Design Thinking and Business Process Redesign in Enterprise IT
Everything we do in government is all about achieving quality service delivery to our communities. A lot of that can be achieved through design thinking and business process redesign, but it can often be a challenge when you have a team of people who were never empowered to think outside of the transactional box. Mark Wheeler sees this as one of the biggest responsibilities he is called upon to take on as Philadelphia’s CIO. Possessing years of GIS-related experience, Mark brings a passion for innovation, as well as the top-notch leadership, communication, and planning skills that all IT leaders need to have. He now joins Abhijit Verekar to share how he and his team are navigating the challenge of finding technological solutions that work to improve service delivery in their massive jurisdiction.
My guest is Mark Wheeler from the City of Philadelphia. Mark is the CIO. It’s a pleasure to have you, Mark.
Thank you. It’s a pleasure to be here.
As I was doing research for this show, LinkedIn is such a good tool and I was on there on your profile and what struck me is you don’t come from an IT background. Your world is zoning planning and GIS. It’s related. Tell me, what’s your story? How do you find yourself in this chair?
It’s an untraditional path to a CIO position. I started in the waste management field. I came out of college and was enthusiastic about the environment. I had focused on environmental science as an undergrad and helped my university set up its first recycling program. This was in the late ’80s. I graduated in the early ’90s and ended up getting this job later on in my twenties. Once I could articulate a vision for myself and build up some professional skills, I became a waste prevention specialist for the Hudson Valley Environmental Management Council, which was part of the greater Cornell Cooperative Extension system. This was funded by nonprofits so it was a grant-level position.
I moved from Michigan for a salary of $19,000 and scraping by for a while. What was great about that is I was on the cutting edge of everything that we call sustainability and innovation. It wove these ideas of we’re not going to focus on recycling as a government any longer. I was serving multiple counties, it wasn’t just for Dutchess. It was this mid-Hudson Valley region and there was a group out of New York City that had provided some of the seed money. They were called INFORM. They help set the framework for this that was preventing waste at the source and thinking about an economy that can reuse its waste materials as feedstock. It’s one of the most important policy decisions that we can actualize. We need somebody to be able to help do this. I focused on businesses and colleges.
The way that I get into IT is at one point they were asking me to do more than waste prevention and “Can you help with household hazardous waste programs setups?” We had a GIS lab at the non-profit. I was looking at what the lab was doing, and it hit me. I was like, “If it’s all about location and we know where people live and we know what population does these, we know what the roadways are, can I use this to figure out the best place to put these household hazardous waste collection programs?” The woman who was running the lab was like, “Yes. You made the connection. Let’s do it.”
She gave me a little tutoring, and then the next person who came in gave me even more tutoring. I went and I thought, “I’m going to do this for graduate school.” I explored a program at UAlbany and had a great professor take me under her wing and point me in the direction of technology transformation. GIS is a transformative technology. Maybe you focus on this or maybe you don’t but you need to keep your eye on the fact that innovations are going to constantly happen. I want you to be able to think about how innovation diffuses, how you galvanize it, how you get people excited about it, how you talk the language to get a business to do something different that improves the delivery and outcome.
I realized that if I was going to do this, I should be pairing up all of my skillsets. I’d been working in government or with governments. I had been working quasi in planning at a community level in years in this technology skill, so going into planning seemed to be the right choice professionally. That’s where I got my graduate degree and I focus on quantitative planning with them. I get to start and I continue to work in GIS again for state or county government spots in New York and New England. I come to Philadelphia and there is an incredible need within the city government to continue to pair all of that up. The need with the data. Can the data help us make better decisions? I kept building on that skillset over and over again. The ability to speak publicly, to communicate to the public in their language at whatever level they’re at with technology served me very well. I kept moving up. I went from being a planner to the Chief Geographic Information Officer and then was asked to be the CIO in 2018.
You’re the second person I know that has taken the GIS route to the CIO position. It bolsters my thinking that to be an IT leader, you have to have some skills but also most importantly, to be a good communicator and planner. Innovation can mean a lot of things to a lot of people, but you’ve applied it in a certain way. Tell us a little bit about how you think about innovation and how you apply that to your job.
