Government Technology

By Dan Lohrmann: Covering the technology challenges and innovative opportunities available today, from government efficiency projects to implementing cloud computing.

Titanic Mistakes: Five Pragmatic Lessons from Spectacular Technology Failures

April 14, 2012 By Dan Lohrmann

Everyone is talking about the sinking of the Titanic – and they should be. The people, the stories, the technology, and especially the tragic ending, are legendary. It has been one hundred years since she sank. Books have been written, movies made – and remade in 3D. But somehow, we can’t seem to forget what happened or miss a chance to hear the remarkable, mysterious story again.

Numerous theories still abound analyzing the never-ending question: “Why did it happen?” The very word “Titanic” has become synonymous with words like enormous, monumental, gigantic, massive, huge and immense. But most of us aren’t picturing a monumental home run or an enormous successful product launch. No, the word Titanic has also been seared into our brains as a massive failure.

Here are some Titanic facts: She took three years to build, would cost about $400 million in today’s dollars, and was thought to be unsinkable. For the next week, you can see the passenger list free of charge at Findmypast.com. This list records the names, port of departure, occupation, nationality, age, class of travel, destination and country of intended residence of those who sailed from Portsmouth, England, and Queensland, Ireland, on April 10 and 11, 1912.

 Before her maiden voyage, people called her a crowning achievement of human ingenuity. A living, breathing example of man conquering nature, a model to emulate how things could be done and perhaps the finest high-tech marvel of the (relatively new) 20th Century. The ship inspired hope and awe. And yet, somehow, everything went horribly wrong.

While it may seem abrupt to jump straight to “lessons learned,” I believe it is important for everyone living one hundred years later to ponder the question: Are we susceptible to the same problems that led to the sinking of the Titanic? I think the answer is yes.

Other tragic events such as the Challenger disaster in 1986 (part of NASA’s space shuttle program) have most of the same scary characteristics as the Titanic disaster. Every time I watch the actual video of the Challenger disaster on CNN, I somehow hope for a different ending.

The horrible events that took place on September 11, 2011 also have many of these same elements. Yes, terrorists deliberately caused those planes to fly into the World Trade Center towers and there are other differences. And yet, these historic events must cause us to stop and rethink our technological and even security approaches or we will certainly fall prey to the same mistakes again.    

No, these five pragmatic lessons are not new. In fact, several go back to Biblical times. But we humans constantly seem to forget them. Yes, these are also relevant in lesser situations that may not reach today’s global news networks.

Please understand that I am an optimist; I’ve been called a technophile by critics. Nevertheless, we need to learn and apply these lessons for small, medium and large technology projects at work and at home.

Five Lessons for Technology and Security Professionals from the Sinking of the Titanic:

1)      Pride Comes Before a Fall – Numerous experts start with overconfidence when they discuss the “unsinkable” Titanic. One author describes Titanic Arrogance. Here’s an excerpt:

The first few years of the 20th century, when the Titanic was built, were full of brash optimism based on remarkable advances in science and technology. It was a time of peace, progress and endless promise. Things were getting bigger, better and faster—the age more opulent and prosperous. “What could possibly stop the engines of progress or the captains of industry at their controls?” the book’s prologue asks.

The Titanic thus embodied a spirit of invulnerability characteristic of the times. In fact, when at the beginning of her maiden voyage one of the deck hands was asked whether the ship really was unsinkable, he replied, “God Himself could not sink this ship!”

Wow – sounds like today! Our immediate reaction should be “watch out.” Whether in sports, in politics or in technology adoption, we need to be wary of claims of the invincible. Things can, and certainly will, go wrong. The 9/11 attacks used rather simple means to overcome complex technology defenses. We need to hope for the best and plan for the worst. As described before in other blogs, humility needs to be at the top of the list of lessons learned for security pros.

2)      Don’t forget the people and the process – We have heard it hundreds of times: successful projects require well-thought-out plans for people, process and technology areas. And yet, we always focus on the technology and underestimate the people and process aspects of the situation.

In the case of the Titanic, numerous sources insist that the real mistakes were made by the crew after the Titanic hit the iceberg. In fact, one author says the Titanic sank because of a steering mistake. We make the same mistakes today by focusing the majority of our efforts on “new black boxes” while ignoring or downplaying the people and process side of the equation.

