PM Magazine, June 2020 by PM Magazine

Cyber Leadership 16 Good Cyber Hygiene 22 Urban Cyber Terrorism and Risk Management 28

THE

CYBERSECURITY ISSUE

JUNE 2020 ICMA.ORG/PM

2020 ICMA Coaching Program Thrive in local government!

Visit ICMA’s Career Center for more coaching resources Plus…. • Digital archives • Career Compass monthly advice column • CoachConnect for one-toone coach matching • Live speed coaching events, talent development resources, and more. Learn more at

icma.org/coaching All webinars are 90 minutes, and will be held at the same time of day: 10:30am Pacific, 12:30pm Central, 11:30am Mountain, and 1:30pm Eastern

UPCOMING FREE WEBINARS Thursday, June 18 Lessons in Value-Based Leadership: Leading with Principle Wednesday, September 9 Managing Hostility in Public Discourse: Living in an Age of Anger Thursday, October 22 Charting Your Future: Developing Your Personal Strategic Plan Thursday, November 12 Sponsored by ICMA-RC, ICMA Premier Level Strategic Partner

Talent Management in the 21st Century: Growing, Attracting, and Retaining Your Best

Register at icma.org/coachingwebinars Can’t make it to the live webinar? Register and get an automatic email notice when the recording is available. Visit icma.org/coaching or email coaching@icma.org to join our email list!

JUNE 2020 VOL. 102 NO. 6

CONTENTS

F E AT U R E S

The Role of the Cyber Leader in Times of Crisis

Practicing Good Cyber Hygiene Don’t forget to “wash your networks,” too! David Broyles, CNA Special Activities and Intelligence Program

Urban Cyberterrorism and Risk Management City size doesn’t matter. Barry L. Schalkle, JD, CPA; and Cyrus Olsen, PhD, Cyber Security Warriors, LLC

Cyber Continuity Planning Go big or go home. Dawn H. Thomas, Center for Emergency Management Operations

Cybersecurity Should Be Making Your Organization More Awesome How to get more interesting outcomes than simply reducing cyberattacks. Benjamin Edelen, Boulder, Colorado

D E PA RT M E N T S 2 Ethics Matter! Conflicts of Interest

14 Women in Leadership Matters of the Heart

15 ICMA Local Government Excellence Award Spotlight

Preparing Local Youth for the Job Market While Reducing Recidivism

49 A Day in the Life Local Government Management Fellows

SPECIAL SECTION: COVID-19

Heed these considerations in your digital transformation efforts. Kevin C. Desouza, Queensland, Australia

5 ICMA COVID-19 Resources

8 Look Beyond the Crisis

Cover images: the_lightwriter/stock.adobe.com, kishivan/stock.adobe.com

6 The Difficult Road to Reopening

International City/County Management Association

metamorworks/stock.adobe.com

Coordinating to address today’s greatest population health challenges. Joshua Franzel, PhD, Center for State and Local Government Excellence

52 Professional Services Directory

Your IQ on Emerging Technologies: Mind the Gap

The Workforces of State and Local Government and the Public Health Sector

the_lightwriter/stock.adobe.com

fizkes/stock.adobe.com

The changing world relies on cyber leaders to manage through the known unknowns. Dr. Mike Lewis, Trillium Health Resources; and Dr. Tim Rahschulte, Professional Development Academy

JUNE 2020 | PUBLIC MANAGEMENT | 1

ETHICS MATTER!

Conflicts of Interest Solving Real-World Dilemmas

BY MARTHA PEREGO, ICMA-CM

Did you know that the ICMA Code of

Ethics references conflicts of interest 11 times? Guidelines address conflicts that may stem from performing your official duty, personal relationships, investments, private employment, giving policy advice, advocating for your personal cause, and confidential information, just to name a few. The sheer coverage on the issue serves as one more reminder: it’s critical for public leaders and staff to discern when they have a conflict of interest and address it the right way. Here are a few real-world conflicts of interest scenarios members raised with ICMA and our advice on how to address the issue. Scenario 1. Supporting Our Tax Base

MARTHA PEREGO, ICMA-CM, is director of member services and ethics director, ICMA, Washington, D.C. (mperego@icma.org).

The local economic development corporation (EDC) approached the city council seeking an endorsement of the EDC’s plan to support local businesses suffering from the impact of COVID-19. The plan they are promoting is to crowdfund zero-percent interest loans via an established global micro-lending service. They want the city to contribute funding and will also market this to individual and corporate contributors. The city council voted to endorse

the project and contribute funding. One of the elected officials owns a business in town that would be a potential beneficiary of the program. As the supporters began their effort to market the program, they asked for support from the city manager. The city manager immediately raised critical questions. Is it a conflict of interest for staff to give their personal financial support to the program? What if they just want

Public Management (PM)

International City/County

Public Management (PM) (USPS: 449-300) is published monthly by ICMA (the International City/County Management Association) at 777 North Capitol Street. N.E., Washington, D.C. 20002-4201. Periodicals postage paid at Washington, D.C., and at additional mailing offices. The opinions expressed in the magazine are those of the authors and do not necessarily reflect the views of ICMA.

icma.org

EDITORIAL OFFICE: pm@icma.org

June 2020

REPRINTS: To order article reprints or request reprint permission, contact pm@icma.org.

Management Association

SUBSCRIPTIONS: U.S. subscription rate, $46 per year; other countries subscription rate, $155 per year. Printed in the United States. Contact: 202/289-4262; subscriptions@icma.org. POSTMASTER: Send address changes to Public Management, ICMA, 777 N. Capitol Street, N.E., Suite 500, Washington, D.C. 20002-4201. ARTICLE PROPOSALS: Visit icma.org/pm to see “Editorial Guidelines” for contributors. For more information on local government leadership and management topics, visit icma.org.

2 | PUBLIC MANAGEMENT | JUNE 2020

icma.org/pm ICMA 777 North Capitol Street, N.E. Suite 500 Washington, D.C. 20002-4201

ADVERTISING SALES: 202-367-2497 Tilman Gerald The Townsend Group, Inc. tgerald@townsend-group.com ICMA MEMBER SERVICES: 800.745.8780 | 202.962.3680 membership@icma.org

ICMA Creating and Supporting Thriving Communities ICMA’s vision is to be the leading association of local government professionals dedicated to creating and supporting thriving communities throughout the world. It does this by working with its more than 12,000 members to identify and speed the adoption of leading local government practices and improve the lives of residents. ICMA offers membership, professional development programs, research, publications, data and information, technical assistance, and training to thousands of city, town, and county chief administrative officers, their staffs, and other organizations throughout the world. Public Management (PM) aims to inspire innovation, inform decision making, connect leading-edge thinking to everyday challenges, and serve ICMA members and local governments in creating and sustaining thriving communities throughout the world.

hvostik16/stock.adobe.com

to keep their favorite lunch spot in business? What if that favorite lunch spot is owned by the elected official? Can they fund a loan for the elected official’s business? In exploring both the “what” and “how,” this scenario presents some interesting twists. On the “what” side of the equation, the program has the green light from the city council. That is key to maintaining a harmonious relationship moving forward as the city manager promotes the program

2019–2020 ICMA Executive Board PRESIDENT

Jane Brautigam* City Manager, Boulder, Colorado PRESIDENT-ELECT

James Malloy* Town Manager, Lexington, Massachusetts PAST PRESIDENT

Karen Pinkos* City Manager, El Cerrito, California VICE PRESIDENTS

International Region

Tim Anderson Chief Administrative Officer, Waterloo, Ontario, Canada Sue Bidrose Chief Executive Officer, Dunedin City Council, New Zealand Robert Kristof City Manager, Timisoara, Romania

and staff decides whether to participate. It’s a loan, not a gift, so contributors will conceivably be made whole in the end. It’s a zero-interest loan, so lenders do not financially gain from the transaction. Supporting local businesses would not be a new ask since some staff already frequent some of the businesses that would benefit. On the “how” side, the loan platform requires the lender to select the recipient for the loan. The lender can elect to reveal or conceal their identity from the forward-facing website. But it’s not clear from the platform whether the recipient knows how their loan was sourced. That should mitigate concerns about a quid pro quo, correct? The short answer is no! The approach creates a direct relationship between the lender and the business. If staff contribute to a business operating in the city, that direct funding presents the opportunity for a conflict of interest, in fact or appearance, to occur. The fact that the source of the loan may not be known to the business doesn’t really cure the issue. The ethical concerns are heightened if the potential beneficiary of the program happens to be an elected official given their role and responsibilities. Weighing all the factors, the advice is that the city manager, assistant manager, department directors, any staff who represent the manager or support the elected officials, and any employee who serves in a regulatory role should not participate in the program. City employees, some of whom may be residents, have a vested interest in the future of the local economy. They care about the quality of the city. There is nothing wrong with them wanting to personally support the local economy and this program would afford them the opportunity to do so without personal financial gain. On the other side of this equation, however, is the role and responsibility of city staff in managing and providing public services to these businesses, and for some, the regulatory function they play. Continued

Midwest Region

Southeast Region

Wally Bobkiewicz* City Administrator, Issaquah, Washington**

W. Lane Bailey* City Manager, Salisbury, North Carolina

Clint Gridley* City Administrator, Woodbury, Minnesota Molly Mehner* Deputy City Manager, Cape Girardeau, Missouri

Laura Fitzpatrick* Deputy City Manager, Chesapeake, Virginia Michael Kaigler* Assistant County Manager, Chatham County, Georgia

ICMA Executive Director Marc Ott Director, Member Publications

Lynne Scott lscott@icma.org

Managing Editor

Kerry Hansen khansen@icma.org

West Coast Region

Newsletter Editor

Kathleen Karas kkaras@icma.org

Michael Land* City Manager, Coppell, Texas

Maria Hurtado* Assistant City Manager, Hayward, California

Graphics Manager

Delia Jones djones@icma.org

Design & Production

picantecreative.com

Raymond Gonzales County Manager, Adams County, Colorado

Edward Shikada* City Manager, Palo Alto, California

Northeast Region

Peter Troedsson* City Manager, Albany, Oregon

Mountain Plains Region

Heather Geyer* City Manager, Northglenn, Colorado

Matthew Hart* Town Manager, West Hartford, Connecticut Christopher Coleman* Town Manager, Westwood, Massachusetts Teresa Tieman* Town Manager, Fenwick Island, Delaware

* ICMA Credentialed Manager (ICMA-CM) ** Serving the region from a different location as is permissible in the ICMA Constitution.

FPO-FSC Logo

Scenario 2. Historical Preservation: All in the Family

The town owns a house dating back to the early 1800s that is vacant and in need of serious renovation. The property is adjacent to municipal facilities. The town manager proposed demolishing the house to expand parking for the municipal facilities. That plan was met with substantial opposition from the neighbors since the house is part of the historic district. In a compromise, the town agreed that it would actively market the property for sale and if there were no buyers within 18 months, the house would be

cautiously. Assuming that the town manager is not assisting in any financial way with the purchase, there are several steps that can be taken to reduce the conflict of interest and promote confidence with all parties that the sale was entirely legitimate and in the public’s best interest. Consider the following: • Review state and local laws and ethics regulations. In some states, this transaction may not be permitted. • Assuming there is no legal obstacle, the town manager should recuse him or herself immediately. Advise both the elected board and staff of the recusal.

It’s critical for public leaders and staff to discern when they have a conflict of interest and address it the right way. demolished, and the town would proceed with their plans. The town put the property on the market and had some inquiries, but no formal offers. Most recently, the town manager’s son, who was looking for a home in the town, saw the listing and inquired about the purchase. Immediately, that inquiry set off concerns. Isn’t it a conflict of interest for the son of the town manager to purchase town property? Are there any steps that could be taken to cure this conflict? Is this an insurmountable conflict? Depending on the efforts made by all parties, probably not. Arriving at the intersection of work and personal life, the town manager needs to tread

• Get an appraisal. • Consider using a sealed bid process to establish the parameters of the sale, including base price rather than a negotiated sale. • Think ahead. If the son is successful in the purchase, consider how the town will provide oversight of any building permits and inspections. When facing a conflict of interest, it’s wise to review Tenets 3, 5, 7, and 12 of the ICMA Code of Ethics and consult with ICMA’s ethics staff.

PROFILES OF LEADERSHIP AND MANAGEMENT IN ACTION “ The ICMA Voluntary Credentialing Program is an invaluable asset in fostering and enhancing my long term development as a local government manager. The designation is truly an honor to myself and local government managers across the world.” Kayla J. Thorpe, ICMA-CM Village Administrator/Clerk Village of Butler, Butler, Wisconsin

Demonstrate your commitment to professional development and lifelong learning. Join the growing number of those who have earned the ICMA-CM designation. ICMA Credentialed Managers are viewed with growing distinction by local governing bodies and progressive, civically engaged communities. For more information, visit icma.org/credentialedmgr

View a list of credentialed managers and candidates at icma.org/credentialed

4 | PUBLIC MANAGEMENT | JUNE 2020

SPECIAL SECTION: COVID-19

ICMA COVID-19 Resources

ocal government managers throughout the world are working tirelessly to protect, support, and lead their communities through the COVID-19 pandemic. ICMA continues to develop and curate resources to aid local government leaders and staff in their response to the outbreak and looking beyond the pandemic at reopening their communities. Here is a list of the latest resources in the form of blog posts, articles, podcasts, and more. Visit icma.org/coronavirus for the latest updates. On the ICMA Blog (icma.org/blog-posts)

• • • • •

Internet Access and Service During COVID-19 Employment Law Adjustments for COVID-19 Eight Ways to Boost Your Mental Health Seven Strategies for Managing Uncertainty Reopening Our Communities: Managing in the Middle • Update 4: Around the World Cities Begin to Reopen • Cities in China Using Health QR Codes to Speed Reopening • Seven Things to Consider When Reopening Communities Articles (icma.org/coronavirus)

• Spanish Language Resources for COVID-19 • Reopening Our Communities: Establishing A Recovery Team • COVID-19 Recovery Team Checklist • Emergency Relief and Cost Recovery Resources • After COVID-19: Is There a Place for Telework in Local Government? • Impact on Public Health • Economic Recovery • Tools and Techniques for Managing COVID-19 Recovery Costs • Dealing with Your Own Stress: Coping Strategies in the COVID-19 World • Understanding the CARES Act and Other Recent Federal Legislation for Local Governments • Moving Beyond the Current Crisis: A Plan to Re-Open Our Communities • The Role of EMS in Local COVID-19 Responses • Budgeting During a Crisis Past webinars on COVID-19 available on-demand as well.

peshkov/stock.adobe.com

Podcasts (icma.org/local-gov-life-podcast)

JUNE 2020 | PUBLIC MANAGEMENT | 5

SPECIAL SECTION: COVID-19 BY MARC OTT, ICMA EXECUTIVE DIRECTOR

The Difficult Road to Reopening We must learn from each other, monitor the results of the actions we take, and work together to lead our communities through this difficult time.

orn by advocates hoping to slow the spread of COVID-19 and those hoping to slow the downward spiral of the economy, local governments are placed in the middle with dwindling revenues, trying to hold the fabric of our communities together. As professional managers and administrators, it is our job to help inform policymakers as they determine a path forward. We must offer solutions to help maintain the public health of the residents while also creating opportunities for economic and social stability. Additionally, we must establish a culture and workplace environment where our public servant staff members are valued and respected.

