Leslie Fiering, research VP at Gartner, told SC Magazine, "The goal is to collect and develop IP that can go directly to silicon and bring security down to the hardware level. The embedded security will run outside the OS with a broad variety of software developer hooks. It is highly unlikely that Intel will make any of these proprietary or in any way specific to McAfee.... Bringing security down to the hardware level is particularly critical at a time when exploits at the OS level are getting more sophisticated on PCs and mobile OSs are still highly immature in the security arena."
Renee James, Intel's senior vice president of software and services, told USA Today, "It's true in mobile solutions that we will have more enhanced security hardware, It is an accurate assumption that in the mobile devices market we will be doing integration into the chip."
Rich Mogull from Securosis.com had a very interesting perspective. He said that Intel bought McAfee for three reasons:
1) The name - "Yes, they could have bought some dinky startup or even a mid-sized firm for a fraction of what they paid for McAfee, but no one would know who they were. Within the security world there are a handful or two of household names; but when you span government, business, and consumers the only names are the guys that sell the most cardboard boxes at Costco and Wal-Mart: Synamtec and McAfee...."
2) Virtualization and Cloud Computing - "There are some very significant long term issues with assuring the security of the hardware/software interface in cloud computing. Q: How can you secure and monitor a hypervisor with other software running on the same hardware? A: You can't. How do you know your VM is even booting within a trusted environment?"
3) Mobile Computing - "Meaning mobile phones, not laptops. There are billions more of these devices in the world than general purpose computers, and opportunities to embed more security into the platforms."
So what does this mean for government? I'm staying out of the analysis of how this will affect medium-term products, pricing and competition with Symantec, Trend Micro and other security companies. However, it does underline three trends that express the central importance of cyber security for the next decade.
1) Cyber security is still hot - and getting hotter. This reality may seem obvious, but recent Gartner surveys of priorities from CIOs has seen security drop to the bottom half of the top ten list. A few years back, security was the #1 issue. To illustrate this point, here's another 2010 priority list - from a different source. The same trend can be seen in the 2010 NASCIO list of top State CIO priorities - with security at #6.
However, a deeper look at these lists and the technologies reveal that security is an important component of all the items at the top of these lists - in areas such as virtualization and data center consolidation. The fact is that technology leaders are demanding that security be built-in for these solutions and projects. In many ways, security has evolved into something new.
2) More specifically, this cyber security trend is heading up and down at the same time. In the second decade of the 21st century, security will be moving into "the cloud" (or cloud computing) and into mobile devices that are getting smaller and more powerful. It remains to be seen if Intel can be successful with building effective security into their chips in the same way that anti-lock brakes and air-bags are getting safety built into newer cars. It is pretty clear that Intel (and others) want to try and build more security into the chip sets. Security is becoming more of a "must-have" and less of an "optional extra" in order for new technology offerings to succeed.
3) Prepare for more acquisitions and an evolving landscape in the security space. Over the past few years, Symantec and McAfee have been buying smaller security companies on a regular basis and filling in holes in their offerings. This trend will continue, but now even bigger companies (like Intel) are buying the largest security companies (like McAfee). Will other large communications and/or technology companies buy security companies? Will the likes of AT&T, Microsoft, Google, IBM, HP, EMC, AMD and/or others keep buying into this space? Probably - in fact this is already happening with smaller security companies. A blog on Symantec's website asked if Symantec would be bought next?
These are interesting (and exciting) times. I certainly did not see this pending acquisition coming. Nevertheless, it looks like more change is coming. Hold on to your seat belts.
What are your thoughts on this pending Intel purchase of McAfee?
Lately, I am thinking that the answer may well be yes - we are witnessing a fundamental shift in technology service delivery for government. However, I think the full transformation could take up to a decade (or more) to complete.
In my opinion, the tech giants are starting in the email and office suite space and will succeed in making these commodity purchases for governments over the next few years. Meanwhile, more complex applications and mission-critical data will be moving into "government clouds" which are private and more secure. Bottom line, we have started down this new "yellow brick road" but certainly have a ways to go to arrive at the "Emerald City."