3)      Thinking Our Invention is “Too Big To Fail” – As noted before, experts felt the Titanic was beyond stoppable – but underestimated the power of an iceberg. Here’s a quote from Michael Kaplan:

The 1,517 people who drowned in the Titanic disaster did not die in vain. In inquiries on both sides of the Atlantic and new international agreements for maritime safety, we began to make the rules necessary for a bigger and better-connected world. We now admit that scaling up size increases complexity; the larger systems become, the greater the likelihood of unseen contingencies. Every project risks its iceberg. Nothing is too big to fail; instead, the bigger it is, the more insidious and thus devastating its modes of failure must be.

Recently, analysts have even been using this “too big to fail” warning to describe our perspective on the US or world economies. I’ve also heard experts discuss similar questions related to the Internet, cloud computing, certain companies or certain local projects that seemed foolproof. Buyer beware.

4)      Health and Safety Comes First – I find it interesting to contrast the beginning versus the ending of the Titanic movie. One cannot fail to be impressed with the beauty and wealth displayed on the ship at the start of the voyage, but none of that mattered when the ship was sinking.

While the list of passengers and their stories is fascinating, the lessons for us revolve around the battle for hearts and minds of the people during emergencies. How well have we planned for various scenarios? What is most important if (and when) things go wrong? Is the focus of our product on the bells and whistles or on what truly matters? How do we communicate? Bottom line: are we prepared?

5)      True stories are always the most intriguing, interesting, relevant and effective for our customers – Experts are divided on why we are so fascinated by the Titanic stories, but one thing is clear – it really happened. We long to hear about the families, the fortunes lost, those who helped and those who didn’t. There were survivors and brave men and women who gave up their lives for others.

As we try to get the attention of our customers, stakeholders and executives today, we need to ask more questions and learn more about: What has really happened in our field of technology and security expertise? What “real life” experiences have others had? How do we benchmark against others?

 Even when we ask the question “what if” this cyber attack occurred, we tend to talk about the scenario in terms that people understand. For example, we say there is a coming “cyber Pearl Harbor” or an “electronic 9/11.” Why? Because Pearl Harbor and 9/11 really happened. People can relate to those historic events.  

As a current security professional, I find that most customers want to hear about true stories from other places and how those facts relate to them. We can learn from an historic event that happened 100 years ago; compelling stories that are true can last more than a lifetime. But have we forgotten what the survivors learned?

 

 

 



Weatherford an Excellent Choice for DHS Deputy Undersecretary for Cybersecurity

October 22, 2011 By Dan Lohrmann

According to Politico and other sources, Mark Weatherford has been named as the new deputy undersecretary for cybersecurity at the Department of Homeland Security (DHS). Mark will fill the role formerly held by Philip Reitinger, who resigned in May.

Politico wrote: “Weatherford will manage the department’s cybersecurity operations, which include overseeing the agency's partnership with the private sector and security of the dot-gov network. The Obama administration gave DHS an elevated role in managing the federal government’s cyber defenses in its legislative proposal released this spring, making Weatherford a key player for the government.”

Weatherford is currently the Chief Security Officer at the North American Electricity Reliability Council (NERC), and will begin his new role with DHS in mid-November.

Mark is well known amongst state and local government leaders for many reasons. He was the Chief Information Security Officer (CISO) in both Colorado and in California. Mark was also a regular security blogger and columnist for Government Technology Magazine and PCIO Magazines. Some of his posts can be found here.   

Mark has been a leader in the wider security community for years with a wealth of knowledge and expertise. He was active in several cross-government organizations including the Multi-State Information Sharing & Analysis Center and National Association of State CIOs.

 In my opinion, Mark is an excellent choice by DHS. I think he will do a great job and be a respected friend and colleague to state and local government technology and security leaders around the country. He understands our needs and vulnerabilities, and Mark also grasps the global cybersecurity problems facing America.  

 More than that, Mark is a thoughtful executive who has both military service and hands-on experience dealing with every aspect of our cyber ecosystem. He “gets it” when it comes to addressing the vast task in front of him, including the training needs and culture change that is required for governments, private sector businesses and even families to succeed online. Mark’s an enabler who wants to get meaningful projects done to protect our sensitive data and critical infrastructure from attacks.

While this endorsement may sound too positive with no negatives, I have no hesitation in backing Mark Weatherford.  No doubt, he has a very tough road ahead. There will be new threats, politics and unexpected challenges from all over the place. How long he stays in this role may be determined by events beyond his control. Nevertheless, I can think of no one better to help the cyber community right now.

