CHIPS Articles: A Conversation with David M. Wennergren

Prior to the Deputy DoD CIO job, Mr. Wennergren served for four years as the Department of the Navy Chief Information Officer (DON CIO), where he was responsible for the development and use of information management/information technology (IM/IT) for the Navy – Marine Corps team.

On Oct. 26, 2010, Defense Secretary Robert Gates named Teri Takai as the new DoD CIO. As a part of the Secretary's ongoing efficiency efforts, the position of Assistant Secretary of Defense for Networks and Information Integration will be eliminated, and so Takai will serve just as the DoD CIO. Joining her as the new DoD Deputy CIO is former Department of the Navy CIO, Robert J. Carey. Mr. Carey was named Deputy DoD CIO in October. In an interesting twist, this is the third time that Carey has succeeded Wennergren in a position. Carey took over as DON Deputy CIO when Wennergren became the DON CIO in 2002, and then again took Wennergren's place as DON CIO when Wennergren moved to the DoD position in 2006.

An optimist and change-leader, who advocates collaboration, teamwork and process transformation to enable successful IT change, Mr. Wennergren brings tremendous passion and vision to any undertaking. Wennergren was one of an inspired group of naval leadership who led the DON to "think like an enterprise" in IM/IT planning and management.

The Office of the Deputy Chief Management Officer is responsible for Defense Department business process change, strategic planning, performance management, IT acquisition reform and the successful deployment of the department’s large business IT projects, such as Enterprise Resource Planning systems.

CHIPS talked with Mr. Wennergren in November as he prepared to move to his new job and asked him to discuss the role of the DoD CIO and his vision for the future as the DoD's Assistant Deputy Chief Management Officer.

CHIPS: Can you discuss some of the accomplishments of the DoD CIO organization? Some pundits said the organization was hampered in what it could accomplish by its limited authority and lack of resources.

Wennergren: It was a great ride, and the team accomplished a lot. And it went by so fast. I certainly don't think we were hampered by a lack of resources; but rather that we are a part of a huge and complex organization that has had a long history in information management of not always working together as a united enterprise. We're dealing with issues of significant cultural change, trust and the willingness to relinquish personal control. It’s like the old saying: 'If these were easy changes, they would have already been done.'

There are a lot of things that we have accomplished in the last four years that I'm very excited about. We paved the way to be an integrated DoD information enterprise. First we aligned ourselves to a common mission and purpose to create an information advantage for our people and our mission partners. Galvanizing our team, we then developed the first-ever DoD-wide information enterprise strategic plan and roadmap, and are using Wennergrenthese goals, objectives and measures to vet all the IM/IT work done by the DoD to see if it is aligned to the department’s mission and vision. Because if it’s not helping to accomplish our goal, why should we be expending our energy on it? Our strategic planning process is highly collaborative, using a wiki-based approach to ensure that all of the DoD components can collaborate on what the goals and objectives of the plan should be and what the roadmap should look like to accomplish those goals.

Today, it is much less about building another big IT system and much more about understanding how data can be exposed and Web services can be developed rapidly and reused across the organization. We have our net-centric data and services strategies in place, and through the work of our communities of interest, we have seen a number of functional areas that have adopted the idea that if you can expose your data, you can deliver new information capabilities much more rapidly than you would have done in the very recent past.

As you look across the organization, you will see examples of how that data strategy has been put into place. [For example,] in maritime domain awareness, I can get on any DoD computer and immediately see the status of commercial vessels, cargos and crews around the world. Similar advances have been made in Blue Force Tracking and in the ongoing work to find IEDs (improvised explosive devices). And now we have a service being made available to DoD military installations to help assess whether a visitor to a base is a good guy or bad guy before we grant them access — instantaneously and on-the-spot. These are just a few examples of people using the data strategy.

The power of a service-oriented world is that you don't have to automatically replace a legacy system with another big system that takes years to deliver and never delights anyone because it is trying to appease everyone. Instead, you could take advantage of a 'Web services world' where there are core enterprise services that are delivered at the corporate level, like smart cards, public key infrastructure, collaboration, messaging, and more. Local commands don't have to duplicate this work and can then focus their energies on using the enterprise services while they quickly build out the services and applications they need for their specific mission or functional area.

We put into place the first set of core enterprise services that are mandatory for use across the entire Department of Defense: collaboration service, content staging and content discovery. There is now a list of 10 or 12 enterprise services, like people directory services, attribute services, and machine-to-machine messaging services, that are going to be added to that list of core services that everyone has to use.

As individual organizations use these enterprise services, rather than try to duplicate them, they can focus their energy on bringing innovation and improvement to their areas of expertise. If you are the logistician, you can build logistics services, and if you are the meteorologist, you can develop weather services and you can post the services where they can be reused and improved by others.

I am thrilled with the work the Defense Information Systems Agency has done to help make this vision a reality. They have their first cloud computing offering called RACE, the Rapid Access Computing Environment. DISA also created Forge.mil, which is the common development environment where you can develop and test your applications in the environment in which they will have to operate, and then you can post the code for reuse.

There is a lot of work bringing us together to function as an enterprise rather than as individual stovepipes or as individual components. This year we had a great partnership with the intelligence community, who owns physical security policy for the Department of Defense, to create a Web service that will be available to every gate guard on military installations so that when somebody wants access and they swipe their identification [card], it will reveal whether or not there are outstanding warrants on them or if they are a suspected terrorist. These kinds of uses with data being available real time as a service anywhere are some of the things that I am really excited about that we have accomplished.

We have turned a corner on recognizing that the Web 2.0 phenomenon is the way business will be done and not just a quality of life issue or a way of keeping track of friends and family. It really is the way that work will get done in the future.

We published for the first time ever a policy on the use of Internet-based capabilities like social networking services so that we could both improve security and ensure that our people have access to the tools they need to get the mission accomplished. It was an effort that has helped our organization begin to embrace the idea that security in the 21st century can’t be just reactive, we can't just block access to websites and assume that people will still be able to get their job done. Instead, we have to recognize that people need to have access to things like social media and social networking services and use them appropriately. Through a combination of educating and training our users, coupled with technology tools, like content filtering at our gateways, you can have an informed and protected workforce that can still watch a YouTube video or connect with somebody on Facebook to get the mission done.

We also published guidance to help people recognize that open source is a viable option and should be considered in new development work. In addition, the Enterprise Software Initiative, co-chaired by my office and the Department of the Navy CIO team, has been a huge success, and continues to pay big financial dividends for us. Through the use of enterprise licensing agreements, we are up to about $4 billion in cost avoidance for the department over the last decade.

We have done a lot of work with architecture so that for the first time ever we have a DoD Information Enterprise Architecture, a strategic-level architecture that all mission areas and all DoD components have to comport with, which allows users to comply to common business rules and then build reference architectures and solution architectures within their organizations. Likewise, we have done work to improve the DoD Architecture Framework so that people can have the right kind of architecture artifacts. If you are doing an Enterprise Resource Planning solution, you will need different architecture documentation than if you are developing a Web service.

Another thing that I am very excited about is the importance of the workforce of the future. The DoD CIO team was instrumental in putting together (on behalf of the whole Federal CIO Council) a Net Generation workforce report. If you haven't had a chance to look at it [ www.cio.gov/pages.cfm/page/Recruiting-the-Net-Generation], I would commend it to you. I think it came out well. We had a partnership with Don Tapscott, the author of 'Wikinomics' ['Wikinomics: How Mass Collaboration Changes Everything'], 'Growing Up Digital' and a number of other books. I think it is valuable wherever you work, whether you are in government or industry, whether you are an IT leader or any federal manager, to understand the Net Generation, which is the primary workforce that we would like to attract and retain.

Baby boomers like me are getting ready to retire and Generation X, which comes after my generation, is a smaller population. In the Millennial Generation, or the Net Generation as Don Tapscott refers to them in his work, there is a larger population and they are going to fill leadership positions at a younger age as baby boomers leave the workforce. The good news is that the Net Generation has a desire for public service; the bad news may be that if you don't provide them with the tools and technologies they use to manage their lives, and you don't give them the right kind of leadership opportunities, and encourage and mentor them, they may not stay. I think it is a challenge that we all need to be thoughtful about. In the guide there's some good information to help you understand the values, norms and beliefs of the Net Generation, as well as showing you how you can use the federal system to be an employer of choice.

I do love change management, and that's why I am really excited about the Deputy Chief Management Officer team.

If you look at the traditional portfolio of many CIOs, a lot of the work that I have enjoyed most is the work that CMOs do. The DCMO team is responsible for business process change, business process reengineering, strategic planning, change performance management, and planning the future for business IT capabilities. It’s a tremendous opportunity to look at the end-to-end processes of the department, and focus on process improvement first and then insert technology appropriately to deliver new capabilities much more rapidly.

