Q&A: David M. Wennergren
Change Leader
Making Data Visible, Accessible and Understandable
David M. Wennergren
Deputy Assistant Secretary of Defense
(Information Management and Technology),
DoD Deputy Chief Information Officer
David M. Wennergren has served as the deputy assistant secretaryof defense for information management and technology/deputy chief information officer since November 2006. He is responsible for providing top-level advocacy in creating a unified information management and technology vision for the Department of Defense and ensuring the delivery of the capabilities required to achieve the department’s transformation to net-centric operations. In addition to his duties as DoD deputy CIO, Wennergren is the vice chair of the Federal CIO Council. He also serves as the chair of the Department of Defense Identity Protection and Management Senior Coordinating Group, which provides senior oversight and coordination of biometric, smart card and PKI initiatives across DoD.
Before coming to the Office of the Secretary of Defense, Wennergren served for four years as the Department of the Navy chief information officer (DON CIO) and as the department’s critical infrastructure assurance officer. Prior to becoming the DON CIO, he served for four years as the DON deputy CIO for enterprise integration and security.
Wennergren received his bachelor’s degree from Mansfield State University, and his master’s degree in public policy from the University of Maryland. He has received the Department of the Navy Distinguished, Superior and Meritorious Civilian Service Awards, the Secretary of Defense Meritorious Civilian Service Award and the Office of the Secretary of Defense Exceptional Civilian Service Award.
Wennergren was interviewed by MIT Editor Harrison Donnelly.
Q: Until a few months ago, you were the Department of the Navy CIO. How do you see your role changing now that you’ve become the deputy assistant secretary of defense (information management and technology)/deputy CIO of the Department of Defense?
A: The good news is that, in assessing the priorities for the DoD CIO team, we were working on the right set of initiatives at the Department of the Navy. In a sense, the new job gives me an opportunity to put my money where my mouth is, so to speak. In my Department of the Navy life, I had to help ensure that the Navy and Marine Corps worked effectively together. Now, I get to help ensure that there is enterprisewide alignment of the efforts of all of our armed services.
Q: Speaking of priorities, you recently identified a list of Top 10 IT priorities for DoD. Number one on the list, at least as they appeared in print, was developing a net-centric data strategy. How would you characterize the importance of this area?
A: At the heart of our DoD vision of net-centric operations is the recognition that there has been a fundamental shift in the world of information technology to understand the importance of enhancing the flow of knowledge across the DoD enterprise. So much of the benefit of net-centricity comes from the simple message of knowledge management: If the right information is available to the right person at the right time, better, quicker and more effective decisions will result. Knowledge flow happens when we move away from the world of stand-alone and stovepiped data bases to actually being able to serve up data to be shared, and that’s why the successful implementation of our net-centric data strategy is so important.
The implementation of our data strategy is paying huge dividends, with communities of interest [COIs], springing up across the department. Our Maritime Domain Awareness COI brought together the Navy, intelligence community, Coast Guard, Department of Homeland Security and the Department of Transportation to make data on commercial and military vessels exposed and available. Rather than spending millions of dollars and taking years to build yet another IT system to replace the existing databases and systems, we were able in a few short months and a few hundred thousand dollars to dramatically improve vessel tracking and awareness across government. The premise is simple—organizations interested in a common issue get together to make data visible, accessible and understandable. I view the successful implementation of our data strategy as one of the most important near-term deliverables in achieving our vision of net-centric operations.
Q: So then how does your data management effort relate to other on-going DoD and federal efforts to improve information-sharing?
A: Our net-centric data strategy and soon-to-be-published netcentric services strategy provide the key tenets and direction that will allow us to successfully take advantage of Web services and service-oriented architecture [SOA], and drive us to rapidly become more net-centric. We recognize though that there are a number of other changes that must take place to truly embrace an informationsharing culture—issues such as policies, processes, education and training, and cultural change. So, in parallel to our data and services work, we have also published a DoD information-sharing strategy and are working on an accompanying information sharing implementation plan to tee up the other specific actions that must be achieved in addition to our data work.
Q: Where does the department stand today on the topic of enterprise software?
A: The work of our DoD Enterprise Software Initiative [ESI] has been of tremendous value to the department. DoD-wide enterprise licensing agreements leverage our buying power, provide needed capabilities more quickly and reduce administrative burdens for both government and industry. We have agreements in place with dozens of companies that have resulted in cost avoidances to the department of more than $2 billion. I’m very excited about one of our ongoing ESI effort, which is co-branded as a federal government SmartBuy initiative for data-at-rest encryption products. It’s a truly groundbreaking effort that will address the critically important issue of protecting data on laptops, PDAs and so on.
This will be the first DoD ESI/SmartBuy initiative that will not only be available for all federal agencies, but also to state and local governments as well, helping to raise the bar on security as well as reduce costs for government agencies across the nation. We’re also very proud of the work that the DoD team has done with Microsoft to develop a secure configuration of the Vista operating system for use across government. So it’s not just about leveraging our buying power to reduce costs, but also focusing on making sure we’re buying the right things.