I’m lucky with the innovation program here at the Office of Innovation and Technology, it’s right in our name. We had been set up in 2014. We have a strong team working at it that laid the groundwork. We have an innovation academy. We’ve had dozens of staff go through that academy and seed city government with innovative thinking and skillsets that can help people bring ideas to the forefront, help people strategize around those, and implement. Even do some process mapping, although we’re a little weaker on that. That’s a place I would like to get us stronger as a team, and not stronger as we can’t do it with one person. I want more people to be able to have that skill. I’ve been working on that with our project management team going back to 2019 to get them trained in user design thinking and process mapping. I know I’m leaping ahead of where I should have started.
My point being is that in IT the first thing I realized within the first two months I was CIO. I can remember this moment sitting at my desk, it’s February. I’ve just gotten the position in January. I’ve been elevated as interim. It hit me that we’re going to run these major projects and we’re purchasing these solutions, but unless we have a skillset that is ubiquitous across our IT teams in design thinking, process re-engineering, and good communication skills, we are doing half of the job. IT can’t simply deliver a technology solution and integrate it and help you stand it up. We have to be the group that speaks at a personal level and hand holds the business through the process of change management, dealing with all of the human being’s frustrations about change and fear about change. We have to have a handle on that. It has to be a component of the project. It has to be funded. It has to be staffed. It has to be thought through. It has to have its own set of milestones per se. We have to be able to do process mapping. Unless we get the business to understand their own status quo, to help them and us articulate what’s our outcome, and then map back from that, we’re going to achieve it.
In my first two months, I had to deal with two failed major IT projects. One of them was about to go into litigation and we were trying to avoid that. What was at the crux of those was failed change management and a failure to see that you have to take the opportunity with every single project to evaluate your process. You’re either going to force bad process into a new solution and replicate problems or you’re going to set expectations that IT can somehow solve every problem you have, and it’s this magic bullet that bends corners and goes through walls and does everything else magically. The reality is it’s only going to solve maybe 70% of your problems. The rest of it is up to you through management, change management, process design, and talking to your users. You have to make changes and no one was telling that to the business. Not one of our project managers knew how to articulate that. Not one of our contracts had a change management component with the lead or process change component. There was nothing available.
I worked in 2019 to start setting all of that up through training, through a lot of conversations with executives about the necessity for this and how they were going to have to put it in their budgets, to helping our project management office learn how to articulate those components. We would have them contractually and we would be able to offer those services and then marrying that with our innovation team. Our innovation team was trying to get at this going back to 2014 and now I had a clear path in which to either insert them or to lay that over as process change process. We would activate the graduates of the innovation academy as almost like sleeper agents. Let’s bring out the bear when there’s a major project. We need to pull them out and elevate them. They’ve got the skills and they know how to work together now.
It all comes down to what is the purpose of technology. It’s a tool to solve certain business problems. If you start with the tool itself, you can spend your lifetime perfecting the best chisel you’ve ever made that can cut through rock. Defining the problem and talking about the business process is critical. I’ve built my career around it and I’m glad to hear you talk about that. The other thing that ties into all of that is you have an innovation consulting program in your group where you provide consulting services inside and outside the city. Tell me a little bit about that.
That was envisioned by our Deputy CIO Andrew Buss when he was the Director of the Innovation program. He hired Eliza Pollack, who is now our Director of Innovation and she has taken that program to new heights. She has built-in tools, workshop ideas, and parachuting into situations where a team is struggling, either with cohesion. They’re struggling to articulate the problem and how they’re going to solve the problem. It’s like process mapping. They’re truly not able to see the outcome that they want to achieve and how to walk back. They haven’t yet learned that they’re living in a lot of what I call process mythology. There are ways that we do things in government that we don’t understand why we do it so we build a mythology around it to say, “This is the way it has to be. There’s a law behind this, an ordinance, a regulatory requirement. The software can’t do it so we must do it this way.” I call them myths because we haven’t challenged any of it to know whether it’s true or not. We set up our own boundaries that don’t need to be there.