Unfortunately, there is no blueprint for professional city, county, and town managers to follow. The reality is that every decision we make will have unknown impacts on the well-being of the people we serveâ&#x20AC;&#x201D;physically, emotionally, and financially. What we must do during this time is learn from each other, monitor the results of the actions we take, and work together to lead our communities through this difficult time. What We Know

Social distancing is working to slow the spread of the disease. For some communities, the lack of resources for adequate testing and contact tracing to reduce the spread of the

An outdoor open-air cafĂŠ in Vilnius, Lithuania

Michele Ursi/stock.adobe.com

6 | PUBLIC MANAGEMENT | JUNE 2020

What We Must Do

Ultimately, we need to make certain that we provide clear guidance and policies that follow federal guidelines to reduce the spread of the coronavirus, while at the same time being creative and flexible to allow innovative solutions to take hold. For example, cities from Vilnius, Lithuania, to Ashland, Virginia, have been closing streets to create open-air shopping and dining areas that can safely accommodate social distancing. This can help ease concerns from residents, while allowing retailers and restaurants to increase foot traffic. When it comes to how to manage the reopening of businesses, churches, community amenities, and other facilities, local governments need to lead by example. We need to establish guidelines for screening employees and patrons. We need to make these guidelines part of our community-wide reopening efforts. We need to meet with all sectors to identify potential solutions for safe reopenings. We need to partner with local nonprofits and bring their resources to the table to support the community in ways that government cannot on its own—

iStock.com/JannHuizenga

coronavirus makes social distancing the only viable tool to slow the spread. And while strict social distancing measures urged by the CDC have successfully flattened the curve in terms of the spread of the disease, it has also resulted in the highest recorded monthly job loss in U.S. history.1 The job loss, economic impact, and social impact in our communities has created demand for more relaxed social distancing measures. Yet, the federal guidelines to determine when to begin relaxing restrictions continue to be out of reach for most states.2 At the local level, there is a wide variance in how specific communities have been affected by the virus and by the resulting economic impacts. And so, local governments are working with their states to develop reopening guidelines that test different tactics to see what may work to stimulate economic recovery while minimizing further spread of COVID-19. As businesses continue to open and residents are able to engage in more activities outside of their homes, research from the University of Maryland shows that loosening stay-at-home orders significantly reduces the likelihood of people following social distancing practices.3 The more activities people are permitted to engage in, the less diligent in following social distancing practices they become. Outbreaks are likely in workplaces where employees are in close proximity. This has been a significant issue in the food production industry as food processing plants nationwide continue to flare up as COVID-19 hotspots.4 We also know that downtown office buildings are highly susceptible to spreading the disease. With commuters traveling from different locations, individuals placed in close proximity in elevators and meeting rooms, and the number of surfaces that are touched (from door handles, shared restrooms, even the company coffee machine), the spread can occur quickly if we are not diligent about maintaining personal hygiene and implementing social distancing policies.

particularly given the significant reductions in revenue we have experienced and the further reductions we anticipate. We needn’t create policies and guidelines from scratch. We are all facing similar challenges. We all need to restart our communities safely. We all need to find ways to protect our most vulnerable populations. We all need to figure out a way to provide health screening and protection to underinsured workers, who are at greater risk of serious health complications if exposed to the coronavirus. The challenge ahead is great, but together, we can ease the burden. ICMA Connect (connect.icma.org) is proving to be an invaluable resource to learn from others. Continue to use ICMA Connect to describe how you are managing the crisis in your community. Provide content that we can share with our members around the world and we’ll keep creating resources for icma.org/coronavirus that reflect these best practices. And in September, we will be able to Unite with our members around the world—through the ICMA Annual Conference (icma.org/unite), which will be a digital experience like no other. We are all in this together. There is no one right decision, only difficult ones ahead. Proper planning, listening to our residents and businesses, and learning from each other is the only way we will succeed in moving through this trial-and-error phase of reopening our communities.

MARC OTT is executive director of the International City/County Management Association (ICMA).

ENDNOTES AND RESOURCES:

https://www.bls.gov/news.release/empsit.nr0.htm https://www.whitehouse.gov/openingamerica/ 3 https://data.covid.umd.edu/findings/index.html 4 https://www.cdc.gov/mmwr/volumes/69/wr/mm6918e3.htm?s_cid= mm6918e3_e&deliveryName=USCDC_921-DM27224 1 2

JUNE 2020 | PUBLIC MANAGEMENT | 7

SPECIAL SECTION: COVID-19

LOOK

BY KEL WANG AND MICHAEL SAMBIR

BEYOND

THE CRISIS Strategy management can help municipalities address the pandemic and prepare themselves for other challenges beyond.

our community has been hit by the coronavirus pandemic. As the steward of your community, your council and local government are working hard to respond to a changing reality. From setting up a work-from-home policy and keeping up essential businesses, to closing down public facilities and identifying and implementing necessary financial measures, it is a test of your organization’s operational readiness and responsiveness. But it can also be an opportunity to improve your municipality’s strategic capabilities. Even before the pandemic, your organization was already being challenged by the external environment, such as dealing with complex and interconnected issues and meeting ever-changing community expectations and internal conditions like fiscal constraints and competing priorities. So how can you leverage this opportunity and look beyond the crisis? Here we introduce strategy management, a new discipline that can help municipalities address the pandemic and prepare themselves for other challenges beyond. We will use the pandemic as an example throughout this article to illustrate its key concepts and components. 8 | PUBLIC MANAGEMENT | JUNE 2020

The Essence of Strategy Management

The heart of this new discipline is a series of lines of sight: 1. Looking Forward

Imagine your local response planning work started in January and your health authority began issuing instructions and orders and storing medical equipment at the same time. Would your community have been better off? Anticipating future conditions is easier said than done. But looking into the cases where this was done well, we can clearly see that the actions can be transferable. The city of Surrey, Canada, activated their emergency operations center on February 17, 2020. Alberta Health Services in Canada, took a proactive step and stockpiled additional emergency supplies including masks, gloves, and gowns back in December 2019. Both Surrey and Alberta Health Services were responsive to the news about the situation in Wuhan, China. This was not done by intuition. It requires ongoing monitoring of global and local issues and being able to sift key events that impact your community and your organization. To develop this capability (a forward view) in your organization, it is important to scan the environment, understand key implications to your community and your organization, and manage them proactively—and be able to do all three continuously. To help you apply this approach to the not-too-distant future (fingers crossed) when the pandemic is under control and over, we list a few questions for your consideration: • What will likely change in your community? • What will be the implications for your organization? • What will be the opportunities and threats? • How can you address them accordingly?

Olivier Le Moal/stock.adobe.com

2. Looking Into

Public organizations are trusted by the community and the people we serve. It is important for us to understand the needs of the community and people so we can better serve them. Since the beginning of the crisis, municipalities are making big decisions to enforce physical distancing: closing down or limiting access to public facilities and open spaces, allowing staff to work from home and moving council meetings online to name a few. Those are measures to fight against the pandemic from the municipal perspective. In the meantime, what can municipalities do to ease the challenges the community is experiencing, in addition to just maintaining the public health standard? This requires us to look inward with a community- or citizen-centric lens. There are different and intersecting groups within the community: residents, businesses, essential workers, and vulnerable populations to name a few. Each relies on different municipal services and infrastructures. Oakland and Denver have opened up the city’s underused roads for pedestrians to get outside safely, keeping six feet apart. The city of Toronto, Canada, has launched a business support center to help local businesses access government support programs. The city of Winnipeg, Canada, is analyzing the transit schedule to better accommodate essential workers. The town of Sidney, Canada, has opened a shower facility and collaborated with the local food bank for the vulnerable populations. Or you could simply follow the city of Lethbridge, Canada, and ask the community’s input directly on how the pandemic has affected their daily life through an online survey. To develop this capability (an in-depth view) in your organization, it is important to recognize the existence of a range

of needs and desires in your community as not everyone has the same need. The one-size-fits-all service approach will probably work for many of us, but certainly not for every one of us. To be able to capture the diverse needs, you will need both demographic data and behavioral data. The former helps you understand the characteristics of your local population while the latter helps you know how they access your services. When you overlay this information with the services you provide, you start to gain an in-depth view of the “hidden” demand of your community instead of learning them from the media or your council. To help you apply this approach to your local community, we list a few questions for your consideration: • Who will likely have different needs when you are enforcing physical distancing measures? • What are their characteristics? • What do they need? How do they access the services differently? • How can you address the diverse needs accordingly? 3. Looking Around

Our organization is like a human body. You want the left hand to know what the right hand is doing. When the organization is set and ready to move, you want all areas in sync. Looking around presents an internal view across your organization. It includes a series of commitments that have to be in place to ensure coordination and collaboration in the delivery of the actions you identified in earlier views. Across the globe, leaders of different countries and at different levels of government are championing their respective response initiatives and demonstrating the values and behaviors the people in the organization and the community should portray. Canadian JUNE 2020 | PUBLIC MANAGEMENT | 9

SPECIAL SECTION: COVID-19

Prime Minister Justin Trudeau was in selfisolation for 14 days after his wife tested positive for the coronavirus. Moreover, he left the podium to grab his coat during a live press briefing on a chilly day, saying, “I’m supposed to model healthy behavior. I am going to grab my coat and I’ll be right back.” In addition to the leadership, many organizations have committed resources and identified the pandemic response as an organizational priority. Canadian

Chief Public Health Officer Theresa Tam—despite criticism of her downplaying the severity of the virus and being slow in self-protection measures, such as wearing masks in public—continues to advise the government on issues of the pandemic and guide public health measures. As of April 30, the epidemic curve was flattening. Tam remarked, “That’s got us all quite excited about what that means.” To develop this capability (to be

Strategy Management LOOKING FORWARD •

What will likely change in your community?

•

What will the implications be to your organization?

•

What will the opportunities and threats be?

•

How can you address them accordingly?

LOOKING INTO •

Who will likely have different needs when you implement?

•

What are their characteristics?

•

What do they need? How do they access the services differently?

•

How can you address the diverse needs?

LOOKING AROUND •

Is your leadership ready to walk the talk, not just have the talk?

•

How can you mobilize resources to support the actions?

When it comes to accountability, are we just trying to find someone to blame or taking a problem-solving view to get the work done? •

LOOKING BACKWARD What information is relevant and timely to monitor the outcome of our actions? •

What are the implications of the data? What does it mean to the community and your organization? •

•

What actions or decisions are required?

10 | PUBLIC MANAGEMENT | JUNE 2020

responsible) in your organization, it is important to demonstrate the leadership’s commitment through leading by values and examples, to allocate resources and declare priority, and to ensure accountability by taking a positive and forward-looking view in dealing with criticism and failure. To help you apply this approach within your organization, we list a few questions for your consideration: • Is your leadership ready to walk the talk not just talk the talk? • How can you mobilize resources to support the response actions? • When it comes to accountability, are we just trying to find someone to blame or taking a problem-solving view to get the work done? 4. Looking Backward

Not every action we come up with may lead to success, at least right away. It is important for us to continuously review, understand and adjust our course when necessary. We have seen examples around the globe where initial actions may not necessarily be most effective. Lombardy, a northern region in Italy was hit hard by the pandemic. As of April 26, its death toll was 13,629, almost half of Italy’s total number of deaths. “The biggest mistake we made was to admit patients infected with COVID-19 into hospitals throughout the region,” said Carlo Borghetti, the vice-premier of Lombardy. Quickly, they responded by tracing the source and setting up separate structures exclusively for people sick with coronavirus. Despite the overwhelmingly high death figure, people have started to see a few early signs of easing: a few empty beds in the hospital and less crushing pressure on the intensive-care units. While the experience is unique, the approach can be leveraged. To develop this capability (a backward view) in your organization, it is important to leverage an evidence-based approach to reporting, evaluating, and decisionmaking. Reporting is about making the action-related results available in a timely manner. Evaluating is about analyzing and interpreting the data. Decision-making is about coming up with the appropriate course of actions based on the evaluation findings, community expectations, and the reality of the organization. To help

Table 1. A Comparison of Strategy Management, Strategic Planning, and Strategic Management STRATEGY MANAGEMENT

STRATEGIC PLANNING

STRATEGIC MANAGEMENT

Definition

A discipline to guide public organizations to develop and mature a holistic view into the future, the present, and the past to come up with and deliver a series of coordinated actions to meet the needs of the community at present and in the longer term.

It takes a “big picture” approach that blends futuristic thinking, objective analysis, and subjective evaluation of values, goals, and priorities to chart a future direction and courses of action to ensure an organization’s vitality, effectiveness, and ability to add public value.

It involves shaping, implementing, and managing an agency’s strategic agenda on an ongoing rather than an episodic basis…[employing] a purposeful, incremental approach to strategy formulation.

Feature

• Organization-based • Community-centric

• Process/activity-based • Organization-centric

Advantages

• Integrated view of community, environment, and organization • Focus on achievement of outcomes, not just delivery of actions • Can be customized for each organization • Sustainable • Rigorous • Addresses the people side of the strategy

• Creates systematic thinking about the organization and the environment • Promotes learning and discussion about priorities, and what will and will not work • Builds consensus around and commitment to strategic initiatives • External help can be leveraged in the process

• All the advantages of strategic planning • More rigorous than strategic planning • Empowerment • Monitors internal and external environment • External help can be leveraged

Disadvantages

• The value is based on organizational maturity • The development can only be done organically within the organization. It can be facilitated but won’t be achieved by external help

• Community is not front and center • Less rigorous • Focus on implementation, not achievement • Does not address the people side of the strategy • Hard to sustain • The process is sequential and lengthy

• Community is not front and center • The delivery/achievement perspective is mostly missing • Does not address the people side of the strategy • Hard to sustain • The process is sequential and lengthy

you apply this approach within your organization, consider the following: • What information is relevant and timely to monitor the outcome of our actions? • What are the implications of the data? What does it mean to the community and your organization? • What actions or decisions are required? While each capability can be developed or enhanced by its own set of actions, it only represents one dimension of an integrated view to meet the needs of our community. Falling short on one or multiple dimensions will be at the cost of the community and the people we serve. They have to be developed and matured together.

An Evolution from the Past

The pandemic is a vivid example of how strategy management can help municipalities better understand and serve the needs of the community; interpret the complicated and fuzzy world; and do both by bringing the organization together. Strategy management evolved from strategic planning, which was brought to public sector organizations in the 1980s from the best-run private companies.1 Fast forward to where we are today: the times are uncertain and volatile and the intensity of conversation around strategy in the context of global forces is very high. It has become quite clear that the current environment JUNE 2020 | PUBLIC MANAGEMENT | 11

joyfotoliakid/stock.adobe.com

SPECIAL SECTION: COVID-19

We will be caught by surprise if we cannot look forward. We will fail to meet the needs of our community if we cannot properly assess their needs. We will be stretched in multiple directions if we cannot look around within our organizations. And we will keep repeating the same mistakes if we cannot look backward and learn. where public organizations operate differs vastly from that of 40 years ago. Organizations need tools to better understand the needs of the community and the world around us, and to better deal with complex issues and meet community expectations. And we have to do all of that with increasingly constrained financial resources and move the entire organization in one direction. How can strategy management add value compared to its close siblings—strategic planning and strategic management? (See Table 1.)

cannot look around within our organizations. And we will keep repeating the same mistakes if we cannot look backward and learn. Fighting the pandemic may be the project of the year, or the next few years; a piece of work that happens at a point in time. But the world is connected, change is constant, and our community’s expectation is evolving. That’s why we believe developing and maturing your organizational strategic capabilities through strategy management is necessary. Is your organization ready for it?

Conclusion

Many say the pandemic is a once-in-a-lifetime event, but we can’t ignore the information available to us. Both George W. Bush (in November 2005) and Barack Obama (in December 2014) warned of the next pandemic in speeches at the National Institutes of Health. In 2015, Bill Gates told the world that we humans are not ready for the next pandemic. In 2019, the Trump administration’s Department of Health and Human Services carried out a pandemic simulation tagged as “Crimson Contagion,” which played out a viral outbreak originating in China that could kill close to 600,000 people in the United States alone.2 Is it possible that the information is available and we just don’t have the lines of sight to really see it? We will be caught by surprise if we cannot look forward. We will fail to meet the needs of our community if we cannot properly assess their needs. We will be stretched in multiple directions if we 12 | PUBLIC MANAGEMENT | JUNE 2020

KEL WANG is corporate performance lead, city of Edmonton, Canada (kel.wang@edmonton.ca). MICHAEL SAMBIR is director of service improvement, city of Edmonton, Canada (michael.sambir@edmonton.ca).

ENDNOTES AND RESOURCES

Berry, Frances Stokes and Wechsler, Barton. 1995. “State Agencies’ Experience with Strategic Planning: Findings from a National Survey.” Public Administration Review 55(2): 159-168.) 2 https://theconversation.com/coronavirus-is-significant-but-is-it-a-true-blackswan-event-136675?utm_medium=email&utm_campaign=Latest%20from%20 The%20Conversation%20for%20May%201%202020&utm_content=Latest%20 from%20The%20Conversation%20for%20May%201%202020+CID_b242b6 558c8844fc380ad46ed50bd2de&utm_source=campaign_monitor_ca&utm_ term=Coronavirus%20is%20significant%20but%20is%20it%20a%20true%20 black%20swan%20event 1

WOMEN IN LEADERSHIP

Matters of the Heart

What is the heart of your community saying?

