5 Lessons Learned from the Advanced Management Program at NDU

In the last post, we discussed some great educational opportunities for government employees you may not have heard of. In this post, we’ll talk about some lessons my classmates and I learned from the Advanced Management Program (AMP) class hosted by National Defense University (NDU).

Top 5 Lessons Learned

I’ve boiled down 14 tough but terrific weeks into 5 key lessons learned. Hopefully you can use these nuggets of information in the challenging times we face ahead:

1. VUCA. Wait…what? Yes. VUCA. Say it with me. “VOO-cah.” It’s fun! More importantly, it stands for Volatility, Uncertainty, Chaos and Ambiguity. If you didn’t know, that’s what we get paid to deal with as mid to senior leaders. We don’t get the easy stuff. And there’s more VUCA coming in the lean financial years ahead.

For many, getting out of the mindset that there’s a textbook solution to your problems can help you face them in a more realistic manner. Most of the time, if it were a simple solution, your subordinates wouldn’t have bothered you with it. So get used to operating in a VUCA environment. Besides being fun to say, it’s what you signed up for as a leader.

2. Mission Comes First: IT Security and Mission Accomplishment. A major focus of AMP is on information assurance. We spoke a lot about the internal fights going on between the two dominant IT security philosophies: the current, inflexible “compliance” or “checklist” philosophy and the more recent “risk management” philosophy.

Here’s the major lesson learned in this area. If complying with security checklist items will cause the mission to fail, you may want to re-evaluate things. We can’t have security for security’s sake. We have IT security policies to help accomplish the mission. The two areas are not necessarily in conflict at all times. But when they are, the mission must take priority. As someone from an operational background, this one definitely rang true to me. And it leads to a further discussion of…

3. Risk management is the answer. We had a running joke in the class that whenever we were stumped with a question, we were always safe by answering “risk management!” in a clear and convincing voice. But all kidding aside, this philosophy fills a lot of gaps that the current compliance culture leaves in our security models.

Risk management is a huge topic. But it boils down to these lessons from my NDU professors:

  • Security is tough to measure because it’s binary (you’re either secure or you aren’t), but we can measure risk
  • Unfortunately, we can’t eliminate all risk no matter how hard we try
  • We can mitigate some risk
  • We must assume our networks are already breached

Given all the above, we have to accept that we can’t eliminate every risk. Compliance with every checklist ever made won’t change that fact. But we can manage the residual risk that remains after mitigation to best protect our key asset: the data.

4. Culture is a bigger problem than technology. We all know this. We’ve seen it in our organizations. Changing the prevailing culture is much tougher than implementing a new technology. Getting people to adapt to the new software suite is a lot tougher than installing and monitoring the new software suite. And guess what. Changing culture is another job under our duty titles as mid to senior level leaders.

Many guest speakers offered lessons on this same concept. Many others mentioned the book “Leading Change” by John P. Kotter as a great work on the subject. Regardless of your source, realize that changing your organization’s culture is probably one of the hardest jobs you’ll have – especially in the federal government.

5. “Semper Gumby.” You’ve just finished the last slide in your presentation on the new program. The one your boss has been worked up about for months. The one you’ve been staying late for. And then the word comes in. “Project cancelled – thanks for the effort.”

Everyone’s been here. And there are a couple of common reactions. The first is punching a hole in your monitor, followed shortly by words best not uttered in public. After you get that out of your system, there are a couple things you can do. Dwell on it. Or, remember the phrase taught to us by NDU professors: “Semper Gumby – Always Flexible.”

Put simply, change happens. There are things you can control, and things you can’t. Especially in government. If you successfully separate the two in your mind, and flex around the uncontrollable changes, you’ll be a better leader.

And lest we forget, growing better leaders is what programs like AMP are all about.

Leave a Comment


Leave a Reply

Veronica Wendt

Excellent points, Chris. As both a graduate of AMP and a current faculty member at the NDU iCollege, I couldn’t agree with you more.

I would add one more point: never stop maintaining and growing your network. Collaboration from unexpected places has the potential to help when the inevitable change happens. All the best as you step back into your day-to-day work.

Jolly Sienda

Thanks Chris for a great write up. In fact, January 23, 2012, AMP 44 begins. The National Defense University (NDU) iCollege is accepting applications for the September 2012 AMP 45. To learn more, please visit the website at: http://www.ndu.edu/icollege

Jolly Sienda

Public Relations and Marketing Management Consultant, NDU iCollege

Joshua Brand

Semper Gumby is the an unofficial moto of the Coast Guard (known by many CG members)! “Semper Paratus” is the official moto.

Nateria Dickey

I love the phrase “Semper Gumby”! Great article, thanks for sharing this EXTREMELY relevant to the times information.

