Revolutionary. Transformational. Moonshot. Organizational transformation is about finding new and better ways to achieve your mission. Tackling and solving long standing problems. Engaging more successfully with customers and stakeholders to achieve common interests. Creating a culture that links the workforce to your mission, and where the creativity and contributions from your workforce are visible in your mission success.
Successful organizations are able to identify, deploy, and scale new technology, new approaches, or new methodologies to solve long standing needs or meet new direction. In other words, innovate.
Innovation can be a powerful catalyst in the transformation journey. To harness its potential, you must:
1. Focus and prioritize your innovation efforts
2. Engage and empower stakeholders and the workforce motivated to tackle critical needs
3. Determine what is needed to scale your innovation to full implementation
In the national and homeland security space, we often use an analytic framework to channel and prioritize our focus.
• Risk is a function of threat, vulnerability, and consequence. Just because terrorists are interested (high threat) in certain operations, doesn’t mean we are automatically at high risk.
• The decision to invest in a solution to a given risk depends on the assessed return on that investment. Decisions to mitigate a threat or risk aren’t based solely on understanding them.
This analytic framework lets us prioritize which of the prevention efforts we chose to invest in; to counter the threats, vulnerabilities, and risks we face. It also enables us to explain why, in some cases, the right decision is to invest in our ability to respond, should the risk materialize, rather than trying to prevent it. Accurately assessing risks and determining whether to invest in solutions can be particularly challenging when you are attempting to evaluate them across multiple cooperating organizations, with differing decision-making cultures, access to information, risk appetites, and/or access to funds. Most importantly, it can help you identify where you need a game changer – a true innovation – to change the equation.
Public-private partnerships (P3) can be brought more intentionally to a wider variety of security investment needs. Traditionally, P3 constructs were prevalent across infrastructure projects, such as toll roads and bridges. They are now expanding globally, including space travel, healthcare, and community resilience. This is an area with a lot of opportunity.
It is important to note, however, that labeling something as a P3 doesn’t automatically make it work. Some (inside and outside of government) have seen “public-private” as just code for using private sector funding instead of an appropriation to fund agency investments. This view increases the closer the parties are to those areas where the Administration or Congress decided to “transition” activities over the last decade that had been paid for by agencies previously, by cutting agency budgets. In the most concerning instances from a security perspective, the private sector entities have chosen to hold off on investments with the aim of forcing Congress to restore funds. Lack of standards or direction from the Government can also be a hinderance, as private sector entities may be hesitant to invest until such time as the regulatory entity sets the minimum requirements.
Most often, there is a disconnect in one of the calculations listed above. For example, when we used to look to explain threats to critical infrastructure entities, whether new types of physical threats, like unmanned aerial systems, or cyber threats, we would often hear that the overall risk was low (e.g., state sponsored cyber actors would only take proportionate action), or that even if the event occurred (e.g., if a section of pipeline was blown up or an airport IT system was taken offline), there was such redundancy in the system, that it wasn’t worth spending the money to close the gap. These calculations can flip just as fast. However, after Gatwick airport and the airlines lost millions in revenue to an unmanned aerial system incident, airports worldwide have been looking at investments to protect against a similar incident. Similarly, the Colonial Pipeline ransomware attack has fundamentally shifted the understanding of the risk, and what level of investment is appropriate to insure against that risk. And, sometimes neither the federal government nor the non-federal entities involved have access to the needed funding, or legal framework, and don’t have the political clout needed to sway the entrenched interests.
That being said, there have also been some impressive accomplishments. What is it that makes engagements successful when others don’t?
• Strong relationships and sharing of information that leads to an agreed upon understanding of the risk, as well as agreement on how to mitigate the risk.
• A positive return on investment for both the public and private sector entities. This return on investment can be in terms of direct financial benefit, but it can also be in cost avoidance, such as an investment to insure against a shutdown. It can also be in the ability to provide an improvement in customer experience or the ability to increase capacity – which in turn can result in future revenue for a private sector entity.
• Access to funding needed, at regular, predictable, and reliable intervals – for both the public, and private sectors.
• Public recognition of the value from, and acceptance of, the government-private delivery model.
As we consider what’s next, proactive investment to enable successful P3s – across a diverse set of use cases – would assist in making imagination persistent and sustainable.
Options could include:
• Authorizing legislation that encourages greater collaboration between agencies, regulated parties, and 3rd party solution providers. This type of legislation could direct the convening of stakeholders (like the Critical Infrastructure ISACs) or require promulgation of standards.
• Rethinking procurement and acquisition rules to decrease “vendor lock” and solution obsolescence and increase government and industry collaboration. Creative uses of existing authorities, such as NASA’s use of Other Transaction Authority and Small Business Innovation Research to advance commercial space flight, should be used as examples to train personnel, and expanded to other agencies.
• Investing in federal organizational structures, processes, and the necessary workforce to build a critical mass well versed in P3s, and with the capacity to support them.
• Building more healthy private sector markets that address security needs and private sector interests. The best markets have multiple skilled solution providers, who are incentivized to continuously improve upon their products and services, including opportunities for small businesses.
• Providing timely access to investment funding. There are a number of unfortunate examples where everyone agrees a security issue should be addressed, but neither the federal entity nor the operator has the funds, such as instances where the owner/operator of critical infrastructure is a state or municipality and the fees charged are not set to allow for reinvestment. Appropriations could be made available to support pilots, where they will provide assurances to investors of a potential return, if they provide the needed capital.
• Establish new, and expand existing, structures that enable multiple agencies, or agencies and stakeholders, to collaborate financially to develop solutions. One of the most known examples in this space is In-Q-Tel. Established by the Intelligence Authorization Act for FY 2000, In-Q-Tel brings detailed knowledge of U.S. intelligence community and other government agency needs to early stage research and development, working with private sector companies, and other investment organizations. Statutory language could authorize additional shared investment strategies, such as jointly managed incubators, that would work on broadening markets and changing processes, beyond technology.
Working through these options will better position us for the next 20 years of innovation and transformation, channeling the best of our imagination into action, and positioning us to meet the security and other needs that we will encounter.