County and Municipal Executive’s Guide to Cybersecurity

Cybersecurity Myths

by Jeffrey Morgan

Download this guide in PDF.

Information and cybersecurity are somewhat mythical subjects and many misconceptions abound. Here are a few examples of the many myths surrounding cybersecurity:

  1. Information and cybersecurity programs are built on technology.
  2. Cybersecurity programs are expensive.
  3. Information and cybersecurity programs should be managed by Information Technology staff.
  4. The greatest cybersecurity threats come from outside your organization.
  5. Your IT staff would be able to detect a breach or other anomaly.

Do you believe in any of these myths? If so, keep reading because all five of these statements are false.

Why should municipal executives care about cybersecurity?

Information and cybersecurity problems cost money.

According to the 2018 Ponemon Institute Data Breach Study[i], the average total cost of a data breach is $3.86 million. Data breaches aren’t the only type of devastating cybersecurity problem and global costs for ransomware are expected to reach $11.5 billion[ii] in 2019. Malware can quickly bring a halt to your business activities and we have seen municipal services brought down for over a week because of infections that were a result of failure to follow policies and procedures.

Non-fiscal consequences of information security problems may have a more significant long-term impact on your organization than fiscal consequences and may include loss of reputation and litigation.

Cybersecurity incidents are a reflection of organizational management.

Information Security disasters are almost always a reflection on organizational management and the worst time to find out that you didn’t have a comprehensive cybersecurity program is in the aftermath of a breach. Most cybersecurity events occur for one of three reasons:

  1. People didn’t do what they were supposed to do (i.e. patching, backing up, checking logs).
  2. People did something they weren’t supposed to do (i.e. using inappropriate web sites, inserting flash drives, opening links on phishing e-mails).
  3. People have no idea what they are supposed to do (lack of policy, procedures throughout the organization).

Knowing what your staff is doing is a basic management responsibility. Show me a cybersecurity incident, and I will show you a chain of supervision and management failures that go all the way to the top of an organization.

Boards and governing bodies are beginning to see it this way too, and currently, senior C-level executives lose their jobs in roughly one-third of breaches[iii] and other cybersecurity events.

Quite simply, information and cybersecurity are management responsibilities and good information security programs require ongoing management attention. Managers don’t need to be cybersecurity or technical experts; they do need to ensure that appropriate controls, policies, and procedures are in place. Your IT department isn’t the solution; management principles are.

What fails in cybersecurity incidents and breaches?

Depending on what research you read, somewhere between 60 and 90 percent of cybersecurity problems are caused by human error. In my experience, 90 percent sounds about right, although it could easily be closer to 100 percent. This all fits right in with W.E. Deming’s theory that 94% of problems in an organization are a result of management failures.

Major information breaches occur daily and only a small percentage of these make headline news. The most infamous of these include Equifax, Marriott, Yahoo, Target, and Anthem. In many local governments and smaller enterprises, the cybersecurity programs are not sufficiently robust to even identify whether a breach has even occurred.

A small sampling of 2018 information security incidents from the county and municipal sectors includes:

  1. City of Atlanta
  2. St. Lawrence County, New York
  3. Adams County, Wisconsin
  4. Otsego County, NY
  5. 50 central New York school districts

What most breaches have in common is that technology didn’t fail – people failed. Policies, procedure, and management failed. In the Equifax breach, someone failed to apply current patches to servers with known vulnerabilities. The CEO, Richard Smith, lost his job over the incident, but he wasn’t the culprit who failed to patch. He did handle the incident poorly, though.

If you take a proactive approach to cybersecurity, you have control over what you do and how you do it. However, in the aftermath of a breach, you may find your organization under investigation by the US Office of Civil Rights if the breach involved PHI and criminal charges may be involved as well. Your response may be dictated by state and federal regulators and you will have lost control of the process. A proactive approach to cybersecurity is clearly more desirable.

How would you handle a breach?

How would your organization be able to identify a breach? In the case of Adams County, WI the breach went on undetected for over five years and resulted in the disclosure of PHI and PII of over 250,000 residents. Five years! Would your staff be able to detect a breach?

Would you know how to respond to a breach? When it comes to cybersecurity, you must know how to respond to disasters before they happen and developing an incident response plan is part of the process of building a comprehensive information security program. A disciplined approach forces you to think about everything so that when a disaster of some sort does occur, you are prepared to deal with it immediately. However, if you have taken a comprehensive approach to cybersecurity, a disastrous problem is far less likely to occur. And, if it does occur, the response and cleanup is considerably easier.

Should cybersecurity programs be built on technology?

