What CIOs should do next

A wide-ranging discussion by public- and private-sector IT leaders revealed key drivers for achieving positive mission outcomes.


Federal CIOs, like their private-sector counterparts, lead the integration of IT and organizational strategy. They must balance the daily needs of operational IT across their enterprises with IT's potential contributions to longer-term mission goals, while at the same time overseeing policy and resources in a challenging fiscal environment.

 

U.S. government CIOs are also in the midst of working with their C-suite colleagues to implement the Federal IT Acquisition Reform Act, which strengthens the role of CIOs in budgeting and acquisition and fosters a governance framework for agencies' IT, functional and mission leaders.

 

Given the expanding role for CIOs to help apply IT to addressing key mission objectives, the IBM Center for the Business of Government recently hosted a CIO Leadership Forum with several dozen public- and private-sector IT and C-suite leaders. The non-attribution session explored how CIOs can best drive change in their organizations.

 

Central themes included:

 

  • Modernizing the IT that underpins aging infrastructures by taking advantage of the rapid growth in modern cloud, analytic, mobile and cognitive platforms.
  • Making cybersecurity actionable rather than compliance-oriented.
  • Capitalizing on the revolution in mobile computing.

 

Here are the major findings and recommendations from the forum participants.

 

1. CIOs must address strategic imperatives for success

 

Participants discussed general considerations for how CIOs and IT leaders can most effectively work across the C-suite in delivering value to any organization, public or private. Key findings included:

 

  • CIOs must focus on data that can indicate organizational performance and service quality. Although IT can change over time, analysis of the data produced on IT platforms can lead to insights that often go unobserved.
  • As data comes to an organization from multiple new sources, including mobile and even wearable devices, privacy concerns must be addressed to protect that data and retain citizen, consumer and employee trust.
  • At the same time, it is important for CIOs to lead in understanding the value of new technologies and how they can best be adapted to support agency and company missions. That includes a focus on mobile platforms as a base for new applications because a growing number of users access information via mobile devices rather than traditional computers.
  • Adopting new approaches to technology design and implementation -- including agile and DevOps environments, which government CIO and digital services teams have increasingly used in following commercial best practices -- can enable CIOs and their government and industry colleagues to provide cost-effective and rapid benefits.
  • Finding talented IT professionals is a challenge, and organizations should identify how best to build an effective IT workforce, including partnering with educational institutions to strengthen computer science and other engineering disciplines.

 

2. Modernizing IT is about business, not technology

 

Participants agreed that before focusing on a particular technology path, CIOs and other IT leaders should reach out to their business partners and develop shared objectives. Consensus should be crafted regarding IT's value to the mission and the service quality in delivering that value for external and internal customers.

 

Within that context, CIOs can then develop transformation plans for IT that tie to key organizational outcomes and not simply how fast or efficiently the technology operates. Similarly, CIOs can build a business case for modernization funding by identifying a way to measure return on investment through metrics that are relevant to business needs.

 

Another key business strategy for modernization involves determining which technology should be delivered in a common way across the agency or business as a shared service -- with collective investment to ensure currency in shared infrastructure -- and which applications should be owned locally in a bureau or operating division.

 

Effective organizations often make those decisions through a governance framework that balances the needs of individual units with the overall enterprise, where decisions are made by leaders from multiple offices across the agency or company.

 

Roundtable attendees noted that such an approach has proven successful in public and private enterprises. Indeed, industries that have very different use cases (e.g., utilities, defense, sports, health care, homeland security) all provide a service to a population, have real-time requirements and can benefit from IT modernization that supports their business goals.

 

Within the context of a business guidepost for modernization, participants discussed the CIO's responsibility to develop and lead an IT strategy that supports business outcomes. That strategy can be built from key elements that include:

 

  • Implementing a bimodal architecture that recognizes that public- and private-sector enterprises will rely on existing infrastructure and new innovation in parallel. Mission-critical functions often must continue on legacy systems, and CIOs must innovate accordingly.
  • Identifying new pathways to modernize within the bimodal framework that use emerging technologies, including cloud, analytics and cognitive computing.
  • Creating agile environments to test new pathways by enabling experimentation and rapid iteration in a "sandbox" where developers can try different approaches before scaling up in a production setting that addresses business needs.

