A Better Brand of Information Security
A U.S. Defense official leads the charge for a less restrictive, more effective approach.
David Wennergren is an unlikely prophet for a new approach to information security -- one that’s more friendly to Web-based social media and information sharing. Wennergren is deputy CIO for the U.S. Department of Defense (DoD), an agency that most would expect to be among the world’s most locked down.
It’s not that Wennergren takes cyber-security, which we cover more in-depth in Data Lockdown on page 42, lightly. He points out that the DoD is a prime target for cyber-crime and cyber-mischief by some of the most sophisticated hackers on the planet. What he objects to is the notion that government agencies can halt cyber-threats by blocking employee access to popular Web destinations like YouTube, or clamping down on the use of smartphones and other mobile devices.
“You can’t hope to stay ahead of threats if your security strategy consists of blocking access to a website,” Wennergren says. “First, it’s really easy to work around website blocking. Second, for every site you block, a thousand more sites will pop up tomorrow.”
Unfortunately, that’s the approach taken by many state and local government agencies. The problem, he says, stems from treating information security and information sharing as two separate issues.
Considering them independently creates tension between security chiefs -- who want to lock out anything they perceive as a risk -- and the rest of the workforce, where employees expect to use social media sites and their iPhones to get work done. Instead of blocking these resources, agencies should deploy tools like secure Web browsers and stronger access controls that let employees safely use the websites and devices they need -- along with providing cyber-security training to help workers avoid risky situations.
Wennergren calls the approach “secure information sharing,” a notion that encompasses strengthening information security, but doing it in ways that promote safe sharing and collaboration among new communities of users. “If you get it right, you will enable yourself to be a 21st-century information organization,” he says. “If you get it wrong, you’ll be left hopelessly behind.”
Transforming the information security paradigm will be crucial to improving government performance -- and fundamental to the public sector’s ability to attract the next generation of qualified employees. Wennergren co-chairs the Federal CIO Council, a group of 28 CIOs and deputy CIOs from executive branch agencies. The organization recently worked with Don Tapscott, author of Growing Up Digital: The Rise of the Net Generation, to study how government can become an employer of choice for the first crop of American workers to grow up with the Internet.
Not surprisingly, the report, Net Generation: Preparing for Change in the Federal Information Technology Workforce, points to Web 2.0 technologies as the key ingredient for the future workplace. The brightest young employees -- not to mention a fair number of older ones -- will seek employers that let them use the collaborative websites and mobile devices they already rely upon in their everyday lives. It’s up to government agencies to determine how to do that, while still protecting sensitive information and critical computer systems. By the way, it also points out that public-sector managers must accept the idea that not all work needs to be done in an office and that employees can be working while they’re listening to music on headphones.
Ultimately, the report throws down the gauntlet to state and local government agencies throughout the nation that reflexively block employee access to social network sites or restrict the use of mobile devices -- even as the agencies themselves acknowledge the importance of Web 2.0 by posting videos to YouTube and launching iPhone applications for citizens.
“We should take some comfort in the fact that the Net generation has a desire for public service -- they want to make a difference,” Wennergren says. “So we should be able to attract them as long as we don’t let the technologies and processes of the past slow us down.”
If the DoD can think differently about these issues, shouldn’t state and local agencies be able to?