 I'm glad Mark took the job, and I wish him all the best. I am confident that he is the right person for this job as we head into 2012.

What are your thoughts on this appointment?



What Should Get Cut Out of Technology Budgets?

October 19, 2011 By Dan Lohrmann

 There have been several recent articles and reports that offer ways to save Information Technology (IT) dollars. The lists of potential cuts are worth reviewing, but I urge some caution as well.

According to Computerworld, Gartner is urging IT managers to reexamine many common practices with an eye towards stopping ineffective or wasteful approaches. One conference in Florida urged “creative destruction” by killing spending or making radical changes to business as usual. For example, here are a few of the 16 items suggested:

-       Stop recommending IT mega projects.

-       Make people accountable for IT spending. Have business units acknowledge, with a signature, the ongoing cost of an IT service they need.

-       Terminate applications that aren't delivering value. Gartner estimates that operating expenses can be reduced by 20% by 2014 by decommissioning applications.

-       Abandon level 1, 2 and 3 tech support, where the more complex the problem the higher the skill level sought to address it until it reaches the people who built it.

-       Cancel most IT chargeback systems, which take an extraordinary amount of effort and expense to charge back what is a small amount of revenue.

-       Stop seeking competitive bids. Most companies keep their existing vendor.

While I like many of these suggestions, public sector organizations are committed to open, competitive contracts – so the last item must go. In addition, I’m not in agreement with the canceling of IT chargeback systems. (How would this really work?)

Nevertheless, I like many of the 16 items, such as stopping the mega-projects. Lists like these provide excellent food for thought. When government budgets get cut, new opportunities and new ways of thinking can emerge. Creative thinking is a must. Old paradigms and “turf battles” must be eliminated.

In addition, take a look at this blog which offers ways to save or redirect government dollars. One of the items includes a US Department of Interior Transformation Plan that will reportedly save $500 million.

Another blog from TechAmerica offers ways to save through innovation – not cuts. They offer six IT policy recommendations, including these first three:

1. Implement policies and actions that will increase collaboration and communication between the private sector and state and local government in all areas of technology acquisition, deployment and service delivery.

2. Innovation in government programs, in parallel with efforts to move to more cost-effective support functions, must now be considered management and fiscal policy imperatives.

3. Appoint a strong, visionary IT officer with authority to align technology assets, operations and services across the enterprise.

Whatever your approach, the current economic environment requires IT leaders to offer a list of cuts, or things they will stop doing, along with ways to implement new projects with a return on investment.

We can all take a hard look at ways to save. What approaches have you seen work in government?



A New Call to Action - Backstage at the Michigan Cyber Summit

October 8, 2011 By Dan Lohrmann

It was Thursday night, October 6, 2011, and we were listening to Michigan Governor Rick Snyder share his thoughts on the soon-to-be launched Michigan Cyber Initiative. About seventy-five Fortune 500 technology and defense executives, leaders from federal, state and local governments, university presidents, keynote speakers and other VIPs were gathered at Eastern Michigan University in preparation for the Cyber Summit the next day. The picturesque room, overlooking a golf course with a lake, was decorated with Detroit Tiger banners, in preparation for game five between the Tigers and Yankees in a few hours.

Governor Snyder quickly raised the bar: “If people walk away tomorrow saying that we had a nice conference with good speakers, we will have failed. We need everyone walking away saying that it is time to act now on cyber – whatever their role.”

Who Spoke?

While only time will tell if we achieved that ambitious goal, the Michigan Cyber Summit was unlike any previous technology event that I’ve ever experienced. Here are a few of the reasons why:

The agenda was packed with featured speakers including:

- Michigan Governor Rick Snyder

- Secretary Janet Napolitano, Department of Homeland Security 

- Howard Schmidt, White House Cybersecurity Coordinator and Special Assistant to the President

- Congressmen John Dingell, Mike Rogers and Hansen Clarke

In addition to our public sector leaders, the lunch keynote presentation by Richard Stiennon offered an informative and thought-provoking global view on cyber.

The afternoon breakout panels in five tracks contained participants that are generally tough to get as keynote speakers for other events - with senior execs from Facebook, Microsoft, Google, Symantec, AT&T, Comcast, Unisys, IBM and many others.

