Showing posts with label IT security.

August 20, 2009

Andy Blumenthal Talks about Cloud Computing

Here is the podcast from MeriTalk Silverlining Series (August 2009)



August 12, 2009

Andy's Cloud Computing Presentation on MeriTalk

Introduction

First let me start out by saying that cloud computing brings us closer than ever to providing IT as a utility such as electricity, where users no longer need to know or care about how IT services are provided, and only need to know that they are reliably there, just like turning on the light. This is the subscription approach to using information technology, where base services are hosted, shared, and you pay only for what you need and use.

In cloud computing, there are a number of basic models. First, in public clouds, we have a multi-tenant, shared services environment with access provided over a secure Internet connection. In contrast, in a private cloud, the shared IT services are behind the company’s firewall and are controlled by in-house staff. Then, there is also a community cloud, which is an extension of the private cloud, where IT resources are shared by several organizations that make up a specific community.

The advantage to cloud computing—whether public or private—is that you have a shared, enterprise-wide solution that offers a number of distinct advantages:

  1. Efficiency–with cloud computing, we build once and reuse multiple times—i.e. we share resources—rather than everyone having their own.
  2. Flexibility–we are more nimble and agile when we can quickly expand or contract capacity on-demand, as needed—what some call rapid elasticity. Moreover, by outsourcing the utility computing elements of our IT infrastructure, we can focus our internal efforts on building our core mission areas.
  3. Economy (or economy of scale)–it’s cheaper and more cost effective when we can tap into larger pools of common resources maintained by companies with subject matter expertise. They then are responsible for ensuring that IT products are patched, upgraded and modernized. Moreover, we pay only for what we actually use.

Issue

So cloud computing sounds pretty good, doesn’t it? What then is the big issue? Plain and simple it comes down to—Is cloud computing effective for the organization? And what I mean by that is a few things:

  • First is customization, personalization and service: when you buy IT computing services in this shared services model, do you really get what you need and want – or are you just getting a canned approach, like the Model T that came in one color, black? For example, when you purchase Software as a Service are you getting the solution you need for your agency or the one built for someone else?
  • Next is security, privacy, and disaster recovery. This is a big deal because in a public cloud, you are capturing, processing, sending, and storing data outside of your proprietary infrastructure. This opens the door for theft, manipulation, or other ways of our data being compromised by criminals, cyber-terrorists, and even hostile nation-states.
  • Third, and maybe most important, is cultural, especially in a very individualistic society, like ours, where people are used to getting what they want, when they want, without having to share. For example, we prefer owning our own vacation home to having a time-share. We love the concept of a personal home theater. Everyone now has a personal cell phone, and the old public telephones that were once on every corner are now practically extinct. And most people prefer driving their own cars to work rather than using mass transit—even though it’s not environmentally friendly. So the idea of giving up our proprietary data centers, application systems, the control of our data, in a cloud computing model, is alien to most and possibly even frightening to many.

The Reality

So how do we harmonize the distinct advantages of cloud computing—efficiency, flexibility, and economy—with the issues of customization, security, and culture?

The reality is that regardless of customization issues, we can simply no longer afford for everyone to have their own IT platforms—it’s wasteful. We are recovering from a deep financial recession, the nation has accumulated unprecedented levels of debt, and we are competing in a vast global economy, where others are constantly raising the bar—working faster, better, and cheaper.

Moreover, from a technology standpoint, we have advanced to where it is now possible to build an efficient cloud computing environment using distributed architecture, virtualization/consolidation, and grid computing.

Thirdly, on a cultural level, as individualistic as we are, it is also true that we now recognize the importance of information sharing and collaboration. We are well aware of the fact that we need to break the stovepiped verticals and build and work horizontally. This is exemplified by things like Google Docs, SharePoint, Wikipedia, and more.

In terms of security, I certainly understand people’s concern and it is real. However, we are all already using the cloud. Are you using online banking? Are you ordering things online through Amazon, Overstock or other e-commerce vendors? Do you use Yahoo or Google email? Then you are already using the cloud, and most of us don’t even realize it. The bottom line on security is that every agency has to decide for itself in terms of its mission and ability to mitigate any risks.

How to Choose

So there are two questions then. Assuming—and I emphasize assuming—that we can solve the security issues with a “Trusted Cloud” that is certified and accredited, can we get over the anxiety of moving towards cloud computing as the new standard? I believe that since the use case—for flexibility, economy, and efficiency—is so compelling, that the answer is going to be a resounding yes.