Eliza is good at getting people to recognize that they have the power to create ideas, to bring ideas to the table, to push past those boundaries. She has a number of creative workshopping tools to do that. The thing that needs to be said is that the reason innovation is challenging in government is because we’re built to be the dinosaur intentionally. We are built to safeguard the democratic process and deliver health and safety. You invest in water pipes and sewer pipes. You invest in a licensing program and then you expect to run it. You’re expected to continue to run it. Civil servants aren’t hired to innovate. They’re hired to perform a process. There’s never an expectation that you should be doing continuous improvement and that we want you to come up with ideas to improve this process because there’s a mythology around it. Truly there is a regulatory process and you have to have step A to get to step C. You can’t skip anything in between because there’s a chain of custody and all of these. Many details have to be documented. There has to be transparency and there has to be feedback to the user and all of that.
We limit ourselves purposely to innovate. When you enter these sticky situations where you’re trying to improve service delivery and you’ve got a team of people who don’t know how to do that, it’s because no one’s ever empowered them to think outside of their transactional job. The structure of the job reinforces the fact that I’m not asked to innovate. I’m not asked to improve anything. I’m here to take a slip of paper A, put it through a process and give you an outcome at C. You have to challenge all of that status quo and Eliza is very talented at doing that.
You mentioned toolsets. What kind of toolsets is she using for process mapping specifically?
Process mapping is one but a lot of it is discovery. Even in COVID with Zoom and Teams, she still has her flip chart, white paper, or whiteboard and marking things up. She will do something called rose, bud, thorn where you map out possibilities. You don’t treat a dead end as truly a dead end but you’re marking it as a challenge. She has to read her audience. I can’t remember all of the workshop tools that she has but I’ve experienced at least 4 or 5 myself and it’s based on the problem. It’s also based on where the audience is at. People who haven’t ever been asked to articulate anything at a table can’t necessarily jump into a rose, bud, thorn. It’s a bit of therapy. It’s something you start a sentence basically with a solution, and you have to reflect that person, and then add to it. Everything is added to what you are building but you have to reflect. That’s something people aren’t used to doing either. It’s like, “Did I hear you, and understand what you said so I can repeat it back to you when you confirm it?”
It’s critical and I like to call it going back to eating veggies. You can buy something that you put in without having put the thought through it, and the system doesn’t work. Three years into implementation, it’s a ball of yarn. You don’t know where to start. You then have to go back and fix what should’ve been done in the beginning. Kudos to you for doing it right. We get inserted in many situations where, “Save the project, AV.”
We’ve called them venting sessions before when the innovation team has the skills to do a real workshop where people get to do it. I don’t want to say in a gaming way but it is more than sitting there and expressing an opinion. It is a structured activity that is designed for people to think about what is troubling them the most about this process, articulate it, and connect it to the process. We’ve had to do that after the fact where there have been big IT implementations that at the 11th hour, they seem to be going South. It has something to do with the adoption and people being able to implement the final solution. Eliza has had to surface a great deal of frustration in those teams. You do it in a structured way that then points them to solutions. It can’t just be a venting session. I know from the feedback that one of the things people say the most is, “I finally felt heard. I finally felt like someone was listening to the problem I’ve been saying we’re going to have with this IT solution over and over again. Now we have a way to solve it.”
On the flip side, there are people that finally connect the dots. They’ve been doing their lane for twenty years and don’t see why anything needs to change. They don’t see the downstream or upstream problems, and those sessions bring out frustrations. The first few sessions when you start talking about a process, they’re always venting sessions. They then turn into like, “I’m starting to buy in and see the big picture.” It’s fascinating to me. I was able to look at your IT strategic plan that you guys put in place in 2019. It’s different from the ones I’ve seen or done before in the sense that you’re not just looking at your internal systems. You are but a big component is connecting to your community and entrepreneurs that are in the city or around you. What according to you are some of the foundational elements of a good strategic plan?
