A messy scandal left California's IT governance structure in shambles. The state's Department of Information Technology (DOIT) shut down last year, largely for its role in a controversial software license agreement with Oracle Corp. Nobody knows what the state will do; and everybody is wondering how to fill the vacuum.
The current situation is strikingly similar to the failed implementation of a new DMV database system nine years ago, which cost California as much as $51 million and triggered widespread scrutiny of the state's ability to build and manage IT systems. Following the DMV system's failure, then-Gov. Pete Wilson convened the Task Force on Government Technology Policy and Procurement to determine which parts of California's IT machine were broken and make recommendations for fixing them.
"California is in the midst of an IT crisis where the dangers of not changing are greater than the dangers of changing," the task force wrote in its September 1994 report.
Those words ring just as true today. California is operating without a central IT agency, which is responsible for articulating a statewide strategic technology vision, overseeing agency IT projects and approving agency IT expenditures.
Pessimists would say the state is in dire straits. Optimists might contend that California's latest IT disaster puts the state in the right place at exactly the right time. DOIT's closing may have created temporary IT-management turmoil in California, but it also gives the state an opportunity to implement some new ideas, potentially making California a test tube for redefining the role of state CIOs and creating a new model of IT governance for other states to follow.
As California's policy-makers ponder their next move, they sit on the cusp of an emerging debate over how much power a state CIO and centralized IT agency should wield.
Getting the Balance Right
The rationale for rigid centralized control of IT projects and purchasing held that IT is important enough to merit a Cabinet-level presence in states, and such a presence cultivates an environment in which CIOs can implement enterprise-wide technology changes.
The wisdom of that approach is increasingly questioned. A growing argument is that new Internet-based technologies and a changing political landscape within states -- where agencies are gaining power -- create the need for a more collaborative approach to IT management.
"This debate over centralized versus decentralized or strong versus weak is really coming to the fore," said Sharon Dawes, director of the University at Albany's Center for Technology in Government. "Neither extreme model works very well. Complete decentralization gives you no economies of scale and no way to build a common, robust infrastructure you can afford to support -- and we know that has problems.
"Complete centralization forces all decisions that should be made at various levels of authority -- or at various points in the system based on where the knowledge lies -- to a single point, and that doesn't work so well either," she said. "Everybody is struggling to find the right middle ground."
In large part, the debate focuses on where to centralize IT resources, because some aspects -- network infrastructure, electronic signatures, payment processing, IT work force investments, adopting technology standards -- lend themselves to that approach, Dawes said.
"Those things need a central point of view; everybody benefits from having a standardized, well-understood infrastructure and way of doing certain things," she said. On the other hand, agencies themselves possess business and programmatic knowledge unique to their missions.
"What's really needed is to connect those two areas of strength in a way that makes sense and delivers value for the state as a whole," she said.
No More Enterprise
Because of the Internet's reach and its ability to improve information delivery and accessibility, moving to an "interoperability architecture" is perhaps the biggest challenge governments face in the future, said Chris Thomas, chief strategist of Intel Corp. It's a potentially jarring change, given governments' penchant for enterprise thinking and building architectures that support an enterprise point of view.
Governments need to move from an enterprise architecture to an interoperability architecture, where disparate systems work together but don't control each other's destinies. Jurisdictions can focus less on individual computing systems and more on services that groups of interoperable systems can provide, Thomas said, because application interfaces now open into standard data formats that allow different architectures to communicate.
"If we take a backwards look at the world, everything was moving toward a centralized architecture because everything needed to be controlled because nothing could work together," he said. "There was no way for me to get information from you, so I may as well put it all in my databases."
To Thomas, the danger in that approach is that once a particular agency creates such a database and supporting set of systems, it must depend on other agencies to comply, when it's practically impossible to force compliance on those other groups.
"What the Internet has done is force organizations to open those systems up so other people can make use of them," Thomas said.
In the new scenario of interoperability, a CIO would not dictate to agencies a single approach for conducting business. Instead, the CIO would focus on building collaboration among agencies, encouraging agencies to create systems that share information with other agencies without requiring their system architectures to align, such as using document-based XML Web services.