CHIPS: In your time in the office of the DON CIO and as DON CIO you led the Department of the Navy through transformational IM/IT business processes and improvements such as the implementation of the Navy Marine Corps Intranet, the combination of Common Access Card/PKI use and partnership in the Enterprise Software Initiative. As you look back, have these changes met your expectations?

Wennergren: With any change management issue, particularly the ones that are big, you can always reflect back and see that there are a lot of things that you might do differently. The Common Access Card and public key infrastructure certificate use has been a very positive thing for the Department of Defense. Mary Dixon, the Director of the Defense Manpower Data Center and a true leader in the identity management field, called me the other day to remind me that Oct. 6, 2010, was the 10th anniversary of the issuance of the first Department of Defense Common Access Card. At that time, I was the DON Deputy CIO, Dan Porter, my mentor and great friend, was the CIO and Rob Carey, another great friend, was our e-business and smart card team leader. Look how far we have come!

We have 3.5 million people that use the CAC for cryptographic logon to the network, which has significantly reduced successful password cracking into the networks, which is a big deal. It costs a lot of money to clean up when people break into the network. Raising the bar on security with cryptographic access and helping to move away from a world where you have hundreds of websites, all with different user IDs and passwords, as well as being able to use the cards for legally binding digital signatures, are other key accomplishments. You can move away from all those labor-intensive paper processes. I can sign a travel claim and have money in my bank account 24 hours later, and this can only happen because of things like the Common Access Card and its PKI credentials.

On the physical access front, aligning the use of the Common Access Card for access to military installations and coupling that with services that are available to let you know if someone is still a valid member of the community and eligible for access is another important use of the technology.

There is a fascinating dichotomy of change. Some change management efforts are best done locally in an evolutionary approach to change management where you can keep it small and agile with local people involved who have a strong sense of ownership. Whenever it is possible, change that starts locally is always a good thing because it has grassroots support.

But some of the fundamental changes that we have gone through can't happen if they are only done locally, one by one. While you can get people excited about building Web services instead of buying big IT systems locally, we would not have a single Common Access Card if we tried to implement this change locally. Sometimes you have to have a revolutionary change strategy where you just demand change of the entire organization. If you hadn't, you would have 100 different PKI solutions, they wouldn't be interoperable, you wouldn’t be able to share signed e-mails and build interoperable systems that use digital signatures and do all the things that the CAC and PKI give you the power to do.

CHIPS: I read that the DoD may add multiple functions to the CAC to transform it into a debit card to reduce the number of cards personnel must carry. Do you forecast any other leaps in functionality in technologies that the department is using right now?

Wennergren: Yes, we are continuing to expand use of the CAC, which also has a contactless capability on it; we haven't used it a lot yet, but we will be using it more and more. You will be able to use the contactless capability on the CAC to access a building or ride the Metro if you live in the D.C. area instead of having a separate Metro card. We’re also looking at using the CAC to replace the other cards we use for financial transactions aboard ships or on military bases. These are the kinds of things that can happen once you get an enterprise solution into place.

Can you continue to improve how you implement these efforts? Yes. Should you take time to learn from what has happened in the past? Absolutely, as long as you remember that the pace of change is relentless, and your learning about how to improve on the past is at a rate that keeps pace with the technological changes that surround us.

NMCI is another good example of learning from the deployment of an enterprise solution. I firmly believe that the Navy is better off by having implemented the Navy Marine Corps Intranet. There were hundreds, literally thousands of networks, 100,000 legacy applications, differing security models, and absurd tech refresh rates — horribly long for operational commands because operational commands did not have the money that well-funded RDT&E (research, development, test and evaluation) and Working Capital Fund activities had. And there are also lots of valuable lessons learned about how the program was implemented and how it could be improved.

I think the power of performance-based contracting, the power of doing things as an enterprise, like enterprise e-mail, the power of using NMCI as a forcing function to eliminate duplicative applications and networks, the power of moving away from fragmented security architectures on individual bases and moving away from local active directory forests are all things that the other military departments are working on now, and these are all things that NMCI helped bring to the Navy and Marine Corps team years ago.

So there is a lot of positive [change] that came out of NMCI. And it's also true that the world has changed a lot, and the Navy and Marine Corps team has also learned from the aspects of NMCI that didn't work as well in a very joint and fast moving world. And these lessons learned will help the team do even better as they [DON]move to the Next Generation Enterprise Network (NGEN) initiative.

In another example about how enterprise initiatives need to continue to change, in the early days of the Enterprise Software Initiative, the focus was on aggregating known buying demand. If you were going to buy 50 licenses from Oracle, I was going to buy 100 licenses, and someone else was going to buy another 100, we could aggregate demand and try to get a better deal. Then the licensing [model] began to evolve from only aggregating known demand to creating enterprise-wide licensing agreements for the Department of the Navy, recognizing that you could get an even better deal if you license your entire organization.

And now our strategy has matured even further, allowing us to do things like the Data at Rest Solutions enterprise licensing agreement [see page 50], where we also picked the products that best met our needs and put into place a vehicle where you can buy only those products. And by the way, we made that contract available to every federal, state and local government in the country so that everybody can benefit from this leveraging of our buying power.

In spite of some of the hype around service oriented architecture, Web 2.0 and cloud computing — they will be fundamental technology changes for the department — and we must take advantage of them. If we understand and use them effectively, we will deliver information capabilities much more rapidly, we will be more agile — and we will delight our customers.

Successful use of service oriented architecture allows you to build Web services and applications much more quickly than you can build big IT systems. If you think about maritime domain awareness, when we want to learn more about commercial vessels and their cargos and crews coming into harbors, we could have tried to replace all the legacy systems in the Navy, intelligence community, Department of Transportation and the Coast Guard with some big new system, but we recognized that it would take years. The right thing to do was to expose data so you could quickly mash things up, overlay it on something like Google Earth and have a result immediately.

So I can go on any DoD computer and stick my Common Access Card in and have situational awareness about maritime domain awareness from any workstation. That's powerful — and it doesn't have to take 80 months to do a big IT system. There is this democratization of technology taking place where a young Navy lieutenant or Air Force major can build a Web service, post it someplace like Forge.mil, where it can be reused in Apps for the Army or the DoD Storefront, and other people can use it, reuse it and build upon it. That kind of stuff happens overnight rather than in weeks or months.

Then if you explore the power of cloud computing, which eliminates a bunch of data centers that are underutilized, over cooled and fragmented, we will reduce costs. And if you could move your desktop into the cloud, use thin clients, where appropriate, be connected from anywhere, and be able to find the people and information that you need to get your job done whether you’re on the road or at home, not only will it improve information sharing but it will also improve security. We spend a lot of money to secure the desktops and laptops that we put in offices. There is a sort of ‘perfect storm’ of technology around the power of cloud computing, the Web 2.0 phenomenon and using a service-oriented approach. If we sync those together we will come up with a world that allows us to go from years to getting new solutions into place to days and weeks.

CHIPS: Do you have a 90-day plan or any immediate priorities as you take on your new job? Does IT play a major role in your vision for improving business processes?

Wennergren: One of the big priorities for the DCMO team is optimizing the end-to-end business processes of the Department of Defense. This is an important shift from our traditional view of only looking at things within functional or organizational stovepipes. If you think about process change first, then you can decide how to insert technology at the right moment rather than what we have done in the past, which is to become enamored with building an IT system.

Rather than focusing first on building a system, we should look thoughtfully at what capability we want to deliver. There are a couple of things going on now that will be helpful in this regard, one is IT Acquisition Reform. Section 804 of the [National Defense] Authorization Act for Fiscal Year 2010 had a provision about reforming IT acquisition, which is another initiative that the DCMO team leads. It will be an end-to-end look about how you determine requirements, how you spend money, contracting, testing, program management and governance.

We are going to look at things differently in order to deliver information capabilities more rapidly. If you think about the result that you want to achieve, you might use a different process. If you decided that you wanted to build an ERP [system], the steps to do it would look significantly different with a lot more oversight and rigor because of the amount of money that you would spend and the complexity of the effort. Deploying a Web service or buying a managed service would have a quicker timeline and a different set of steps.

The IT Acquisition Reform work will be one of the big things we will be working on as well as the IT Consolidation Roadmap. Partnering with the CIO team, there are a number of consolidation and alignment actions that will create an integrated 'DoD Information Enterprise' that aligns the activities of all of our DoD components, as well as increasing effectiveness, improving security and reducing costs. There is clearly great synergy between CIOs and CMOs and information is at the heart of it.

I don't have a 90-day plan. I am going to jump on board and see how I can help Beth McGrath (Elizabeth A. McGrath, Deputy Chief Management Officer for the Department of Defense) with the big portfolio of work that she has. We are hoping to have the IT Consolidation Roadmap to the Secretary of Defense before the end of the calendar year. The IT Acquisition Reform Task Force work is ongoing and should have clear deliverables this fiscal year. We’ll also be looking at some end-to-end processes for the department, like 'procure to pay' and 'hire to retire.'

While we have this vision of using more Web services and cloud computing, we still have some big IT systems that are still in the process of delivering. Every one of the military departments has ERPs, and we’ll be helping to make sure those initiatives deliver value and deliver quickly.

In addition, there are some opportunities in aligning strategic planning efforts of the department and focusing efforts on performance management with outcome-based measures to assess the progress of our plans.

CHIPS: Because of DoD's stringent security requirements, the department traditionally has had to delay in deploying new technologies. Are there any emerging technologies that you are watching for possible implementation in the department?

Wennergren: The pace of technology changes so fast, there is always something new going on. We are already taking advantage of the Web 2.0 world, the powers of mass-collaboration and social networking, and the ability to expose data and do mashups overnight rather than spending months or years to build an IT system. This is a radical change, and it affects every aspect of the way we do our business.

And yet we still spend a lot of time talking about building IT 'systems,' we still talk about 'systems views' of architectures and 'systems certification and accreditation,' and so we are a long way yet from fully recognizing the power of a Web 2.0 service-oriented world. The use of Web services and cloud computing are technology shifts that we are going to have to stay on top of, not only if we want to deliver information capabilities more rapidly and more cost effectively, but also if we expect to be an employer of choice for the Net Generation workforce, a workforce that expects to be able to use these tools and techniques.

We will also need to be open-minded about the technology that we use to get our job done. A decade or so ago, I used to have better computing capabilities in my office than I did at my home. I wonder how many of your readers feel that way today. They probably have more computing power at home than they do in their office. Droids, iPads, iPhones, BlackBerries, and the like, are powerful channels that allow users to get work done from anywhere, so we better be thinking about a future that allows users to get on any computing device, whether it is government provided or not, to get the job done. We will have to work through security issues so users will be able to use the best technologies at their disposal.

We need to understand that we have a highly mobile workforce. We can't talk out of both sides of our mouth. We can't demand a culture that demands self-service, but then not be able to provide every reservist or National Guardsman a laptop and also say, 'Oh by the way, you can't use your own device to get your work done.'

We must be a highly functioning information-age organization, ready to embrace and effectively leverage the tools and technologies that are available to us today. And, you know, so much of this comes down to people issues. The technology is out there to allow you to never again have to take eight to 10 years to field a big IT system, to never again be thwarted by the fact that you can't be connected anywhere, anytime to get the job done. It's a world full of change, but one brimming over with tremendous opportunity, and we must seize this opportunity.

CHIPS: One more question, I've always enjoyed hearing about your reading list. What are you reading right now?

Wennergren: I am a huge believer in the power of continuous learning and the importance of leading by example. We did a thing with my CIO team called 'Expanding Horizons,' where I have a wonderful team in Barry and Jeanne Frew, who helped me when I was at DON CIO and have continued to help me at the DoD CIO team. We get the team together five times a year and read a book. And then we talk about how that book has practical applications for leadership, management and information technology for the future. The sessions help align the team, and help us to keep looking outside of ourselves for new ideas and approaches.

There are so many good books to read; let me offer you a couple that get at the heart of some of the issues facing us today. I believe that across the Department of Defense, just like across a lot of large private sector firms, we operate in a low trust environment, and that low trust environment creates a huge tax that you pay in terms of how much it costs to get things done and how long it takes to get things done. There is an interesting book by Stephen M.R. Covey Jr. called 'The Speed of Trust: The One Thing that Changes Everything.' It discusses how you can create high trust organizations.

Another issue that we face across DoD is maintaining a true sense of urgency. For that topic, I'd recommend the John P. Kotter book, 'A Sense of Urgency.' Years ago, Kotter wrote 'Leading Change.' In that book, he talked about the eight steps of change, and the first step was to 'create a sense of urgency.'

Since that time he has realized that this is the key step, and he offers a lot of sound advice on how to create and maintain a true sense of urgency.

There is also an interesting book by Robert Quinn called 'Building the Bridge As You Walk On It: A Guide for Leading Change' which is a powerful book about how to live with change successfully and address change in your personal and your professional life.

There are so many good books out there that there is no excuse not to grab one and take it for a ride. You will not only be expanding your own horizons, but you'll be setting the right example for your teammates too.

For more information about the DoD Deputy Chief Management Officer (DCMO), go to http://dcmo.defense.gov/. For information about the enterprise licensing agreements mentioned by Mr. Wennergren, visit the Enterprise Software Agreements section of this site or www.esi.mil.