 3G type telephony, broadband at home, all of those connections.

Until very recently, we've not been comfortable that the telecommunications providers have been giving sufficient network coverage to allow us to lock this in. We were planning two years ago to equip our officers who needed to do field audits with a capability to download to their laptop all of the related information about a particular taxpayer that they were going to have a discussion or review with.

We've now decided we don't have to preload that, because we have demonstrated satisfactorily that we can do that in real time in situ. That's where we'll be over the next 12 months. We'll be looking to expand and deploy that type of capability in a widespread production use.

How much do you spend on security and what measures do you take to protect taxpayer data?

Gibson: For those things that are uniquely security, probably about five percent of our budget is aimed at those hard security, easy to measure items. But it's hard to then extract, what about the logic that's in an application that helps underpin that?

It's probably going to be closer to 15 or 20 percent of our budget is security related, although the obvious ones that you can touch -- you've got these boxes that do the security gateway, we've got these people who do security audits and so forth -- is probably about a five percent measure. But it's much broader than that because security is quite pervasive through our layers, whether it be application, look procedures, infrastructure, network. It's across a lot of that, little bits all over the place. It's hard for me to be able to qualify in a detailed way.

The thing that concerns us most is identity theft, and being therefore able to masquerade or perform some fraudulent activity. We're very concerned about that, and so we're looking to where other technologies are going that could help give protection not only for us but for end users and our clients. Because there's as much a threat for them -- even if we're completely locked down -- for them to inadvertently disclose financial, or even their own tax affairs.

Any laptop that we take out of the office is fully encrypted and it's very difficult to break. It's got a very hard strength encryption algorithm on it. We're also looking at making sure there's no persistence of data on these devices, so it's almost like thin-client and you don't actually hold the data there. It's really just a view of what's held back in a secure location.

We have also implemented a range of security gateway filters so that the only information that is really saved -- to other than these tightly controlled locked down devices -- is unclassified information. If it's In Confidence or above we block it at the datacentre type gateway so that that won't go out.

E-mails are examples of that. We recently implemented a security classification regime, which requires everything to be tagged and then, depending on the tagging, that will be allowed out or transfer to this or that type of device -- or not. We're controlling that quite comprehensively.

Do you make use of Web 2.0 technologies?

Gibson: We're thinking about how we might use Web 2.0 for some of our corporate processes rather than some of these internal, "how you work together" type of processes. We've yet to really explore that. Web 2.0 for me at the moment, there's value there clearly around the social networking capabilities. I'm not sure yet how we translate that into a business networking environment but we know that the collaboration stuff will be really beneficial to us.

I think that we will also be exploring redesign of such things as our Web sites, how we might integrate some of those Web 2.0 principles or technologies to help our interaction with the community. We're looking at could we have some sort of click to call. If you're on the Web, on ato.gov.au, and you are confused about something and want to talk to an individual at the ATO, we would ideally like to be able to offer that facility. You've explored this, you want to actually talk to a real person who can help you. Just on a click we can use the Web technologies to take them into one of our contact centre areas to help them through their complexities of the tax system. That's some years away but there are other sorts of things that we think could have real value for us.

As a CIO, how do you measure your success?

Gibson: There are the obvious hard ones that we are all accountable for -- such as you have to deliver a particular agreed functionality time frame at a particular cost. That is easy to say, but it is also hard to do when you're running very large programs. You know, some 150 related projects as part of a program. Nonetheless, they are still some of the key measures that we use.

We can say we did what you wanted and we did it on time and to budget. But because sometimes the business problem itself is either so complicated or grey, then it's sometimes not the right thing to just go down and say we've done exactly what you've asked us to do. That might have been a less than precise statement of what was needed.

In the past, I've been in situations where IT delivered exactly what was asked of it. However, it wasn't the problem that the business was trying to solve. That was partly because we hadn't engaged broadly enough -- this wasn't at the ATO -- with the user community, so we were getting a narrow view of what the problem was. Also, we spent too long developing it. So, what had happened was, you built something, but the problem had shifted so that you delivered a solution to a problem that was yesterday's, not today's problem. Measures of that type of satisfaction and comfort are very important to me as well.
