Network security may be threatened by rising workloads and shrinking budgets.
Caption: Ken Theis, director, Michigan's Department of Information Technology
When Terry Childs, a network engineer for the city and county of San Francisco, locked co-workers out of the city's computer network in July 2008 and refused to hand over access codes - even to the police - it took a jail-side visit from Mayor Gavin Newsom before the rogue IT worker surrendered the password.
Childs' actions caused a sensation in the IT community. In particular, the blogosphere lit up with comments on the ramifications of San Francisco's network administrator-turned-malcontent hacker. Seattle Chief Technology Officer Bill Schrier blogged that Childs "apparently had a disdain for other administrators, staff and management in the [IT] department." InfoWorld's Senior Contributing Editor Paul Venezia blogged that Childs was "a disgruntled network admin."
But some comments revealed that Childs had supporters. "I sympathize with Mr. Childs' would-be goal of protecting the network," wrote one person in response to a July 28, 2008, blog post by Eric Knorr, another InfoWorld editor. "I got to tell you I don't think Terry meant to do anything malicious at all," wrote another. And still another stated that San Francisco was "making a scapegoat out of Terry Childs" because the city "dropped the ball" by not securing the passwords sooner rather than later.
Childs' motives may be debatable, but the threat posed by insider sabotage definitely isn't. In 2007, the National Association of State Chief Information Officers (NASCIO) released a report, Insider Security Threats: State CIOs Take Action Now! that suggested public scrutiny of government employees may reduce aggressive oversight and compliance regarding insider threats. The report cautioned CIOs about IT experts within state IT departments who have a hacker mentality. "This person is perhaps the most dangerous of all due to his or her expertise and resulting ability to exact a significant amount of damage which could garner unfavorable headlines," the report said. Although the NASCIO paper doesn't detail the underlying causes, it does show insider attacks are rising rapidly.
These findings mirror a 2006 survey conducted by the U.S. Computer Emergency Readiness Team, a federally funded research and development center for Internet security expertise, which found that 68 percent of cyber-attacks originated from within an organization.
Stress could be one factor behind the rise in internal attacks. In October 2008, Robert Half Technology surveyed IT organizations and found workers are not only accomplishing more with fewer resources these days, but the cutbacks are taking a toll. Thirty-six percent of CIOs interviewed said bigger workloads are the greatest source of stress for their teams. Twenty-two percent cited the pace of new technology as the biggest stressor, followed by office politics at 18 percent.
Workloads are not a new problem in the public sector. Government IT departments have been under pressure to maintain the status quo or cut back for some time and the bad economy doesn't help. Data from the 2008 Public CIO Annual Reader Survey found that 68 percent of respondents saw either no change or a decrease in staffing levels, and 58 percent saw no change or a decreased budget.
In October, the Center on Budget and Policy Priorities reported that at least 39 states faced budget shortfalls, while half of the states had already cut spending for fiscal 2009. With IT viewed as a major cost in government, CIOs and their workers - in virtually all government sectors - should expect to see further pressure to curtail IT budgets, along with a rise in worker-related stress.
We Must Balance Our Budget
If rising workloads and shrinking budgets contribute to stress, then San Francisco has had plenty of it. "I think we're on our eighth consecutive year of budget shortfall," said Chris Vein, CIO of San Francisco. "And San Francisco is a jurisdiction like many where we have to balance our budget. We can't deficit spend; we can't borrow. And the reason that the eight years becomes important is that by this time, you've done just about everything that you can that will not cause pain."
When the public leaders decide to reduce funding, IT is often at a disadvantage, Vein said, because the people in charge of the purse strings don't always know how IT works.
"Most policymakers' eyes glaze over when you start talking about technology. They don't understand it; they don't have time to understand it," he said. "So it becomes very difficult for them to understand when you say that budget cutting will have a negative impact and a far-reaching impact on the ability of an organization and municipality to meet the mission of providing services to their citizens."
In Michigan, IT workers have contended with a major consolidation initiative and budget trouble, according to Ken Theis, director of the state's Department of Information Technology. The combination has added to workers' woes. "Major budget challenges have occurred in the last five years," he said. The consolidation involved phasing out jobs, and the remaining employees had to take on more work than they would've had otherwise.
"We had an early-out program that took about 20 percent of our staff out of our organization. We were not able to replace any of them," he said.
Since state government didn't allow the Department of Information Technology to replace any of its retirees, the remaining employees had to pick up the slack. "People were working, not only harder and more hours, but with technologies and platforms that they had never worked with before," Theis said.
Back in San Francisco, budget restrictions forced Vein to lay off some staff. "[With] so many years of budget cutting, I couldn't absorb these cuts anymore, and that meant I had to lay off staff that I no longer had money coming in to pay for," he said.
Vein said he tried to save as many jobs as possible and best utilize available resources by implementing a change-management strategy that involved transferring the management of some business units' out of the Department of Technology's purview and into the business units themselves. He said he felt that this would save his department some long-term headaches.
"While I understand and believe in the efficiencies of centralized support, sometimes when you have the application divorced from the business owner - i.e., not in the department - there can be a tendency for the department to just blame the central IT department for any failures of the department application and not take ownership," he said. If departments manage their own applications, it's Vein's belief they'll assume more responsibility and gain a better understanding of what it takes to manage them.
