White Paper

Classified Work and the Modern

IT Organization
How to build IT efficiencies into classified areas

1
A Knowledge-Driven Consulting® White Paper
© 2010 Hitachi Consulting Corporation
Contents

Introduction .................................................................................................. 3

Staffing -- Using a Matrix to Manage Skills and Knowledge ................... 3

Closed-area Matrixes: Greater Complexity, Greater Rewards ................ 4

Governance and the Open-area Bias ........................................................ 5

Communicating Governance Value to Closed-area Leadership ............ 6

Why Common Processes Matter in Closed Areas ................................... 6

Open Areas as an Application Development Proving Ground ............... 7

Security-conscious Development in Open Areas .................................... 7

Closed-area Testing Results ...................................................................... 8

Conclusion ................................................................................................... 8

Author Bios .................................................................................................. 8

About Hitachi Consulting Corporation ...................................................... 9

About Hitachi, Ltd. ....................................................................................... 9

2
Introduction
Aerospace & Defense (A&D) companies exist in two worlds, open and closed,
unclassified and classified. For IT organizations tasked with supporting both
areas, the seemingly minor differences can be the source of huge challenges.
There are additional complexities involved in providing closed areas with the
level of support and the technical tools they need – a feat that open areas take
for granted.

Competitive companies require robust, increasingly networked suites of tools

and applications. Unfortunately, the move toward unified enterprise-wide
application suites can be at odds with the nature of classified areas, where strict
network isolation is an important security measure. The isolation of classified
areas can limit adoption of project governance processes and tools. Other
security requirements prompt lengthy testing and approval processes for any
application or tool to be deployed in a closed area. Classified programs require
“cleared” people for support, offer limited clearance slots, share knowledge on a
need-to-know basis, and maintain isolated information networks. Each of these
requirements creates a hurdle for IT as it supports classified programs and
adversely impacts the ability to share information across the business.

This might mean that many classified programs employ outdated information
systems as compared to their unclassified counterparts. They may receive
minimal IT support, employ non-standard processes, or use a large variety of
unsupported software and hardware. These programs remain loosely governed
from an IT perspective, and, as we look to future advancements in information
technology, the divergence between classified and unclassified programs may
worsen. The goal for IT should be to provide classified areas with the same level
of agile, responsive support that unclassified areas take for granted. Smart
companies can build upon their experience with open areas to create
responsive, closed-area-friendly IT organizations. In this paper, we‟ll discuss
ways to leverage open-area IT efficiencies in closed areas, focusing on staffing,
governance and application development.

Staffing -- Using a Matrix to Manage Skills and

Knowledge
Positioning resources with the right skills, in the right place, at the right time is an
ongoing issue for many companies. Strong skill sets are in high demand and
organizations that lack the ability to
effectively forecast resource demand find
themselves faced with a huge competitive
disadvantage. One common issue these
companies face comes from having
individual resources that are the only
sources of knowledge for specific
applications. In this scenario, both the
company and the resource are at a
disadvantage – the resource cannot move
on to different work, and the company
cannot flexibly deploy the resource based
on need. Fortunately, there is an effective
tool for reducing this problem: the staffing
matrix.

By implementing a resource infrastructure

matrix of skills and availability, IT
organizations are able to employ human capital management techniques to
balance supply and demand. A matrix with staffing data points provides a holistic
view of an organization‟s resources. This tool helps organizations cross-train

3
their people on multiple projects and technology, eliminating the single-resource
issue mentioned above. IT organizations can reduce and eliminate the downtime
that occurs when resources are individually siloed into applications or programs.
This leads to lower operating margins and an improved balance of skills and
abilities.

With a resource matrix, the IT organization is able to instead resource load

based on historical need and future strategy by selecting from a pool of
resources cross-pollinated by technical skill, solution knowledge and current
work load. In addition to the clear cost benefits, - it also affords the IT resources
an opportunity for continual learning and career growth as their skill sets widen.
This can, in turn, lead to lower turnover which allows an IT Organization to grow
rich in solution knowledge while avoiding productivity dips.