The next question is, once we accept the need for a cloud computing environment, how do we filter our choices among the many available?

Of course I’m not going to recommend any particular vendor or solution, but what I will do is advocate for using enterprise architecture and sound IT governance as the framework for the decision process.

For too many years, we based our decisions on gut, intuition, politics, and subjective management whim, which is why statistics show that more than 82% of IT projects are failing or seriously challenged.

While a full discussion of the EA and governance process is outside the scope of this talk, I do want to point out that to appropriately evaluate our cloud computing options, we must use a strong framework of architecture planning and capital planning and investment control to ensure the strategic alignment, technical compliance, return on investment, and risk mitigation—including of course security and privacy—necessary for successful implementation.

How Cloud Computing fits with Enterprise Architecture:

As we move to cloud computing, we need to recognize that this is not something completely new, but rather an extension of Service Oriented Architecture (SOA) where there are service providers and consumers and applications are built by assembling reusable, shared services that are made available to consumers to search, access, and utilize. Only now with public cloud computing, we are sharing services beyond the enterprise and to include applications, data, and infrastructure.

In terms of a transition strategy, cloud computing is a natural evolution in IT service provision.

At first, we did everything in-house, ourselves—with our own employees, equipment, and facilities. This was generally very expensive in terms of finding and maintaining employees with the right skill sets, and developing and maintaining all our own systems and technology infrastructure, securing it, patching it, upgrading it, and so on.

So then came the hiring of contractors to support our in-house staff; this helped alleviate some of the hiring and training issues on the organization. But it wasn’t enough to make us cost-efficient, especially since we were still managing all our own systems and technologies for our organization, as a stovepipe.

Next, we moved to a managed services model, where we out-sourced vast chunks of our IT—from our helpdesk to desktop support, from data centers to applications development, and even to security and more.

Finally, the realization has emerged that we do not need to provide IT services either with our own or contracted staff, but rather we can rely on IT cloud providers who can offer an array of IT services, on demand, and who will manage our information technology and that of tens, hundreds, and thousands of others and provide it seamlessly over the Internet, so that we all benefit from a more scalable and unified service provision model.

Of course, from a target architecture perspective, cloud computing really hits the mark, because it provides for many of the inherent architecture principles that we are looking to implement, such as: services interoperability and component reuse, and technology standardization, simplification, and cost-efficiency. And on top of all that—using services on a subscription or metered basis is convenient for the end-user.

Just one last thing I would like to point out is that sound enterprise architecture and governance must be user-centric. That means that we only build decision products that are valuable and actionable to our users—no more ivory tower efforts or developing shelfware. We need to get the right information to the right decision makers to get the mission accomplished with the best, most agile and economical support framework available.



August 7, 2009

How to Strengthen the Office of the CIO - Part II

Published at Government Technology

[Editor's Note: This article is the second in a series that explores the CIO Support Services Framework in government.]

In Part 1 of The CIO Support Services Framework, I presented the six major components needed to support the public CIO in managing IT strategically and proactively. In this article, I will explain which IT best practice frameworks inform these six components and propose a structure for implementing it.

The six CIO Support Services Framework (CSSF) functions are distinct areas that require subject-matter expertise and need to be managed based on the various IT best practice frameworks. While I am not endorsing any particular best practice government or industry framework, below is a sampling according to CSSF functional area:

Enterprise Architecture (EA) -- Federal Enterprise Architecture (FEA), Department of Defense Architecture Framework (DoDAF), and The Open Group Architecture Framework (TOGAF).

Capital Planning and Investment Control (CPIC) -- Office of Management and Budget (OMB) Circular A-130--"Management of Federal Information Resources" and the Control Objectives for Information and related Technologies (COBIT) by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).

Project Management Office (PMO) -- the Project Management Book of Knowledge (PMBOK) by the Project Management Institute is the de facto standard project management best practices from initiation through project closeout.

Customer Relationship Management (CRM) -- the IT Infrastructure Library (ITIL) by the United Kingdom's Office of Government Commerce (OGC) and International Standards Organization (ISO) 20000--"IT Service Management." While both are very much operational frameworks, they can also be used to guide service and support at a strategic level in the OCIO.

