Commentary: Consultant Luis Estrada draws on his experience as the former deputy chief information officer of Maryland to urge an organizational transformation throughout government that transcends technology.
Luis Estrada is a senior consultant at NMR Consulting, where he enables modern, agile IT in traditional organizations. Between 2015 and 2017, he al...
Government IT is in crisis.
We have overruns and delays that result in tremendous waste. We have mounting technical debt that is absorbing most of our IT budget, leaving less each year for innovation. Our cybersecurity risk is increasing uncontrollably, and our aging systems are becoming more difficult and costly to protect.
But this is not simply an IT crisis. The system of government itself needs repair, and there is no reset button. We have to do the hard work of digging out from where we are — we need an organizational transformation and culture change.
So, how bad is it?
Distressed projects, major failures, mounting technical debt, and a growing cybersecurity threat combine to form an unsustainable environment in government IT.
The federal government's modernization and new development efforts rarely succeed. The Government Accountability Office (GAO) says that "federal investments in information technology (IT) have often resulted in multimillion dollar cost overruns and years-long schedule delays, with questionable mission-related achievements."
Wow. That is a scathing report that speaks to the magnitude of the problem. Our projects cost millions more and take years longer to deliver – and this is the norm. Can it get any worse? Well, we're not sure, because even when IT investments do deliver, they are of questionable value.
Most of the IT budget is spent to simply run what we already have, not to adapt to the changing world around us. We keep legacy systems on life support because our investments in new development are not paying off. The GAO shows a consistently high portion of our budget — more than 75 percent — goes to operations and maintenance, and there is a steady decline of funds available for new development. This means new development is stressing operations rather than relieving the burden, leaving less available for innovation the next year and perpetuating the cycle.
On top of all of this, our cybersecurity situation is dire. Federal agencies have reported a 1,300 percent increase in cyber incidents from 2006 to 2015. Tom Bossert, the president's homeland security advisor, recently reported that the federal government sees "additional volume and occasionally additional successes that trouble us." The systems we have are under continuous — and growing — attack, and the applications we deliver are riddled with vulnerabilities that are allowing our adversaries to succeed.
Web application attacks account for a whopping 40 percent of confirmed breaches. According to some reports, public sector applications are riddled with vulnerabilities. Technology is advancing quickly, but application vulnerabilities haven't changed much. The Open Web Application Security Project’s top 10 vulnerabilities have seen little change over the years. Yet about 76 percent of our applications fail these tests upon initial inspection, and 64 percent are always vulnerable. We aren't getting any better, probably because there is a high demand for more code and more functionality without enough emphasis on security.
This cannot continue.
What is so different in government?
It is important to understand how government is different from the private sector — not as an excuse, but so we can properly design solutions for this unique environment.
In government, there is oversight over oversight on top of oversight. Each branch of government oversees the other. Agencies within the branches oversee their sister agencies. The political parties are watching each other. Commissions and committees and interest groups are also always watching. Citizens don't trust government, are skeptical as hell, and — oh, by the way — are both the customers and the shareholders. If an agency makes one wrong move, it will be used against them.
We must embrace oversight.
Oversight and transparency are here to stay. It's what we the people want and it serves a purpose. Government agencies should not ignore or circumvent oversight. Instead, agencies should work with their oversight bodies on seamless transparency and build compliance into their processes so audits aren't so daunting. But beware of oversight that forces how things are to be done. That is not the role of oversight. Agencies have the responsibility and authority to execute and should have the courage to do what is best. They should not use oversight as an excuse for processes that do not work.
Government is also in the unique position of juggling many important priorities that compete for resources.
What is more important, child welfare or law enforcement? Taking care of the elderly or at-risk youth? Transportation or public health? Even when we all want things like lower poverty, healthier populations, or a better economy, how much should we invest and how can we judge performance? If it costs $1 million to move the needle a little bit, was it worth it? How about $10 million or $100 million? Think of the children!!! There are often moral, social, political, or other unquantifiable factors involved that make it difficult to say.
Alignment is key.
The people vote for leaders who set strategy and priorities. Agencies should value investments and efforts that deliver on those strategies, while staying true to their missions. If your department's mission focuses on the environment and the leadership's strategy is to improve the business climate, are you at odds? No.
Departments should look beyond their boundaries to apply their expertise and services to help further leadership's strategy, regardless of where it is being carried out. Find a way to get to "yes" — to get to the best possible outcome within the constraints of the situation. It will never be perfect. Ideally, we would have the best environmental protections in a thriving economy. But in reality, we have limited resources and must balance priorities. So play your role and bring the perspective of your agency to the table to arrive at the best possible result.
Frequent leadership turnover is a reality of government that translates into frequent changes in strategic direction that can further exacerbate the issue. When a civil servant sticks her neck out to support an initiative, a change in leadership can put her at odds with the new strategic direction. She can be seen as a threat because she is aligned with the old regime. Better for government employees to avoid taking risks, keep their heads down, focus on their job description, and wait it out.
Organizational agility is absolutely necessary to solve this problem.
We know there is frequent change and must therefore be more agile — able to move and change direction and adapt quickly. Make sure our investments are producing returns regularly rather than huge multi-year initiatives that don't pay off until the end, if ever. When a change in strategy occurs, we should be able to change direction and use our resources to iteratively and meaningfully chip away at that strategy without pulling the plug.
