Government Technology

By Dan Lohrmann: Covering the technology challenges and innovative opportunities available today, from government efficiency projects to implementing cloud computing.

Mobile Device Management - More Smartphones Mean More Questions for CxOs

October 9, 2010 By Dan Lohrmann

Microsoft is set to launch new devices running their Windows Phone 7 (WP7) operating system (OS) on Monday. While this is being labeled by industry experts as a vital new offering from Microsoft, new questions continue to arise for global enterprises. What mobile platforms should be allowed? Should standards be set to limit user choices or should customers be able to choose an iPhone, Blackberry, Droid or any other mobile device? The “cool factor” and business benefit may be real, but what are the hidden costs?

What is clear is that the battle for mobile apps is heating up, and the mobile OS space has moved up to become a core issue for CxOs over the next few years (along with cloud computing, identity management, data analytics, virtualization and a few other hot topics). Not only are the stakes very high, the issues are complex for government infrastructures.

Nevertheless, most companies and governments are gearing up to support multiple smartphones, according to a Network World article that acknowledges the headaches it will cause. According to the article:

“A recent Forrester survey shows that businesses are already revising their client computing strategies to incorporate smartphones from multiple vendors. One reason is that it's easier to attract top employees if you let them use their favorite smartphones for business and personal use. And while that strategy may work for the front office, it's a challenge for IT staffers who must keep up on security threats on multiple OS platforms.”

So what are the headaches? This InformationWeek article lays out many of the Mobile Device Management (MDM) issues that must be addressed. It all starts with the policy, and a few of the items that need to be included are:

  • “Remote wipe/remote reset
  • Hardware control: Include camera on/off, Bluetooth on/off, Wi-Fi associations to certain SSIDs only, and access to internal or external storage
  • Mandatory authentication methods for gaining user interface access
  • At-rest encryption: Whole disk or file-by-file
  • Firewalls: Protection from unwanted inbound IP connections to the device via the Wi-Fi or 3G/4G radios
  • Anti-malware: Protection from malicious software code for operating system components or files that make their way onto the device, such as via e-mail”

I recently told a group of internal staff members to begin thinking of mobile devices the same way that they think about laptops. That is, what are the risks for our teleworkers and/or laptop users (including offsite at hotels and restaurants) in the enterprise today? Sure, there are real differences, but we have the same risks such as malware, acceptable use for websites visited, protecting information and identity management issues in both places. The truth is that laptops are getting smaller and lighter (becoming netbooks) and smartphones can do many more things. This trend will only continue.

This National Association of State CIOs (NASCIO) Research Brief is a great place to start in learning more on the topic of “Security at the Edge.”



NASCIO Conference Day 3

September 30, 2010 By Dan Lohrmann

Day three at the NASCIO conference began with a keynote session led by Thornton May, who is an IT Futurist, Executive Director and Dean at the IT Leadership Academy and Author of The New Know: Innovation Powered by Analytics. This session was interactive (we broke into short table discussions at several points in the talk and reported back via a traveling microphone). If you ever get a chance to see Thornton May live - do it!

This was my favorite session of the three days. Thornton May is not only a thought-provoking speaker, his presentation was fun and funny with a very different type of supporting graphics. He makes his points through great questions and a wealth of stories which help provide possible answers using data/analytics.

He started by stating that we are in a unique moment in history. Our key questions should be: What has changed? And what will change? He asked the audience to offer three things that will be different three years from now. (This was a table discussion topic for three minutes.) Some report-out answers included:

  • Leaders will be challenged to do more with less
  • Staff will work for multiple companies
  • More part-time workers
  • A more polarized political situation
  • Security issues will grow in the world
  • More connectivity with government to citizen engagement
  • More online self-service with government


Thornton May asked the audience members to discuss trends in the answers they heard, which included:

  • More shared services
  • Leadership changes
  • Better connectivity
  • New world of virtual work with more choices
  • Security issues


Thornton jumped into the theme that "Next" will be different, so what are you doing about it now?