IT Security (ITS) -- the Federal Information Security Management Act (FISMA), various Federal Information Processing Standards (FIPS) from the National Institute of Standards and Technology (NIST), and International Organization for Standardization ISO/IEC 17799 -- Information Technology Code of Practice for Information Security Management.

Business Performance Measurement (BPM) -- the Balanced Scorecard (BSC) by Kaplan and Norton from Harvard Business School -- examines financial, customer, internal business process, and learning and growth measures for the organization.

Although each of the six main functional areas and their supporting best practice frameworks are unique, they can and will overlap, and it is imperative that the OCIO develop a simple and streamlined process for managing these, so that IT and business personnel are not confused or burdened by redundant or circuitous IT processes that hinder, rather than spur innovation and agility. For example, while EA planning guides CPIC IT investment decisions, those decisions inform the next round of EA planning -- it is inherently cyclical. Nevertheless, we must ensure that the overall process flow between all six areas is as clear and simple as possible.

I like to use the example of a Monopoly game board as an analogy for how IT processes should ideally progress from "Go" all the way through -- logically, and more or less sequentially -- without project mishap and without ending up on the OMB Watch List for risky IT projects, the equivalent of landing in Monopoly "jail."

The CSSF provides the functional resources to fully support the OCIO and provide the capability to move from simply fighting day-to-day operational problems to strategically managing IT service provision, improving performance and increasing program and project success, through:

Planning (EA)

Investing (CPIC)

Executing (PMO)

Servicing (CRM)

Securing (ITS)

Measuring (BPM)

Each of these OCIO component functions is helpful in managing IT by providing the CIO the capability to better plan, invest, execute, service, secure and measure -- but these are not stand-alone functions -- they are all necessary and complementary.

An organization can have the best EA plan, but without the structured investment processes of CPIC, the plan will not drive, guide, influence and shape IT investment decision-making. In fact, I would propose that CPIC is an enforcement mechanism for carrying out the EA plan.

Similarly the organization can have a wonderful CPIC process for making IT investment decisions, but without a PMO to develop and enforce sound PM policies and practices, IT projects will continue to fail miserably. With an effective PMO, we will have more successful project execution, but without CRM to manage customer requirements and service and support issues, we run a very high risk of rolling out IT capabilities that the customer neither wants nor is happy with. Further, CRM will increase customer satisfaction, but without ITS, CIOs will not ensure the security of the information and systems that the users are depending on.

Finally, with ITS, CIOs will provide users with information security, but without BPM, they will miss the opportunity to perform structured performance measurement and management, so that the CIO has visibility into how IT is performing in all areas and on an ongoing basis and can take timely corrective action as needed.

Most organizations either don't do any of these CSSF functions well or they don't do them all. The six components need to be executed together -- the whole being greater than the sum of its parts. Further, I would propose that the six CSSF functions be implemented under the auspices of the CTO of the organization in order to centralize and holistically manage the functions in support of the CIO.

The result is that the CIO is better supported, without being overwhelmed, and the CTO has a clear mandate for strategically implementing the CIO's vision for the organization.

Of course, one of the biggest challenges to implementing the CSSF is finding and allocating the needed funding to support these OCIO functions. IT operations tend to be underfunded already and stuck in the perpetual firefighting mode. Executives often fear siphoning the needed money or people away from the short-term firefight to work on long-term strategy and implementation. This is a serious mistake!

Firefighting is a losing battle if you attack only the symptoms, but never address the cause or core strategic issues. Moreover, in the fast-paced technology environment of the 21st century, no IT leader can afford to be looking backward -- managing legacy systems that do not leverage modern technologies, techniques and methodologies for information sharing, collaboration and business intelligence.

If you are spending close to 100 percent on IT operations today, is it really unreasonable to allocate 3 to 5 percent of this to strategy, planning and control? Of course, this needs to adjust when IT budgets get extremely large or small and as the complexity of the organization shifts.

As the prior chief enterprise architect of the U.S. Coast Guard and of the United States Secret Service, I have always been a deep proponent of EA and CPIC to drive better IT investment decision-making. However, now as the chief technology officer (CTO) of the Bureau of Alcohol, Tobacco, Firearms and Explosives, I more fully understand how the CSSF functions and interplay are needed for the CIO to perform effectively.

