Still Asleep at the Wheel?

One good outcome of the Y2K fiasco might be that senior managers will understand the importance of paying attention to information technology management and the risks of failing to do so, says the president's Y2K czar, John Koskinen, the original "make lemonade when someone gives you lemons" guy.

Koskinen's message was hopeful at Government Executive's second annual Government Technology Leadership Institute (www.govexec.com/tech/leader) last December, which was devoted to planning for and reacting to crises. An expert in management disaster recovery, Koskinen shared lessons learned from his long, successful career as a corporate rescue artist and, more recently, as deputy director for management at the Office of Management and Budget.

Thanks to folks like Koskinen, the Y2K problem has captured management attention. It has demonstrated vividly how dependent our processes are on sophisticated information technology, from banking to medical care to air traffic control. It has shown how vulnerable we are to failures in those systems and how dire the potential consequences if we are unprepared.

But a couple of other lessons may be lost entirely. While not diminishing the potential harm from hackers, Y2K shows us what happens when we rely on technicians to make management decisions and we slip into denial as soon as a problem arises. The result is an expensive crash effort to solve it. Most IT managers will admit that at this stage, not only is remediation expensive, it is often too late to update and reengineer systems. That sure meets the definition of managerial incompetence.

Not every potential problem is preventable or even foreseeable, but early detection and prompt action can often mitigate the damage. Y2K planners are teaching us the importance of contingency planning such as keeping paper copies of records before Dec. 31, 1999. The Federal Reserve plans to put more cash into the system, in case nervous citizens rush to withdraw their money. Responsible publications like Consumer Reports are telling us that stockpiling a little bit of food and water and getting fresh batteries for our flashlights is not a bad idea.

Despite these clear lessons, there is little evidence that senior managers will do anything but retreat into their traditional avoidance behavior when confronted with IT issues. "Get good people and give them the resources and discretion to get the job done," you might argue. Besides, can senior managers really be expected to get into the kind of detail that would allow them to detect Y2K problems?

The newspapers in recent weeks have been replete with examples of why continuing inattention to computer security borders on management malpractice. You need only ask the senior managers at the Department of Energy's Los Alamos laboratory or those who were hit by the Melissa computer virus or the agencies that have been hit with denial of service attacks by forces protesting NATO actions in Yugoslavia. Yet, we continue to be afflicted with a "can't happen here" attitude. Major computer incidents happen to someone else.

As a first step, getting good people and giving them as much latitude as possible is vital. But how do you know they're good? When you hire an accountant or chief financial officer, you examine applicants' credentials, check references and use techniques such as intuition to make a selection. Then you monitor the employee's performance. You engage an independent authority, in this case usually a CPA firm, to evaluate your accounting systems, and you invest in training. Are your technology resources so much less important than your financial resources that they don't deserve similar vigilance?

Can you personally assure that the seeds of the next Y2K problem are not being sown? Probably not, but through auditing and training you can expose your staff to experts who will find the next vulnerability long before it becomes a crisis.

Here's what you can do:

  • Hire real experts, and make security a full-time job.
  • Insist that they periodically use one of the many commercially available scanning tools to evaluate your network and report to you what they found. If they found nothing, have them try another tool.
  • Make sure your systems are audited periodically by an outsider.
  • Invest in training. No professional can stay current without guidance. The hackers are learning new tricks every day.
  • Subscribe to a security information clearinghouse like Carnegie Mellon University's Computer Emergency Response Team (www.cert.org) or one of the government CERTs.
  • Don't overlook internal threats. Y2K was not the evil plot of some outsider.
  • Develop a recovery plan. The question is not whether you will have an incident but when.

Most important, nothing is more effective than periodic requests for briefings on the state of your systems. Ask where the vulnerabilities are. If you are told that you have nothing to worry about, worry.

Franklin S. Reeder heads The Reeder Group, a Washington-based consulting firm, after more than 35 years in government. Contact him at freeder@govexec.com.