But the transition also meant moving some of Vein's central IT staff into other departments, along with the applications his department once managed.
"I ended up fairly significantly changing the staffing of the department by transferring out roughly 26 or 27 people and laying off 20 or 21 people," he said.
Did this upheaval cause friction? Definitely.
"These were people that had been there for a very long time, very good workers, very dedicated to their jobs and didn't understand why this was happening to them, didn't understand why I was doing this," he said. Vein added that many discussions with employee unions ensued, which in some cases resulted in grievances. It was tough not only on people who were forced to move, but also on the departments who were forced to receive them.
Talking It Out
Vein said he operated from a position of strength thanks to approval straight from the top.
"This issue was supported by the mayor's office, so that support basically provided the framework for me to move within," he said. Even so, Vein said he wishes he had done more.
"I didn't do enough, and in some cases, I didn't do the right amount of communication. Hindsight is a wonderful thing, but I attempted to do it," he said.
Jeffrey Clouse, CIO of Ohio's Department of Public Safety, also believes in the power of communication during tough times. "I think that the value of communication cannot be overstated, and communication is obviously more than just in words. You communicate a lot with your actions. Obviously keeping employees informed as to where you're going, what's happening," he said. "Being honest - that's No. 1."
Clouse may be in a more comfortable position than other CIOs. One of the Department of Public Safety's subdivisions is Ohio's Bureau of Motor Vehicles, which gets steady funding from driver's license fees and vehicle registrations. In Clouse's 20-year IT career, he's only had to lay off two people.
"So I have not experienced the pain that some of my peers have at those agencies that are on the general revenue fund," Clouse said.
When CIOs ignore lines of communications with their workers, tempers can rise, according to experts. Feelings quickly get hurt when workers believe they are being ignored or not being heard.
That's why Michigan's Theis believes communicating helps employees understand why changes, as painful as they may be, are necessary evils. This approach came in handy during the state's consolidation.
"Rather than having five [or] six different storage technologies or storage devices, we're going to pick one. If you're a technical person who's been supporting one of those other four systems that are going to be shut down, that's not something you like to hear, right? Because it's a huge change," he said. "But then you've got to articulate it - what's in it for me? What's in it for that individual? What's in it for that individual is enterprise. Rather than supporting five, six different backup platforms; wouldn't it be better to support a single platform?"
Workers Speak Up
But CIOs shouldn't necessarily blame the economic downturn as the sole reason for rogue administrators, according to Brent Boland, senior applications developer for the South Suburban Parks and Recreation District in Colorado. Salaries and hours could also be contributors, he said.
In order to decrease employees' stress, Boland suggested that managers get creative in compensating employees even when money is tight. Teleworking and letting employees set their own hours are good ways to start, Boland said.
"If leaders were willing to say, 'I'm going to let you maybe set your own hours,' or 'Go ahead and work from wherever so you don't have to spend the gas money to get into your office,' or 'Go to a four-day workweek if you feel like that'll help you,'" he said.
Some IT workers, like Sherry Lawdermilt, senior programmer analyst for Grand Forks, N.D., aren't concerned yet about the impact of the economic fallout on their workplace.
"It hasn't been an element in our department yet," she said. "We are actually busier than ever just because we did add a new wireless network, but we did not add additional employees to take care of it. So we are doing more with the same amount of people - but not due to budget cuts or anything along those lines."
Lawdermilt said the city government might be more insulated against the widespread layoffs and diminishing resources that plague the private sector.
"In the government sector, you tend to have more of a guarantee first of revenue," she said. "Most of our revenue comes from property taxes as well as permits for building, and with all of that going down, our revenue will decrease. But you still do have some guarantee of that as opposed to the private sector, so I think it is a little more secure."
Changing the Workplace Paradigm
Patrick Hale, deputy director and chief technology officer of the Bureau of Infrastructure Services in Michigan's Department of Information Technology, said workplace stress can be the springboard for greater opportunity, even amid consolidation and downsizing.
"When we're put under this kind of stress, we're having to make these kinds of decisions. It's really a great opportunity for innovation," he said. This innovation starts with assessing employees' needs. "How can we be better? How can we innovate? This really is an exciting time, even though it's a huge challenge. A lot of good can come out of being put under pressure."
Caption: Patrick Hale, deputy director and chief technology officer, Bureau of Infrastructure Services, Michigan Department of Information Technology
The key is listening to the people who are out on the front line, said California CIO Teri Takai. Sometimes, she said, people don't think about how to save time and money until there's a crisis.
"First of all, we try to recalibrate and look at how much we can do, given the budget strength that we have. For instance, we're doing a planning process so that we can really look at what we have the capability for," she said. Takai and department CIOs are also looking at more collaboration to eliminate repetitive processes. This agenda is similar to what's been laid out in Michigan's 2008 IT strategic plan.
Takai admitted that in California, many employees are being asked to accomplish more with fewer resources. She advised IT leaders look closely at the work to re-evaluate what's being done and excise unnecessary tasks.
And, like other CIOs, she agreed that communication is the best way to assess employee sentiment and identify stress levels.
"It's very important that, No. 1, managers are open and straightforward with their employees, and that employees are getting a lot of communication around what's going on," she said.