The pace of technology is fast. I do a one-year internal conversation for my leadership and I do look at it in one-year like, “This is what we’re going to focus on.” There is a continuity at a three-year timeframe of what we can achieve. There are these major goals and some of it is a 2 to 3-year timeframe. I’m maybe articulating phases or steps that now we can achieve or we missed and we still need to focus on. That strategic plan however borrows from the planning field. The people who put that together, including myself all had planning backgrounds. I’m going to mention Andrew Buss. There was Ellen Hwang, who was our Smart City’s Director at the time, also planning on urban studies background.
We collectively thought about the fact that we could take the charrette process that is used in planning to bring community members or different types of communities. In this case, it was the technology companies, the civic tech, the academic and research community that worked in tech and treat them as their own charrettes, and then have a charrette force for city government itself. We pull all of that together to understand what should be the overarching goals, and what were some overlapping problems that people wanted to solve, and how we would set those up as individual strategies. It is a public plan as much as it is an internal plan. It’s less of an internal plan. It feeds into a more focused internal plan. I reflect back on that larger strategy when I’m doing my one-year focus plan. We also have something in our budget process that’s a five-year plan. I have to tie it all together one more time and frame it in a way that the budget office can use for our annual operating, and for the city council to see. The city council wants to see this five-year framing as well. As with planning, each one of those five-year plans should reflect on that bigger plan. This is our comprehensive plan for IT in the city.
There’s got to be a level of translation. You’re starting from planning 10,000-foot level, and then you’ve got a few deputy CIOs on your team. It helps that you have people that sounds like at the same wavelength and see IT the same way. How do you translate vision to something more tangible to people that don’t see it, that are techies, and are like, “Tell me what to do.” What’s your process for filtering that out?
It’s repetition for one. It starts with my executive team meetings that we have on a regular basis. I recognized that I had to keep a formal process to some of those meetings where I would reflect back on our goals and objectives. I let people know from the information that I was getting from them individually in our one-on-ones, where we are achieving those goals, and what was the progress at them. Where did I need to solve for steps that were either being missed or weren’t being executed properly? What I learned over time in my first year and a half was, I have to constantly update that information for them and get it down on paper. That is exactly how you translate it. It’s a lot of conversations to figure out how have people heard my message, how are they putting it into practice, and is it aligning? What practical challenges are we facing in operationalizing that vision? I have to take feedback from my Chief of Operations, Sandra Carter, or the other Deputy CIO like Tom Swanson, who’s head of architecture and data. We have to take in those challenges, figure out solutions, and keep track of it.
The trouble I have is when we’re not documenting those conversations, our action items, and then for me to go back and reframe the plan. I made a commitment to them that I would do a reframing every six months if we needed to. Even in COVID, we were doing that with what was in front of us. I say this and I know a lot of other cities have struggled. There’s been so much going on but I feel like in Philadelphia, if there was any type of specific problem that was being experienced in the nation, we had it here in spades. It seemed like every two weeks there was a new wave of something we had to manage that was entirely unexpected.
I want to say you’re not alone, which you’re not. You’re in a major city in the world, not just in the US. I can imagine that the problems in my hometown here in the City of Maryville, Tennessee, you’ve probably faced it 100-fold. One of the things that are constantly on everyone’s radar is something that you’re actively working on: the digital equity, digital divide problem. Tell us a little bit about how’s that? With COVID, I’m sure it’s highlighted everywhere else in the country. How did you guys deal with it?
We’ve had a program in place going back to 2016 when we signed our franchise agreements with Comcast and Verizon. These are cable franchise agreements. These are not internet franchise agreements. We built in a funding mechanism for a program that is called the Digital Literacy Alliance, which is made up of nonprofits and institutions that either worked in the space or were developing programming in the space of digital literacy to focus either on an elderly population, immigrant population, or economically disadvantaged, either geographically or broadly in the city. OIT, my department, on behalf of the DLA managed that pot of money, which was around $800,000 when we started to produce grants. We did two grant cycles a year and they would go out to these organizations to either create new programming or enhance programming. Part of the goal was to build a practice out of this. We would all be sharing information through the DLA in these enhanced programs or new programs and they could build off of one another.
