During the time I worked on that effort, I got to know a number of the IADB staff. One of them who was born in  Spain, married an American wife, and now lives in the US, told me that in his opinion there was one particular thing that made America unique. It was that unlike any other country America was founded on the principal that all Governmental power was derived from the people. In most countries, he said, the opposite was the case. In other countries, rights were conferred by the Government.

I am not enough a student of International Political Science to know how accurate that conversation was. But I do believe in the first part, that is that the premise of the American experiment was that Governmental power was “derived from” not “established for”.

Quoting from the Declaration of Independence, a document which will be often quoted today, July 4th, but not paid enough attention to:

“”We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty, and the pursuit of Happiness.—That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed.”

As a second generation American, all of my grandparents were born in Europe, I remain thankful that I am able to be a small part of this continuing attempt to expand the barriers to freedom that America has and continues to represent. I continue to believe that freedom is at its most basic not “freedom from” but “freedom to”.

While I worry that currently we are losing our way a bit, like most American’s for these over 200 years, I remain optimistic that the experiment will continue unabated.

Happy July 4th to all friends of liberty.

Many people have a permanent signature that has some generic sign-off like “Gratefully yours” or “Many thanks” or  ”Respectfully yours” or something like that and then their first name on the final line.

However, there are tons of emails where this signature ends up being jarring.

“Dear Second Rate Person,

You have been unreasonable for ever. You don’t return calls, you don’t respond to emails.

Your company provides lousy customer service.

Your children are ugly.

I can’t even believe you found someone willing to mate with you for money let alone be a fellow parent.

Respectfully yours,

- Me”

And such is the electronic world we live in today.

Early in the broadcast was a story about how much money was being spent on the campaigns this year. The slant of the story was how awfully high the money being spent was. They estimated the total was perhaps $3B which I would agree seems like a large number to me.

Toward the end of the broadcast they had an article on Halloween. They remarked on how much was being spent on Halloween costumes this year. Their estimate was perhaps $2B, again a fairly large number.

On the other hand, it occurred to me that if you added the candy that was also bought I strongly suspect the total was significantly higher than $3B total, when added to the costume cost.

So in other words, they were saying that it is bad if we spend as much on deciding who will serve in the entire House of Representatives, 1/3 of the Senate, and most of the Governors in the United States as we do on Halloween costumes and candy.

Now I am as cynical as the next person about politics these days but I wonder if the NBC news editors didn’t see at least some irony in those two stories. I am sure the way people these days, few others will either.

“Did I want anything”, she asked. “What do they sell at Target?”, I wondered aloud.

“Well,” she said, “would you like detergent?”

“What?”, I responded in confusion, “Detergent?”

“Yes”, she said, “Would you like some laundry detergent for your clothes?”

“You know,” I said, “In almost 30 years of marriage, I can honestly say you have never asked me that question before. I have no idea as to if or what detergent I would need. I have never figured out which kind works with what kind of clothes or in what circumstances. I just take the container closest to the washing machine and hope that is the one that would work best.”

That last part got me to thinking. There is a lot in my life over the years where that approach, take the closest thing and use that, has explained how I deal with issues that are not critical to me.

When I was in college and got to my senior year I was able more and more to take the classes I chose; not just because I was moving to electives but also because juniors and then seniors had a higher priority in class selection. My senior year I selected all my classes by how close they were to each other. I was able to arrange a number of classes so they followed each other and were in exactly the same classroom.

A good friend of mine provided me advice I often follow when attending a larger lunch or dinner. He told me that he felt he only had a certain number of correct decisions that he was able to make in any one day. He would identify the most important person at the table and then order whatever they ordered, saving the number of decisions to be made for other times. Not only do I often follow that, but I use that story to flatter the person I am copying, thus achieving two goals; saving decisions and sucking up.

In business, whenever I face a problem I do not have much background in, my first thought is to find some organization or person that I admire and see how they solved that problem and then copy them.

I use an 80/20 rule to show emphasis. I believe most successful people 80% of the time make decisions based on experience, sort of mental muscle memory. That allows them to concentrate on the 20% of the decisions they are not as familiar with, rather than having to think about everything. It occurred to me that these habits I follow are my attempt to increase the amount of decisions that fit into the 80% side.

One other piece of information I wanted to pass on. Some may wonder if the fact that I do my own laundry is a sign of someone who is trying to share household chores and be a sensitive, albeit aging husband. Sadly the answer is no.

When my two daughters were younger they would take clothes from my wife and use them, later it was jewelry. When it came time to doing laundry, fights would break out between my two daughters and between them and Ellen. I got tired of being involved with the struggles and decided to separate my laundry and do it myself so I wouldn’t have to deal with any of it. On reflection, this was a corollary to the above. It has served me well over the years and now is second nature. Or at least it will remain so as long as my wife leaves the right detergent near the washer.

For example, one of the proud moments in my younger political career happened when I was active in College Republican politics in the state of Maryland. One of the young women active in the Notre Dame club, a college in Baltimore, told me that even though we generally were on different sides, she always respected me. The reason was that unlike most of the other male CRs I treated her the same that I treated male CRs. I expected her to keep her word, to work hard, and on and on. Most others expected less from her because she was ‘cute’, which she was.