BY HEATHER GEYER, ICMA-CM

Polis spoke to Coloradoans about the need to be more connected in the midst of the COVID-19 crisis, citing 1 Corinthians 13, “And now these three remain: faith, hope, and love. But the greatest of these is love.” Governor Polis referenced scripture as a source of inspiration to demonstrate his belief in the power of the human spirit and provide hope. As a viewer, this was effective and powerful. During the week of April 24, Colorado moved from “Stay at Home” to “Safer at Home,” and the goal is to reach the “Protect Our Neighbors” phase. This is the phase where Coloradoans will be able to socialize more normally, while taking significant precautions. Nothing about COVID-19 has been normal and Coloradoans have been socially distancing since March 26 by executive order. As we interpret executive orders and public health guidelines, I continue to come back to this reoccurring question: how do we as local government nurture the spirit of our community and connect to the hearts of our residents? How do we take the lead in modeling compassion and empathy during this crisis? In Northglenn, our team landed on one form of human connection that I don’t believe can ever truly be replaced and this is the power of a hug. A good old-fashioned squeeze that shows your friend or loved one that you care. So our team created a virtual hug of sorts—the Give a Northglenn Hug program. Residents can cheer each other up during this pandemic by requesting a hug yard sign. Our volunteer coordinator and elected officials deliver the signs. Residents are encouraged to pass their sign along to another neighbor. The response has been overwhelming. Within days of launching the program, we received this thank-you note from a resident that captures the essence of the power of nurturing the spirit of your community: I just want to take this opportunity to say thank you for that wonderful hug. I lost my husband to

How do we as local government nurture the spirit of our community and connect to the hearts of our residents?

HEATHER GEYER, ICMA-CM, is the city manager of Northglenn, Colorado (hgeyer@northglenn.org).

14 | PUBLIC MANAGEMENT | JUNE 2020

Photo credit: Nicole Valdivia

On March 30, Colorado Governor Jared

this awful virus 10 days ago and to see that sign just made my heart feel so warm. I can’t tell you how much I appreciate the city of Northglenn for doing such a heartfelt gesture and whoever sent it to me. I have lived in Northglenn since 1962, and there is no better city. Thank you. We have long months of recovery ahead of us and so many unknowns lie ahead. I believe our responsibility as public servants is to not only tend to physical and financial needs of our community, but more importantly, nourish the spirit of our community by connecting to the hearts of our residents. We must acknowledge the physical and financial suffering, the worry and anxiety, the fear and isolation. COVID-19 is overwhelming and devastating for many of us. Residents are craving connection more than ever before and I believe at the local level we have the ability to provide that connection. By finding opportunities to creatively engage residents and offer them hope during this time, we build trust in government. Authentic leadership provides hope and a simple human act of kindness—love. We each get to choose how we show up in these uncertain times. My advice: share your heart with your community.

ICMA LOCAL GOVERNMENT EXCELLENCE AWARD SPOTLIGHT

Preparing Local Youth for the Job Market While Reducing Recidivism New Hanover County, North Carolina—2019 Recipient, Program Excellence Award, Community Sustainability (50,000 and Greater Population) In 2016, the youth

unemployment rates in North Carolina were among the highest in the nation. In addition, North Carolina was the only state at the time to prosecute all individuals age 16 and older as adults, resulting in a high percentage of job seekers with adult criminal records. New Hanover County had identified the reduction of juvenile recidivism as one of the five highest priorities in the county’s five-year strategic plan. Facing this challenge, the county’s community justice services department staff developed an innovative approach to prepare youth with the soft skills necessary to enter and compete successfully in the local employment market. The approach was the Community Service and Restitution Program, which operates in partnership with more than 40 community stakeholders to facilitate successful completion of courtordered and court-diverted community service hours as an alternative to secure custody for youth ages 6–17. An eight-week job skills development component provides age-appropriate youth with an understanding of the job market and strategies for seeking and obtaining employment. It covers the community context,

personal values, a skills inventory, resume preparation, job application, interview skills, and on-the-job expectations such as time management, teamwork, and work ethic. The job skills development component embraces webbased resources to educate youth on accessing mobile job applications and other professional websites. Youth are coached through the process of creating an email account with a professional and appropriate username to be provided to potential employers.

Youth serve at various locations throughout the county—local churches, retirement homes, food banks, and an array of governmental and nonprofit organizations that strive to provide a diverse and enriching servicelearning experience. Upon completion of the job skills development portion of the program, youth are provided with individualized resource packets that include sample job applications, sample resumes, and a “skill bank” of personalized skill-building sets. Families also receive

an aftercare plan that offers relevant resources. Youth have demonstrated marked improvements in multiple areas specifically targeted by the program: decreased recidivism rates, increased school participation, and an overall increase in the necessary interpersonal and soft skills for entry into the local employment market. Since 2015, the program has served 155 youth, 72 of whom have graduated. Of the 72, only 11 had further adjudications in juvenile court—a recidivism rate of just 15 percent.

JUNE 2020 | PUBLIC MANAGEMENT | 15

The Role of the CYBER LEADER in Times of Crisis The Changing World Relies On Cyber Leaders To Manage Through The Known Unknowns The Harvard professor John Kotter noted correctly that nowhere is leadership more necessary than in times of great change. Nowhere in our living history have present-day leaders been tested more than they are today when it comes to leading change. In times like these the capacity and character of a leader are truly tested and revealed.

BY MIKE LEWIS AND TIM RAHSCHULTE

16 | PUBLIC MANAGEMENT | JUNE 2020

SasinParaksa/stock.adobe.com

JUNE 2020 | PUBLIC MANAGEMENT | 17

As we face this global pandemic together, we are witnessing some truly great leaders in action. Simultaneously, this situation is revealing some truly unprepared leaders. In this unprecedented time emerging leaders can learn what it takes to be truly great; from those leaders succeeding and from those struggling. One lesson (hopefully) being learned is that successful leadership is grounded in preparation for the change, not based solely on the reaction to the change. Cybersecurity leaders have perhaps learned this lesson more than other business leaders over the years. To understand why, a bit of background is important. The Background: From Risk Manager to Cyber Leader

The role of any cybersecurity leader is to enable business operations while preparing for the prospect of risk. Part of this work is ensuring business continuity when a risk becomes realized. Not too long ago, cyber threat was not a risk. At that time, the focus of risk leaders was enabling business continuity if and when a natural disaster like an earthquake, tornado, hurricane, or even a pandemic threatened daily operations and services to customers. Additionally, there has been the need for risk leaders to mitigate against negative implications from physical risk, theft, and the occasional sabotage. Due to the advancement of technologies, how work is conducted, and user expectations, the risk leader and business managers realized the need to ensure preparedness and response to privacy threats that now

The role of any cybersecurity leader is to enable business operations while preparing for the prospect of risk. include compliance protocols such as HIPAA. Extending responsibilities even further, they have become focused on threats against networked devices and personal devices connected at work and at home, including socially mobile applications and cloudenabled solutions, as well as the Internet of Things. All of this responsibility describes the cybersecurity leader today, not the forecast of what’s next. Along the journey, the evolution from risk manager to chief information security officer (or trust officer or privacy officer or the like) occurred and became the leadership role that is to help protect and defend against what the National Institute of Standards and Technology (NIST) refers to as the “world of threats.” This includes everything noted above and more, such as website defacement, cloud-based data storage, defending denial of service attacks, data scavenging attacks, wireless sniffers, unauthorized user access, any compromise of mission-critical information, and specific attacks including phishing, malware, eavesdropping, AIpowered attacks, and generally speaking, people. All that to say, a lot has changed in a relatively short amount of time—and certainly more change is on the horizon. Just a couple of years ago, no one was forecasting 2019 to be “The Year Ransomware

18 | PUBLIC MANAGEMENT | JUNE 2020

Targeted State and Local Governments,” but that is exactly the label placed on last year, according to GovTech magazine. Thinking back on the year, you will likely remember that the Louisiana state government declared a state of emergency after a cyberattack. New Orleans did the same after their attack. Twenty-two towns, cities, and counties were hit with a sophisticated coordinated ransomware attack in Texas. Of course, there was the now-famous hostage situation of the city of Baltimore due to a ransomware attack. Two cities in Florida were also held hostage within a week of one another due to ransomware, and big payments were made. The list goes on and because of the level of such disruption to government business—and the fact that two-thirds of all ransomware attacks in 2019 were targeting state and local government— CISA, MS-ISAC, NGA, and NASCIO came together in July 2019 to broadcast the list of three critical recommendations regarding cybersecurity: (1) Back up your systems daily, (2) Reinforce cybersecurity awareness and education, and (3) Revisit and refine cyber incident response plans. A great list for any cyber leader, but as the great leaders know, there is a capability gap between knowing what to do and how to do it—how to align people, processes, and technologies to get it done and to be prepared. Aligning People, Processes, and Technologies

To address the growing needs of business (since the 1970s), cybersecurity has risen through the hierarchical ranks to earn a place at the executive table

within many organizations. Components of modern cybersecurity can be found in the disaster recovery planning for physical infrastructure, such as roads and bridges; in business continuity and security planning for manufacturing organizations; and in the first versions of internet virus and malware mitigation strategies, which is where cyber was added to risk and security management. Today cybersecurity encompasses an ever-expanding collection of connected services, emerging technologies, application tools, and undefined or unseen threats that can destroy an organization with the click of a mouse. The modern

jijomathai/stock.adobe.com

cybersecurity officer must ensure privacy compliance and auditability, network capability, cloud everything, social apps, team apps, personal apps, organization data on personal devices, and support an increasing array of complexity. Today’s cybersecurity leader must also understand how and where cybersecurity fits into the overall organizational structure, where to say yes and where to say no, without always defaulting to no. Moreover, a cyber leader needs to be proficient in budgeting, balance sheets, human resources, project management, and other organization processes or functions in order to craft the story that conveys how

Three Critical Recommendations:

Back up your systems daily.

Reinforce cybersecurity awareness and education.

Revisit and refine cyber incident response plans.

cybersecurity enables every other organization function and to secure the necessary funding to make the security magic happen. In other words, cyber leaders must understand the business from their business partners’ (and users’) perspectives in order to best align people, processes, and technologies that enable their work in protecting and defending the business. This also means that cyber leaders must be able to speak the language of the executive team, board, and customer. It’s a foundational element to translate security and other IT “geek-speak” into words, concepts, and connections that people outside of the cyber

professions can understand and use to make decisions on defending and protecting by supporting the funding, process, capability, capacity, and interoperability needs of modern interconnected organizations. One other factor distinguishing the great cyber leaders of today from previous disaster recovery, business continuity, and internet risk and security leaders—thinking globally even if your organization exists (predominately) locally. Cyber leaders understand that the planet is connected which means both the good guys and the bad guys can reach you with the same minimal

JUNE 2020 | PUBLIC MANAGEMENT | 19

Testing People, Processes, and Technologies Against Reality

Plans, processes, and digital bunkers are all necessary; the question is are they sufficient? Nothing tests the readiness of a cyber leader, a team, or an organization like reality. Cyber leaders live in the unenviable world of having to prove a negative. A cyber leader cannot call the CEO every Monday to say, “We did not lose any data over the weekend and the organization was not hacked. See how good I am?!” Rather, it is the unfortunate events at other organizations that prove the negative for cyber leaders, albeit on an irregular and unplanned schedule. A few prime examples can be conjured from memory using just one word for each: Snowden, Target, Equifax, Baltimore. Cyber leaders might call on these examples

momius/stock.adobe.com

effort. Recent attacks and the current pandemic are proof of our interconnected world in which no one has immunity. Cyber leaders think and act on an international scale even if the organization they are protecting does not do business past the county line. Their global awareness combined with organization-level thought processes prepare the organization for what’s next. Even when others cannot yet see the threat, cyber leaders are raising the flag, hardening the digital bunkers, defining the business processes, and educating people at every level. The cyber leader’s actions ensure not only organizational survival, they mitigate risks to increase the odds of organization success, no matter where the next threat is emerging.

to support the processes that help them prove the negative through cyber fire drills, penetration testing, simulated phishing attacks, 60-day password policies, and required annual (or better yet, more often) cybersecurity training for all employees and external business partners. In addition, today’s cyber leaders are also being asked to support work from anywhere (WFA) policies, prepare for unknown unknowns, and secure information in places that they may not know exist (e.g., a personal USB drive in a home office, shared team applications, wireless devices such as TVs, phones, and watches). The current COVID-19 pandemic is also an appropriate measure of proving the negative. Organizations that were prepared for once in a lifetime cyber or business events acted according to plan, moved to WFA, and kept production at or near 100 percent. Unfortunately,

20 | PUBLIC MANAGEMENT | JUNE 2020

many organizations lacking true cyber leadership find themselves reacting to the event and struggling to play catch-up as they work tirelessly to bring production back to 40, 50, 60 percent gradually. Hopefully the lesson learned from the current change in cultures, businesses, and organizations

Today cybersecurity encompasses an ever-expanding collection of connected services, emerging technologies, application tools, and undefined or unseen threats that can destroy an organization with the click of a mouse.

is the reality that once-ina-lifetime events can occur more than once in a lifetime. Remember Y2K, the Financial Crisis of 2008, and the Year of Ransomware? Combined with COVID-19 that makes four once-in-a-lifetime events in 20 years. Perhaps once in a lifetime is no longer an appropriate term for a planet that is connected 24 hours per day and measures global events in milliseconds. Modern cyber leaders, CIOs, and CISOs accept and live in that world, which is why we need them. They help us defend and respond to threats and risks when realized. They help us to be prepared. Be Prepared

The world will remain a connected place. This kind of world can be risky, but it can also provide insights that could never be grasped in isolation. Cyber leaders will increasingly be responsible for aligning people, assessing new threats, vetting and implementing new technologies, and working with new stakeholders inside and outside the business. Essentially, they enable organizations to succeed, communities to prosper, and individuals to thrive. To realize these conditions means to prepare for threats and to lead in times of great change. Think about what’s next. We are beyond Y2K. We are beyond the Financial Crisis. We are beyond Snowden, Target, Equifax, and the Year of Ransomware. We will get beyond COVID-19. What will be next? From the extreme to the seemingly mundane, that is a day in the life of a great cyber leader. The great leader works to react to “what’s now” of a random issue and to the “what’s next” of a crisis plan.

Because today’s cyber leaders have earned a place at the executive table, they are also working to manage issues including the economic impacts of a global economy, worldwide supply chain shortages or disruptions, international staffing and personnel risks, as well as changes in geopolitical structures and norms. All or any of which could introduce the next layer of complexity for rapid mitigation to ensure continuity of organization productivity and business success. Life and work will get back to normal, but it will be a new normal. No industry will be the same after COVID-19. As John Kotter said, “Guiding change may be the ultimate test of a leader—no business survives over the long term if it can’t reinvent itself.” How will your organization be reinvented in light of new political systems, WFA expectations, education industries, conference events, travel guidelines, video conferencing, cloud application use, employee safety protocols, and more? No one is immune. Everyone is impacted, some much more than others. As a leader in charge of security, digital security, disaster recovery, information systems, teams of people, and a host of processes all supporting the productive capacity of the organization, how do you know the individuals in your organization are ready to do what they need to do now for the organization and for what’s next? In short, put them to the test. Tests and reality don’t determine leadership capacity and character. Rather, tests and reality spotlight your leadership capacity and character. No plan will prepare you 100

Cyber leaders have been living in a changing, unknown, global, “what’s next” world for years. This is a place they recognize. percent for what’s next; it is simply not possible to know unknowns or everything the future will bring. However, the knowledge, professional voice, and personal character to drive your organization toward a plan of readiness as a place to start when whatever is next emerges—that is leadership applied by the best in the cyber world. Understanding there are known unknowns and creating your framework or checklist to mitigate for what is most probable and for what is most catastrophic with varying degrees of risk, funding, training, and practice—that is leading your organization to take the first steps before whatever is next emerges so that when it arrives the people in your organization are ready and great leadership can be tested and revealed. What was unknown a few months ago and can now be understood as whatever was to be next is the current COVID-19 pandemic and is introducing organizational continuity factors that modern leaders have rarely had to address, including food scarcity, first responder’s triage and fatigue, daily governmental policy and law changes, failed supply chains, mass layoffs in the era of WFA with assets left in former employees’ homes, and so on. The short- and long-term implications to organizations will not be known for years to come. However, the need for cyber leaders to

engage in the organization at the highest level in planned and consistent ways will be one of the lessons learned from the current risk event being realized. Yes, this will be an event. Yes, it will impact the way organizations view the world and alter the definition of security. After all, having a secure cloud infrastructure will not be important if the organization cannot acquire the raw materials and people it needs to stay in business. This is potentially the next big influence for cyber leader roles. As the global supply chain for materials, talent, and market boundaries shift to become more diverse and more independent at the same time, cyber leaders will be asked to evaluate risks that simply do not exist right now. Conclusion

Preparing for and being comfortable with the emerging post–COVID-19 organizational needs is the embodiment of a great cyber leader. Cyber leaders have been living in a changing, unknown, global, “what’s next” world for years. This is a place they recognize. This suggests that cyber leaders are uniquely prepared for the post–COVID-19 world. As such, organization leaders at every level would be wise to elevate their cyber leaders to the executive table if they have not already done so. The skills and experiences that wise CEOs have funded for years are ready to provide significant business value as the new world unfolds. To support their organizations, cyber leaders will need to be more flexible, become more comfortable with new levels of risk, improve and increase training at every level of the

organization as a way to expand frontline defenses, and get comfortable with a phrase they may not like: “I don’t know.” Leaders with character admit when they do not have the information needed to make decisions, then they act to acquire that information. As the changing world relies on cyber leaders more and more, living in and managing through the known unknowns, “I don’t know but I will find out” will be a cornerstone for the next generation of cyber leaders—business leaders.

