Q&A: David M. Wennergren

Written by Harrison Donnelly

MIT 2009 Volume: 13 Issue: 11 (December)

Prior to his current assignment, Wennergren served for four years as the Department of the Navy chief information officer (DON CIO), during which time he also served as the DON critical infrastructure assurance officer. Prior to becoming the DON CIO, he served for four years as the DON deputy CIO for enterprise integration and security.

Past assignments also included: head, Plans and Policy Branch within the Shore Installation Management Division, Office of the Deputy Chief of Naval Operations (Logistics), economic support team leader on the DON Base Structure Analysis Team during the Navy’s Base Realignment and Closure (BRAC) process for BRAC-93 and BRAC-95, Commercial Activities Program planning and review in the Office of the Deputy Chief of Naval Operations (Logistics), participating in the Navy’s BRAC- 91 process, and working as a management analyst at both the Naval Industrial Resources Support Activity and the Naval Air Technical Services Facility.

Wennergren received his bachelor’s degree in communications/ public relations from Mansfield State University. He was a recipient of a Secretary of the Navy Civilian Fellowship in Financial Management, culminating in a Master of Public Policy in Public Sector Financial Management from the University of Maryland’s School of Public Affairs.

Wennergren was interviewed by MIT Editor Harrison Donnelly.

Q: You recently issued a memo urging adoption of open source software. What are your goals in this area, and what else needs to be done to bring those goals about?

A: Of all the policies we’ve released this year, the open source memo has garnered a lot of attention. I wanted to send out a memo on the use of open source software to reiterate our position and help clear up some misperceptions and confusion. Today, it’s imperative that we move with speed in delivering new information capabilities. Things like the use of open source software, where appropriate, and a preference for COTS technology can help bring speed and agility to our IT development efforts. It’s really a statement of some fundamental tenets: the value of continuous and broad peer review to improve reliability and security; the power of mass collaboration; the alignment to standards and open architecture; the need to rapidly prototype, use and enhance; and the importance of minimizing costs for development, maintenance and licensing. That said, the bottom line of the memo is to continue the education and awareness process— that you shouldn’t avoid considering open source for the wrong reasons, but that consideration should be a part of examining all your options and then making the right choice. You need to find the right tool and approach for the job at hand.

Q: In a recent speech, you referred to “hype” surrounding the concept of cloud computing. How would you assess the current state and potential of cloud computing in DoD?

A: Our information world is changing so rapidly. And one of the primary challenges of change is getting people to step out of their comfort zone and try a new approach. I have found in my career that it is often easier to get people to be willing to embrace change if it’s a change for which there’s a lot of enthusiasm. I call it “riding the waves of change.” If you look back over time, there are moments of inflection, tipping points if you will, where you can leverage the enthusiasm that people have for a new idea to help effect change more rapidly—think about times like the advent of the personal computer, the emergence of the World Wide Web or the proliferation of personal digital assistants, Blackberries and iPhones. I believe we are at that moment for three important efforts: movement to a serviceoriented approach, the Web 2.0 phenomenon and the emergence of cloud computing. I think during the speech, I mentioned the importance of separating the promise of the new idea from the hype surrounding that new idea.

For cloud computing, there is a huge opportunity for the department, or any large, decentralized organization. In the most basic sense, we have been on an evolution that begins with the idea of moving away from a world of many underutilized and over-cooled server farms, which grew up out of a preference for maintaining personal control over your servers and systems. I’ve jokingly referred to these control-oriented people as “server huggers,” who have been at times reluctant to give up their boxes. But the idea of virtualization is really just the starting point for the value of cloud computing. In DoD, the Defense Information Systems Agency [DISA] has unveiled the Rapid Access Computing Environment [RACE]. RACE provides the opportunity for people to buy computing capability as they need it; dynamically provisioned, scalable and you only pay for what you use. Efforts like this, coupled with DISA’s Forge.mil work, which provides an environment where developers can find the tools they need to build and test their apps, begin to show the power of leveraging cloud computing to reduce costs, improve your environmental footprint and develop new capabilities much more rapidly. Now imagine a future where we work on moving our desktops to the cloud. Not only could we advance the cause of providing our workforce with the ability to easily get to their data and desktop applications from wherever they are, but we could also reduce the complexity and cost of managing desktops. In fact, if done right, using the cloud to do desktop computing could improve security, by eliminating some of the vulnerabilities and touch labor, patching and defending that currently goes into managing desktops.

