Sunday, July 17, 2022

My CISM Journey - The True Value of Certifications

Certifications can be important for many different reasons. Perhaps you need a certification for a certain job or to be promoted. Or perhaps you have a commitment to continuous improvement. Maybe you just like collecting them like an alphabet soup Pokemon challenge.

My reason was different. I have worked in cyber security for decades. I have toiled in the trenches, built authentication systems, lived through breaches, sold infosec investments to budget-minded leaders, built cyber security teams, and most importantly led in the cybersecurity area. All while being a CIO or in a technology leadership role. Hell yes, I want credit for all that. So I decided to demonstrate all my competence by grabbing the Certified Information Security Manager (CISM) cert from ISACA, one of the two or three most respected cybersecurity certifications. Piece of cake. I know all this.

That's how it started. That is not how it ended. As they say, it is the journey, not the event.

The first thing I noticed was that the certification covered a wide range of material. Some of which I was not deep in. Whoops. No worries, I can read up on that and round it out. I scheduled the exam, studied up on that one area and took a practice test. I scored 65%. I will never forget that number. Imagine my horror. This is supposed to be material to validate my experience, not call it into question. 

I needed a new plan. I purchased recent editions of the recommended study manual. I like videos, so I subscribed to LinkedIn Learning (not an endorsement, just a fact) and listened to 13 hours and 8 minutes of Mike Chapple telling me what I needed to know. I organized my notes in OneNote, highlighted the exam hints, etc. That took over a month. Now I'm ready. Even Mike says I am ready, and Mike is the MAN. Another practice exam. This time I scored 75%.

What? I almost gave up at this point. With decades of experience and all these videos with this really smart guy Mike, and I still don't have a lock on this?

Being hard-headed is one of my traits. I hate to give up. I took a fresh look at the certification and realized something. The certification wasn't about validating my experience. It was about demonstrating my knowledge of the ISACA "way", which represents the industry best practice. It dawned on me that I was not as good with "industry best practice" as I thought I was. 

I invested in one of the "official" study guides. Read all 500+ pages of it, highlighting as I went. I also subscribed to an online testing service for exam practice, taking at least 4 simulated exams. This took another 3 months, all on personal time. 

My practice exams were scoring me in the 85% range. I thought I was ready, so I stopped delaying the online, home-video-enabled proctored exam and took it the day before a beach vacation, and two weeks before they were scheduled to change the content of the exam. No pressure. The at-home proctored exam experience should be the subject of another blog post. Hint: Proctor and Proctologist share more than a common root word in the ancient Greek.

So I passed. I cannot tell you how relieved I was. ISACA makes it almost impossible to tell how well you did. I don't think I killed it, but I did well enough. It was 5 months almost to the day from when I started studying.

What worked for me as I prepared was using a variety of materials. The videos helped, but they were not enough. The book was great, but didn't have the hints the videos did. The online testing was invaluable as a simulation of the exam, but didn't have background material. It took all of them to prepare me. 

I work in a shop where I am very fortunate to have a talented CISO and a great cybersecurity staff. I noticed along my certification journey that I started asking different questions and appreciating their approaches to problems. "You have been reading up, right?" is what one of them asked. This is when I started seeing my growth. 

My mistake was in thinking I had nothing left to learn. I learned a ton in this process and I started applying it before I passed the exam. My employer, my staff and my customers have noticed the difference. As a leader in IT, ask yourself what role certifications play in the development of the people that you lead. 

Growth is the true value in certifications. Not validation. It took me 5 months to figure this out. It all starts with a commitment to professional growth. If you have to ask yourself if you really need to get a certification, then you probably don't. If you ask yourself about whether you need to grow in your career, then certifications should be part of your journey. 

Sunday, April 5, 2020

I Had a Plan

"Everybody has a plan until they get punched in the mouth."