DR. MIKE LEWIS is the executive vice president of informatics and technology and chief information officer of Trillium Health Resources (www. trilliumhealthresources.org), a local management entity / managed care organization (LME/MCO). He is also the author of Responsibility Art, The Why and You in Leading and Managing. DR. TIM RAHSCHULTE is the CEO of the Professional Development Academy and chief architect of the ICMA Cybersecurity Leadership Academy program (www. pdaleadership.com/icma.) He also serves as advisor to the Cybersecurity Collaboration and is the co-author of My Best Advice: Proven Rules for Effective Leadership. RESOURCES

1. Kotter, J. P. (1999). John P. Kotter on what leaders really do. Boston: Harvard Business School Press. 2. https://www.govtech.com/blogs/ lohrmann-on-cybersecurity/2019-theyear-ransomware-targeted-state--localgovernments.html 3. https://www.dhs.gov/ news/2019/07/29/cisa-ms-isac-nganascio-recommend-immediate-actionsafeguard-against-ransomware

JUNE 2020 | PUBLIC MANAGEMENT | 21

Practicing Good

CYBER HYGIENE DON’T FORGET TO “WASH YOUR NETWORKS,” TOO!

22 | PUBLIC MANAGEMENT | JUNE 2020

BY DAVID BROYLES

he COVID-19 pandemic has re-emphasized the importance of personal hygiene. We have all become familiar with longer hand washings, face masks, and the seemingly impossible task of not touching our faces. But we must also redouble our efforts to maintain good cyber hygiene. As the pandemic has made our world more virtual—with massive increases in teleworking and teleconferencing—the risk of cyberattacks on local government computer networks has also grown. This heightened vulnerability has two causes: an increased attack surface and an increased threat from malicious actors.

Jonas Sjöblom/stock.adobe.com; above: kras99/stock.adobe.com

Increased Attack Surface

The formal calculation of attack surface takes a complete accounting of a computer network’s resources and computes the sum of their contributions to the potential for damage.1 But for our purposes, we’ll consider attack surface to mean the range of individual vulnerabilities that an attacker can exploit to cause damage in a computer network. We see an increase in attack surface because we see an increase in those vulnerabilities as a result of changes in response to COVID-19. First, fewer people are working behind their organization’s protective barriers; they are “outside the wall” on devices that probably have fewer protections (or protections that are less up-to-date) against computer attacks. They are also likely using their home Wi-Fi networks for connectivity, which may have serious vulnerabilities—or no protection enabled at all. With so many people working from home, some local governments and other organizations have rapidly deployed new network infrastructure in order to accommodate the surge in demand for teleworking—both equipment for users and equipment for handling the extra processing. If your organization has purchased equipment that is unfamiliar to your staff, there may be a greater chance of misconfiguration, such as unused access ports left open or administrative permissions set incorrectly. This increases the attack surface, leaving holes that attackers can exploit. Ideally, staff at home are using authorized work computers that allow them to connect to your organization’s network through a virtual private network, or VPN. And these work computers ideally have protections for when they are away from the work environment, such as disabled USB ports. But instead, many housebound local government employees are increasing the attack surface of government networks by using their home computers for work, whether permitted by organizational policy or not. Some activities have a lower risk, such as accessing work email through a web-based interface on a home computer. But some staff may use their home computer to create files, which they then email to their work email address. The chances of people using their home computers for work increases with their frustration levels with work equipment (“It’s too slow” or “It has too many restrictions”) or simply because they prefer their home setup. (“I have three screens and a killer JUNE 2020 | PUBLIC MANAGEMENT | 23

sound system!”) But the chances they are using infected home computers are high: Adaware estimated in 2017 that hackers had control of 100 to 150 million computers on the internet.2 And in 2015, the Anti-Phishing Working Group reported that nearly one-third of the world’s computers had malware on them. Even people who are not primarily using their home computer for work may be using riskier methods while teleworking from home, such as personal email accounts and transferring files from home computers to work computers. They may also try out tools with new or unknown vulnerabilities. For example, Zoom has become a popular platform for videoconferences. In April 2020,

AT LEAST 174 U.S. MUNICIPALITIES HAD RANSOMWARE ATTACKS IN 2019, A 60-PERCENT INCREASE FROM 2018, WITH AN AVERAGE RANSOM OF $1 MILLION PER ATTACK.

researchers showed that hackers could steal Zoom users’ Windows credentials by sending special links through Zoom’s chat interface.3 Zoom quickly patched this vulnerability, but the incident highlights the risks of using new platforms. It also raises questions about what other yet-undiscovered vulnerabilities may still be active. All of these processes increase the attack surface of your network. This risk comes on top of the normal problems, such as people unwisely posting their Zoom meeting links in public places and having unsavory characters “Zoombomb” their meetings.4 New equipment, processes, and tasks also mean that staff may be seeing unfamiliar links to websites or receiving emails from new people and places. Many of these will be legitimate; some may not be. With all of the added uncertainty and strangeness from the COVID-19 pandemic, people are particularly susceptible to sensational news, which potentially makes them an easier target for the click-bait lures such as, “You won’t believe what this politician said about COVID….”

fizkes/stock.adobe.com

24 | PUBLIC MANAGEMENT | JUNE 2020

MALICIOUS CYBER ACTORS ARE INCREASINGLY USING COVID-RELATED THEMES IN THEIR CYBERATTACKS.

In all of these ways, COVID-19 has increased the attack surface for local government networks. As a result, malicious cyber actors have even more entry points to exploit and launch a successful attack on your organization’s computer network. Increased Threat

It would be nice to think that hackers are lying low at this time of global suffering, busily sewing masks. It would also be naïve. Both the historical record and recent intelligence suggest that attackers will try to take advantage of the pandemic. But who are these attackers, and why do we see the threat from them increasing during the pandemic response? The threat generally comes from three sources: 1. Amateurs or lone hackers who are acting for general mischief. 2. Criminals who are financially motivated. 3. Nation-state actors interested in gaining intelligence—and maybe also in generating friction.

individuals decide to take advantage of the chaos and distractions. The U.S. Department of Homeland Security, in conjunction with the Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Centre, released a report in early April noting that malicious cyber actors were increasingly using COVID-related themes in their cyberattacks. They were phishing using “COVID” in the subject line of emails, distributing malware via COVIDthemed lures, and registering domain names with COVID-related words, where they could host their malware.9 The Need for Cyber Hygiene

Together, the increase in the attack surface and the increased threat means that local managers need to redouble efforts to keep their information technology systems safe, even as they continue to extinguish all sorts of other fires in response to the public health emergency. It would be easy—and might even seem reasonable—to relax on good cyber hygiene In the latter case, the threat particularly standards, making special allowances during comes from regimes that don’t like the United these difficult times. It might even seem to suggest denisismagilov/stock.adobe.com States: China, Russia, Iran, and North Korea.5 These that you are putting human life before computer countries have teams of hackers dedicated to breaking into the systems. But safe and secure computer systems are vital computer systems of other nations, and they have the financial to help those very same humans, and they must remain as backing of their countries behind them to provide the best protected as possible. In fact, the unprecedented demands equipment, tools, and training. Most of these teams target on unemployment claims systems and emergency logistics federal government and industrial systems in order to gain networks suggest that strong networks have a vital role to access to sensitive information or intellectual property. But play in countering the pandemic’s effects. some—particularly North Korea—are not above stealing from Cyber hygiene does not come easily! In April 2020, the banks and blackmailing corporations.6 U.S. Government Accountability Office released a report Although the Russians have shown a predilection for noting that the Department of Defense had not taken targeting U.S. elections infrastructure,7 the greatest threat action on many of the identified deficiencies in its cyber to local governments comes from hackers seeking to enrich posture.10 The report found that by 2020, the Defense themselves. Kaspersky reported that at least 174 U.S. Department had not fully implemented seven of the eleven municipalities had ransomware attacks in 2019, a 60-percent tasks identified in 2015—which originally had expected increase from 2018, with an average ransom of $1 million completion dates in 2016. And local governments must per attack.8 Cyber criminals mostly used phishing attacks, contend with far fewer resources than the U.S. military. It’s with a variety of malware hidden in attachments, links, or easier to identify issues than to implement solutions. software installers. Even so, simple steps can provide powerful protection, All of these attackers, regardless of their motivations, such as ensuring that computer networks, operating currently have greater opportunities to attack computer systems, and programs have the latest patches installed. networks due to the increase of the attack surface from the When the WannaCry ransomware attack hit in May response to COVID-19. Criminal activity generally increases 2017, the exploit used a vulnerability in the Windows in times of turmoil and uncertainty, when less scrupulous operating system to break into computers, encrypt data, JUNE 2020 | PUBLIC MANAGEMENT | 25

THE UNPRECEDENTED DEMANDS ON UNEMPLOYMENT CLAIMS SYSTEMS AND EMERGENCY LOGISTICS NETWORKS SUGGEST THAT STRONG NETWORKS HAVE A VITAL ROLE TO PLAY IN COUNTERING THE PANDEMIC’S EFFECTS. and then demand ransom payments in Bitcoin. Months prior to the attack, Microsoft had released patches to close the vulnerability, but WannaCry was able to penetrate institutions and governments around the globe that had not applied the patches. The United States, United Kingdom, and Australia formally identified North Korea as the sponsor behind the attack.11 With the increase in teleworking, local managers can take additional steps by helping staff better secure their home networks. Simple checklists and links to step-by-step resources can help ensure that basic security measures are in place, such as changing the default password on a Wi-Fi network. But even with the latest equipment and updated security measures, it only takes one click on a malicious link or one activation of a bad file to undermine all security measures. Each local government employee sits on the front line of this cyber battle, and their training and preparation will ultimately determine the outcome.

As governments across the globe respond to the COVID pandemic, we have no idea whether we will see subsequent waves of infection, or even what the next crisis might be. What we do know now is that the world can change rapidly and completely, and we need to provide jurisdictional staff with the tools they need to remain nimble and flexible. The time is now—or in the very near future—for local managers to ask important questions regarding their network security: Did your organization put any IT shortcuts in place? Does your organization have appropriate safety measures in place? Are temporary measures that were put in place during the pandemic still necessary? Can they be updated? Addressing these questions may take time and decrease efficiency for a while. But should a second pandemic wave or some other tragedy hit, they will save more time and increase safety. And so, as you wash your hands for the recommended 20 seconds—or as you ponder whether that random cough might be something more—don’t forget to maintain good cyber hygiene and “wash your networks,” too! DAVID BROYLES directs CNA’s Special Activities and Intelligence Program, which does research in special operations, cyber operations, and autonomy and artificial intelligence for the Department of Defense. He also co-hosts AI with AI, a weekly podcast on artificial intelligence and autonomy. (broyled@cna.org) ENDNOTES AND RESOURCES

P.K. Manadhata and J.M. Wing “A Formal Model for a System’s Attack Surface,” Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, Chapter 1, S. Jajodia, A. Ghosh, V. Swarup, C. Wang, and X.S. Wang, editors, Springer, 2011, pp. 1-28. 2 Adaware. Spyware Statistics. 10 January 2017. 3 Dan Goodin. Ars Technica. “Attackers can use Zoom to steal users’ Windows credentials with no warning.” 1 April 2020. 4 Kristen Setera. FBI Boston. “FBI Warns of Teleconferences and Online Classroom Hijacking During COVID-19 Pandemic.” 30 March 2020. 5 Symantec. Internet Security Threat Report. 2019. Volume 24. In particular, this report noted that in 2018, the United States filed 49 espionage indictments against China (19), Russia (18), Iran (11), and North Korea (1). 6 Ben Buchanan. Wired. “How North Korean Hackers Rob Banks Around the World.” 28 February 2020. 7 Report of the Select Committee on Intelligence, United States Senate. “Russian Active Measures Campaigns and Interference in the 2016 U.S. Election.” 8 Kaspersky. “Kaspersky research finds 174 municipal institutions targeted with ransomware in 2019.” 11 December 2019. 9 U.S. Department of Homeland Security. U.S. Cybersecurity and Infrastructure Security Agency. U.K. National Cyber Security Centre. Alert AA20-099A. COVID-19 Exploited by Malicious Cyber Actors. 8 April 2020. 10 Government Accountability Office. GAO-20-241. DoD Needs to Take Decisive Actions to Improve Cyber Hygiene. 13 April 2020. 11 Thomas P. Bossert. The Wall Street Journal. “It’s Official: North Korea Is Behind WannaCry.” 18 December 2017.

maglara/stock.adobe.com

26 | PUBLIC MANAGEMENT | JUNE 2020

Urban Cyberterrorism and RISK

MANAGEMENT Local government leaders serve their communities as orchestral conductors of policy and planning. This role harmonizes stakeholders, policies, processes, and divergent interests in pursuit of that pure sound of sustainable cities for the future. Alongside the harmonizing nature of management, however, is the risk management task of protection of assets. Here we focus on the risks associated

City Size Doesn’t Matter

with developing ever “smarter” cities. We are particularly concerned with addressing city-wide cybersecurity risks encountered in an integrated smart city, namely vulnerability to cyberterrorism. Intelligent technologies for cities are an empowering dream; we can utilize actionable data to improve traffic, lighting, water maintenance, and efficiently control power grids. At the same time, all these advances require vigilance to the highest standards of cyber protection against increasingly porous attack surfaces in delivery of smart services. Local leaders and their teams need continuing education on best practices to ensure well-designed and risk-minimizing practices that are sustainable with dynamic security risks facing smart cities. | BY BARRY L. SCHALKLE, JD, CPA; AND CYRUS OLSEN, PHD |

28 | PUBLIC MANAGEMENT | JUNE 2020

Could cyberterrorism happen in your city? Suppose all your files are locked and your city operations come to a screeching halt. Cyber lockdown could be worse than any COVID-19 quarantine. If access to services and everything digital within the city is locked, the city and its constituents are assaulted with fear—the terrorist’s weapon. Or worse, your water supply or traffic or emergency services could be compromised and lives lost on an unimagined scale. Even if you resolve the event, it can and often does happen again. Why? Because smart city attack surfaces evolve like viruses and offer multidimensional opportunities for hostile cyber actors. Indeed, this could lead to you or your fellow leaders being dealt an “RGE.” In cyber speak, an RGE is a “resume generating event,” meaning you were terminated. Urban cyberterrorism can and does happen to cities regardless of their size. For city managers, this article focuses on risk management as the “what” and a subsequent article in the July issue focuses on digitally driven automation as the “how” to lead a cybersecurity “identify, defend, detect, respond, recover” cultural transformation along the smart city journey.

