Government Oversight and the CIO
Twelve years ago, Sen. William S. Cohen (R-ME) and Rep. William F. Clinger Jr. (R-PA) brought information technology-related issues to the forefront on Capitol Hill. As a result, the Information Technology Management Reform Act of 1996—more commonly referred to as the Clinger-Cohen Act, or CCA—placed the spotlight on chief information officer (CIO) problems and required federal agency action to address them.
With the CCA, the federal government has the opportunity to improve the way information technology is acquired and information is managed by mandating that CIOs are appointed within every federal executive agency. These CIOs must report directly to their agency heads. Goals, policies and procedures must be established; standards and guidance in efficiency, security and privacy must be promulgated; additional information technology-related authorities and responsibilities must be delineated; requirements for reducing costs and increasing efficiency through improved information management must be established; and major information technology programs with significant deviations in cost, performance or schedules must be reported.
Concerns about computer standards already had been surpassed during CCA introduction by concerns over developing and maintaining both the human and the technological infrastructures necessary for government reforms. The CCA was designed to provide the executive branch with the flexibility to acquire technologies and services incrementally, to enter into modular rather than more costly longer-term contracts, and to obtain information technology and services to fit agency needs. The bottom line is that the CCA provides that government information technology shops are operated as efficient and profitable businesses. Interestingly, many CIOs today confess that they never have read the requirements of this landmark legislation—an obvious shortcoming.
Today, CIO is a job title for the board-level head of information technology within an organization. The CIO typically reports to the chief executive officer or, in major military organizations, to the commanding general or admiral. No specific qualifications are typical, and every CIO position seems to have its own individual job description. Many CIOs with technical degrees are completing management degrees to sharpen their skills for the boardroom and in working with people. Sometimes the role of the CIO is used interchangeably with those of chief technology officer (CTO) or chief information security officer (CISO). Typically, however, the CIO is thought of as being responsible for processes and practices supporting the internal flow of information, while the CTO is responsible for technology infrastructure and effect on customers, and the CISO establishes policy for implementing security.
Some people believe that government CIOs have more influence today but are not regarded as strategic decision makers. Noncompetitive salaries, high turnover, organizational culture and budgetary controls are major issues. Recruitment problems are compounded by salary and compensation disparities between government and private-sector opportunities, which results in government CIOs typically spending less than 18 months in the job. Studies also show that it is common for CIOs not to report directly to agency heads as mandated and that they are performing additional jobs.
Another issue is one of budgetary short-term focus while major information technology projects require long-term planning and implementation. Failure to plan adequately and dedicate resources to computer security creates risks for critical infrastructure such as telecommunications, power distribution and emergency services. A recent Deloitte survey of security practices at more than 100 global technology companies discovered that almost half of them did not have an “in place” information security strategy aligned with corporate goals and business processes.
In October 2000, Sen. Fred Thompson (R-TN) released an investigative report on federal agency compliance with the CCA. It contained three major findings: federal information technology management was suffering from a high CIO turnover; agencies were not complying with capital investment, planning and performance measures; and agencies were not utilizing modular or incremental contracting for major information technology investments.
A major recommendation was that agency CIOs have more authority. But authority also requires accountability. In fact, Rep. Tom Davis (R-VA) notes, “We want to consider funding penalties for agencies who fail and personnel reforms to make sure we have people who will ensure those agencies succeed.”
The CCA built a foundation for better managing information technology acquisition, security, information management, organization, governance and culture. The idea of creating a federal CIO, either inside or outside the Office of Management and Budget, continues to grow. It’s possible that some provisions of the CCA and concerns such as cybersecurity will receive attention from the new administration and Congress.
In many ways, we have been muddling along. Thus, it is time for a major step toward achieving CCA strategic business benefits. This step should be to assign CIOs holistic responsibility for the areas noted above instead of allowing competitive activity outside the CIOs’ responsibility and domain. After 12 years, it is time to recruit and train better CIOs, eliminate the gap between the CCA and actual practices, and give CIOs the authority needed to succeed.