 

3. Mobile solutions can drive citizen engagement

 

Mobile platforms can enable modernization consistent with how users commonly access information via a variety of devices. Forum participants made several key recommendations for capitalizing on mobile solutions, including:

 

  • Looking to mobile as a path for citizen engagement by identifying the population that will interact with the organization via mobile means, determining the most convenient way for those users to interact with the organization and deploying user-centered design to truly understand their needs.
  • Addressing key critical success factors for implementing mobile solutions, including security (the need for secure authentication across mobile devices), culture (the need to determine mission uses for devices and how mobile applications support mission uses in a way that the workforce supports) and governance (the need to drive a business and technical architecture that ties mobile solutions to program outcomes).

 

4. Cybersecurity insights must be actionable

 

The participants agreed that government and industry can no longer simply react to threats. Agencies and companies need the capacity to predict where threats will occur and then respond in real time to threats that change shape every hour of every day. The Department of Homeland Security's Continuous Diagnostics and Mitigation program provides a sound tool for agencies to monitor and address incidents. At the same time, responses must be executable in practical ways based on security built into solutions as the default setting so that when the default is compromised, enterprises can take immediate action.

 

Government and industry must work together to build partnerships that enable trusted information sharing and joint capability development. Neither sector will succeed by acting on its own. Similarly, government and industry must interact with members of the general public, who access their networks every day, by taking in ideas and promoting sound behaviors that limit vulnerabilities.

 

The research community also has a key role to play in identifying innovative solutions. Government organizations such as the Defense Advanced Research Projects Agency, the Intelligence Advanced Research Projects Activity and the Homeland Security Advanced Research Projects Agency can work alongside investment strategies coming out of the venture capital community and public/private research partnerships such as In-Q-Tel, following the research lead set by industry.

 

Forum participants also identified other levers for achieving actionable cybersecurity:

 

  • Enable the mission and support mission users

 

Any cyber strategy must balance mission enablement with protection. Government provides key information and services every day over open networks; actionable cybersecurity approaches should enable mission delivery and not impede operations, lest the latter result in workarounds that further weaken protections.

 

Different agencies will address the risk balance in different ways. The delivery of social services, for example, will result in a set of actions that allow individuals to learn about, apply for and receive benefits, while the protection of taxpayer information requires strict attention to security and privacy for sensitive personal information. Accordingly, the delivery of practical cyber solutions must account for how an agency's culture affects its employees, beneficiaries and stakeholders.

 

Simple cyber solutions can be implemented with greater success than those that rely on complexity. Enterprises need to take human factors and usability into consideration when determining cybersecurity solutions, which can drive basic building blocks that help address the majority of vulnerabilities created by inadequate practice of basic cyber hygiene, such as improper response to phishing email messages. That inadvertent insider threat can emanate from all levels of an organization -- entry-level staff, C-suite leaders and everyone in between.

 

More advanced solutions must be adapted based on employees' competency to create and maintain technical approaches. Elegant technologies that cannot be implemented well will not be cost-effective.

 

  • Build security into development

 

Participants agreed that, in general, software developers need training in how to build security into applications and increase their cyber analysis capabilities.

 

Most development focuses on maximizing usability and service delivery, with protection bolted on after the fact. Making security central to the application life cycle can significantly reduce basic software vulnerabilities, and development sandboxes can help developers learn how to bolster protections for the next software release. Conversely, when adopting open-source software, enterprises need to assess vulnerabilities in the supply chain behind that application suite.

 

Building security at the data level can complement technical approaches at the systems level, especially in protecting personally identifiable information and other sensitive data.

 

There is a growing movement around the development of resilient solutions that are self-healing -- cognitive approaches that learn about threat and response patterns and can address a breach immediately without waiting for human intervention, while still providing notices about such actions as a check for system overseers.

 

  • Embrace governance frameworks that encourage collective action

 

Governance frameworks that promote sound decision-making can significantly enhance an organization's capacity to provide for cybersecurity. Through leadership and collective action, enterprises can create communities of practice that connect experts with mentees.

 

Participants also stressed the need to "celebrate the security hero." Just as law enforcement officers receive commendations for outstanding performance in combating crime in the streets, cyber professionals should be recognized for exemplary performance in combating cybercrime.

 

As the above points demonstrate, CIOs and IT leaders in government and industry can benefit greatly from understanding and implementing effective practices from each sector. What else should be on the table for future discussions? Please share your thoughts by emailing tips@fcw.com or messaging @FCWnow on Twitter.