Most information and cybersecurity programs are caused by people, so why are most cybersecurity programs built on technology? The foundation for a great cybersecurity program is policy and procedure.

Often, when I talk to executives and managers, their response to information from me is something like, “Wow. This is great information. I’ll show it to my IT people.” This is a pretty clear indication that they didn’t hear anything I just presented. This is understandable; most managers have been conditioned to believe that information security is an IT responsibility.

As an executive, you will be held accountable for a serious cybersecurity incident, especially if the problem was caused by lack of policy, procedure, and management oversight. 

Is cybersecurity an IT responsibility?

The conventional wisdom in local governments is that information and cybersecurity are functions that should delegated to an IT Director or CIO. As is the case with most conventional wisdom, this view is wrong.

Cybersecurity is often treated as a form of black magic where wizards practice their secret arts in the data center. In reality, the processes, procedures, and activities that your staff should be performing routinely are well-known and widely published. Are your staff members following these publicly available standards?

Over the last several decades, many comprehensive standards and frameworks for information and cybersecurity have grown and matured. These frameworks have been developed by large workgroups of brilliant people who have devoted their professional careers to the study of information security. Local governments rarely implement these frameworks and instead rely on ad hoc programs designed by staff members untrained in information security practices and procedures. None of these standards or frameworks recommends delegation of cybersecurity to IT staff; all of them recommend comprehensive approaches that include the participation of directors, executives, and senior managers in building a comprehensive plan.

The good news is that this problem is simple to fix. Building a solid, standards-based cybersecurity program is a team effort and the majority of controls that should be implemented are not technical in nature, but administrative.

Major components of a cybersecurity program

How do you know if you have a standards-based cybersecurity program or an ad hoc one? It is easy to identify a real cybersecurity program and six elements distinguish a comprehensive program from a poor one:

1.            Comprehensive Security Policy. For most municipal governments, this document should probably consist of 25 or more pages and at least 40- 50 policies, but probably many more. Good security policies are typically developed over a long period of time

2.            Acceptable Use Policy. This document describes standards for using company-owned resources, ownership, reporting requirements, etc. but may also address the use of social media, work-at-home policies, and a great deal more.

3.            Risk Assessment Report. Risk assessments are a requirement of every standards-based security framework. If you don’t have a relatively current risk report, your security program doesn’t meet the standards of any generally accepted information security framework.

4.            Documentation. Extensive documentation demonstrating compliance with your organization’s security policy should be readily available at all times. Do you have evidence that backups are validated? Are logs checked? Excellent documentation is a required component of a true information security program.

5.            Management participation. Participation of directors and senior managers in an information security program is a requirement. For most county and municipal governments, managing and understanding the scope of information and the regulatory requirements are beyond the knowledge, skills, and abilities of the IT staff.

6.            Accountability. A good cybersecurity program requires participation of staff and management throughout the organization. Responsibility and accountability for the many tasks must be clearly documented so everyone understands their part.

There are many moving parts to a good cybersecurity program and the formula for it looks something like this:

Standards, Frameworks, and Regulations

There is no reason for the existence of ad hoc information security programs, especially in the public sector. There are numerous generally accepted and widely available frameworks for building a comprehensive information security program. These are either free or dirt cheap and they describe exactly how to build an information security program in any organization. A comprehensive approach is not expensive and there are not necessarily capital expenses involved.

You can use any of the following documents to begin building a comprehensive information and cybersecurity program.

ISO/IEC 27001[iv]

This is the international standard for building an information security program. It is available from the ANSI web store for $138. It is roughly 30 pages and describes exactly how to build a comprehensive security program for any organization from scratch.

NIST Framework for Improving Critical Infrastructure Cybersecurity[v]

This framework was created by NIST (The National Institute of Standards and Technology) and it is a risk-based approach to developing a cybersecurity program. It is available for free.

HIPAA Security Rule[vi]

The HIPAA Security Rule is a federal regulation (45 CFR parts 160, 162, 164) for protecting PHI, but it can also be used as a framework for building an information security program. If you have PHI (most counties do) to protect, you could start your program by building it on HIPAA and then use one of the other frameworks to supplement what HIPAA misses. A common misconception about HIPAA is that it is an onerous regulation that is difficult to comply with. In truth, HIPAA sets a low bar and you will definitely need to supplement a HIPAA compliance program with additional policies and procedures.

