IT Governance in the Wake of 9/11
The 2001 terrorist attacks on the
“representatives […] met […] to discuss the current threat. Attendees report that
they were told not to disseminate the threat information they received at the
meeting. They interpreted this direction to mean […] they could not send out
advisories in the field” (9/11 Commission Report, 258).
Most of this threat information was never analyzed or disseminated until the attacks took place. Situations like the one mentioned above took place throughout the decade leading up to the 9/11 attack and increased as the attack loomed. Some, if not many of the misunderstandings and miscommunications leading up to the 9/11 attacks could have been prevented if there wan in IT governance system enabling government employees to share and act upon the information collected on individual terrorists and their operational abilities. The 9/11 terrorist attack showed the deep flaws in domestic terrorist policies.
The increase in the proliferation of communication technology and communication software in the 1990’s has made it difficult for government entities to adopt successful policy to manage and facilitate information capture and sharing. This paper will briefly describe the shortcomings in the government’s Information management leading to the 9/11 attack and the current plans to correct these shortcomings by forming the Department of Homeland Security. Finally I will discuss IT Governance policies designed by Weill and Ross, and suggest IT governance decisions and archetypes for the Department of Homeland Security.
The fall of the
Five years after Freeh’s attempt to re prioritize the FBI’s counterterrorist involvement, the FBI developed and issued a new plan that would promote
“cultural change […] within the FBI. The plan mandated a stronger intelligence
collection effort. It called for a nation wide automated system to facilitate
information collection, analysis and dissemination” (9/11 Commission Report, 76).
This plan failed due to a lack of resources both human and financial. Managers in the FBI were unwilling to move agents from drug enforcement to terrorism and increase spending on counterterrorism despite an increased counterterrorism budget. Managers resisted the addition of a new division intended to increase analytic capability, and the FBI’s departmental information systems were often incompatible with each other. Furthermore the FBI “lacked the ability to […] capture or share its institutional knowledge [… or] to condense the information [in order to] retrieve or disseminate it” (9/11 Commission Report, 77) to the appropriate departments.
FBI managers, agents and congress were unsuccessful in creating a program to address the growing terrorist threat in the years after the cold war due to the lack of a strong information technology infrastructure. The FBI Director has little power to enforce change among the managers and little knowledge of the best information policy to promote within the department. The director increased the number of agents abroad but those agents were unable to communicate with the domestic agents. This prevented the increase in human resources from affecting the amount of information available to agents within the bureau. Furthermore, the Director cannot control the amount of funding allocated to the FBI or funding use, therefore he cannot ensure enough capital is being applied to the information managers or information systems.
Agents in the FBI were also prevented from discussing their findings on the terrorist suspects with the Justice Department due to a law passed in 1978 meant to “separate foreign intelligence surveillance from ordinary law enforcement surveillance” (http://www.eff.org/Censorship/Terrorism_militias/fisa_faq.html) . The Foreign Intelligence Surveillance Act (FISA) was meant to prevent agents from abusing their power while compiling information on suspected terrorists. This legal restriction was misunderstood by FBI intelligence and criminal agents on both sides of “the Wall” and as a result there was a serious lack of information flow between the FBI agents.
This problem is not unique to the FBI. In the CIA a similar deficit in the power structure prevents the Director of Central Intelligence from making long term information structure decisions. The CIA has been charged to “collect, analyz[e] and disseminat[e] information from all sources” (9/11 Commission Report, 86) and report pertinent information in a report to the President. This task is made difficult by the fact that a new DCI is appointed with each new president. In this instance DCI George Tenet was retained, but now he had to brief the new president. Any concerns Tenet may have had needed to be re-represented to the current president and approved for action. The DCI does not have the power to reallocate funding and personnel within the intelligence community and his power largely depends on his personal relationship to the president (9/11 Commission Report, 86). In this atmosphere it is extremely difficult to control the collection and analysis of information within the agency, and accessing and following up on outside information becomes impossible.