Clearly EA and CPIC are not enough to adequately support the CIO's needs, and thus, they need to be extended with PMO, CRM, ITS and BPM. Moreover, these areas function best together for the reasons I mentioned prior -- it's a clear domino effect, where astute planning, sound governance, skilled project management practices, competent customer service, solid IT security and meaningful performance measurement are all necessary for the CIO to manage IT more strategically and effectively.

This is why I firmly believe that the CIO Support Services Framework is how we are going to have to manage IT to achieve genuine success for the CIO in the 21st century and beyond.

_______________________________________

Andy Blumenthal is chief technology officer at the Bureau of Alcohol, Tobacco, Firearms and Explosives. A regular speaker and published author, Blumenthal blogs at User-Centric Enterprise Architecture and The Total CIO. These are his personal views and do not represent those of his agency.



August 6, 2009

How to Strengthen the Office of the CIO - Part I


Published at Government Technology
[Note: This is a two-part article on strengthening the office of the CIO to improve IT operations. Part 1 examines the six components of a CIO Support Services Framework. Part 2 will explore best practices and implementation.]
Information technology is plagued with what federal CIO Vivek Kundra recently called "magnificent failures." A recent research survey by the Standish Group identified that more than 80 percent of IT projects were either failing or significantly at risk. Another article described the CIO's role as a nearly impossible job, trying to manage day-to-day firefighting with limited to no ability to get control and manage strategically.
We are investing massive sums of money, time and effort, only to disappoint customers, miss the mark on requirements and fail to deliver on time, within budget and to specifications.
The CIO Support Services Framework (CSSF) is an approach for changing the dynamic of failed IT projects and putting the CIO and other IT leadership back in the driver's seat, by ensuring that the structural components for success are identified, elevated and resourced appropriately.
The focus of this article is to identify, describe and link the core elements that make up and support an Office of the CIO for the purpose of demonstrating how that will lead to improved IT operations. When the CIO is properly supported, program and project management can be executed with strategic intent and alignment.
It is not my aim to discuss the pros and cons of the many solid approaches to IT project and program management today, such as the Federal Enterprise Architecture (FEA), Information Technology Infrastructure Library (ITIL), Control Objectives for Information and related Technology (COBIT), Project Management Body of Knowledge (PMBOK), Federal Information Processing Standards (FIPS) and International Organization for Standardization (ISO) 20000. I will say that while each is comprehensive in its own right, they are skewed by a particular emphasis on a particular function. For instance, FEA looks at architecture planning, ITIL on service support and delivery, PMBOK on project management and so on. What the CIO needs for ultimate success is a way to incorporate elements of all of these perspectives into a bigger picture.