janista/stock.adobe.com, the_lightwriter/stock.adobe.com

Urban Cyberterrorism: Opportunistic, Not Selective

Hostile cyber actors (the bad guys/hackers/for cities, often nation-state sponsored and well-funded) are looking for and finding vulnerabilities in a city’s digital and physical ecosystem. Your city’s weakest link and vulnerabilities make you a potential next victim. These attacks are sophisticated and automated; the intent is to sow fear, distrust, and terror to debilitate a city, or even a nation. Ransomware (one form of attack) is an easy form of extortion. Any breach is very costly to your city, even if you pay the ransom. Smart city risk management is required to avoid becoming that next victim. You must understand, however, that no magic pill, no panacea exists in a zero-trust ecosystem1 that evolves dynamically at computer-mediated speeds. No single new technology or quick fix is enough. Diligent and far-sighted risk management is the only antidote. New models are required for risk management that look at sensor-generated telemetry, multidimensional data used to spawn intelligence about threats, and vulnerability risk estimations. The National Institute of Standards and Technologies (NIST) suggests the following: Assume that an attacker is present on the network and that a [city]-owned network infrastructure is no different—or no more trustworthy—than any non- [city]-owned network. In this new paradigm, a [city] must continually analyze and evaluate the risks to its internal assets and business functions and then enact protections to mitigate these risks.”2 Protective urban cybersecurity is led by the city manager. Smart city cyber-related risks have consequences. Today these consequences are measured in dollars, losses, lives, and risks for which you as manager are accountable. Bad actors are often well financed and staffed, while cities struggle JUNE 2020 | PUBLIC MANAGEMENT | 29

City Management: What Are We Protecting? Real Time/Near Real Time Data

External Data Integration

Personal Identifiable Information

Target

Integrated Data Sources

Business Processes • Assets • Revenue • Infrastructure • Employees • Vendors • Regulatory Compliance

Infrastructure Services • Water • Power • Transportation • Emergency • Public Safety

Advanced Metering/Services

Economic Health • Companies • Public Spaces • Health • Education • Tourism • Reputation

Constituent Safety • Personal Information • Identities • Locations • Well Being • Safety

with overextended services and budget constraints. How should managers then proceed in the face of the complexity of smart city technologies? A 2019 New York Times article highlights cities both big and small that are increasingly the target of hostile cyber actors.3 Many cities think they are too small to worry about such things, or that their firewall and antivirus software protect and secure them. The reality is that urban cyberterrorism is opportunistic, and every city is a potential target as it pursues intelligent city services as a smart city. Key Cybersecurity Dimensions

Smarter city ecosystems have four key cybersecurity dimensions forming an increasingly porous attack surface. These dimensions change dynamically as smart city technologies are implemented: 1. Business Processes: Assets, revenue, infrastructure, employees,

vendors, and regulatory compliance.

2. Infrastructure Services: Water, power, transportation, emergency services, and public safety. 3. Economic Health: Economic wellness of companies, health, education, tourism, and reputation. 4. Constituent Safety: Personal information, identities, location, and safety. These interdependent dimensions and attack surfaces grow as smart city infrastructures mature, which means the monolithic defensein-depth approach, owned by IT, is no longer possible or advisable. The reality is that smart cities require diverse data flowing across technical and organizational boundaries. These data elements need to be integrated at machine speeds with threat responses automated in near real time to mitigate threats in the operational infrastructures like water, transportation,

30 | PUBLIC MANAGEMENT | JUNE 2020

and power grids. For a city manager, a new way of viewing cybersecurity is required. According to research: Small municipalities are particularly vulnerable, as nearly half of attacked cities in 2019 had a population of 50,000 people or less. The analysis also found that two-thirds of ransomware attacks in 2019 were aimed at government organizations.4 Cybersecurity ignorance can result in a city-wide failure in an interconnected city using smart technologies.5 Facing a zero-trust world, how does a local government leader manage these risks and perhaps even lagging cybersecurity capabilities? Cybersecurity: A Risk Management Decision, Not an IT Decision

Risk management is the reduction of uncertainty,6 and the city manager’s role is

leadership. Local government leaders are responsible for thought leadership, decision guidance, accountability measurement, resource allocation control, and ensuring uncertainty reduction for all stakeholders over an extended planning horizon. Risk management decisions are themselves risky, especially in the face of concerns about surveillance and personal privacy and with the impact of major events like the COVID-19 pandemic. To be sure, IT plays a pivotal role since it is the domain of identity and access management in a zero-trust world. But it is the risk created with tightly coupled telemetry and integration of data at rest and in motion across cloud, premise, and operational infrastructures that must be considered in a smart city context. This requires a leadership role at the highest levels to ensure unified, collaborative behaviors throughout the entire city operational infrastructure and organization as a risk

management “security curtain.” Even in corporations the average time to breach detection is 197 days7 and cities often are less invested in tools and skills than most mid- to large-sized companies. General Michael Hayden, former director of NSA/CIA, notes that the citizens of the U.S. face “combat in the information domain” and the fact that “this is not just a cyber threat issue.”8 A local government leader as CEO is not mastering the technology, or doing the work of IT, but rather leading across departments, driving cybersecurity best practice policies, building responsible cultural norms, ensuring IT and other departments are communicating, and making funding allocations to ensure secure sensor infrastructures are available in the operational technologies. They are responsible for risk reduction across this ecosystem.9 Building a cybersecurity first (CSF) culture requires a thoughtful balancing of resource allocations, driving CSF-conscious decisions and orchestration of operations with outside experts using empirical and impactful accountability metrics, not anecdotal assurances that a network perimeter is secure. You and your city cannot make guesses. To make quality decisions you need facts based on reliable data; facts about cross-departmental cybersecurity capabilities and vulnerabilities. Reliable data is generated by enumerating facts about your own digital and physical ecosystem. It is your locality’s data that is important for building decision models and reducing uncertainty to acceptable and measurable levels. Enumeration data is not

easy to obtain, and in many cases is totally absent—but knowing that is progress. Without reliable enumeration data, you cannot build out a clear and comprehensive decision framework for smarter city threat surfaces10 like cloud services, internet of things (IOT), industrial internet of things (IIOT), and digital integration. Cybersecurity first (CSF) as a cultural norm is not a subjective risk matrix, used as a heuristic (subjective guessing or “trust me tricks”) for hopeful cybersecurity decisions about IT infrastructure upgrades. Local government staff need a clear vision of smarter and secure community from their leader. Generating that clear vision requires first building your CSF master plan and a reliable fact-based roadmap. Tight linkages to execution disciplines will increase your probability of success. Without this type of plan, your community could become the next urban cyberterrorism victim, regardless of size. Challenges of Leading a CSF Culture within Local Government

Experts predict a global shortage of 4.07 million cybersecurity professionals in the year 2020.11 In addition, city/county managers are generally not cybersecurity experts and are often at the mercy of their IT engineers. It becomes a daunting task knowing where to start. How does a thoughtful manager lead the smarter city ecosystem in building that CSF master plan and still do their day job? Migration to a CSF ecosystem requires digital, operational, and organizational transformations. A local

government leader must look at People, Organizational Structure, and Policies and procedures, integrating with Technologies (both current and future), Operational planning, and Projects (current and future) across all departments and stakeholders (POP TOP).12 This POP TOP™ method builds a collaborative roadmap that all stakeholders climbing the smart cities mountain together can forge into a CSF culture. Guiding a Reasoned Assessment toward CSF Smarter City Ecosystems

Thoughtful transformation of an entire city ecosystem into a CSF community strongly depends on its leadership. For the leader, however, the critical skill lies in generating followers, then enabling transformative change to create cultural norms, vocabulary, and behaviors. This often requires creating a change management role reporting to the chief administrative officer, empowered to enable cybersecurity priorities for departmental leadership and operational planning.13 Following are three cybersecurity leadership tasks: 1. Establishing Your City’s Security Vision

“Visioning” sometimes conjures images of wasted time and unused documents in the face of operational realities, but it remains a critical exercise in any smarter city journey. The value of visioning lies in generation of vision vectors guiding stakeholders toward a culture of security-mindedness and behavior.14 There are critical components to crafting correct vision vectors as directional guiding principles, with both magnitude and direction, embedded in a matrix

of interests and anchored to a time frame. First, vision vectors need enumerated facts establishing a baseline. This requires a comprehensive cyber assessment, including things like the use of collaborative technologies like Zoom under pandemic scenarios. Let’s be clear, a comprehensive cyber assessment is not a self-assessment, nor is it a check-the-box questionnaire. A proper smart city cybersecurity assessment is a thorough thirdparty analysis of all aspects of your digital ecosystem and its potential for risk. It is not a solution looking for a problem, nor is it a set of technical recommendations. It is not merely a network penetration test by white hat hackers. It needs to cover three critical domains across present state security capabilities guiding smarter city future investments and technological evolution: • Digital Infrastructure: Including IT, OT (operational technologies, analytics platforms, cloud, hybrid, and physical security, also integrations with external vendors and partners. • Security Policies: Both organizational policies and digitally automated policies (like access and identity) and associated standards with procedures clarified in understandable language • Ecosystem Integration Points: Vendors, constituents, other federal and city entities, businesses, and your own organization. Secondly, it should be an ongoing line item in city budgets. Cybersecurity assessment is a city’s annual cyber risk physical that prevents

JUNE 2020 | PUBLIC MANAGEMENT | 31

SMART CITY CHALLENGES Physical security integration and the threat of surveillance

you from being “sickened” by new and evolving threats. 2. Building Your Roadmap and Beginning Your Evaluation

Once you have a vision clearly defined through thoughtful enumeration, you begin building your roadmap and engage in fact-based evaluation of a department’s current state. You evaluate present state capabilities and identify smarter city aspirations and immediate risk holes to be plugged across the ecosystem.15 This suggests cyber-responsible roles in each department, with responsibilities for cross departmental communications, data quality, and policy compliance. 3. Moving Forward

Once you have completed an assessment and finished the evaluation, you are ready for remediation planning with execution road map detail. The execution roadmap identifies where your city goals and risks are today, specifies acceptable risk levels, and defines roadmap detail balancing capability maturity and fiscal limitations rolling across the time horizon for deployment.

resource allocation parameters, you will want to make sure that cybersecurity is reporting to the chief administrative officer.16 You want to make sure clear metrics have been established and impactful departmental accountability is in place to ensure tasks and timelines are met. Combatting cyberterrorism requires daily monitoring of the entire cyber and physical ecosystems and follow up with actionable remediation profiling.17 Third-Party Risk Management

While you strive to protect your city’s smarter infrastructure and network, it is important to protect it with outside “third parties” interacting with your ecosystem. This risk can pose a substantial threat surface to your otherwise well-protected ecosystem. Municipalities, especially smaller ones, often entrust their crown jewels— their residents’ data, their finances, their SCADA systems, and their business platforms— to third-party vendors they trust. However, a breach of your

We will elaborate more in the second part of this series in the July issue. cofficevit/stock.adobe.com

trusted third party often leads to a breach of your ecosystem as a result of credential compromise (stolen secrets). If you don’t think third-party risk is real, we would remind you that the now-famous Target breach was all due to a third-party vendor’s vulnerability. Currently the global IT managed service provider (MSP) giant Cognizant is facing an evolved Maze malware attack that has not only demanded ransom for encrypting data, but stolen a copy of the data as well.18 This emphasizes that while many MSPs offer IT expertise and

services as valued partners, few are cyber experts.19 Third-party risk management (TPRM), the process of holding enterprises accountable to verifiable best practice standards, is difficult in a “verify then trust” world.20 Third-party verification is not asking the third party to answer a series of questions. Self-assessments and questionnaires are unreliable and suspect. MSPs need to have their infrastructure secured by an independent cybersecurity firm and present documentation to that effect. TPRM is about having an

Cybersecurity First Master Plan for a Smarter City TM

ASSESSMENT

Methodology for Developing Your Security Master Plan

Developing a CSF master plan can be daunting. It is not for the uncommitted and is likely will require third-party experts helping you. The initial assessment establishes your priorities as they relate to your most vulnerable cyber risks and your end-state vision. From there, you establish timelines and resource allocation mapping for both fiscal and leadership needs. Within

A city’s security controls should include physical security integration, especially in sensitive areas like industrial control systems and operational infrastructures (i.e., water). A smarter city needs a unified platform that blends IP video surveillance, access control, license plate recognition systems, and more within an intuitive solution. All security operations should seamlessly merge, enhancing situational awareness, and providing users with the power to rapidly respond to emerging situations, detect activity, and audit remediation trails. This is both an opportunity and a risk for a local government leader. Constituents and sovereign standards for surveillance may limit certain capabilities in the interest of responsible cybersecurity.

ENUMERATION

Fact-Based Identification

Delivery

1. Current Security

2. Smarter Evolution

3. Recommendations

Infrastructure

Vision

Gap Analysis

Monitoring and Reporting

Priority Applications Cloud Strategy/Vulnerabilities

Metrics Policies

Data at Rest

Network Segmentation

Data in Motion

Security Operations Reporting Structures

Standards

Organization

Ecosystem Interfaces

Federal State Local Organizational Departmental

Information Technology Operational Technology

Leadership Team/s Security Telemetry and Monitoring

32 | PUBLIC MANAGEMENT | JUNE 2020

REMEDIATION

Objective Review

Governance

Procedures

Execution EVALUATION

Education

Prioritized Targets Risk Priorities Target Mapping

independent assessment and ongoing monitoring of behaviors. This will not only protect your locality, but your vendors as well. TPRM requires deep optics, transparency, strong accountability, and effective collaboration. Achieving effective risk outcomes takes innovation requiring automated risk assessment capabilities informing meaningful cybersecurity management actions and metrics. Your weakest or strongest link?

In cybersecurity, your weakest and strongest links have something in common—they are your employees. Those who are haphazard are the weakest link and put even leading-edge technology at risk. Every CSF master plan must include employee cyber education. Training must be completed semi-annually with education across the board, including the city council, leadership team, staff, and even residents. Education needs reinforcement with periodic phishing campaigns to help determine compliance and effectiveness of your cyber standards. Developing a quality cyber culture through teaching precaution and awareness (not paranoia) will take time, but proper education policies and practices will help transform your city into a smarter city. Call to Action

It is important for you to ask a lot of questions and seek out proven experts with proven methodologies. Local government leaders should ask three questions for focusing departmental risk discussions: 1. Are our identities and access privileges protected with best practices?

