Audit: County tech section deeply flawed
An independent analysis of the beleaguered Mesa County Information Technology Department indicates it suffers from a lack of funding and leadership, a significant shortage of staffing and gap in employee skills, and aging infrastructure — black marks that have eroded the department’s credibility and contributed to a massive security breach last year.
The review, performed last month by Bellevue, Wash.-based consultant Pacific Technologies Inc., paints the department as a rudderless, reactive one that is constantly putting out fires and devoting little or no resources to strategic planning or future investments.
“In recent years, the County’s IT department has suffered from a loss of credibility — primarily stemming from a major information security breach in 2010, but exacerbated by occasional unplanned system outages, poor communication with other departments, a lack of business application support staff, and frequently shifting priorities,” the introduction to the analysis reads.
In an interview this week, Interim County Administrator Tom Papin credited IT staff with holding the department together in spite of the assortment of problems. But he acknowledged employees have been “drinking from the fire hose without the county having in place a strong vision or direction of where we’re heading with IT services.”
County leaders are now in the process of implementing a number of recommendations made by Pacific Technologies, including hiring a department director, filling IT positions left vacant because of budget cuts, and appointing an oversight team consisting of department heads who rely on IT’s services the most to help coordinate projects.
IT co-managers Troy Flick and Rick Corsi said they understood the department’s weaknesses prior to the initiation of the study and that it contained no surprises.
“We were really pleased with the results and the recommendations,” Flick said. “We’re looking forward to implementing all of the recommendations that will be approved.”
The county commissioned the study after a longtime IT employee mistakenly posted thousands of sensitive records to an unsecured county website in the spring of 2010 as part of an effort to integrate computer databases among Grand Valley law-enforcement agencies. The files, which dated back 20 years, included personal information about Sheriff’s Department employees, names of confidential informants, and emails about crime victims and homicide investigations.
The blunder wasn’t discovered until last fall, and county officials remain unclear about how many people obtained the information and what was done with it. The employee who inadvertently posted the information no longer works for the county.
Pacific Technologies indicated in its report that the breach was caused by a combination of “critical IT skill gaps and unprofessional behavior by a few IT personnel.”
The consulting firm identified a number of departmental strengths. It credited employees with: responding quickly to basic service requests; providing strong support for functions such as geographic information systems and document and electronic-records management; forming positive relationships with some users; maintaining technical expertise in some areas, such as the county’s website; and taking steps to alleviate recent security and outage issues.
But the number of weaknesses and areas of improvement identified in the analysis were more than double the strengths. Some of the most notable points include:
Lack of executive leadership and long-term IT strategy
Without a director or structure to guide IT investment and policy decisions, major IT decisions are made on a makeshift basis by individual department managers with inadequate or limited analysis. The absence of a director means the county lacks a champion for technology at the executive level, according to the report.
The IT Department hasn’t had a director since Tim Ryan left in 2008. After his departure, then-County Administrator Jon Peacock assigned Assistant County Administrator Stefani Conley to oversee the IT Department, although Conley had no experience managing IT operations. Conley resigned earlier this month to, as she said, pursue other job opportunities.
Commissioner Janet Rowland said while Conley was a capable manager, she also was overseeing human resources and didn’t have much time to devote to IT. Rowland said that meant nobody was lending a long-range perspective to the department.
“There are a lot of people in our (IT) department who are experts in certain aspects of IT, but there was no one with the 30,000-foot view,” she said.
Inadequate funding of IT operations and maintenance
Pacific Technologies compared Mesa County’s IT operations and maintenance spending per citizen and workstation with five of its recent county clients and found Mesa County ranked last in spending per workstation and next-to-last in spending per citizen.
The study found the county spends $3.4 million — just 2.5 percent of its total operations and maintenance expenditures — on technology operations and maintenance, which is at the bottom end of the consultant’s target range.
The 17 full-time positions dedicated to IT operations and maintenance, which is 1.8 percent of total countywide staff, also is below Pacific Technologies’ target range.
“Current spending levels limit the availability of IT support personnel, hinder investment in necessary IT equipment (particularly servers) and encourage suboptimal short-term solutions,” the analysis says.
IT skill gaps in numerous areas
A skills survey conducted by Pacific Technologies identified a lack of advanced capability in critical infrastructure-support areas, including information, network and video security, and mobile network access. No employees performed above an intermediate level on a selected skills analysis. In addition, the report found there is no staff training and no mentoring or supervisor training for IT managers.
“Ultimately, IT skill gaps and inadequate workforce planning diminish business user productivity and impact delivery of county services,” the report says.
Unplanned outages, aging infrastructure
The analysis found there have been eight unplanned, countywide system outages since the beginning of 2009, impacting email, voice mail and shared-drive access. The outages were caused by drive failure, system freeze, power supply failure and flawed implementation of a planned period of downtime.
The report said the outages raise questions about the security and reliability of the county’s technology, diminish IT’s credibility and may reduce citizen confidence in government services.
Pacific Technologies also noted 64 percent of the county’s servers and 38 percent of its workstations are aging or out-of-date. Half of the county’s operating systems no longer have vendor support or will lose vendor support in 2013.
RESPONSE TO RECOMMENDATIONS
While the county is moving to hire additional IT employees, county officials say they are not exceeding budgeted expenditures.
Money for the IT director position will come from the planning and economic development director post that’s been vacant since Kurt Larsen was laid off in March, Papin said. The application period ends July 8, and the appointment of a director will be the first major task undertaken by incoming County Administrator Chantal Unfug.
The county intends to hire an IT operations administrator, a reclassified position. County officials may also consider outsourcing some IT functions to the private sector.