Image copyright by Andy Blumenthal
So what is the CSSF? It is an IT framework aimed at standing up and strengthening an office of the CIO so that it can lead strategically and drive improved IT operations. The idea is that just as business drives (or ought to drive) technology within the greater organization, so too within the function of IT, the CIO and his or her strategy must drive technology operations rather than just fighting fires.
In the typical IT organization, CIOs are expected to be both strategist and problem-solver, with little supporting strategic infrastructure to guide, influence, shape and drive their key decisions about IT operations. All too often, problems crop up and even the most skilled and well intentioned CIOs are left to make decisions based on gut, intuition, politics and subjective management whim.
Even if the CIO has an IT governance board to shoulder some of this responsibility, together they are still like blind people grasping in the dark for answers. This framework corrects the structural defects in today's IT organization that cause this situation to occur.
The CSSF has six major components:
1. Enterprise Architecture (EA) -- for strategic, tactical, and operational planning in the organization. EA includes all perspectives of the organization's architecture including: performance, business, information (data and geospatial), services (or systems), technology, security, and human capital (this last one is currently missing from the Federal Enterprise Architecture).
In EA planning, we develop the current architecture--where we are today in terms of business and technology resources, the target--where we want to be in the future through business process improvement and technology enablement, and the transition plan--how do we get from where we are today to where we want to be in the future.
More mature EA's provide business, data, and systems models, and identify gaps, redundancies, inefficiencies, and opportunities in the business and IT and recommend business process improvement, reengineering, and new technologies to improve organizational performance.
2. Capital Planning and Investment Control (CPIC) or IT governance -- manages the IT investment decision processes of selecting, controlling, and evaluating new or major changes to the IT portfolio ( i.e. to put those plans to work and make them pay-off). CPIC can ensure that IT investments maximize return on investment, minimize or mitigate risk and provide for strategic alignment to the business.
CPIC also helps make IT investments technically compliant by ensuring that desirable IT behaviors are followed, such as information sharing and quality, interoperability, component reuse, standardization, simplification, cost-efficiency, and of course security.
3. Project Management Office (PMO) -- oversees the effective execution of IT projects. These projects derive from the EA technical roadmap and transition strategy and from IT investment decisions coming out of the governance board(s) in CPIC. Project management is how we manage all facets of a project, including scope, schedule, cost, quality, project resources, integration, communications, and more, from the initiation of a project through its closeout. Project managers typically develop the work breakdown structures and project schedules, and monitor and manage progress against these.
4. Customer Relationship Management (CRM) or IT service management -- for managing service and support to our customer with "one call does it all". As opposed to customer management within IT operations which is focused on helpdesk, availability, break-fix, and support issues, CRM in support of the CIO is focused on serving as IT liaisons to the business responsible for overall customer satisfaction, generating and managing customer requirements, supporting business case development, and handling internal business complaints, issues, and coordinating problem resolution with IT operations.
5. IT Security (ITS) -- how we conduct IT security policy and planning. This function encompasses how we plan, assess, and enforce IT security, and not the actual implementation of IT security, which is an operational IT function. This functional area includes preparing certifications and accreditations, risk assessments, security plans, vulnerability testing, security awareness training, and security policies. IT security ensures the confidentiality, availability, integrity, and privacy of the organization's information.
6. Business Performance Management (BPM) -- how we measure and drive performance, so we know whether we are hitting the EA target or not. BPM involves identifying performance measures, capturing, analyzing and reporting on metrics, and providing the CIO with IT executive dashboard views that show which programs and projects are on track, challenged, or in jeopardy of failure.
Typically BPM provides for a drill-down capability, so high-level "red-yellow-green" program/project indicators and milestones can be decomposed into lower levels of detail for trends, analysis and making course corrections. BPM should provide a feedback mechanism for how the IT function is performing and drive continuous process and performance improvement in the CIO organization.
Together these six areas make up a holistic and synergistic set of support functions that constitute a fully capable Office of the Chief Information Officer (OCIO) at the center.
In creating a strong OCIO, the CIO Support Services Framework wisely separates the policy, planning and oversight functions from the IT operations. This is beneficial in two main ways: First, this enables the CIO to strategically and proactively direct IT operations, rather than being in perpetual firefighting and reactive mode. Second, the separation of duties -- strategy from operations -- creates a healthier organizational dynamic and interplay in IT, where the fox is not left guarding the chicken coop.
Part 2 of this article will explore IT best practice frameworks and implementation of the CIO Support Services Framework.
_____________________________________
Andy Blumenthal is chief technology officer at the Bureau of Alcohol, Tobacco, Firearms and Explosives. A regular speaker and published author, Blumenthal blogs at User-Centric Enterprise Architecture and The Total CIO. These are his personal views and do not represent those of his agency.


June 27, 2009

Now We All Have Skin In The Game

It used to be that cybersecurity was something we talked about, but took for granted. Now, we’re seeing so many articles and warnings these days about cybersecurity. I think this is more than just hype. We are at a precipice, where cyberspace is essential to each and every one of us.

Here are some recent examples of major reviews in this area:

  • The White House released its 60-day Cyberspace Policy Review on May 29, conducted under the auspices of Melissa Hathaway, the Cybersecurity Chief at the National Security Council; and the report states: “Cybersecurity risks pose some of the most serious economic and national security challenges of the 21st century…the nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat."
  • The Center for Strategic and International Studies’ Commission on Cybersecurity for the 44th President wrote in a December 2008 report: “America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration…It is a battle we are losing.”

Cyberspace is becoming a more dangerous place as the attacks against it are growing. Federal Computer Week, June 2009, summarized the threat this way:

“Nation states are stealing terabytes of sensitive military data, including some of the most advanced technology. Cybercrime groups are taking hundreds of millions of dollars from bank accounts and using some of that money to buy weapons that target U.S. soldiers. The attacks are gaining in sophistication and the U.S. defenses are not keeping up.”

Reviewing the possibilities as to why this is happening: Have we dropped our guard or diverted resources or knowhow away from cybersecurity in a tight budgetary environment and now have to course correct? Or, have our adversaries become more threatening and more dangerous to us?