When we got to COVID, we recognized very quickly that access was going to be a problem in March for folks. Even before we closed, I started reaching out to all of the major vendors to say, “What are you going to do? Are you going to open up access to your public Wi-Fis? Is this going to be free? Can you create a program like internet essentials?” I was talking to some of the other telecoms who would listen, “Are you going to create something like internet essentials for $10 a month that would create opportunity?” That sparked thinking inside of the city government that we may need to do something big and bold. Paying for digital literacy programming was not going to be enough. By the time we got to our budget hearings, I got into a hopeful and powerful conversation with council members, Cherelle Parker, about the need for the city to take a much more aggressive stance on this, and to do something that would deliver connectivity to families who couldn’t afford it or didn’t know that they needed it, in a sense.
We know that there are some folks who have gotten just fine with a hotspot on their mobile device or their mobile device connecting to the internet. We’re talking about kids needing reliable, high-capacity bandwidth for learning. Doing it from a cell phone wasn’t going to be enough. That’s what I mean by that, wired to the home or in the hands of the child to connect to a laptop or tablet was going to be necessary. We started to strategize in June 2020. I was joined by the Mayor’s Office of Education, the Chief Education Officer, Otis Hackney, and the Mayor’s Chief Policy Officer, Maari Porter. Between the three of us, we operationalized a program with just a few members in two months. Maari focused on the funding, Otis and I focused on how the program should be stood up. We did get some assistance much later on by a center that did get paid for. They helped us. We were struggling to manage everything that we had to do. We were working probably 24/7 to get this done because we had a goal of going live a week before the public-school system started.
What we landed on was to create a blanket contract with Comcast for internet essentials. We could have families come to us, get a code, go to Comcast, and then they would get internet essentials. We also bought thousands of hotspot devices through T-Mobile that we could focus on families that were housing insecure or the child was not going to be in one place at any given moment, and wiring to the household wasn’t going to make any sense. We also partnered with our housing authority and our homeless services program to make sure that those hotspots were being delivered. That’s how we addressed it. I might do it differently. We’re learning how challenging some of this has been and we’re continuing to evolve the program. We’re not stopping with K to 12. We’re thinking about how we deliver that service at a low cost or no cost to the rest of its populace, and to be as creative as we need to be.
I know that you’ve had other guests who have talked about municipal Wi-Fi, and setting up their LTE Wi-Fi solutions. Nothing is off the table for us. It’s an exploration for me that needs to be done so we can document to all of our stakeholders especially the elected officials about why we’re recommending one strategy over another. I don’t want to just jump into one. We need to have a thoughtful, open, and transparent conversation and we’re starting that with both internal and external stakeholders in our working group. We broke up the working group into an infrastructure team. One is looking at policy and legislation that might need to be changed, tweaked, or created. Another team that’s looking at long-term funding. All of those have to overlap because if we’re looking at some solutions from the infrastructure side that are going to take more capital investment than another, that funding team needs to be able to understand, are we looking at the capital? Are we simply looking at foundations? Are we looking at impact investors? Utilizing our city assets in a way that we can monetize those and use the money towards digital equity or digital inclusion services.
COVID or not, that problem is not going away. We’ve been in some meetings with some clients where the solution requires a public-private partnership. If you have people at the table or vendors that are pushing for a certain solution, you may not get anywhere. It gets too noisy when someone’s trying to push a new circuit on you or, “Here’s our service.” This requires some ground-up thinking and you’re right. I’ve had guests that have landed on CBRS as the solution, which is also called Public LTE. In that, you have to have the ISP, the vendors, and the governments working in sync to make that a reality. One of your other projects that caught my eye was Scan First. I know it’s not as global and aspirational as solving for digital equity, but a lot of people struggle, a lot of municipalities struggle with solving the problem of document management. How you’ve handled it at Scan First, when it comes in, scan it and give it back to them. Don’t hold it unless you have to. Tell me a little bit about that program.
