Getting the message out
Everyone talks about best practices, but like messages in a bottle, best practices are difficult to find. Should agencies be trying harder?
Editor's note: A sidebar to this story was updated at 5:20 p.m. Aug. 22, 2007. Please go to Corrections & Clarifications to see what has changed.
At a recent State Department information-sharing session attended by information technology vendors in Oklahoma City, an official said the winner of a competitive bid for a call center contract would be expected to manage the service desk in accordance with the Information Technology Infrastructure Library (ITIL) and other best practices. Up went the hand of Gordon Brown, president of Plexent, an IT service management firm in Dallas. Is the service desk currently running ISO20000 or ITIL processes? he asked.
Not hardly, was the officials response. They point-blank said they would require ISO20000 and ITIL, but they readily admitted that they werent quite ready for it themselves, Brown said. He has seen a marked increase in the number of federal IT contracts put out for bid that require one or more best-practice regimens, including ISO20000, ITIL and the Capability Maturity Model. The federal sector is attempting to use vendors to help them share these common best practices, he added.
Brown said the federal government is using private-sector contractors to rev up public-sector adoption of best practices, a process that until now has lurched forward erratically.
They are saying We know weve got to cure ourselves, and were going to force you to help us get cured, Brown said. Theyre saying, Hey, the commercial world is getting gains from this. There are huge efficiency numbers, and we need to leverage that.
The federal government is becoming more aware of the need to use IT best practices. Adopting optimal standards across government promises savings, increased interoperability, more robust security and improved customer service. But thats easier said than done.
It hasnt become a routine part of many agencies businesses, said Fred Thompson, former vice president of management and technology at the Council for Excellence in Government. Its hard to keep it active and dynamic.
The federal IT network is a vast hodgepodge of disjointed, heterogeneous and incompatible hardware, software, policies and procedures. Its a mix of creaky legacy mainframes and state-of-the-art systems run by baby boomers from the punch-card era and Gen Y hotshots who scarcely remember a world without cell phones or Internet service.
Adopting, sharing and using best practices are largely matters of getting various parts and people to move in the same direction.
If you can get everybody to go to drivers ed school, Brown said, you can get them to use best practices.
Best Practices Committee
From Total Quality Management to Kaizen and Six Sigma, the impulse to improve and refine is always present. In an era of tight budgets and hyperconnectivity, however, the stakes are higher. IT increasingly is interwoven in the fabric of peoples lives. The discovery and proliferation of best practices has the potential to affect the quality of work, play and government. Momentum for sharing IT best practices has been growing for several years. Milestones in the movement include creation of the CIO Council in 1996 and its establishment of a Best Practices Committee.
Early in its life, the CIO Council moved to collect and disseminate examples of successful IT projects. The initiative was undertaken, in part, as a counterbalance to stories about IT nightmares, such as the drawn out efforts to modernize systems at the Internal Revenue Service. Contributing to the impression of IT as a salvage yard filled with wre
ked cars were numerous reports from the Government Accountability Office and agency inspectors general and an ambitious study, C
omputer Chaos, by the office of then-Sen. William Cohen (R-Maine).
Another former senator, Ernest Hollings, a Democrat from South Carolina, once remarked that federal IT specialists couldnt run a roadside watermelon stand even if they were given the watermelons and the highway patrol flagged down cars for them.
The relentless chronicling of IT failures lowered morale but did little to help the people who were trying to get it right. Learning to manage IT projects by rehashing IT mistakes, although not completely useless, is like studying medicine only by doing autopsies, said Alan Balutis, former chief information officer at the Commerce Department who is now director of Cisco Systems Internet Business Solutions Group. A lot of projects come in on time and under budget and deliver and lead to tremendous improvements. Its important to document those.
Notwithstanding the IRS well-documented IT troubles, for example, the agency processes tens of millions of electronic tax returns annually, an efficient and cost-effective leap forward. A decade ago, electronic returns were virtually unheard of.
