Getting the message out

Everyone talks about best practices, but like messages in a bottle, best practices are difficult to find. Should agencies be trying harder?

At a recent State Department information-sharing session attended by information technology vendors in Oklahoma City, an official said the winner of a competitive bid for a call center contract would be expected to manage the service desk in accordance with the Information Technology Infrastructure Library (ITIL) and other best practices. Up went the hand of Gordon Brown, president of Plexent, an IT service management firm in Dallas. Is the service desk currently running ISO20000 or ITIL processes? he asked.“Not hardly,” was the official’s response. “They point-blank said they would require ISO20000 and ITIL, but they readily admitted that they weren’t quite ready for it themselves,” Brown said. He has seen a marked increase in the number of federal IT contracts put out for bid that require one or more best-practice regimens, including ISO20000, ITIL and the Capability Maturity Model. “The federal sector is attempting to use vendors to help them share these common best practices,” he added.Brown said the federal government is using private-sector contractors to rev up public-sector adoption of best practices, a process that until now has lurched forward erratically.“They are saying ‘We know we’ve got to cure ourselves, and we’re going to force you to help us get cured,’ ” Brown said. “They’re saying, ‘Hey, the commercial world is getting gains from this. There are huge efficiency numbers, and we need to leverage that.’ ”The federal government is becoming more aware of the need to use IT best practices. Adopting optimal standards across government promises savings, increased interoperability, more robust security and improved customer service. But that’s easier said than done.“It hasn’t become a routine part of many agencies’ businesses,” said Fred Thompson, former vice president of management and technology at the Council for Excellence in Government. “It’s hard to keep it active and dynamic.”The federal IT network is a vast hodgepodge of disjointed, heterogeneous and incompatible hardware, software, policies and procedures. It’s a mix of creaky legacy mainframes and state-of-the-art systems run by baby boomers from the punch-card era and Gen Y hotshots who scarcely remember a world without cell phones or Internet service.Adopting, sharing and using best practices are largely matters of getting various parts and people to move in the same direction.“If you can get everybody to go to driver’s ed school,” Brown said, “you can get them to use best practices.”From Total Quality Management to Kaizen and Six Sigma, the impulse to improve and refine is always present. In an era of tight budgets and hyperconnectivity, however, the stakes are higher. IT increasingly is interwoven in the fabric of people’s lives. The discovery and proliferation of best practices has the potential to affect the quality of work, play and government. Momentum for sharing IT best practices has been growing for several years. Milestones in the movement include creation of the CIO Council in 1996 and its establishment of a Best Practices Committee.Early in its life, the CIO Council moved to collect and disseminate examples of successful IT projects. The initiative was undertaken, in part, as a counterbalance to stories about IT nightmares, such as the drawn out efforts to modernize systems at the Internal Revenue Service. Contributing to the impression of IT as a salvage yard filled with wreked cars were numerous reports from the Government Accountability Office and agency inspectors general and an ambitious study, “Computer Chaos,” by the office of then-Sen. William Cohen (R-Maine).Another former senator, Ernest Hollings, a Democrat from South Carolina, once remarked that federal IT specialists couldn’t run a roadside watermelon stand even if they were given the watermelons and the highway patrol flagged down cars for them.The relentless chronicling of IT failures lowered morale but did little to help the people who were trying to get it right. Learning to manage IT projects by rehashing IT mistakes, although not completely useless, is like “studying medicine only by doing autopsies,” said Alan Balutis, former chief information officer at the Commerce Department who is now director of Cisco Systems’ Internet Business Solutions Group. “A lot of projects come in on time and under budget and deliver and lead to tremendous improvements. It’s important to document those.” Notwithstanding the IRS’ well-documented IT troubles, for example, the agency processes tens of millions of electronic tax returns annually, an efficient and cost-effective leap forward. A decade ago, electronic returns were virtually unheard of.John Newton, co-founder of Alfresco, an open-source enterprise content management company, traces the genesis of IT best practices in the public sector to agencies such as the Federal Aviation Administration and the Food and Drug Administration, whose missions directly affect the lives of many people.Early efforts at identifying and sharing best practices focused on case studies of successful projects, with a particular emphasis on refining procedures for procuring IT. At the time, inefficient project management too often resulted in the acquisition of yesterday’s technology at today’s prices.