GovLoop - Knowledge Network for Government

5 Lessons Learned from the Advanced Management Program at NDU

In the last post, we discussed some great educational opportunities for government employees you may not have heard of.  In this post, we’ll talk about some lessons my classmates and I learned from the Advanced Management Program (AMP) class hosted by National Defense University (NDU).


Top 5 Lessons Learned

I’ve boiled down 14 tough but terrific weeks into 5 key lessons learned.  Hopefully you can use these nuggets of information in the challenging times we face ahead:


1. VUCA.  Wait…what?  Yes.  VUCA.  Say it with me.  “VOO-cah.”  It’s fun!  More importantly, it stands for Volatility, Uncertainty, Chaos and Ambiguity.  If you didn’t know, that’s what we get paid to deal with as mid to senior leaders.  We don’t get the easy stuff. And there’s more VUCA coming in the lean financial years ahead.

For many, getting out of the mindset that there’s a textbook solution to your problems can help you face them in a more realistic manner.  Most of the time, if it were a simple solution, your subordinates wouldn’t have bothered you with it.  So get used to operating in a VUCA environment.  Besides being fun to say, it’s what you signed up for as a leader.


2. Mission Comes First: IT Security and Mission Accomplishment.  A major focus of AMP is on information assurance.  We spoke a lot about the internal fights going on between the two dominant IT security philosophies: the current, inflexible “compliance” or “checklist” philosophy and the more recent “risk management” philosophy.

Here’s the major lesson learned in this area.  If complying with security checklist items will cause the mission to fail, you may want to re-evaluate things.  We can’t have security for security’s sake.  We have IT security policies to help accomplish the mission.  The two areas are not necessarily in conflict at all times.  But when they are, the mission must take priority.  As someone from an operational background, this one definitely rang true to me.  And it leads to a further discussion of…


3. Risk management is the answer.  We had a running joke in the class that whenever we were stumped with a question, we were always safe by answering “risk management!” in a clear and convincing voice.  But all kidding aside, this philosophy fills a lot of gaps that the current compliance culture leaves in our security models.

Risk management is a huge topic.  But it boils down to these lessons from my NDU professors:

  • Security is tough to measure because it’s binary (you’re either secure or you aren’t), but we can measure risk
  • Unfortunately, we can’t eliminate all risk no matter how hard we try
  • We can mitigate some risk
  • We must assume our networks are already breached

Given all the above, we have to accept that we can’t eliminate every risk.  Compliance with every checklist ever made won’t change that fact.  But we can manage the residual risk that remains after mitigation to best protect our key asset: the data.


4. Culture is a bigger problem than technology.  We all know this.  We’ve seen it in our organizations.  Changing the prevailing culture is much tougher than implementing a new technology.  Getting people to adapt to the new software suite is a lot tougher than installing and monitoring the new software suite.  And guess what.  Changing culture is another job under our duty titles as mid to senior level leaders. 

Many guest speakers offered lessons on this same concept.  Many others mentioned the book “Leading Change” by John P. Kotter as a great work on the subject.  Regardless of your source, realize that changing your organization’s culture is probably one of the hardest jobs you’ll have – especially  in the federal government.


5. “Semper Gumby.”  You’ve just finished the last slide in your presentation on the new program.  The one your boss has been worked up about for months.  The one you’ve been staying late for.  And then the word comes in.  “Project cancelled – thanks for the effort.”

Everyone’s been here.  And there are a couple of common reactions.  The first is punching a hole in your monitor, followed shortly by words best not uttered in public.  After you get that out of your system, there are a couple things you can do.  Dwell on it. Or, remember the phrase taught to us by NDU professors: “Semper Gumby - Always Flexible.”

Put simply, change happens.  There are things you can control, and things you can’t.  Especially in government.  If you successfully separate the two in your mind, and flex around the uncontrollable changes, you’ll be a better leader.

And lest we forget, growing better leaders is what programs like AMP are all about.


Tags: 2, jobs, leadership, project management


Comment by Chris Kibble on January 9, 2012 at 9:06pm

@Paul and @Erica

Thanks for the posts.  I’m actually fortunate enough to be in the Information Assurance Scholarship Program (IASP) that I talked about in an earlier post.  Fantastic program.  So I get to complete my Masters degree before heading back to the Air Force. No idea where my next assignment will be, especially with the big changes expected to come down in the budget this month!

Comment by Chris Kibble on January 9, 2012 at 9:04pm

@Britton – Sounds good, that works.  No harm, no foul.

Comment by Chris Kibble on January 9, 2012 at 8:32pm

Pat Fiorenza - thanks.  Yes, I wish I had more room to cover AMP lessons but it could fill a couple chapters!

You know, that quote "Security is binary" is one I honestly didn't buy into at first.  I thought – well, there are shades of being secure!  And that essence of “shades of gray” is exactly what the quote is tapping into. The overall context is: we need to replace our old absolute way of thinking (our information must be completely secured, no questions asked!) with a relative scale (have we effectively mitigated the risk to our data?).  In that sense, I definitely do agree with the quote.

The instructors were trying to explain that the notion of “security” is used too lightly.  Lots of things people label as "secure" are, in reality, not secure.  The example used was that many people would call their homes “secure” when they lock the door before leaving for work each day.  But is that house really secure?  Are we saying there is no possible way that someone could get into the house?  No.  There is usually always a way inside.  In other words, there is, and will always be, risk involved.  Few things can ever be totally "secure."  So, it is some semantics.  But the general idea is that we should replace the absolute notion of security with the sliding, relative scale of “risk”.