Closed-area Matrixes: Greater Complexity, Greater

Rewards
Classified areas face constraints similar to those of typical IT organizations, but
they also face additional hurdles: required clearance levels and program slot
availability. These areas often
experience the need for rapid
development and maintenance of IT
systems, yet are stymied by a lack of
resources that have the technical skill,
the solution knowledge, the bandwidth
and the clearance. By adding a fourth
dimension – required clearance level -
- to the established matrix model,
classified areas are able to achieve
shorter solution cycle times, faster
productivity gains and mitigation of the
“single point of failure” risk.
Simply staffing all technical resources
with clearances is not the answer, as
the programs face an inability to
accurately forecast the amount of IT
demand. This leaves resources either
bored or overloaded – a hazard in either respect. An improved way is to create a
true IT organization matrix model across a larger business unit that is able to
address the needs of multiple programs or process areas within a classified
environment.
To implement this matrix model in a classified area, the IT organizations involved
in supporting the mission area or other business process area would need to:
1. Disposition the existing systems and solutions by technology and then
by required clearance level across the entire organization. This includes
software, hardware, applications and networks. The clearance level
indicated would need to be at the lowest level needed in order to
support all aspects of the IT solution, while meeting the clearance
requirements of the program.
2. Assess, once a clear landscape has been established, a current state
of qualified IT resources. This current state assessment will establish
the relative skill sets and solution expertise of the IT resources that
exist.
3. Develop a gap analysis. Armed with what you need and what you have,
a gap analysis is easily developed. This gap analysis will create the
following actionable data points:
• Are there gaps in technology skill sets?

4
 • Can the technical skills be filled through additional training
or does it require a specialized resource?
• Are the IT resources sufficiently cleared?
• What knowledge gaps exist and how can they be addressed
(i.e. knowledge transfer, one-time system documentation,
etc.)?
Once the initial analysis is complete it may become clear that the amount of work
necessary to stand up a well-staffed, matrixed team is actually not quite as
daunting as it may first seem. Oftentimes, once the IT landscape is understood
at a macro level it becomes clear that with some relatively minor adjustments to
roles and responsibilities, and training, the organization is ready. Most of the
resources needed may already be present, and staffing the remaining slots is
easier if some pieces are already in place. Development of necessary training
and creation of a knowledge repository are largely complementary efforts.
Companies can also build a “buddy system” to ensure at least two resources are
capable of working on any single solution or technology – this should be
developed in parallel with identifying initial resources. While the initial effort
associated with closing the gaps and readying the resources requires an initial
investment in time and money, properly executed, the return would be fairly rapid
and substantial.
One final – but critical – component of the closed matrix staffing model is
defining and maintaining the necessary staffing thresholds for knowledge, skills,
and clearance levels. A knowledge, skill set, or clearance level typically takes a
certain amount of time for a new resource to acquire. Based on the time needed
for requirements that are part of the closed-staffing matrix (including both the
time required to learn the skill or gain the clearance, and the typical time to hire a
new resource if needed), organizations may establish threshold levels of staffing.
If their available resource pool hits the identified minimum number of Top Secret-
cleared employees, that company knows there is a need to bring on additional
resources. If the pool drops below the threshold, that company knows they are at
risk of being unable to staff upcoming programs. Smart long-term forecasting is
essential for effectively managing staffing, particularly when it comes to cleared
resources.

Governance and the Open-Area Bias

Implementing common processes can provide a variety of benefits to an
organization. Every common process already known by a new team member is
an item that does not have to be taught. From time reporting to training access to
knowledge sharing applications, this translates directly into less ramp-up time
and a quicker move to expected productivity levels. The limited slots available for
most closed area work can make transitioning resources considerably more
difficult than in open areas, but shared processes substantially cut down on the
effort and time needed for an effective transition. Maintaining consistent
processes across all programs – closed and open – can also improve reporting
efficiencies by standardizing metrics, improve cross-program communication,
and allow for tool standardization based on the process in question.
Unfortunately, closed areas are often lost in the shuffle to deploy these new
processes.

When rolling out new governance processes, companies can forget that
unclassified areas are fundamentally more accessible than their classified
siblings. In unclassified areas it is generally more convenient to communicate
with many employees at once than it is in any classified area. Company
leadership may decide – deliberately or not – that the bang-for-buck ratio is too
low for it to be worth engaging some smaller closed areas. Leaders find it easier
to enforce governance processes in open locations, as oversight is simplified
thanks to more flexible security and the corresponding ease in access.

5
Communicating Governance Value to Closed-area
Leadership
Small closed-area projects may not have clearance slots available for direct
access from those groups requesting process changes and compliance.
Although the message of new processes may reach the closed areas, there is
often little oversight regarding process implementation and few consequences
for not deploying the process. On the surface, there is little incentive for closed-
area leaders to add to their workload and push process adoption on the other
closed-area employees. Corporate leadership needs to ensure that the benefits
of standardized processes and tools – improved ramp-up time for new
resources, decreased expenditure on niche tools, improved compatibility across
the enterprise, etc. – are not lost on the people who run closed areas.