2. Are our confidential information and data encrypted at rest and in motion? 3. Were our operational control systems implemented with best practices and granular network segmentation? If any of these questions are not clearly answered with fact-based detail, you have reason for concern. This can then lead to dialogue and vision clarification about how your city is protected in a smarter city architecture. Build your city’s vision, get a cyber assessment, and help develop and execute your cybersecurity first master plan. Follow up that effort with third-party cyber verification and validation. With a “verify then trust” culture evolving within your ecosystem, you can link vision to execution and become a smarter city. © Copyright 2020 by Barry L. Schalkle, JD, CPA and Cyrus Olsen, PhD

ENDNOTES AND RESOURCES

Technologically, the smart city environment is a “zero-trust” ecosystem for a city. “Zero-trust” was originally coined by the Forrester group’s John Kindervag in 2010. It assumes that no digital infrastructure is safe, but is presumed to be vulnerable. It has evolved into a model where every single access request—whether it be made by a client in a coffee shop or a server in a datacenter— is rigorously checked or proven to be authorized (Zero Trust Networks, 2017, Gilman & Barth, O’Reilly Media Inc.) Here, in a smart city context, it includes IOT, IIOT, ICS, and data integration technologies under the city responsibilities as digital infrastructures. It is exposed to compromise from within and outside City IT boundaries by interactions with external and internal data and protocols. 2 Adapted from in NIST.SP.800-207draft2, https://nvlpubs.nist.gov/ nistpubs/SpecialPublications/NIST. SP.800-207-draft2.pdf , Zero Trust Architecture, Feb. 2020, p. 1. 3 New York Times, Aug 22, 2019, Updated Aug. 23, 2019. https://www.nytimes. com/2019/08/22/us/ransomwareattacks-hacking.html. In addition, in 2019, CNN reported that “targeted ransomware 1

attacks on local U.S. government entities—cities, police stations, and schools—are on the rise, costing localities millions as some pay off the perpetrators in an effort to untangle themselves and restore vital systems.” https://www.cnn. com/2019/05/10/politics/ransomwareattacks-us-cities/index.html 4 https://blog.barracuda. com/2019/08/28/threat-spotlightgovernment-ransomware-attacks/ 5 Jeff Kosseff, assistant professor of cybersecurity law at the U.S. Naval Academy, stated, “Municipal governments and hospitals…just don’t have the top cybersecurity out there, and the criminals know this.” He added, “You can see loss of life happening if the hospitals are not able to function. What terrifies me is if it happens on a large scale,” https://www. pure.si/cryptocurency/all-we-know-ismoney-us-cities-struggle-to-fight-hackers/ 6 Cyber risk management is not the elimination of risk in a zero-trust world, but the process of reducing uncertainty to a manageable and acceptable level within the scope of available resources. 7 https://securityboulevard.com/2018/ 07/survey-finds-breach-discovery-takesan-average-197-days/ 8 Michael Hayden and Richard Clarke on Greatest Cyberthreats facing America, https://www.youtube.com/ watch?v=FdiAQBXGsMg 9 This is the reason National Institute of Standards and Technology generated the Cybersecurity Framework in 2014 with the latest updated version Draft NIST. IR.8183r1-draft, available at https:// nvlpubs.nist.gov/nistpubs/ir/2020/NIST. IR.8183r1-draft.pdf for manufacturing environment risks. This framework identifies five core areas: identify, protect, detect, respond, recover, to drive an operational cybersecurity culture. 10 A smarter city threat surface is porous by design due to necessary integration of Internet of things (IOT), Industry 4.0 IOT (IIOT), industrial control systems (ICSs), services integration with vendors, digital transformation technologies like machine learning (ML) and artificial intelligence (AI), serverless container services, not to mention the data and platforms needed to provide advanced analytics and reporting. 11 ISC2’s 2019 survey of cybersecurity worldwide. It predicts a shortage of ~500,000 in the U.S. alone. (LATAM: ~600,000, Europe: ~291,000, APAC ~ 2.6M.) https://www.isc2.org/-/media/ ISC2/Research/2019-CybersecurityWorkforce-Study/ISC2-CybersecurityWorkforce-Study-2019.ashx?la=en&hash =D087F6468B4991E0BEFFC017BC1A DF59CD5A2EF7 12 The POP TOP™ methodology is a model used by Cyber Security Warriors and has been applied to large organizations and city departments for intelligent infrastructure planning. 13 This can be the CISO role but must be protected from becoming merely operational as well. This role is the eyes, ears, and heart of the local government leader across departmental smart city interests and needs to be skilled in technology as well as management arts.

A “vector” has both magnitude and direction. These vision vectors first create a target and a magnitude of investments, as well as a directional guide for matrixed execution planning. 15 The local government leader owns responsibility for satisfying all stakeholders, and in the age of increasing surveillance fears, technology may be the least of their worries. Details on how you do this are in part 2, scheduled for July. 16 This can be controversial, but separation of duties of the cyber role from the IT role is critical for proper risk management. The IT role instantiates technical capabilities for least privilege, multifactor authentication, etc., and the cybersecurity role drives policy, compliance, awareness, and threat management with data and standards ensuring smarter city risk decisions are clear and managed across individual department optics. 17 Critical technical elements like secret and key management, identity access management (IAM), potential kill chains, surveillance standards and limitations, and other elements of cybersecurity as a discipline need to be thoughtfully digested with fact-based data to build out actionable remediation roadmaps in conjunction with technical roadmaps. These take the form of infrastructure challenges such as the need for sensor placements, telemetry integration, and other smart city considerations implied by a smarter city evolution. 18 https://www.crn.com/news/channelprograms/cognizant-left-with-no-goodoptions-after-maze-attack-security-expert 19 IT services performed by third-party managed service providers (MSPs) need to have their infrastructure validated by an independent cybersecurity firm, and present attestations for city services security in smarter city architectures. 20 Ronald Reagan popularized the “trust but verify” motto; however, in a zero-trust world, it is inverted. Until verification is visible, trust cannot be given. Only with verified identity and validated authorization as least privilege policy can access be granted. 14

BARRY SCHALKLE, JD, CPA, is a co-founder of veteran-owned Cyber Security Warriors, LLC and has been focused on risk mitigation consulting for most of his career. (barry@ cybersecuritywarriors.city) CYRUS OLSEN, PHD, is a co-founder of veteran-owned Cyber Security Warriors, LLC and is an organizational capabilities physician and infrastructure consultant focused on secure digital transformation and responsible automated machine learning. (cy@cybersecuritywarriors.city)

JUNE 2020 | PUBLIC MANAGEMENT | 33

mast3r/stock.adobe.com

CYBER

Continuity PLANNING BY DAWN THOMAS

34 | PUBLIC MANAGEMENT | JUNE 2020

Go BIG or Go Home LOCAL OFFICIALS AND EMERGENCY MANAGERS know that they, like national governments around the world, have been caught unprepared for how continuity of operations (COOP) really plays out during a pandemic. Some might take away tactical lessons, like the idea that staff should have access to Zoom or Microsoft Teams. But there is a larger lesson that addresses a fundamental lack of imagination necessary to be ready for the next emergency—an emergency that will be dangerous precisely because it is unexpected. This lesson particularly applies to the continuity planning necessary to keep local government functioning in the face of a wide-spread cyberattack. Specifically: It is dangerous to think small.

Let’s compare planning efforts to emergency management exercise efforts. There are many ways to exercise response plans. For the military, exercises often test the response of forces to a convergence of several incidents at once: a war…and a dust storm…and a solar flare… and so on They intentionally stress the system and the capabilities within it. Historically, emergency management exercises tended to be much humbler affairs, with local, state, regional, and federal stakeholders exercising their JUNE 2020 | PUBLIC MANAGEMENT | 35

existing capabilities. The objective was always, “How well can we do those things we think we can do?” There is value in this type of exercise. Performing them often highlights weaknesses in plans, organization, equipment, and/ or training. But they also lack something—a dark imagination that allows organizations to go beyond questions of “How well …?” and into the world of “Can we even…?” Craig Fugate shook up the “humble affair” exercise paradigm, first as the director of the Florida Division of Emergency Management, and then as the administrator of the Federal Emergency Management Agency. During his time at FEMA, Fugate made clear his desire to “go big or go home” with exercises, stressing the agency beyond its breaking point. He became known for the Thunderbolt exercise series, which portrayed several minor and catastrophic incidents at once. And he expected people to perform. FEMA exercised this approach during events like Cascadia Rising, a 2016 exercise with a scenario that featured a 9.0 magnitude earthquake followed by tsunamis and aftershocks that severely damaged Washington and Oregon. Fugate’s goal was to push the nation’s emergency management system to plan and prepare for risks that exceeded its existing capabilities, and to force his own organization and others to think creatively about how to address the gaps. This mentality is critical to planning in an uncertain world, one in which we can’t possibly envision all the threats, or the magnitude of their impacts. Pre-9/11, the average American didn’t imagine that a plane could

take down a skyscraper. And before the coronavirus, who could envision an environment in which we would work from home for months on end, with our pets and children as our questionable-at-best coworkers? Cyberattacks on local governments have not attracted the same level of public attention as 9/11 and COVID-19, but they share the same challenge of having to plan against an environment that was previously unimaginable. Before March 18, 2018, city leaders in Atlanta didn’t have plans that spoke specifically to an attacker using ransomware to close down their municipal courts or block access to user accounts for several city services. Baltimore didn’t plan for many of their city services to be out for over five weeks. And cities generally did not expect a cyberattack would take down their 911 systems, until it happened 42 times between 2016 and 2018.1 Continuity Planning 101

This “go big or go home” mentality has not yet been widely applied to continuity planning, which is the effort to continue mission essential functions despite an incident that affects capabilities. Instead, many jurisdictions have taken a “101” approach, covering the basics of continuity planning to adequately address manageable events like evacuating headquarters because of a gas leak. These basic planning processes have helped jurisdictions identify the mission essential functions that must be maintained no matter what the incident or event. Some organizations have tied essential functions to the facilities and people needed

36 | PUBLIC MANAGEMENT | JUNE 2020

to conduct those functions, and planned for ways of doing them from elsewhere. Many jurisdictions also identified clear lines of succession in case anyone in the leadership chain was no longer available. And many identified clear triggers and mechanisms for returning back to “normal.” The best continuity plans also had the following characteristics: • Relevant to location and organization. • Conscious of the threats that put communities at risk. • Scalable. • Broadly inclusive of all sectors: public, private, and non-governmental organizations. • Trained to and exercised so they could be implemented as intended. The problem is that the basic continuity planning approach—like the standard emergency management exercise approach—lacks imagination. It falls short not only in considering extreme impacts, but also in its basic assumptions about the environment in which the plans will be enacted. Recent examples of Continuity Planning 101 failures include the response to the COVID-19 pandemic and to many jurisdictions’ cyber incidents. Continuity During a Pandemic

Continuity Planning 101 assumes that we have enough equipment, supplies, and personnel to perform mission essential functions. However, as anyone who works in the medical field is well aware, the surge can easily overwhelm our supply of critical equipment and supplies. These shortages—including

things like personal protective equipment, ventilators, and pharmaceuticals—affect how our medical community can perform their mission essential functions. Government managers today are left scrambling to beg, borrow, steal, or invent their way into meeting the demand. Furthermore, throughout the spring and into summer, many industries may be faced with a lack of specific personnel to perform mission essential functions. The first round of absenteeism, due to school closures, illness, and taking care of sick family members, is already affecting localities and will continue to do so in the weeks to come. The World Economic Forum predicts a second round of high absenteeism three to six months after COVID-19’s initial impact due to employee burnout and mental and physical fatigue. Both types of absenteeism will impact our ability to complete mission essential functions. And jurisdictions lack the plans to mitigate this crisis because Continuity Planning 101 lacked the imagination to ask, “How would we do this in an environment with 20- to 30-percent fewer staff?” Continuity During a Cybersecurity Incident

Cyber incidents have likewise challenged basic continuity planning efforts. While many jurisdictions have equipment and strategies to identify, detect, and protect against cyberattacks, far fewer have worked through the hard realities of continuity of their operations through an actual attack. When cyberattacks do strike, many affected jurisdictions find that that their basic COOP plans don’t hold

up. While the plans are adequate for transitioning to an alternate work site, they have much less to offer when it comes to working without access to the systems and data staff need to perform their mission essential functions. Existing plans also lack the specificity needed to guide the response, and major stakeholders such as members of the IT staff are often not integrated into response structures. And plans are untested against an exercise or real-world incident.

information about the attack should be made public. Providing information to the public is critical because citizens worry about their data and the trustworthiness of key democratic systems such as voting and justice. 3 Reporting challenges— that can delay response, as outages aren’t reported in a consistent manner, leaving IT departments without the necessary common operational picture to quickly identify an attack. In addition, the lines

macrovector/stock.adobe.com

3 Communications— including how local managers will rapidly provide information to staff when a cyberattack has severely compromised communications. This includes both immediate communications explaining what to do when the attack begins and ongoing communications, such as how salaries will be provided by payday. Both are critical to response, and yet both may have to be relayed without the benefit of typical emergency

Traditional COOP plans fall short for continuity during cyber incidents in several ways: 3 Coordination— including who is involved in decision-making when it comes to ransomware, decisions to take systems offline, and decisions to activate the jurisdictional Emergency Operation Center. Additionally, most local governments do not have clear escalation levels for an attack, nor the associated action items for each level. Response leadership and staffing may also be unclear; the types of subject matter expertise needed to guide a community through a cyber incident are different from those needed for extreme weather.

communications systems.

3 Resource requirements—which may be very

different from those for a more traditional response. For example, staff might require clean computers, clean servers, local printers, and even fax machines and paper (yes, paper). Importantly, staffing requirements may surge even more during recovery than in response, as departments and agencies struggle to replicate missing or suspect data. 3 Public information challenges—including

public information officers with little to no training or experience in cybersecurity, a lack of pre-scripted messages, and disagreement on when

of reporting are often unclear, and few people outside of IT understand which systems are connected both within and external to the jurisdiction. 3 Investigation—which is a black box for many localities. The involvement of one or more federal organizations and the limits investigations place on remediation efforts are not well understood or planned for. This makes continuity planning extremely difficult, because there is uncertainty about how and when remediation can even begin. 3 The private sector— including cyber insurance companies, whose role is opaque to many local officials. Localities have not included

private-sector capabilities in their COOP plans, and don’t have a full picture of what area companies could be doing to support their jurisdiction during a cyberattack. COOP plans don’t include how cyber insurance companies can support a response. Nor do they cover the responsibilities the jurisdiction has to its private-sector partners in this type of incident. While basic COOP plans have furthered local preparedness for many of the threats that jurisdictions face, they fall short during situations that create an environment very different than the norm. As IT departments around the country continue to make systems and data as secure as possible, it is up to emergency managers to stretch their imaginations and plan for cyberattacks that seriously impact critical systems and data. And as COVID-19 has shown us, we need to be prepared for continuity during an extreme paradigm shift that stretches capabilities to the edge. Once this type of planning is completed, it is critical to document it in a COOP annex or within the base plan. It is then incumbent on the emergency management community to regularly train and exercise staff on the new plans so that they are truly prepared to “go big.”

DAWN THOMAS is the co-director of CNA’s Center for Emergency Management Operations, where she has been supporting homeland security planning, training, and exercises for 16 years. (Thomasdh@cna.org). ENDNOTE

https://www.nbcnews.com/news/ us-news/hackers-have-taken-downdozens-911-centers-why-it-so-n862206 1

JUNE 2020 | PUBLIC MANAGEMENT | 37

Cybersecurity Should Be Making Your ORGANIZATION More

AWESOME

BY BENJAMIN EDELEN

freebird7977/stock.adobe.com

How to get more interesting outcomes than simply reducing cyberattacks Local government cybersecurity programs are missing out on big opportunities to make their organizations more awesome. Security is generally seen as a necessary evilâ&#x20AC;&#x201D;spend a lot of money and impose frustrating limitations on everyone to prevent high-publicity data breaches, theft, and hacks. But our cybersecurity programs can do so much more to benefit the organization.

