What CIOs should do next

Federal CIOs, like their private-sector counterparts, lead the integration of IT and organizational strategy. They must balance the daily needs of operational IT across their enterprises with IT's potential contributions to longer-term mission goals, while at the same time overseeing policy and resources in a challenging fiscal environment.

U.S. government CIOs are also in the midst of working with their C-suite colleagues to implement the Federal IT Acquisition Reform Act, which strengthens the role of CIOs in budgeting and acquisition and fosters a governance framework for agencies' IT, functional and mission leaders.

Given the expanding role for CIOs to help apply IT to addressing key mission objectives, the IBM Center for the Business of Government recently hosted a CIO Leadership Forum with several dozen public- and private-sector IT and C-suite leaders. The non-attribution session explored how CIOs can best drive change in their organizations.

Central themes included:

• Modernizing the IT that underpins aging infrastructures by taking advantage of the rapid growth in modern cloud, analytic, mobile and cognitive platforms.
• Making cybersecurity actionable rather than compliance-oriented.
• Capitalizing on the revolution in mobile computing.

Here are the major findings and recommendations from the forum participants.

1. CIOs must address strategic imperatives for success

Participants discussed general considerations for how CIOs and IT leaders can most effectively work across the C-suite in delivering value to any organization, public or private. Key findings included:

• CIOs must focus on data that can indicate organizational performance and service quality. Although IT can change over time, analysis of the data produced on IT platforms can lead to insights that often go unobserved.
• As data comes to an organization from multiple new sources, including mobile and even wearable devices, privacy concerns must be addressed to protect that data and retain citizen, consumer and employee trust.
• At the same time, it is important for CIOs to lead in understanding the value of new technologies and how they can best be adapted to support agency and company missions. That includes a focus on mobile platforms as a base for new applications because a growing number of users access information via mobile devices rather than traditional computers.
• Adopting new approaches to technology design and implementation -- including agile and DevOps environments, which government CIO and digital services teams have increasingly used in following commercial best practices -- can enable CIOs and their government and industry colleagues to provide cost-effective and rapid benefits.
• Finding talented IT professionals is a challenge, and organizations should identify how best to build an effective IT workforce, including partnering with educational institutions to strengthen computer science and other engineering disciplines.

2. Modernizing IT is about business, not technology

Participants agreed that before focusing on a particular technology path, CIOs and other IT leaders should reach out to their business partners and develop shared objectives. Consensus should be crafted regarding IT's value to the mission and the service quality in delivering that value for external and internal customers.

Within that context, CIOs can then develop transformation plans for IT that tie to key organizational outcomes and not simply how fast or efficiently the technology operates. Similarly, CIOs can build a business case for modernization funding by identifying a way to measure return on investment through metrics that are relevant to business needs.

Another key business strategy for modernization involves determining which technology should be delivered in a common way across the agency or business as a shared service -- with collective investment to ensure currency in shared infrastructure -- and which applications should be owned locally in a bureau or operating division.

Effective organizations often make those decisions through a governance framework that balances the needs of individual units with the overall enterprise, where decisions are made by leaders from multiple offices across the agency or company.

Roundtable attendees noted that such an approach has proven successful in public and private enterprises. Indeed, industries that have very different uses cases (e.g., utilities, defense, sports, health care, homeland security) all provide a service to a population, have real-time requirements and can benefit from IT modernization that supports their business goals.

Within the context of a business guidepost for modernization, participants discussed the CIO's responsibility to develop and lead an IT strategy that supports business outcomes. That strategy can be built from key elements that include:

• Implementing a bimodal architecture that recognizes that public- and private-sector enterprises will rely on existing infrastructure and new innovation in parallel. Mission-critical functions often must continue on legacy systems, and CIOs must innovate accordingly.
• Identifying new pathways to modernize within the bimodal framework that use emerging technologies, including cloud, analytics and cognitive computing.
• Creating agile environments to test new pathways by enabling experimentation and rapid iteration in a "sandbox" where developers can try different approaches before scaling up in a production setting that addresses business needs.

