How CIO John Edwards modeled CIA’s IT security after McDonald’s to stop shadow IT
When you eat at McDonald’s, no matter where in the world, you expect a Big Mac to taste like a Big Mac. Some parts of the experience may vary location to location, but at the core, all McDonalds franchises are rooted in the same expectations.
CIO John Edwards has replicated that franchise model with IT security operations at the various branches of the CIA. Rather than trying to control every IT team across spy agency — which he said would often result in secretive, unapproved shadow IT operations at branches with specific mission needs — Edwards decided about two years ago to treat those teams like franchises, freeing them to personalize their IT while remaining in sync with his team overall.
“We went out to our mission partners and explained what it is to be a franchise out in the business world, and they got it,” he said last week at FedScoop’s IT Modernization Summit. They’re able to manage and run their “own stuff,” Edwards said, “but there’s a brand you must maintain, and there’s some standards that you must meet.”
Edwards said the strategy isn’t really “technical, but it really is having a material difference.” Under the model, a franchise management team of about five works to ensure core IT security consistency across the agency. He even brought in the man who operated franchising for McDonalds to explain how the model works, using the Big Mac as an example.
“The lightbulbs went off, they got it,” Edwards said. “But in this case our brand, what we were really going for, is IT security. That was our No. 1 thing.”
Two years later, “every single mission entity at CIA is a franchisee,” he said. And now what that means is “when a vulnerability comes out, I know who’s got what, I send them a fix, it gets implemented, and we’re rock solid right away.”
FBI CIO Gordon Bitko, who was on a panel with Edwards at the summit, said the bureau has gone down a similar road as the CIA to address similar challenges with its56 distributed field offices. “They’ve all thought of themselves over the years as their own IT shops because they all have very specific, unique challenges they’re faced with,” he said. “That’s led to this very fragmented environment.”
Bitko has focused on implementing core shared services at the enterprise level across those field offices to drive some consistency: “ensuring security by consolidating networks by moving people to the cloud as quickly as we can, by thinking about how we deliver those capabilities in a mobile way and empowering people to work remotely, but then encouraging people to build on top of those what are their mission-specific, unique needs.”
The FBI hasn’t gone “quite as far down the road as the [CIA] has yet,” Bitko said. “But that’s the direction we’re headed. We’ll deliver secure, reliable, core infrastructure services, core platform services, but then we’re going to enable and empower and encourage people to innovate and to drive new technology at the mission edge.”