Chris Kibble

Thanks for all your comments! The iCollege at NDU certainly did a good job of teaching these lessons.

Josh Brand – thanks for that background, always interesting to see how those phrases develop

Gary Jones

Great insights Chris – and just as relevant for those of us in the UK Civil Service!! Thanks for sharing

Wll definitely use ‘Semper Gumby’!!

Paul Alberti

Excellent sumary. I am an AMP graduate – way back in 2000 I believe. It was a long hard 14 weeks, but worth it. Congratulations for completting it. I will send this around to a few people, I need to renew my efforts to get people to attend.

Tam Walton

This was a great article and very inspiring! There should be a logo drawn or bumper sticker given out. I teach a youth group about mentally preparing for the workforce and think this would be a great end to my presentation.

Avatar photo Bill Brantley

Well, everyone talks about culture change but few do anything about it. I’m hoping that 2012 is the year that Open Government moves from focusing on big data to really opening up government by changing the cultures of the agencies.

Paul Alberti

Bill, how would you change cultures? What would you like to see and how would you measure success? I agree we talk about culture change, but I do not usually see any details on what that means.

Amalia Bozoki

Thank you for sharing. Changing the established culture is one of my biggest challenges whenever we implement new applications and/or systems which usually involves automating manual processes. Resistance to change mostly comes from the seasoned/older employees who are set in their ways. One good example is when we stopped mailing Leave and Earning Statement (LES), and were made available on-line. It took a lot of change management classes and training. Mind you, some still opted to received their LES thru snail mail and don’t mind the extra amount. I guess, my point is how can one be more influential and effective when implementing change???

Chris Kibble

Paul – good to see fellow AMP graduates on GovLoop!

Tam – thank you, glad you liked it

T Jay – that patch is awesome! Did you make that yourself or did you find it somewhere?

Bill & Amalia – I’ll be honest, I agree that culture is the biggest challenge, especially in the government workforce. I have seen only a couple examples of actual cultural change instituted from the bottom up. Most have been initiated from the top down. I do think that we may have increased cultural change approaching if the large numbers of more experienced federal employees retire in the near future as currently predicted.

My plan remains to try to get buy-in from top leadership while advocating for changes amongst peers and subordinates. I also have “Leading Change” by John Kotter on order from Amazon to get into more specific actions. So many of our guest speakers quoted and recommended it that I felt I had to get a copy myself.

Sandra Lopez

Changing the culture can be accomplished, however it is done very very very slowly. And btw Kotter’s book addresses this fact. When you are working in the business of CPI, Lean, et al it is imperative that you never loose sight of this perspective. Change, real change…takes time. If you keep this in mind you can plan for the ebbs and tides of change, develop and keep contingency plans in place, and most importantly don’t be discouraged.

Jay Johnson

@Chris – No I found it on the internet and used it for my Fantast Football avatar this season.

My organization has been using Kotter change model to manage change for several years now. The results have been great!

Avatar photo Bill Brantley

@Paul – Good questions and I wish I had some definite answers for you. As I discovered during my dissertation research, there are over a million academic articles alone on organizational change (not to mention the number of books both academic and popular) but there is very little agreement even among the experts on how to affect cultural change.

That’s why I created the group on Culture Change and Open Government and hope to hold an unconference sometime in 2012 to examine such questions.

Veronica Wendt

@Britton – I agree that clear and concise communications is essential. As a member of the NDU iCollege faculty, I am open to improving the quality of the education I offer our students. Could you give an example of how you would improve the language? For instance, how would you re-phrase, “we don’t get the easy stuff” to be more precise?

Chris Kibble

@Briton: Just so I’m clear…you’re saying you don’t like those two paragraphs on VUCA?

All kidding aside, lots to reply to. You’ve been hard at work!

– Some more detail on VUCA for you. VUCA is an acronym used by some faculty to sum up the environment of Volatility, Uncertainty, Chaos and Ambiguity that leaders find themselves making decisions in. VUCA is not a set of things. It describes a decision-making environment. In other words, it’s a reminder to mid & senior level leaders that they’ll be expected to make strategic, high-risk decisions without all the facts in a chaotic, confusing environment. Does that help?

– The article goal was to summarize 14+ weeks in ~700-800 words max. for a broad audience. Given the constraints, it was tough to craft a 120-word summary on the concept of senior-level strategic decision making in chaotic environments in a way that was engaging to read. Any suggested rewrites?

– I intentionally took a light, conversational tone because, well, it’s a blog. To each his/her own

– Regarding your quotes below:

“If you, as a manager, are dealing with only the “hard stuff” (because you are obviously not dealing with “stuff” that could be described as “easy”), I cannot help but infer that you are correlating the competence and trustworthiness of an individual with the difficulty of the tasks assigned them.”

— That is not my implication

“I think we can all agree that there could be any number of reasons why a “subordinate” might bring something to your attention.”