“You always run into problems,” Balutis said. “When you do, what are the practices that people have used to get themselves out of trouble? If we study those success stories, we can improve our batting average and improve the capability of project managers running other initiatives.”Deciding to adhere to best practices raises a host of questions: What is a best practice and who determines that a practice is best? Are best practices universal? How do agencies and individuals identify, collect, store, deliver and use them? “Best practices are extremely valuable. They are like gold nuggets,” said Emory Miller, who spent 36 years with the federal government, primarily in IT positions, before becoming senior vice president of government affairs at Robbins-Gioia, a program management consulting firm. “But how do you distill informainformation in a manner so that people who are doing something similar can determine easily if a best practice does or doesn’t apply to them?” The exchange of best practices happens in at least three ways. There is the repository approach, in which developers of optimal processes and procedures deposit them in a bank from which others can withdraw them as needed. In theory, repositories have the advantage of scale and accessibility, but they tend not to be user-friendly. “We struggle when we try to formalize best practices and develop repositories,” Miller said. “It’s a nice thing to do. It looks good. But when you engage a person in a dialogue, you learn a lot faster. When we get too mechanized in how we organize best practices, we may not be efficient,” he added. “The more collaboration we have among people of like objectives, the more efficient we are.” Second is the forum approach, in which IT practitioners gather at conferences, workshops and symposia to share proven ideas. Technological advances notwithstanding, many IT experts view putting people in the same room and tapping into communal wisdom as the most effective means of sharing best practices. However, physical constraints limit scalability. Martha Dorris, president of the American Council for Technology, sid IT managers and practitioners must occasionally “step off the merry-go-round,” meet peers and take stock of how well they areharing and adopting best practices. “Everybody’s really up to their eyeballs in trying to do more with less and trying to push things to the next level,” Dorris said. “Sometimes it’s difficult for people to take time and step back and do the things they’re supposed to do.”A variation on the forum approach is electronic collaboration among participants using e-mail lists, wikis and other online tools. For most feds, those tools are outside the mainstream.“Wikis make you wince a little bit because of the nature of what a wiki is,” said Charles Scruggs, a vice president of American Systems, an IT and consulting company. “If you turn to a resource like a wiki, you don’t know if the information put there is legitimate.”A third way to disseminate best practices might be called the directed approach. An example would be making compliance with best practices a requirement in vendors’ contracts or to otherwise raising expectations of compliance. “You could say that the recent contract [the Office of Management and Budget] signed with Microsoft for a standard Microsoft configuration, mainly oriented to security, is taking it one step further than [voluntary] best practices,” said Phil Kiviat, a partner at consulting firm Guerra Kiviat and former chairman of the CIO Council’s Outreach Committee. “OMB had been trying to get people to share this information and finally put it into place with a contract.”Similarly, the report cards that OMB and Congress use to grade agencies’ compliance with the Federal Information Security Management Act have increased pressure on agencies to meet federal IT security standards.“It’s very public. It’s measurable, and it creates accountability against a set of ideal practices,” said David Link, chief executive officer and co-founder of ScienceLogic, an IT management firm. “It’s a set of reasonably specific guidelines. The government is stating that if you want to have your electronic security house in order, here are the things you need to follow to accomplish that.” The Education Department offers another example of the directed approach to best practices. In its outsourcing contracts for IT functions, including network management, e-mail, help desk, and security reporting, the department sets vendor performance benchmarks based on ITIL standards.“ITIL has surpassed anything OMB and the CIO Council have done,” said W. Hord Tipton, former CIO at the Interior Department and former co-chairman of the CIO Council’s Best Practices Committee.The process by which a business practice becomes a universally recognized and widely followed best practice is similar to the tortuous route that a bill takes to become a law. Just as legislation can be killed by inaction, special interests, lack of funds or a splenetic lawmaker, various pitfalls await the good practice vying to become the best.Some of the forces that impede the proliferation of smart IT are security concerns, inertia, lack of incentives and the inability, at times, to reliably identify best practices. Take the Component Organization and Registration Environment (Core.gov), a repository of reusable business processes and services. It contains a bit of everything — technical components, software code, JavaScripts and Web services. In theory, the Core.gov program exemplifies the e-government ethos, which President Bush has characterized as “agencies working as a team across traditional boundaries...to create more cost-effective and efficient ways to serve citizens.”Three years after its introduction, however, the program is not yet hitting on all cylinders. Despite having about 1,800 registered users, Core.gov has not won over managers who say they don’t want the best practices agenda to distract from their mission.