- Mike Tyson

On Sunday March 1st I was on a train back from the NACo conference in DC. Great conference, lots of helpful cyber security stuff. Beautiful day on the train. The pandemic was just sort of on the horizon. I saw one person in the Union Train Station with a mask. No gloves. Lots of other weirdness (normal for Union Station), but little concern.

From the train I reached out to a few people and said something to the effect of "hey, we should probably talk to other local government CIOs about preparing for this pandemic thing, in case it becomes a big deal." 

Alan Shark and Dale Bowen at the Public Technology Institute / CompTIA agreed with me and took me up on it. I talked to some other CIOs and checked all my message boards. We did a webinar in about a day and a half about how to prepare, how to make a plan, what to expect. I did a blog post to summarize it, gave lots of advice. Very sage of me. It was sort of like Evander Holyfield telling people he had a plan for defeating Mike Tyson. This is where the above famous quote from Tyson comes from.

I would have been better off advising people to go out to eat and get a haircut while they still could.

Mike Tyson was expressing what military strategists have said for hundreds of years. No plan survives first contact with the enemy. Look up the quote by Prussian field marshal Helmuth von Moltke the Elder if you want a classy version of this. Sun Tzu probably said the same thing. What Tyson and Helmuth were expressing is that the plan isn't the point. The point is how you react when the plan goes south, and every plan does go south at some point. So you "planned" on an orderly distribution of laptops as employees were sent home in dribs and drabs as the situation perhaps worsened. How did you react when the word came down overnight that EVERYONE was to stay home? 

I received a spam email from a vendor during this crisis that really set me off. His point was essentially that I would be remembered by how I reacted during this crisis, and anything other than to use his products would tarnish that. Let's just say I reacted negatively to his email.

But, I think he was more right than he was wrong. I think our localities, not individual departments, will be remembered for how we reacted during this crisis.

Think about this from a local government technology leadership perspective. We are well positioned to react to this, after we got punched in the face. We are used to dealing with demanding users. We are used to doing more with less. If telework (so necessary now) exists anywhere in the local government, it is in the IT department. Stay home and work, you say? No problem. Been trying to sell telework for years. New business processes? We have been creating these on the fly for years. Not enough laptops? Well, we know where the laptops (and bodies) are buried. Gonna need you to work long hours... Yeah well, how do you think all those enterprise projects and weekend roll-outs happen?

Not that this has been easy, it hasn't. IT staff have worked and worked and worked some more to keep the services flowing to the customers that can help our citizens. But at least we (the IT folks) are wired for it. We know what to do, and we are getting it done. I have checked in on over two dozen local government CIOs via phone and message boards, and they are all stepping up, being leaders, executing.

So remember, you (the technology leader in local government) make it look easy because you are really good at what you do. We all got punched in the mouth, and we reacted well.

So what do we do now? That will be the subject of another blog post. Here's a hint: transitioning back to any kind of "normal" in the local government offices is gonna be a real bear. Let's hope we can work with local government leaders to plan this a bit more, and maybe not get punched in the face quite as hard.

And (shameless plug) check out my podcast with Alan Shark on the CompTIA feed, should be up in a couple of weeks. More sage advice and reflections. Stay well and wash those hands, people!

Monday, March 2, 2020

Pandemic Planning - CIO Style

Technology leadership is never easy. During times of crisis planning and mobilization, it is even harder. Expectations have never been higher for CIOs to enable the business to deliver services. So take a deep breath, relax, and read on.

The largest responsibilities of a municipal government during a pandemic are to continue to provide existing services and to provide for emerging citizen needs related to the pandemic. So for CIOs the question is how best to support the organization during this unusual time.

"Social Distancing" will influence your plans to a large degree. At scale, and in a worst case scenario, employees may refuse to come to work. Citizens may refuse to come to city hall. Air travel may have to be suspended to certain areas of the country. These are all areas you can prepare for.

No magic bullets exist, but there are some things the CIO can do to make the situation better. My focus is on local government technology leadership, but regardless of your industry I hope you find this helpful!