Action Plan – How to build a cybersecurity program – first steps

Building a comprehensive, standards-based cybersecurity program is a straightforward process. In general, we recommend an approach something like this:

  1. Establish a governance committee.
    The membership of your governance committee should include people who are expert in various aspects of the information you maintain. For a county government, this might include the county recorder, corporate compliance, public or mental health, human resources, the county attorney, and information technology. A senior executive and a board member should also be on the committee.
  2. Get a risk assessment.
    Risk assessment is an absolute requirement. If you have someone on the staff skilled in this, you can do it internally. If your organization has never gone through a risk assessment process, you should contract an outside firm for the first one unless you have staff members who are capable of objectively performing one.  Risk assessments should be carefully scoped.
  3. Create an asset inventory
    A complete, current inventory of all your information assets including digital data, applications, physical information (paper records), and hardware is an absolute requirement. Most local governments don’t have this information in detail that would stand up to any kind of audit.
  4. Create a comprehensive security policy.
    A primary responsibility of your governance committee will be to draft a comprehensive security policy that addresses your organization’s unique needs relative to risk. The policy should be approved by your governing board. You can and should build your program on any of the three frameworks described above. You’ll have to decide which one is the most appropriate depending on your unique business requirements.
  5. Create a risk management plan
    The risk assessment process will identify many shortcomings in your information security program. It is the responsibility of your board and senior executives to identify risk appetite and priorities for risk mitigation.

How much work does it require?

Does all you have read so far sound straightforward and simple? It is.

There is no reason for any local government agency not to implement a comprehensive cybersecurity program. While the steps are simple, it may not be easy to implement and the problems you encounter are more likely to be administrative and procedural rather than technical. Technical implementation of a cybersecurity program is the easiest part; getting the management structure right is much more difficult.   

If you proceed down the path to standards-based cybersecurity, you may find that it takes six months to a year to put all the policy and procedural components into place, get a risk assessment, make a plan, and implement it, but this all depends on the availability of resources and your commitment to the project.

How much does it cost?

Building a security program on standards and best practices may require no capital expenditures but it requires time and attention from managers throughout your organization. In general, local governments don’t lack the funding for technical controls and many of them already have all the required technology in place. What local governments are generally missing are clear policies, procedures, and accountability.

Getting Help

If you would like assistance with your program, give us a call. We provide comprehensive management services for information security and can help you through every step of the process. Visit our website for more information on our services for local governments.

For a detailed multimedia overview of cybersecurity in local government, watch our video, Cybersecurity, risk, and liability in local government.

[i] 2018 Ponemon Institute Data Breach Study.

[ii] Top cybersecurity facts, figures and statistics for 2018.

[iii] One-third of data breaches led to people losing jobs.

[iv] ISO/IEC 27001

[v] NIST Framework for Improving Critical Infrastructure Cybersecurity

[vi] HIPAA Security Rule

Facebooktwitterredditpinterestlinkedinmailby feather
Tags : , , , ,

Free risk management workshop

Facebooktwitterredditpinterestlinkedinmailby feather

Download our free risk assessment tool


By Jeffrey Morgan

Download our free risk assessment tool for county governments and behavioral health organizations.



© Copyright Jeffrey Morgan, 2018

 Facebooktwitterredditpinterestlinkedinmailby feather

Tags : ,

Cyber week – free risk assessments for counties and city governments

By Jeffrey Morgan

Get a free risk assessment for your county or municipal government organization.

Have you ever had an information security risk assessment? Risk Assessment is the cornerstone of a solid, standards-based information and cybersecurity program. If you don’t have a risk assessment, you don’t have a cybersecurity program.


© Copyright Jeffrey Morgan, 2018

 Facebooktwitterredditpinterestlinkedinmailby feather

Tags : , , , , ,

Cybersecurity, cyber risk, and liability in local government organizations

By Jeffrey Morgan

In this video, “Cybersecurity, cyber risk, and liability in local government,” I ask and answer 11 questions that local government executives and elected officials should be able to answer about their cybersecurity programs and it provides actionable information on building a cybersecurity program in the public sector. Watch it now! In 28 minutes you’ll get a complete overview of cybersecurity in the public sector, learn how to evaluate your program, assess your risk, and build a comprehensive standards-based program from the executive perspective. Questions answered include:

1. What kind of information do local governments collect and maintain?

2. Is local government regulated?

3. What regulations apply?

4. What are the risks?

5. What’s the liability?

6. How are they assessing and managing risk?

7. How do you build a cybersecurity program in the public sector?

8. What does the management structure look like?

9. How do you staff it?

10. How much does it cost?

11. What are the responsibilities of directors, managers elected officials and staff throughout the organization?

Watch it and don’t forget to subscribe. If you like it, LIKE IT and thanks for watching.