There are many people saying that recent announcements are game-changers. Here's a quick rundown on several interesting articles and related research on this cloud topic:
InfoWorld: Google removes cloud security barrier for government
ZDNet: The federal cloud: Another Microsoft vs. Google battleground
eWeek: Cloud Computing: Google Apps Leads Microsoft in Federal Cloud Race: 10 Reasons Why It Matters
Government Technology Magazine recently did this story on the Google certifications for government. I have also written several blogs and other articles on Cloud Computing security issues and offered recommendations to government technology executives on the cloud. A few months back, CIO.gov released the Federal CIO Council's report on the "State of Public Sector Cloud Computing."
Last week, the Digital Daily pointed to recent implementation challenges in LA, in this article Cloud Computing: Good Enough for Government? Microsoft told us back in February that FISMA-compliant cloud offerings are coming this year. I expect to see those offerings over the next few months, which will mean that they will match Google's FISMA-compliant offerings - with a similar price. These offerings also ensure that data is stored in the USA to help us with potential legal issues.
(One side note of caution: true FISMA compliance requires much more that just secure hosting by Google or Microsoft or others. It requires end-to-end security which includes our databases, PCs as well as office environment policies, procedures and even training. I worry a bit that these "compliant answers" are somewhat over-hyped in that government officials who may not know any better will think that they "done" with security if they just use one of these FISMA compliant services.)
For more technical details on this topic, you can also read this PC Magazine blog entitled: The Changing Cloud Platforms: Amazon, Google, Microsoft, and More
So what can readers do to learn more? I like these six questions that Accenture recommends IT Executives ask regarding cloud computing. (Click on the recommendations and conclusions boxes when you get to this website.)
My view is that as we see even greater pressure to cut costs in 2011 and beyond, all of us will incorporate elements of these new cloud computing services into our offerings, if you don't already have them implemented. There's is no doubt that government technology execs will also need to improve their contract monitoring and vendor management skills in this new online world.
What are your thoughts on these new, improved "cloud offerings" in government?
This surprising message from many banks to their customer base is becoming more popular as online bank robbers are getting more sophisticated, patient and dangerous. Gone are the days when marketing brochures insisted that online accounts were just as safe as traditional banking with a teller. The new message seems to be: "We're in this battle together, so can you please lend a hand?"
I have seen several respected colleagues go back and forth between these two communities, such as Greg Garcia who went from US Cyber Czar at the Department of Homeland Security (DHS) to a senior executive position at the Bank of America working on identity management and cybersecurity. Other banking colleagues participate on the same panels at security and technology conferences such as RSA and GovTech South Africa.
What are your thoughts on this topic?
How much email is too much? New survey results from Harris Interactive found that 50 emails a day may be the breaking point for employees. Other key findings include:
· Small-business users are feeling the brunt. A staggering 94% of small-business employees said 50 emails is their limit.
· Gender makes no difference. Men and women are equally stressed -- 94% of men and 95% of women cited the number 50.
Despite numerous studies and reports suggesting that too much email is a bad thing, is anything really changing? Not yet.
I've known for a decade that email was a critical app. What's become even clearer to me lately is that Blackberry support for executives is now the must-have (7x24x365) "Super" app. That's right, when the messaging system is down (and yes, this includes iPhones Xs, Droids, or whatever new device is coming next), no one is comfortable in the exec suite.
Nevertheless, this is the new normal. I see no helpful trends in sight. In fact, I think our challenges are increasing with newer, faster (4-G) mobile devices. (My teenage daughter wants me to up her number of IM messages on her cell phone, so the next generation isn't slowing down.)
Some staff are feeling burned out. Almost two years ago the LA Times proclaimed that our email Inbox has become an In(sane)-box. "It happened with cigarettes. It happened with red meat. And carbs. And SUVs. And now it's happening with e-mail. The preferred communication channel of millions of Americans is no longer cool." Some companies even declared email bankruptcy - and started over with new accounts.