Ineffective information infrastructure governance is repeated throughout the government in the years before 9/11. In an annual report by the Gilmore Commission it was found that between 2000 and 2005 “there [had] been a half dozen Congressional attempts to reorganize the Executive Branch’s efforts to combat terrorism, all of which failed” (Wise, 2002). Not only did efforts to correct the deficiencies in the government fail, none of the agencies mentioned in the 9/11 commission report had an effective mechanism for developing and managing information technology to facilitate information sharing. Al Qaeda operatives were able to move in and out of the country without investigation because Border Control at airports and other points of entry did not have relevant information about them. For example, some INS departments were using paper lists to identify potential terrorists and prevent them from entering the country, updates on criminal profiles lagged, and suspects constantly slipped through the agent’s fingers.
In order to combat this problem, the Department of Homeland Security was created in 2003 to eradicate organizational dysfunction in the intelligence community. DHS
“leverages resources within federal, state, and local governments, coordinating the
transition of multiple agencies and programs into a single, integrated agency
focused on protecting the American people and their homeland”
(http://www.dhs.gov/dhspublic/interapp/editorial/editorial_0515.xml)
from terrorist attacks by Islamic fundamentalists. Integrating these departments is another attempt to reorganize the “fragmented, uncoordinated, and politically unaccountable” (Wise, 2002) governmental departments that dealt with terrorism in the past.
Creating DHS as a cabinet department positions the president at the forefront of homeland security and places primary responsibility for the nation’s safety with him. Proponents believe that national safety should conform to a hierarchical model which provides a definite framework for assigning accountability and progress. DHS’S opponents dislike the hierarchical structures that have been proven ineffective for operational situations in the past, such as the Drug Enforcement Agency. The most common example of the dysfunction of hierarchical systems can be found in the Drug Enforcement Agency’s losing battle with the drug trade. It took the Office of National Drug Control Policy 10 years to “develop specific performance-tracking methods and to link them to the necessary budgets, and to apply lessons learned in the field to improve planning and implementation” (Wise, 140) time we do not have in the war on terror. Opponents to the Department of Homeland Security point out the fact that the DEA was successful in sting operations at the beginning because their structure was similar to that of the drug traffickers. When the DEA was amended and added to the cabinet, their operations became less effective.
Current Department of Homeland Security hierarchical organization places the Chief Information Officer and other managers at the bottom of the organization separate from all other departmental functions. In this position the CIO does not have much power to influence decisions improving the infrastructure that supports information sharing. Not only are these management officers separate from DHS as a whole, they are separate from the individual departments that will benefit most from information infrastructure management. In order to overcome these structural weaknesses, DHS needs to move toward a streamlined network of networks and away from their archaic hierarchical structure to combat international terrorists.
Before 9/11 government employees were discouraged from sharing information or seeking to change the system. These organization wide restrictions were born out of the Cold War, a time when the U.S was in constant danger of KGB infiltration. Now there is a recognized need to “foster inter-connected systems, […] that reinforce rather than duplicate individual efforts” (Securing Our Homeland) to share information on known or suspected terrorists. In this new system the government intends to promote personal responsibility among employees by investing in human resources before equipment or technology (Securing Our Homeland). The new organization also seeks to support proactive decision making by fostering individual efforts.
Understanding the importance information infrastructure and technology governance has on the Department of Homeland Security requires appreciation of the difference between information and information technology. Information consists of all the knowledge agents collect on specific events or situations gathered or received through communication or intelligence work. Information technology refers to hardware, software, and databases used to store, analyze and disseminate that information. Changing the organizational hierarchy in the intelligence community will not result in any changes in the way information is managed. DHS cannot prevent another terrorist attack if the underlying information infrastructures remain neglected.
The Department of Homeland Security will not effectively change government accountability unless it adopts IT Governance strategies proposed by Peter Weill and Jeanne Ross. “IT Governance” teaches organizational managers to “specify the decision rights and accountability framework to encourage desirable behavior in the use if IT” (Weill, 8). IT governance empowers managers to make positive changes and control the trajectory of those changes. IT demands a cost effective long term investment that current and future managers can guide and revise. If there is no governance mechanism in place IT investments may weaken the departments that introduced them, and discourage the entire organization from making or improving policies in the future.