John Newton, co-founder of Alfresco, an open-source enterprise content management company, traces the genesis of IT best practices in the public sector to agencies such as the Federal Aviation Administration and the Food and Drug Administration, whose missions directly affect the lives of many people.
Early efforts at identifying and sharing best practices focused on case studies of successful projects, with a particular emphasis on refining procedures for procuring IT. At the time, inefficient project management too often resulted in the acquisition of yesterdays technology at todays prices.
You always run into problems, Balutis said. When you do, what are the practices that people have used to get themselves out of trouble? If we study those success stories, we can improve our batting average and improve the capability of project managers running other initiatives.Passing it on
Deciding to adhere to best practices raises a host of questions: What is a best practice and who determines that a practice is best? Are best practices universal? How do agencies and individuals identify, collect, store, deliver and use them?
Best practices are extremely valuable. They are like gold nuggets, said Emory Miller, who spent 36 years with the federal government, primarily in IT positions, before becoming senior vice president of government affairs at Robbins-Gioia, a program management consulting firm. But how do you distill informainformation in a manner so that people who are doing something similar can determine easily if a best practice does or doesnt apply to them?
The exchange of best practices happens in at least three ways. There is the repository approach, in which developers of optimal processes and procedures deposit them in a bank from which others can withdraw them as needed. In theory, repositories have the advantage of scale and accessibility, but they tend not to be user-friendly.
We struggle when we try to formalize best practices and develop repositories, Miller said. Its a nice thing to do. It looks good. But when you engage a person in a dialogue, you learn a lot faster. When we get too mechanized in how we organize best practices, we may not be efficient, he added. The more collaboration we have among people of like objectives, the more efficient we are.
Second is the forum approach, in which IT practitioners gather at conferences, workshops and symposia to share proven ideas. Technological advances notwithstanding, many IT experts view putting people in the same room and tapping into communal wisdom as the most effective means of sharing best practices. However, physical constraints limit scalability.
Martha Dorris, president of the American Council for Technology, s
id IT managers and practitioners must occasionally step off the merry-go-round, meet peers and take stock of how well they are
haring and adopting best practices.
Everybodys really up to their eyeballs in trying to do more with less and trying to push things to the next level, Dorris said. Sometimes its difficult for people to take time and step back and do the things theyre supposed to do.
A variation on the forum approach is electronic collaboration among participants using e-mail lists, wikis and other online tools. For most feds, those tools are outside the mainstream.
Wikis make you wince a little bit because of the nature of what a wiki is, said Charles Scruggs, a vice president of American Systems, an IT and consulting company. If you turn to a resource like a wiki, you dont know if the information put there is legitimate.
A third way to disseminate best practices might be called the directed approach. An example would be making compliance with best practices a requirement in vendors contracts or to otherwise raising expectations of compliance.
You could say that the recent contract [the Office of Management and Budget] signed with Microsoft for a standard Microsoft configuration, mainly oriented to security, is taking it one step further than [voluntary] best practices, said Phil Kiviat, a partner at consulting firm Guerra Kiviat and former chairman of the CIO Councils Outreach Committee. OMB had been trying to get people to share this information and finally put it into place with a contract.
Similarly, the report cards that OMB and Congress use to grade agencies compliance with the Federal Information Security Management Act have increased pressure on agencies to meet federal IT security standards.
Its very public. Its measurable, and it creates accountability against a set of ideal practices, said David Link, chief executive officer and co-founder of ScienceLogic, an IT management firm. Its a set of reasonably specific guidelines. The government is stating that if you want to have your electronic security house in order, here are the things you need to follow to accomplish that.
The Education Department offers another example of the directed approach to best practices. In its outsourcing contracts for IT functions, including network management, e-mail, help desk, and security reporting, the department sets vendor performance benchmarks based on ITIL standards.