There's no doubt that, as a society, we've come a long way from the days when Tom Hanks and Meg Ryan captivated America in the movie You've Got Mail.
In Michigan State Government, we block over 90% of incoming email from the Internet. (We've determined that these messages are either spam or contain viruses.) And yet, I still receive an average of between 100 and 200 emails every business day. I sometimes wonder how I get anything done when I add in text messages, tweets, social networking sites like LinkedIn and Facebook, phone calls and more.
Last summer, I wrote about work-life balance and some strategies to unplug on vacation, but I must admit that it has been very difficult to disconnect over the past year. (Note to self: there must be a reason why I seem to return to this subject every year right before summer vacation.) Meanwhile, Americans continue to spend more time online at home and work. The number of night and weekend (work-related) contacts (or family interruptions) has certainly grown for me. A few months back, we had an email outage over one weekend in two government agencies which resulted in my weekend being blown up.
So what can we do now regarding messaging? There are plenty of helpful tips for managing email. One of Ross Mayfield's best points in Forbes is to move from a push technology (anyone can send you an email whether you want it or not) to a pull technology where you subscribe or access what you want.
My advice is to take a step back once or twice a year and examine your email and other online habits. Is your email inbox working? Are changes needed? For important contacts and trusted partners who contact you via email, establish a protocol or working pattern that allows you to work on the most important priorities first.
What about your inbox? How many emails do you receive daily? Any strategies to help others?
Please leave a comment below and share your thoughts on email at home and work.
Put in the other terms, my (real life) friend was telling me that I was linked (had a connection which is similar to a "friend" on Facebook) to someone who had an online connection to one of the alleged spies.
I immediately checked out my friend's facts. It was true. I had accepted an invitation last year to connect to a person who was in one of the security groups that I was also in. At the time, this individual wanted to make me aware of several "hot job openings" for senior executives in my field. That contact never went anywhere, but now I was kind of "guilty by association." I presume that many others are in the same boat, since the recruiter has thousands of LinkedIn connections.
This is not the first time something like this has happened to me. But the previous time, I was a bit more culpable. Once I gave an upbeat LinkedIn recommendation to a colleague that I knew well and liked as a person. This government staff member did good work and had a good reputation - until he committed a crime and went to jail. (It turned out that I didn't know him as well as I thought.) I quickly learned that I could undo (withdrawal) my online recommendation for this person, and I did so.
As I researched "the good, the bad and the ugly of social networks" further, I found out that many HR professionals and lawyers have suggested that online recommendations are a bad idea in the first place. That is, recommendations are not recommended, for a variety of reasons. Even when there are no negative employee/boss situations that arise, some bloggers suggest that these recommendations can be seriously flawed - due to conflicts of interest. Some managers may even recommend staff so that they are more likely to leave.
So here I am on 4th of July weekend, wondering if I should stop accepting LinkedIn invitations. Should I change my social networking habits? Should I stop connecting to other professionals online? I meet many people at conferences and often try to establish a connection with them on LinkedIn within the next month. Does this still make sense?
After more research, I've also discovered that LinkedIn has even clamped down on super connected users. Most experts say that quality matters more than quantity. And yet, I have always used LinkedIn as a good substitute for keeping track of business cards which can become out of date. Using LinkedIn, I can easily keep track of friends and colleagues that I worked with in England, back in Maryland and even former State of Michigan employees who move one. This pattern has served me well, and best of all, my database of contacts updates itself with the latest contact information automatically.
What conclusion did I reach? Should I fear being "guilty by association" online? Should I encourage others to stop using these social networking tools? I've decided to march on - with a few minor modifications.
Why? If you're not guilty there is nothing to fear. I think a consistent "middle of the road" approach still makes sense. As long as we don't go overboard with these tools, they can help us to become more productive, well-informed and (yes) connected. They can even lead to new opportunities - like joining interesting online groups, speaking at conferences or writing for magazines.
