Your Agency Is Special? Not When It Comes to IT and Security.

Too many government organizations cling to legacy ideas about owning and managing their technology. A centralized, enterprise IT environment provides better cybersecurity while creating vast efficiencies.

How many times have you heard someone say something won’t work because “we’re different”?

This statement is often associated with IT folks who say that “our IT environment is too complex” or “we’ve got a different culture here” or “we have too much legacy technology to be innovative” or any one of a hundred other reasons. While there will always be a few organizations whose missions do require unique solutions, the reality is that very few are really all that special when it comes to IT, and I’m convinced that government agencies served by IT teams that foster or accept these kinds of expectation limitations will always be less secure than they might be.

So why do so many departments and smaller subordinate organizations within large state and local government enterprises continue to own and manage so much of their own IT infrastructure and service offerings? Is the requirement for email service that different between agencies and departments? Are training needs so unique that different agencies need different applications? With vast data stores in both on-premises data centers and in the cloud, are multiple data management platforms the most efficient way of providing information security? Are multiple help desk infrastructures really necessary?

I think not and, more importantly, I believe that most smaller government agencies and departments would be hard pressed to prove that delivery of email, management of data, delivery of training or help desk management qualifies as a core business function.

The cloud has been the biggest catalyst for technology change over the past decade, and while most state and local government organizations find themselves in some state of transformation in that direction, far too many continue to cling to legacy ideas about owning and managing their own technology. I think it’s a control issue without a legitimate business requirement. While I certainly don’t mean to minimize how complicated it can be, with a vast number of unique infrastructures, variations in the sensitivity of the data and the data life cycle, and the scale and scope of software applications, at the macro infrastructure and service delivery level the fundamental technology is not really that unique.

More directly to the cybersecurity issue, do the products and services that control, monitor, scan and alert an organization about security deficiencies or vulnerabilities really need to be all that different between suborganizations? Outside of specific regulatory security compliance requirements, it’s difficult to say why they would be.

The cloud has democratized technology to the point where it rarely makes economic or security sense for suborganizations to procure and manage their own siloed technologies when a smaller subset of capabilities deployed across the entire organization would provide for the three foundational principles of security: confidentiality, integrity and availability. More centralization results in consistency of information, superior visibility, cost efficiencies and greater economies of scale than the ad hoc decentralized implementation approach many state and local government IT organizations employ today. From a purely security perspective:

  • The more infrastructure you have, the more infrastructure you have to keep secure.
  • The more data you have scattered across your environment, the more places there are for that data to leak or be compromised.
  • The more variations in your security technologies, the more technical security training and support is required.
  • The more products and services you have in the enterprise, the higher your overall procurement and management costs.

A truly enterprise IT environment aggregates technology across suborganizations and creates vast efficiencies. Cybersecurity becomes horizontally consistent across the vertical lines of government organizations. Just like the somewhat standard nature of email or help desk functions, information security tools and services can be rationalized into the enterprise to provide much higher levels of security while simultaneously decreasing costs and the overall security footprint.

Some people argue that centralizing security introduces the danger of single points of failure. That is certainly a consideration, but just as we should never have just one product or service, we also shouldn’t have dozens. The economic reality is that we simply can’t afford everything we’d like, so we need to make smarter decisions about how to protect the enterprise. While some agencies and departments and some individuals will have diminished levels of control, the growing cyber-threat environment makes it much more important that we begin losing the “we’re different here” mentality and start addressing information security from an enterprise perspective. The question I think a lot of CIOs and information security leaders need to ask is, “Are we really that special?”

Governing's opinion columns reflect the views of their authors and not necessarily those of Governing's editors or management.
Mark Weatherford, Governing's cybersecurity columnist, is the chief strategy officer for the National Cybersecurity Center.