DHS’s current focus on human resources and communication will only fix one part of the problem; progress depends on technology meeting information needs as well as human resource needs. Weill and Ross identify the key assets in any corporation: human, financial, physical, IP, information and IT, and relationship assets. IT governance is the most important and most overlooked area in many organizations simply because most managers take IT governance for granted, do not understand technology, or they think IT will govern itself. Each of the asset categories mentioned above has its own recognized governance structures, but IT is constantly overlooked. Why? Market performance has proven that superior information management will increase long term productivity and goal realization across the board, yet many managers are intimidated or lax in applying these mechanisms.
The first step in this process is to recognize the importance of information technology within the organization. Next managers must observe current IT governance practices in their organization and determine the strength and weakness of each governance mechanism. Who is responsible for making the decisions? How is ineffective governance corrected? There is a delicate balance between information governance and desirable attitudes within the organization. The Department of Homeland Security needs to implement an information governance program that supports their intra agency information sharing goals. Implementing the same IT governance standards across throughout the intelligence community will make it easier for employees to use the same information collection, analysis and retrieval systems.
Managers can strengthen or weaken the acceptance of information governance by participating in and enforcing governance decisions or remaining inert thus defying company goals. Once managers enable the business to work toward common IT goals, create a common viewpoint and use existing working standards for governance, the organization can begin the reorganization process. Low level managers and employees are also important in governance acceptance; they provide valuable input that will improve infrastructure, and their lack of input will prevent important governance revisions or adjustments. Developing IT governance decisions that create greater value for the company usually means working with managers and employees from each department potentially affected by the change. Governance decisions need to be made for IT Principles, architecture, infrastructure, business applications, and investment and prioritization (3-1) in order to have a smooth running system. Involving people from each business unit in the decision process entails revising governance policies and/or the mechanisms for those policies.
Managers must adhere to the decisions they make and understand that changes will not happen quickly or only as a result of hard work. Managers must focus on the problems that can be solved, then choose the most important solution for the problem. Managers in charge of IT decisions must decide if IT investments target organizationwide strategic goals or support methodological processes. In order to do this, organizations must clarify business strategy, measure and manage the amount spent and value derived from IT, assign accountability, and learn from each new IT governance implementation (Weill, 2).
Integrating the five IT decisions is the next step in creating IT governance for the organization. Identifying IT principles will help organizations determine the most common uses for information technology, and make any decisions relevant to the day to day processes of the organization or company. Some useful principles for any organization to support are the standardization of processes within and between departments and operational efficiency. Information architecture helps solidify the principles set forth by managers by providing a skeleton strong enough to support other governance policy decisions.
For example, standardized data representation enables processes standardization. If all employees are looking at the same input fields in the same location on a form or computer screen, there will be greater organizationwide integration. Such architecture would be useful in the department of homeland security. Employees could easily determine situational or individual importance or potential danger without translating or reanalyzing departmental forms. There is a point where the general architecture must give way and allow precedence to departmental needs. Architecture is merely a stage for business application and data needs to build upon and create a foundation for other governance mechanisms.
Once the principles and architecture are in place, organizations can invest in IT infrastructure. This includes the hardware, software packages, and telecommunications employees will use in their everyday practice. It is important to invest in the products employees will use rather than the least expensive or the most popular. An organization that requires its employees to travel or gather information in the field would do well to invest in laptops, PDA’s, and cell phones with wireless capabilities and any necessary training to facilitate communication between the office and the field. The return on investment from providing these expensive tools may outweigh the initial purchase price as employees expedite services more efficiently.
Once the principles, architecture, and infrastructure are in place, an organization must make sure they are meeting the business application needs. At this stage managers must balance creativity on “identifying new and more effective ways to deliver IT value [. . .] and discipline [. . .] architectural integrity” (Weill, 40) within the framework they set for themselves. Organizations must not invest in new infrastructure to satisfy one department, or disregard the architectural framework if managers are unwilling to implement it. Applying business application needs also means the organization must make use of “a constant flow of experiments to seize new market opportunities and avoid obsolescence” (Weill, 41) in the three decisions. Organizations must also insure that managers at all levels understand the policies and procedures the IT committee put into place. Taking the time to explain and train employees on structural changes in the organization will increase the success of current and future adjustments.