Sure, we need to to keep an eye on how things evolve to protect our professional online reputation and our virtual integrity. But let's not throw the baby out with the bathwater. I say keep using social networking tools like LinkedIn, when supported by company or government policies.
Meanwhile you can ask me to connect online - but I might say no or hit that archive button.
How about you? Have any stories you can share about online "friends" or "connections" gone bad?
]]>
"The ruling essentially maintains the status quo of allowing employers to implement policies preventing employees from using company communication equipment for personal use.
But Bart Lazar, an intellectual-property lawyer whose expertise includes privacy and security involving electronic communications, said the narrowness of the ruling leaves open scenarios in which employees could keep private communications made on company equipment."
The ruling was widely covered by both newspapers and technology magazines. Here are a few examples:
LA Times - Supreme Court rules in favor of California police chief who read employee's texts
Southern CA Public Radio - No sexting on the job!: Supreme Court upholds search of text messages at work in City of Ontario v. Quon
Computerworld - Supreme Court ruling lets employers view worker text messages with reason
USA Today - Justices uphold search of officer's texts
Washington Post - Supreme Court rules on employer monitoring of cellphone, computer conversations
For other similar topics and stories, you can visit the Electronic Privacy Information Center (EPIC).
So what does this Supreme Court ruling mean for government technology executives today? In my view, this ruling is very important, since it reconfirms the status quo in a unanimous decision - which is pretty unusual for the Supreme Court. This (admittedly narrow) ruling is unlikely to be overturned anytime soon. So here are a few suggestions:
1) Go back and check your acceptable use policy. Do you specifically declare that state and/or local employees and contractors have no presumption of privacy when working on government networks (with government - issued technology)?
2) Is the policy clearly explained and available to all employees? What training is in place?
3) Do you use a splash screen which lists the policy as employees are logging onto the network?
In Michigan, we are currently updating many of our policies for social networking and other new online situations. However, our acceptable use policy has contained these three basic elements (listed above) since at least 2003. But while we have further to go over the next year in modifying our policies and training, it seems to me that every state and local government needs to reaffirm these basics policy elements right now. The federal government should do the same as well.
What are your thoughts on this new ruling - which reaffirms the status quo on workplace privacy?
Later, if the gas tank is running low, a couple of taps on the phone's screen locates a gas station and downloads directions, so the navigation system is programmed and ready when the driver reaches the car parked blocks away."
This is the vision articulated by Delphi Holdings LLP and described in this recent Detroit News article entitled: Key fob morphs into high-tech wonder. The idea: turn that device on your key chain that unlocks your car into a conduit between your smart phone and your car.
While Bluetooth technology is popular today, consumers want even more integration in the future - allowing internet access and exchange of data to mobile apps.
While expensive cars have similar (or even more advanced) features available now, this new technology may be made available for less expensive cars at a much lower price.
So what does all of this have to do with government technology? Check out this article on some of the latest advances in RFID asset tracking with key fobs. Here's an excerpt: "This active key fob RFID tag which is well suited for personnel tracking and access control application, vehicle identification, or for use in applications where keys need to be tracked, such as in prisons, hospitals and government offices."
It will certainly be interesting to see how this market develops. What is not in doubt is the power of mobile devices when they interface with smart phones and more. The Bill Gates prediction a few years back, in which everything in the home and work is connected to a network which communicates with our car and more, certainly seems to be coming true.
The question that government technology professionals need to ask is not whether we will be integrating our government apps with key fobs and smart phones, but how will we do it. We need to watching these trends and not building new stovepipe solutions that will be unique islands that won't work with commercial off-the-shelf devices.
So how many government apps will we eventually connect to your personal key fob? I'm not sure yet, but I suspect we'll find our sooner rather than later.
What are your thoughts on smart key fobs?
]]>
vGov is a joint federal effort with the Department of Agriculture, Department of Homeland Security, Air Force and National Defense University iCollege joining forces to create the vGov virtual world behind a secure firewalls that require authentication to enter. The virtual world will initially be limited to federal employees.
