A really cool and pragmatic friend of mine, Papa, asked me if “IT Governance” was real or was it just the buzzword du jour. Then he said, “Lil’ Girl, if it’s real, it’s in Wikipedia.” Yes, Papa it’s real. Very real. And it’s a real problem in Government. Sort of like a similar problem we had in … say … Colonial America. More later on why.
First, Papa, Wikipedia’s definition of IT Governance is as follows:
The discipline of information technology governance derives from corporate governance and deals primarily with the connection between business focus and IT management of an organization. It highlights the importance of IT related matters in contemporary organizations and states that strategic IT decisions should be owned by the corporate board, rather than by the chief information officer or other IT managers.
So, IT Governance, the discipline, is of the business, by the business, and for the business. In NASA-speak, that translates to being of the mission, by the mission, and for the mission. So, if there are disconnects between the IT management of an organization and the mission, you can always point the accusing finger at ineffective IT Governance.
Dave McClure writes, in IT Governance in Government Agencies: Frequently Asked Questions, (Gartner, Inc.) that there are signs to ineffective IT Governance. Some of them we see are:
• A less focused IT strategy
• Ineffective data sharing
• An inability to capture NASA-wide IT efficiencies (for example, cost reductions, shared services and consolidation)
• Risk elevation that results in IT not viewed as meeting mission needs, nonintegrated systems, elevated security and privacy problems, and lower use of standards.
• The perpetuation of rogue, duplicative IT spending that ignores potential reuse as well as economies of scale
• A lack of real transparency into IT spending
• Sub-optimized IT organizational effectiveness
• Inattention to benefits realization
• Waste of senior executives’ time, “rubber stamping” decisions
Some of the more infamous NASA examples would be email and IT security. Both issues having their genesis in varying levels of disconnects between the mission and the management of IT. In wrestling with these issues as Goddard CIO for the last three years, I’ve often asked, “Why is this ok?” The answer can be suggested by considering the famous quote, “People get the government they deserve” – or rather, WE get the IT governance that we deserve.
Oh, there she goes again – the CIO that does not take responsibility. Screech!!! Think again. Effective IT governance has many forms – centralized, decentralized and federated. If we had a centralized governance model, or if I were Her Royal CIO-ness Linda the First, I would be Queen of ALL of IT, and make ALL the decisions unilaterally. Many assume the decentralized governance model is NO governance model, but it could work just fine for the right business strategy – though it is multilateral, it is not anarchy. In a federated governance model, we have a hybrid of both the centralized and decentralized model where intentional strategic decisions are made about what is managed in a decentralized fashion and what is managed centrally. The centralized model requires more technical management skills from Her Royal CIO-ness, the EFFECTIVE decentralized model requires more leadership skills from her, and the federated model, favored by this CIO, requires combinations of both.
Then my Dear Papa said, I have no idea what you just said Lil’ Girl, but I think it was strategic, right? So, I took another run at it focusing on the federated model and offered this analogy.
Papa, remember those 13 independent directorates … I mean colonies? As a collective, they had IT security problems … I mean, border security challenges. One weak militia could jeopardize the security of them all. By creating a more perfect union which combined their resources for a common defense, they could be stronger and more secure. So, they created a Federation of sorts, where common things were managed centrally by the Government, and decentralized things fell under the domain of states rights.
At the end of my conversation with Papa, I think he understood that value of IT Governance. But, then he ended the conversation with some quote about if frogs had wings, they wouldn’t bump their [behinds]. It took a while for this city girl to understand what this refined Southern gentleman meant.
Both NASA in general and Goddard in particular have made significant improvements in IT Governance. It will however, take more than a few minutes of effective IT Governance to turn around years of ineffective governance. I think what my Dear Papa wanted me to understand was that this was what CIOs were responsible for ensuring. And that if it were easy, we wouldn’t have CIO’s with bruises on their body parts.
The effective CIO is not a horse holder, being close to the battle but far enough to stay safe, but is a battlefield savvy leader with the bruises of experience, the courage of a soldier, and the skills of a hero.
Linda Cureton, CIO, NASA/Goddard Space Flight Center
p.s. Attention Business Development folks: Before you pick up that phone to call or email me, you CAN’T buy good IT Governance, an organization must live it.