The Navigators

Chief information officers must steer clear of security breaches and hacker attacks while scanning the horizon for innovations to improve performance.

More than a year after a massive data breach at the Veterans Affairs Department put chief information officers across government on high alert, safeguarding systems from hackers and streamlining platforms for authorized users remain the top priorities for agency information technology gurus. But the two mandates pull in opposite directions: one requires fast response and preventive action, the other takes forethought and prognostication. Only CIOs who are adept at both can negotiate rough waters and keep their agencies on course.

The May 2006 theft of a VA laptop that contained the Social Security numbers of 26.5 million veterans capped a series of high-profile public and private sector data loss slip-ups, outraged lawmakers and privacy advocates, and propelled agencies into action.

Since the breach, CIOs have gotten good at negotiating rapids without ending up in the drink, says Karen Evans, Office of Management and Budget administrator for e-government and IT. They must "balance the risk of providing services and sharing information with information assurance and securing systems." Successful CIOs embrace the challenge and integrate IT security in their missions, Evans says.

For Stanley Lowe, the Federal Trade Commission's acting CIO, data security is "the first and most important thing I think about." FTC holds reams of highly sensitive records, including internal corporate memoranda, companies' pre-merger papers and files on identity theft victims. "We have to build security into our work while simultaneously re-examining our posture," he says. "Can we do it better? Are policies too restrictive? Are they not restrictive enough?"

Lowe, who is spearheading a massive overhaul of the commission's IT architecture, works closely with privacy and security chiefs "to make sure I'm not driving us off a cliff" with his ambitious agenda. The self-described "geek at heart" in May replaced Stephen Warren, who left to be deputy assistant secretary at the Veterans Affairs Department Office of Information and Technology. Lowe rolled up his sleeves to help overhaul the FTC's Web site and supervise the construction of a multimillion-dollar data center at FTC's aging Pennsylvania Avenue headquarters in Washington.

Commerce Department CIO Barry C. West also kicked off big projects when he assumed the post last year. For 10 months, he oversaw the agencywide encryption of more than 35,000 laptops and countless handheld devices. He also launched an e-mail consolidation program that eliminated the need for seven disparate systems. The Office of the Secretary's switch to Microsoft Outlook should be complete by late September and other divisions will convert throughout 2008.

West cites security as his biggest concern, followed by IT workforce issues. Making sure technical employees receive training to stay current and devoting adequate time and energy to strategic planning are critical, he says. "So often we get caught up in the day-to-day work and we forget to take time out to look at the big picture," West says. "We spend much of our resources in the operational mode. It's difficult to plan for the future."

At the Education Department, CIO William Vajda believes data insecurity has "put an appropriate emphasis on the kind of investment and attention we need to pay to the stewardship of information in today's day and age." Vajda, who got the job last year, says IT chiefs "need to make sure we're handling data in a prudent way," especially amid calls for information transparency. IT personnel at his agency also have made great strides "in the area of making technology more ubiquitous" while managing security, he says.

'Third World IT'

The State Department has had to get creative, too. The agency has a unique challenge since much of its technology is half a world away at 265 embassies and consulates around the globe, says CIO James Van Derhoff. That is why one of his main missions is mobile computing. Giving employees remote access to e-mail and unclassified networks at home as well as while traveling "has been a real boon to productivity," he says. About 8,000 State staffers are mobilized and the gains have been tremendous, Van Derhoff says.

When teams were deployed to Sudan's troubled Darfur region and could not set up a local communications infrastructure, they accessed State systems via satellite telephones. And when a truck bomb rocked Karachi, Pakistan, and it was too dangerous for embassy employees to get to work, they were "totally productive, but safe at home," he recalls. State also must contend with Third World IT systems. "I doubt that the CIO of the Interior has to worry about brownouts on a constant basis" or bandits stealing embassies' copper wiring, says Van Derhoff, a career diplomat.

He has firsthand knowledge of the difficulties associated with managing government technology abroad. For more than 30 years, he served in many parts of the world and most recently directed a regional IT center that provides support to State employees in 85 countries.

Keeping State's overseas workforce trained to use the latest technologies also is a challenge, but distance learning has helped. In 2002, only about 1,500 employees completed electronic coursework offered by the Foreign Service Institute. Last year, the number soared to more than 11,000, he says.

'Keepers of the BlackBerrys'

Lisa Schlosser, the Housing and Urban Development CIO, is equally proud of her office's recent work in the field. Her pet project on the heels of Hurricane Katrina was creating a nationwide database of available, affordable rental properties. HUD partnered with the Federal Emergency Management Agency on the effort, she says.

The National Housing Locator, populated with data from commercial and nonprofit Web sites, was so successful that VA has started using it to find homes for veterans, she says. The Web portal ushered in a new era of "federated search" at HUD. This capacity to simultaneously search a number of databases is at the heart of HUD's enterprise income verification system, which was fully deployed last year. It allows public housing administrators to visit a single source to verify the income levels of housing applicants, Schlosser says. The Health and Human Services Department had the income data, and HUD got permission to tap into it. During the program's short tenure, it already has decreased improper payments by half and helped the agency get off the Government Accountability Office's high-risk list, where it languished since 1996, she says.

The true challenge for government CIOs, Schlosser says, is "to continue to grow as a business leader and understand the business you're supporting." Agency IT chiefs once were seen as keepers of the BlackBerrys, she says, but now they need a seat at the CXO table to help departments meet strategic goals.

Modernizing HUD's legacy systems while rolling out new technologies (Web-based data-swapping tools, for example) takes up much of Schlosser's time. Reengineering the agency's mature mainframe to meet new business requirements is a constant pressure, she says, noting that some parts of the department's IT infrastructure are 20 years old.

Schlosser is one of only a handful of government CIOs who have stayed on the job since a gaggle of them graced the cover of Government Executive's June 2005 issue, OMB's Evans points out. "I'm not sure what that means," she laughs. "All the rest have retired or left the IT profession in one way or another." Studies show the average tenure of a government CIO is 18 months to two years, so the math seems to be about right, she says. Even Schlosser, a military reservist, soon will leave her post for a year's deployment overseas.

Staying Off the List

In the four years since Evans has been at her post, she has observed a lot of progress in transparency. The governance of governmentwide IT initiatives is more upfront now, as are the funding mechanisms, she says. One big accomplishment has been publicly releasing OMB's management watch list on a quarterly basis. Public release means anyone can see how agencies compare when it comes to correctly planning IT investments, Evans explains.

OMB also routinely makes public its high-risk IT project list, which is aimed at ensuring that agencies and programs meet their intended goals and produce results. The roster does not necessarily reflect projects at risk, but instead documents those requiring special attention from agencies' top brass. In recent years, accountability for IT systems has been institutionalized throughout federal agencies and offices. "Can it improve? Absolutely," Evans says. "But when we walk away at the end of this administration, it will be hard to stop the momentum."

Andrew Noyes is a senior writer for National Journal's Technology Daily.
