Every year or so I am lucky to be invited by Dr. Robert McCreight who teaches a graduate class on National Security and Technology to be a guest lecturer on Cybersecurity.
Since the classes I teach at the University of Maryland and Syracuse University are on-line distance learning, it is always a treat for me to have actual live students in the same classroom as I am to interact with. This year the exchange of information was really great, Dr. McCreight has a wonderful class. For all of these activities, I deal with what I call the “avoidance of appearing like an idiot in front of people syndrome”, which forces me to at least to scan and keep up with the literature before the class is held.
While I am one of those people who learn best by doing, being able to talk to and/or discuss with bright students is still very helpful and fun to do.
I have posted my presentation below and during the next few weeks hope to write a few columns based on the later slides, of course I have still not written my last two posts I promised on cloud computing, as as usual what I plan to do with this blog and what actually happens continues to diverge.
On slide 13, I put a quote from Professor John Mueller, who is the Woody Hayes Chair of National Security Studies at Ohio State University, parenthetically a title which gives one pause for a number of reasons. I really like to read Professor Mueller’s papers not because I agree with all of them but because he is a contrarian. It is from those people who do not follow the crowd, that much can be learned.
Professor Mueller basically claims that the ability to predict what a terrorist would do is so small and the cost of protecting everywhere so high that we need to rethink our entire approach to national security. He has written a number of papers on this subject including doing mathematical analysis of the value of the lives saved or lost, which I expect makes some readers uncomfortable, but in the end makes a pretty strong case that we are throwing a lot of money down a bottomless well and not achieving very much with the investment.
I do not have enough expertise to figure out if he is right or wrong, but wanted to mention the related issue which his premise touches on which is prioritization.
The lesson from Professor Mueller is that prioritization in order to work has consequences. That is, when one decides what is a high priority and what is a low priority, then more attention and resources need to be invested in the high priority items – this is the easy part – and less attention and resources need to be invested in the low priority items – AND THIS is the actual hard part.
Interestingly to me, there is lots and lots of attention in the Government in how to create and implement performance based measurements. Doing so in the Government has difficulties not present in commercial situations in large part due to the less clear goals or at least less agreed to goals that a Government program may have. But as hard as creating a performance based approach is, in reality in the end it is the easy step. Much, much harder is acting on the results.
Taking ownership for NOT dealing with a low priority item is not a goal for most Government managers. If you do so and something goes wrong unexpectedly with the area you didn’t get to, you will own the negative results which is not so hot in our blame-first, analyze-second culture. Thus regardless of how we prioritize and how we measure performance there is a tendency to peanut-butter the investments, spreading them around so everything gets at least some attention and none, including the potentially identified high-priority items, get solved.
The lesson from this to me is that it is as or more important to focus on getting agreement from all stakeholders, and their management, as to how to prioritize and the implications of prioritization as it is to create the measurement systems. If the implications are not agreed to up front in a public fashion, then even after performance is measured, you will still end up not acting on the results.