I believe that the answer is neither. While our enemies continue to gain in sophistication, they have always been tenacious against us and our determination has never wavered to overcome those who would threaten our freedoms and nation. So what has happened?

In my view the shift has to do with our realization that technology and cyberspace have become more and more vital to us and underpin everything we do--so that we would be devastated by any serious disruption. As the Cyberspace Policy Review states definitively: “The globally-interconnected digital information and communications infrastructure known as ‘cyberspace’ underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security.”

We rely on cyberspace in every facet of our lives, and quite honestly, most would be lost without the connectivity, communications, commerce, productivity, and pleasure we derive from it each and every day.

The result is that we now have some serious “skin in the game”. We have something to lose--things that we deeply care about. Thus, we fear for our safety and survival should something bad happen. We think consciously or subconsciously how would we survive without the technology, Internet, and global communications that we have come to depend upon.

Let’s think for a second:

What if cyberspace was taken down or otherwise manipulated or controlled by hostile nation states, terrorists, or criminals?

Would there be a breakdown in our ability to communicate, share information, and learn? Would there be interruptions to daily life activities, disruptions to commerce, finance, medicine and so forth, concerns about physical safety or “accidents”, risks to critical infrastructure, and jeopardy to our ability to effectively protect ourselves and country?

The point here is not to scare, but to awaken to the new realities of cyberspace and technology dependence.

Safeguarding cyberspace isn’t a virtual reality game. Cyberspace has physical reality and implications for all of us if we don’t protect it. Cyberspace is a critical national asset, and we had better start treating it as such if we don’t want our fears to materialize.



June 26, 2009

The Cloud is a Natural Evolution of IT


Cloud computing is bringing us closer than ever to providing IT as utility, where users no longer need to know or care about how the IT services are provided, and only want to know that they are reliably there—just like turning on the light.
This rent-an-IT model of cloud computing can apply to any portion of an organization’s IT architecture, as follows:
  • Service architecture—for application systems, there is “software as a service” (SaaS) such as the Google Apps suite for office productivity or Salesforce.com for customer relationship management. And for developing those systems, there is “platform as a service” (PaaS) such as Google App Engine (GAE) or the Defense Information Systems Agency (DISA) Rapid Access Computing Environment (RACE).
  • Information architecture—for storing the data used in systems, there is “storage as a service” such as Amazon’s Simple Storage Service (S3).
  • Technology architecture—for hosting systems, there is “infrastructure as a service” such as Amazon’s Elastic Compute Cloud (EC2).
The big advantage to using hosted IT or cloud computing is that it provides on-demand information technology—again like your electricity usage; the juice is there when you need it. Additionally, by outsourcing to specialist IT providers, you can generally get more efficiency, economy, and agility in providing IT to your organization.
Of course, there are challenges that include ownership, security, privacy, and a cultural shift from a vertical (stovepiped) to horizontal (enterprise and common services) mindset.
From my perspective, cloud computing is a natural evolution in our IT service provision:
  1. At first, we did everything in-house, ourselves—with our own employees, equipment, and facilities. This was generally very expensive in terms of finding and maintaining employees with the right skill sets, and developing and maintaining all our own systems and technology infrastructure, securing it, patching it, upgrading it, and so on.
  2. So then came the hiring of contractors to support our in-house staff; this helped alleviate some of the hiring and training burden on the organization. But it wasn’t enough to make us cost-efficient, especially since we were still managing all our own systems and technologies for our organization as a stovepipe.
  3. Next, we moved to a managed services model, where we outsourced vast chunks of our IT—from our helpdesk to desktop support, from data centers to applications development, and even to security and more. But apparently that didn’t go far enough, because we were still buying, building, and maintaining our own IT instances for our organization, but now employing call centers and data centers in far-flung places.
  4. And finally, the realization has emerged that we do not need to provide IT services either with our own or contracted staff, but rather we can rely on IT cloud providers who will manage our information technology and that of tens, hundreds, and thousands of others and provide it seamlessly over the Internet, so that we all benefit from a more scalable and unified service provision model.
The cloud computing model takes the CIO/CTO and their staffs out of the fire-fighting mode of IT management and into the driver’s seat for managing IT strategically, innovatively, and with a focus on the specific mission needs of their organization.


