Getting the message out

At a recent State Department information-sharing session attended by information technology vendors in Oklahoma City, an official said the winner of a competitive bid for a call center contract would be expected to manage the service desk in accordance with the Information Technology Infrastructure Library (ITIL) and other best practices. Up went the hand of Gordon Brown, president of Plexent, an IT service management firm in Dallas. Is the service desk currently running ISO20000 or ITIL processes? he asked.“Not hardly,” was the official’s response. “They point-blank said they would require ISO20000 and ITIL, but they readily admitted that they weren’t quite ready for it themselves,” Brown said. He has seen a marked increase in the number of federal IT contracts put out for bid that require one or more best-practice regimens, including ISO20000, ITIL and the Capability Maturity Model. “The federal sector is attempting to use vendors to help them share these common best practices,” he added.Brown said the federal government is using private-sector contractors to rev up public-sector adoption of best practices, a process that until now has lurched forward erratically.“They are saying ‘We know we’ve got to cure ourselves, and we’re going to force you to help us get cured,’ ” Brown said. “They’re saying, ‘Hey, the commercial world is getting gains from this. There are huge efficiency numbers, and we need to leverage that.’ ”The federal government is becoming more aware of the need to use IT best practices. Adopting optimal standards across government promises savings, increased interoperability, more robust security and improved customer service. But that’s easier said than done.“It hasn’t become a routine part of many agencies’ businesses,” said Fred Thompson, former vice president of management and technology at the Council for Excellence in Government. “It’s hard to keep it active and dynamic.”The federal IT network is a vast hodgepodge of disjointed, heterogeneous and incompatible hardware, software, policies and procedures. It’s a mix of creaky legacy mainframes and state-of-the-art systems run by baby boomers from the punch-card era and Gen Y hotshots who scarcely remember a world without cell phones or Internet service.Adopting, sharing and using best practices are largely matters of getting various parts and people to move in the same direction.“If you can get everybody to go to driver’s ed school,” Brown said, “you can get them to use best practices.”From Total Quality Management to Kaizen and Six Sigma, the impulse to improve and refine is always present. In an era of tight budgets and hyperconnectivity, however, the stakes are higher. IT increasingly is interwoven in the fabric of people’s lives. The discovery and proliferation of best practices has the potential to affect the quality of work, play and government. Momentum for sharing IT best practices has been growing for several years. Milestones in the movement include creation of the CIO Council in 1996 and its establishment of a Best Practices Committee.Early in its life, the CIO Council moved to collect and disseminate examples of successful IT projects. The initiative was undertaken, in part, as a counterbalance to stories about IT nightmares, such as the drawn out efforts to modernize systems at the Internal Revenue Service. Contributing to the impression of IT as a salvage yard filled with wreked cars were numerous reports from the Government Accountability Office and agency inspectors general and an ambitious study, “Computer Chaos,” by the office of then-Sen. William Cohen (R-Maine).Another former senator, Ernest Hollings, a Democrat from South Carolina, once remarked that federal IT specialists couldn’t run a roadside watermelon stand even if they were given the watermelons and the highway patrol flagged down cars for them.The relentless chronicling of IT failures lowered morale but did little to help the people who were trying to get it right. Learning to manage IT projects by rehashing IT mistakes, although not completely useless, is like “studying medicine only by doing autopsies,” said Alan Balutis, former chief information officer at the Commerce Department who is now director of Cisco Systems’ Internet Business Solutions Group. “A lot of projects come in on time and under budget and deliver and lead to tremendous improvements. It’s important to document those.” Notwithstanding the IRS’ well-documented IT troubles, for example, the agency processes tens of millions of electronic tax returns annually, an efficient and cost-effective leap forward. A decade ago, electronic returns were virtually unheard of.John Newton, co-founder of Alfresco, an open-source enterprise content management company, traces the genesis of IT best practices in the public sector to agencies such as the Federal Aviation Administration and the Food and Drug Administration, whose missions directly affect the lives of many people.Early efforts at identifying and sharing best practices focused on case studies of successful projects, with a particular emphasis on refining procedures for procuring IT. At the time, inefficient project management too often resulted in the acquisition of yesterday’s technology at today’s prices.