Failure of boards and managers to address information security is expensive, and the preventable, poorly handled Equifax breach may end up costing the company as much as $1.5 billion in direct costs by the time it all plays out (SeekingAlpha, 9/29/17). This lack of management attention was clearly demonstrated when Equifax acting CEO, Paulino do Rego Barros, Jr. told a congressional hearing “he wasn’t sure whether the company was encrypting consumer data.”
This problem is systemic and pervasive across the business landscape. In a January 10th article, the Wall Street Journal reported that “Board committees dedicated to information technology risks and strategy are still rare. Just four Fortune 100 companies operate one.” Moreover, only 37% of corporate directors “feel confident the company they serve is properly secured against a cyberattack.” In the broader arena of SMBs and local governments, board and management oversight of information security is even rarer, and 37% seems grossly optimistic.
An even more disturbing revelation from that WSJ article was that some boards have “devised a response plan, including creating of a bitcoin account from which to pay ransoms.” I suppose there is a justifiable and quantifiable business case for this position from the board’s perspective, but it really sticks in my ex-military craw that any organization would negotiate with and reward criminals. Prevention and resilience are better policies.
What’s the role of the board and management?
There is no mystery about what boards and executives should be doing to ensure their organizations are paying attention to information security. Section 5 of ISO/IEC 27001 describes 18 requirements for “top management” with respect to developing an organizational information security management system (ISMS). These requirements include policy development, resource allocation, continual improvement, documentation, reporting, and a great deal more.
NACD (National Association of Corporate Directors) offers a 16-hour cyber-risk certificate course for directors. Upon completion of the course and an exam, participants receive a certificate from Carnegie Mellon University. NACD also publishes a free, informative, 44-page Cyber-Risk Oversight Handbook that describes “five principles for effective cyber-risk oversight,” along with a wealth of other information that includes an appendix with 48 questions boards should be asking management about Cybersecurity.
For local governments, ICMA publishes Local Government Cyber Security: Getting Started as well as other information. This guide has some useful information, but it doesn’t begin to approach the depth and quality of the NACD handbook. I would recommend that school board members, county commissioners, and city council members download and read the NACD handbook as well as the Growing Impact of Cybercrime in Local Government. The public sector doesn’t take cybersecurity seriously, and local governments are in possession of huge deposits of PII and PHI.
My problem with the discussions of “the cyber” from both of these organizations is that they fail to address the broader discipline of “information security.” This isn’t simply a matter of semantics and cyber-risk has to be understood in the broader context of an overarching information security (InfoSec) program to be truly effective.
To put it simply, if senior leadership isn’t an integral part of your information security program, you don’t really have a program. Boards and executives should routinely devote CPU cycles to the issue, just as they would to any other critical business issue.
Making the case
The argument for comprehensive information security programs for even very small enterprises is simple, powerful, and backed by a constantly growing body of evidence. Failure to secure information costs money – and lots of it. The Anthem breach, in which the company was found to be neither negligent nor liable, cost them roughly $414 million and the Target breach cost $230 million (SeekingAlpha).
While the fiscal argument may make the best case for a security program, it sometimes takes a while to get traction because executives in smaller organizations may not immediately see how these gigantic breaches relate to their business. Consequently, one of my preferred techniques for making the case is to get the corporation counsel or municipal attorney involved from the start.
Bring lawyers and money
Lawyers begin making the connections faster than the rest of the team, especially if regulatory compliance issues are involved. They quickly connect the dots between stupid mistakes, negligence, breach, forensic and regulatory investigations, fines, public embarrassment and the inevitable litigation. In most organizations, the lawyers tend to be highly regarded and they can see the whole movie playing in their head. They instinctively know that they won’t be playing the part of the hero unless they get the show going so they do a pretty good job of rallying the troops.
In one organization for which I developed a comprehensive policy, the process took several months of collaborative work with a large committee of stakeholders that included board members, management, HR, attorneys and staff. The discussions sometimes became contentious, but the team approach was worth the effort because everyone was invested in the final product. It took the organization two years to fully implement the policy, and when the first periodic risk assessment came due, one of the Directors said “you mean to tell me that this is going to cost money?”
Yeah, it costs money; but it costs a hell of a lot less money than a breach.
You might appreciate my video on the Equifax breach:
© Copyright Jeffrey Morgan, 2018
NIST Cybersecurity Framework
Version 1.0 of the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) celebrated its fourth birthday in February. The CSF is a “risk-based approach to managing cybersecurity risk… designed to complement existing business and cybersecurity operations.” I recently spoke with Matthew Barrett, NIST program manager for the CSF, and he provided me with a great deal of insight into using the framework.
NIST (National Institute of Standards and Technology) is a division of the U.S. Department of Commerce, and they have been involved in information security since the 1970s. On May 11, 2017, President Trump signed Executive Order 13800 requiring all federal agencies to use the CSF, so if you conduct business with these entities, you are likely to hear a great deal more about it in the near future.
Current State of Cybersecurity
To begin the conversation, I asked Matthew what he thought about the current state of cybersecurity in business and government.
“I think there is a bit of an awakening going on to the true importance of just how foundational cybersecurity is,” he says. “It used to be that businesses were based on trust, and it is still the case. Increasingly, we’ve built out our technological infrastructure and more and more important over time is digital trust. I’m not sure whether all parties understood when they were implementing those technologies just how much that pendulum was going to swing from traditional trust models to the digital representations of those trust models. It’s not an overnight thing. There’s a cascade. I see a ripple that has started that hasn’t completed its way across the pond.”
The CSF in a Nutshell
If you have worked with other security standards or frameworks based on best practices or compliance approaches, the CSF provides a different viewpoint. It is not intended to be used as a standalone framework for developing an information security program. Rather, the CSF is designed to be paired with other frameworks or standards such as ISO/IEC 27000, COBIT 5, ANSI/ISA 62443, and NIST SP 800-53. It is also meant to be customized rather than being used as a process or activity checklist. The CSF has three components – the core, tiers and profiles.
The core of the framework has five functions – identify, protect, detect, respond and recover. These functions can be thought of as outcomes and aligned with them are 22 categories, 98 subcategories, 125 outcomes and 287 informative references (controls). The core, with all the informative references, is also available in Excel format which can make a handy template to add to your cybersecurity policy and control toolkit. According to Matthew, becoming comfortable with these five functions and the associated concepts at the leadership level tends to be the first stage of the adoption curve.
Determining the organization’s tier is often the second step in adoption. The tiers are a useful tool and they “provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.” There are four tiers: partial, risk-informed, repeatable and adaptive. Although the tiers don’t officially function as a maturity model, it is difficult for me not to see them as such.
However, Matthew explained the CSF’s position on maturity models: “We take exception to the way maturity models are applied where everyone has to get the highest mark on the maturity scale. That’s a great ambition. Rooted in the real world of things, we know that people have budgets, and those budgets are finite. More so than the way people tend to implement maturity models, we’re trying to highlight that you can pick and choose.”
“In my mind’s eye,” Matthew continued, “I picture a tier that isn’t even on the map. A tier zero. There’s a group of people who have managed to short-list high-impact items, and that’s about all they do relative to cybersecurity. For most people, that’s a temporary stopping point. Some people stop there and never get to dynamic, iterative cybersecurity risk management.”
Based on my own personal observations in the field, most SMBs, local governments and even many larger entities probably fall into Tier 1, and the only way to realistically get to Tier 2 is for management to become risk informed. However, getting executives and boards interested in information and cybersecurity is a formidable hurdle.
If an organization is truly a part of national critical infrastructure, remaining at Tier 2 would be troubling. Tier 3 is the first tier that defines organization-wide policy as a requirement, and I would personally see Tier 3 as the minimally acceptable target for most organizations, but this is my opinion rather than NIST’s or Matthew’s.
The tiers do provide a solid tool for organizational management to realistically evaluate their cybersecurity program and make rational, pragmatic, informed business decisions for program improvements going forward. Taking the leap from Tier 1 to Tier 2 is probably the most difficult step for most organizations. Once an organization gets to Tier 2, management has accountability and consequently more motivation to move forward.
NIST recommends that the framework be “customized in a way that maximizes business value,” and that customization is referred to as a “Profile.”
Matthew believes that all cybersecurity programs have three things to do and three things only:
- Support mission/business objectives;
- Fulfill cybersecurity requirements; and
- Manage the vulnerability and threat associated with the technical environment.
The CSF provides a seven-step process for creating or improving a cybersecurity program using a continuous improvement loop:
- Prioritize and scope
- Create a current profile
- Conduct a risk assessment
- Create a target profile
- Determine, analyze, and prioritize gaps
- Implement action plan
Profiles can be used as a tool to provide a basis for prioritization, budgeting and gap analysis.
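The gap step of that loop, as an added illustration (this is my own example code, not a NIST tool). A current profile and a target profile are scored per subcategory on a constructed 0–4 implementation scale (not the CSF’s organization-level tiers), priorities come from the “prioritize and scope” step, and the result is a ranked action plan that fits a budget; the subcategory identifiers are from the CSF core, while the scores, priorities and costs are constructed.

```python
"""Gap analysis between a CSF current profile and a target profile.

Added example, not part of the NIST CSF. Subcategory identifiers are
taken from the CSF core (one per function); the 0-4 implementation
scores, priorities and cost figures are constructed for illustration.
"""
from dataclasses import dataclass

# The five core functions, keyed by the prefix used in subcategory IDs.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Outcome:
    subcategory: str   # CSF core identifier, e.g. "PR.AC-1"
    current: int       # constructed 0-4 score from the current profile
    target: int        # desired 0-4 score from the target profile
    priority: int      # 1 (low) .. 5 (high), set in "prioritize and scope"
    cost: int          # constructed estimate ($ thousands) to close the gap

    @property
    def function(self) -> str:
        return FUNCTIONS[self.subcategory.split(".")[0]]

    @property
    def gap(self) -> int:
        # Only shortfalls count; exceeding the target is not a gap.
        return max(self.target - self.current, 0)


def prioritized_gaps(outcomes):
    """Outcomes with a gap, ranked by priority * gap (desc), then cheapest first."""
    gaps = [o for o in outcomes if o.gap > 0]
    return sorted(gaps, key=lambda o: (-(o.priority * o.gap), o.cost, o.subcategory))


def action_plan(outcomes, budget):
    """Greedy plan: fund ranked gaps while they fit the budget.

    Returns (funded, deferred). A costly high-ranked item that does not
    fit is deferred rather than blocking cheaper items further down.
    """
    funded, deferred, spent = [], [], 0
    for o in prioritized_gaps(outcomes):
        if spent + o.cost <= budget:
            funded.append(o)
            spent += o.cost
        else:
            deferred.append(o)
    return funded, deferred


def function_summary(outcomes):
    """Average (current, target) score per core function for a leadership view."""
    buckets = {}
    for o in outcomes:
        buckets.setdefault(o.function, []).append(o)
    return {f: (sum(o.current for o in v) / len(v), sum(o.target for o in v) / len(v))
            for f, v in buckets.items()}


# Constructed sample profile: one subcategory per function.
SAMPLE_PROFILE = [
    Outcome("ID.AM-1", current=1, target=3, priority=4, cost=20),
    Outcome("PR.AC-1", current=1, target=4, priority=5, cost=60),
    Outcome("DE.CM-1", current=0, target=3, priority=4, cost=90),
    Outcome("RS.RP-1", current=2, target=3, priority=3, cost=15),
    Outcome("RC.RP-1", current=3, target=3, priority=2, cost=0),
]

if __name__ == "__main__":
    funded, deferred = action_plan(SAMPLE_PROFILE, budget=100)
    for o in funded:
        print(f"FUND   {o.subcategory:8} {o.function:8} {o.current}->{o.target} ${o.cost}k")
    for o in deferred:
        print(f"DEFER  {o.subcategory:8} {o.function:8} {o.current}->{o.target} ${o.cost}k")
    for f, (cur, tgt) in function_summary(SAMPLE_PROFILE).items():
        print(f"{f:8} current {cur:.1f} target {tgt:.1f}")
```

The deferred list is the budget conversation to take back to the board; re-running the loop with the next period’s current profile is the continuous improvement step.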
One of my personal rants is on the disinterest so many executives show toward information security. I am always irritated when I see IT and security managers unilaterally commit an organization to cyber risk without obtaining informed consent from senior management. Often, these staff members make decisions that are far outside the scope of their roles and authority, and I think some executives prefer their own blissful state of ignorance. This leaves too much room for managers to claim “I never knew. Mistakes were made.” Like both ISO 27001 and COBIT 5, the CSF clearly defines management’s role in information security processes, so the CSF can be used as a powerful tool to engage boards and managers and hold them accountable for risk and budgeting decisions.
Matthew’s response to my rant was diplomatic. “I wonder whether the very nature of cybersecurity professionals makes us hold on to risk decisions rather than distribute them portfolio style. Smaller, less impactful risk decisions that are distributed. Distribute decisions, empower folks, and there is accountability around that empowerment, as well.” The CSF provides tools to distribute this risk.
Adoption and Implementation Trends
Results from a 2015 Gartner poll claim that about 30% of organizations have adopted the CSF and by 2020, 50% of organizations will have adopted it. I am skeptical of this assessment. Based on personal observation of the SMB and local government sectors, I would be astonished to find that even 25% of them have formal information security programs based on any framework or standard, let alone the CSF.
However, CSF has been used and customized by a diverse group of organizations such as the Italian government, the American Water Works Association, Intel, the Texas Department of Information Resources, and many others. Case studies can be found on the NIST CSF website.
It’s always good to look at information security programs from multiple viewpoints and the NIST CSF provides many excellent tools to do just that. NIST provides many additional materials on using the framework and they can be found on the CSF Homepage. The site also has an excellent 30-minute video presentation of Matthew providing an overview of the framework.
This article first appeared in Security Magazine.
© Copyright Jeffrey Morgan, 2018
Health care providers are 12,000 times more dangerous than school shooters
Every well-run business relies on some form of risk assessment as part of its decision making process. Threats are assessed and prioritized according to their relative impact and probability and the business takes appropriate action based on that information. Or so one hopes.
In public policy, this isn’t the way it works. Two perfect examples of public policy overreach not based on credible risk and threat data are school shootings and climate change.
School shootings are horrific events that should never happen and I can’t even imagine the pain this causes for the families of the victims. However, school shootings are low-risk, high-impact events. In the big picture, the probability that someone will be killed in a school shooting is about the same as getting struck by lightning or being killed by a cow. I used 2015 data, where available, to build the chart above.
School shootings vs. medical malpractice
In 2015, 21 people were killed in school shootings while medical malpractice killed an estimated 251,000 according to a Johns Hopkins University study. Other studies put the number as high as 330,000. In 2015, you were 11,952.38 times more likely to be killed in a hospital than in a school shooting.
Medical error is the third leading cause of death in the United States and it kills nearly 700 people every single day or about 29 people every hour. More people die from medical malpractice every hour than are killed by school shootings in a year. Today, more Americans will be killed by medical malpractice than have died in all the school shootings in the entire history of the United States.
Where are all the posturing politicians on medical errors? Why aren’t news trucks lined up outside of hospitals profiling the doctors and nurses who may have just killed a patient? Why aren’t policy makers proposing trillions of dollars in spending and draconian regulations to address this travesty?
You are about 4 times more likely to be killed by an insect than you are to be killed in a school shooting. Yet, school shootings bring out calls for billions of dollars in spending, new regulations, and limitations on constitutional rights. There is no evidence that any of these proposals will prevent another school shooting. There is a great deal of evidence, though, that political cronies will become wealthy from policies that won’t work. Why won’t these work?
A cascade failure
The Marjory Stoneman Douglas High School tragedy was clearly a systemic cascade failure where those entrusted with the safety of students failed to do their jobs at every level. The school board, school administration, FBI, SROs, deputies, and many more all failed to fulfill their responsibilities over a long period of time. Nikolas Cruz was a known threat actor and no one did anything about him.
In the private sector, Robert Runcie, the incompetent superintendent, would already be ancient history as would Broward County sheriff, Scott Israel. They would both have been handed walking papers immediately and they should be facing criminal charges and civil litigation for their negligence. This event wasn’t caused by lack of laws or resources; it was caused by incompetent management and governance.
We don’t need to throw fantastic sums of federal money and new federal laws at the issue of school safety. What we do need are public sector employees who will actually do their jobs. Moreover, these issues should be addressed at local levels where citizens can make their own risk assessments based on unique requirements, cultural factors, and risk appetite. Heavy-handed, one-size-fits-all solutions from distant Washington bureaucrats aren’t the answer.
Risk and climate change
Climate change is another issue where proposals for risk mitigation are completely out of proportion to the actual risk. If meteorologists could accurately predict tomorrow’s weather, I might find dire predictions of the climate 100 years from now to be more credible. If a single climate model actually accounted for the climate over the last 20 years, I might be inclined to take it seriously.
Predicting the future is risky business – just ask any investor or financial manager. For some reason though, policy makers take apocalyptic, Nostradamus-like predictions of our future weather seriously. And, why not? Billions of dollars for ineffective school security programs are small change compared to the sums of money involved in “fixing” the climate. Fixing the planet could make someone his or her first trillion and all of their political cronies will be richly rewarded.
Bureaucrats at the United Nations, the most incompetent and expensive bureaucracy the world has ever known, actually believe they can fix the climate. Or maybe they just know they can become wealthy and powerful on a journey to nowhere. No one today will actually be around to see whether or not the predictions are right, so what difference does it make?
Emotional reactions never create good policy and we really need politicians at all levels of government who are capable of cool-headed, objective risk assessment.
© Copyright Jeffrey Morgan, 2018
What are the 4 characteristics of great IT services and how can you get there? I provide three ways to improve your IT services. Watch my 7-minute video on improving your IT services. This video is for county and municipal executives and managers, public sector board members, and small and medium business owners and managers.
© Copyright Jeffrey Morgan, 2018
Are you asking the right questions?
So, you are looking for new enterprise or departmental software or some other type of major system. Maybe you are looking for a new ERP system, an EHR, a 311 system, or an EDMS? Maybe you need a major hardware upgrade as a solo project or as part of a new system project?
You might have already had discussions with vendors, or possibly you even know which product you want to purchase. Perhaps you are planning to purchase the ERP from TBQ International for manufacturing because that is what everyone in your industry uses and it seems like a safe bet. Or all of your neighboring Counties use O’Riley Technologies, so you think it will work for you. Maybe you called Bill, the Public Health Director from your neighboring County and he says Navajo Software makes a great EHR product and that is a good enough recommendation for you. You just want to get the project done.
The big problem with word-of-mouth recommendations is that YOU will be the one responsible for the success or failure of the project – the people who casually advised you will have amnesia about their recommendations if the project fails.
Regardless of where you are in the process, let’s step back and start over from the beginning.
60% of Projects Fail
According to the Project Management Institute, 60% of projects fail. Based on my own observations, the success rate for municipal software projects is probably lower than 40%. Government agencies rarely publicly or even privately admit that a project failed. Spectacular, expensive failures occur in the private sector as well, and the corporate landscape is littered with the carcasses of dead software projects where managers and executives have been forced into early retirement because of outrageous multi-million dollar cost overruns or outright failures.
Projects don’t succeed or fail by accident and you want to be overseeing one of the minority of projects that actually succeed. Whatever decision you make, your organization will be bearing the fruit of or suffering the consequences of your decision for the next 15 – 20 years, or longer. Large systems become a generational legacy, especially in the public sector. Regardless of the type of system you are seeking, the approach to purchasing the system should be the same. You need a rigorous methodology that incorporates staff buy-in and proven techniques for getting the features you need to make better business decisions. That system and the vendor’s culture must mesh successfully with your organizational culture. The vendor will be your business partner for the life of the product and thirty year old systems are not unusual in the public sector.
Why Projects Fail
Here are some common reasons why large software projects fail:
• Top Down management, planning and execution.
• Failure to identify and enumerate specific business goals and objectives.
• Failure to understand current, “as is” business processes.
• Failure to comprehend and plan for the entire scope of the project.
• Weak communication and stakeholder management.
• Failure to establish end-user buy-in.
• Failure to account for organizational culture.
• RFP doesn’t match your requirements for software and services.
• Underestimating the services required to configure the product.
• Underestimating or omitting training.
• Failure to plan for implementation.
• Insufficient or poor project and stakeholder management.
• Lack of Experience.
I recently read a report written for a manufacturing organization by a Big 4 consulting firm. The report was extolling the virtues of a top-down management approach to the company’s ERP project. The project was already over budget by $15 Million and the meter was still ticking. I suppose the consulting firm was scrambling for excuses for their disastrous management of a project that will eventually come in 300% – 500% over budget.
I couldn’t disagree more with the Big 4 firm when it comes to top-down management of large projects.
You can’t build airplanes in the air and you don’t build a pyramid starting from the top. Large software procurement and implementation projects must be built from the ground up with a strong foundation that results from giving the stakeholders who will actually be using the system a prominent seat at the table. Yes, you need strong executive support for a major software/business reengineering project, but executives may never use the system. If you don’t build a robust foundation provided by the people who actually understand the granular level of all the organizational business processes, the project will be difficult, seriously over budget, or may fail completely. Succeeding at these types of projects requires top-down, bottom-up, and inside-out management. You must examine every aspect from every angle.
Lack of Experience
Lack of experience is another major reason why large system projects fail. Large system procurement and implementation projects are events that occur only once or twice in the career of many employees in the public sector. If you are an executive in a very large public sector organization, you may have full-time professionals who specialize in software procurement and implementation projects. However, there are 3033 County governments in the United States, over 19,000 municipal governments, and nearly 14,000 independent school districts. The vast majority of these organizations cannot afford to employ experienced full-time system procurement and project specialists. If you are an executive in this real world of municipal government, what do you do?
The Role of Organizational Culture
Even when expert, internal resources are available, there may be cultural issues in organizations that can make projects involving significant change impossible. I once worked on a project for a Fortune 100 company that employed a large staff of professionals who could theoretically have performed the large migration project they were undertaking. However, their institutional culture made it impossible for them to complete the project. The ultra-stratified management structure and extreme risk aversion made the execution of such a project impossible for them to implement internally and they had to contract a small army of risk-tolerant consultants to do the work.
RFPs From the Internet
Unfortunately, many organizations begin the process of software procurement with an RFP. Even worse, they sometimes use an RFP that was downloaded from the Internet and written for another organization with different requirements, different business processes and an entirely different organizational culture. The truth is, the same piece of software that works for your neighboring county, school or city may not work for you. There are hundreds of commercially available ERP products for municipal governments. When you factor in Utility Systems, Public Safety Systems, Records Management Systems, Tax Collections Systems, Traffic Management Systems, Public Health Systems, Code Enforcement Systems, and the like, there are thousands of products from which to choose. How do you navigate such a massive set of choices?
Following a rigorous and disciplined methodology for the procurement process will vastly increase the probability of a successful outcome. Maybe you already have a system that works well. Below is a summary outline of the system I have used and honed since my first large software procurement in 1996. If you are experienced at software procurement and implementation projects, this information may seem to be self-evident. However, considering the number of failed municipal software projects I have seen, the message hasn’t really gotten out yet. Notice that the RFP finally comes up in Step 8.
- Draft a Project Charter
- Establish a Procurement Committee & Appoint a Project Manager
- Conduct a Business Process Review
- Identify and Document Goals, Objectives and a Preliminary Budget
- Conduct a Needs Assessment
- Analyze and document your Information Technology Infrastructure
- Document Environmental Factors and Organizational Culture
- Draft and release an RFP (Request for Proposal) or RFB (Request for Bid)
- Review Proposals and Prepare a Short List for Demonstrations
- Site Visits – Customer and Vendor HQ
- Hold Software Demonstrations & Select a Solution
- Negotiate and execute the Contract
I cover the entire process here. Please feel free to e-mail me if you have comments or want to discuss software procurement in your organization. If you take a sensible and cautious approach using all due diligence, your project will certainly be a success.
If you want to talk about your project, send me an e-mail at firstname.lastname@example.org.
Copyright © Jeffrey Morgan 2015, 2018
e-mail archiving & management
Several years ago, I arranged for a representative from the New York State Archives to provide training in e-mail and document retention for one of my government clients. The trainer did a fantastic job and here are a couple of takeaways she provided:
- Never use your personal e-mail account for official business.
- Never use your government account for personal communications.
- Never, ever send official, intra or inter-agency business e-mail to anyone’s personal account.
This organization also used an e-mail archiving system and was preserving every single e-mail that went in or out of the organization as required by published retention and disposition schedules for different government entities in the state. In other words, hayseed county and municipal governments all over the country have processes and procedures for preserving official, digital communications whereas the federal government seems to be completely lacking in this area.
Let’s take a look at a few examples of our federal government’s complete lack of information governance.
Avoiding FOIA requests
In 2013, the Associated Press reported on top Obama appointees using secret email accounts. Not only were high level appointees guilty of this, the president also engaged in this behavior. This is apparently occurring to some extent in the Trump Administration, as well. The most well-known case, of course, is Mrs. Clinton’s use of her own e-mail server which was used to send and receive classified information and demonstrated gross negligence – a criminal offense. Conveniently, “someone mistakenly deleted Clinton’s archived mailbox from her server and exported files.”
I spent four years in army intelligence during Ronald Reagan’s second term, and my colleagues and I might still be breaking big rocks into smaller ones at Leavenworth had we been involved in these sorts of activities. While the high-profile culprits have all gone unpunished, Jake Tapper reported that “the Obama administration has used the 1917 Espionage Act to go after whistleblowers who leaked to journalists…more than all previous administrations combined.”
Then there is the case of two years of missing e-mails for Lois Lerner. Not only did her hard disk crash and need to be sent for destruction, but her Blackberry was mysteriously wiped clean after “congressional staffers began questioning her.” Coincidentally, five other employees who worked closely with Mrs. Lerner also lost e-mail related to the investigation when their hard disks crashed at around the same time. In addition to all this, Mrs. Lerner was also using a personal e-mail account for official business under the name of her dog.
Are you kidding me? You mean to tell me that the IRS has no archiving system or centrally managed mail server with 7 years of backups through which these tragically lost e-mails could have been restored? Had these shenanigans been exposed at a publicly traded company, we would have seen heads rolling and executives doing the perp walk on national television facing up to 20 years in prison under the Sarbanes-Oxley Act.
Missing text messages
Recently, the “premiere law enforcement agency in the world” had to forensically recover five months of missing text messages between investigators in a high-profile investigation. This was the result of a “technical glitch…that affected 10% of the FBI’s employees.” In this particular case, Andrew Napolitano calls for the release of all the raw data to the public; “The government works for us; we should not tolerate its treating us as children.” I completely agree.
Stolen national security documents
Then, there is the case of Sandy Berger, a former National Security Advisor, who stole classified information related to the 9/11 attacks from the National Archives. Don’t worry – he pleaded guilty to a misdemeanor in federal court and was severely punished with 100 hours of community service and a $50,000 fine. A breach of protocol allowed him to remove these documents and there have been a number of other thefts from the National Archives, as well.
In another high-profile case, former CIA Director Gen. David Petraeus gave classified information to his mistress and biographer, Paula Broadwell. He pleaded guilty to a misdemeanor and avoided prison time. In what can only be described as an Inspector Clouseau moment, the CIA boss and Ms. Broadwell were using the draft folder of a shared Gmail account to communicate with each other.
Recent significant data breaches at federal agencies have included the NSA, IRS, OPM and the USPS.
Information governance by politicians
UK politicians are as clueless as our own when it comes to information security and governance. Apparently, British MPs routinely share login credentials with their staff members.
While the DNC isn’t a government agency, their inexplicable handling of hacked e-mails and the Imran Awan case provides insight into the casual disregard elected officials seem to have for information security and IT management.
In all of the examples I have covered here, the information belongs collectively to us – American citizens. It doesn’t belong to the miscreants who wantonly mismanage it or attempt to hide it from us. These people aren’t our leaders, they are our employees and we have a right to know what they are up to. Radical truthfulness and transparency rather than radical secrecy should be the default stance for our well-paid politicians and government employees.
Governance is a top level function
Good information governance comes from the top, which is why ISO standards call for “top management” to be involved in development of governance policies and procedures for information and IT. When can we expect to see this in the federal government?
This article was first published on CIO.com at https://www.cio.com/article/3252850/government-use-of-it/information-governance-in-the-federal-government.html as part of the IDG Contributor Network.
© Copyright Jeffrey Morgan, 2018
Information security and cybersecurity are huge problem areas in county and municipal governments. In this six-page article on the subject, I cover the information every county and municipal leader should know, including a summary of problems, barriers, specific solutions, and resources. The free document is available here. The intended audience is CEOs, CAOs, CFOs, COOs, county or city managers, county commissioners, city council members, and other senior management personnel in the public sector. This is a reprint of my two-part article published on CIO.com last year.
Want to talk about information security in your organization? E-mail me to schedule a time to talk. Initial consultations are free.
© Copyright Jeffrey Morgan, 2018
I loathe the term digital transformation (DX). Implicit in the term is that there is something technological about it, something digital; a one-time event you can buy or outsource.
I think we should start calling it management transformation (MX). If your management team is doing its job well, the digital transformation never stops. The success or failure of a digital project is a testament to management performance, and digital transformation is a naturally occurring byproduct of excellence in management.
What is digital transformation?
Technology is a means to accomplish business goals, not an end in itself. Unfortunately, much of the extant information on digital transformation identifies technology as the goal. I think this is the wrong approach.
The best definition of digital transformation I have encountered appears in a 2014 MIT Sloan Management Review article and defines it as “the use of technology to radically improve performance or reach of enterprises.” For the purposes of the discussion that follows, let’s understand that digital transformation is really about improving performance rather than implementing technology.
Take a look at this county technology plan and you’ll find meaningless slogans like, “to be a digital county – ready for today and prepared for tomorrow.” The document is full of buzzwords and comes up short in terms of addressing specific, clearly defined business objectives. Technology is presented as the goal rather than as a vehicle for achieving business objectives. The language always puts technology first, with a vague objective appearing to be an afterthought.
On the other hand, this solid county business plan demonstrates that its management team has a strong understanding of how to achieve business goals and improve performance through the thoughtful application of technology.
Exacerbating the problem are vendors willing to sell their version of DX before explaining that managers must completely reevaluate all their assumptions and processes in order to make a new business solution really deliver value. In organizations where due diligence isn’t a cultural value, the harsh realities of an initiative only see daylight once an iron-clad contract has been signed.
Successful transformation of any kind requires management transformation first. The digital part is easy; the management part is an enormous challenge because managers rarely see themselves as part of the problem. Organizations that pursue technology rather than measurable business objectives are the ones most in need of management transformation.
Some standard scenarios
In one typical scenario, a senior manager wants to replace his or her antiquated enterprise application suite with a new one. In county and municipal agencies, this may mean replacing a 30-year-old midrange system. The business processes on which the current system is based may have roots in the 1950s or earlier and all the business functions rely on indefensible manual processing.
Other scenarios might include just about anything – a 311 system, highly automated zoning and code enforcement, or even something as mundane as reengineering payroll, AR and AP functions.
You sit down at the kickoff meeting and someone, maybe everyone, says, “We want to do everything exactly the same as we do it now; we just want new software.” This isn’t a transformative vision. If your management team shares this attitude, they are overseeing dysfunction and decline rather than leading. Buying a product and expecting performance gains to magically appear is delusional.
The correct way to approach these projects is to identify the business, management, and process problems first, establish goals and objectives, and then start thinking about technological solutions that can meet the business requirements. Technology should come last, not first.
In addition to avoiding change at any cost, many local government agencies overemphasize the role of technology and IT in transformational projects. Digital transformation isn’t a technology initiative; it is a core business initiative and should be managed appropriately with the board and senior management providing leadership, oversight and accountability.
Digital projects can quickly become quagmires, the $2.1 billion ACA website being a perfect example. The UK’s National Health Service EHR disaster dwarfed that with a £12.7 billion loss. These losses are frequently blamed on technology, but tech is rarely the problem. Digital project failures are management failures.
I recall one agency that had over 50 concurrent initiatives and projects underway in a single department and they weren’t doing any of them well. As a result, they were throwing boatloads of cash at the problems rather than stepping back and changing their approach by thoughtfully analyzing their objectives and business processes and pursuing a shared vision.
How to get started with management transformation
The MIT Sloan article quoted above identifies nine elements of DX in three major groups: transforming the customer experience, transforming operational processes, and transforming business models. The ideas presented there might make a good foundation for your transformation. The authors stop short of telling you how to do it, so I provide the following suggestions for embarking on your own transformational project.
Be brutally honest
Total honesty in management teams is rare, but it’s a requirement to pull off a systemic transformation.
Focus on performance improvement and quality rather than technology
Even the best technology won’t inherently improve performance – that’s the role of management. Figure out how to improve quality and performance. Keep experimenting, brainstorming, and rethinking as you work through the project and don’t compromise until it is absolutely necessary.
Take a holistic view of the entire organization
For your transformational efforts to produce quantifiable results, the management team must share a common vision of what DX will look like in your organization. They need to be able to see the whole picture with all the moving parts in place. The best managers know how to do this, but most managers need to work hard to imagine what a completely transformed operation will look like once the initial transformation cycle is complete.
Understand current and future processes before applying technology
Apply technology only after understanding all your processes, goals and objectives. Your ideal business models and processes should drive technology, not the other way around.
Banish assumptions and sacred cows
In order to be truly transformational, give up all your assumptions about how business gets done and don’t leave changing even a single aspect of your processes and operations off the table.
Are you ready?
Is your management team up to the task? If they are, you probably already have digital transformation happening. If not, start working on your management transformation, first.
© Copyright Jeffrey Morgan, 2018
This article was first published on CIO.com at https://www.cio.com/article/3247305/government/digital-transformation-in-the-public-sector.html
The politics of net neutrality
Mention net neutrality in a conversation and you’ll get an instant, visceral reaction full of political talking points. You can usually take a pretty fair guess about where a person resides in the political universe based on their net neutrality stance.
Why is this so? And why do we allow politicians to control the dialogue? If you listen to politicians and most news outlets, you would think there are only two sides to the issue – the Democratic and the Republican side, the liberal and the conservative side, the enlightened and the stupid side. All of the reporting is delivered in fact-free soundbites based on specious, counterfactual arguments about what might happen if big daddy doesn’t step in and ensure fairness.
In my view, there is only one side to this issue – the economic side. In a free society, products and services, winners and losers are chosen by the market (consumers). In societies with less freedom, politicians and bureaucrats choose who wins – usually their classmates from Harvard or Yale.
The term Net Neutrality is deceptive and reminds me a little of the Ministry of Truth. There is nothing neutral about net neutrality. Regulation doesn’t create freedom; regulation, by definition, creates control. Regulations lead to bakers getting arrested for selling brownies. Regulation leads to monopolies and higher prices for consumers while keeping innovators out of the market because bootstrap startups can’t afford the high price of entry. Regulations generally deny the existence of inviolable economic laws.
Consumers pay dearly for regulation.
A free Internet
Most people on all sides of the net neutrality issue claim they want a free Internet. What do you think about the following statement?
“One of the dangers of the internet is that people can have entirely different realities. They can be cocooned in information that reinforces their current biases.”
“The question has to do with how do we harness this technology in a way that allows a multiplicity of voices, allows a diversity of views, but doesn’t lead to a Balkanization of society and allows ways of finding common ground.”
So, the Internet is dangerous, and it has to be harnessed — by politicians — because it reinforces our biases. Hmm. Can you guess who made the statement quoted above? This doesn’t sound like a free Internet to me; it sounds like one that is tightly controlled by the government.
I suspect that most of the people who claim they want a free Internet are sincere but delusional in the belief that government will provide such freedom. The thought process probably works something like this:
My people are in the White House now, and they know what they’re doing. I trust them to do the right thing.
At best, this is naïve and Pollyannaish. What happens when your people aren’t in office anymore? I am a libertarian and my people are never in office. I don’t want your people deciding what my Internet should look like. Let’s keep the government out of it and let consumers and the market decide.
In the twenty years from 1995 through 2015, world Internet use grew from 16 million users to 3.8 billion. In the United States, between 2000 and 2016 the number of Internet users grew from 121.87 million to 283.7 million. That growth all happened without regulation under Title II of the Communications Act of 1934.
This coming year is my 30th anniversary on the Internet. The net has come a long way since I first hopped on in 1988. Back then, it all happened through university mainframe accounts, CompuServe, and GEnie, with modems as slow as 2400 baud and telnet sessions. It was still working just fine in 2015 when the FCC decided to reclassify it. The Internet will continue to work just fine without such classification and it will continue to be driven by innovation as long as we can keep sleazy politicians and busybody bureaucrats from transforming it for their own nefarious ends.
Following are some suggestions for further reading on the subject.
- Net neutrality strengthens monopolies, invites corruption. Ryan McMaken, 7/17/2017, Mises Institute.
- The FCC needs to abolish a lot more than net neutrality. Sam Estep, 12/19/2017, Mises Institute.
- Net neutrality and the problem with “Experts.” Ryan McMaken, 12/11/2017, Mises Institute.
- Does net neutrality spur Internet innovation? Roslyn Layton, 8/23/2017, American Enterprise Institute.
- Net neutrality will be reincarnated as platform regulation. Roslyn Layton, 12/20/2017, American Enterprise Institute.
- Net neutrality 2.0: perspectives on FCC regulation of Internet service providers. Stuart N. Brotman, 5/16/2017, Brookings Institution.
- AT&T’s monopoly offers a cautionary tale for net neutrality. Robert Tracinski, 11/29/2017, The Federalist.
- Understanding net neutrality. Peter Van Doren and Thomas A. Firey, 12/14/2017, Cato Institute.
- No, scrapping net neutrality laws won’t kill the Internet. Ryan Bourne, 12/19/2017, Cato Institute.
© Copyright Jeffrey Morgan, 2018
This article was first published on CIO.com at https://www.cio.com/article/3245390/net-neutrality/keep-your-dirty-stinkin-hands-off-my-internet.html
J.S. Bach’s sublime “Fugue in C-sharp minor,” from Book One of Das Wohltemperierte Klavier (BWV 849), was published in 1722. It has five voices and three subjects, so it is a triple fugue. Let’s take a look at what Bach and his excellent work can teach us about building a rock-solid information security program.
1. Keep it simple
The slow and stately four-note subject is simple but pregnant with possibility. Through each iteration and each addition of a new component, the piece becomes a lovely, dense mesh of darkness and light. Ultimately, the thrilling climax can send emotional waves through your body leaving you weeping, emotionally drained and forever changed. Each element is simple in itself, but when combined, an extraordinarily complex web of sound is created.
If your perimeter firewall has 5000 rules, you’re probably doing something wrong, especially if you are a relatively small organization. Likewise, if your policy documents are incomprehensible to the average end user, there is a problem. One IT staff I was assessing claimed their policy was secret, and when I finally got hold of it, it turned out it wasn’t a policy at all – it was simply a copy of a federal agency’s policy framework written in govspeak. There was nothing there that would communicate performance and behavioral expectations to management, end users or the IT staff.
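A bloated ruleset usually hides rules that can never fire: exact duplicates, narrower rules already covered by an earlier, broader one, and, worst of all, a deny sitting under an earlier allow that silently neutralizes it. The script below is an added example, not code from the original article; it audits a first-match ruleset for exactly those cases. The six-field rule syntax (name, action, protocol, source CIDR, destination CIDR, destination ports) and the sample rules are assumptions constructed for the illustration, not any vendor’s format.

```python
"""Audit a first-match firewall ruleset for rules that can never fire.

Added example (not from the original article). The rule syntax is an
assumption made for this illustration, not any vendor's format:
    name action proto src_cidr dst_cidr dst_ports
where proto is tcp/udp/icmp/any and dst_ports is 'any', 'N' or 'N-M'.
"""
from dataclasses import dataclass
from ipaddress import ip_network

PROTOS = {"any", "tcp", "udp", "icmp"}
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str     # "allow" or "deny"
    proto: str      # "tcp", "udp", "icmp" or "any"
    src: object     # ipaddress network object
    dst: object     # ipaddress network object
    ports: tuple    # inclusive (low, high) destination port range


def parse_rule(line: str) -> Rule:
    """Parse one rule line; raises ValueError on malformed input."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields: {line!r}")
    name, action, proto, src, dst, ports = fields
    if action not in ("allow", "deny") or proto not in PROTOS:
        raise ValueError(f"bad action or protocol: {line!r}")
    if ports == "any":
        lo, hi = ANY_PORTS
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {line!r}")
    return Rule(name, action, proto,
                ip_network(src, strict=False), ip_network(dst, strict=False),
                (lo, hi))


def parse_ruleset(text: str) -> list:
    """Parse a whole ruleset, skipping blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    if a.src.version != b.src.version or a.dst.version != b.dst.version:
        return False  # subnet_of() rejects mixed IP versions
    return ((a.proto == "any" or a.proto == b.proto)
            and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def audit(rules: list) -> dict:
    """Map each unreachable rule name to (kind, name of the rule hiding it).

    kind is 'redundant' when the hiding rule has the same action (safe to
    delete) and 'conflict' when the actions differ (the later rule states an
    intent the policy never enforces, e.g. a deny under an earlier allow).
    """
    findings = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings[later.name] = (kind, earlier.name)
                break
    return findings


# Constructed sample ruleset for the demonstration.
SAMPLE_RULES = """
R1 allow tcp 10.0.0.0/8   192.168.1.10/32 443
R2 allow tcp 10.1.0.0/16  192.168.1.10/32 443        # redundant: R1 already allows it
R3 deny  tcp 10.1.5.0/24  192.168.1.10/32 443        # conflict: R1 fires first, block never applies
R4 allow udp 10.0.0.0/8   192.168.1.53/32 53
R5 allow tcp 10.0.0.0/8   192.168.1.10/32 8000-8443
R6 deny  any 0.0.0.0/0    0.0.0.0/0       any        # catch-all
"""

if __name__ == "__main__":
    for name, (kind, by) in audit(parse_ruleset(SAMPLE_RULES)).items():
        print(f"{name}: {kind}, shadowed by {by}")
```

Run against the sample, it reports R2 as redundant and R3 as a conflict with R1; the remaining rules are reachable. The check assumes strict first-match evaluation with a single destination-port range per rule; rulesets with “continue” or log-only actions, source-port matching or address groups need those dimensions added to `covers()` before the result can be trusted.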
Printed music, a score, is simply a set of instructions for a performer. It’s not music until a performer brings it to life. Bach’s scores provide the minimal amount of information required to do just that and they leave a great deal of the interpretation to the performer (assuming good taste and common sense, of course).
Your information security plans and documents are similar; they’re just documents until you bring them to life and put them into practice. In many enterprises, these documents exist only on a shelf and are never used. Dust off those documents if you have them and make sure they have been implemented, followed and enforced. If you don’t have the documents, you had better get to work. Follow Bach’s lead and keep it all as simple as possible. Don’t count on common sense, though.
2. Build in layers
Bach chose a five-layer framework for this fugue. How many layers does your security program have? Comprehensive policy, procedures, guidelines, technical controls, administrative controls, physical controls, awareness and training are all part of the mix.
The common mistake I have seen in audits is that organizations often depend on only one layer – technical controls. Many security programs, probably in the majority of enterprises, consist of a firewall and some antivirus software but policy, procedure, guidelines and training are often non-existent. If you depend on technical controls alone, your score is 80-90% incomplete.
3. Practice for resilience
Musicians learn resilience, often the hard way, as soon as they begin doing recitals. The only way to be prepared for anything is to over-practice and over-rehearse so that no matter what happens, your fingers keep going even if your brain shuts down. You have a great amount of time to prepare, but only one chance to get it right when it actually counts.
Practicing and planning for the inevitable information disaster is the only way to survive it. If you’ve done this well, you can keep performing without anyone but an expert noticing the glitch. If you do it badly, the show is interrupted and you may never get a second chance.
4. Continuous improvement
A good music teacher shows you how to practice using mindfulness rather than rote repetition. Each iteration should be made better than the last by analyzing every aspect of what you’re doing. Walter Gieseking wrote about this sort of approach in his book and he might be considered music’s version of W. Edwards Deming.
What sort of program for continuous improvement do you have in place? It doesn’t happen by itself unless you had a great teacher, coach or mentor. Great performers analyze every aspect of every performance and do a root cause analysis so they don’t make the same mistakes again. Well run organizations and great managers do the same, but the majority keeps making the same mistakes over and over again. Public humiliation in front of colleagues and coworkers doesn’t often seem to be a motivating factor in the business world, but it definitely is in the world of musical performance.
5. Listen
Listen to the voice of your network and your end users and pay attention to logs and metrics. Too many IT directors are tone deaf to the voices of their customers and I have seen many organizations that pay no attention to security logs and metrics at all. They can’t distinguish between the sound of a perfectly tuned network and an out-of-tune one. Don’t be that patronizing, know-it-all ass of a CIO – listen to everything and everyone.
If you are unfamiliar with Bach’s C-sharp minor masterwork, you can listen to Hélène Grimaud’s performance, in which the fugue begins at about 3:15. For a different approach, Sir András Schiff’s version begins at about 2:40. There is no accounting for taste and everyone has their favorite.
If you are fascinated by the music and want to learn more, my favorite recording of the entire set is Angela Hewitt’s, which is part of my car mix for long trips. If you are new to Bach, it can be a life-changing experience.
If you want to improve your information security program, there are numerous resources from which to choose. ISO/IEC 27000, NIST, and COBIT 5 for Information Security all provide great starting points. Which is your favorite?
© Copyright Jeffrey Morgan, 2017
This article was first published on CIO.com at https://www.cio.com/article/3240972/data-protection/5-things-js-bach-can-teach-you-about-information-security.html