 National Cybersecurity Awareness Month Kickoff:

 The event was designated as the national kickoff for Cybersecurity Awareness Month and was streamed live on Facebook. As I walked around yesterday, I kept running into people from all over the country that are well-known cyber experts – who weren’t even speaking. I suspect this was because our partners got onboard and helped recruit many of the best to be there. These partners included groups like the National Cyber Security Alliance, the Washtenaw County Cyber Citizenship Coalition, the Multi-State Information Sharing & Analysis Center (MS-ISAC) and DHS’s National Cyber Security Division (NCSD).    

The local media coverage as well as the national press coverage was excellent, with very positive feedback. Some of the coverage included:

WDIC Detroit - Michigan Announces Cyber Initiative

 SC Magazine – Cybersecurity Awareness Month Launched

Sacramento Bee: Facebook Live Covers National Cybersecurity Month Launch

Smart Grid: Secretary Napolitano’s Remarks at the Michigan Cyber Security Summit

 Looking Back and Forward

This was actually our 4th Cyber Summit in Michigan, with the first cyber summit being held in 2008. However, there is no comparison between this event and the first three that we held. Not only was attendance three times higher this time (600 v 200), the participants, buy-in and level of discussion were at an entirely different level. (The summit was actually sold-out more than two weeks in advance.) We had a nice beginning in 2008, but this is a new day with a new sense of urgency.

The bottom line is that Governor Snyder clearly is passionate about this cybersecurity topic. He “gets it” when it comes to the importance of Internet safety and online protection in every aspect of our economy. He also sees this issue in economic terms - with plans for growing private sector technology and cybersecurity jobs in the state. More than that, he is leading the charge and driving the change in “dog years.” His leadership and the support of everyone around him are bringing new partners around the country, allowing this event to happen quickly (only 12 weeks of planning).

The next question becomes: so what? Or perhaps: now what? We have some momentum and high expectations. The time for specific action is now. Our state has new partners at another higher level of engagement on this issue. Many sidebar planning meetings occurred that will help propel new projects within the Michigan Cyber Initiative forward with support and an aggressive timeline for deliverables. You can learn more about this and see our toolkit at www.Michigan.gov/cybersecurity.

Final Thought

 When I first became CISO in May 2002, we built the Secure Michigan Initiative in eight months - but gaining top-level executive buy-in was a battle. I was proud of our team's pioneering efforts given the resources we were provided. That plan delivered a bottom-up approach to transforming state IT security at the time, but the going got tougher as other priorities often trumped cybersecurity. Still, we did eventually implement almost two-thirds of that security plan on a smaller-than-expected budget. 

  Coming back as Michigan's new CSO - with physical and cybersecurity in one office, I see the Michigan Cyber Initiative differently. Our previous plans never received this much attention - which is a good and bad thing. Admittedly, the threat landscape has changed. Now, we not only have the Governor’s full support, but his leadership and experience on this cybersecurity issue. I think that we can accomplish much more with that clear priority and stronger executive support, but the stakes are higher as well. The plan is ambitious, but so are the challenges that face each state and our nation in cyberspace.

  I am an optimist and a believer in the Internet’s ability to transform government service delivery for the better, but the bad guys are also getting better online as well. From cloud computing to smartphones to the smartgrid, state and local government efforts on cybersecurity will enable or disable innovation.

The reality is that many criminals and other countries are ahead of us. We have work to do. We must partner in new ways. Time will tell if we succeed.

What are your thoughts on this cyber challenge in 2011?  



Career Moves: All Roads Lead to Security

September 24, 2011 By Dan Lohrmann

As reported by Government Technology Magazine last week, Michigan is merging physical and cyber security.  I will be moving to the newly created role of Michigan Chief Security Officer (CSO) in October. The reaction from my friends and colleagues from around the country has been all over the map – ranging from “Great move” to “Are you really ok with this?” Here’s a brief look at some of my thoughts about the change and the technology and security industries as we head towards 2012.

Some Background:

When I moved to Chief Technology Officer (CTO) and Director of Infrastructure almost three years ago, I didn’t think I would be returning to focus full-time on security. I was broadening my scope of duties and vastly expanding my horizons by running the day to day back-office functions like networks, datacenters, office automation, project management, client service center, field services and enterprise architecture. I took a crash course in developing budgets and rates for our services. No doubt, I was “drinking from a fire hose” the first year. I had to implement many of the security policies and procedures I had created as CISO – and that was not easy. A few of my early thoughts included, “What was I thinking when I signed that restriction?”