38 | PUBLIC MANAGEMENT | JUNE 2020

JUNE 2020 | PUBLIC MANAGEMENT | 39

Here are some suggestions (in order of effort) for government leaders to tweak their cybersecurity programs to get more interesting outcomes than simply reducing the frequency and damage of cyberattacks. Outcomes like increasing the likelihood that innovation and digital transformation initiatives will succeed, facilitating new lines of communication, and bringing fun and play into otherwise unpleasant topics are well within reach. Every government needs an established cybersecurity program. Depending on the size of your organization, your â&#x20AC;&#x153;security programâ&#x20AC;? could be a team of 20 or a quarter of the attention of your only IT person. If you lead an organization that does not have a security program, the first recommendation is to start one right away. Create a Respectful Environment for Reporting Security Problems

Your cybersecurity program should consider collaborating

with the IT service desk to create a culture of respect for people who report cybersecurity issues and mistakes. Employees are acting courageously when they contact the service desk to admit they clicked a link, replied to a scammer, or entered their credentials on an unsafe webpage. Employees who do this are living the values of their organization, and the information they provide is an essential input for your security program. If employees are shamed or ridiculed instead of being treated with respect, they are being trained to conceal security problems. At the city of Boulder, we set a standard that employees will never be ridiculed for making mistakes, that we show appreciation for employees who demonstrate courage, and that our only goal when people call us with cybersecurity issues is to help everyone recover gracefully. If you are not confident that security problems can be

40 | PUBLIC MANAGEMENT | JUNE 2020

reported in a safe, respectful environment, you should consider asking your security program leader to sit down with the IT service desk team to create a communication standard to address this. This work can be completed in a couple of hours and can result in a radical shift in trust between your IT service desk and employees. Your cybersecurity program can expand on this work by creating other reusable processes with the IT service desk team. Examples of important security processes to get right include handling requests to quickly purge phishing messages from the email system, vendor remote access requests, and requests for local administrator account privileges. High-Quality Communication and Training

Talking about cyber risk is unpleasant to many people. Nearly every organization is required to provide employees

with periodic cybersecurity training and notify employees of the kinds of dangerous messages that are showing up in their inbox. Security programs often take the path of least resistance by re-sending newsletters and asking staff to go through generic staff training modules. If a security program seeks to develop employees who can skillfully protect themselves at work and at home, those employees will have to be provided with high-quality educational material. Email updates, articles, and training that connect with people by incorporating humor, realworld examples, and inclusive language is essential. At the city of Boulder, we develop branding for our security and technology communications so they are consistent, trustworthy, and occasionally hilarious. We include watermarking in our emails so that employees know they are authentic. We know that this works because

German Skydiver/stock.adobe.com

when we forget to include the watermark employees let us know immediately! Our security and training programs collaborate to develop our own cybersecurity training for employees. We film video content for the trainings with a “super spy” theme. That makes our faces recognizable to employees we have never had the chance to meet. We try to make our trainings as playful as possible. In our most recent all-staff security training, we asked employees to consider what they would do if they found a USB key that had the words “puppy secrets” written on the side. “Puppy secrets” is now an inside joke that I have laughed about with people from every single department. Your security program should be having a positive influence on the culture of your organization. If you are not seeing these outcomes, here are some ideas on how you can set different expectations to help the security team improve. Consider asking your security program leader to develop a brand and find creative ways to use that brand to increase the quality of their communication and training. Employees should

receive engaging and relevant messages on subjects like recognizing phishing emails and password management. Employees should also be asked to take cybersecurity training on a regular basis, adding up to at least an hour or two of mandatory training per year. Training should incorporate humor, mixed media, and information about how people can protect themselves at work and at home. Otherwise employees will take the training by hitting the “next” button as rapidly as possible. Watch Your Organization’s Back So It Can Innovate and Digitally Transform

The COVID-19 pandemic has created major technology challenges for all governments. Everyone is scrambling to rapidly transition their employees to remote work, and to transform traditional in-person government services into digital services wherever possible. Many organizations are recognizing that these changes reflect the digital transformation initiatives that they have been working on for the last several years, now with a compressed timeline. These conditions have resulted in more cyberattacks

and a complex environment to protect. As a result, cybersecurity programs might attempt to use their influence to slow down transformation initiatives and ask that innovative ideas be deferred until a more stable time. This approach will result in a security program that does more damage to the organization than it prevents. Security programs leaders are encouraged to learn about their organization’s services and be ready to support those services in new ways. Cybersecurity exists to serve the business and operations of the organization, not to be performed for its own sake. To determine if your security strategy is aligned with the needs of your organization, meet with your security team and ask the following questions: • Have you taken the time to learn about how our departments operated before the pandemic? Do you have a plan for helping them safely present more of their services digitally? • How is the security program aligned with the organization’s vision and values? • Instead of buying more tools, are we taking full advantage of the security platforms in which we have already invested? • Have you worked with the attorney’s office to make sure our contracts include security standards for our vendors? • Have you worked with risk management to make sure we have adequate cybersecurity insurance coverage and we know how and when we will consider activating that coverage?

Government leaders can expect more from their cybersecurity programs than the reduction of cyberattacks. The ideas presented here are just a few examples of the benefits of a cybersecurity program that builds relationships, incorporates play, and is aligned with the whole organization. If you

We set a standard that employees will never be ridiculed for making mistakes, that we show appreciation for employees who demonstrate courage, and that our only goal when people call us with cybersecurity issues is to help everyone recover gracefully. keep these suggestions in mind, you will see a shift your people’s willingness to participate in a culture of protecting each other, and in your organization’s overall resilience. BENJAMIN EDELEN is the chief information security officer of the city of Boulder, Colorado. Benjamin’s program protects the city and through risk management, a people-first security culture, and by getting the basics right. Benjamin holds a bunch of professional certifications, actively presents at government and cybersecurity conferences, and is grateful for the opportunity to make a difference. (edelenb@ bouldercolorado.gov)

JUNE 2020 | PUBLIC MANAGEMENT | 41

Your IQ on

EMERGING TECHNOLOGIES

Mind the Gap Heed these considerations in your digital transformation efforts

stnazkul/stock.adobe.com

BY KEVIN C. DESOUZA

42 | PUBLIC MANAGEMENT | JUNE 2020

overnments’ information systems play an important role in the success of our communities and all trends point to the fact that our communities will increase their dependence on information systems going into the future. Technology is being deployed everywhere— projects for making cities smarter, predictive analytics to mine data for better decisionmaking, autonomous vehicles, and even collective intelligence platforms for cocreating solutions with residents. Yet, in recent times, we have witnessed several incidents that have demonstrated how communities can be brought to their knees due to those vary same information systems which are aimed to assist, not inhibit.

Four U.S. cities—Pensacola, Florida; St. Lucie, Florida; New Orleans, Louisiana; and Galt, California —were all the victims of cyberattacks throughout December 2019 and these attacks rendered their telephone, email, law enforcement, waste, energy, and payment systems inoperable. Often these attacks demand a ransom, and councils find themselves either paying the attackers or employing external cybersecurity and consulting firms to mitigate the situation and repair the damage. In the case of New Orleans, Deloitte was paid $140,000 to investigate the attack despite the city having a cybersecurity insurance policy that wound up covering a portion of the final cost of the attack. In a separate attack in Lake City, Florida, the council reluctantly paid $460,000 to cyberattackers after the entire council systems was shut down.1 In addition to IT being hacked and experiencing irrevocable damage, we have also seen other cases where information systems have been deployed in communities with unintended consequences and/ or pushback from stakeholders. In these cases, while the deployment may have been successful from a systems standpoint, the outcome of the deployments were very undesirable. In Detroit, a $9 million initiative, “Neighborhood RealTime Intelligence Program,” implemented facial recognition software and video surveillance cameras at 500 Detroit intersections. This initiative built on the previous “Project Green Light” Initiative, which installed 500 cameras outside of

businesses capable of recording and reporting real-time video footage to the police. The software boasted of an ability to match faces with 50 million drivers’ license photographs in the Michigan police database. However, recent research has shown that current facial recognition software more often misidentifies black faces than white faces.2 This technology has generated widespread public criticism as residents feel their privacy is compromised and awareness of the racial biases continues to increase. The problems of bias and unintended consequences have also been noted in the private sector healthcare system. For example, risk analysis programs from UnitedHealth Group were found to assign comparable risk scores to white patients and black patients even when the black patients were considerably sicker.3 While these risk-analysis algorithms can be useful in managing hospital resource efficiency, this algorithm predicts healthcare costs as risk rather than sickness. Therefore, an unintended consequence of this algorithm demonstrates that white patients are more likely to receive care management due to their comparable risk scores, essentially reinforcing a racial bias in health care. Finally, in the Kentucky judicial system, a risk-analysis algorithm was implemented to present a score predicting the risk a person would recommit a crime or skip court. The intended consequence was that the justice system would more fairly decide on whether to hold a defendant in jail before trial. Officials hoped to reduce

the number of people in jails, reducing prison expenses and presenting better circumstances to defendants. Unfortunately, the technology did not work as intended.4 Judges in rural counties—who generally had more white defendants—were more likely to grant release without bail than judges in urban counties—who generally had more minority defendants—as the rural judges more frequently overrode the algorithm’s recommendation. Furthermore, it was found that judges in urban areas more often overruled the default recommendation of waiving financial bond if the defendants were black. A New Reality

Throughout local government, information systems are being designed, developed, and deployed today quite differently from traditional transaction processing systems or even your traditional e-government systems. Today, systems being deployed incorporate machine learning algorithms— also referred to as artificial intelligence or AI—that learn on the job. They ingest large volumes of data, are trained to recognize latent pattens in the data, and generate recommendations (outputs). Seldom do these systems have the level of transparency or auditability when compared to traditional information systems due to their complexity and the nature of algorithms. Over the last year, I have spoken to more than three dozen managers who have oversight over communities (e.g., city managers, assistant city managers) and personnel

JUNE 2020 | PUBLIC MANAGEMENT | 43

concerning is the fact that these solutions will be connected to the systems that already exist in the current IT ecosystem raising the possibility of such alarming scenarios as cascading failures across networks. If things were not bad enough, my conversations with developers/builders of systems highlighted another

Critical Considerations

Acknowledging, appreciating, and closing the knowledge gaps between government administrators and system builders is key to ensuring that any digital transformation efforts, especially those involving AI or machine learning systems, are developed in a responsible manner.

being used to generate insights? How are these algorithms being trained to learn patterns from the data? How are the outputs of the algorithms being validated? Have the outcomes been validated on data that is representative of the community? What are the limitations of the algorithm? Is the software code open for inspection? Did the software

technologies that incorporate machine learning) and those that actually build these systems (e.g., IT professionals, data scientists). I was quite surprised to see the knowledge gaps in managers/administrators when it comes to understanding the nature of emerging technologies, especially those that are AI-inspired. Only a handful of local government managers understand the intricacies of current computational approaches. When asked to describe their level of knowledge on artificial intelligence or machine learning, most remarked it was “novice,” and many simply said they had no knowledge whatsoever. This is quite concerning given the fact that IT solutions that incorporate these computational approaches are being designed, developed, and implemented in many communities around the world. What is even more

fundamental knowledge gap: These personnel, while skilled in the technicalities of how to curate data, construct machine learning algorithms, and build data visualizations, often lack the necessary “public values” context. Put differently, they seldom appreciate what is unique about building systems for the public, with public resources, and those that can account for the nuances, diversity, richness, and complexity of the public these systems are intended to serve. Designing systems for the private sector—where one can focus on just improving one or two outcomes and can choose which segments of the marketplace to target—is easier than designing public sector systems that must serve the needs of the entire community. Moreover, public sector datasets are often much more messy, incomplete, and disconnected than in the private sector and this impacts the success of the system.

Toward this end, here are a series of points to ponder when involved in conversations in digital transformation efforts within your communities.

reuse code from prior efforts? If so, why, and if not, why? Who has access to manipulate and alter the algorithms and overall system code?

Nmedia/stock.adobe.com

responsible for building IT systems in communities (e.g., software engineers, programmers, data scientists). One focus of my conversations was to understand the knowledge gaps between managers/administrators who have to commission the design, development, acquisition, and implementation of information systems (especially emerging

44 | PUBLIC MANAGEMENT | JUNE 2020

For the Public Manager/ Administrator On data: What is the data

that is going to be used for the systems? Is the data free of biases? Is the data representative of the community? How secure are our data sources? What are the community’s expectations regarding privacy, security, and use of data? Do you have the necessary social licence to use the data in a manner that is different from what the information was originally collected for? Who will have access to data during the system building effort and why? Do you need to anonymize the data prior to sending it, or providing access, to external parties? On analytics and algorithms: What is the

collection of algorithms that are

On interpretation and insights: How should one

interpret the output of algorithms? What are the confidence levels associated with any outputs? How should personnel interact with system outputs? What happens if a resident disagrees with a judgment made by an algorithm? How should insights gathered from the use of the system be fed back to system designers so that revisions can be made? How should personnel be trained to use algorithmic outcomes to augment their interpretation of an issue? For the System Designer/Builder On data: How should we

handle data to ensure no violation of public values? What are the primary set of

metamorworks/stock.adobe.com

public values that need to be upheld (e.g., fairness, privacy)? How should conflicts among public values be resolved in terms of access to and use of data? What protocols are in place to protect the community from harm in case of data misuse, breaches, or security violations? On analytics and algorithms: How can we

ensure that the algorithms being designed account for outliers in the dataset? How can we involve residents in the design and testing of algorithms? How adaptable are the algorithms to ensure that they can deal with changing conditions in the internal and external environment of the community? How do we ensure that the system being built is financially viable from a maintenance perspective?

How do we ensure that the system is extensible ( i.e., can be extended with new functionality)? How do we build mechanisms to routinely audit the performance of the system? Under what conditions should system use be halted, and what is the backup approach to satisfy community needs? On interpretation and insights: How can we

ensure that the outputs of the algorithm are fair and who interprets its fairness? How can we ensure that there is some level of transparency, traceability, and “model explainability” for the outputs? When presenting outputs as visualizations, have we checked to ensure that we are not inadvertently reinforcing existing cultural and societal biases? How

do we collect and analyze feedback on the system as it is deployed? How do we share confidence levels in outputs in a meaningful manner to augment decisions made by humans? How do we share risks and limitations of using the system?

While not comprehensive, I hope these questions will help the two key stakeholders have meaningful conversations to close the knowledge gap and better cocreate nextgeneration information systems to make our communities more livable, just, sustainable, and resilient.

KEVIN C. DESOUZA is professor of business, technology and strategy; QUT Business School, Queensland University of Technology, Australia. He is a nonresident senior fellow in the Governance Studies Program at the Brookings Institution and a distinguished research fellow at the China Institute for Urban Governance at Shanghai Jiao Tong University. He is also a 2018–2019 ICMA Local Government Research Fellow (kevin.c.desouza@gmail.com).

ENDNOTES AND RESOURCES

https://www.nytimes. com/2019/06/27/us/lake-city-floridaransom-cyberattack.html 1

https://detroit.curbed. com/2019/7/8/20687045/projectgreen-light-detroit-facial-recognitiontechnology 3 https://www.govtech.com/health/ NY-Regulators-Probe-for-Racial-Bias-inHealth-Care-Algorithm.html 4 https://www.wired.com/story/ algorithms-shouldve-made-courts-morefair-what-went-wrong/

JUNE 2020 | PUBLIC MANAGEMENT | 45

The Workforces of State and Local Government

and the Public Health Sector COORDINATING TO ADDRESS TODAYâ&#x20AC;&#x2122;S GREATEST POPULATION HEALTH CHALLENGES

starlineart/stock.adobe.com, melita/stock.adobe.com

Over the past decade, there has been increased interest by many stakeholders in more closely aligning the efforts of general local governments with their local, regional, and state public health department counterparts. There are a variety of reasons for this, from weaving health considerations into all local policies to reducing duplication found within distinct budgets to the sharing of expertise across organizational silos, among others.

46 | PUBLIC MANAGEMENT | JUNE 2020

BY JOSHUA FRANZEL

JUNE 2020 | PUBLIC MANAGEMENT | 47

OTHER RESOURCES • Improving Quality of Life: The Effect of Aligning Local Service Delivery and Public Health Goals Paula Sanford and Joshua Franzel www.icma.org/improving-quality-of-life • Case Studies in Staff Sharing in Local Public Health Rivka Liss-Levinson and Gerald Young www.icma.org/slge-case-studies

• Gender: In 2017, 60 percent of the state and local workforce was female, while 40 percent was male. The public health workforce was 77 percent female and 21 percent male. The remaining two percent identified themselves as other or did not answer.3 • Race/Ethnicity: In 2017, the public health workforce was more diverse than the state and local sector overall. While 57 percent of the public health workforce was white, 67 percent of the state and local government workforce was white. Much of the increased diversity in the public health workforce comes from higher percentages of workers that listed themselves as Black/African American, Asian, and two or more races. • Age: The age distributions of both the public health workforce and state and local sector overall follow the same general distribution patterns, with the public health workforce skewing slightly older with an average age of 48, relative to 44 for state and local workers overall. • Educational Attainment: As one might expect given the knowledge-based roles of many state and local workers, the majority of all state and local workers (67 percent) and public health workers (81 percent) have completed some type of post-secondary education. This higher percentage for the public health workforce is likely a function of the specialized training, certifications, or degrees that are required by statute or organizational policy for many positions, such as epidemiologists, nurses, and health officers. • Salary: Similar to the age distribution, the salary distribution of both the state and local workforce overall and the public health workforce generally follow similar patterns, but the mid-range for public health is $55,000–$65,000, while it is $45,000–$55,000 for state and local government generally. This differentiation, in part, is linked to 14 percent of state and local workers making less than $25,000 (e.g., recreation workers, cafeteria workers, and facilities cleaners), relative to approximately 1 percent in the public health sector. In the summer of 2020, SLGE, with the support of DBF, and in coordination with ICMA, will be releasing the findings of a survey and case studies that explore how general local governments and public health departments are coordinating to address today’s greatest population health challenges, focusing especially on providing safe stable affordable housing, implementing healthy community design, and reducing substance misuse and prescription drug overdose. ENDNOTES AND RESOURCES

See: Workforce of the Future: Strategies to Manage Change [https://slge.org/assets/ uploads/2018/10/workforce-of-the-future-oct-2018.pdf] and Innovations in the Health and Human Services Workforce [https://slge.org/assets/uploads/2019/11/innovations-in-hhsworkforce.pdf] 2 https://www.slge.org/assets/uploads/2020/03/public-health-workforce.pdf 3 An ‘other’ or ‘did not answer’ option is not available for state and local workforce overall. 1