“You always run into problems,” Balutis said. “When you do, what are the practices that people have used to get themselves out of trouble? If we study those success stories, we can improve our batting average and improve the capability of project managers running other initiatives.”Deciding to adhere to best practices raises a host of questions: What is a best practice and who determines that a practice is best? Are best practices universal? How do agencies and individuals identify, collect, store, deliver and use them? “Best practices are extremely valuable. They are like gold nuggets,” said Emory Miller, who spent 36 years with the federal government, primarily in IT positions, before becoming senior vice president of government affairs at Robbins-Gioia, a program management consulting firm. “But how do you distill informainformation in a manner so that people who are doing something similar can determine easily if a best practice does or doesn’t apply to them?” The exchange of best practices happens in at least three ways. There is the repository approach, in which developers of optimal processes and procedures deposit them in a bank from which others can withdraw them as needed. In theory, repositories have the advantage of scale and accessibility, but they tend not to be user-friendly. “We struggle when we try to formalize best practices and develop repositories,” Miller said. “It’s a nice thing to do. It looks good. But when you engage a person in a dialogue, you learn a lot faster. When we get too mechanized in how we organize best practices, we may not be efficient,” he added. “The more collaboration we have among people of like objectives, the more efficient we are.” Second is the forum approach, in which IT practitioners gather at conferences, workshops and symposia to share proven ideas. Technological advances notwithstanding, many IT experts view putting people in the same room and tapping into communal wisdom as the most effective means of sharing best practices. However, physical constraints limit scalability. Martha Dorris, president of the American Council for Technology, sid IT managers and practitioners must occasionally “step off the merry-go-round,” meet peers and take stock of how well they areharing and adopting best practices. “Everybody’s really up to their eyeballs in trying to do more with less and trying to push things to the next level,” Dorris said. “Sometimes it’s difficult for people to take time and step back and do the things they’re supposed to do.”A variation on the forum approach is electronic collaboration among participants using e-mail lists, wikis and other online tools. For most feds, those tools are outside the mainstream.“Wikis make you wince a little bit because of the nature of what a wiki is,” said Charles Scruggs, a vice president of American Systems, an IT and consulting company. “If you turn to a resource like a wiki, you don’t know if the information put there is legitimate.”A third way to disseminate best practices might be called the directed approach. An example would be making compliance with best practices a requirement in vendors’ contracts or to otherwise raising expectations of compliance. “You could say that the recent contract [the Office of Management and Budget] signed with Microsoft for a standard Microsoft configuration, mainly oriented to security, is taking it one step further than [voluntary] best practices,” said Phil Kiviat, a partner at consulting firm Guerra Kiviat and former chairman of the CIO Council’s Outreach Committee. “OMB had been trying to get people to share this information and finally put it into place with a contract.”Similarly, the report cards that OMB and Congress use to grade agencies’ compliance with the Federal Information Security Management Act have increased pressure on agencies to meet federal IT security standards.“It’s very public. It’s measurable, and it creates accountability against a set of ideal practices,” said David Link, chief executive officer and co-founder of ScienceLogic, an IT management firm. “It’s a set of reasonably specific guidelines. The government is stating that if you want to have your electronic security house in order, here are the things you need to follow to accomplish that.” The Education Department offers another example of the directed approach to best practices. In its outsourcing contracts for IT functions, including network management, e-mail, help desk, and security reporting, the department sets vendor performance benchmarks based on ITIL standards.“ITIL has surpassed anything OMB and the CIO Council have done,” said W. Hord Tipton, former CIO at the Interior Department and former co-chairman of the CIO Council’s Best Practices Committee.The process by which a business practice becomes a universally recognized and widely followed best practice is similar to the tortuous route that a bill takes to become a law. Just as legislation can be killed by inaction, special interests, lack of funds or a splenetic lawmaker, various pitfalls await the good practice vying to become the best.Some of the forces that impede the proliferation of smart IT are security concerns, inertia, lack of incentives and the inability, at times, to reliably identify best practices. Take the Component Organization and Registration Environment (Core.gov), a repository of reusable business processes and services. It contains a bit of everything — technical components, software code, JavaScripts and Web services. In theory, the Core.gov program exemplifies the e-government ethos, which President Bush has characterized as “agencies working as a team across traditional boundaries...to create more cost-effective and efficient ways to serve citizens.”Three years after its introduction, however, the program is not yet hitting on all cylinders. Despite having about 1,800 registered users, Core.gov has not won over managers who say they don’t want the best practices agenda to distract from their mission.