"Giving somebody the job of a centralized architecture for government is actually setting them up for failure," Thomas said. "Providing them with the job of advocating interoperability and driving the standardization of interoperability between the organizations is setting them up for success. That type of change is blowing across the discussion groups in the sense of how people are changing IT because of the nature of the new standardization wave of Web services."
Individual agencies would control how they use technology to accomplish business goals, Thomas added. "Your centralized legislation isn't, 'Here's the products you use; what function you have to accomplish; and here's how you must architect.' It is, instead, 'If you want to play well with others in government, here's the interoperability approach we're asking you to take.'
"That can be legislated, and that can actually provide a tremendous amount of cost savings," he said. In fact, Intel took this approach internally about five years ago when it was awash in middleware packages that business units deployed as needed -- much like governments do. The company saved millions of dollars as a result of the move.
An IT Federation?
Steve Kolodney, vice president and director of AMS' Office of Digital Government and former CIO of Washington state, agreed that the position of CIO is fundamentally shifting. With the challenges of Y2K and implementing first-generation online government services resolved, the role of CIO must evolve, he said.
"We're moving from a centralized view of technology to a federated view of technology, in which everybody gets to play," Kolodney said. "We're in a period in which agency power rises; central power falls; and you get into a confederated arrangement where governance makes all the difference in the world. If that is so, the role of the enterprise person, the CIO, is very different from what it was a year ago or two years ago."
The reality facing California, and practically every other state, is a budgetary nightmare in which shrinking tax revenues are the bogeymen and budget deficits are bottomless pits.
In this scenario, Kolodney said decision-making power is automatically devolved to agencies because they must make business decisions about where and how to cut their budgets -- and in the practical reality of this climate, agencies won't have to listen to a central authority.
Another reality facing IT governance in California is that oversight power has, for now, swung back to the Department of Finance, partially because DOIT isn't around, but also because the Technology Investment Review Unit (TIRU), a division of the Department of Finance, emerged from the Oracle scandal smelling like a rose. About a year after the Oracle contract was pitched to the state, TIRU raised concerns about the contract's viability to directors of both DOIT and the Department of Finance -- concerns that ultimately were ignored.
In this landscape, Kolodney said the best thing a CIO in California can do is shepherd a governance process that fills in the weak spots.
"In my view, the CIO would have three primary functions: to be the adviser to the political process; that means to be the speaker of the story to the governor's office, to the Legislature and to the community of interest; to be the holder of the enterprise architecture; a federated environment has to be architected -- like a community has to be architected -- and somebody has to be the owner of that.
"Number three, somebody has to invoke the governance process," he said. "Somebody has to chair it."
Under this new CIO reality, a process that forces IT project accountability was omitted. To Kolodney, solving that puzzle means creating a public process under the control of a board that drags projects into the sunshine. Perhaps most importantly, this reduces CIO involvement in the day-to-day minutiae of running IT projects -- a very necessary thing. "The structure California chooses might be the first implementation of a new way of thinking about federated government and governance of technology in that kind of arrangement," he said.
Already in Place
If the proof of the pudding is in the eating, at least one large jurisdiction is happy with the federated model now in place. Oddly enough, Dianah Neff, the new CIO of Philadelphia, said she was brought into the city to centralize IT services and management, but soon abandoned that approach.
"When we came in and really looked at the environment here -- how ready the organization was and what it was going to take to move us there -- it was very evident that we had to take it a little slower and find something that worked better for Philadelphia," she said.
Neff said she considered the federated approach to IT governance when she was CIO of San Diego because she liked the idea of a separation of duties with an overlap of responsibility.
"There are certain, defined roles for the central organization, and there are shared, citywide aspects -- vision, strategy and leadership. The departments take ownership of those applications specific to their business, but where we have shared services, like electronic bill presentment and payment, we would have only one such system across the city, and that would be managed by the central organization," she said.
The CIO does have a large degree of power in the federated model: The CIO still controls how much is spent on what, Neff said, and sets standards the enterprise departments must follow when creating internal applications.
The decentralized approach allows the departments to move more quickly, Neff said, but one drawback is that it doesn't give the enterprise the economies of scale, a set of common standards or the possibility of skill sharing across the organization.
"In the federated model, we still let the businesses who know their business be responsible for the departmental applications, and for participating in cross-departmental and citywide applications, and the supported selection of standards," she said. "But the responsibility for driving the budget, making sure we have critical skills, centralizing the financial planning and budgeting, and the tracking and evaluation is done in the centralized organization."