We’ve had our struggles – such as increasing our percentage of virtual servers and improving communication with our front-office technology partners who lead our customer service efforts with agencies. We still need to expand communication further across Michigan. Our new CIO David Behen is serious about customer service improvements with agency directors – so this is happening.

 As expected when I took the job, we’ve had some tough outages as well as unwanted news headlines.  We survived a large incentivized retirement. Those hard days come with the technology management territory.

At the same time, I was blessed with an excellent staff. Our directors were motivated and focused. My number one strategy: more teamwork and cross-group collaboration. Thanks to their daily efforts to build relationships, I believe that we function much more as a single infrastructure entity now and not seven unique divisions.   I truly enjoyed our pioneering efforts in cloud computing in government. I’m proud of the continual drop in rates and improvements in technology and communications service that we’ve seen despite fewer staff. We continue to be recognized as a government leader. Serving as Michigan CTO has been hard but rewarding work.  

Back to the Future:

Now on to a new role. Why? I must admit that this next career step seems a bit like the movie, Back to the Future 2 for me. That is, I’m in the process of doing many of the same things that I did in 2002 when I became Michigan’s first CISO and started building our Office of Enterprise Security.

I thought that if I ever went back to security, it would be in Washington DC or in the private sector. Indeed, I had offers and looked hard at those tempting options. My thanks go out to colleagues who helped in that job search. Over time it became clear that Governor Snyder was (and is) very serious about growing Michigan into a global leader in cyber security within government and the private sector. The opportunity here was very compelling and reignited my passion with an expanded CSO role.

Building on our successful past and our Governor’s technology experience as CEO of Gateway, we are developing an aggressive strategic plan to make a global difference in cyberspace. One near-term example is the Michigan Cyber Summit on October 7. We will be the national kickoff for Cybersecurity Awareness Month. Our summit agenda is exciting and impressive.

I know that many readers are in government service because they feel a calling to help in ways that go beyond a paycheck. Others want minimal travel so that they can focus on family priorities. Some love their job and look forward to coming into work and using their God-given abilities to change their community, state and/or global industry for the better. These are some of the reasons I accepted this new CSO challenge. I also think it is time for me to focus on where I can have the most beneficial impact.

Changing World – Cyber and Physical Security:

Much has changed – including the security threat. While computer security was growing more complex and important, cyber crime has now become the new growth industry. Security is a part of everything that government does, and our virtual and physical worlds are merging. This is not just seen in delivering government services, but in homes across the globe with users of Facebook, Amazon.com, virtual world training and more. We need to be enablers of the bright side of the Internet.

While many experts are proclaiming that we’re in a global cyber war, I prefer to think about our current Internet challenges as more like invasive species that threaten our online ecosystem. (I must give credit to our Michigan Governor Rick Snyder who was the first one that I heard use this analogy.)  We are threatened by foreign and domestic adversaries who are attempting to exploit both the physical and virtual aspects of our society.  Sure, a cyber war is possible and perhaps even probable at some point in the future, but I wouldn’t use that term to describe our situation yet.

 Our critical infrastructures, such as the electrical grid, are at risk. We need to partner in new ways across public/private organizations and local/state/federal/international governments. (Yes, we work with Canada in Michigan, and I am sure that southern states interact with Mexico.)

Sorry for rambling a bit in this longer blog, but this is a new direction for me. I wanted to share some of my thoughts on this change. I am excited about the new opportunities that are available in Michigan government.   My friend Will Pelgrin,  CEO at the Center for Internet Security, was right when he told me that I would be back to security before too long. It seems all roads lead to security for me – whether physical or cyber.

As far as this blog goes and my writing for Government Technology Magazine and PCIO Magazine – I’ll still be here, under a new name, probably “Lohrmann on Cyber Security.” The switch will occur over the next month or two. In the meantime, I will continue to write about government technology infrastructure and cyber.   Feel free to send me a note or write a comment on topics you’d like me to blog about. I’m always interested in your thoughts.


Lohrmann on Infrastructure

Building effective virtual government requires new ideas, innovative thinking and hard work. From federal stimulus projects to enterprise architectures to cloud computing, Dan Lohrmann will discuss what's hot and what's not in the world of technology infrastructure.