“We’ve never been able to provde a strong enough level of incentive to be 100 percent successful,” said Marion Royal, Core.gov program manager.The odds are seemingly stacked against adopting bestractices. An abundance of older systems has fostered an attitude in some IT quarters of patch first and re-engineer as a last resort. Identification and validation are also issues. “It’s hard to tell a best practice from a good practice,” Tipton said. He added, however, “with the austere nature of essentially all the agencies’ budgets at this point, anyone who is not looking for best practices is missing the boat.” Then there is the perplexing case of the CIO Council’s Best Practices Committee, established, its mission statement reads, “as a focal point for promoting information management/information technology best practices within the federal government.” Arguably, the committee should be the epicenter of best practices in the federal sector. But it is not clear what success, if any, it has achieved.One of the committee’s initiatives is the Solutions Exchange, “a repository of government-owned solutions that may be useful to other agencies.” Several IT and best practices experts interviewed for this story were unaware of its existence. Numerous telephone calls and e-mail messages soliciting information about the committee’s programs went unanswered, including many requests for interviews with George Strawn, co-chairman of the committee and CIO at the National Science Foundation; William Vajda, the committee’s other co-chairman and CIO at the Education Department; and Brand Niemann, the committee’s secretariat and senior enterprise architect in the Office of the CIO at the Environmental Protection Agency. Many factors hasten or impede the adoption of best practices. A lack of desire isn’t one of them. “One of the things we commonly hear from customers is they are looking to repeat the successes that other agencies have had and avoid mistakes that other agencies have encountered,” said Chris Runge, government technical director at Red Hat, a provider of Linux open-source technology. “They’re really just looking, as we all would, to capitalize on the experiences others have had.” The heightened security environment that has pervaded government in recent years has seemingly been at odds with the desire to share best practices, some IT experts say. “The idea of delivering more collaborative applications, improving the level of information and government accountability to citizenry, and creating architecture that supports that are contradictory initiatives because security and availability are sort of diametrically opposed,” said Jeremy Nazarian, vice president of marketing at Lumeta, a network security company. Scruggs said he doesn’t agree that the public sector is stuck in an apparent contradiction. “In terms of information security, people have realized that there is a big difference between the information you are trying to secure and the methodology you are using to secure it,” he said. “You don’t want to share personally identifiable information, but the methods and methodology you use to keep that information secure, you should share that with everybody.”In July, the National Institute of Standards and Technology’s Computer Security Division posted a memo that enumerated best practices for mitigating “the top 10 risks impeding the adequate protection of government information,” as determined by OMB and the Homeland Security Department. The memo, from Karen Evans, OMB’s administrator for e-government and IT, identified inadequate security controls, audit trails and privacy standards among the most prevalent shortcomings. NIST manages the federal agency security practices page and the federal computer security managers’ forum, where IT security experts swap best practices, said Matthew Scholl, a supervisory information security specialist at NIST.“We are looking more and more [at] common vulnerabilities and what are the best practics people use to mitigate those,” Scholl said. “It’s a tricky thing to do because a best practice for one [organization] might not be a best practice for another.”Change is almost never easy. Also, the peculiarities of IT culture, government culture and various agency subcultures can hamper the adoption of best practices.“In government, there is an element of competitiveness,” said Nigel Ballard, government marketing manager at Intel. “Not all agencies are as collaborative” as they might be, and that’s a problem, he said. “You can’t run a business like that. You can’t run a government like that.”