March 7, 2009

6 CIO Tools for Managing IT Risk

“The consequences of not managing risk have hit Americans square in the jaw.”-- Government Executive magazine, March 2009

Too often CIOs see themselves very literally as managing IT. What they need to do is manage risk along with all of the other key leadership issues such as innovation, information-sharing, collaboration, and so on.

Context

The IT environment today is part of a larger social, political, and economic context that is more fraught with risk than ever. The mortgage meltdown, the financial crisis, job losses, volatility in commodity prices (e.g. oil), and so much more—it seems like it will never end. I would add that recently we had birds collide with an airliner in NY, satellites that collided in space, and French and U.K. submarines that collided. Oh, let’s not forget Russia’s invasion of Georgia, the terrorist attacks in India in November that killed at least 173 and wounded 308, and the Asian Tsunami in 2004 that killed over 225,000 people from 11 countries.

This is scary beyond belief!

Is G-d punishing us, teaching us, ignoring us?

Expectations

Whatever is going on, people are crying out for help--they are praying, and they are also turning to their government for “recovery” (as in the Recovery Act), “bailout” (as in taxpayer bailout), “relief” (as in the Troubled Asset Relief Program). The CIO is operating in an environment in which risk management is increasingly something that the average citizen expects from their leaders (and IT is not immune):

--“Citizens are increasingly calling on government to prevent bad things from happening and to ride in to help when they do.” (Donald Kettl).

--“Americans want life to be less risky…[and so] without realizing it, federal officials are risk managers at their core.”

--“The public not only demands that the government manage the consequences of risk, but that it deals with problems before they turn into catastrophes. Merely reacting to risk is eroding the people’s trust in government.”

Challenges

While risk management is clearly a critical need, it is also more difficult than ever, for the following reasons:

--Pace and impact—“the problem now is the rapid pace of the challenges—that whatever it is that happens punishes and punishes instantly.”

--Scope—“’we obviously don’t want to get to a state where the government is running everything.’ But with no clear definition of the limit, the number of public risks the government should manage appears endless.”

In my opinion, cost is a huge factor as well. Just the financial crisis so far has cost us trillions of dollars and added to our debt probably for generations to come, and at a time when we are already on the brink with unfunded Social Security and Medicare liabilities for the baby boomers, who are quickly nearing retirement and are feared to overwhelm the system. How much more financial burden can the system take before there are dire consequences?

Framework

There are no easy answers to these trying times or to how we manage the incredible risk that we seem to face virtually every day. However, there are three common approaches to risk management set forth by Moss:

--Reduce it (or eliminate it, if possible)

--Spread it

--Shift it

We often reduce risk by having a backup plan (such as in IT having backup and recovery), and we mitigate risk by spreading or shifting it (such as through insurance policies or government social programs, and so forth).

6 Tools for CIOs

These lessons in risk management are critical to professionals in information technology, a field that is always in rapid transition with changing products, skill sets, and practices, where the scope of IT impacts almost everything we do (from online finance, health IT, e-commerce, robotics, and more), and where the price of keeping up with the Joneses in technology does not come cheap for any organization these days.

In IT, where more than half of projects are over budget or behind schedule and many end up cancelled altogether, we need to manage project risk. Here is a suggested toolkit for CIOs to do so:

--First, we need an architecture plan to ensure that we are aligning to business requirements and complying with technical requirements. This helps reduce the risk that we are doing IT the “wrong” way.

--Second, we need to have sound IT governance to manage the selection of our investments, the control of cost, schedule, and performance, and the evaluation for lessons for the future. This helps reduce and spread the risk that we are making the “wrong” IT investments.

--Third, we need solid project management to guide projects from initiation through close out in a defined, repeatable, and measurable way. This helps reduce the risk that we are doing projects the “wrong” way.

--Fourth, we need robust IT security that protects our data from manipulation, interception, interjection, or other malice. This helps reduce and spread the risk of our IT working “wrong”.

--Fifth, we need adept customer relationship management so that we are fully engaged with our customers in building solutions that meet their needs and solve their business problems. This helps spread and shift the risk that we are managing our IT customers the “wrong” way.

--And sixth, and not least, we need to focus on our human capital to ensure they have the leadership, motivation, tools, and training to perform at their peak. This helps reduce and spread the risk of human error.

Together, these six CIO tools are the keys to the kingdom when it comes to managing IT risk and we can never take risk management for granted.