© Copyright Jeffrey Morgan, 2018

 Facebooktwitterredditpinterestlinkedinmailby feather

Tags : ,

The HIPAA Wall of Shame


By Jeffrey Morgan

PHI Breach detection in county government

The Office of Civil Rights (OCR) maintains a list of HIPAA breach investigations which currently lists over 400 open breach investigations.

One interesting breach is Adams County, Wisconsin which was leaking information undetected for over five years from 2013 and it highlights the lack of controls counties have in place for detection of security anomalies.

It’s pretty easy to determine whether or not counties have appropriate controls in place. The first question to ask is do they have a risk assessment? If your local government organization doesn’t conduct ongoing periodic risk assessments, you aren’t compliant with the HIPAA Security Rule. So, if you don’t have a risk assessment, get one so you can identify potential problems.

There are roughly 40 policy requirements for the HIPAA Security Rule and HIPAA sets a low bar in comparison to ISO/IEC 27001 and NIST CSF.  If your county security policy doesn’t have these 40 policies in place, with corresponding processes and procedures you aren’t compliant with HIPAA.

We offer a low-cost 90 minute HIPAA workshop to help you assess your level of HIPAA compliance. The worst time to find out that you aren’t compliant is after a breach!

© Copyright Jeffrey Morgan, 2018

 Facebooktwitterredditpinterestlinkedinmailby feather

Tags : , , , ,

HIPAA for Counties and Behavioral Health

By Jeffrey Morgan

HIPAA’s not just for hospitals

Most counties and behavioral health organizations aren’t compliant with the HIPAA Security rule, but don’t take my word for it. Download the HIPAA Security Rule directly from HHS and read it over the weekend. If you want to talk about it, grab a 30-minute slot in my calendar and we’ll discuss your security policies and procedures at no charge.

Read more about our HIPAA services for counties and behavioral health organizations.

For more background, read Jeff’s articles on HIPAA

© Copyright Jeffrey Morgan, 2018




© Copyright Jeffrey Morgan, 2018

 Facebooktwitterredditpinterestlinkedinmailby feather

Tags : , , , ,

RIP Cooper

Cooper, June 2018

By Jeffrey Morgan

The rich green scent of dairy cows wafted off the pasture and blew the bitter blue diesel smoke away from my face as I drove our tractor to dig a grave for Cooper. Sweat poured out and soaked my shirt with a toxic cocktail of shock, grief, anger, and guilt. Only a few hours had passed since Cooper was brutally murdered by my neighbor.

What if I had reacted more quickly? What if I hadn’t been so busy watching the new puppy? Had any aspect of the day gone just a little differently, Cooper would still be with us. Five days later, the guilty self-recriminations still loop relentlessly as my mind continues to replay the last few seconds of this beautiful dog’s life.

Cooper was the sweetest most innocent guy I’ve ever known and he joyously greeted every visitor to our house. When people came to fish in the pond, he always accompanied them and made sure they were doing it right. He even went ice fishing in the middle of winter. He was a Corgi mixed with some sort of hunting dog – maybe a Bassett Hound or Beagle. Whenever the tenant farmer came to drop off or pick up his cows, Cooper always helped load and unload the trailer. He was shaped like a fat sausage with short, stubby legs and his head was a little too big for his body. We often called him names like dork and shrimp but it didn’t seem to hurt his self-esteem a bit.

Cooper on a playdate

My wife always said that Cooper should wear a cape. He flew around the yard like Super Dog with a huge smile on his face and it was hard to believe those little legs could propel his chubby body so quickly and with such precision. When we gave him and Riley beef bones, they would go to separate sides of the yard to chew. Cooper would soon be slinking off with his signature Elmer Fudd swagger to bury his bone and then return to steal Riley’s.

When he slept in our bedroom, Cooper would throw the same little tantrum every night. He would get on his Sealy Posturpedic dog bed, roll around, and whine about having to sleep on the floor like a dog. Once we were sound asleep, he would quietly climb on our bed. If my stepdaughter was here, Coop would almost always sleep with her. She provided him with a pillow and blanket right next to her and I dreaded breaking the news to her most of all because of the deep bond that had developed between them.

Cooper and Hannah, November 2017

Coop’s arrival

Last year on Memorial Day weekend, only a few weeks after the passing of my English Shepherd, Birdie, some hunters we know stopped at our house with Coop in the front of their truck. They had found him wandering the woods on Armenia Mountain and brought him to their cabin for the night so he wouldn’t be devoured by the local coyotes. They said they were looking for the Animal Shelter, but that was total bullshit. They knew I would give him a home. My wife was in the shower so I took him upstairs on a leash to get her approval.