In 2005, a survey of senior business executives said that Information Technology (IT) was 24% effective. In 2009, 23% of senior business leaders said that IT was effective. He stressed the point that we need to use data better to drive results. Information such as:

  • $75 billion is wasted on IT projects every year
  • 80% of our IT dollars are being spent to "keep the lights on."
  • Research says that the next 5 years will be ugly for state and local government budget revenue


As for answers to improving, we need five skills to be successful in the new normal according to the speaker:

  • Self knowledge
  • Other Knowledge or empathy
  • Environmental Knowledge or sense making
  • Movement Knowledge or Vision
  • Value Knowledge or Innovation

Innovation is converting ideas into cash. Invention is converting cash into ideas.

There are four IT "New Knows" that we must understand:

  1. Where are we?
  2. Where do we want to go?
  3. How do we get there?
  4. How do we convince others to come along?


The key to being successful is to have mutually agreed upon objectives with the business. Our questions will bias our answers, so we need to go to the destination and work backwards (or be outcome focused.)

His main point was that we need to see data differently. In four years we will have (at least) twice as much data as we have now. We are at an inflexion point, and everything is moving faster. Things are out of sync, and the CIOs need to be bringing synchronization back. Look for big picture trends and focus on the outcomes.

Thornton showed again that he is an optimist who is passionate about improving IT/business results - by the numbers. (I plan to buy his book.)

The last session of the NASCIO Conference was: Leadership in Tough Times: Implications for the Transition. The session was moderated by Jerry Mechling who is the Research VP at Gartner and an Adjunct Lecturer in Public Policy at Harvard's Kennedy School of Government. The panelists were Teri Takai, California CIO; Phil Bertolini, CIO of Oakland County, Michigan; and Stephen Fletcher, CIO for the State of Utah.

The focus of the discussion was on the just-released paper from Harvard University entitled: Leadership for the New Tough Times: Priorities for IT-enabled Government Innovation. The dialogue was fascinating with each of the panelists telling stories and sharing insights on how to change government culture and work differently in these very difficult budget circumstances.

The paper offers insights for the transition and preparing for the new administrations. I will post a link to this excellent paper when it becomes available soon.



NASCIO Annual Conference Day 1

September 28, 2010 By Dan Lohrmann

I'm at the NASCIO Annual Conference in Miami this week, and there is record attendance.

The opening keynote by best-selling author Don Yaeger was inspiring and funny. He told a series of stories from playing one-on-one basketball with Michael Jordan to being mentored by the great basketball coach John Wooden. His major focus was the characteristics of greatness, and here are a few of his 16 points:

Point 1 - It's personal. They hate to lose more than they love to win.

Point 2 - They understand the value of association. You'll never outperform your inner circle. (Who do you spend your time with that pushes you?) Mr. Yaeger told several great stories about Bill Walton being pushed by Swen Nater in practice more than anyone else during the real games.

Point 3 - Greatness is measured by your heart. "You cannot live a perfect day without doing something for someone who cannot repay you." (By John Wooden)

The "secret sauce" that set this opening apart was the emotional story behind every point made - especially the Warrick Dunn stories. Mr. Yaeger emphasized that we each can choose to get bitter or better when we face adversity, and Warrick Dunn chose to get better despite setbacks.

After the opening, I attended a breakout session - Cybersecurity: Emerging Threats, Evolving Roles. The speakers were David Taylor, Florida CIO; Will Pelgrin, president and CEO of the Multi-State Information Sharing and Analysis Center (MS-ISAC); Srini Subramanian, security lead for Deloitte, and Randy Vickers, director of the U.S. Computer Emergency Readiness Team (US CERT).

The panel discussed emerging threats, and Randy started by saying the traditional threats, such as phishing, malware, insider threats and external hackers, are getting much more sophisticated. The best medicine is information sharing and partnering through the GFIRST portal and MS-ISAC.

Mr. Vickers also urged the audience to sell cybersecurity better with new ROI reports and discussions on what's at stake for reputations in states. This will lead to implementation of more best practices.

Will Pelgrin emphasized the speed of change in cybersecurity. He pointed out five areas of concern, including: end-of-life software, not patching old devices, new technologies such as smart phones, human behavior challenges and new forms of attacks from external bad guys.

Srini Subramanian discussed the need for enterprise privacy officers in states as he discussed the recent Deloitte Survey of States. He quoted one response which described their cybersecurity challenges as being, "an over-the-top suspense movie" that few would believe.

David Taylor said that CISOs obviously need more resources around the country, and he asked Randy if the federal CISO model and/or FISMA was the answer. Randy responded by saying that FISMA had its problems and the federal space still was not best practice. Still, FISMA 2010 was much better.

