Getting face time with the boss when it comes to information security is a hard thing to do in government. Much like the electricity that keeps lights on in our homes, we only begin to think of cyber security when there is a breach or a high-volume displacement of data. CivSource recently sat down with Mike Maxwell, Symantec State and Local Government National Director, to talk about what happens when the lights of cyber security go out, and what kinds of emerging trends he sees developing alongside technologies like mobile and cloud computing.
“For nearly every state, security is an arena consumed with challenges – it’s an ever-changing landscape.” Mr. Maxwell began. “State budgets have not been growing for a while and that trend is likely to continue.”
Mr. Maxwell says that one of the emerging key trends facing SLG is something that is facing the federal government and also the commercial sector, which is the proliferation of mobile devices. Whether the device is owned by the government or owned by the individual who uses it for work, mobility creates a whole set of challenges for government organizations, especially those agencies who deal with individuals’ Personally Identifiable Information, or PII.
A related trend is the “consumerization” of the IT computing environment, Maxwell says. “Government employees, and more importantly citizens and constituents, want to interact with government where and when they may.” Mr. Maxwell pointed out that more and more governments are delivering services through the Internet and that citizens not only demand that option, but they expect it.
“Consumerization is leading constituents to require their governments be able to [deliver services and information] via a handheld, iPhone, iPad or any number of devices that citizens choose to use.”
He indicated that there has been an “evolving focus of IT from an infrastructure-driven world to an information-driven world.” Model trends of virtualization and cloud computing lends itself towards a device-agnostic, information-centric environment, he continued. “To a degree it doesn’t matter what device I’m using, where its located, where I’m accessing it. The device and location come secondary to information itself.”
Mr. Maxwell said what is important, from a security standpoint, is being able to authenticate that someone accessing information is who they say they are. “The security model is much more centered on the information itself,” he said, “There needs to be a set of checks on access and use of information.” Organizations need to verify that a user can access information, then they need to have controls around what can be done with that information, he said. “We’re doing a lot in the areas of encryption, managing data loss, and developing controls over what can and cannot be done with certain kinds of data.”
This can be much easier said than done, but according to Mr. Maxwell, states who approach security from a management policy standpoint are able to more easily deploy and leverage security.
“Technology is not the difficult part. Management, leadership, policy and political challenges have to be met to have an organization structured in such a way that they can tackle the issue.”
He said that generally legislative activity has been needed to address security in fundamental ways. A number of states have done things like use legislative mandates to consolidate IT budgets under one area. One such state is Colorado, who’s state-level IT reorganization was profiled in a series published last March.
In the three-part profile, a number of legislative bills and executive mandates allowed Colorado to align its IT operations along functional bands, instead of in agency silos – a move that has allowed the state to transform its IT environment and more readily control access to the state’s sensitive information.
“Being able to managing the content of your information and being aware of what is sensitive and what is not will be really key in the next few years,” Mr. Maxwell concluded.