Lastly organizations must decide how much to spend on IT. There is no standard formula explaining the ratio between organization size and IT budget. Each organization must analyze historical ROI and goal realization before deciding the future IT budget. Aligning all five key IT decisions into one cohesive unit requires the managers in each major department to work together. How can an organization decide which manager or department has more weight? Who is most qualified to make IT governance decisions?
Weill and Ross suggest one of six governance archetypes for deciding who has IT governance decision or input rights (figure 3-1): business monarchy, IT monarchy, feudal, federal, IT duopoly, and anarchy. Using political descriptions for the archetypes makes the governance structure transparent for managers. Organizations must decide the best archetype by analyzing their organization, determining which governance method will best realize their future goals, and implementing that method.
Organizations should choose the best archetype for making the five IT decisions, or use the archetypes as a guide for creating a unique decision making body. A team of high level senior managers make IT decisions for the entire organization in a business monarchy, relying on input from department units throughout the organization. Business, finance, IT, and operations managers must come to committee meetings ready to work as a team. A unit may have to give up some of its wants to gain infrastructure or architecture that will promote organizationwide benefits. In an IT monarchy IT professionals make decisions for the entire organization. The organization forms a committee of IT managers from the largest business units who are responsible for making IT principles, architecture, and infrastructure decisions, then returning to their unit to implement business application needs and investment decisions.
Feudal decision making consists of each business unit making independent IT decisions for local or departmental needs. In a large organization, this model creates interdepartmental disconnect as units undermine or disregard company goals. In contrast, Federal decision making seeks to balance business unit and organizationwide needs. Integrating unit and company needs in a feudal system is a difficult balancing act as managers strive for fair and equitable decisions. Business units are solely responsible for funding their own projects and bearing the burden for failed architecture or infrastructure experiments. Problems arise when small business units are overlooked when forming and implementing architecture decisions, or more importance is granted to larger departments who do not have organizationwide goals in mind.
IT duopoly makes up for the shortcomings in the federal system by focusing on either “corporate [or] local business representation” (Weill, 62) in the organization, but not both. IT executives and one other unit work together to decide the best IT principles, business application needs, and IT investment, allowing IT management to decide architecture and infrastructure separately. IT duopolies are structured like a T or bicycle wheel for maximum benefit. In the T structure an executive committee comprising of business managers is on the horizontal axis and the IT committee on the vertical axis with some overlap where the axis meet. This structure allows both committees to interact in the decision making process and keep expertise separate. In a bicycle model, IT management is at the hub of the enterprise and the business units are connected around the rim by relationship managers (spokes). In the other archetypes, business managers are making unqualified decisions about IT, and IT may make impractical decisions for business unite to apply. Business unit managers have input on architecture and infrastructure decisions when they have little or no expertise, and IT managers are assuming they understand the applications their architecture decisions will support.
The last archetype, anarchy, is similar to feudal decision making. Like feudalism, business units make independent decisions based on local needs, but in anarchy all standard organizationwide goals are avoided. Anarchies work best when business units need to react quickly to customer or market needs, and usually only last until the organization can form the necessary governance archetype.
Implementing IT governance decisions requires several mechanisms for communicating and applying organizationwide goals: decision making structures, alignment processes, and communication approaches (Weill, 86) which will help smooth the transition period. Decision making structures allocate decision making responsibilities to managers based on the archetype used to form IT governance goals. For example, in a federal archetype each business unit will apply the new governance decisions in a manner consistent with their application needs.
Alignment processes involve techniques for “securing widespread involvement in the effective management and use of IT” (Weill, 96) in local departments that will support the organizations five key IT decisions. This process includes manager approval for investments, allowing exceptions for architecture, researching service agreements, and assessing value from IT. Using these criteria for aligning governance decisions helps organizations operate at full capacity while continuing to grow and change. Exception approval prevents business unit managers who disagree with or misunderstand governance decisions from investing in new architecture or infrastructure that deflects from the IT principles formed by the decision making unit. Managers must discuss any proposed investments with the business unit and decide if the change will further organization goals, or if an architecture exception can needs to be made. Preventing investment mistakes within business units will save the organization lots of capital in the long term
The architectural exception process allows business units flexibility in adopting archetypal governance decisions that negatively affect business application needs. The exception process also prevents business units from investing in architecture that undermines the organizations standards. Another method for aligning the implementation process is to analyze the quality of IT goods and services the organization provides. When an organization researches and negotiates products and services available internally and externally, to maximize investment value, it realizes greater value from IT investments. Business and IT managers must formally track ROI and business value generated from IT policies and the governance mechanisms they put into place as a way to recognize necessary changes.