Q: It’s interesting that you mention the potential to improve security, since security is often mentioned as a concern of cloud computing. Can you elaborate on that?

A: Yes, in the case of moving the desktop to the cloud, if done right, I believe we could enhance security and reduce some of our vulnerabilities. Typically in the cloud computing debate, the concerns about security arise from concerns about being a part of a public rather than private cloud. I could be flip and say it’s a part of human nature to say things like, “I’m happy to move to the cloud as long as it’s not your cloud.” The reality of the situation, though, is that there will be things that are best served by being a part of a private cloud, where you understand the boundaries, who is with you in the cloud and so on. And frankly, it will only be natural for people to want to take some small steps into cloud computing by working on private clouds first. But we will have to keep our eyes open when the trade space about the power of mass collaboration argues for being part of a bigger cloud.

Q: You mentioned three important initiatives, including cloud computing. What are you doing with Web 2.0 technologies and what are the chief challenges and opportunities you see in this area?

A: There is an explosive growth in the adoption of Web 2.0 capabilities across DoD. Wikis provide both speed and greater collaboration and information sharing. As an example, we developed both the Web 2.0 policy document that we’re currently working on, and our new Department of Defense Information Enterprise Strategic Plan using wikis to engage stakeholders to contribute content and agree on approach. And we’re not alone; the use of wikis and blogs is expanding across the department. Couple that with the speed with which Web 2.0 mash-ups allow new capabilities to be quickly rolled out and reused, and you have quite a phenomenon going on. If you want to be adept at information sharing, you really need to recognize the power of mass collaboration and social networking—to go beyond the boundaries of the organization to find new ideas, and to speed the sharing and building of knowledge. Frankly, if you want to be an employer of choice for the young women and men coming into our workforce, you’re going to have to provide them the tools that are available to help unleash their creativity and innovation. There are, of course, risks and vulnerabilities associated with using the Internet. As information leaders our goal must be to ensure responsible and effective use of Internet-based capabilities. We need to take advantage of the tools, while remaining vigilant about issues like operations security, privacy, identity theft, education and awareness, and improving our abilities to protect our users from malware and other threats.

Q: Since you just touched on it, what are the most pressing information security issues facing the department?

A: It’s a very important topic, and it’s why I keep saying that, “Today, it’s all about effectively managing information in a contested environment.” I think the two top priorities for CIOs in both government and industry are information sharing and information security. In his book, Polarity Management, Barry Johnson describes how, while some things in life are a single problem to solve, there are many challenges that face us that are actually a polarity of two things that must be managed together. If you optimize on one aspect of the polarity, you inevitably do so at the expense of the other aspect. In his book he uses the example of breathing, and how inhaling and exhaling are done for different purposes, but optimizing on only one would certainly be at one’s great peril. In the world of information management we face a number of polarities: between change and stability, between the local organization and the larger enterprise of which it is a part, and—the one that’s germane to this conversation—between information sharing and information security.

If you think of security in a vacuum, you will opt for solutions that block access and otherwise minimize risk. If you only think of sharing without thinking about security, you will introduce unnecessary risks. I’d ask you to do me a favor for the next day or so, and try using different language. Try using the phrase “secure information sharing” in your conversations for a while, and help foster thinking that recognizes that we must be able to share with an ever increasing set of unanticipated users while we simultaneously continue to improve the security of our networks, information and people. The result will be like the phrase about a high tide raising all boats. You’ll be forced to think differently about security in a way that improves the flow of information rather than hampering it. You will be forced to start having conversations about risk management rather than risk avoidance.