“We’ve never been able to provde a strong enough level of incentive to be 100 percent successful,” said Marion Royal, Core.gov program manager.The odds are seemingly stacked against adopting bestractices. An abundance of older systems has fostered an attitude in some IT quarters of patch first and re-engineer as a last resort. Identification and validation are also issues. “It’s hard to tell a best practice from a good practice,” Tipton said. He added, however, “with the austere nature of essentially all the agencies’ budgets at this point, anyone who is not looking for best practices is missing the boat.” Then there is the perplexing case of the CIO Council’s Best Practices Committee, established, its mission statement reads, “as a focal point for promoting information management/information technology best practices within the federal government.” Arguably, the committee should be the epicenter of best practices in the federal sector. But it is not clear what success, if any, it has achieved.One of the committee’s initiatives is the Solutions Exchange, “a repository of government-owned solutions that may be useful to other agencies.” Several IT and best practices experts interviewed for this story were unaware of its existence. Numerous telephone calls and e-mail messages soliciting information about the committee’s programs went unanswered, including many requests for interviews with George Strawn, co-chairman of the committee and CIO at the National Science Foundation; William Vajda, the committee’s other co-chairman and CIO at the Education Department; and Brand Niemann, the committee’s secretariat and senior enterprise architect in the Office of the CIO at the Environmental Protection Agency. Many factors hasten or impede the adoption of best practices. A lack of desire isn’t one of them. “One of the things we commonly hear from customers is they are looking to repeat the successes that other agencies have had and avoid mistakes that other agencies have encountered,” said Chris Runge, government technical director at Red Hat, a provider of Linux open-source technology. “They’re really just looking, as we all would, to capitalize on the experiences others have had.” The heightened security environment that has pervaded government in recent years has seemingly been at odds with the desire to share best practices, some IT experts say. “The idea of delivering more collaborative applications, improving the level of information and government accountability to citizenry, and creating architecture that supports that are contradictory initiatives because security and availability are sort of diametrically opposed,” said Jeremy Nazarian, vice president of marketing at Lumeta, a network security company. Scruggs said he doesn’t agree that the public sector is stuck in an apparent contradiction. “In terms of information security, people have realized that there is a big difference between the information you are trying to secure and the methodology you are using to secure it,” he said. “You don’t want to share personally identifiable information, but the methods and methodology you use to keep that information secure, you should share that with everybody.”In July, the National Institute of Standards and Technology’s Computer Security Division posted a memo that enumerated best practices for mitigating “the top 10 risks impeding the adequate protection of government information,” as determined by OMB and the Homeland Security Department. The memo, from Karen Evans, OMB’s administrator for e-government and IT, identified inadequate security controls, audit trails and privacy standards among the most prevalent shortcomings. NIST manages the federal agency security practices page and the federal computer security managers’ forum, where IT security experts swap best practices, said Matthew Scholl, a supervisory information security specialist at NIST.“We are looking more and more [at] common vulnerabilities and what are the best practics people use to mitigate those,” Scholl said. “It’s a tricky thing to do because a best practice for one [organization] might not be a best practice for another.”Change is almost never easy. Also, the peculiarities of IT culture, government culture and various agency subcultures can hamper the adoption of best practices.“In government, there is an element of competitiveness,” said Nigel Ballard, government marketing manager at Intel. “Not all agencies are as collaborative” as they might be, and that’s a problem, he said. “You can’t run a business like that. You can’t run a government like that.”
Editor's note: A sidebar to this story was updated at 5:20 p.m. Aug. 22, 2007. Please go to Corrections & Clarifications to see what has changed.



















Best Practices Committee



















Passing it on
































Good, better, best


















Money, security, culture





















Pulley is a freelance writer in Arlington, Va.
X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.