The federated model takes a more balanced look at IT governance and puts some degree of autonomy in departments' hands, but it also requires departments cultivate a new mentality.
"When you're used to being able to do what you want when you want, and you're asked to work more as a team and to sometimes say, 'For the better good of the whole, I may not be able to do my project this time, but this will benefit the city,' that's a different way of thinking," she said, adding that getting people to see outside their agency isn't easy. "It's more of a struggle."
In good times, Neff said, everyone likes the decentralized model; but in bad times, when agencies are held accountable, the federated model makes more sense.
"The federated model assigns accountability across levels," she said. "When you've defined who has what roles and responsibilities, you can attach the accountability to that. The departments are accountable for the implementation of IT services that meet their business needs. It allows you to track and evaluate people's success against what they've come to the table and agreed would be their roles."
If the Shoe Fits ?
One veteran of California's IT wars said something like the federated approach holds promise for the sprawling state. Lynn Wright, deputy director of DOIT under the state's first CIO, John Thomas Flynn, contends California doesn't need to centralize IT authority.
"In my view, DOIT was given far too much responsibility -- such as shutting off projects and approving projects," Wright said. "Those responsibilities should be at the agency level.
"I don't think you can have a central organization -- unless you put 1,000 people in it -- that can do what DOIT was envisioned to do, and that was to approve, control and oversee all IT projects," he said. "There's too much conflict of interest between DOIT and the agencies. There was a lot of pushback from the agencies in the early days, and that probably continued until DOIT reached sunset phase."
Nor does Wright buy into arguments that an iron-fisted central entity could force California's notoriously independent state agencies into building interoperable IT systems and adhering to a baseline set of standards.
"That doesn't happen," he said. "When you have agencies the size of California's agencies -- where you have 10,000 or 15,000 people in an agency -- it's really hard. I don't think you're going to be able to have an organization that can force those things. They have to be sold to the agencies.
"I found agencies were very open to ideas, as long as you were asking them, 'Would this fit in your agency?'" Wright said. "What I really found them resisting was any central direction saying, 'Thou shalt implement this.'"
Strong Is Good
Others firmly believe California should go back to one strong central IT agency. They note that powerful agencies, such as the Department of General Services and Department of Finance, can make other departments do things they might not want to do.
The 1994 task force report called on the state to "establish a position of CIO as an agency head and a member of the governor's policy-making staff." It set forth the primary responsibilities of the state's CIO, which included developing and communicating the state's overall IT vision and direction; coordinating IT planning policy, standards, communication and synergies across agencies; establishing a link between public and private sector in developing long-term partnerships and joint ventures for IT; and developing and overseeing a suitable statewide IT infrastructure.
Some of the task force's recommendations ultimately found their way into the legislation that created DOIT in 1996, but critical components did not.
"California absolutely needs, and will need, an agency such as DOIT," said Jack Hancock, who was chairman of that task force. "The state will go back to having another major problem and the state will create more study groups that will come to the same conclusion we did."
Despite the lack of legislative support and confidence that led to DOIT's closure, Hancock said he does not buy the argument that California is simply too big to administer IT from a central authority.
"You can make exactly those same arguments about the Department of Finance," he said. "You can say agency heads are too big, and they ought to run their own show. But the Department of Finance has a very strong voice, and plans drawn up that are going to be expensive have to be run through the Department of Finance.
"The same things ought to be said for IT," he said. "There are so many models in the private sector -- the big companies; the General Motors and General Electric -- and their CIOs are vested with a lot of responsibility."
Hancock, who spent many years at Pacific Bell, said even he initially thought the "CIO" title was unnecessary when first introduced in the corporate world.
"I've come to accept the fact that it's necessary and performs a very legitimate function," he said. "The state will be missing something if it does not re-create, essentially, or go back to this idea of a central IT authority."
Hancock also said he agrees, in part, with Wright's contention about DOIT's role. California is too big for a DOIT to be involved in agencies' IT systems operations, he said. DOIT should set policy, enforce policies and audit standards compliance.
"Information technology is the way organizations function," he said. "They live on information and the technology, and unless you control it, audit it, have standards, procedures and policies, and enforce responsibilities, it's simply going to be an organization operating at half speed."