3. Mobile solutions can drive citizen engagement

Mobile platforms can enable modernization consistent with how users commonly access information via a variety of devices. Forum participants made several key recommendations for capitalizing on mobile solutions, including:

• Looking to mobile as a path for citizen engagement by identifying the population that will interact with the organization via mobile means, determining the most convenient way for those users to interact with the organization and deploying user-centered design to truly understand their needs.
• Addressing key critical success factors for implementing mobile solutions, including security (the need for secure authentication across mobile devices), culture (the need to determine mission uses for devices and how mobile applications support mission uses in a way that the workforce supports) and governance (the need to drive a business and technical architecture that ties mobile solutions to program outcomes).

4. Cybersecurity insights must be actionable

The participants agreed that government and industry can no longer simply react to threats. Agencies and companies need the capacity to predict where threats will occur and then respond in real time to threats that change shape every hour of every day. The Department of Homeland Security's Continuous Diagnostics and Mitigation program provides a sound tool for agencies to monitor and address incidents. At the same time, responses must be executable in practical ways based on security built into solutions as the defau  lt setting so that when the default is compromised, enterprises can take immediate action.

Government and industry must work together to build partnerships that enable trusted information sharing and joint capability development. Neither sector will succeed by acting on its own. Similarly, government and industry must interact with members of the general public, who access their networks every day, by taking in ideas and promoting sound behaviors that limit vulnerabilities.

The research community also has a key role to play in identifying innovative solutions. Government organizations such as the Defense Advanced Research Projects Agency, the Intelligence Advanced Research Projects Activity and the Homeland Security Advanced Research Projects Agency can work alongside investment strategies coming out of the venture capital community and public/private research partnerships such as In-Q-Tel, following the research lead set by industry.

Forum participants also identified other levers for achieving actionable cybersecurity:

• Enable the mission and support mission users

Any cyber strategy must balance mission enablement with protection. Government provides key information and services every day over open networks; actionable cybersecurity approaches should enable mission delivery and not impede operations, lest the latter result in workarounds that further weaken protections.

Different agencies will address the risk balance in different ways. The delivery of social services, for example, will result in a set of actions that allow individuals to learn about, apply for and receive benefits, while the protection of taxpayer information requires strict attention to security and privacy for sensitive personal information. Accordingly, the delivery of practical cyber solutions must account for how an agency's culture affects its employees, beneficiaries and stakeholders.

Simple cyber solutions can be implemented with greater success than those that rely on complexity. Enterprises need to take human factors and usability into consideration when determining cybersecurity solutions, which can drive basic building blocks that help address the majority of vulnerabilities created by inadequate practice of basic cyber hygiene, such as improper response to phishing email messages. That inadvertent insider threat can emanate from all levels of an organization -- entry-level staff, C-suite leaders and everyone in between.

More advanced solutions must be adapted based on employees' competency to create and maintain technical approaches. Elegant technologies that cannot be implemented well will not be cost-effective.

• Build security into development

Participants agreed that, in general, software developers need training in how to build security into applications and increase their cyber analysis capabilities.

Most development focuses on maximizing usability and service delivery, with protection bolted on after the fact. Making security central to the application life cycle can significantly reduce basic software vulnerabilities, and development sandboxes can help developers learn how to bolster protections for the next software release. Conversely, when adopting open-source software, enterprises need to assess vulnerabilities in the supply chain behind that application suite.

Building security at the data level can complement technical approaches at the systems level, especially in protecting personally identifiable information and other sensitive data.

There is a growing movement around the development of resilient solutions that are self-healing -- cognitive approaches that learn about threat and response patterns and can address a breach immediately without waiting for human intervention but while providing notices about such actions as a check for system overseers.

• Embrace governance frameworks that encourage collective action

Governance frameworks that promote sound decision-making can significantly enhance an organization's capacity to provide for cybersecurity. Through leadership and collective action, enterprises can create communities of practice that connect experts with mentees.

Participants also stressed the need to "celebrate the security hero." Just as law enforcement officers receive commendations for outstanding performance in combating crime in the streets, cyber professionals should be recognized for exemplary performance in combating cybercrime.

As the above points demonstrate, CIOs and IT leaders in government and industry can benefit greatly from understanding and implementing effective practices from each sector. What else should be on the table for future discussions? Please share your thoughts by emailing tips@fcw.com or messaging @FCWnow on Twitter.