March 1, 2009

Cybots to the Rescue

In the Star Trek series Voyager, the (cyb)Borg wants to assimilate everyone (literally every species and they are given numbers to keep track of them) throughout the galaxies into their collective. They are an existential threat to humankind. And it makes for some great science fiction entertainment.

In real life though, the cybots are coming not to harm, but to help people.

Government Computer News, 23 February 2009, reports that Oak Ridge National Lab is working on developing cybots (software robots) to defend us in cyberspace.

Cybots are “intelligent enough to cooperate with one another to monitor and defend the largest networks.”

What makes cybots more effective than the software and hardware security we have today?

“Instead of independent devices doing a single task and reporting to a central console, the cybots would collaborate to accomplish their missions.”

The end state is a virtual cybot army deployed so those seeking to do us harm in cyber-warfare will themselves be the ones for whom “resistance is futile”.

Could cybots end up like the Cylons in Battlestar Galactica or the machines in Terminator that turn on humans?

The Cybots have a programmed mission such as “network monitoring and discovery, intrusion detection, and data management.” So the hope is that they stay true to those things.

However, to me it seems completely plausible that just as cybots can be developed for defensive capabilities, they can also be programmed for offensive cyber warfare. And if they can be used offensively, then we can end up on the wrong side of the cybots someday.

Where does this leave us?

It seems like cyberspace is about to get a whole lot more complicated and dangerous—with not only human cyber-criminals and –warriors, but also cyber robots that can potentially wreak Internet havoc.

In terms of planning for future IT security, we need to stay technologically on the cutting edge so that we stay ahead of our adversaries as well as in constant control of the new defensive and offensive cyber-weapons that we are developing.


December 13, 2008

Coming Soon: A Federal Chief Technology Officer (CTO)

What is the role of the Federal Chief Technology Officer (CTO) that we are anxiously awaiting to be announced soon in the President-elect Obama administration?

There are some interesting insights in Federal Computer Week, 8 December 2008.

CHANGE: Norman Lorenz, the first CTO for OMB, sees the role of the Federal CTO as primarily a change agent, so much so that the title should be the federal chief transformation officer.

TEAMWORK: Jim Flyzik, the former CIO of the U.S. Department of the Treasury, and one of my former bosses, sees the CTO role as one who inspires teamwork across the federal IT community, and who can adeptly use the Federal CIO Council and other CXO councils to get things done—in managing the large and complex federal IT enterprise.

VISION: Kim Nelson, the former CIO of the Environmental Protection Agency says it’s all about vision to ensure that agencies “have the right infrastructure, policies, and services for the 21st century and ensure they use best-in-class technologies.”

ARCHITECTURE: French Caldwell, a VP at Gartner, says the CTO must “try to put some cohesion and common [enterprise] architecture around the IT investment of federal agencies.”

SECURITY: Dan Tynan, of “Culture Clash” blog at Computerworld’s website said the federal CTO should create a more secure IT infrastructure for government.

CITIZENS: Don Tapscott, author of “Wikinomics: How Mass Collaboration Changes Everything,” seems to focus on the citizens in terms of ensuring access to information and services, conditions for a vibrant technology industry, and generally fostering collaboration and transformation of government and democracy.

This is great stuff and I agree with these.

I would add the following four:

INNOVATION: The Federal CTO should promote and inspire innovation for better, faster, and cheaper ways of conducting government business and serving the citizens of this country.

STRATEGY: The Federal CTO should develop a strategy with clear IT goals and objectives for the federal government IT community to unite around, manage to, and measure performance against. We need to all be working off the same sheet of music, and it should acknowledge both commonalities across government as well as unique mission needs.

STRUCTURE: The Federal CTO should provide efficient policies and processes that will enable structured and sound ways for agencies to make IT investments, prioritize projects, and promote enterprise and common solutions.

OUTREACH: The Federal CTO is the face of Federal IT to not only citizens, but also state, local, and tribal governments, international forums, and to the business community at large. He/she should identify stakeholder requirements for federal IT and align them to the best technical solutions that are not bound by geographical, political, social, economic, or other boundaries.

The Federal CTO is a position of immense opportunity with the enormous potential to drive superior mission performance using management and IT best practices and advanced and emerging technologies, breaking down agency and functional silos in order to build a truly citizen-centric, technology-enabled government in service to citizen and country.
