In the last post, we discussed some great educational opportunities for government employees you may not have heard of. In this post, we’ll talk about some lessons my classmates and I learned from the Advanced Management Program (AMP) class hosted by National Defense University (NDU).
Top 5 Lessons Learned
I’ve boiled down 14 tough but terrific weeks into 5 key lessons learned. Hopefully you can use these nuggets of information in the challenging times we face ahead:
1. VUCA. Wait…what? Yes. VUCA. Say it with me. “VOO-cah.” It’s fun! More importantly, it stands for Volatility, Uncertainty, Chaos and Ambiguity. If you didn’t know, that’s what we get paid to deal with as mid to senior leaders. We don’t get the easy stuff. And there’s more VUCA coming in the lean financial years ahead.
For many, getting out of the mindset that there’s a textbook solution to your problems can help you face them in a more realistic manner. Most of the time, if it were a simple solution, your subordinates wouldn’t have bothered you with it. So get used to operating in a VUCA environment. Besides being fun to say, it’s what you signed up for as a leader.
2. Mission Comes First: IT Security and Mission Accomplishment. A major focus of AMP is on information assurance. We spoke a lot about the internal fights going on between the two dominant IT security philosophies: the current, inflexible “compliance” or “checklist” philosophy and the more recent “risk management” philosophy.
Here’s the major lesson learned in this area. If complying with security checklist items will cause the mission to fail, you may want to re-evaluate things. We can’t have security for security’s sake. We have IT security policies to help accomplish the mission. The two areas are not necessarily in conflict at all times. But when they are, the mission must take priority. As someone from an operational background, this one definitely rang true to me. And it leads to a further discussion of…
3. Risk management is the answer. We had a running joke in the class that whenever we were stumped with a question, we were always safe by answering “risk management!” in a clear and convincing voice. But all kidding aside, this philosophy fills a lot of gaps that the current compliance culture leaves in our security models.
Risk management is a huge topic. But it boils down to these lessons from my NDU professors:
- Security is tough to measure because it’s binary (you’re either secure or you aren’t), but we can measure risk
- Unfortunately, we can’t eliminate all risk no matter how hard we try
- We can mitigate some risk
- We must assume our networks are already breached
Given all the above, we have to accept that we can’t eliminate every risk. Compliance with every checklist ever made won’t change that fact. But we can manage the residual risk that remains after mitigation to best protect our key asset: the data.
4. Culture is a bigger problem than technology. We all know this. We’ve seen it in our organizations. Changing the prevailing culture is much tougher than implementing a new technology. Getting people to adapt to the new software suite is a lot tougher than installing and monitoring the new software suite. And guess what. Changing culture is another job under our duty titles as mid to senior level leaders.
Many guest speakers offered lessons on this same concept. Many others mentioned the book “Leading Change” by John P. Kotter as a great work on the subject. Regardless of your source, realize that changing your organization’s culture is probably one of the hardest jobs you’ll have – especially in the federal government.
5. “Semper Gumby.” You’ve just finished the last slide in your presentation on the new program. The one your boss has been worked up about for months. The one you’ve been staying late for. And then the word comes in. “Project cancelled – thanks for the effort.”
Everyone’s been here. And there are a couple of common reactions. The first is punching a hole in your monitor, followed shortly by words best not uttered in public. After you get that out of your system, there are a couple things you can do. Dwell on it. Or, remember the phrase taught to us by NDU professors: “Semper Gumby – Always Flexible.”
Put simply, change happens. There are things you can control, and things you can’t. Especially in government. If you successfully separate the two in your mind, and flex around the uncontrollable changes, you’ll be a better leader.
And lest we forget, growing better leaders is what programs like AMP are all about.