One thing for sure, the technology used to create these virtual worlds is not just a game. Virtual World News described the USDA contract and the technology which is pretty cutting edge. Here's an excerpt:
"... Like many enterprise-class virtual worlds, Teleplace's is designed for use in training, collaboration, and project management. What sets Teleplace's solution apart is that it allows application sharing across platforms, even through firewalls or cloud computing systems. Another key component of Teleplace's solution is vPresence, a communications suite that combines VOIP, text chat, and video conferencing features within a single virtual conferencing center...."
I can easily see this virtual world interface taking off, not just in the federal government, but also in the state and local government spaces. I anticipate virtual worlds for training and interaction in a business environment, which is currently limited in popular virtual worlds like Second Life. In my opinion, virtual worlds are currently viewed as games by most professionals, but I see that changing in the coming few years. Here's a good article describing the evolution of virtual worlds and training in global businesses.
I also see this trend becoming more widespread in the next few years, and we'll all have avatars within less than a decade in my opinion. In the meantime, bleeding edge adopters of fun workplace training will be busy creating virtual worlds for governments and businesses with appropriate controls, dress and acceptable use provisions. I'm not sure if Second Life will be the ultimate leader or not, but vGoc points the way for all of us.
To learn more about vGov, you can watch this video which describes vGov in detail.
Any thoughts on virtual worlds being used for training? Do you have an avatar?
]]>Try typing "free storage" into a Google search, and you'll get almost 47 million results. Here are a few highlights:
Mozy.com offers: "2GB, Absolutely Free - Not A Trial! Fast, Secure, And Free."
Squidoo.com offers: "Up to 45 GB Free Online Storage Not Trials. No CC req.100% Free."
Over on the sponsored links we see Huddle.net which offers free document sharing and: "Free 100% Secure, Get Up To 25GB Store and Edit Documents Online."
Why would you want to do this research? Well, I can think of many reasons. For one, your users probably are. Even if the services are not free, the top online storage prices may be so attractive to some customers that they just get their credit cards out - without asking for permission from anyone.
If you are thinking that I am advocating this approach, you should read my recent article on the topic: Is Cloud Computing More Secure? There are many, many questions that must be answered prior to using one of these low cost storage providers in the cloud. Some of those questions include: Who owns the data? Where is my data? Do the laws of that country protect privacy rights? What are the terms and conditions? How can that company use my data? Is the data available 7x24x365? Can I get my data back if they go bankrupt? Can I switch providers easily? Is our data secure? Are you sure? Can I legally enter into this agreement for my government? How do I audit you? Can I see your logs? The list goes on and on.
A recent cloud security survey of U.S. and European IT security professionals conducted by CA and the Ponemon Institute found: "... About half of the respondents don't believe the organization has thoroughly vetted cloud services for security risks prior to deployment. It also showed that 55 percent of respondents are not confident they know all the cloud services in use in their organization today."
There are many recent blogs on this topic, such as this one from Information Week's George Hulme. Commenting on the lack of understanding that security pros have regarding what cloud services that are in use in their organizations, George says, "Let's hope that the end users are employing some common sense, and not moving corporate financial information, trade secrets, customer data, or health related information to the cloud. Unfortunately, we don't know what data is moving to the cloud because IT departments have no clue how their end users are using cloud services."
So where does that leave us as IT executives in government? We clearly need to perform an "As Is" assessment of current Internet usage (or cloud computing usage) first. This includes an understanding all Software as a Service (SaaS) activity as well as cloud storage usage and other relevant activity.
In Michigan, one of our first steps was to use our web monitoring capabilities to monitor and block unauthorized cloud connectivity. Yes, we fully embrace the power and opportunities brought by cloud computing. We are running a cloud storage pilot, and we are expanding our cloud storage over the coming year. We will be publishing a new strategic plan that includes many exciting cloud offerings.