Implementing governance also means using formal methods to communicate “IT governance decisions and processes and related desirable behaviors throughout the enterprise” (Weill, 104) thus ensuring each manager understands the implications inherent in the governance standards. Governance committee members use announcements, formal committee meetings, and web based portals as facilitation tools to encourage an organizationwide understanding on important standardization policies. Announcements create a transparent atmosphere where managers know what to expect from the IT governing committee in the near future. They clarify objectives and form a rallying point for business units to realize common goals. Committees must also include non conformists in the communication process. Some business unit managers may qualify for infrastructure or architecture exceptions or may feel their point of view will not be respected. Discussing concerns with renegade managers may solve an organizationwide problem no one else was willing to tackle.
Formal committees at the executive level provide a forum where business unit concerns can be addressed, progress assessed, and governance decisions can be renegotiated. Formal and ad hoc committees are important at all levels of IT governance implementation as the organization experiments with governance mechanisms. Web based portals are another formal method that encourage managers to be proactive, research governance standards and policies, and communicate any concerns or disagreements they may have. Announcements, bulletin boards, infrastructure requisition forms, and architecture exception processes are all available on the web based portal and provide constant and consistent communication with business unit managers.
Determining which IT governance works best depends on managers recognizing desirable behavior within the business units and the overall organization. Governance managers must integrate enterprise setting, governance arrangements, governance awareness, governance performance, and financial performance (Weill, 119) with the five key IT decisions to make governance work. It is not enough for all the high level decision makers to know the policies, lower level management must understand the policies as well. IT must be cost effective, it must support further asset utilization and organization growth, and it must facilitate business flexibility in the market (Weill, 121).
In top performing firms more managers understood and could describe IT governance, they interact more often, have clearer objectives, and had diversified business objectives such as growth or innovation. Top performers also granted less architectural exceptions and had fewer IT governance changes in a fiscal year. High performance depends on consistent education and application of the IT principles and less on the amount of capital or time spent on investing in infrastructure and developing IT principles.
Government organizations (GO's) have to be especially prudent when making IT governance decisions due to the political implications and funding difficulties inherent in federal ownership, control, and/ or oversight. As a result of these constraints government and non profit organizations need to focus on those IT governance decisions that focus on increasing good will. Government organizations need to balance three "interconnected factors [. . .] to generate value in any [non profit] organization: environment, capabilities, and value" (Weill, 191) in order to fulfill their obligations to citizens who depend on them.
The government's environment (market) consists of citizens, patrons, and elected officials, all of whom have a co dependent relationship with the organization. GO's must provide a service to citizens while maintaining the budgetary and regulatory limits implemented by elected officials and other oversight committees. Organizational capabilities include their ability to provide timely, consistent and inexpensive products and services to their customers (Weill, 193). Other companies may be required to support capabilities through legislation or regulation, such as building codes, or insurance laws, or the GO may have contracts with other agencies to provide services that increase its capability.
Public value includes the material goods and services, and the social equity government organizations provide for all its citizens. Goods such as disaster relief, education, and police protection are dispensed on a need basis, no matter how much it costs to provide it. Equity refers to an organizations market correction work. Organizations that expose companies who prevent public goods from being equally distributed or who punish those who endanger the population are contributing to public equity. Good will is ethereal and difficult to asses. Government organizations must communicate with the population and markets they serve to ascertain whether they are achieving goals. Tracking the number of new homes wired for electricity or the number of crimes prevented is one way to measure performance. Another is to measure levels of certain activities such as crime or job creation.