Ignoring for a moment that one reason I treated her the same was as much due to my social ineptness as anything else, I would say that I tried to carry that goal of equity to my professional life pretty consistently.

But that is not why I am posting this.

One of my standard comments about gender has been to note that in my house there are almost all women, my wonderful wife and two amazing, now college graduated, daughters. The only other male over the course of my marriage was a neutered male cat. I tell people that each day my goal over those twenty-some years has been to avoid doing whatever it was that caused that cat to end up like that.

When I last told that story a few days ago, Liz Renninger’s, http://www.linkedin.com/pub/liz-renninger/0/460/661, immediate response was “Well, I guess you failed.”

And thus one of my favorite stories about myself may have to be retired.

The theme of the conference was Lowering the Cost of Government with Technology though the panel’s comments ranged from cost issues to government 2.0 and social networking to cyber-security in general.

The panel was moderated by Chris Dorobek, the afternoon co-anchor for WFED. The other panelists included Vance Hitch, the Department of Justice CIO, Pat Howard, the Chief Information Security Officer, CISO, for the Nuclear Regulatory Commission, Dr. Ron Ross, a key figure in defining security requirements and policy at the National Institute of Standards and Technology, NIST, Gary Galloway, the Deputy Director for Information Assurance at the Department of State, and Rue Moody, the Director of Strategic Technology at Citrix.

I was called on first after the introductions to frame the conversation based on the pre-meeting discussions the panelists had held. I discussed four issues.

First, there is an inherent conflict between data sharing and data protection. In my opinion, you cannot do both perfectly. Even though almost everyone will take the position that you will have to pay attention to both, it is important to pay attention to which way you lean and why and the implications. I noted how impressed I was towards the end of the last administration, when Mike McConnell, then the Director of National Intelligence, DNI, talked about if he had to take some security risks in order to increase the ability to share information within the Intelligence Community, he would. I am sure that I am not capturing the nuances of his talk, but the messaging was very powerful. It is a position that those who know me recognize I agree with very strongly.

Second, security is difficult to measure and more importantly there is little agreement among security experts as to what metrics to use. This is a particular problem for those agencies and departments who do not have security as part of their day job.

What I mean by that last sentence is that those departments who have security as part of their primary mission have a great deal of day-to-day experience in making tradeoffs involving security spending. Even if the rationale for decisions is merely experiential as opposed to quantitative, over time senior management gets to be fairly experienced at making these kinds of decisions.

For most civilian departments and agencies this is not as true. Trying to decide if taking money from safety inspections, which might be an agencies primary mission, and spending it on cyber-security is a difficult decision to make. Without defined metrics the likelihood of making the correct decision isn’t very high.

I was heartened in reading recently about the establishment of a Security Metrics Task Force by Vivek Kundra and the Federal CIO Council, http://it.usaspending.gov/?q=content/blog, chaired by Vance Hitch, who discussed this during his remarks at the panel, and Rob Carey, the Department of the Navy CIO.

Third, it is hard for people in large organizations, especially governmental organizations to prioritize; that is, to implement the results of risk analysis. The fundamental reason is that prioritization requires someone to decide to work on one set of requirements and thus to NOT work on the rest of the requirements. Few, if anyone, wants to be the person who is associated with the latter decision, the not work on part. If anything bad happens that could be associated with a requirement that is in the lower set of priorities, that will get extra attention from the various oversight groups that look over the shoulders of IT providers in the Federal Government. As someone who had the pleasure of testifying on the hill I can promise you it is not a goal for most people.

The end result is that often organizations try to do everything and thus end up doing very little of anything.

Finally, I noted that the general overemphasis on protecting the end-points of networks is starting to be balanced against the need for creating systems that are resiliant and have high-availability. Obviously, it would not be a good plan to ignore investments in protection against bad guys getting into networks. But it is equally important to recognize that regardless of the level of protection built into an architecture, at least some bad guys will get through. Therefore, it is also important to think about how to make sure systems stay up and running with protected data even while a system has been otherwise penetrated.

As hard as it is to build in protections and to measure the results, it is harder still to do the same for regarding building resiliant systems. Thus the greater emphasis on protection first, which i believe still needs to be adjusted further.

One point which I didn’t make as well as I would have liked at the Conference is the fact that security has both positive and negative cost implications. It can be positive if there is greater standardization which tends to lower support costs and can do so dramatically if done well. It can be negative if there is no clearcut methodology to making investment decisions. Without associated risk management and security metrics, security spending becomes an endless investment with no well-defined result.

Many thanks to Goldy Kamali for inviting me to be part of the panel and for putting together a great conference. Everyone who missed it missed some great discussions and networking opportunities.

One of the first discussion topics for our class dealt with an excerpt from one of our textbooks relating to where the security function should report within an organization. 

The excerpt said “In these cases, the information security manager generally reports directly or indirectly to the CIO but in some cases may report to the CFO or, unfortunately, even to Operations.”

I was interested in getting each of your reactions to this quote and perhaps comment about the value of having security report to the CIO, to the CFO, or to Operations Management. Further, it was reasonable to suggest still other possible reporting relationships for the security operation. Each has advantages and disadvantages, which we will come back to a few times during the course of the class and which I expect each of you to comment on in your Final Paper.

Based on some of the responses, I thought it would be useful to talk a bit about organizational implications in general and provide some lessons learned from my time at the US Department of Transportation.

Organizational Implications

This will not be an exhaustive review of Organizational Theory and its implications, a topic worth a number of classes all by itself. Instead I would like to touch on three topics that relates a bit more directly to the question posed by the excerpt.

Signals Importance

How a senior manager, or any manger for that matter organizes their direct reporting structure sends a signal to people above and below them in the organization as well as to the internal and external stakeholders of the organization.

By signal I mean that the manager is indicating what they feel is most important to them, the functions that directly report, and those they feel relate to each other, how sub-functions are grouped together.

For example, let’s look at the options that the excerpt presented. If the security manager reported to the CIO, then one thing that is being said is that it is the CIO who owns information security. Either this means that security is not important enough to report directly to senior corporate management or is so intertwined with the other CIO responsibilities that it cannot be separately dealt with.

If the security function reports to the CFO, this may convey a number of different messages. It might mean that financial loss is the major implication of bad security. If the CFO also has general oversight responsibilities, this may imply that the security manager has more of an oversight role and that operational security responsibilities exist elsewhere within the organization, perhaps in operations.

If the security function reports to Operations, one of the unfortunate messages that is being sent is that operational requirements dominate security thinking. Typically this occurs when the focus of security is largely technical in nature, how to implement security. Oversight, that is, checking to see if the security is actually working tends to be under resourced.

At the Department of Transportation, the CIO reported to the Office of the Secretary, the information security officer reported to the CIO. As the CIO I was the person responsible for approving and implementing security policies. As much as possible, I made the information security officer visible to senior management, but there was never any question that I was held responsible in the end.

Making Decisions

One of the most, if not the most, critical resource we need to manage is time. We make decisions every day regarding where we spend our time.

These decisions impact what topics we become more aware of and which we do not. People who work with us, for us, or for whom we work, over time will notice which topics are the ones we are most interested in. If our focus or opinion is important to them, that focus will impact what they pay attention to also with their limited time.

While I was at the Department of Transportation I got into an argument with a senior manager from the Office of Management of Budget, OMB, which reports to/is part of the White House. OMB is responsible for approving budgets for all of the Federal Government, the B in OMB, and setting management policies for all of the Federal Government, the M in OMB.  I will note that the B part has typically been more important and had greater impact than the M part.

This person’s contention was that as long as sufficiently robust goals and associated measurements were established that it wasn’t really critical whether someone, in this case CIO’s, reported to the senior management of their Department or Agency, referred to in Federal speak as D/A’s, or to an intermediate manager. In my case the options were to report to the Office of the Secretary of Transportation, that is the Secretary or Deputy Secretary who typically acted as a team or to one of the direct reports to the Office of the Secretary. With clear goals and clear measurements, the CIO would know what they needed to do and how they would be judged.

I disagreed, perhaps partially because I reported to the Office of the Secretary and liked that reporting relationship. My reasoning was that the real issue was whether the ultimately decision maker understood ME enough and my issues, not whether I understood them. If the Deputy Secretary, for example, didn’t see me on a regular basis he, or she, would be less likely to know when to listen to my request for resources or support. They wouldn’t know how to judge how important my request was compared to other requests coming from different parts of the Department.

What Are the Security Function Responsibilities?

Security includes a number of responsibilities. These may be operational, keeping information and systems safe. They may be oversight, measuring how well security is being implemented. They may be policy related, the major focus of this class, which includes defining the rules that the employees and other external stakeholders are to follow when accessing or using the information assets of the organization.

Combining these all into one organization simplifies management a great deal but brings up a number of difficulties. Typically combining operational security with policy security leads to the policy part getting little attention. Tactical requirements always come first since they impact the day-to-day operations of the company. Justifying the overhead investment needed to do both is hard. Also having the oversight function combined with the implementation function can be dangerous. It can be difficult for oversight to work well when the people they are reviewing are part of the same organization.

I will provide a separate document describing how this worked at the Department of Transportation and some of the issues I wrestled with.

Summary

The important message that I would like to convey here is that it is important to not just think about the security function when thinking about its organizational implications. Too often security personnel are completely focused on operational problems or technical issues relating to implementation. This is understandable since normally the responsibilities of the position are much greater than the resources devoted to it; and also because the ability to completely protect systems is very limited so it seems we are continually with breeches.

In particular security management needs to take a broader perspective. In addition to looking downward and worrying about tactics and security implementation, security management needs to look upward in the organization and understand the goals of the company and the goals of their immediate and next level management.

Security requirements need to be articulated in the context of those corporate and senior management goals. This requires you, if you are that manager, to understand those goals well enough to map them into your requirements and plans. If you cannot explain the relationship then getting good decisions will depend on them taking the time to figure those relationships out. Generally that is not a smart approach.