Gershon report into Oz Gov IT: Good, but some holes
Posted by Dave Bath on 2008-10-16
I’ve been going through the Gershon report into the federal government’s use of ICT. It’s not too bad, and is more comprehensive and honest than I’d hoped, apart from some glaring holes.
I’ll give mere mention to the great discussion of the lack of a environmentally responsible approach, the lack of a proper datacentre strategy, the overuse of contractors rather than public servants, and the recommendations to expand the role of AGIMO, where I’m going "hear! hear!" to Gershon’s views and recommendations, having only minor quibbles apart from the shocking absence of ValIT and ISO/IEC 20000(see the "Notes" section below), as well as no mention of the value open source in the body of the text apart from noting what Brazil and the US DoD are doing (see 2.12.7).
What is truly telling about the shocking state of things is the lack of governance outlined in chapter 1. Let’s hope Lindsay Tanner, the responsible minister, who is doing lots of good (but unheralded) work, uses this as justification for banging the table and heads together.
So, I’ll give a few gory quantitative details that show the extent of the problem, which I’ll blame half on wilful ignorance by CEOs and enterprise architects, and half on resistance to acknowledging their past and existing sins so things might improve. The figures come as no surprise to me – I fought the good fight against this when a public servant in EA (Technical policy and standards guru), got stomped on, got the scars and burns, and still haven’t recovered 5 years down the track.
- Gershon surveyed 41 agencies that fell under the "FMA Act", a.k.a. Financial Management and Accountability Act 1997 (Cth) and related regulations. Of these…
- Only 7 (17%) used Software Engineering Institute at Carnegie-Mellon Capability Maturity Model Integration toolset (see also wikipedia entry), the standard way of measuring how well you are managing what you do. These have not been formal assessments, merely informal ones, but at least that’s a start. A maturity model is basically something that lets you assess how much you have you’re sh*t together, for real, rather than suits in back-slapping, ar*e-covering mode.
- Only one other agency (2%) has plans to use SEI CMMI.
- Only 11 (27%) use COBIT (see also the wikipedia entry which I did a little work on a few years back) which allows benchmarking of maturity levels of major information management processes at a level even suits can understand. (It is disappointing that the associated tool to help get value, Val IT was not referenced in Gershon’s glossary, nor discussion, no recommendations. Again refer to the notes below for more details.)
Gershon’s report is a must read if you fall into one or more of the following categories:
- An Oz IT professional.
- A senior public service manager
- A parliamentarian or one of their "Hollowmen" (including the good hollowmen working for Tanner I’ve met).
The report is worth a quick scan if you are:
- A citizen worried about wastage and lack of service from the government.
- A public servant who is annoyed at the way your IT (doesn’t) work.
- It is extremely disappointing that Gershon doesn’t have ISACA’s Val IT in the glossary, as this is a companion to COBIT that assigns responsibilities to CEO’s, CFO’s and other senior managers for getting value from IT investments. This is perhaps the major flaw in the report. I’m hoping there is a "confidential version" that highlights how few agencies use it – and it will only be a subset of those that use COBIT. Note that I wrote the bulk of the wikipedia entry on Val IT. Look through the summary, check out the Val IT FAQ at isaca.org and wonder why it wasn’t cited by Gershon.
- Again, I’m disappointed that while Gershon mentioned ITIL he didn’t mention ISO/IEC 20000, the recent international standard that covers ITIL domains. (I only made small anonymous contributions to ITIL and MOF wiki entries).
- If you are interested, you can see a list of my non-anonymous wiki contribs and my wiki user page and see that most of them relate to IT governance.
- Previous posts on poor government information management:
- "Vic Gov recordkeeping slammed by auditor" (2008-03-21)
- "NOIE re-incarnated and poor protection of critical infrastructure" (2008-03-21)
- "AGA proves government doesn’t know what it does" (2007-02-22)
- "Human Services too dumb to manage a smart card" (2007-02-22)
- Others in related categories: