April 24, 2010 By Dan Lohrmann
Since posting a blog on the Apple iPad's effect on government standards a few weeks back, I've received several questions from around the country regarding Michigan Government's processes surrounding the enforcement of enterprise standards. This topic seems to have generated a lot of interest from readers. Here's a quick overview of some of our controls.
Almost all state and local governments have laws, policies, rules and regulations regarding purchasing various hardware and software products and developing technology standards. But enquiring minds want to know how we control purchases, enforce policies, provide guidance, and manage the product standards once they are determined. Are there any "best practices" that I can share from Michigan on policy and standards governance? Beyond credit card limits and purchasing work flow approvals, how do we manage the formal approval process for requests and get to "yes" for our business customers? When do we bend and who gives in when business areas come to us with genuine (essential) requirements and real needs - and not just wants?
Actually, there are several helpful items I can share. After we consolidated technology into one agency eight years ago, it took us several changes to get where we are today. We hope and believe that our architecture is fairly flexible to meet a variety of circumstances, but some would argue otherwise. Our standards exception process has gone through at least three rounds of modifications over the past few years - and it has been painful at times.
As general background, you can access several relevant documents at this website, which covers Michigan's Enterprise standards. Our DTMB administrative guide lists many of our government-wide policies (see the 1300 and 1400 series policies on this page for some of the technology-related items). We are in the process of updating our technology plans and issuing a new strategic plan this summer, but the background provided in our current strategic plan from two years ago may be helpful.
Like most governments, we have committees to pick products, evaluate requests for proposals (RFPs), and ad hoc cross-functional groups to look at all aspects of service delivery. We also have an enterprise architecture team to assist with difficult situations, refresh technology plans, offer advice, etc. These individuals and groups can offer "solution assessments" that help various agencies decide on the most appropriate solution to solve their business problem. They offer help on security controls, explain which "zone" servers need to sit in, explain what products are supported, and much much more.
But the $6 million question is about enforcement of standards in security and technology architecture, and how we deal with the inevitable exceptions.
All technology purchases in the state need to go through our department. We have service catalogues that describe infrastructure services and pricing, from PCs to networks. Changes to firewalls, networks, or other devices are controlled through the ordering and internal request for change (RFC) process, and this prevents unauthorized changes from occurring.
But what about stuff like the Apple iPad that's not on the list? In Michigan, we have a Technology Review Board (TRB) and an Executive Technology Review Board (ETRB) to provide oversight. The TRB is a formal group that oversees exception requests. They deal with one-off problems and are empowered to grant temporary exceptions of up to six months. Longer exceptions and appeals go to the ETRB, which contains senior execs from all parts of our organization. Think of the ETRB as our technical "Supreme Court" for technology decisions, with representatives from all parts of the organization (including the customer liaisons, CTO, deputy directors, CISO and others).
Requests to the TRB (which comes first) or ETRB are made via online templates, and must contain the business case, return on investment (ROI), life cycle costs, support plans, and other relevant items. The format and discussion are very structured, and the process is kept as efficient as possible. While this may seem very complex to many readers, the process works well. ETRB decisions are made on 2-3 cases in under an hour, and the ETRB usually meets twice a month for 60 minutes or less. Emergency meetings are called when needed, and the group has even convened by phone.
The interesting thing is that quite a bit of role-reversal ends up happening amongst ETRB members. The security guys sometimes argue for business customer service, and agency reps argue for security changes. The board is fair and management enforces the rulings all the way down the management chain, so everyone has skin in the game. The focus is always on getting the agency business process working, and any risks identified with the technology exception are accounted for via signature by the business customer.
Best of all, the "word" gets out to staff. Technical architectures and standards mean something. If you don't follow the rules, your case will quickly get thrown out.
For example, exceptions granted for six months are reviewed in six months, and you'd better come back to the board with the system fixed or the security flaw remediated. (Yes, we have an excellent "secretary function" keeping track of all exceptions and timelines for the TRB and ETRB.) Checkpoints are added to track the status of changes.
The auditors love this process because it has real teeth and is based on repeatable processes. The businesses get to argue their security case, and no one (usually) ends up being the "bad guy." Most decisions end up being unanimous now, although that wasn't true four years ago when we started the TRB/ETRB.
Bottom line, the boards take the good, the bad and the ugly. We make lemonade out of project lemons. Our goal is to offer customer-focused answers while enforcing enterprise standards - a tough thing to do.
So what about that iPad you want - I mean need? Submit your business case, and we'll take a look. Otherwise, you can fight for whatever you'd like during the next enterprise architecture technology refresh cycle.
So what's your government's process for enforcing standards and balancing customer service? I'd love to hear other approaches. I will also answer any follow-up questions.
April 12, 2010 By Dan Lohrmann
There's been some tough press lately for cloud computing. Recent conferences on the topic have turned more negative as very high expectations are slow to be met.
Computerworld Magazine described this rising frustration in a recent article which highlighted comments from the recent SaaScon conference. Here's a short excerpt:
"Cloud computing users are shifting their focus from what the cloud offers to what it lacks. What it offers is clear, such as the ability to rapidly scale and provision, but the list of what it's missing seems to be growing by the day....
Judging from interviews with individual attendees and comments made during panel discussions here at the SaaScon conference, it's clear that there's a need for industry agreements."
Meanwhile, Network World offered this debate entitled Cloud: Ready or Not? The two experts essentially agree that cloud computing technologies will become big business, but both points of view list near-term problems with cloud adoption.
For more on this topic, there are plenty of other articles listing the cloud computing challenges in 2010 and beyond. The National Association of State CIOs (NASCIO) is highlighting cloud computing in a breakout session at their mid-year conference in Baltimore with a session entitled Cloud Computing and State Government: What is the Forecast. There are even some free webinars with public sector panelists, including yours truly, describing what they are currently doing in their state with cloud computing. I also wrote this recent article on the topic: Is Cloud Computing More Secure?
But the point of this blog is that the next steps in this critical cloud debate are occurring. The conversation is heating up on many fronts and inside many different industries - including government.
Experts say that group change requires four stages: forming, storming, norming and performing. It seems to me that technology evolution often goes through similar stages. If so, we are now in the "storming" stage, in my opinion.
What are your thoughts on cloud computing?
April 4, 2010 By Dan Lohrmann
iPad fever is here! On a weekend that celebrates Easter, the NCAA Final Four and record warm temperatures over half the country, everyone seems to be talking about the latest must-have cool tool, the Apple iPad.
Just in case you haven't seen it on TV or noticed any long lines out in front of Apple stores, the iPad has been covered by news outlets and technology magazines for several months. So if you can't beat them, join them. (Hence this blog on what it means for technology staff who need to adjust to this new normal.)
Maybe you were one of the thousands standing in line around the world to get an iPad. You've got to get your hands on this latest technology toy, which I must admit seems very attractive. Maybe you're even reading this blog right now on an iPad?
Or perhaps you're thinking: "Here we go again." Let's talk about that.
Government professionals, especially infrastructure staff, are struggling globally with truly implementing this concept of enterprise technology standards. Yes, there are plenty of good government technical architecture examples to look at, such as these websites in North Carolina or Minnesota. But I'm referring to the problem that companies like Gartner and Unisys call the Consumerization of IT.
So here are some basic facts:
· Technology professionals around the world decided long ago that standardization can save dollars. Consolidation and efficient use of technology is difficult if there are hundreds or thousands of different types of hardware and software all over the enterprise that need to be supported.
· Governments at all levels issue and follow numerous standards and policies.
· Most governments issue contracts which standardize on the desktop and mobile technologies which employees can purchase for work.
· Many employees want something different than what's available. New iPads may fall into this category (at least for a time).
· Government technology staff, and especially security staff, struggle with being labeled as the disablers when they deliver the bad news to staff. "You can't have the latest innovative technology!" (Not good.)
· Government often lags industry in adoption of new technology. This can be either perceived or real. Making the case for new technologies such as iPads can be difficult and/or take time to build an ROI. However, private sector firms struggle with these same issues.
· Employees often bring their personal devices to work and plug them in causing a variety of security, data synchronization or other problems.
· Trends like "bring your own PC to work" are slow to be adopted in governments.
What's a technology manager to do? This certainly appears to be a Win-Lose proposition, at least for now. (We're the losers either way.) I've known a few people that just opened things up to whatever people wanted. While they were short-term heroes, they no longer work for those companies or government offices.
Truthfully, I don't have any easy answers for you. There seem to be so many new cool technology gadgets coming out all the time. Will we ever keep up? I honestly doubt it.
I have seen answers in some circles which ban everything in sight, but those only seem to be accepted by staff when secret clearances are involved. (If you lose your clearance in the DoD, you're out of a job.)
The other extreme is just: "Trust me or I won't tell anybody." However, I don't see that working very well in the long run either.
Computer industry answers seem to either be company-specific or not very practical. Oftentimes you hear - "just buy all my products and you'll be fine." Excuse me, please go back and read the first part again. Your product is not the one that my customers are waiting in line for at this moment.
I'd love to hear your thoughts and experiences. How is your government dealing with all the new toys - from smart phones to iPads? Anyone wait in line over the past week at an Apple store? Plan on bringing the iPad to work? Inquiring minds want to know.
April 2, 2010 By Dan Lohrmann
I was jogging on my treadmill when I saw the breaking news on ABC: a Moscow subway bombing had just occurred. It was Monday morning, March 29, and I stared at my television in disbelief. My wife walked in the room as I pointed to the TV, "That's the same metro station that we were in four weeks ago. That's just a few blocks from Red Square."
After I watched the horrible scenes, I felt the same shock that I've felt several times since 9/11/2001. Those feelings hit me when I watched the coverage of the bombs going off on the London underground and after the trains were bombed in Spain. "That could have easily been us. We were just there!"
Why Were We in Moscow?
Back last fall, I had been invited by IDC Russia to be the morning keynote speaker at their IT Security Roadshow 2010 in Moscow. They asked me to speak on cyber crime, identity theft and online trends in protecting businesses and governments globally. The audience was primarily Russian businesses, and their list of sponsors was largely the same technology companies that we are familiar with in the USA.
Still, I was initially very skeptical about going. As a former NSA employee back in the 80s and someone who still works with law enforcement agencies in Washington DC, I was nervous about their intentions and about safety in the land of our former Cold War enemies. But as I asked more and more questions of the IDC conference organizers, I became reassured. In addition, respected colleagues from agencies in Washington DC and Michigan encouraged me to go. Others even pointed to the upcoming EastWest Institute-sponsored Worldwide Cybersecurity Summit in Dallas as an example of how we need to foster new cross-border partnerships to fight the bad guys online.
So after getting the necessary permissions and visas, my wife and I decided to turn the trip into a European vacation and wedding anniversary time away in Moscow and Rome. Our plan: three days in Moscow, followed by four days in Rome - while our in-laws watched our kids.
When we first arrived, it was a bit awkward. Our bags didn't make the connection from Germany to Russia, and we were stuck at the airport for several extra hours. Later, we almost missed our ride to the hotel since our driver was hard to find in the crowd, and he didn't speak English.
Still, we had a wonderful time sightseeing, and our Russian hosts were warm and friendly. Our college-age tour guide in Moscow spoke great English, and she took us to all the famous sites in Moscow, arriving by their Metro (subway). As we walked around the city, it was hard for me to believe that I was vacationing in Moscow in March. Our favorite tour was inside Saint Basil's Cathedral. The food was ok. (As you'd expect, the meals were much better in Rome.)
The IDC conference itself ran smoothly on Wednesday morning. The facility was a Holiday Inn with excellent technology and everything you expect to see at US technology events. I was amazed at their mastery of so many languages and especially near-perfect English. They had a translator who listened to my words in English and rebroadcast the speech simultaneously in Russian to those who wore iPod-like devices that they were given at the door. (Questions at the end were translated into English for me using a similar device.) I was intrigued to find out that the same translator regularly works with former United Kingdom Prime Minister Tony Blair.
At the end of my session, the questions that the audience asked were almost identical to the questions I typically receive at US events or at a conference I spoke at on vacation last year in South Africa. These were businessmen and women who were dealing with the same cyber problems, budget cuts and personnel challenges as most of us. They described their online threats and computer problems in terms which were very familiar. Their #1 security vulnerability (by at least 3 to 1 in a show of hands) was company insider threats. Yes, they were worried about their own employees' behavior.
My only complaint (not really) from Moscow was the pictures they posted on their website after the event. (I assure you, I was not disco dancing.) Either the photographer was shooting from strange angles, or I'm much more acrobatic than I realize. You can click on the translate button at the top of the page to read the captions. (Notice how the other speakers look so reserved compared to me.)
After the event, we had a very nice lunch with the conference organizers before leaving for the airport. Their descriptions of the online challenges facing businesses in Russia made me feel as if we could have been in another large US or European city. My wife and I truly enjoyed the experience. We returned home safely to Michigan, eight days after we left. I didn't plan to be writing a blog describing the trip - until the bombs went off last Monday.
So what's my point? We live in a small world that knows no borders when it comes to crime. As IT professionals, we understand the fact that the Internet is global, and we can be attacked from anywhere on the planet at any time of day or night. We discuss threats we face from Russia, Nigeria, South Africa and everywhere else, but there are potential partners in those countries that want to help in the fight against malware and online crime.
Indeed, several of the professionals I spoke with at the conference fear cyber attacks from the USA and China. That's all the more reason for us to work together, when it makes practical sense, with their criminal justice organizations and other "good guys" to stop the cyber criminals in every culture.
Don't get me wrong. I'm a loyal, flag-waving American who loves baseball, hotdogs, apple pie and Fords. My family enjoys living in Michigan, and I have minimal desire to move to Russia or South Africa. (However, they were both wonderful places to visit on vacation.) Nor did my slide deck or side conversations break any new ground regarding cutting-edge cyberspace protections, identity theft or malware sources overseas.
I also realize that I don't know these people very well. Just as in the USA, I would need to build more trust with specific individuals and organizations before collaborating on complex projects. It's true that there may have even been some bad apples in the room while I was speaking.
New Partnership Opportunities
Still, I sense a common cause amongst technology professionals around the world who want to fight cyber crime together on a global basis. I don't think I'm naïve in wanting to partner where it makes pragmatic sense. Yes, I realize that our countries have different interests in many economic, political and military areas. We don't agree on a long list of items.
And yet, we're all fighting terrorists (in both cyberspace and our physical world). In fact, New York, Washington DC, Atlanta and other global cities tightened subway security after the bombs went off in Moscow. We need to fight all forms of crime together. We need to build global partners, and many US technology companies have offices in world-wide cities including Moscow.
I made several new professional contacts and even "online friends" in Europe. More than that, the bombs going off in the Moscow Metro (killing dozens of innocent people) made me think even deeper about this question: who are our 21st century enemies?
Right now, I'm feeling Moscow's pain. I'm praying for their people. That could have been me in the news.
I'd love to hear your thoughts on this topic. Feel free to leave a comment below.
March 24, 2010 By Dan Lohrmann
In my twenty-five years as a security and technology professional, I have never seen so many hot headlines around technology issues. Whether you are reading the papers, watching TV or surfing the web, the tech headlines are almost rivaling March Madness and the Health Care stories. Let's jump right in:
Google Pulls Out of China: Of course, this is the hottest story out there right now, with daily updates. The stakes are high on so many fronts, and all aspects of this story are being reported by many sources. Here are a few perspectives:
Newsweek described the situation as An Unstoppable Force Meeting an Immoveable Object.
Here's an excerpt: "Google's bottom line won't be greatly harmed in the short term, as only an estimated 1 to 2 percent of the company's revenues currently come from China. But if Google departs China for good, the losses are incalculable. With 400 million Web users and climbing, China is far from a fully tapped market. Baidu, Google's biggest Chinese rival, today has roughly 65 percent market share, and will now lengthen its lead even more."
The Washington Post focused early on the Google users who worried that they might lose an engine of progress. However, some reported that the Chinese Internet users would not care much.
Others are speculating on what comes next, which will likely be a pattern for many months to come.
Changing subjects, many people are talking about a CIO.com article which declares that we'll all be working for tech vendors one day (soon). While this is another take on outsourcing and the commoditization of IT, the topic is not new. (I said something similar over 18 months ago in an article on cloud computing.) And yet, it seems to be popular right now, so I encourage you to read the article.
Lastly, the Wall Street Journal is reporting that the U.S. Aims to Bolster Overseas Fight Against Cybercrime (WSJ). Here's the first paragraph: "The alleged Chinese cyber attacks on Google have spurred proposals at the State Department and on Capitol Hill to establish an ambassador-level cybersecurity post and to tie foreign aid to a country's ability to police cybercrime."
Why cover three topics quickly like this? Mainly to give you a view into what I read over the past few days, but also to show how the world is a-changing - and technology is at the center. What are your thoughts on these headlines?
Building effective virtual government requires new ideas, innovative thinking and hard work. From federal stimulus projects to enterprise architectures to cloud computing, Dan Lohrmann will discuss what's hot and what's not in the world of technology infrastructure.