Q: Do you see any signs of progress in raising the bar on security and changing the culture?

A: Yes, and as you point out, much of this is about cultural change, which is all about getting people to step out of their comfort zone to try new things. I believe we’re making great improvements since the days when many people didn’t focus enough on security. Information assurance and cybersecurity are huge national priorities. In DoD, we have been pushing a lot on what I would refer to as the basic “blocking and tackling” that must be done by all organizations, and I’m proud that a lot of our work has been embraced by the rest of the federal community. The rollout and use of the Common Access Card and its public key infrastructure digital certificates has significantly improved network security, providing for cryptographic log on, secure Website access and the ability to sign and/or encrypt e-mails, as well as enabling paperless transactions and the opportunity to improve physical security access at our bases. Our efforts helped to spawn the federal-wide effort known as Homeland Security Presidential Directive 12. We put into place the data-at-rest encryption contract vehicles that are available to every federal, state and local government in the country. We have mandated the use of secure versions of operating systems, now known as the Federal Desktop Core Configuration initiative. We have also reduced our number of Internet access points and are moving our public-facing servers into what are known as demilitarized zones. This effort has served as the impetus for the Federal Trusted Internet Connection effort. We’ve also pushed for the widespread use of host-based security systems.

All of these efforts and more are necessary to raise the bar on security, but they are not sufficient if we truly want to embrace the tenet of secure information sharing. We must also focus on new approaches that will mitigate risks while enhancing our ability to share and seek out knowledge. And this new way of thinking provides new opportunities. Imagine a world where I can get on any DoD computer and find the people and information that I need to get my job done. Imagine then, that when I launch myself to the Internet, I do so using a secure and virtualized browser that helps to protect my network while not impeding my ability to seek out knowledge. Next, envision better protection at our network boundaries to monitor and filter content and further help to reduce the introduction of malware. More broadly, think about being able to use a nongovernmental computer, if necessary, to advance opportunities for telecommuting, connecting while on travel and improving continuity of operations. We need solutions that would allow us to do trusted computing from what we would call untrusted computers, a goal that could both improve our productivity and allow for more self-service transactions. It’s a little like the National Parks tagline, “Take nothing with you and leave nothing behind.” That’s just the beginning of the opportunities ahead of us to embrace the idea of secure information sharing.

Q: The third area that you mentioned at the start of the interview was what you described as a “service-oriented approach.” I noticed that you didn’t use the phrase service-oriented architecture. Was there a reason for that, and are you satisfied with the progress that has been made in this area, and what are your next steps?

A: Yes, you caught me. I didn’t use the common definition of the acronym SOA. The fact of the matter is that effective work doesn’t get done, and you can’t measure results if you don’t have a robust and effective architecture. I find sometimes, though, that invoking the word architecture allows some folks to feel like it is work that can just be left to architects, rather than it being everyone’s job. Also, I’m trying to rise above the debates that surround the phrase SOA, which usually have much more to do with how one approaches SOA than whether one should prioritize on exposing data and using web services. I have seen over and over again how the power of exposing data, decoupling data from applications, and leveraging a service-oriented approach exponentially increases the speed with which you deliver a new capability over the traditional IT system development approach. It’s happening all over the department as well as around the world, and for us, it’s not just in our business and support areas, it’s also happening in the war fighting and intelligence mission areas.