By granting lenience for closed-area process adoption, leadership may

inadvertently offer tacit approval of this behavior. Senior leaders need to help the
local leaders in closed areas understand the value of implementing standardized
governance processes. Changes that may seem arbitrary – particularly to
closed-area employees who may have reduced access to corporate
communication – are typically driven by real business needs and can provide
measurable value when implemented. Because classified programs are often
followers to their unclassified counterparts in the implementation of governed
processes, companies have real-world examples available to show program
management the value of implementing those processes. The ability to gather
standardized metrics based on common governance standards, for example, can
provide executives with an accurate dashboard view that allows for improved
resource allocation. It may not be apparent to local leadership and closed-area
workers, but the value of such a change is very real.

Why Common Processes Matter in Closed Areas

When dealing with disparate closed areas, a counter-intuitive „quick hit‟ for most
large A&D companies is to develop and define processes specific to closed
areas, even if these processes do not exactly match those used in open areas.
Expectations should be set against achievable process change. While it may be
desirable, dictating an enterprise change to one set of common processes may
be logistically impossible.

The reality for many companies is that there are as many independent
governance processes as there are closed areas. The best way to start changing
this is to sync processes wherever possible, shrinking the overall number of
different process groups until only one group remains. Moving immediately from
the current state to a model where open and closed programs share the same
processes may be too much of a jump for some organizations, but companies
can gain traction by standardizing all closed-areas processes as much as
possible.

A company with only two process trees – open and closed – will find this much
easier to manage than independent processes for individual closed areas. This
represents an important step on the path to enterprise-wide unified common
processes positions, as it positions the company to unify all processes in the
near future. A single set of closed processes – even if different than in open
areas – is much easier to administer and monitor than independent processes
for each closed area.

6
Open Areas as an Application Development Proving
Ground
Application development is a complicated endeavor when security requirements
are not a concern. Is it any wonder that application development for closed areas
consistently lags behind open areas in speed and capability? As companies
continue to embrace enterprise suites of applications they face an ever-
increasing need for effective closed-area development. A starting point for
improved closed-area development is to more effectively leverage open-area
Proofs-of-Concept (POC) and proven tools.

Isolated systems typically only get one shot at deployment and will then move to
a sustaining mode, and the sustaining mode for isolated systems means
repairing bugs/issues becomes exponentially more difficult. The use of well-
tested tools is a significant time/cost saver. To that end, building a POC in the
unclassified world utilizing tools common to the unclassified business gives the
business experts a concrete example of the technology. Since most business
professionals are not familiar with the full range of capabilities of the tool
infrastructure, this becomes an excellent opportunity to validate potential
solutions to the issues identified during the requirements discussions. Typically
the first few releases of any application always have some need for
improvements. A business that works out those issues first and then deploys to
classified areas will avoid the difficulties associated with version upgrades in a
closed area.

Open-area POC development also benefits from the ability to more effectively
embed technical experts with business experts. The earlier this happens the
better developers will understand business requirements, and this gets the
product closer to meeting all business needs. An application that does a poor job
of meeting business requirements in open areas is a poor candidate for
conversion to closed areas, so effective use of POCs can have a significant
positive effect on any development effort.

By creating a successful technology solution for one customer, many customers

gain confidence in your solution. They have proof that the claims and the POC
were correct. While these specific, proven solutions can be further tailored to
specific programs, many of the classified programs can probably take it with
minimal modification – especially if it addresses core business functionality.

Security-conscious Development in Open Areas

How applications and tools are developed, deployed and retired can significantly
contribute to overall corporate health. To achieve economies of scale, a large
company may attempt an enterprise-wide consolidation and standardization of
applications and tools. When it works, such a move can pay dividends by
decreasing maintenance costs, improving collaborative capabilities, and
simplifying related processes. However, completing an effort like this across
independent closed areas is anything but simple.

The biggest issue consistently faced when rolling out a new application or tool to
closed areas is security. New systems have to be tested and vetted on a level
that is not required in open areas and, when tools are initially created for open
use, the designers rarely build them with closed-area security in mind. This
means that a tool that works perfectly in open areas may require revisions to
enhance its security capability before it can be deployed in closed areas. During
the POC, the solution‟s ability to maintain a secure environment in the
unclassified world can be tried and tested. This provides a great starting point for
the enhanced security closed areas may require. It also serves to put program
management and the customer at ease as they discuss implementing the
solution.

