Oversight in the Federal Government – The Underutilized Part

One of the things I learned during my time as the Chief Information Officer at the US Department of Transportation is that one of the core competencies of the Federal Government is looking over someone else’s shoulder, that is, the provision of oversight.

The CIO has three major organizational best friends providing helpful advice. First, there is the Office of Management & Budget (OMB), which has the added lever of having a big impact on how much money you will potentially get in your budget in coming years. Second, if you are associated with a big program, and at DOT there was always something going on at the Federal Aviation Administration (FAA), which was a big program, then the Government Accountability Office (GAO) got involved. Often, by the way, how OMB rated programs and how GAO rated programs were slightly different, so fixing for one did not always fix for the other, but that is another story for another post.

And finally, there was the Office of Inspector General (IG), internal to the Department. IGs investigate many things, but one of their required areas of focus relates to how Information Technology is provisioned within an agency or department.

The reason this is on my mind starts with a report written by WFED’s Jason Miller, about a recommendation by the Council of the Inspectors General which suggested changes in how to measure the quality of cybersecurity implementation (I was interviewed briefly by Francis Rose, who does the WFED in-depth afternoon show, about the recommendations).

By the way, the phrase Inspectors General is one of those great two-word combinations where the plural comes in the first word not the second, which is, for reasons I am not sure I can explain, appealing to me. In retrospect, I have a tiny bit of regret not to have gone to Johns Hopkins University, where, even though I guess it is only one Johns, it still sounds like the first word is plural. Such is the working of a not always focused personality.

The suggestion by the Inspectors General itself is pretty interesting, recommending that the Federal Government move to a security maturity model, which I think is an excellent idea (again a topic for a future post). But what was really interesting to me was that the Inspectors General as a group had collectively put together the recommendation. It is not obvious that during my time at DOT such a group action would have been likely to happen.

One of the lessons I learned, too late to be of as much use as it could have been, is how useful these oversight organizations could be, especially the Inspector General’s office. While there is of some necessity a bit of an adversarial role (after all, I had to twice testify on the Hill related to IG reports, not my favorite experience), if handled correctly the oversight reports had great value in leveraging the rest of the organization to cause change which otherwise would not occur. Even if no one wanted to listen to the CIO’s office, avoiding a really negative report by the IG could cause actions to happen that had been avoided, often for years.

A problem that would arise, however, was when different oversight groups provided different direction. This was true when GAO and OMB (or the IG) disagreed. It was also true when the IG at one department disagreed with the approach by the IG at another. However, when the IGs provide a collective direction, it sends a much more powerful message. It also makes it easier to tell other parts of your Department that we had to listen since it was going to be treated consistently everywhere.

A good step by an often overlooked part of the Federal Management landscape.