CIO

Enabling enterprise capability

Overhauling an enterprise IT department’s security, risk and compliance capability is a complex and fraught process. Yet, as David Spaziani of the Department of Internal Affairs discovers, there is a science to negotiating its pitfalls.
  • Ken Lewis
  • 23 June, 2009 22:00

In 2006 Department of Internal Affairs (DIA) CIO David Spaziani was handed the task of assembling the Department’s disparate ICT silos into a coherent whole. The department-wide change process not only achieved this, it did so without an increase in budget or the wholesale exodus of staff, Spaziani said at the recent CIO Leaders’ Luncheons in Auckland and Wellington. New Zealand’s Department of Internal Affairs has been dubbed the “mother of all departments”. It reports to six ministers, administers more than 90 Acts and Regulations, and employs 1400 staff in 21 offices here and overseas.

Spaziani says there was a well understood need for change within the organisation, but it was plans to set up an identity verification service that forced the issue.

Identity verification is a world-leading scheme to provide Kiwis with a single, online ID when dealing with government departments via the internet. This is a technically complex undertaking and only a few other jurisdictions worldwide are working on it.

While identity verification was a tipping point, there were other reasons to undertake a capability review. The department’s disparate roles include sensitive tasks such as overseeing passports, recording births, deaths and marriages, executive government services and civil defence, to name a few. These responsibilities demand access to information with security that is flexible but resilient.

Back in 2006, it was widely agreed the DIA had some work to do. “Capability underpins New Zealanders’ confidence in DIA services,” says Spaziani, “and a step change was needed.”

Given the sensitivity of the department’s information and its preparations to open much of it up to the net, security was very much centre stage.

There are obvious tensions between providing online services and maintaining a secure and trusted environment. To begin, Spaziani established some guiding security principles.

Security isn’t something that stops people doing their job, he says. Instead, security should be something that enables a business to meet business objectives and people should believe it helps them to do their jobs. It should be simple and not the preserve of an enlightened few. It should save you money when compared to the alternatives.

Internally, the DIA now adheres to strict security and assurance standards. It is also investing in security-related capabilities, such as identity management and intrusion detection.

Change agents

Managing such a wide-ranging change process was a new challenge for Melbourne-raised Spaziani, so he cast around for guidance. Perhaps a little unusually, he found that in laws espoused by the heavyweights of science.

Natural laws apply to IT, Spaziani says, so why not start with Newton’s first law of motion: Every object in a state of uniform motion tends to remain in that state of motion unless an external force is applied to it. Applied to IT, Spaziani says this translates to: “If you don’t act, nothing will happen.”

Then there’s Newton’s third law of motion: For every action there is an equal and opposite reaction. Applied to IT, this becomes: “Actions need their reaction pair”, or “To push, you need something to push against”.

For further instruction, Spaziani turned to the first and second laws of thermodynamics: “Energy can neither be created nor destroyed. It can only change forms”; and, “The entropy of an isolated system not in equilibrium will tend to increase over time, approaching a maximum value at equilibrium.”

These roughly translate to: “You cannot win (you cannot get something for nothing)” and “You cannot break even (you cannot return to the same energy state)”.

If you’re feeling a little mystified, Spaziani clarifies by stating his own first rule of enterprise capability: “An enterprise capability requires a capable enterprise”.

“This is where Newton’s laws and thermodynamics come together… Enterprise capability is about people. It requires commitment from the organisation, you must continue investing in capability in order to stay in place and it must be cheaper than the alternatives.”

Okay, so how do you create capability? The first goal is to align organisational structures and processes to have the desired governance and accountability outcomes.

Secondly, you need to invest at the start of the service chain with policy. This is followed by standards, capability/sourcing, delivery and support.

Thirdly, select key processes to work on. By doing so, DIA removed gaps and overlaps. “In other words — risks,” Spaziani says.

External experts were also used, but they were targeted to specific needs, and staff learned skills from them.

Common wisdom tells us that change has a habit of spooking staff and customers. Staff attrition, then, should be a useful indicator of a project’s effectiveness. According to Spaziani, staff turnover between June 2007 and July 2008 was well below the norm for the department and the Wellington IT industry as a whole.

He ticks off key factors in the success of the process:

  • An agreement to invest in the capability;
  • Running an organisational change process;
  • Getting staff to own and drive the implementation process;
  • Development of policies and standards, starting with security;
  • Defining the processes we wanted to implement;
  • Deploy, monitor and improve;
  • Continue to invest.

Capability is a blend of motivation, skills and the right people, says Spaziani. “The right people with the wrong technology can still do great things. The wrong people with the right technology produce chaos.”

Despite its overall success, in hindsight there were areas Spaziani would change.

Don’t try to do everything at once, he says. Make sure you can continue to invest in the system to maintain the capability. Manage all IT systems and processes as assets; that means having long-term investment plans and a benefits review, and consolidating, reusing, refreshing and replacing. “People change their roles during a change process, so you need to manage that.

“It’s also really important to track savings and improvements — you need to tell people about these.

“I think we also started the project too early in the creative phase of a new initiative.”

Organisational change is a continual process required just to stand still, and Spaziani wants to enhance capability further by exploiting the savings change has already provided. Asset management is an area he now has his sights on.

“Change starts with commitment, requires financial input and some hard work. But it is not rocket science.”

Sidebar: Security concerns heightened by economy

It comes as no surprise that with the changed international economic landscape, there has been a shift in business priorities in the past six months, says Terry Shubkin, head of operations for Unisys in New Zealand.

The economic slowdown had seen new projects put on hold and fewer projects being developed, Shubkin reports at the CIO Leaders’ Luncheon in Wellington.

Talking specifically about security, she points out, “How do you define security… security that makes business sense in these times?”

Security needs to be seen in a holistic manner, she says. “It’s about how you keep people in, not how you keep them out. I like to say it’s the difference between ‘littler’ security and ‘bigger’ security. Bigger security is about how you enable people within your company.”

Also of no surprise is that customers are demanding much more and you need to ask what you are doing to help your company do business with members of the public, she says.

Using information from the latest Unisys Security Index survey, Shubkin reports 67 per cent of local consumers believe the global financial crisis and recession will increase their risk of falling victim to identity theft and financial fraud. “So what are they prepared to do?” she asks.

According to respondents, New Zealanders are now overwhelmingly supportive of biometric identification, with 70 per cent happy to provide fingerprints. That sits slightly behind photo IDs and ahead of PINs.

Shubkin says this proves the public is maturing in its view of security and it is up to business to match expectations with workable security services.

Unisys kindly sponsored the CIO Leaders’ Luncheon on ‘Security: Building an enterprise capability’, featuring David Spaziani, CIO, Department of Internal Affairs.