However, we don't want unauthorized cloud providers entering and leaving through the back door either. This would be penny-wise but pound foolish. While these various low-cost options may seem enticing to end users, they provide perhaps even more problems than other undesireable storage options (like putting data on USB flash drives) - if these new relationships are not managed appropriately. Information is vital to the running of every area within government, and we can't lose control of that data inventory.
Let me end on a positive note. Cloud computing will transform government IT Service delivery. Positive changes are already beginning to happen. The opportunities are immense. Many of these companies offer excellent service, and I appreciate what they do. We don't want to appear defensive or dismissive of their value.
Nevertheless, we need to implement cloud services legally, safely and with excellence. Include your clients in this discussion and help them understand what is at stake by getting out their credit card and sending sensitive government data off to a free or low cost cloud service without following proper procedures. This service will not be "free" or "low cost" if you lose your information or run into other trouble. In fact, it will cost much more.
What are your thoughts on this topic? What is your government doing?
On Tuesday afternoon, a pre-conference session on Identity Management was held. We heard updates on ongoing activities in several states, Washington DC and federal agencies, and we discussed the upcoming draft document entitled: The National Strategy for Secure Online Transactions. If you're looking for more information on this new national strategy, here's another article on this topic. The discussion and break-out sessions were excellent. This issue is sure to be a hot topic in coming months, so stay tuned for more updates on this pivotal aspect of digital government. (I plan to spend more time blogging on this topic later this summer.)
The Weds afternoon members-only session began with a presentation by Federal CIO Vivek Kundra. Here's an excerpt from the NASCIO website:
"Kundra challenged the CIOs to identify two areas where states and the federal government can collaborate on addressing challenges in information technology. Federal and state government spends billions a year annually on technology. With limited resources in federal and state government to carry out critical and non-critical services, we must work together in a state-federal IT partnership to find solutions and tools to get the maximum return on investment from information technology."
After Mr. Kundra, we heard from the Director of the US CERT, Randy Vickers. Mr. Vickers, who recently moved from "Acting Director" to become the formal US CERT Director, did a very nice job of articulating the various priorities that DHS is working on right now within the National Cyber Security Division (NCSD) and within a variety of public sector and private sector committees and working groups. The importance of fusion centers, the opportunity for more state CIOs to obtain security clearances, and pilot programs on cyber security, were just a few of the topics Randy mentioned.
The opening session on Thursday morning was perhaps my favorite session. The topic was: "Perspectives from Great Leaders: Visionaries, Role Models and Innovators." The moderator was Peter Harkness, founder and publisher emeritus, Governing. The speakers were Martha Dorris, Deputy Associate Administrator, Office of Citizen Services, US General Services Administration, Phyllis Kahn, Representative, State of Minnesota and Bill Purcell, Lecturer in Public Policy and the Director of the Institute of Politics, Kennedy School of Government, Harvard University.
Here were some interesting topics/comments that were discussed by this excellent panel:
· Leaders understand where the organization is, where they need to go, and what the gaps are. They execute and deliver results.
· Leaders act as a "heat shield."
· Leaders are respected - but less fear used as a technique (than in earlier generations).
· Leaders are on point and bring everyone home safe.
· The debt crisis is the most predictable crisis we have ever faced.
· Great quote: "I have friends on both sides of that issue and I'm with my friends."
· Unhelpful techniques include concepts like "year of the child." (So next year we won't care about children?)
Other great sessions included Howard Schmidt's lunchtime keynote, new developments in wireless broadband, breakout sessions on topics like cloud computing and discussions on smart strategies with tight budgets.
Overall, I found the mid-year conference to be extremely valuable. The networking with colleagues from around the country was great, and the interaction amongst the states during the working sessions provided a unique opportunity. The federal government sent several high-level executives that clearly want to partner with the states in new and exciting ways.
The upcoming elections this fall have also focused everyone's attention in several ways. CIOs are asking what can be accomplished in the next six months that will show meaningful and lasting results. Many leaders within NASCIO are predicting that we will see many new CIOs by this time next year, so a big focus in the hallways was preparing for fall transitions and for new administrations in state capitals beginning in January. Some speakers predicted that CIO influence will also continue to rise.
