What can I learn from a Defense Industry CIO?
The challenges faced by Defense Industry CIOs are, in many ways, similar to those of any other CIO, but in recent years some important differences have emerged. Being cognizant of what it takes to be an effective CIO in the Defense industry might help others improve their edge even if they lead in a different environment. For years CIOs have been told they have the background, perspective, talent, and imagination required for their companies to succeed. Today all it takes is one small slip and you are out of a job, or worse – you become utterly irrelevant.
Let’s start with the obvious – cybersecurity. In the industry there is a saying: if you claim that you haven’t been hacked, you are either a liar or a fool who is not aware that he is being hacked. For Defense companies, recent federal government regulations require them to follow the NIST 800-171 framework for protection, regardless of corporate size. This framework consists of 109 cybersecurity directives that the industry must follow by no later than December 2017. In the meantime, each time a Defense contract is won, the winning company must provide the DoD CIO a list of all directives that have yet to be implemented.
Cyber threats come from all the same sources that often attack “regular” companies (e.g. thieves, ransomware, scammers, etc.), but Defense CIOs must also deal with hacktivists who on principle oppose the U.S. military, other nations (even those called “friends”) who are actively trying to spy on American technology, U.S. enemies looking for payback for some real or perceived wrongdoing who try to break and destroy the company’s infrastructure, and the insider threat – that rare but real disgruntled employee who wants to throw a cyber-bomb inside the network on his way out.
Since corporate profits on federal contracts are generally limited by the Government and are nowhere near the profits that can be generated in the private sector, the Defense CIO must be very effective in order to provide the cyber protection and technology necessary to stay competitive in a shrinking Defense pie. This means the CIO is under unrelenting pressure to keep IT costs to a minimum in order for the company to stay competitive on its overhead charges.
IT staff, far more than machines, is what most often makes IT expensive. Keeping IT employees motivated and happy minimizes costly turnover, and it keeps proprietary corporate IT knowledge of infrastructure and processes from walking out the door. Some CIOs see this as an impossible task and often don’t even pretend to try. Furthermore, the Defense industry has the additional problem of clearance. IT people typically require security clearances at different levels. Potential new employees with financial problems, bankruptcies, DUIs, or any other less-than-stellar history will not get a clearance and thus are out of the already very shallow pool of applicants. Even when dealing with “angels”, the background checks and interim (temporary) clearance approval process take between 70 and 80 days. How many great potential candidates will hang around waiting for that long?
Considering the CIO’s constraints already mentioned, it is blatantly obvious that extremely low turnover of good employees is one major key to success. In my case, I’ve been able to keep stellar IT staff using some simple, but proven techniques:
1. I promise employees that their jobs will not be boring, and I deliver on that promise
2. I assure them that they will have opportunities to improve their skills and develop their talents
3. I tell them that I cannot pay the highest or lowest salary in the industry, but that I will try to make their work environment as pleasant as possible
4. I ask them to give me their word of honor that they will stay for a minimum of 2 years and tell them that if they fail to keep their word, I will not take them to court or bad-mouth them to others, but that both the employee and I would know that they lack integrity.
At the last point they usually look at me somewhat astonished that I’m taking their word, but the truth is that only one person has failed to keep their promise in over 20 years. Even when they leave 8 or 9 years later, they often say “but I kept my word!”
A final point on staffing is to always be on the lookout for those employees who are not bad enough to get fired, but bad enough to create morale problems with your high performers. Often waiting too long to fix such a problem will create a chain reaction of staff resignations that quickly becomes expensive while setting you back on all your projects.
Although most “regular” companies might invest time in creating dazzling and flashy apps for their customers, successful CIOs in the Defense space instead use those resources to create internal customized automation, allowing the company to minimize IT bodies while providing the same or better IT services to the enterprise. This comes in handy since many of today’s cyber-attacks are automated and humans are not fast enough to respond or to review tedious amounts of data looking for the proverbial needle.
Even with all the restrictions found in the Defense arena, good CIOs will balance internal and external capability to achieve full control of their domain at a reasonable cost. Government-approved cloud services and supplemental temporary IT staffing can give the CIO leverage on expertise, speed, accuracy, and scalability of internal projects. Considering that every aspect of the enterprise is touched by IT, it is imperative for the success of the CIO to stay closely attuned to the cybersecurity challenges while, at the same time, remaining keenly aware of the need to conserve IT staff excellence.