Government organizations must review their architecture and infrastructure budgets with a governing board which often compromises IT principles, business applications, and investment and prioritization needs. Organization heads must justify investments by stating they will "reduce costs or enable new capabilities" (Weill, 196) which puts pressure on decision makers to produce high performance principles and may stifle experimentation and system design. Issues arise when assigning responsibility for new governance when one department must fund new investments for the entire organization, or is held solely accountable for all outcomes of an architecture experiment.
If we apply the principles set forth in Weill and Ross, it becomes obvious that the Department of Homeland Security lacks solid IT principles, and does not use IT to promote desirable behavior. The 9-11 commission report details the woeful inadequacy and bureaucratic mismanagement in the intelligence communities prior to the Terrorist attacks. To correct this problem President Bush subsumed several important agencies within the new organization to prevent further mismanagement in the event of a future attack.
The Department of Homeland Security's mission states:
"We
will lead the unified national effort to secure
deter terrorist attacks and protect against and respond to threats and hazards to the
Nation. We will ensure safe and secure borders, welcome lawful immigrants and
visitors, and promote the free flow of commerce" (Securing our Homeland)
and the core values are integrity, vigilance, and respect. Such a broad statement mandates all encompassing IT decisions for the new department. IT principles need to support communication and information management in all the organizations departments. DHS will include 9 federal agencies including the Coast Guard, INS (now U.S. Citizenship and Immigration Services), and FEMA (now Emergency Preparedness and Response) each of which will retain most of their autonomy.
DHS's IT principles should mesh with its mission statement; the necessary business principles to realize this alignment are: integrated databases and computers, fast response time, flexibility, and inter agency communication. The corresponding IT principles are architecture integrity, compatible infrastructure, long-term investment strategies, and increased oversight of IT value. IT architecture is the barebones system that supports infrastructure and business applications by "organizing logic for data, applications, and infrastructure, captured in a set of policies, relationships, and technical choices to achieve desired business and technical standardization and integration" (Weill, 30). DHS should adopt IT architecture that steadfastly supports communication among its many government agencies.
Terrorists are not state sponsored organizations like the KGB was, and there is little danger of a terrorist operative using the DHS's IT structure as an attack plan. DHS's strength lies in the ability to store, analyze, and retrieve pertinent information gathered from around the globe. Business units should be able to adapt existing IT architecture to their needs, and not develop independent architecture standards because better ones are lacking. Compatible infrastructure will smooth networking capabilities and encourage interaction throughout the department due to the integrated services DHS provides. Each department under DHS's jurisdiction shares responsibility for protecting the country and each unit within the organization provides a service to American people. This service depends on standardized application of infrastructure decisions. When managers know their systems and interfaces are consistent throughout the organization, they will feel a greater connection to the mission they are supporting.
The last decisions affecting DHS is IT investment and oversight. In the past business units were afraid to speak up and demand changes in spending. There was no looming threat and many machines and systems were allowed to deteriorate. After the 9-11 attacks the importance of regular investments in new technology and prerequisite infrastructure was recognized.
The best way to manage the IT principles mentioned above is to gather input from a federation of units and form an IT duopoly for decision making. Each departmental unit in the Department of Homeland Security has its own mission statement and IT needs. Using the federal archetype for inputs to decision making will create equity in the decision making process and allow each unit to a fair chance to pitch for their application needs. IT professionals are best qualified to make IT decisions, and balancing their expertise with department managers will make sure the organization adopts the policy most suited to its needs.
Implementing these principles will
require hard bargaining and compromise from managers and directors who are
accustomed to focusing on the political instead of the practical outcome of
their decisions. IT principles that support cohesion within the Department of
Homeland security by focusing on the "unified national effort to secure
Works Cited
The
9/11 Commission Report: Final Report of the National Commission on Terrorist
Attacks Upon the
Electronic Frontier Foundation: http://www.eff.org/Censorship/Terrorism_militias/fisa_faq.html
Weill, Peter
and Jeanne W. Ross. IT Governance: How Top Performers Manage IT Decision
Rights for
Wise, Charles R. Organizing for Homeland Security. Public Administration Review. March/ April 2002. pp.131-144
United
States Department of Homeland Security. Securing Our Homeland: