Punlished at Government Technology
[Editor’s Note: This article is the second in a series that explores the CIO Support Services Framework in government.]
In Part 1 of The CIO Support Services Framework, I presented the six major components needed to support the public CIO in managing IT strategically and proactively. In this article, I will explain what IT best practices framework inform these six components and propose a structure for implementing it.
The six CIO Support Services Framework (CSSF) functions are distinct areas that require subject-matter expertise and need to be managed based on the various IT best practice frameworks. While I am not endorsing any particular best practice government or industry framework, below is a sampling according to CSSF functional area:
Enterprise Architecture (EA) — Federal Enterprise Architecture (FEA), Department of Defense Architecture Framework (DoDAF), and The Open Group Architecture Framework (TOGAF).
Capital Planning and Investment Control (CPIC) — Office of Management and Budget (OMB) Circular A-130–“Management of Federal Information Resources” and the Control Objectives for Information and related Technologies (COBIT) by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).
Project Management Office (PMO) — the Project Management Book of Knowledge (PMBOK) by the Project Management Institute is the de facto standard project management best practices from initiation through project closeout.
Customer Relationship Management (CRM) — the IT Infrastructure Library (ITIL) by the United Kingdom’s Office of Government Commerce (OGC) and International Standards Organization (ISO) 20000–“IT Service Management.” While both are very much operational frameworks, they can also be used to guide service and support at a strategic level in the OCIO.
IT Security (ITS) — the Federal Information Security Management Act (FISMA), various Federal Information Processing Standards (FIPS) from the National Institute of Science and Technology (NIST), and International Organization for Standardization ISO/IEC 17799 — Information Technology Code of Practice for Information Security Management.
Business Performance Measurement (BPM) — the Balanced Scorecard (BSC) by Kaplan and Norton from Harvard Business School — examines financial, customer, internal business process, and learning and growth measures for the organization.
Although each of the six main functional areas and their supporting best practice frameworks are unique, they can and will overlap, and it is imperative that the OCIO develop a simple and streamlined process for managing these, so that IT and business personnel are not confused or burdened by redundant or circuitous IT processes that hinder, rather than spur innovation and agility. For example, while EA planning guides CPIC IT investment decisions, those decisions inform the next round of EA planning — it is inherently cyclical. Nevertheless, we must ensure that the overall process flow between all six areas is as clear and simple as possible.
I like to use the example of a Monopoly game board as an analogy for how IT processes should ideally progress from “Go” all the way through — logically, and more or less sequentially — without project mishap, ending up on the OMB Watch List for risky IT projects, the equivalent of landing in Monopoly “jail.”
The CSSF provides the functional resources to fully support the OCIO and provide the capability to move from simply fighting day-to-day operational problems to strategically managing IT service provision, improving performance and increasing program and project success, through:
Each of these OCIO component functions is helpful in managing IT by providing the CIO the capability to better plan, invest, execute, service, secure and measure — but these are not stand-alone functions — they are all necessary and complementary.
An organization can have the best EA plan, but without the structured investment processes of CPIC, the plan will not drive, guide, influence and shape IT investment decision-making. In fact, I would propose that CPIC is an enforcement mechanism for carrying out the EA plan.
Similarly the organization can have a wonderful CPIC process for making IT investment decisions, but without a PMO to develop and enforce sound PM policies and practices, IT projects will continue to fail miserably. With an effective PMO, we will have more successful project execution, but without CRM to manage customer requirements and service and support issues, we run a very high risk of rolling out IT capabilities that the customer neither wants nor is happy with. Further, CRM will increase customer satisfaction, but without ITS, CIOs will not ensure the security of the information and systems that the users are depending on.
Finally, with ITS, CIOs will provide users for information security, but without BPM, will miss the opportunity to perform structured performance measurement and management, so that the CIO has visibility to how IT is performing in all areas and on an ongoing basis and can take timely corrective action as needed.
Most organizations either don’t do any of these CSSF functions well or they don’t do them all. The six components need to be executed together — the whole being greater than the sum of its parts. Further, I would propose that the six CSSF functions be implemented under the auspices of the CTO of the organization in order to centralize and holistically manage the functions in support of the CIO.
The result is that the CIO is better supported, without being overwhelmed, and the CTO has a clear mandate for strategically implementing the CIO’s vision for the organization.
Of course, one of the biggest challenges to implementing the CSSF is finding and allocating the needed funding to support these OCIO functions. IT operations tend to be underfunded already and stuck in the perpetual firefighting mode. Executives often fearf siphoning the needed money or people away from the short-term firefight to work on long-term strategy and implementation. This is a serious mistake!
Firefighting is a losing battle if you attack only the symptoms, but never address the cause or core strategic issues. Moreover, in the fast-paced technology environment of the 21st century, no IT leader can afford to be looking backward — managing legacy systems that do not leverage modern technologies, techniques and methodologies for information sharing, collaboration and business intelligence.
If you are spending close to 100 percent on IT operations today, is it really unreasonable to allocate 3 to 5 percent of this to strategy, planning and control? Of course, this needs to adjust when IT budgets get extremely large or small and as the complexity of the organization shifts.
As the prior chief enterprise architect of the U.S. Coast Guard and of the United States Secret Service, I have always been a deep proponent of EA and CPIC to drive better IT investment decision-making. However, now as the chief technology officer (CTO) of the Bureau of Alcohol, Tobacco, Firearms and Explosives, I more fully understand how the CSSF functions and interplay are needed for the CIO to perform effectively.
Clearly EA and CPIC are not enough to adequately support the CIO’s needs, and thus, they need to be extended with PMO, CRM, ITS and BPM. Moreover, these areas function best that function together for the reasons I mentioned prior — it’s a clear domino effect, where astute planning, sound governance, skilled project management practices, competent customer service, solid IT security and meaningful performance measurement are all necessary for the CIO to manage IT more strategically and effectively.??This is why I firmly believe that the CIO Support Services Framework is how we are going to have to manage IT to achieve genuine success for the CIO in the 21st century and beyond.
Andy Blumenthal is chief technology officer at the Bureau of Alcohol, Tobacco, Firearms and Explosives. A regular speaker and published author, Blumenthal blogs at User-Centric Enterprise Architecture and The Total CIO. These are his personal views and do not represent those of his agency.