These examples, used by Dr. Ryan and others, can really help move the framework of cyber community thinking towards risk management as opposed to “security by checklist compliance” that has traditionally been used.  Dr. Ryan’s paper (that I linked to) describes it much better than I could in the limited space.  Hopefully I didn’t butcher it too bad, Dr. Ryan!

BTW, I wish I could have quoted by name many of the other NDU iCollege professors because they really are a great bunch.  Especially one Professor D. who I hope is feeling much better! But, I didn’t have time over the holidays to verify permission from them.  Therefore, I went with a conservative interpretation of the university’s non-attribution policy and left the names out. Rest assured there are many other great minds like Dr. Ryan teaching at the iCollege. 

Comment by Paul Alberti on January 9, 2012 at 3:37pm

The sign of success - drawing fire instead of support!  I have been enjoying the blog and the interest over the weekend.  Probably another sign of success is when people participate on weekends and holidays. 

Remembering my 14 weeks at the AMP - it is a lot of work but very rewarding even before the graduation ceremony.  I am curious though, Chris - what will you do now that you have completed the AMP?  Will you continue in the same position or take on something new?

Comment by Erica Schachtell on January 9, 2012 at 3:30pm

great post.  sorry to see you received such harsh criticism.  on the other hand, that must mean you're doing something right  ;-)

Comment by Pat Fiorenza on January 9, 2012 at 12:06pm

This is a great post - lots of interesting information and room for a lot of interesting discussions. Sounds like you covered a lot of information in a short period of time and had some great in-class discussions. One of the lines that caught my eye is:

"Security is tough to measure because it’s binary (you’re either secure or you aren’t), but we can measure risk"

The challenges for security must be enormous, each project is going to have different procedures and policies to follow, and as you mentioned, you never really know when you are at risk or how to properly assess your risk - I could see this being an area of enormous stress for a leader. Also interesting to think about the challenges of culture, and the difficulties/challenges related to leading a culture shift. Good stuff all around.

Comment by GovLoop on January 9, 2012 at 11:45am

Hey guys - I'm actually a big fan of this blog post.   I asked Chris to write a couple posts about his experience and they were both really good and actually top 5 blog posts in the community the last week (as can be seen with 22 awesomes).

I'm okay with some feedback  but let's remind ourselves of a couple points from the guidelines - http://www.govloop.com/page/engagement-guidelines

DO: 3. Treat others as you want to be treated. Simple rule. But makes sense always.

DON'T: 4. Excessively criticize an idea/person. Constructive debate is good. Name-calling is no good.

Comment by Chris Kibble on January 7, 2012 at 6:48pm

@Britton - let's switch to PM for further discussion, thanks.

Comment by Chris Kibble on January 6, 2012 at 10:55pm

@ T Jay Johnson - nice! This internet thing is amazing, is it not?  I keep hearing good things about Kotter, looking forward to reading it

Comment by Chris Kibble on January 6, 2012 at 10:16pm

@Britton: Just so I’m clear…you’re saying you don’t like those two paragraphs on VUCA?

All kidding aside, lots to reply to.  You've been hard at work!

- Some more detail on VUCA for you.  VUCA is an acronym used by some faculty to sum up the environment of Volatility, Uncertainty, Chaos and Ambiguity that leaders find themselves making decisions in.  VUCA is not a set of things.  It describes a decision-making environment.  In other words, it’s a reminder to mid & senior level leaders that they’ll be expected to make strategic, high-risk decisions without all the facts in a chaotic, confusing environment.  Does that help?

- The article goal was to summarize 14+ weeks in ~700-800 words max. for a broad audience.  Given the constraints, it was tough to craft a 120-word summary on the concept of senior-level strategic decision making in chaotic environments in a way that was engaging to read.  Any suggested rewrites?

- I intentionally took a light, conversational tone because, well, it’s a blog.  To each his/her own

- Regarding your quotes below:

“If you, as a manager, are dealing with only the "hard stuff" (because you are obviously not dealing with "stuff" that could be described as "easy"), I cannot help but infer that you are correlating the competence and trustworthiness of an individual with the difficulty of the tasks assigned them.”

-- That is not my implication

 

“I think we can all agree that there could be any number of reasons why a "subordinate" might bring something to your attention.”

-- I agree. As an aside, I probably should have chosen a better word than “subordinate” for a broad, federal government audience.  I can assure you “superior/subordinate relationships” are phrases used daily in my (military) environment without negative connotations. It just describes rank and hierarchy. Not a put down.

 

“To suggest that you only get to do the "hard" jobs and people only bother you with problems because they simply are too stupid to do them themselves reeks of a sense of entitlement and self-importance."

--The use and implication of the terms “stupid”, “entitlement” and “self-importance” are yours alone.  Please don’t associate those thoughts with my post.  The concept discussed was that senior leaders get handed the toughest problems.

“The graduates of NDU's Advanced Management Program might better serve themselves, and their subordinates, if they were able to write and communicate clearly.”

-- Clear, concise writing is indeed a valuable skill.  One that I know I’ll spend a lifetime trying to master.  I envy the great writer’s ability to convey complex concepts in short, simple terms. 

-- You seem to have lots of writing expertise to share with others.  Can you please share some examples of your best writing with us?