If you are a state IT exec and missed the conference and/or you are thinking about the rest of 2010, I urge you to attend the NASCIO Annual Conference this fall. The investment in time and resources is well worth it. In fact, I find that I always get much more out of these NASCIO events than I put in.
If you were in Baltimore, I'd love to hear your thoughts on the NASCIO 2010 Midyear Conference. Please leave comments below.
Almost all state and local governments have laws, policies, rules and regulations regarding purchasing various hardware and software products and developing technology standards. But enquiring minds want to know how we control purchases, enforce policies, provide guidance, and manage the product standards once they are determined. Are there any "best practices" that I can share from Michigan on policy and standards governance? Beyond credit card limits and purchasing work flow approvals, how do we manage the formal approval process for requests and get to "yes" for our business customers? When do we bend and who gives in when business areas come to us with genuine (essential) requirements and real needs - and not just wants?
Actually, there are several helpful items I can share. After we consolidated technology into one agency eight years ago, it took us several changes to get where we are today. We hope and believe that our architecture is fairly flexible to meet a variety of circumstances, but some would argue otherwise. Our standards exception process has gone through at least three rounds of modifications over the past few years - and it has been painful at times.
As general background, you can access several relevant documents at this website which cover Michigan's Enterprise standards. Our DTMB administrative guide lists many of our government-wide policies (see the 1300 and 1400 series policies on this page for some of the technology-related items). We are in the process of updating our technology plans and issuing a new strategic plan this summer, but the background provided in our current strategic plan from two years ago may be helpful.
Like most governments, we have committees to pick products, evaluate requests for proposals (RFPs), and ad hoc cross-functional groups to look at all aspects of service delivery. We also have an enterprise architecture team to assist with difficult situations, refresh technology plans, offer advice, etc. These individuals and groups can offer "solution assessments" that help various agencies decide on the most appropriate solution to solve their business problem. They offer help on security controls, explain which "zone" servers need to sit in, explain what products are supported, and much much more.
But the $6 million question is about enforcement of standards in security, technology architecture, and how do we deal with inevitable exceptions?
All technology purchases in the state need to go through our department. We have service catalogues which describes infrastructure services and pricing from PCs and to networks. Changes to firewalls, networks, or other devices are controlled through the ordering and internal request for change (RFC) process, and this prevents unauthorized changes from occurring.
But what about stuff like the Apple iPad that's not on the list? In Michigan, we have a Technology Review Board (TRB) and an Executive Technology Review Board (ETRB) to provide oversight. The TRB is a formal group that oversees exception requests. They deal with one-off problems and are empowered to grant temporary exceptions up to 6 -months. Longer exceptions and appeals go to the ETRB - which contains senior execs from all parts of our organization. Think of the ETRB as our technical "Supreme Court" for technology decisions, with representatives from all part of the organization (including the customer liaisons, CTO, deputy directors, CISO and others).
Requests to the TRB (which comes first) or ETRB are made via online templates, and must contain the business case, return on investment (ROI), life cycle costs, support plans, and other relevant items. The format and discussion is very structured and efficiency in the process is maximized. While this may seem very complex to many readers, the process works well. ETRB decisions are made on 2-3 cases in an under an hour, and the ETRB usually meets twice a month for 60 minutes or less. Emergency meetings are called when needed, and the group has even convened by phone.
The interesting thing is that quite a bit of role-reversal ends up happening amongst ETRB members. The security guys sometimes argue for business customer service and agency reps argue for security changes. The board is fair and management enforces the rulings all the way down the management chain, so everyone has skin in the game. The focus is always getting the agency business process working, and any risks identified with the technology exception is accounted for via signature by the business customer.
Best of all, the "word" gets out to staff. Technical architectures and standards means something. If you don't follow the rules, your case will quickly get thrown out.