This means dropping the project-centered focus in favor of long-lived programs, buying capabilities and capacity rather than projects and requirements, and aligning things like budgeting, procurement, and oversight to support smaller cycles with ongoing, real-time performance measures.
It is difficult to bust the silo mindset in government. Each department has its own budget and authority, each has its own workforce and function, and each views the other as a competitor for funds and good favor with their party or leadership. External oversight agencies are a threat to operations. It appears to many a zero-sum game — for one to win, another must lose. It is not actually a zero-sum game, but the political motivation is strong.
We don't elect a high-performing team as president. We elect a single man or woman. Same with department heads. In business, you might be appropriately rewarded for playing your part on a larger team. But for a department to recognize that real improvement for the citizen will come from investing in their sister agency, they are giving up an opportunity for a win. Combine this with the challenge of frequent turnover and, as a department head, you don't have time to wait your turn.
Cross-functional, cross-agency programs should be the norm. What makes agencies unique? Their missions, areas of responsibility, and expertise. Not their IT infrastructure or administrative processes.
To achieve any given goal, agencies should play their role in the larger effort. Too often, though, each department only looks internally and builds a full-stack capability to meet its own goals. We create initiatives that are totally scoped within the boundaries of a single department, guaranteeing that it will not produce the best overall value to the enterprise.
This is highly inefficient. Consider a company that registers a trademark with USPTO, pays taxes to the IRS, or acquires a license from the USDA, or the person who deals with a dozen different agencies to help them through hard times. Each interaction is different, duplicative, time-consuming, and extremely burdensome. The end-users, our constituents and businesses, don't care which agency delivers the service. What if programs were customer-centered and cut across departments to work for the people, not the bureaucracy?
All of this causes government employees to avoid risk and do whatever it takes to keep up appearances. It is safer to keep the lights on with the legacy systems we know than to risk new development. If we do attempt new development, we are more worried about offloading risk onto the vendor than anything else. When it inevitably fails or experiences overruns and delays, we don't want the failure to stick to us or whatever politician or party is in power.
Leadership needs to drive this change.
Only leadership can create an environment that protects their people when they take appropriate risk. Fail small, fail fast, and deliver frequently — all agile concepts that translate beyond IT. Our culture must shift away from this risk aversion to one of courage and innovation. A small failure can teach us more through experience — and cost less — than big, upfront, expert planning that cannot keep up with the rate of change.
W. Edwards Deming, a management guru of the 20th century, is credited with saying "people are already doing their best; the problems are with the system." The system is producing poor results. There is no technology solution that can fix it — installing a new software package or moving to the cloud is not going to fix it. More oversight is not the answer; we already have plenty. Different people or a better workforce is not the answer. Government employees are not inherently inferior to private sector workers.
We need organizational transformation, and it won't be easy.
Transformations often start with a crisis, some imperative that makes change essential. Small startups threaten even the largest, most established brands. Customer expectations seem to shift suddenly and drastically, leaving traditional businesses behind. Companies may lose market share or go out of business if they fail to transform. It's dog-eat-dog out there.
But not so in government. Unlike private institutions, government can't go out of business. Agencies don't have existential threats from other agencies. A startup agency can't unseat an established agency. (Though that would be an interesting experiment.)
Without the risk of going out of business, what incentive does an agency have to undertake this transformation?
On May 11, 2017, President Trump signed an executive order on cybersecurity, but the implications are wider and deeper than just cybersecurity. In the press briefing, Tom Bossert stated that "modernizing is imperative for our security, but modernizing is going to require a lot of hard, good governance." He highlights the crisis in government IT, and lays out the imperative of modernization for security's sake.
Is this the spark we need?
Seventy percent of transformation efforts fail. Most people who lead change never want to do it again.
There have been groups like the U.S. Digital Service and GSA's 18F to help spark the transformation needed. President Trump created the American Technology Council to help along those same lines. But these efforts are focused on IT. In today's digital world, everything is IT and IT is in everything. We can't pin this one on the IT geeks and let everyone else off the hook.
The problem is systemic, and requires a systemic solution. With this executive order, we are getting the top-down support needed to allow groups like 18F, USDS, and ATC to succeed. Bossert said "we view our federal IT as one enterprise network."
This is an important start of the culture change. It busts the silo mindset pervasive in government, and forces departments to recognize the big picture. It puts focus on the purpose of the whole as opposed to the desires of each of the 190 individual departments.
But what kind of continuous push will be needed to make this stick?
There's no denying the crisis. This crisis is different from anything the private sector has faced. Government can't go out of business. The only way out is to evolve from where we are. There is no starting over.
But we know how to approach this. We can't design a perfect solution up front. We must use iterative and evolutionary methods. More importantly, we must do the hard work of good old-fashioned organizational culture change. There is already a large body of knowledge across several disciplines that we can learn from, but if we do this right, we will uncover a new way of working that is uniquely government.
This article does not do the problem justice, so let's keep the conversation going. What do you think are the underlying causes? What will it take to resolve these issues? Please leave comments and let me know what you think, or connect with me on LinkedIn.