Get Plugged In & Start Early
No municipal planning for a pandemic response can be complete without the technology and risk management folks at the table. Find out who is organizing your locality's response, and invite yourself to the meetings. Be a pest if you have to. Don't assume they will call you when they need you. You can begin by getting your IT staff together for a discussion. There is a good chance that whatever you plan for won't come to pass. Even if you don't need it, the planning exercise is productive. Make sure you document, document, document so that the next time this comes up you are that much better prepared. Remember that disasters have a way of happening more than once.

Vendors - Better Together
Think about the vendors that might help you the most: your suppliers for PCs, internet bandwidth, server equipment, telephony and cloud facilities. Ask them what they are hearing. Tell them if you may have purchase orders on the way to them. If you have a small staff, find vendors to help you with implementing strategies.

Dusty COOP Plans
Most COOP plans are not up to date. Face it, COOP isn't something most of us do well. But the COOP plans do hold some value, so don't just disregard them if they are old. Make notes along the way about what needs to be improved. Review the COOP plans for the impacted business units too, not just your IT function.

The Money Game
I can tell you after one planning meeting with my folks, a pandemic technology response is not cheap. Get in front of the money people early, and often, even if you don't have solid numbers. Guess, estimate and use your judgement. Be aware if your locality enacts "emergency procurement" rules. Get purchase orders entered/approved/signed before you need them. Your CFO or budget director should be high on your list of people to coordinate with.

Can We Talk?
Don't forget about voice communications. Conference calls, bridge lines, cell phones, call forwarding and other services will be in high demand when employees start staying home to work. Think about where your largest call centers are, and how they might be managed remotely. When citizens stop coming to city hall, how do you bring city hall to them? Unless you have all your services online, the solution will involve voice technology.

Now is not the time to introduce risks into your organization. Don't throw your security policies out the window; you need them now more than ever! Scams and crooks will take advantage of the emergency. Make sure people who are new to working remotely know the basics of how to stay secure and how to treat confidential information. Boil it down into a simple document for them and make them read it. People are always the weakest link in the cyber chain, and you cannot afford to have that chain broken during an emergency. Unless you have weeks and weeks to plan a response, don't try for a moon-shot with what you are trying to implement. Converting 2,000 employees to Office 365 as part of an emergency response is not a good idea.

Set Expectations
Tell your municipal leadership what they can expect from you and your department. Be clear about what you need. In many cases it may just be to have someone make a decision! Meet internally first and let your folks weigh in. In my first meeting the desktop manager was able to tell me how many employees already had laptops; that was really helpful. Another employee brought up concerns I would not have thought of.

The Whole Pie
Think about all the parts of the puzzle. If it is a mass-telework event, then consider the endpoints and how you will use your tools to manage them. Do you have a policy that will help with employees using personal equipment? Is your WAN link to the internet sized for this? Can your firewall/IDS/IPS support more bandwidth? If you need to run an information campaign, who can make quick changes to the website? Do you have the web masters that you need? What about remote clinics, do you have the ability to connect them? Make sure you attend and stay active during the municipal planning meetings, always asking yourself "what technology do they need to do that ..."

If you have processes for on-boarding employees for VPN access, multi-factor authentication, loaner laptops, web site changes, MiFis, etc., make sure they are easy to follow. Put documents that need to be signed where people can easily find them online. Poorly written procedures and service descriptions become a nightmare when scaled to lots of people using them at the same time.

Rearrange Staff
Unusual events like a pandemic may put pressure on certain parts of your organization. If the event places pressure on your helpdesk, desktop or customer relationship managers, plan to move staff around to fill in the holes. Be up front with people that it is a temporary assignment and that everyone has to abide by "other duties as assigned", assuming there isn't an organized labor restriction on this.

At some point, you will need to make a plan to "return to normal", which may be harder than it seems. Employees may be burned out and need some time off. Users with new laptops may like having them at home and be reluctant to return them. Contact the vendors and thank them for their response, or castigate them for the lack of one. By all means, make sure you do an after-action and learn from the experience!