Q: How do you view the importance of portfolio management?
A: Portfolio management is extremely important for a number of reasons. Portfolio management efforts typically begin with a focus on being good financial stewards, investing in the right IT solutions and avoiding unnecessary duplication. The power of portfolio management, though, is its ability to serve as a forcing function to align the activities and behaviors of our enterprise. Good portfolio management helps you focus on your key missions and processes and understand the things that you currently own, and gives you a road map for the future capabilities and processes that you’d like to see in place.
While portfolio management has been tremendously helpful to us in getting rid of the legacy applications and networks that we no longer need, even more importantly, it has allowed us to re-prioritize our investment decisions to move away from the status quo of legacy mainframe and client-server solutions to the Web-based solutions that are our future. Portfolio management has also helped to improve the security of our networks by moving away from the less secure legacy networks of our past to newer solutions that have considered security from their inception rather than as an afterthought. In addition, these efforts have helped us improve configuration management, and also address the issue of when is the right time to buy or develop the one big system, versus when is the right answer to go after smaller, standards-based solutions that plug into the broader information grid.
Q: What perspective do you bring to your job as a result of having been a military department CIO?
A: For decades, we have embraced a management philosophy and organizational structure that favored centralized policy and decentralized execution, under the premise that decentralized organizations promote agility and being “close to the customer.” The challenge, though, is that decentralized organizations tend to fall into a pattern of local commands developing local solutions to meet local needs. While these local solutions were originally built for all of the right reasons, in our Web-based information age, they create unnecessary duplication of effort, perpetuate stovepipes and miss out on opportunities to create enterprisewide solutions that will enhance information sharing and be more effective and efficient.
To truly be a net-centric organization, we must focus on creating products and solutions that align our efforts to be a part of the broader DoD/joint enterprise. So I’ve learned that a measure of an effective IT leader is to be able to work across organizational boundaries to get people to function in highly effective teams that address not only technology issues, but also issues of cultural change. One of the keys to our success in becoming net-centric will be our willingness to give up the personal control of building and running our own systems for the sake of the benefits that are attained by moving to enterprisewide solutions.
Q: As the Department of the Navy CIO, you were a leader in development of DoD identity-management policies and solutions. Are you satisfied with progress in this area?
A: I am thrilled with our successes in deploying the DoD Common Access Card [CAC] with its public key infrastructure [PKI] digital certificates. It’s one of the most successful smart card/PKI implementations in the world, with more than 12 million cards issued and a current user population across DoD of over 3.5 million people. I think that sometimes we don’t appreciate what a great example it is of the military departments and defense agencies banding together for the common good. Ten years ago we were on a path to have dozens of stand-alone smart card and PKI solutions that would not have been interoperable.
The fact that we have a single solution working across all of DoD is a great achievement. We see the dividends of the hard work that went into this on a number of fronts. We can see the improvement in the security of our networks that has come from replacing user IDs and passwords with cryptographic log-on using the CAC and its PKI certificates. Similarly, Website security has been enhanced as the CAC is used in lieu of user IDs and passwords. We have replaced laborintensive paper processes for travel, personnel, financial management, and so on, by replacing pen and ink signatures with digital signatures using the CAC. We have also raised the bar on physical access security at our bases and addressed privacy concerns through our identity management work. Our CAC/PKI effort has also positioned us to continue to be a federal identity-management leader as we implement Homeland Security Presidential Directive 12 across government.
Having said that, you can of course never rest too long on your laurels, and there is still much more to be done to achieve our vision of identity dominance. We have a vision of a future where the barriers of separate networks are broken down and information that an individual needs is able to be quickly found and understood. To achieve this vision, we have to be successful at three related efforts: identity management, attribute management and data management. I first must be able to prove that I am who I say I am as I enter the Global Information Grid. This is the focus of our efforts with PKI, CAC and biometrics. Second, the net needs to understand and be aware of the attributes about me that would entitle me to see and use information. Attributes could include such factors as citizenship, security clearance, roles and communities of interest. We are beginning to make progress in this area with our ongoing work in attribute-based access control, but more still needs to be done. Third, we have to fully embrace our data strategy, which says that I will be able to find, access and understand all of the information that I need to do my job.
Q: You’ve mentioned security several times in this interview. What are the most pressing information security issues facing DoD?
A: The nature of the threat and the sophistication of the attacks on our networks are constantly growing, and information security is clearly one of our top priorities. The interesting thing is that some of our information assurance priorities have shifted as we have migrated to enterprise solutions that are available over the Web. In a world where local stand-alone systems have been replaced by authoritative databases available over the Web, information assurance priorities must now focus on the survivability and sustainability of our networks and the Internet—that is, being able to get to the enterprise portal to conduct a transaction, and then also ensuring the integrity of the information that is available over the Web. The nature of continuity of operations plans changes in a Web-based world, and regardless of whether it’s because of a natural disaster, pandemic flu or any event that doesn’t allow someone to get to the office to do his or her job, having a strong understanding of how to work effectively from home, on the road or from an alternative site is crucial to our success.