Who knew then what trouble he would be? We live on a two-mile dirt road with only four households on it. There is little traffic most of the year and we have over 1000 feet of fence surrounding our yard which we began shoring up immediately. The larger dogs can’t escape, but the system wasn’t designed for dwarves. We succeeded in securing the roadside fence but there were still places he could fit through on the pasture side.

Cooper never respected the fence and he was constantly escaping and running down the road. When I called for him to stop, he would turn around, look at me, and then make a mad dash for it. It was a game. As a jolly trickster, he loved all games. I would dutifully hop in the car to retrieve him and sometimes he would run a mile or more before he was out of breath. Then he would just hop in the back seat and ride home content that he had outsmarted me yet again. Over the last year, he had gotten better about the running but never gave it up entirely. Recently he had taken up woodchuck hunting and I was there for his first confirmed kill.

Coop in the window, August 2017

We tried a shock collar starting last fall, but he didn’t seem to care. Once he was running after something there was nothing that could make him stop. One night last winter, I chased him across a field of deep snow as he ripped across the frozen pond to see what the coyotes were making such a fuss about.

Cooper was a tire biter. He didn’t just chase cars; he went to the front and would try to herd the vehicle. On the few occasions when this happened, I was usually already out in the road trying to stop him. Invariably, the people would laugh, stop their cars, and wait for me to catch him. Sometimes they would even open their doors to hop out and pet him as he innately trusted all people. Our road isn’t really on the way to anywhere and people generally aren’t in a big hurry to get nowhere. Like almost all dogs, most people are decent.

Cooper and Draco napping, January 2018

The Murder

Last Wednesday, Cooper had snuck out to hunt woodchucks and finally came back to one of the gates. I called him in but he wouldn’t come. I had our new Great Dane puppy on a leash and I had to take her and Riley inside and lock them in my office. I didn’t need three dogs out in the road. When I got back outside, Cooper had already dashed off to the field across the street. I walked down to get him and he wouldn’t come so I went back to the house to get truck keys as he almost always comes to me if I am in a vehicle. I glanced out the window and saw my neighbor driving down the road very slowly and Cooper appeared from nowhere nipping at the SUV’s front tires. The vehicle was moving so slowly that all the nasty old curmudgeon had to do was stop. At that point I was already in motion and heading out the door. I was only out of sight of the incident for a few seconds.

Once I got out of the gate though, I could see Cooper lying in the road and panic set in. He was rolling his head around as I called out to him and the old bastard’s vehicle was long gone. Coop’s eyes said it all to me. “Jeff, I really fucked up this time, but why didn’t you keep me safe?” The old shit had slowly run him over, dragged his body 25 feet down the road, and sped off. Cooper’s lovely life force blew away with the wind as I held him.

There is not the slightest doubt in my mind that this was malicious intent. He killed Cooper on purpose.

The Killer

My neighbor is the sort of mean junkyard dog who only bites when your back is turned. He is always snooping in everyone’s business like a malevolent Gladys Kravitz and he is the type who drops a dime if he sees you doing some work on your property without a permit. A malicious gossip, I have never heard him say a kind word about anyone over the 35 years I have known him. We have done him and his family a number of favors related to their property but I can’t think of a single time they have ever reciprocated.  A poisonous, greasy trail of bad karma lingers wherever he has been.

My experience with dogs is that they will always come and apologize for some bad deed, but my neighbor hasn’t been dog enough to knock at my door and explain himself. The difference between dogs and humans is that badly behaved dogs can generally be fixed — they almost always want to be good regardless of the abuse and maltreatment they may have suffered previously. While humans have the choice and the capacity, they rarely choose to become better people. This is why relationships with dogs are generally more rewarding than those with humans.

In his late 80’s, my neighbor will be meeting his maker before long and I suspect he will have a great deal to explain when that time comes. I hope an accounting for what he did to Cooper is at the top of the list. While my neighbor qualifies for several of the circles of hell, there surely must be a tenth circle for cruelty to animals.

The Burial

Digging Cooper’s grave allowed me to take my mind off of the horrific chain of events for a little while. I am not the best front end loader operator and digging in the rocky, Pennsylvania soil is always a challenge. I decided to bury him next to Lucy, our Great Dane who passed away in 2016. Cooper never knew Lucy, but he loved all dogs, people, and he even tolerated cats. He is now part of the DNA of this land forever.

Cooper and Riley, November 2017

The laughter, joy, and happiness Cooper brought to our lives will be with us for the remainder of our days, but we are all still devastated. I can’t help but feel that my wife and stepdaughter both hold me responsible, and I can’t blame them if they do. It was my job to keep Cooper safe and I failed when he needed me most. It’s a painful addition to a long list of lifetime failures – the things I have gotten wrong — the failure to recognize what was important in real time rather than in retrospect.

