Agency heads: It takes more tech than you think
Agency heads, acquisition officers and even CIOs don't need to be hard-core techies. FCW's four-part look at the expertise that's really required to make federal IT run.
Do agency leaders need to know more about the inner workings of IT to do their jobs effectively and safeguard national secrets? For many experts, the answer is yes.
Tech is now “part of the fabric of everybody’s lives,” said Montana Williams, senior manager of ISACA’s Cybersecurity Practices.
When the recent Office of Personnel Management breaches triggered a national debate about cybersecurity, National Review’s Jim Geraghty lashed out at Katherine Archuleta, the OPM director who resigned in the wake of the breaches. He said her performance was part of “a troubling pattern of incompetent management from Obama appointees selected more for their political loyalty than for their expertise, skill or leadership abilities.”
Geraghty highlighted Archuleta’s lack of an IT or cybersecurity background and claimed she did not appear to have “any expertise in the vitally important human resources and recordkeeping functions OPM is supposed to serve.”
But she’s no outlier. At the 24 agencies governed by the Chief Financial Officers Act, most agency heads have legal, political and/or public administration backgrounds.
There are a few exceptions: Secretary of Energy Ernest Moniz has a background in physics and has served on technology and security commissions; Secretary of Defense Ashton Carter has a background in technology, physics and security; and National Science Foundation Director France Córdova has had extensive scientific training.
In light of the OPM breach, should the old conventional wisdom — that a good leader knows how to lead people but not necessarily how to do those people’s jobs — go out the window when it comes to cybersecurity?
It’s still about people
At the end of the day, leadership and management skills are still the key.
“Surround yourself with the right people who have the right technical skills, and ask the right questions” was Williams’ prescription for agency heads. “Be willing to hold people accountable.”
Leaders need to “understand [cybersecurity and IT] at the basic level,” he added, but they don’t need an extensive cybersecurity background. “Large hospitals are not run by doctors,” he said by way of an analogy.
Patrick Malone, executive-in-residence at American University’s Department of Public Administration and Policy, said, “I haven’t ever seen any [federal employees] complain, ‘Dammit, I wish my boss knew more about some Windows 10 update.’ What people are crying about is their agency’s culture.”
According to Malone, feds say they need a culture of “compassion, trust, learning, collaboration and caring.”
Good leadership might also be a key to attracting and retaining cybersecurity pros. Those skills are in short supply nationwide, and an approaching spike in the numbers of feds eligible for retirement threatens to widen the government’s existing cybersecurity skills gap.
Some observers say one of the mistakes that undermined OPM was putting cybersecurity in the hands of program office employees who did not have the relevant background.
“Soft skills” — though Malone said he is no fan of the dismissive connotations of that adjective — unlock “the real magic of leadership”: attracting the right talent, encouraging them to give their best and retaining them.
“If you create the right environment, the tech skill will come,” Malone said. “The only way we’re going to get the technical talent — and the only way they’ll stay — is if leaders make them want to stay. Otherwise, you’re going to lose them to IBM, lose them to Apple.”
Know the risks
Gregory Wilshusen, director of information security issues at the Government Accountability Office, said agency heads need to have a core understanding of what kinds of sensitive information their agency collects, how it’s protected, the damage that would be done if the information is compromised, and who controls and interacts with the agency’s systems in the cloud.
“Just because you start to migrate systems to the cloud doesn’t mean you’re absolved of responsibility,” he said.
In the future, it shouldn’t be a requirement that agency heads have deep IT knowledge. If they do, “that would be a bonus but not the determining factor,” Wilshusen added.
So would OPM have done a better job of detecting and responding to the breaches if a tech-savvy leader had been in charge?
Williams said yes, adding that someone who understood the risks would have immediately cut off KeyPoint Government Solutions’ system access when it became clear that the contractor had been hacked.
But Malone said the leader’s role is to foster an open environment, not necessarily understand all the technology. In such an environment, an agency employee who had a solution to the problem would have felt comfortable bringing it up, he added.
Wilshusen said the public administrators and lawyers who currently lead agencies are probably capable of picking up the tech knowledge they need as they work, and they’re likely doing so now.
“I would imagine there’s a lot more on-the-job training after what happened to Secretary Archuleta,” he said.