The cyber safety of our infrastructure plays a critical role in the health of our democracy
Mar 13, 2023
Organizational change happens at the employee level, but it requires strong change leaders to guide the effort. Keeping a close eye on access permissions and providing consistent messaging are two key ingredients to achieving success.
I was appointed the CIO for the state of Wisconsin in November 2012. This position also allowed me to serve as Division Administrator for the Division of Enterprise Technology (DET). DET manages IT assets for the state of Wisconsin and provides several technologies to agencies including computer services, voice-data-video telecommunications, and print and mail services. While state CIO, one of my accomplishments was collaborating with more than 30 other state agency CIOs to consolidate all agency data centers into a single enterprise.
I also worked extensively with the Wisconsin National Guard, National Governors Association (NGA), and the Department of Homeland Security to protect 16 Critical Infrastructure/Key Resource Sectors. In 2013, following the multi-agency data center consolidations, I implemented the Zscaler Internet Access solution to improve Wisconsin’s security posture. There are two things my decades of experience in the public and private sectors have taught me about successfully implementing digital transformation:
- The processes for continuously managing access must be as robust and reliable as those that grant or remove access.
- Communication is the difference between success and failure, and leaders must provide clear, consistent, and concise messaging throughout the life of a project.
Continuous access management
Access management must happen across an employee's entire tenure, not just at its start and end. To illustrate the first point, consider the process that occurs when a new employee is hired. They are assigned a PC. This workstation is connected to the domain, configured properly for official duties, patched up, and ready to go. Likewise, the user account is properly provisioned with all the permissions necessary for the employee to complete their work. This onboarding process is generally optimized, as IT teams have repeated the steps hundreds or thousands of times. The same is true of off-boarding. The PC is removed from the domain, the user account is terminated, and all access permissions are revoked. Unfortunately, onboarding and off-boarding are the only two times users and devices are likely to have their permissions properly configured.
Access rights tend to become bloated the longer a person stays at an organization. As people assume new positions and roles they accrue additional access and permissions. What about the old access users no longer need? These rights are often forgotten. Over time, this repeated process inevitably leads to an accumulation of excess access rights. My first piece of advice is to have a continuous process in place to remove unneeded access before it leads to far greater problems.
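As an added illustration (not from the original post), the following Python models the accumulation just described and performs the kind of periodic review the advice calls for: each grant is tagged with the role the person held when it was issued, and anything the current role does not justify is flagged for revocation together with its origin. The role names, entitlements and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed baseline (hypothetical): the entitlements each role actually needs.
ROLE_BASELINE = {
    "helpdesk": {"ticketing-rw", "ad-password-reset"},
    "sysadmin": {"ad-password-reset", "server-admin", "patch-console"},
    "dba": {"db-prod-admin", "db-backup-rw"},
}

@dataclass(frozen=True)
class Grant:
    entitlement: str
    granted_on: date
    granted_for_role: str  # role the person held when the access was granted

def review_user(current_role, grants, baseline=ROLE_BASELINE):
    """Split a user's grants into those the current role justifies and leftovers.

    Leftovers are returned with the role that originally justified them, which
    is what an approver needs in order to sign off on the revocation.
    """
    needed = baseline[current_role]
    keep = sorted(g.entitlement for g in grants if g.entitlement in needed)
    revoke = sorted((g.entitlement, g.granted_for_role)
                    for g in grants if g.entitlement not in needed)
    return keep, revoke

# Constructed history: hired into helpdesk, moved to sysadmin, then to dba.
# At each role change access was added but nothing was ever removed.
SAMPLE_GRANTS = [
    Grant("ticketing-rw", date(2015, 3, 2), "helpdesk"),
    Grant("ad-password-reset", date(2015, 3, 2), "helpdesk"),
    Grant("server-admin", date(2018, 6, 11), "sysadmin"),
    Grant("patch-console", date(2018, 6, 11), "sysadmin"),
    Grant("db-prod-admin", date(2021, 1, 4), "dba"),
    Grant("db-backup-rw", date(2021, 1, 4), "dba"),
]

def sample_review():
    """Review the sample user against their current role (dba)."""
    return review_user("dba", SAMPLE_GRANTS)

if __name__ == "__main__":
    keep, revoke = sample_review()
    print("justified by current role:", keep)
    for entitlement, role in revoke:
        print(f"revoke {entitlement} (granted for former role {role})")
```

Run on a schedule against real entitlement exports, the same comparison turns the one-off off-boarding cleanup into the continuous process the post recommends.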
Consistent, persistent messaging over time
My second recommendation, maintaining consistent communication, is particularly important for leaders and drivers of change. I advise executives to communicate their message seven times in seven different ways. The messaging must be persistent and communicated through multiple venues such as PowerPoint, voicemail, text, email, etc. Throughout the transformation journey, leaders must be clear about why changes occur and keep employees updated on the current progress. Frequently repeating the transformation plan and goals helps head off several common problems:
- Confusion over key terms such as “zero trust” and ambiguity over expected outcomes
- Message distortion that naturally occurs as directives pass through multiple layers of management
- Loss of focus that occurs as people leave the project and new members come aboard
For example, change leadership often starts at the governor's or CEO's office. The executive issues a mandate for change and sets goals for the organization. The order could be as brief as “you will adopt zero trust principles,” or “you will adopt a zero trust philosophy in protecting our assets.” Yet even simple messages can become mangled when projects drag on. Without continually specifying what zero trust ultimately looks like, or how the framework will be applied to business-critical resources, the end result could be disastrous. This is especially true when messaging is passed throughout the organization in piecemeal fashion.
Likewise, many workplaces are organized in a hierarchy. There may be multiple layers of management between those directing changes and those performing the work on the ground. Messaging must remain consistent as it passes through each layer of management. This can be achieved by forming an oversight committee that regularly meets to ensure all stakeholders are on the same page.
While CIO for Wisconsin, I met every Monday with the deputies of major cabinets to reiterate the message and the mission. For four solid years, each deputy returned to their home offices bearing an identical message about what we were doing, how, and why. Keeping everyone informed of the plan and working toward the same goal was critical for our success.
Stay focused for success
Organizational change happens at the employee level, but it requires strong change leaders to guide the effort. Changing technological processes and practices in a large organization is a daunting task, and requires a multitude of skills to accomplish. However, in my experience, keeping a close eye on access permissions and providing consistent messaging are two key ingredients to achieving success.