Monday, November 11, 2019

IT Compliance - It's what's for dinner.

NOTE: Please excuse the format of this, it is from my speaking notes for the Public Technology Institute Fall 2019 CIO Leadership forum. I was asked to speak, briefly, on IT compliance. I figured what the heck, make a blog post out of it.

Managing IT Compliance Policy and Privacy

IT Compliance can be an enabler and help you deliver better service to your customers. See if you still agree with me by the end of this chat.

QUESTION: When you hear the word "compliance" what is the first thing that pops into your brain?
Penalty. Internal Audit. Standards?

Government is the most highly regulated industry of all. Because we have the most lines of business, it stands to reason we will have the most compliance to worry about. And, because our funding is not our own, we have compliance efforts because we are just the stewards of the resources. Those are two of many reasons why compliance is important to us.

Consider as we go through these challenges whether a particular compliance activity is elective, or mandatory.

So I have three primary challenges for us to consider and some thoughts on how to handle them.

Support for IT Compliance Efforts
Part of the problem here is that the workforce and the government leaders you deal with don't understand the WHY of what you are trying to do with compliance. They get the WHAT and they get the HOW. Always start with why! And, don't pull a mom on them and say things like "Because we have to…".

Most bureaucrats understand compliance, in their own area. Talk to an accounting director about GFOA, GAAP standards and GASB. Tell them you can't meet a certain GASB standard and watch them pucker up.

The good news is that everyone in leadership is in charge of compliance with something. Leverage that! It can help move initiatives.

Example: the AUP (acceptable use policy) that everyone in my locality has to click through before they log on to the county network, mandated by Virginia elections infosec standards. It was important for county leaders to know it was a reaction to a compliance need, for elections. Put it in terms they can relate to, get out of your office and communicate it, use your personality, and they will support you whether it is an elective or mandatory compliance effort.

Compliance in a fast changing technology world
Compliance used to be simple before smartphones, clouds and distributed networks. As we have adopted technologies that have pushed the "edge" of computing out to the end user over lots of networks, compliance has become tougher. Distributed technologies were not created to enhance our ability to be compliant, just the opposite.

Compliance is one of those functions that you have to work into the culture of technology change. We all have a distinct culture for technology change. You might be averse to it and slow to adopt, or you might find value in being an early adopter. Either way we consider a great number of aspects of the technologies when we look at them for adoption. Impact on data. Cost implications. Customer expectations. Education needs. Alignment with strategic plans.

QUESTION: Who takes care of IT compliance in your department? 
If you don't have a name to answer that, or at least a group, you have a problem. 

When we adopted Office 365 we reviewed the list of compliance standards, there were like 50 of them. I remember asking the question "how do we know that's all we need? What's missing?" It was crickets, no answer.

Make sure someone is in charge of understanding both the compliance side of the house and the technology changes, and have them advise you. In small shops that might just be you. Remember this may be a good thing for you and drive adoption of new products. AirWatch was purchased by my locality primarily because we had a compliance need, now it drives a lot of efficiencies for us.

Tension: Compliance/Privacy and Openness/Transparency
I've always been fascinated by the yin and yang of privacy & transparency in government. Government is supposed to be very transparent with the way we conduct business and spend the money that is entrusted to us. At the same time we are supposed to protect the privacy of the users of much of that money and exactly who it helps. How are we supposed to balance this? Think about it like this: for an individual piece of information (report, request, business transaction), what is the default level of openness? Two types of organizations:
Information closed/restricted by default - Open by exception (or need).
Information open/available by default - Closed by exception (or need).

QUESTION: Which are you? Do you start with yes and look for a reason to say no? Or do you start with no and ask to be convinced of a need?

My position in my IT department - Calendars, SharePoint Online sites, meetings are all open by default. Make them private when you need to. I think we can all agree that government should be open and transparent while protecting the privacy of citizens. It is a lot easier to adopt "open by default" when you understand your compliance responsibilities, and have addressed the first two concerns from above.