ITIL has surpassed anything OMB and the CIO Council have done, said W. Hord Tipton, former CIO at the Interior Department and former co-chairman of the CIO Councils Best Practices Committee.Good, better, best
The process by which a business practice becomes a universally recognized and widely followed best practice is similar to the tortuous route that a bill takes to become a law. Just as legislation can be killed by inaction, special interests, lack of funds or a splenetic lawmaker, various pitfalls await the good practice vying to become the best.
Some of the forces that impede the proliferation of smart IT are security concerns, inertia, lack of incentives and the inability, at times, to reliably identify best practices.
Three years after its introduction, however, the program is not yet hitting on all cylinders. Despite having about 1,800 registered users, Core.gov has not won over managers who say they dont want the best practices agenda to distract from their mission.
Weve never been able to prov
de a strong enough level of incentive to be 100 percent successful, said Marion Royal, Core.gov program manager.
The odds are seemingly stacked against adopting best
ractices. An abundance of older systems has fostered an attitude in some IT quarters of patch first and re-engineer as a last resort. Identification and validation are also issues. Its hard to tell a best practice from a good practice, Tipton said. He added, however, with the austere nature of essentially all the agencies budgets at this point, anyone who is not looking for best practices is missing the boat.
Then there is the perplexing case of the CIO Councils Best Practices Committee, established, its mission statement reads, as a focal point for promoting information management/information technology best practices within the federal government. Arguably, the committee should be the epicenter of best practices in the federal sector. But it is not clear what success, if any, it has achieved.
One of the committees initiatives is the Solutions Exchange, a repository of government-owned solutions that may be useful to other agencies. Several IT and best practices experts interviewed for this story were unaware of its existence. Numerous telephone calls and e-mail messages soliciting information about the committees programs went unanswered, including many requests for interviews with George Strawn, co-chairman of the committee and CIO at the National Science Foundation; William Vajda, the committees other co-chairman and CIO at the Education Department; and Brand Niemann, the committees secretariat and senior enterprise architect in the Office of the CIO at the Environmental Protection Agency. Money, security, culture
Many factors hasten or impede the adoption of best practices. A lack of desire isnt one of them.
One of the things we commonly hear from customers is they are looking to repeat the successes that other agencies have had and avoid mistakes that other agencies have encountered, said Chris Runge, government technical director at Red Hat, a provider of Linux open-source technology. Theyre really just looking, as we all would, to capitalize on the experiences others have had.
The heightened security environment that has pervaded government in recent years has seemingly been at odds with the desire to share best practices, some IT experts say.
The idea of delivering more collaborative applications, improving the level of information and government accountability to citizenry, and creating architecture that supports that are contradictory initiatives because security and availability are sort of diametrically opposed, said Jeremy Nazarian, vice president of marketing at Lumeta, a network security company.
Scruggs said he doesnt agree that the public sector is stuck in an apparent contradiction. In terms of information security, people have realized that there is a big difference between the information you are trying to secure and the methodology you are using to secure it, he said. You dont want to share personally identifiable information, but the methods and methodology you use to keep that information secure, you should share that with everybody.
In July, the National Institute of Standards and Technologys Computer Security Division posted a memo that enumerated best practices for mitigating the top 10 risks impeding the adequate protection of government information, as determined by OMB and the Homeland Security Department. The memo, from Karen Evans, OMBs administrator for e-government and IT, identified inadequate security controls, audit trails and privacy standards among the most prevalent shortcomings.
NIST manages the federal agency security practices page and the federal computer security managers forum, where IT security experts swap best practices, said Matthew Scholl, a supervisory information security specialist at NIST.
We are looking more and more [at] common vulnerabilities and what are the best practic
s people use to mitigate those, Scholl said. Its a tricky thing to do because a best practice for one [organization] might not be a best practice for another.
Change is almost never easy. Also, the peculiarities of IT culture, government culture and various agency subcultures can hamper the adoption of best practices.
In government, there is an element of competitiveness, said Nigel Ballard, government marketing manager at Intel. Not all agencies are as collaborative as they might be, and thats a problem, he said. You cant run a business like that. You cant run a government like that. Pulley is a freelance writer in Arlington, Va.