When Keith Jones joined the State Department as its chief information officer in January 2021, he was surprised by the bureaucracy.
Jones spent his entire federal career in working for the Justice Department or the Homeland Security Department and thought he’d knew how the system worked.
Jones, who recently left after 17 months as the CIO of the State Department, said he tried cut through the bureaucracy to deal with some long standing cultural challenges.
“I come from out of DOJ and then DHS, where culture is a lot different, a lot flatter, less bureaucracy in place. But when there is bureaucracy and layers upon layers of bureaucracy, in particular, in the IT realm of things, it really becomes challenging over time to really get things done,” Jones said during an exit interview on Ask the CIO. “We accomplished a lot of different things, but at what cost? We had to really set aside certain things in order to get things done. I worked at the department with my IRM team really binding them together and changing that culture. But at the same time, culture remains the biggest obstacle that the IRM bureau faces across the department.”
Specifically, Jones said the culture around cybersecurity and the continued challenges in working with Diplomatic Security. He said the underlying “turf wars” between the two organizations remains present in many of the things he was trying to accomplish.
“A CIO is put on the spot on various occasions, but you don’t have the authority to say, ‘hey, I don’t want this appliance and I want that appliance on the network.’ How do we fight these fights against adversarial cyber attacks that are going on every day when we struggle to coordinate internally?” Jones said. “There are things that can run a lot smoother within the department from a cybersecurity standpoint.”
Over the years, other State CIOs and executive leaders have tried to fix this challenge. In December 2020, State created a new position, enterprise chief information security officer, who has broad authority to oversee all aspects of cybersecurity, meaning any bureau that maintains their own cyber infrastructure will be responsible to the E-CISO for meeting all required cyber standards.
In 2017, State created a new office within Diplomatic Security to try to herd the cyber cats, the Cyber and Technology Security (CTS) directorate.
IRM to change, evolve
Jones said despite all of these efforts, the fact that State had to name an E-CISO shows just how far the culture needs to change.
“A department is typically able to identify their CFO or their CISO, and you don’t have to say enterprise because it’s really a job that is respected across the enterprise,” he said. “At the end of the day, they also are responsible for working with Congress and when things come up, it’s not DSS who is front and center at the table when that happens. The authority for cybersecurity has to come when the enterprise says, that when that person speaks, unless there is something that clearly the secretary’s office sees otherwise, it should not be a discussion or a long drawn out deliberation, in order to make decisions around any event or something of that nature.”
Part of how Jones took on the overall culture of the State Information Resources Management (IRM) bureau is by changing its name.
He said the IRM bureau, hopefully, will soon become the Bureau of Diplomatic Technology, as long as the final memos are signed off in the coming weeks.
“There’s a lot of positivity and change that coincides with that, especially from a morale standpoint, just really reenergizing and refocusing the expectations around that, I think it will be really, really good. It’s kind of exciting too,” he said. “For those leaders that are there, a lot of them, when I had opportunities to appoint three senior Foreign Service specialists for CIO office leadership positions, it was different than what had happened in the past. Traditionally, within this IRM bureau, it’s been a bureau of entitlement. I’ve sat in this position for X number of years, so therefore, I’m deserving I go sit in that seat. Well, when I placed the new principal deputy CIO, the two deputy CIOs for foreign operations and the deputy CIO for operations, they actually interviewed for the position, and it surprised many that folks that felt they were moving into the position may not have necessarily moved there.”
Jones said the name change and refocusing of the IRM bureau isn’t going to necessarily address the cyber oversight and authorities challenges, but it will begin to create more cohesiveness across the entire department around technology.
“I really wanted this to be something that I didn’t identify or brand. I wanted this to be something that the leadership team as well as those across the bureau had a voice in. There was a poll out there where individuals actually cast votes or weighed in on their thoughts on what potential name changes would be,” Jones said. “I’m quick to say all the time, at the end of the day this isn’t my bureau, this is our collective bureau. We do things as a team versus something that’s going to be pushed top down, that everyone would potentially just reject.”
Three directorates focused on the customer
The Diplomatic Technology Bureau will be led by the CIO, but also include three other directorates. The business solutions delivery directorate, where the office will engage with the mission areas, do application development and provide an enterprise platform for applications.
Meanwhile as part of the renaming, State is rebranding the cyber operations directorate and the business management and planning directorate.
The cyber directorate will include the E-CISO, while the business management and planning directorate will include the enterprise architecture office and the Office of the Chief Technology Officer.
“The major changes there for the bureau is really breaking up and consolidating some of the redundant functions in both foreign operations and headquarter operations where we found they were competing a lot for the same work in where one would do something one way domestically and then another office would do would do something a different way,” Jones said. “We are really bringing those two collective bodies together, and then taking what is services and infrastructure and taking what’s engineering, and really making sure things go a lot smoother.”
Additionally, Jones said he prioritized creating better relationships with both the mission areas as well as the technology leaders who oversee Consular Affairs, Diplomatic Security and other bureaus. Jones created an internal CIO council to include assistant secretaries and technology leaders to help prioritize investments, provide agencywide updates to projects and address any obstacles to modernizing technology.
“When you start looking at the application development, the platforms there are in place to develop in a safe and secure way so that we don’t have a lot of shadow IT where folks are going off and creating their own environments, we want to make sure they know which environment to use and they’re free to develop leveraging their approved tools and technology in order to get things done,” he said.