Will emphasized the importance of collaboration and reporting, and suggested that more command and control was not the answer. He encouraged an approach to win over agencies and gain respect by actions. He did say that some policies must be mandatory - but encouraged giving 18 months to implement them.

Randy basically agreed, but he also responded by saying that we all need "sticks and carrots." He said, "CISOs must have the authority to protect networks from attack."

David Taylor stated that security policies in Florida have the effect of law, and Florida has taken an approach to partner with auditors and assessors to certify systems statewide. Srini added that 80% of states have a good plan, but the implementation of security programs was struggling. In addition, 90% want a singular approach similar to FISMA.

A discussion on scorecards and grading cybersecurity offered a mixed view - with several panelists stating that scorecards offer a good "snapshot of the past." Will suggested that states pick an approach and go with it.

The panel wrapped up with a refocus on shared services within cybersecurity. Randy emphasized the need to work together across state/local/federal boundaries. Cyberstorm III was an example of a good activity to gauge readiness and overall progress.



Internet Explorer 9 Beta Is Here -- Time to Start Testing?

September 19, 2010 By Dan Lohrmann

Microsoft released the new Internet Explorer 9 (IE 9) beta web browser this past week, and the initial reviews from technology critics and even competitors like Google are positive. Here’s what news.com.au in Australia had to say:

“Internet Explorer 6 struggled to cope with the demands of the modern web user right from the start, and IE7 and IE8 didn't do enough to differentiate themselves to convince people to upgrade.

Now the software giant seems to have bounced back (with IE 9).”

As for new features, I like this high level summary at mintywhite.com which reports specific improvements in the following areas: 

  • Better Performance
  • JavaScript engine
  • Better Usage Of Hardware
  • Better Web Standards Support
  • Enhanced CSS3 Support
  • ECMA Script feature enhancements
  • Added HTML5 support
  • SVG features
  • Developer Tools addition

The finished version of IE 9 is expected in the middle of 2011, but there should be new versions of Google’s Chrome and Mozilla Firefox next year as well.  This battle of the browsers should continue to be very interesting over the coming year, as it has been in the past.

Meanwhile, developers may want to start learning and taking advantage of new features in IE 9. This Internet Explorer Beta Guide for developers is worth looking at for web teams – who usually worry that new browser releases may cause havoc on websites. Early testing is an important step in ensuring that the final browser products work with government portals as well as our office automation teams.

Meanwhile, on a personal level, I downloaded the new beta versions on a home computer and played with the new Microsoft browser this weekend while watching college football. (I even researched this article with IE 9 beta.) It’s too early to really tell, but I think IE 9 runs quicker than IE 8. (To be fair, I also experiment with and use Google Chrome and Mozilla Firefox.)

What are your web browser preferences?



Virginia: We're With You

September 6, 2010 By Dan Lohrmann

There have been quite a few headlines lately about the current challenges facing Virginia's government technology infrastructure. From this IEEE Spectrum article, to Computerworld in the USA to the United Kingdom's version of the Computerworld Magazine, the situation has been covered globally in the mainstream and technology press. Virginia Governor Bob McDonnell has even announced an independent review of the recent "unacceptable" computer outage.

For the past few weeks, many technology professionals around the country have quietly been watching and hoping for the best for our colleagues in Richmond, Virginia. Despite online criticism, technology leaders in other governments recognize the potential ramifications for all of us. Several of us believe that technology and security pros in government need to do some infrastructure-searching and ask: could a similar failure happen on my network? This is one of those "moments in time" when technology professionals need to take a step back and ponder those nebulous "what ifs."

Honest technology veterans not only recognize that such outages can happen, we have lived through several mini-crisis situations. Over the past two weeks, I've received calls and e-mails from respected colleagues around the country with comments such as: "We recently had a major outage as well... that almost caused a similar (widespread) impact. We were very fortunate that.... (some good thing happened)."  Somehow, in each case, they pulled through and stayed below the public radar.

Or, as the Washington Post stated in a quote of an Arizona technology analyst named Robin Harris: "People in the industry are watching ... as this unfolds. There's a lot of 'there but for the grace of God go I' kind of thinking."

No, we don't have insider details regarding what happened in VA.  In fact, as I write this blog, I know little more than what's available from public reports. (Our team will be getting briefings from related technology vendors this week, but those discussions will be under a non-disclosure.)