While the guilt will fade over time, it will come back periodically and stab me in the heart with its cruel, razor sharp blades.

Rest in Peace, Cooper. I’ll try to do better.

Cooper on the porch, May 2018


© Copyright Jeffrey Morgan, 2018

 Facebooktwitterredditpinterestlinkedinmailby feather

Tags : , , ,

Stoners in the workplace

By Jeffrey Morgan


Stoners at the donut shop

It’s maddening. I pull up to my local branch of a national coffee and donut chain and here’s how the conversation goes.

“I’d like an extra large extra extra and a large extra cream please.”

“Uh . . . What was that again? A large cream and sugar and a large cream and extra sugar?”

For Christ’s sake! They take coffee orders for a living and can’t even get a two-item order right.

Blame it on weed

I blame it on Pot, Reefer, Ganja. How much marijuana do you have to smoke to make your brain function that poorly? All over the country, though, legalized marijuana is being pushed hard by pandering politicians. How will legalization affect society, commerce and the workforce, though?

In my view, no one should ever spend a single day in jail or prison for possessing or using any substance whatsoever. Certainly, no one should have a felony conviction because of this behavior. If you are committing other crimes to feed your habit, though, they can lock you up and throw away the key. Substance use, abuse, and addiction are not excuses for criminal behaviors like property crime and violence.

Just because I don’t believe in incarceration of drug users doesn’t mean that I think using drugs is a good idea. On the contrary, it’s a horrible idea. My wife is a behavioral health executive and former substance abuse therapist and she finds current trends like marijuana legalization and “safe” injection sites to be alarming. She sees the human cost of substance abuse every day and has a difficult time seeing the issue from the libertarian point of view. She has some good points and we both agree that prevention and treatment are better solutions than arrest, incarceration, and permanent criminal records that marginalize people’s lives forever.

Drug-related vehicle accidents now kill more people than alcohol-related accidents and the problem is continuing to get worse. Currently, there are no national standards for measuring drug impaired driving.

Cost of the drug war

However you look at it, the drug war has been an unmitigated disaster. The DEA’s budget alone is around $2.9 billion a year and they employ nearly 10,000 people. I don’t know what the hell they are doing with all that money, but I am pretty sure it would take me about 15 minutes to figure out where to go buy drugs if I wanted them. With the cost of incarceration and all the other federal, state, and local agencies involved, the drug war costs about $80 billion a year and well over $1 trillion has been spent on it since the 1970s. We seem to have little to show for it except for a lot of people in jail and prison for victimless crimes.

There are currently 79,036 people incarcerated in the federal prison system and nearly 200,000 in state prisons for drug crimes. About 44,000 are in state prisons solely for possession. In 2016, there were nearly 1.6 million arrests for drug law violations in the US, roughly 85% of which were for possession. This doesn’t seem like a wise use of scarce resources.

The drug war has created an all-you-can-eat feeding trough for the entire Government Drug Industrial Complex that includes law enforcement, correctional officers, judges, social workers, probation officers, case workers, therapists and other well-paid public sector employees. Additionally, attorneys, private prisons, pharmaceutical companies, drug testing companies, and a host of other private organizations are also sucking at the public teat but doing little to actually win the war. There is simply no incentive to do so. Politicians and lobbyists for the $80 billion industry are no doubt keen to keep the feeding frenzy going.

Sleazy politicians across the entire political spectrum all love the drug war. From the tough on crime, “Let’s hang ‘em all” district attorneys and judges to the “free tuition, legal pot, and Medicare for everyone” socialists, it’s a win-win from the point of view of getting elected.  States like California, while requiring drug free workplace certifications from vendors have legalized marijuana. While smoking pot may be legal, you won’t be able to get a job with a company that does business with the state. How much sense does that make?

International drug trade

The drug war in the US is small potatoes compared to the international illegal drug trade which is estimated to have a value of more than $500 billion annually. How much of that money makes its way to politicians to maintain the status quo? It’s enough money to buy entire third world governments with plenty left over to influence policy in the western world.

Many people think that corporate leaders are akin to the worst criminals in the history of mankind. However, I know of no incidents of corporate executives cutting off heads, cutting out hearts, and chopping rivals into little pieces. I would much prefer a transparent, corporate drug trade to the system now in place. Again, there is no incentive to change this. $500 billion can buy you a lot of politicians. Open, legal drug trade would change the production and distribution landscape entirely and those profiting from the illegal drug trade, whoever they are, won’t give up their golden geese so easily.