Compliance can be an enabler of IT initiatives and help you deliver better service.

Wednesday, August 21, 2019

Adulting - CIO Style

I love the Urban Dictionary. I'm not sure why, I guess it makes me feel hip to read through some of the posts. I have contributed a few along the way like the term "Camel Up", my proudest moment.

The Urban Dictionary defines "adulting" like this. I like the part about being a fully developed individual.

Recently I was in a difficult steering committee meeting for a major enterprise project. After the meeting one of my staff members complimented me for my adulting skills. I thought that was odd, and it gave me pause to think about what it means for a CIO to act like an adult.

Don't Match People's Emotions
We all know them. The people that keep ratcheting up their gravitas and stress when things don't go their way, or they disagree with a position. I think about when kids throw tantrums, and adults throw tantrums in response. This is not just matching emotions, it is validation of the emotional response. Sure, understand them, even empathize with them, but don't validate them to the point that they think a tantrum is acceptable behavior. Stay calm, keep your voice calm, have relaxed body language. It tends to frustrate the hell out of people, and that makes it a bit fun (guilty pleasure). Others will take their cues from you.

Don't Take Bait
"Well, we know IT can't deliver the product on time, despite the rosy schedules, so let's spend time developing contingency plans" - said the customer who wants to bait the CIO into over-reacting, and in the process of doing so, agreeing with them. In all likelihood, the customer probably knows they can't make the schedules work in their own department, and they are trying a classic deflection technique. Focus on the big picture, don't get defensive, smile and suggest that with a project as important as theirs, risk planning for all the partners in the project is important.

The Big Picture
It is very easy to get mired in the details. Part of being the adult in the room is keeping in mind what lies at the end of the road. Start with the "why", keep people focused on that. Never miss an opportunity to point out how the staff's actions contribute to the journey.

Don't Eat The Twinkie
I love Twinkies. All time best bike endurance race food. Put a Twinkie on the table in front of a kid and tell them if they wait 10 minutes to eat it, you will give them TWO Twinkies. You will see what kind of impulse control they have. As the adult CIO, you have to leave the Twinkie on the table. Don't invest time in project scope changes without solid, solid justification. Don't overreact when staff bring you problems. Don't panic when key staff members resign. Don't take the first offer from the vendor in contract negotiations. Don't be impulsive.

Being the adult is hard, but someone has to do it. Sometimes there might be only one adult in the room; just make sure it is you! Now, gimme that Twinkie ...

Friday, March 9, 2018

Leadership Lessons From My Dog

Okay, so my wife and I have a dog. This is different for us. I've never had a dog before. I wasn't anti-dog or anything, I was more ambivalent about them. It is funny how fast I went from being dog-indifferent to being a dog-lover!

After years of talking about it, thinking about it, researching it, being encouraged to do it, we got organized and located a reputable breeder of West Highland Terriers (aka Westies). That is a whole other blog-worthy experience. We tried to adopt a rescue Westie, but got tired of waiting.

I am the type of person that looks for inspiration in the ordinary parts of life. I spend a lot of time with my dog, Chester the Westie (#ChesterTheWestie). We walk a lot, play a lot, etc. I've observed some things about him that I can relate to, and being a technologist and leader, I draw some lessons from this.

Your viewpoint is not the only one that counts.
So when I look down the street I see certain things. When Chester, who is much shorter, looks down the street, he sees something very different. It is a valuable viewpoint. He can look under cars, under bushes, into pipes and down storm drains. How many viewpoints do you consider when making decisions? Is your view the only one that matters? As Col. Beak Howell (retired Air Force) used to say, "where you sit determines what you see". Technology leaders need LOTS of viewpoints.