7
Since many enterprise applications have their roots in open-area development
efforts, smart companies will track their anticipated enterprise needs well ahead
of the start of development. When building a potential enterprise system,
providing additional up-front funding for enhanced security development for
classified programs can reduce future development spending. This allows
designers to build the solution with enhanced security inherent in the design
(versus an add-on security capability inserted post-deployment). This has the
benefit of enabling faster roll-out to closed areas, which in turn can allow faster
retirement of legacy systems. It also allows a more consistent spend level for the
life the project, simplifying related budgeting. Baking the cost of additional up-
front development can be a difficult pill to swallow, but the investment pays off by
avoiding a haphazard development lifecycle and inconsistent requirements and
resources needs.

Closed-Area Testing Results

One final process improvement that can pay quick dividends is enterprise-wide
standardization of application security testing/compliance for internal closed-area
deployments. Some companies – particularly larger ones that have expanded
through significant mergers – have closed areas that do not honor the test
results of closed areas operating on different programs or for different business
units. As a result, an application that is tested and approved for deployment at
closed areas in one business unit may have to undergo that testing again for a
different business unit. This slows deployment and program adoption, and
increases testing and legacy maintenance costs. Being able to conduct a single
series of tests to „certify‟ a system for use in all (or many) closed areas within
one company can simplify the deployment process and reduce process-related
overhead.

Conclusion
The challenges of having classified and unclassified operations continue to
complicate the landscape for providing consistent and efficient IT services to
meet diverse needs. Through application and process governance, human
capital management practices for staffing, and security-conscious application
development, A&D companies can overcome the hurdles associated with
classified programs. Better support, more consistent tools and processes, and
increased portability of personnel are all achievable if organizations are prepared
to dedicate the necessary time and resources to the effort. Increased
standardization means lower maintenance costs, fewer stovepiped systems, and
smoother resource transitions. Companies that can correctly implement these
changes will realize a valuable competitive advantage and find themselves well-
positioned to handle the next challenges of the information age.

Author Bios
Brian Mulnix, is a manager in the Aerospace and Defense (A&D) Practice at
Hitachi Consulting with eight years experience in the industry. He focuses on
application development/maintenance, benefits achievement and workforce
transformation. He works out of Los Angeles and can be reached at 703.899.6089
or via email at bmulnix@hitachiconsulting.com.

Mike Louie, is a senior manager in Hitachi Consulting‟s A&D Practice. He has more
than 18 years of experience in the industry in a variety of leadership positions. He
primarily handles workforce transformation services, and has been a guest lecturer
at USC's Marshall School of Business on the subject. Mike works out of Los Angeles
and can be reached at 714.883.1398 or via email at mlouie@hitachiconsulting.com.

8
Chad Nelson, is a manager in the A&D Practice with more than six years of
experience in the industry. With Hitachi Consulting, Chad specializes in
workforce transformation, organizational change, and IT strategy. Chad regularly
speaks at Arizona State University‟s W. P. Carey School of Business on topics
related to career management. He works out of the Phoenix and Los Angeles
areas and can be reached at 480.495.9089 or cnelson@hitachiconsulting.com.

About Hitachi Consulting Corporation

As Hitachi, Ltd.'s (NYSE: HIT) global consulting company, with operations in the
United States, Europe and Asia, Hitachi Consulting is a recognized leader in
delivering proven business and IT strategies and solutions to Global 2000
companies across many industries. With a balanced view of strategy, people,
process and technology, we work with companies to understand their unique
business needs, and to develop and implement practical business strategies and
technology solutions. From business strategy development through application
deployment, our consultants are committed to helping clients quickly realize
measurable business value and achieve sustainable ROI.

Hitachi Consulting's client base includes 25 percent of the Global 100 as well as
many leading mid-market companies. We offer a client-focused, collaborative
approach and transfer knowledge throughout each engagement.

For more information, call 1.877.664.0010 or visit

www.hitachiconsulting.com.

About Hitachi, Ltd.

Hitachi, Ltd., (NYSE: HIT / TSE: 6501), headquartered in Tokyo, Japan, is a
leading global electronics company with approximately 360,000 employees
worldwide. Fiscal 2009 (ended March 31, 2010) consolidated revenues totaled
8,968 billion yen ($96.4 billion). Hitachi will focus more than ever on the Social
Innovation Business, which includes information and telecommunication
systems, power systems, environmental, industrial and transportation systems,
and social and urban systems, as well as the sophisticated materials and key
devices that support them. For more information on Hitachi, please visit the
company's website at http://www.hitachi.com.

© 2010 Hitachi Consulting Corporation.

All rights reserved. “Building the Market Responsive Company,” “Knowledge-Driven Consulting,” and “Dove Consulting”
are all registered service marks of Hitachi Consulting Corporation. “Business Intelligence at the Edge of the Enterprise”
and “Performance Management at the Edge of the Enterprise” are service marks of Hitachi Consulting Corporation.