JOSHUA FRANZEL, PHD, is president and CEO of the Center for State and Local Government Excellence (jfranzel@slge.org). 48 | PUBLIC MANAGEMENT | JUNE 2020

bsd555/stock.adobe.com

For these efforts to succeed, one central challenge that public employers must address is the recruitment and retention of professionals with essential skill sets, a need that will continue to be particularly acute for those in public health roles as governments work to mitigate the short- and longer-term effects of the COVID-19 pandemic. With an eye toward implementing effective workforce development strategies,1 it is essential that the similarities and differences between the state and local public health sector and the state and local government workforce overall are known. To this end, in March 2020, with the support of the de Beaumont Foundation (DBF), the Center for State and Local Government Excellence (SLGE) released a firstof-its-kind study, “How Does the Public Health Workforce Compare with the Broader Public Sector?”2 As outlined in this report, in 2017, according to the Bureau of Labor Statistics (BLS), there were slightly less than 20 million state and local employees; 5.1 million at the state level, 14.4 million at the local level. While BLS projections will likely be impacted in the wake of the 2020 global public health crisis, state employment is expected to contract by 1.7 percent between 2018 and 2028, while local employment is expected to increase by 3.1 percent during this timeframe. In 2017, there were around one million public servants working as healthcare practitioners and in technical occupations and support roles, two groups projected to increase by approximately 5.5 percent between 2018 and 2028. While these health care occupations cover many public health positions, they also include others that are not in public health roles such as home health aides and massage therapists, while excluding others such as animal control and health educators. According to two leading state and local public health associations (ASTHO and NACCHO), there are 244,230 public professionals in core public health roles. To understand gender, race/ethnicity, age, educational attainment, and salary demographics of the public health and overall state and local workforce, data sets from BLS and the Public Health Workforce Interests and Needs Survey (PH WINS) were analyzed and compared. Below are some of the key, topline findings:

A DAY IN THE LIFE

Darwin Brandis/stock.adobe.com

A Day in the Life of a Fellow

ICMA’s Local Government Management Fellows give us an inside look on how they spend their days. Days for local government professionals can be very

different depending on the community you serve. While one day could be filled with committee meetings and handling residents’ issues, another day could be spent diving into longterm projects. The ICMA Local Government Management Fellows are upcoming leaders in the field who receive a firsthand look at how local government staff spend their workdays in and out of the office. The Local Government Management Fellowship is a career development opportunity designed to attract recent MPA/MPP graduates (or those from related programs) to be placed in full-time management-track local government positions. Since the program’s launch in 2004, Fellows have been serving in local governments across the country for 12- or 24-month fellowship appointments, during which they receive direct mentorship from a senior government leader at the organization. We caught up with four of our Fellows in our 2019–2020 cohort to learn about their typical day. Although they are not physically in their offices right now, they are teleworking and continuing their normal Fellow duties. Kirstin Hinds Freeport, Illinois

Kristin considers Freeport to be “ruralish” because it “offers a city feel with a walkable and artsy downtown, and just

outside the city are large farms and smaller, closeknit communities.” Kirstin explains, “I enjoy the artsy and homey feel of the city, as well as the pride community members take in being from the area.” Katharine Labrecque Lexington, Massachusetts

Katharine describes Lexington as “a quintessential New England community located in the greater Boston area.” Katharine calls Lexington a “very process-driven community; decisions are made only after public census and robust input.” She says she is given many opportunities to be part of large discussions where new ideas are welcome. Candice Rankin Fremont, California

Candice describes her community as “as the advanced manufacturing hub of Silicon Valley, Fremont is home to a diverse array of companies on the cutting edge of clean-tech, bio-med, auto-tech, and more. That industrial might is paired with beautiful landscapes and distinct neighborhood districts to create a community that is an all-around a great place to live, work, and play.” JUNE 2020 | PUBLIC MANAGEMENT | 49

Ashley Wooten Chamblee, Georgia

Ashley describes Chamblee as “a diverse urban community within the Atlanta perimeter that has seen tremendous growth within the past decade.” She notes that the city is known for its “international flair, industrial roots, and impeccable restaurant scene—especially along Buford Highway.”

8:30 AM Kirstin: I’m at my desk sifting through emails, listening to

voicemails, and prioritizing my to-dos for the day while sipping my homemade, average Folger’s coffee. Before I get sidetracked with more emails and daily tasks, I take time to return phone calls to Freeport residents living in the floodway who called asking for clarification on the various flood mitigation grants. Katharine: Walking in, I stop by my coworker’s desk to offer the highlights of the Select Board meeting held last night. “Did the vote on the Police Station design happen yet?” our public information officer asks, as the item has repeatedly been on the agenda for some time now. “No, not yet,” I sigh. A few minutes later, Jim, the Town Manager walks by and mutters halfjokingly, “I’ve only been gone from my office for a few hours. It’s like I never left.” Our Select Board meeting, like most meetings, adjourned at about 11:30 p.m. It’s safe to stay that our Monday meetings generally last about 5-6 hours. Nonetheless, after some brief chitter-chatter with my coworker, I head over to my desk, grab my coffee, and begin to review my inbox for emails that arrived overnight and confirm my schedule for the day. Candice: My commute ends with a short walk from the BART station, which helps to settle my mind for the day ahead. When I get into the office, I brew a cup of tea and review my calendar for the day. I make sure I’m prepped for any meetings, and then turn to address items on my to-do list. I often check in with the analysts in the office about projects we are collaborating on. Ashley: As a fellow, I rotate departments and work on special projects simultaneously. My cube is located in City Hall, but I am currently doing a rotation in the Public Works Department, where I have a temporary office space. For today, I’ll be starting my morning at City Hall. I go to the break room and put my “sticky bun” k-cup (a current favorite) in the Keurig and impatiently wait for my cup to fill. Then I go back to my desk, quickly grab my notepad and pen, and head to the conference room for the executive team meeting.

11:00 AM Kirstin: Once a week, our city manager leads a staff meeting in

which we discuss upcoming agenda items, our weekly projects, as well as successes and challenges. These meetings include the directors of community development, public works, and public utilities; the police and fire chiefs; the city clerk; and the city manager’s executive assistant. These meetings have been essential in exposing me to the intricacies of the different city 50 | PUBLIC MANAGEMENT | JUNE 2020

departments and in helping me learn about my coworker’s roles and responsibilities. Candice: When we are not working from home in response to a pandemic, I work in City Hall in the city manager’s office. I have rotated through different departments, including Public Works and Economic Development. In addition to these rotations, I participate in several projects at once across departments, so I am often away from my desk at meetings with stakeholders or preparing for and attending community events. By midmorning I have accomplished some tasks and start feeling productive. I might have a check-in meeting with the census outreach team or the Economic Development department which will help to set the goals for the week and keep everyone on the same page. Ashley: After my morning meeting, I head to my temporary home at Public Works. As a fellow, I rotate departments and work on special projects simultaneously. I make my way inside to get settled at my desk and check email. I review the notes the deputy city manager provided me on my project charters so I can make revisions that align with his additional requests. Since I work near one of the building entrances, I often hear PW staff coming in and out the building, and today is no different. I always enjoy when people stop by to say hello.

12:00 PM Candice: Lunch varies day to day. On my busiest days, I eat at my

desk to ensure I’m able to finish the work I need to. On a normal day I eat my lunch while reading a book (currently Range: Why Generalists Triumph in a Specialized World by David Epstein) in a communal space in the office, where I might be joined by a coworker or two. Katharine: I’m grateful that I work for an organization that encourages staff to take advantage of the lunch hour and to use it as a time to rest and recuperate! Sometimes I use the hour to walk or run on the bike path; other times, a coworker and I will have lunch at a restaurant in the town center. Once a month, we schedule a brown bag lunch for the entire office. We share updates, celebrate birthdays, or just enjoy each other’s company—it’s really an excuse to have cake! Ashley: I get a text from a friend I’m having lunch with letting me know they are ready to meet for lunch. I typically eat lunch by myself, especially now that I’m in the PW building. It is nice because it’s a brief second for me to get some “me time” and collect my thoughts before I continue the second half of the day. But today I’m looking forward to grabbing lunch with friends so we can catch up because it’s been a while.

1:00 PM Katharine: What’s exciting about my position is that at any one

time I may be working on three to four different projects! One hour I am working with a committee that I support, preparing the agenda for their next meeting. Thirty minutes later, I get a call from a resident reporting that their trash wasn’t picked up. After making a call into our waste management company, I am scrambling to prepare a salary study for contracts negotiations with our Public Works union tomorrow. I really love the

variety; it keeps me on my toes and continues to motivate me Candice: As a Fellow, I am exposed to all kinds of projects. I throughout the day. have been able to lead grant applications and support outreach Kirstin: Once a month, I meet with my Census Complete efforts. My favorite work involves applying policy analysis to Count (CCC) committee, made up of 24 nonprofit leaders objectively determine the best policies to address new challenges. and community activists, all committed to getting an accurate I enjoy projects that bring together several departments to best census count. Working as the CCC chair and census grant serve the community. manager has required a lot of outreach, meetings, and delivery Ashley: Once I get to my desk in City Hall, I decide to of flyers and promo items with local organizations. If I’m not switch gears and work on one of my “special projects” that isn’t in the office clacking away at my computer with my essential public works related. So, I pull up Visio to continue working oil diffuser keeping me awake, I’m out on flow charts because it’s enough screen meeting with the director of the Freeport movement to help me make it through Public Library or the Greater Freeport the afternoon. These meetings Partnership, or another area business 5:00 PM or nonprofit. have been essential Candice: In the afternoon I might Kirstin: Some days I’m out of the door in exposing me to participate in a business visit. These at 5:00 p.m. on the dot; other days visits consist of economic development I’m working late to meet a deadline or the intricacies of staff, city councilmembers, Chamber just to feel caught up. Either way, I feel the different city of Commerce staff, and members of accomplished and excited for the next the Economic Development Advisory day. There are days where I feel stressed departments and in Council who meet with business leaders and tired, but I ultimately love working in helping me learn about onsite. These meetings allow for the local government and know that the little businesses to better understand what bit of stress is worth it! my coworker’s roles services the city and chamber provide; Katharine: More often than not, I and responsibilities.” and for us it helps to build relationships leave the office every afternoon feeling and better understand the needs of our accomplished. I truly have great mentors — Kirstin Hinds local businesses. The best part of these and coworkers that support me and visits are the tours, which might include encourage me in my role. Occasionally I seeing a solar panel test field, multi-million-dollar lasers, or do feel stressed, where I find myself losing sleep over a project state-of-the-art building automation devices. deadline or an email that I have to send, but I think that’s part of the job. Ultimately, this is the career I want, and it may mean 3:00 PM long evening meetings, responding to elected officials when you Kirstin: I manage a number of grants for two fundamentally want to be spending time with your family, or responding to a different projects: flood mitigation and the 2020 Census. public health emergency. However, that level of dedication and The flood mitigation grants and projects require me to work responsiveness underscores our commitment to the residents with the city’s community development and public works that we serve. After all, we are public servants. departments; county, state, and federal emergency management Candice: By the end of the day I usually feel like I have made agencies; and residents who have been affected by continuous some progress, while also knowing I will have a full to-do list the flooding for years. The census project has involved creating next day! Generally, I have overarching projects that take several partnerships throughout the city to help spread the word weeks or even months to complete, while having small tasks about the census, especially to individuals who are typically come up day to day that may take priority or adjust my longunderrepresented. Outside of these projects, I was encouraged term projects. One of the great things about working in local to join ICMA’s Emerging Leadership Development Program government is that it’s so dynamic. It keeps every day interesting. and a local year-long Leadership Institute course to help build Ashley: Late afternoons and evenings are usually a great time my skills as a leader. for me to catch up with my managers if they are free. I usually Katharine: I tend to schedule a lot of meetings in the stop by and ask them how things are going and catch them up on afternoon. This works best for me because I am able to get my latest projects. Today the city council has their business through my emails and the more routine tasks, but it generally session at 6:00 p.m., so I’ll be walking over to the city’s civic involves getting out of the office and driving to one of the many center to attend the meeting. Long days like this are challenging, municipal buildings, such as the community center, the public but I appreciate them because I know they are preparing me for a works facility, or the library. It’s also a chance to see staff and career in city management. department heads in their element. My immediate supervisor is the deputy town manager. She oversees all my projects and Want to learn more about the LGMF program? Go to professional development and ensures that I am well supported icma.org/local-government-management-fellowship. The next round as we meet weekly. of applications will open in September 2020. JUNE 2020 | PUBLIC MANAGEMENT | 51

Human Resources

MARKETPLACE | professional services

Roger L. Kemp MPA, MBA, PhD ~ National Speaker ~

PUBLIC SAFETY & HUMAN RESOURCE CONSULTANTS

Dr. Kemp provides national professional speaking services on current government topics. Some of these topics include state-of-the-art practices in the following dynamic and evolving fields: - America’s Infrastructure

- Model Government Charters

- Budgets and Politics

- Municipal Enterprise Funds

- Cities and The Arts

- Police-Community Relations

- Economic Development

- Privatization

- Financial Management

- Elected Officials and Management Staff

- Forms of Local Government

- Strategic Planning

- Immigrant Services

- Town-Gown Relations

- Main Street Renewal

- Working with Unions

Roger Kemp’s background and professional skills are highlighted on his website. Dr. Kemp was a city manager in politically, economically, socially, and ethnically diverse communities.

• Fire/EMS/Police Department Audits • Consolidation Studies • Compensation & Benefit Analysis • Human Resource Audits • Employee Handbooks • Executive Recruitment • Nationwide Experience

He has written and edited books on these subjects, and can speak on them with knowledge of the national best practices in each field. Call or e-mail Roger for more information. Dr. Roger L. Kemp 421 Brownstone Ridge, Meriden, CT 06451 Phone: (203) 686-0281 • Email: rlkbsr@snet.net www.rogerkemp.org

(815) 728-9111

mcgrathconsulting.com

Human Resources & Compensation Consulting Contact us today for comprehensive solutions that are transparent, sustainable, and easy to maintain. To learn more, visit www.ajg.com/compensation or contact: Ronnie Charles | 651.234.0848 Ronnie_Charles@ajg.com Mike Verdoorn | 651.234.0845 Mike_Verdoorn@ajg.com

GovHRusa.com 847-380-3240 info@govhrusa.com info@govtempsusa.com

Sign up for our Job Board at GovHRjobs.com Executive Recruiting  Interim Staffing Human Resource Consulting  Management Consulting

Solutions for People Who Pay People.



Professional Development  Class & Comp Studies  

Government Consulting/Administration

Consultants To Management

• Organization and Management Studies • Executive Search • Utility Studies • Compensation and Classification Studies • Privatization • Strategic Planning 5579B Chamblee Dunwoody Road #511 5579B Chamblee Dunwoody Rd. Atlanta, Georgia #511 Atlanta, GA30338 30338 770.551.0403 770.551.0403 • Fax 770.339.9749 Fax 770.339.9749 E-mail: mercer@mindspring.com email: mercer@mindspring.com

Performance Evaluation System 

Cordova Place #726 5511000 W. Cordova Road #726 SantaFe, Fe,New New Mexico 87505 Santa Mexico 87505 505.466.9500 505.466.9500 • Fax 505.466.1274 Fax 505.466.1274 E-mail: jmercer@mercergroupinc.com email: mercer@mindspring.com

ICMA CAREER GUIDES ICMA’s Career Guides are local government professional toolkits to help you thrive, from finding a position to succeeding as a first-time manager, or how to break into the profession from another field, and preparing the next generation through internships and Fellowships.

icma.org/careerguides

Pinpointing Workable Solutions from 18 Offices Nationwide

To advertise, contact Tilman Gerald, The Townsend Group, Inc., 202/367-2497, or tgerald@townsend-group.com 52 | PUBLIC MANAGEMENT | JUNE 2020

Public sector workers make a career out of serving others.

Weâ&#x20AC;&#x2122;ve made a career out of serving them. People who dedicate their lives to serving others deserve an organization that dedicates itself exclusively to them. For over forty years, weâ&#x20AC;&#x2122;ve met the challenge to help public sector workers realize their retirement dreams.

icmarc.org/info AC: 44882-1115-7938

PM Magazine, June 2020

Articles inside

Cybersecurity Should Be Making Your Organization More Awesome