Don't bark at everything.
Chester is a terrier. A very cute terrier, but a terrier nonetheless. They are a bit barky as dogs go. I like Chester to bark when folks come to the door. I do not like it when he barks at leaves in the yard, or his reflection in the sliding glass door (although that is really cute). Knowing when to bark, and how loud and how long, is a tough tough thing to teach a dog. It is even harder for us as leaders. If you bark at everything, loudly and at length, your organization will ignore you and avoid you. Choose your barking wisely and make sure you wag your tail more than you bark.

Puppies change rapidly.
When Chester was 8 weeks old, he changed almost daily. He did new stuff, learned new tricks, and found new and inventive ways to be cute. He never stayed the same. Now that he is 11 months old, we still work with him to learn new things. Dogs love learning new tricks, just love it. The focused attention they get from us in the process is what they crave. That is what we should be after with our employees. Constant change, constant improvement, continuous learning. Technology is constantly changing, and we need to encourage people to change too. Your people will love the fact that you want to invest in them and help them grow and develop in their careers.

My dog has more friends than I do.
Chester goes to "doggie day camp" twice a week. He plays with other dogs, like a lot of dogs, for 8 full hours a week. He has friends in the neighborhood he plays with on walks. He LOVES to meet new dogs. There are absolutely no dogs he won't sniff, circle, and play with. My dog is a lot more welcoming than I am. When Chester meets a new human, he rolls over on his back for tummy scratches. Automatically. He is being vulnerable when he does that. Chester sets a great example of being welcoming and inclusive. You want people to trust you and follow you? Be vulnerable. Want more friends? Set aside time for play, and stop working all the time.

Amazing what a dog can teach you! Hope you have enjoyed this. This post is approved by #ChesterTheWestie.

Friday, March 2, 2018

Innovation - Plant Your Garden Well

Innovation is a big topic in civic circles these days. Creating value out of new approaches and ideas is at the heart of this. But first, an interesting example of innovation.

The picture below is of bio-sensitive tattoo ink. Imagine not having to sample your blood to see the glucose level; just look at your tattoo and it will tell you by its color if you need insulin. Or if you are dehydrated. Or if your white-cell count is up. Or any number of other indicators. Just one example of innovation I came across recently.

Such a buzzword, Innovation. Means so many things to so many people. Can't live without it, can't be a successful organization without it, gotta have it. In local government we won't be designing bio-reactive tattoo inks, but we can have equally impactful innovations that help thousands of people.

I gave the keynote address at a lottery tech conference in October, and this is what they wanted to hear about. It gave me a great chance to get my thoughts together on the topic.

So what exactly is innovation? Ask ten people, you will get ten ideas. This isn't like project management where we can summarize the project by scope / schedule / budget. Innovation strikes a chord with many people, not always in a popular way. The first challenge is to get everyone on the same page.

I like to think of innovation like a vegetable garden. You don't just throw seeds into a weed patch and shout "GROW". You have to spend time preparing the ground. You have to get the soil right. You have to water it. You have to till it. You have to keep the critters out of it. All of this has nothing to do with what is planted, but it has a lot to do with how well things grow. A properly prepared and cared for garden will grow an amazing variety of vegetables.

I cannot drive innovation by telling people "hey you, go innovate and do some stuff" any more than a seed will grow on its own. It doesn't work like that. The correct culture needs to be in place. Preparing your organizational culture is sort of like preparing the garden.

Companies have made fortunes by helping organizations determine what innovation is, and what it means to them. I've spent some time over the last year looking at this. I am convinced that our capacity for innovation will grow as our culture grows and changes, as we till and prepare the soil.

Over the next blog posts, I will lay out for you the following:
  • The Myths - Stuff you will hear people say about innovation, where it may be misguided, and how you can deal with it.
  • Innovative Culture - The three things you need to focus on to have an innovative culture. Will be three separate posts.
  • Obstacles to Innovative Cultures - Here is the stuff that gets in the way of innovation.

So, stay tuned. More is on the way! Nothing like a goal and a commitment to incentivize me to keep up with the blog.