Unfortunately, that one I don’t have as much insight on. That wasn’t anything that surfaced that I’ve had to champion at my level that’s already underway. The only thing I can comment about that is both my deputies and I have had to realize how important a process that document management is, that scanning, that imaging service. The service that we’re using now has been underfunded. It needs its product team because of the value of it to the city. Those are conversations that we’ve had and making sure that team knows how valuable they are. They have been toiling away without any recognition at all. We surface the value and letting them know. In some cases they needed upskilling. There were new features in the product line. There were modernizations to those tools that we had invested in, that we’ve been working on over the last years.
Unfortunately, that’s the only level of detail I have about that one. I think the Scan First is a product and initiative of our Streets Department and our licenses and inspections teams who have to deal with those plans and those documents all the time. It was a relief for them to do a Scan First operation. We did launch our ePlans, eSubmissions specific to the Streets Department’s need to review any plan that impacts the street itself or any new streetscaping or street improvement or construction that’s tangent to a building. A building permit that we’ve already got a digital submission on. This was one that had been hanging out there waiting to be implemented. We launched that.
It stuck out to me because it’s easy to scan stuff. It’s hard to find it once you’ve done it. A lot of people get caught on, “We’re going to have a scanning project.” It’s not a scanning project, it’s a retrieval project. The fact that you guys are giving the paper doc back to the customer is also unique. A term that gets thrown around a lot in our circles at least is a smart city. What do you think that means to you?
That definition has changed over time because I’ve been involved with that in our smart city discussion and the formation of that smart city plan when I was the Chief Geographic Information Officer. It is one of the more important programs for me to continue on as a CIO. Before I define it, I’m going to get to that with a bit of a story. I was in Barcelona for a week and it was an invitation-only to myself and six other CIOs from the US and a couple from Canada. It was put together by the Catalonia Economic Development and Trade Organization. The entire trip, eight-hour full days or more of conversations with the municipal government in Barcelona and the Catalonian government focusing on this idea that for them, a smart city is an organizing principle. They have worked on innovation programs. They have worked on economic development programs to make use of technology. They have worked on resiliency programs thinking about heatwaves and rising sea levels. For them, smart city is the way to bridge all of those together and move towards unified goals to interconnect all of that work.
What I took away from that was, the use of smart city is not a term I’m afraid of any more or I feel as tired. I know that as human beings, we love novelty, and every so many years, we have to take an idea and reframe it a little bit and give it a new label to get ourselves excited about it. I’m not afraid of this term at all anymore and I’m not tired of it. After Barcelona, I realized that we have sustainability, we have resiliency, we have this innovation program. We have all of these things that can tie together through the use of data for intelligence or the rapid use of data. Any way that we get that data whether it’s by sensors, by human beings reporting in, by mobile devices, it doesn’t matter. It is the unified use of data in decision-making that drives very quick and effective outcomes for the citizens and positive outcomes. It’s mostly through a lot of the ways that we automate. We can make those processes work quickly. I know that all sounds amorphous but I would love to see Philadelphia band all of our programs together under the smart city so we keep pushing for better service delivery.
To me, a website where I can go and do all of my transactions, I can file my taxes, and pay my taxes to the city is a smart city initiative. Any green storm-water program that is constantly measuring its effectiveness and giving feedback to the water department, so then they can make operational changes is a smart city initiative. If we are using mobile optical sensors on all of our city vehicles to evaluate the condition of the roadway, and then feed that into machine learning tools that either helps us budget and plan or identify areas that maybe some of our interventions don’t seem to be working and then we can re-evaluate. Was it a materials problem? Was it a mechanical problem? Anything that helps us evaluate and improve that service and do it faster to me is a smart city. We should be living under that goal and philosophy at all times. That’s why I’d like to bridge it together. I don’t think we get a lot out of bridging it by saying like it’s a six-sigma program or anything like that. I would still like to be championing the idea that anything that improves the service deliveries should be part of your smart city initiative and you shouldn’t be afraid to call it that.
I love that you said unified decision-making. At the end of the day, it’s problem-solving and making lives better inside your organization and to the citizens. As you said, a smart city might become something else in a few years. What it does do though is because of sensors and IoT and all of that good stuff. There’s a chance that it opens us up to cyber threats. You have a Chief Information Security Officer on your team. Tell us a little bit without details, your overall strategy for securing Philadelphia’s IT assets?