— I agree. As an aside, I probably should have chosen a better word than “subordinate” for a broad, federal government audience. I can assure you “superior/subordinate relationships” are phrases used daily in my (military) environment without negative connotations. It just describes rank and hierarchy. Not a put down.

“To suggest that you only get to do the “hard” jobs and people only bother you with problems because they simply are too stupid to do them themselves reeks of a sense of entitlement and self-importance.”

–The use and implication of the terms “stupid”, “entitlement” and “self-importance” are yours alone. Please don’t associate those thoughts with my post. The concept discussed was that senior leaders get handed the toughest problems.

“The graduates of NDU’s Advanced Management Program might better serve themselves, and their subordinates, if they were able to write and communicate clearly.”

— Clear, concise writing is indeed a valuable skill. One that I know I’ll spend a lifetime trying to master. I envy the great writer’s ability to convey complex concepts in short, simple terms.

— You seem to have lots of writing expertise to share with others. Can you please share some examples of your best writing with us?

Chris Kibble

@ T Jay Johnson – nice! This internet thing is amazing, is it not? I keep hearing good things about Kotter, looking forward to reading it


Hey guys – I’m actually a big fan of this blog post. I asked Chris to write a couple posts about his experience and they were both really good and actually top 5 blog posts in the community the last week (as can seen with 22 awesomes)

I’m okay with some feedback but let’s remind ourselves of a couple points from the guidelines – https://www.govloop.com/page/engagement-guidelines

DO: 3. Treat others as you want to be treated. Simple rule. But makes sense always.

DON’t 4. Excessively criticize an idea/person. Constructive debate is good. Name-calling is no good.

Pat Fiorenza

This is a great post – lots of interesting information and room for a lot of interesting discussions. Sounds like you covered a lot of information in a short period of time and had some great in-class discussions. One of the lines that caught my eye is:

Security is tough to measure because it’s binary (you’re either secure or you aren’t), but we can measure risk

The challenges for security must be enormous, each project is going to have different procedures and policies to follow, and as you mentioned, you never really know when you are at risk or how to properly assess your risk – I could see this being an area of enormous stress for a leader. Also interesting to think about the challenges of culture, and the difficulties/challenges related to leading a culture shift. Good stuff all around.

Erica Schachtell

great post. sorry to see you received such harsh criticism. on the other hand, that must mean you’re doing something right 😉

Paul Alberti

The sign of success – drawing fire instead of support! I have been enjoying the blog and the interest over the weekend. Probably another sign of success is when people participate on weekends and holidays.

Remembering my 14 weeks at the AMP – it is alot of work but very rewarding even before the graduation ceremony. I am curious though Chris – what will you do now that you have completed the AMP? Will you continue in the same position or take on something new?

Chris Kibble

@ Pat Fiorenza – thanks. Yes, I wish I had more room to cover AMP lessons but it could fill a couple chapters!

You know, that quote “Security is binary” is one I honestly didn’t buy into at first. I thought – well, there are shades of being secure! And that essence of “shades of gray” is exactly what the quote is tapping into. The overall context is: we need to replace our old absolute way of thinking (our information must be completely secured, no questions asked!) with a relative scale (have we effectively mitigated the risk to our data?). In that sense, I definitely do agree with the quote.

The instructors were trying to explain that the notion of “security” is used too lightly. Lots of things people label as “secure” are, in reality, not secure. The example used was that many people would call their homes “secure” when they lock the door before leaving for work each day. But is that house really secure? Are we saying there is no possible way that someone could get into the house? No. There is usually always a way inside. In other words, there is, and will always be, risk involved. Few things can every be totally “secure.” So, it is some semantics. But the general idea is that we should replace the absolute notion of security with the sliding, relative scale of “risk”.

These examples, used by Dr. Ryan and others can really help move the framework of cyber community thinking towards risk management as opposed to “security by checklist compliance” that has traditionally been used. Dr. Ryan’s paper (that I linked to) describes it much better than I could in the limited space. Hopefully I didn’t butcher it too bad Dr. Ryan!

BTW, I wish I could have quoted by name many of the other NDU iCollege professors because they really are a great bunch. Especially one Professor D. who I hope is feeling much better! But, I didn’t have time over the holidays to verify permission from them. Therefore, I went with a conservative interpretation of the university’s non-attribution policy and left the names out. Rest assured there are many other great minds like Dr. Ryan teaching at the iCollege.

Chris Kibble

@Paul and @Erica

Thanks for the posts. I’m actually fortunate enough to be in the Information Assurance Scholarship Program (IASP) that I talked about in an earlier post. Fantastic program. So I get to complete my Masters degree before heading back to the Air Force. No idea where my next assignment will be, especially with the big changes expected to come down in the budget this month!