But before we get to potential action steps for the rest of us, let's put this situation into historical context. From Y2K to 9/11 to the Northeast blackout of 2003 to spreading viruses to malware attacks to lost or stolen laptops, technology leaders are constantly being asked to prepare for and react to unexpected emergencies. Other times, the technology doesn't work as expected. Email fails - even for Google. Mission-critical systems can't communicate, or networks go down in strange ways. Tech leaders worry about losing backup tapes containing sensitive information. Insider threats, such as this incident in San Francisco in 2008, can get out of control.

No doubt, government technology shops know these things. We have onsite and offsite backups, DR plans, real-time redundancy, alternative systems, business recovery plans and more. We've dealt with weather emergencies and the aftermath of 9/11. We prepare with exercises like Cyberstorm I, II & III. We test our processes and procedures to prove we can respond and recover. 

We've all been audited, and we respond with new approaches that are foolproof - until the functions don't work as advertised in a crisis. Perhaps the scenario that was tested is not the one that occurs. Which leads us back to that tough question - what about my government's technology infrastructure? We think about vendors and products. Where are our biggest weaknesses? How can we mitigate those risks and/or prepare for the unknown?   

Don't get me wrong. Following ITIL and building good DR plans are very important and we can (and need to) continue to improve in these areas. And yet we still know that unexpected things do happen. How will your team respond? Who will they call? What is done in the first few minutes is often very important in how the recovery effort will proceed for the following days and/or weeks.

So here are five things to ponder before technology fails:

1) Think people, process and technology. Are the DR plans workable? Has your staff been trained to execute quickly? We have found that people issues are the hardest to prepare for and resolve. In addition, emergencies generally go bad when two or three of these are involved in an incident - and not just a single failure of technology or a human error.

2) Communication is the key in a crisis. Answer this: Who will your team members call and when? What will they say? Just like the fire department: How fast can the team respond? Also, proper expectations need to be set regarding recovery, or the trust will disappear between partners. Is the front-line ready?

3) Look for the gray areas in DR and business continuity plans. In Michigan, we've found that technical staff are often uncomfortable making the call to go to backups or pull the trigger on major recovery efforts. Techies tend to try to fix the problem themselves and not tell anyone. If you get management involved to quickly escalate issues, additional resources with a wider view of the problem can often remediate the issue before it spreads. Looking back, gray areas in our plans have hurt us. After the fact, we play "Monday morning quarterback" and realize we should have brought in vendor expertise earlier or gone to "Plan B" faster.

4) You can never outsource the responsibility. Where does the buck stop? No matter how good our vendor partners are, the government will always answer to the public when business functions are not available. Build a joint team and practice together with contract partners, but remember who will own the end-to-end result. Know the boundaries of contracts and test plans across those boundaries. Be accountable.

5) Practice makes perfect - almost. Run drills, conduct tabletop exercises, talk about lessons learned from previous incidents, share stories, ask "what if" questions. Test scenarios. I like this quote from Vince Lombardi: "Practice does not make perfect. Only perfect practice makes perfect."

Despite our best efforts, bad things will continue to happen to our technology infrastructures. It is part of our job to help staff prepare for those situations. Like a respected football coach with a talented team and a good game plan that goes bad for any number of reasons, we need to be flexible enough to adjust and still win the ballgame. Or perhaps, after a tough loss, we need to bounce back and salvage the season.  

Virginia's government technology team may have done everything properly and yet still be confronted with this difficult situation. We will know more details soon enough. And yet, they are known around the country as an excellent technology program with a respected reputation for excellence and leadership. This fact alone should cause each of us to pause and take notice.

Regardless of the outcome, they are also respected partners in government who have shared best practices with other states at National Association of CIOs (NASCIO) conferences. I am sure Virginia will bounce back and grow stronger through this.  

For the rest of us, as we get ready to come together for the annual NASCIO conference in Miami at the end of this month, many will be thinking about Virginia's experience. We have entered a new decade where hardware, software, security, centralized data centers, cloud computing, mobile devices and more must work together. The complexity will be a challenge for every state and local government as we strive for increased efficiency.

Therefore, we need to be looking internally and asking (one more time): If technology fails, now what?

I'd appreciate hearing your views on this situation or on similar challenges in your government technology program.

