Applying agile principles to public sector change
It is little known fact that before my son was born, I was taking a masters degree in public sector modernisation. Fatherhood meant I had to drop out, but not before making some observations. I also spent a decade in local government, soo I know a little bit more about public service delivery than I sometimes let on at work. Perhaps just enough to learn.
Right now at Jersey Cyber Security Centre we have two critical change projects:
1) creating and delivering a new public body to improve cyber security and resilience, and
2) designing and implementing the legislation needed to support this and make it effective.
Everyone understands the necessity. Most people are supportive. So the top questions I get asked are simple ones: why does it take so long? Does it need to be this slow? Why can't it be faster?
The easy answer is that public sector change takes a long time because there are lots of interested parties whose needs and views need to be considered to get the right outcome, and that the legislative process is an involved one precisely to ensure that this is done.
But whilst that's correct and would apply equally to all public projects, the truth of course is more nuanced.
Sometimes we may not be looking at the challenge of change delivery through the best lens.
Shortly after 2001, I was one of many to sign the agile manifesto for software development. This document went on to start a global movement and change how technology change is done: from grandiose projects that often failed, to iterative change that often delivered.
The agile manifesto states:
We are uncovering better ways of developing software by doing it and helping others do it.
Through this work we have come to value:
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
That is, while there is value in the items on the right, we value the items on the left more.
If we are honest with ourselves, how much time and effort do we really spend doing the things on the right that are necessary but less impactful, over the things on the left that are most impactful?
The things on the right need to be done, with the result that sometimes there's no time left for the things on the left. Delivery is pushed back: first weeks, then months, then years. And then eventually people begin to wonder if we can get things done at all. For a long time, that was the way of IT projects. Sometimes it still is.
But agile principles can be applied in other fields too, perhaps nowhere more so than where people are most impacted: public services.
So our resolution for Jersey Cyber Security Centre is that in delivering for our community we will seek to put people front and centre; delivering what we can now, and responding iteratively to changing needs.
That means we are putting:
Individuals and interactions over processes and tools
delivered through custom briefings and responding to individual organisational needs, rather than through one size fits all solutions. Walk in to JCSC (and you can!) and we'll seek to understand what your specific challenges are and help you respond accordingly, rather than present you with a template response. (Of course, I appreciate that's easier to do with our small scale).
Working public services over comprehensive documentation
by being iterative and step by step, introducing what we can now rather than trying to fix everything all at once. Public awareness and engagement came first as we could do that on day one, and now we are building and developing the supporting technical services. Those services that require an updated legal framework can come later: it doesn't stop us delivering now.
Stakeholder collaboration over contract negotiation
by listening to stakeholders and seeking to respond to their needs, and seeing governance processes as an enabler of change rather than a constraint on delivery. We don't need to get everything into a document on day one, at least not as much as we need to take the community with us. So we worked first informally, then under a scheme of delegation, and finally we will work under a formal legal framework and governance.
Responding to change over following a plan.
by bringing forward elements of delivery that can be accelerated, whilst accepting that other areas become more complex the more you learn. In some cases that has meant longer timescales than planned, in others shorter. And in some areas we have delivered services we never expected to. Other things we planned to do, we don't. And that's fine - it's about responding to needs and adapting to change.
Delivering a new national cyber security centre from a blank canvas was never going to be simple or quick: if we sought to create perfect from day one, right now we would have nothing but paper and plans. Instead, we have a working capability that is continually improving.
We're on the first steps of many, but it has taken me back and made me ask: how do we do this best? And can agile principles be applied more widely to public sector change to deliver better outcomes? I think perhaps they can.
___
Matt Palmer is an award winning cyber security leader. He currently runs the national cyber defence function for a small island state. He can be found on linkedin or on bluesky.