Applying innovation to federal agencies’ processes is much more than simply buying the latest technology – it takes an understanding of the government ecosystem, an A-to-Z plan, an emphasis on security, and leadership, to name just a few factors identified by Luke McCormack, the CIO at the Department of Homeland Security.

Speaking at the Brocade Federal Forum last month, McCormack walked the audience through a list of criteria for changing how the government purchases and uses IT. The first step, he said, is to understand what people need to do their jobs. And more than that, understanding the entire workflow from beginning to end. The next step is to invest the time up front, during the planning process, to make the technology simple and intuitive to use.

“We can call sing together but not all talk [at once],” McCormack said, explaining the need for one leader to be assigned on a project, then held accountable for the project’s performance and results. That leader must be empowered to bring in an experienced team to help meet the project’s goals, he said.

Building the technology solution should incorporate agile and iterative practices, McCormack said, to improve and streamline its development and implementation. Just as important, the agency should look to structure its budgets and contracts to support the delivery of a solution that meets its requirements.

As for choosing the technology itself, “Choose a modern technology stack,” McCormack said. “That’s the Lego blocks … They may work well when you bring them in, [but] over time they may not.” Using this building-block approach will make it easier in future to update and upgrade, or even to overhaul the whole thing and salvage pieces that can be re-used.

McCormack said selecting open source should be the default decision. “It’s here … We’re doing a lot of [interagency] work on this … It’s crowdsourced and pressure tested.”

Look to automate testing and deployments. “When you can get to the point you can actually do this, it’s incredible what you can deliver,” McCormack said. “You need all the other parts of the ecosystem, but the power is incredible … [We’ve] gone from years to months to weeks to deliver capability.”

Security and privacy must be managed through reusable processes. “It’s important that we continue to engineer these right into the processes,” McCormack said. He echoed Federal CIO Tony Scott’s earlier speech that called for the end of passwords. Two-factor identification, then moving to derived credentials, “and then we start working our way up the stack,” he said.

Data should be used to drive decisions, he suggested. “It’s about instrumentation … Where is the problem? What is the user behavior? What is the latency? All those things.”

If the goal is to innovate – investing millions of dollars to acquire new technology, overhaul processes and procedures, even retrain employees – don’t overlook the physical space. “The physical environment matters. When you tear the walls down, magic happens … there’s flow, air, space,” McCormack said.

The final consideration, though it’s an overarching one, is having “just enough governance,” he said. “We learned over time that we needed good governance.”

That does not mean existing governance doesn’t need an overhaul – it does. After changing processes, system architecture, physical architecture, setting out costs and schedules and performance requirements, creating a new ecosystem that workers need to adjust to, it makes sense that governance should be addressed, he said. “Some of the traditional governance was well intended; [it] was put in place to lower risk. But if governance doesn’t line up with this new way of doing business, it actually increases risk … We’re working through that now to make sure we have just enough.”