I’d say that our two top CIO priorities are information sharing and information security. I sometimes hear people refer to a “balancing” of these two efforts, but in reality it can’t be a balancing act. We can’t operate with a mindset that says we have to choose between more security or more information sharing. Instead, we have to be extremely successful at both. We have to continue to raise the bar on information security while we recognize, encourage and facilitate ever-expanding and non-traditional sources of collaboration and information sharing.
In a vacuum, security can be improved by more and more isolation from the outside world. If instead we make as our priority the need to share information, then we will focus on security solutions that encourage and foster secure collaboration. You know what they say, ultimate security is total isolation. However, if done improperly, the fact that no one can break into your network will also thwart the ability of our people to get out and find the knowledge they need to do their job. In essence, you will have created a self-inflicted denial-of-service attack. In today’s world, your security efforts must recognize the power of information sharing and focus on improving the security of both your networks and systems and the networks and systems of those with whom you do business. In the information age, we are truly all in this together.
Q: You use the word “enterprise” a lot when referring to the transformation that DoD is embarked upon. What are the issues that you are currently facing as you work to get the department to function as a single enterprise?
A: It’s an incredibly large enterprise, with 3.5 million people spread around the world, often in very difficult and challenging situations and environments. Every day, brave men and women serve this nation in the armed services, and risk their lives in harm’s way to maintain our freedom and way of life. We’ve made progress in working together as a joint team over the years, but there is still a lot more to do. We have adopted the tenets of netcentric operations, enterprise portals and Web services. People can get to self-service transactions and authoritative databases in ways never seen before. But we still have a ways to go to align our efforts, to behave like a single enterprise. We are each part of an enterprise that is much larger than our current command or organization.
The solutions that we develop must take into consideration the needs to work across DoD, with our allies and coalition partners and across federal, state and local governments. And, as we replace local, stand-alone solutions, we must rapidly adopt these solutions, and not delay gaining the benefits of working on common, interoperable solutions. Our soldiers, sailors, airmen and Marines must be able to gain access to new solutions much more quickly. We must develop processes that allow us to test, certify and accredit enterprise solutions once for all of DoD, rather than testing the same solution over and over again for each component. Similarly, once we’ve agreed to an enterprisewide policy on something like using CAC/PKI for secure Website access, then we have to stop building new Web solutions that don’t comply with the policy.
I think there are two key issues that we must remain focused on: alignment and execution. First, we must strive to ensure that we are aligned as a DoD team. There is a horrendous drag on traction and productivity when organizations fail to align to a shared vision. It’s crucial that efforts be aligned to a meaningful strategic plan, and that individuals are aligned to the needs, values and priorities of the larger team. It’s only as we move away from a “what’s in it for me” mindset that we will move towards doing what’s best for our joint warfighting team. Second, once you have an aligned organization working on a coherent strategy, you have to ensure that you have put into place a “results based” culture. The things that we measure are the things that we focus on. Effective, outcome-based performance measures are crucial to stay the course and make effective progress towards achieving your goals.
Q: So it sounds like cultural change issues are at the heart of much of the work that you are doing.
A: Absolutely. I think the “C” in CIO is all about change. We are in the midst of a profound transformation in the Internet age. Each of us must be a strong force for positive change, and have a good understanding of how to deal with cultural change issues. As information technology leaders, it is so easy to focus on the vast array of technological issues that face us today. But I believe that the single greatest challenge facing us is to effectively lead change across the organization. While we have to understand technologyrelated issues, the vast majority of your time as an IT leader will be spent dealing with cultural change issues.
It is human nature to be comfortable with the way things have been, and we became extremely comfortable with the notion of being decentralized organizations where local solutions were built to meet local needs. The information age provides us the opportunity to change that, but we each have to be willing to step out of our comfort zone. We must each recognize two things. First, no matter where you work in an organization, you are a change leader. Second, as an IT expert you will set the example that others will follow. You will set the tone that others will embrace. You must be a source of positive energy for those around you. If you are too cynical or too timid about the path ahead, it will resonate and magnify in the hearts and minds of those around you. In their book, “Execution,” Larry Bossidy and Ram Charan remind us, “Leaders get the behaviors that they exhibit and tolerate.”
I believe that there is great power in functioning as a highly effective team. Each of us has the ability to set the tone and put into place the structures that will allow our organizations to effectively face change. We must never lose sight of the fact that as leaders, we each have a “covenant relationship” with the people with whom we work and the organizations of which we are a part. We each have an obligation to create an environment where people are supported, encouraged and challenged, in an environment that fosters innovation and creativity. Information technology leaders must focus on helping their organizations to understand the need for change and to unlock the potential in their teammates to find the best path to the future. Leaders help others find and use their gifts and talents, and achieve their true potential. Leaders listen and seek to understand, and by ensuring that their teammates are supported, encouraged and challenged, we can all move beyond our comfort zones to achieve breakthrough results. ♦