One of the things that we’re doing to help is to ensure that common enterprise services are available and used across the department. Early in 2009, we mandated for use across the department the first of these core services: collaboration, content staging and content discovery. We are now pressing forward on other services to include directory services and messaging services. We don’t hear as much about the successes of our data and services work, because it carries a much lower price tag and associated visibility than the large IT systems. But it’s happening and it’s making a big difference. People often talk about the “democratization of data” as an important feature of this information age, and they are right. In addition, however, there is a “democratization of technology” taking place. What was once done by a number of specialized programmers walled off in a raised-floor room can now be done by a young captain, lieutenant or petty officer in an evening sitting at a PC. It is completely changing notions of speed and agility. And, again, that’s why efforts like Forge.mil are so important, because they are giving our people the tools and the place in which to rapidly develop, prototype certify and reuse new apps.

Q: What help can industry give in achieving your goals? Do you see any areas in which industry is falling short in its relations with the department?

A: A few things come to mind. First, we’re all going to have to come to terms with the shift to the development of services instead of just developing traditional systems. It’s a changing business model where the one big bite at a project is replaced by a series of engagements—spirals if you will—where new capabilities are rapidly developed and deployed in cycles of a few months, not years. But it is a viable business model, and a necessary path. Next, on the front of secure information sharing, we’re all in this together, so I need our industry partners to make sure they’re doing all they can to improve the security of the networks and the protection of their sensitive information. Also, we need to continue to recognize that we are all best served by the strategic partnership between government, industry and academia. We must continue to look at leveraging managed services, performance-based contracting and other mechanisms to allow the best minds from government and industry to work together to create an even brighter future.

Q: In a 2007 interview with MIT Magazine, as well as today, you have emphasized your role as an agent of change. What successes and setbacks have you encountered in that role over the past two years?

A: It’s a subject that I feel passionately about. And if you’re an information leader in any large organization, it does take a fascinating blend of patience and impatience—being impatient about pushing ahead on your transformation efforts while not becoming too frustrated about the unavoidable set-backs that occur as you try to change. I think the last time we talked, I focused on the importance of stepping out of one’s comfort zone, the need for alignment and the importance of creating an executionoriented culture. All of those ideas remain crucially important, but since we’ve already covered them, today I’ll focus on some other pressing issues that face us.

There are two reasons why it continues to be hard for us to step out of our comfort zone, and they’re related. The first is that we love having personal control. And yet, the model for our future is one where we rely upon others to deliver services and capabilities on our behalf. I use the DoD Common Access Card rather than building/buying my own smart card. I rely upon core enterprise services delivered by DISA and others. I get services through the cloud; I rely upon an enterprise solution rather than building my own. All of these instances are cases where we have to get over wanting to do it ourselves and own it ourselves. We have to rely on others to deliver some of the services that we use. We have to rely on one organization certifying and accrediting on behalf of all of us. It speaks to the importance of service level agreements and behaving like an enterprise rather than as standalone organizations. We are making progress, but there is still much work to be done on this front.

The second point is that one of the reasons that we crave personal control is because we don’t work in high-trust organizations. It’s a problem that is prevalent across both government and industry. There’s a good book on the subject written by Stephen M. R. Covey, The Speed of Trust—The One Thing That Changes Everything. In the book he describes the unfortunate impacts in terms of both cost and time that exist in low-trust organizations, and then walks through a good process on how to build and maintain trust. There’s an important and introspective quote early in the book, something to the effect of, “We judge others by their actions, but we judge ourselves by our good intentions.” It’s something to think about. Look, I don’t want my enthusiasm to cause anyone to think that change isn’t hard. But, frankly, in the information world, change is a constantly accelerating thing, and we must be adept at stepping out of our comfort zone to embrace the opportunities that are in front of us. If you want some help, I offer up another great book, Building the Bridge As You Walk On It—A Guide for Leading Change, by Robert E. Quinn. It could help change your life personally and professionally.

Q: Is there anything else you would like to add?

A: I think we’ve covered it; go do good and innovative things, stay focused on behaving like a united enterprise and leverage the tools and approaches that are out there to help continue the department’s transformation to net-centric information sharing. It’s a powerful thing when we all work together to create an information advantage for our people and mission partners. ♦ 

Back to Top