The drug war has cost us all our freedom

In addition to the human casualties of the drug war, we’ve all lost our freedom. Civil asset forfeiture, DWI checkpoints, and stop and frisk policies should be anathema to every American citizen. That we are not all joining hands to end these affronts to freedom is the inevitable result of a poorly educated population that believes rights come from the government. Few Americans have even a basic understanding of Constitutional rights and far fewer understand the concept of natural rights.

Drug addiction is yet another form of imprisonment and politicians at the state and federal levels love to imprison their subjects – every one of us. Like 30-year mortgages, seven-year car loans, welfare, and six-figure student loans for worthless degrees, legal drugs will be yet another form of control the government can exercise over you. A stoned population is a complacent one and your new drug dealer will be the State. Like everything else run by the government, your legal drugs will cost a great deal more than the private sector version.

How drugs affect business and work

In many states, a felony drug conviction can limit your ability to get professional licensure as a barber or hair stylist. Do you really care if your hair stylist smokes pot?

I’m ok with baristas, hair stylists, musicians, screen writers and the like smoking pot or using any other substances they wish.  If they are too dysfunctional, I will simply patronize another business. Like excessive, visible tattoos and piercings however, drug use, even if legal, can and should limit your career options and this isn’t an example of the white patriarchy at work; it is common sense.

Who wants to be a passenger in a jet operated by a pilot who goes flying on Alaskan Thunder Fuck after work every night? I don’t want potheads operating heavy equipment, driving trucks, doing surgery, or performing any other activities where they may endanger other people and those employed in these professions should continue to be regularly tested for drugs that impair cognitive and motor ability. I don’t even want stoners doing data entry. Stoned, drunk, and hungover employees are bad for business.

Just because you can legally use, doesn’t mean employers have to hire you and tolerate your scrambled brains. At least not yet, but I’m sure some such legislation will be forthcoming. Employers already can’t inquire about criminal history in some states. What’s coming next and how will legalized drugs affect how work gets done in your business? Will you soon be forced to hire criminals and drug users and give them “equal” pay?

Legal drugs and a welfare state don’t mix

Another policy issue with liberal drug laws is the question of the welfare state. Do we really want to pay people to sit on their asses, smoke pot, and watch The View all day? Personal responsibility and accountability have to be components of liberal drug policy. Marijuana was legal until 1937 and opium was legal and freely available until 1909. Back in those days, if you didn’t work, you didn’t eat and for most people, work meant hard physical labor. Drug use and abuse resulted in serious personal consequences. It still does, but our social safety net allows for people to make bad decisions and choose marginal lives at the expense of their fellow citizens. If you want drugs, you damn sure better pay for them yourself. But, that’s not the way things work in our society now. Promising free stuff is a good bet at election time.

It strikes me that the logical next step after legalization will be to add marijuana to the list of entitlements and include it as part of the SNAP allowance. You can go to the grocery store, get your “free” munchies and pick up your “free” weed before you head back to your “free” apartment to Netflix and chill on your “free” Internet connection.

Enlightened drug havens?

Many people point to Amsterdam as a paradise of enlightened policy. Have you ever been there? It’s a seedy place. Most Americans, even “social liberals” tend to be a puritanical and prudish group of people. The outrageous debauchery, open drug use, and overt sex trade in Amsterdam would offend the sensibilities of many, if not most Americans regardless of whether they consider themselves to be liberals or conservatives.  Hamburg, Berlin, Bangkok, and a host of other cities share similar traits. If you haven’t experienced the “night life” in these cities, it is something everyone should experience at least once. Most of us wouldn’t want this sort of behavior happening in our neighborhoods.

I have been an ardent proponent of total drug legalization for the last 40 years, but I know that it’s not all Unicorns and balloons. Drug abuse is a serious problem, but the drug war, at least the way it has been conducted isn’t the solution. Drug use isn’t a moral issue; it’s an issue of liberty and natural rights.

© Copyright Jeffrey Morgan, 2018

 Facebooktwitterredditpinterestlinkedinmailby feather

What’s new with ISO/IEC 20000

By Jeffrey Morgan

Is there anything more exasperating than dealing with a service organization that has failed to implement even the most basic process and quality control tools? Not in my book. Those pesky critters who ate my broccoli and Brussels sprouts this summer are a distant second to IT service providers that fail to deliver uniformly high-quality services for a reasonable price.

The 1980s-style MIS (management information systems) is still with us, and no makeover will make it more attractive. What can you do?

Reengineer and reinvent, of course. But you don’t need to do it all by yourself. One of the simplest ways to reinvent your IT service organization is to use ISO 20000 as a foundation.

