October 19, 2017
Commentary: "Recovering" Maryland state chief information officer David Garcia explains how lack of communication, ambiguous documents, and restrictive and outdated processes have hamstrung the way government buys technology.
David Garcia is the former chief information officer and Secretary of Information Technology for the state of Maryland. He held that role from Febr...
“Government IT procurement.” These words, spoken together, cause anyone who has ever been involved with the procurement process to instinctively recoil. Personally, I have seen this reaction on the streets of industry and also within the halls of government.
But I’m getting ahead of myself.
When I was approached to serve in state government, my first reaction was doubt. Why would any practical IT entrepreneur risk being tied to a political administration? It is a possible career killer, for sure. Simply put, one misstep could yield a negative news headline, quickly followed by a public request for your resignation. Boom. That’s all it takes, and a once-bright career is over.
Furthermore, I was “that guy,” the one who vowed never to pursue state contracts again. I had experienced a number of issues directly and believed them to be systemic and prevalent among state governments.
So why on earth did I take the job, you ask? Long story short, I decided to stop complaining, roll up my sleeves, and start fixing. Yes, I agreed to serve, in part, for the chance to reform IT contracting within a state government.
So here is the reality of the situation: Government IT procurement is an alligator-filled swamp that is as treacherous for the agency as it is for the vendor. The swamp is made up of murky, outdated processes, and the alligators are the lawyers. (Special shoutout here to the MD AGs in the DoIT. Those alligators were instrumental in finding ways to get IT done.)
One side wants the best solution at the best price the marketplace can deliver. The other side wants to successfully provide that solution for a fair but profitable price.
Simple, right? Not so fast…
While there are a number of problems that seem to hinder the procurement process, let’s focus on one in particular: communication.
Once the procurement process has begun, there are many legal issues that constrain communication. Once the request for proposal (RFP) is released, the government has an obligation to assure a fair and equitable selection process. No specific vendor should have access to any information that others do not, so all communications are formal and public.
Trust me, a 100-page solicitation and 100-page vendor proposal are incredibly ineffective forms of communication. Project delivery is often strained as a result, and IT contractors end up managing to the contract instead of focusing on the real business need and timely, successful project outcomes.
Now, this is true once the process has begun. Communication can be improved. It just has to happen from the get-go.
There are a lot of actions that can be taken prior to procurement. In Maryland, we worked hard to keep our vendors informed and engaged. We regularly “telegraphed” our general IT direction, pain points, and goals. This was done through a number of initiatives.
Vendor Day was an outreach program we implemented that discussed the direction and vision for IT in the state. At quarterly meetings, vendors would acquaint themselves with both our procurement staff and department leadership. This provided vendors with direct access to department members and opened a dialogue in which they could discuss where the department was heading.
Vendors attending these events would know that the Department of IT was fully committed to delivering on the governor’s promise to lower cost, increase department efficiency, and respect the tax dollars of hardworking Marylanders. They also knew that the state was moving away from waterfall development, and that keeping state systems safe was our highest priority.
These events proved to have several benefits. For one, our staff came to understand the industry’s concerns. Second, and more importantly, our first-time vendors learned in a face-to-face session how the state’s process worked, something oddly uncommon in state government.
Meetings and Calls
The department leadership knew that communication was a critical component in the procurement process. Our senior staff welcomed all reasonable meetings, so much so that vendor meetings were a near-daily occurrence within the department. Those who wanted more information (pre-RFP) got it.
Most importantly, vendors that were involved in the process knew both the department’s and the governor’s IT direction.
Clarity During the Bid Process
Improvements were also made in our public responses to questions during the RFP process. Our position was to give thoughtful responses to questions posed by our vendor community, and to explain our position. If a vendor took exception to a term, we would fully explain why we were or were not willing to budge. No longer would one-word answers be acceptable. (That one word usually being “no.”) Our position was to respect the vendors’ bid and proposal (B&P) dollars, and ensure we received the best possible proposals to the benefit of all involved.
Let’s talk about the 800-pound mainframe in the room: the RFP
The perception within the vendor community is that when it comes to procurement, government is often secretive and unable to deliver clear, concise RFPs. In my experience, this perception isn’t entirely unfair. The truth is, government often struggles internally with a number of factors that contribute to producing a quality RFP. Subsequently, this struggle translates to failed IT projects and wasted taxpayer dollars. These failures are then seen within the halls of government as the albatross that is tied to administrations for decades.
Given this all-too-familiar sequence, procurement teams overcompensate with onerous RFP terms and conditions (T&C) that place the burden of risk on the vendor, leaving litigation as their only remedy.
I personally believe the RFP is the single largest factor in failed public IT projects.
Sure, IT projects fail for a number of reasons, but it is a rare thing to call the folks that drafted the RFP back into the room when the project is blowing up. Far too many RFPs are written by people who have limited IT experience and are usually disconnected from the project’s delivery.
Oftentimes, I have found that well-intentioned administrators are more beholden to the process for the process’ sake, rather than committed to actual successful outcomes. Many of these processes have been in place for decades. When was the last time we questioned their effectiveness in producing successful outcomes?
The bottom line is that administrators who tightly align the process of RFP production to both their IT technical staff and CORs will benefit by reducing failed outcomes. This single internal communication alignment will solve a number of clarity issues that shroud the RFP.
So why all the focus on the RFP?
In the end, both industry and government want the same thing: fair and open procurement that leads to successful implementation. While the devil is always in the details, clarity and open communication can go a long way in removing hindrances to the RFP process. The process can be dark and murky, but it doesn’t have to be. If government takes the time to communicate with industry — telegraphing its position in advance, keeping those paying attention in the loop — it will help drain the swamp, and that’s good for everyone.
From February 2015 until January 2017, David Garcia was Maryland's chief information officer under Gov. Larry Hogan. Now, Garcia has returned to NMR Consulting — a company he founded before joining state government.