There was no focused plan until I started around cybersecurity. That was something I realized that had to be done immediately and to focus on. What we did was identify within our units every component that touched information security or data security, however you want to phrase that. Security was within our architecture. There was a great deal of knowledge in securing our systems by our network operations and network director. When I pulled in and created a new CISO position, I needed someone who could look at all of that and develop a plan with me. Also, have the skillsets that we needed because we did not have investigation skills at that time. Our ability to monitor outside of a set of network tools was limited. We had no comprehensive view.
He had a big task or his team had a big task which was to frame out the plan and start putting it together while we were working on it. Now we have a cybersecurity operation where we do have skillsets in investigation. We have a policy and education program that spends a lot of its time writing up the policies, procedures, and standards. That’s a much bigger initiative I need to call out, but I’ll finish about security. It’s connecting into our networking team and everything that they need to do and making sure that we’re collectively monitoring that. When it comes to the IoT sensors, much of the strategy around that and how we’re securing them is within the network director’s view. The thought partnering is by the CISO.
We’re lucky in that respect that the CISO doesn’t have to take on to problem-solve everywhere. We’ve made it clear that security needs to be a part of everything that we do. The chief of architecture, the CISO, the director of networking and operations are all working together to build security policies and put them into place. The way that we started with that was to bring in a consulting team to help us implement NIST, and to map out all of the policies that we had back to this, where we needed to update them and create new ones, or we needed an overarching policy. There were child policies underneath the parent. That’s been one of the best engagements with a partner we’ve had. The KORYAK out of Pittsburgh have been tremendous. Because of them and their recommendations, we now have a compliance office. It’s an office of one at this point with support from our security team.
I announced that to leadership last month, that the office was existing and what our goals were for the office, and how we want to work with the departments to identify a compliance officer in all of their units to help us with audits, to help us with moving those policies forward, and to connect back to their IT operations. I don’t want it falling to the IT director. They can’t be the compliance officer and the IT manager at the same time. I’m lucky that we have buy-in for that at the mayor’s level off of this because they have recognized our audits have not gone well over the years. The compliance is seen as another way to reinforce security. Being able to discuss those policies in layman’s terms is extremely important for me to articulate why we have this, and why we’re slowing down the process of your RFP or your implementation.
The other component of that is to operationalize it. Our project management office has taken those policies and built their framework and we call it The Gates. We have a clear online form that’s a much better way to evaluate the need for a project or a solution. If it’s accepted and we’re funding it or the department has funding, there are milestone reviews by architecture, user design, and security on the project to make sure we’re aligned to the policies. We’re getting better at that. We’re in our first year of moving people through that. We’ve done a lot of roadshows to alert the departments at leadership levels as to what this new framework is, why we’re doing it, why it may slow down things, why it’s a change in procurement. It’s a change in execution. It’s a change in the RFI/RFP process. We are running into some obstacles. There are some vendors who don’t want to play ball with that and make life interesting for us. For solution providers, there are some that are stepping up and others that don’t like it. They don’t want the scrutiny.
The thing about the NIST framework is there are 22 foundational elements of it. I think 18 or 20 of them are boring things like policy and documentation. People don’t realize cybersecurity is 10% sexy blinky light stuff and 90% is the boring management stuff.
It’s guide rails and guidance at the same time. That’s how I look at it. Our IT directors, because we’re a federated operation, they were asking for guidance. They wanted policies. They wanted to know what lane they needed to be in order to be effective at their jobs. I had heard that for the first full year constantly like, “I need to know, Mark. You’ve got to tell us what the guide rail is.” Hiring KORYAK was in response to that in some respects, but it was also the security officer saying, “I’ve got to have a framework implemented and we’re going to need a ton of policies to do that.”
Mark, is there anything else you want to mention or talk about?
No, I’m great. Thank you.
I can talk to you for days. Thank you for making time to come to the show and I look forward to talking to you some more.
Thank you very much. It was a pleasure.
Mark Wheeler – LinkedIn