What is ISO?

Until recently, I used to think of ISO (International Organization for Standardization)  as a producer of standards for large, multinational corporations, but I now see it in a different light. ISO/IEC 20000-1:2011, Information Technology – Service Management – Part 1: Service management system requirements is the international standard for IT service management, and it scales well even in the smallest organizations. At 26 pages, Part 1 is straightforward and manageable. If you work in a small organization with a limited budget, adoption of service management standards makes even more sense because it enables your organization to provide proven, cost-effective services in the context of your unique business model.

I recently spoke with Dr. Suzanne Van Hove, WG2 Convenor, Maintenance and Development of ISO/IEC 20000 – Information Technology – Service Management, within SC 40 (IT Service Management and IT Governance) under Joint Task Committee 1 (JTC1) and Chair of GIT1 (Governance of IT), the U.S. mirror group for SC 40. Suzanne took the role of WG2 Convenor at the beginning of June 2017, and as chair of GIT1, one of her responsibilities is to ensure that the United States participates across all four ISO workgroups. SC 40 currently has seven standards under revision or development across all four WGs.

Standards groups typically meet face to face twice a year to work on the standards with their global colleagues. The next meeting for SC40 is in November of 2017 and for WG2, four standards are currently under revision: Part 1 (Requirements); Part 2 (Guidance); Part 3 (Scoping); and Part 10 (Concepts and Terminology). These meetings are critical, as global consensus is the goal for all standards.

Suzanne received the itSMF USA Lifetime Achievement Award in 2013 and she is also co-author of Pragmatic Application of Service Management with Mark Thomas. Suzanne and Mark both have excellent courses available on

About ISO standards in general

According to Suzanne, standards are generally written and revised on a five-year cycle, and ISO/IEC 20000-1:2011 is slightly overdue but is currently under revision and moving forward to a status of DIS (Draft International Standard). It will be reviewed at the next plenary meeting in 2018 and the forthcoming version will conform to Annex SL, “to provide a universal high-level structure, identical core text, and common terms and definitions for all management system standards (MSS),” so the new document will appear to be a radical change from the current version. Now, all MSS, which includes ISO/IEC 20000 (i.e., ISO 9001 Quality Management, ISO/IEC 27001 Information Security Management, ISO 14001 Environmental Management, ISO 50001 Energy Management, among others), have the same structure making it easier for organizations to comply with multiple MSSs if their business model demands it.

Mapping to other frameworks

ISO/IEC 20000 first appeared in 2005 and the current version was published in 2011. It presently contains 12 parts and additional parts are under development. 20000-1 is the standard itself, while 20000-2 provides practical guidance on application. One exciting component under development is 20000-13, which will contain guidance on the relationship between the standard and COBIT5®, and is anticipated to be published late in 2019. Part 11 maps the standard to ITIL® and Part 12 maps the standard to CMMI-SVC®.

Applicable to organizations of all sizes

Suzanne is also a member of JCT1 SC 7 WG 24, which looks at providing standards for the VSE (very small enterprise) and there are case studies of successful implementation in such organizations.

Suzanne and I didn’t confine our chat solely to the ISO, and we had the opportunity to talk about a few general industry challenges, as well.

The commoditization of IT

“Once IT becomes a commodity, we lose the idea of a service . . . If IT goes down that commodity route we’ve really lost the capability to exploit technology for the benefit of business achievements. Technology is the differentiator. If leadership doesn’t recognize it and let go of the traditional view of IT, they find their organizations not staying at the top of the food chain and losing ground.”

In this area, I think Suzanne is more optimistic than I about the future, because I believe we are already far down the road to commoditization. While I run across many amazing, high-quality service providers, the market for cheap, low-quality work seems to be pervasive.

Service management

“I have taught hundreds of foundation classes in my career, and I can count on two hands the number of people who came from the business side rather than IT. The service management principle doesn’t just rest in IT. It has to be pervasive across the organization.”

Silos and frameworks

Suzanne cleverly refers to organizational silos as cylinders of vertical excellence. Another related topic is the dependence on only one methodology or framework. “I think service management is slowly coming around to the understanding that the best use of these of any of these bodies of knowledge is to know more than one and be able to combine them.”

I hope to talk to Suzanne again in the future, as she is a fountain of wisdom about all things IT service management and I learned a great deal in a short time. One completely new framework I learned about was from the SFIA Foundation, but we’ll save that for another day.


© Copyright Jeffrey Morgan, 2017Facebooktwitterredditpinterestlinkedinmailby feather

Tags : , ,