Fact: In marking its five-year anniversary earlier this month, the Department of Homeland Security released a fact sheet touting the department’s accomplishments in that time, including “establish[ing] the Computer Emergency Readiness Team (US-CERT) to provide a 24-hour watch, warning, and response operations center, which in 2007 issued over 200 actionable alerts on cyber security vulnerabilities or incidents. US-CERT developed the EINSTEIN intrusion detection program, which collects, analyzes, and shares computer security information across the federal civilian government. EINSTEIN is currently deployed at 15 federal agencies, including DHS, and plans are in place to expand the program to all federal departments and agencies.”
Analysis: I’m not going to write, in this post at least, about US-CERT and EINSTEIN in particular. I will point out that some writers have been skeptical of “Big DHS” progress on cyber security up to now, and the anniversary was an occasion for much cynical commentary.
Charles Cooper in his popular Coop’s Corner blog on CNet wrote that “when it comes to network security, DHS appears to be more of a wet noodle than even its sharpest critics assumed… Talk with security consultants and former government officials involved with DHS and you come away wondering what these folks do all day.”
I wouldn’t go that far, and even Coop acknowledges that “The government-led effort to shore up the nation’s cybersecurity still remains a work-in-progress,” which leaves room to run for people like newly-appointed National Cyber Security Center director Rod Beckstrom.
In response to my recent post about Rod and his published thoughts on the value of decentralization, I got an email from a reader, well-placed within the DoD bureaucracy to have witnessed many foibles of centralized IT management, asking the following:
Do you think IT organizations in general can be (or should be) centrally managed and still be innovative at the same time? Do you think we get it right by consolidating all IT resources? Or do you think we [therefore lose] some of our ability to be innovative in our enterprise consolidation efforts? Would like to get your unbiased opinion.
I’ve written about the balance between smart central enterprise planning, and innovation before; I do believe that the one can lead to the other. It ain’t necessarily so, of course, but the alternative (anarchic or polyarchic autonomy) is just way, way too messy and expensive from an enterprise standpoint – especially in a government setting, where regulatory and budgetary concerns are enormous.
So how do you balance? I am a big believer in “IT Centralization” and yet also a big and firm believer in “Innovation Decentralization.” Not that paradoxical, as I’ll sketch briefly….
The following activities can and should be successfully centralized, given visionary and consistently determined (i.e. “strong”) leaders:
Infrastructure design and provisioning
Network design, provision, management
Data centers design, provision, management
Back-office systems (HR, Finance)
Commodity hardware choice and purchasing
Utility/middleware software choice and purchasing/licensing
Information Security (including architecture, all IS/IA systems, patch management etc.)
Data architecture and metadata standards
SOA design and governance
Provision within SOA of a rich set of services on a flexible user-friendly development platform (as examples, think PopFly, Silverlight, AJAX, Ruby on Rails, etc.), with easily-learned code libraries and gadget-tools.
I believe that if the former are all done in a determined way, and I mean DONE not just talked about, then you have the opportunity for the following: total decentralization of everything else.
One valuable product of that list, if it’s done well, is essentially the creation of “Enterprise Cloud Services.”
To continue, I believe that the following activities should and can be controlled in local fashion, i.e. by end-users and distributed business-unit leaders (you can read that in a DoD context as extending down to individual soldiers or intell analysts, frankly):
- Autonomous development and management of dynamic combined-services “systems”
- Creation of any end-user “tools” (using a Software + Services approach)
- Collection and tending of any user-specific data; given #11 above, this will allow enterprise-wide or network-wide discoverability of all data, but end-users will “manage” the data they care about
- Bandwidth allocation on dynamic basis (prioritization delegated to local or unit managers in managed-voting schemes)
The latter list, I could go on and on with… but you get the point. In general, I think a well-run cost-effective centralized enterprise can provide a really flexible and powerful platform for the periphery to “innovate” on.
In some ways, you do it so they never know the difference, those creative types at the edge; they may even think they’re being very rebellious and whipping up their own solutions, when in fact they’re using enterprise-paid-for software platforms and an enterprise “Cloud” of services to assemble them. I honestly believe that any COCOM J2, for example, would be happy not having to worry about where the servers are, or if they’re hot, as long as he/she can pull the data needed in an immediate way and see it correlated with some other data feed or plotted on a navigable map, all to his or her own liking.
(I like saying “he or she” because one of the smartest J2s I ever met was Gen. Mary Legere of US Forces Korea, now assistant deputy chief of staff for intelligence, Multi-National Force–Iraq.)
This overall schema — strong central management enabling common-platform innovation anywhere — was our guiding principle while I was at DIA, and while we never achieved all of it, we were certainly well on the way to putting the major pieces in place by 2007 thanks to a great CIO, Mike Pflueger (who himself moved on to SAIC).
Filed under: Government, innovation, Intelligence, Microsoft, R&D, Technology Tagged: | 2.0, AJAX, back-office, budget, bureaucracy, business, CERT, Charles Cooper, cio, cloud, cloud computing, cloud services, cm, CNET, cocom, cocoms, code, configuration management, Coops Corner, cyber defense, cyber security, cyberdefense, cybersecurity, danoviz, data, data centers, datacenter, datacenters, Department of Defense, development, DHS, DIA, DoD, e2.0, EA, einstein, enterprise, Enterprise 2.0, enterprise architecture, finance, gadget, gadgets, Government, hardware, Homeland Security, information assurance, information management, information security, infosec info sec, infrastructure, innovation, Intelligence, intrusion detection, iraq, IT, IT management, j2, korea, management, Mary Legere, mashup, mashups, Microsoft, Microsoft PopFly, Mike Pflueger, MNF-I, NCSD, network, network security, networks, operations management, ops management, patch management, Pentagon, pflueger, PopFly, programming, R&D, Rod Beckstrom, ROR, Ruby on Rails, S+S, SAIC, service-oriented, services, SOA, software, software plus services, south korea, tech, Technology, USFK, web, web services