For those of you are are thinking of becoming a political appointee or wonder about the process, it is worth reading.

In December, 2008, I wrote a column about what I learned from personally being a political appointee in President Bush’s Administration for FedScoop, http://fedscoop.com/2008/12/lessons-from-a-political-cio/.

I thought it might be useful to repeat it here:

“As one of the chief information officers who was politically appointed and thus will be out of a job January 20, 2009, I have been reflecting on the lessons learned that I might pass on to the CIOs who will have a chance to serve in the next administration. Perhaps a few of these thoughts may be useful to any political appointee.

I mention six of them here. I suspect given time I could come up with many more.

First, respect, reach out, and work with the career staff that report to you at the agency you serve. You will find them dedicated, caring, competent, and tremendously hard-working. You will learn much from them, and it will be only with their support that you have an opportunity to accomplish great things.

One of the real values that a political appointee can bring is to provide broad-based support (“high air cover”) for those career staff who want to cause change but are not empowered to do so. When you can use your connections to the departmental political leadership to provide that support, take advantage of those relationships.

Second, remember that political appointees can never speak in a whisper. A truly wonderful professor, Shelley Metzenbaum of the University of Maryland, who has done work supporting the Department of Transportation, provided me that insight. I have never forgotten it though sadly not always kept in mind. The point is that I have found that most career staff very much want to be as supportive as they can. However, if you are not clear in what you want accomplished, or if you are like me and think out loud, you will unintentionally provide inconsistent and confusing direction, especially until your staff gets used to how you operate.

Third, participate in the various groups that exist within the government to allow the exchange of information. These include the federal CIO Council and perhaps more importantly the committees associated with the Council. Also participate in those groups set up to allow information interchange between the Government and their partners including ACT/IAC, AFFIRM, ITAA/AEA/GEIA, and NAPA. If nothing else, you can learn what all of these abbreviations and acronyms mean and be entertaining at cocktail parties and other events. By attending and perhaps speaking at these meetings, you will meet truly interesting people who will provide advice that will make your job easier.

Fourth, learn to accept that you will not get everything done, and therefore make the hard decision to prioritize. If you have never been in public service before you will find that unlike the private sector where the goals are fairly simple and the stakeholders relatively consistent in their interests, the opposite is true in government. Private company goals are generally to make more revenue and/or reduce expenses. In the public environment, the goals are less distinct and more complex. Your many bosses on the Hill, in the White House, among the public, and within your own organization often will provide contradictory and ever-changing direction. Try telling a congressional committee or the inspector general that their issue was a low priority and let me know how that goes for you.

Fifth, reach upward as much as you can. The CIO position within government is often or even completely focused downward toward technology optimization. While this is important, the real value you bring is in enhancing your organization’s mission by looking upward. One clear emphasis of the next administration — on social networking and the use of the Internet — will provide new opportunities to make IT useful in enhancing the interaction of the government with the American citizen and other key external stakeholders. Seize the opportunity to be supportive of such efforts — become an Internet gardener.

Sixth, and finally, have fun. I can honestly say that the last two-plus years have been the most enjoyable and rewarding time I have ever had as a professional. I would not have traded one minute — well maybe one or two — for anything. You will have the opportunity to have great consequence at a place that itself has great consequence for the American public. Enjoy it and pass on that feeling to all you work with.”

The theme of the conference was Lowering the Cost of Government with Technology though the panel’s comments ranged from cost issues to government 2.0 and social networking to cyber-security in general.

The panel was moderated by Chris Dorobek, the afternoon co-anchor for WFED. The other panelists included Vance Hitch, the Department of Justice CIO, Pat Howard, the Chief Information Security Officer, CISO, for the Nuclear Regulatory Commission, Dr. Ron Ross, a key figure in defining security requirements and policy at the National Institute of Standards and Technology, NIST, Gary Galloway, the Deputy Director for Information Assurance at the Department of State, and Rue Moody, the Director of Strategic Technology at Citrix.

I was called on first after the introductions to frame the conversation based on the pre-meeting discussions the panelists had held. I discussed four issues.

First, there is an inherent conflict between data sharing and data protection. In my opinion, you cannot do both perfectly. Even though almost everyone will take the position that you will have to pay attention to both, it is important to pay attention to which way you lean and why and the implications. I noted how impressed I was towards the end of the last administration, when Mike McConnell, then the Director of National Intelligence, DNI, talked about if he had to take some security risks in order to increase the ability to share information within the Intelligence Community, he would. I am sure that I am not capturing the nuances of his talk, but the messaging was very powerful. It is a position that those who know me recognize I agree with very strongly.

Second, security is difficult to measure and more importantly there is little agreement among security experts as to what metrics to use. This is a particular problem for those agencies and departments who do not have security as part of their day job.

What I mean by that last sentence is that those departments who have security as part of their primary mission have a great deal of day-to-day experience in making tradeoffs involving security spending. Even if the rationale for decisions is merely experiential as opposed to quantitative, over time senior management gets to be fairly experienced at making these kinds of decisions.

For most civilian departments and agencies this is not as true. Trying to decide if taking money from safety inspections, which might be an agencies primary mission, and spending it on cyber-security is a difficult decision to make. Without defined metrics the likelihood of making the correct decision isn’t very high.

I was heartened in reading recently about the establishment of a Security Metrics Task Force by Vivek Kundra and the Federal CIO Council, http://it.usaspending.gov/?q=content/blog, chaired by Vance Hitch, who discussed this during his remarks at the panel, and Rob Carey, the Department of the Navy CIO.

Third, it is hard for people in large organizations, especially governmental organizations to prioritize; that is, to implement the results of risk analysis. The fundamental reason is that prioritization requires someone to decide to work on one set of requirements and thus to NOT work on the rest of the requirements. Few, if anyone, wants to be the person who is associated with the latter decision, the not work on part. If anything bad happens that could be associated with a requirement that is in the lower set of priorities, that will get extra attention from the various oversight groups that look over the shoulders of IT providers in the Federal Government. As someone who had the pleasure of testifying on the hill I can promise you it is not a goal for most people.

The end result is that often organizations try to do everything and thus end up doing very little of anything.

Finally, I noted that the general overemphasis on protecting the end-points of networks is starting to be balanced against the need for creating systems that are resiliant and have high-availability. Obviously, it would not be a good plan to ignore investments in protection against bad guys getting into networks. But it is equally important to recognize that regardless of the level of protection built into an architecture, at least some bad guys will get through. Therefore, it is also important to think about how to make sure systems stay up and running with protected data even while a system has been otherwise penetrated.

As hard as it is to build in protections and to measure the results, it is harder still to do the same for regarding building resiliant systems. Thus the greater emphasis on protection first, which i believe still needs to be adjusted further.

One point which I didn’t make as well as I would have liked at the Conference is the fact that security has both positive and negative cost implications. It can be positive if there is greater standardization which tends to lower support costs and can do so dramatically if done well. It can be negative if there is no clearcut methodology to making investment decisions. Without associated risk management and security metrics, security spending becomes an endless investment with no well-defined result.

Many thanks to Goldy Kamali for inviting me to be part of the panel and for putting together a great conference. Everyone who missed it missed some great discussions and networking opportunities.