For example, exceptions for 6 months are reviewed in six months - and you'd better come back to the board with the system fixed or security flaw remediated. (Yes, we have an excellent "secretary function" keeping track of all exceptions and timelines for the TRB and ETRB.) Checkpoints are added to check status of changes.
The auditors love this process because it has real teeth and is based on repeatable processes. The businesses get to argue their security case, and no one (usually) ends up being the "bad guy." Most decisions end up being unanimous now, although that wasn't true four years ago when we started the TRB/ETRB.
Bottom line, the boards take the good, the bad and the ugly. We make lemonade out of project lemons. Our goal is to offer customer-focused answers while enforcing enterprise standards - a tough thing to do.
So what about that iPad you want - I mean need? Submit your business case, and we'll take a look. Otherwise, you can fight for whatever you'd like during the next enterprise architecture technology refresh cycle.
So what's your government's process for enforcing standards and balancing customer service? I'd love to hear other approaches. I will also answer any follow-up questions.
Computerworld Magazine described this rising frustration in a recent article which highlighted comments from the recent SaaScon conference. Here's a short excerpt:
"Cloud computing users are shifting their focus from what the cloud offers to what it lacks. What it offers is clear, such as the ability to rapidly scale and provision, but the list of what it's missing seems to be growing by the day....
Judging from interviews with individual attendees and comments made during panel discussions here at the SaaScon conference, it's clear that there's a need for industry agreements."
Meanwhile, Network World offered this debate entitled Cloud: Ready or Not? The two experts essentially agree that cloud computing technologies will become big business, but both points of view list near-term problems with cloud adoption.
For more on this topic, there are plenty of other articles listing the cloud computing challenges in 2010 and beyond. The National Association of State CIOs (NASCIO) is highlighting cloud computing in a breakout session at their mid-year conference in Baltimore with a session entitled Cloud Computing and State Government: What is the Forecast. There are even some free webinars with public sector panelists, including yours truly, describing what they are currently doing in their state with cloud computing. I also wrote this recent article on the topic: Is Cloud Computing More Secure?
But the point of this blog is that the next steps in this critical cloud debate are occurring. The conversation is heating up on many fronts and inside many different industries - including government.
Experts say that group change requires four stages: forming, storming, norming and performing. It seems to me that technology evolution often goes through similar stages. If so, we are now in the "storming" stage, in my opinion.
What are your thoughts on cloud computing?
]]>Just in case, you haven't seen it on TV or noticed any long lines out in front of Apple stores, the iPad has been covered by news outlets and technology magazines for several months. So if you can't beat them, join them. (Hence this blog on what it means for technology staff who need to adjust to this new normal.)
Maybe you were one of the thousands standing in line around the world to get an iPad. You've got to get your hands on this latest technology toy, which I must admit seems very attractive. Maybe you're even reading this blog right now on an iPad?
Or perhaps you're thinking: "Here we go again." Let's talk about that.
Government professionals, especially infrastructure staff, are struggling globally with truly implementing this concept of enterprise technology standards. Yes, there are plenty of good government technical architecture examples to look at such as these websites in North Carolina or Minnesota. But I'm referring to the problem that companies like Gartner and Unisys call the Consumerization of IT.
So here are some basic facts:
· Technology professionals around the world decided long ago that standardization can save dollars. Consolidation and efficient use of technology is difficult if there are hundreds or thousands of different types of hardware and software all over the enterprise that needs to be supported.
· Governments at all levels issue and follow numerous standards and policies.
· Most governments issue contracts which standardize on the desktop and mobile technologies which employees can purchase for work.
· Many employees want something different than what's available. New iPads may fall into this category (at least for a time).
· Government technology staff, and especially security staff, struggle with being labeled as the disablers when they deliver the bad news to staff. "You can't have the latest innovative technology!" (Not good.)
· Government often lags industry in adoption of new technology. This can be either perceived or real. Making the case for new technologies such as iPads can be difficult and/or take time to build an ROI. However, private sector firms struggle with these same issues.
· Employees often bring their personal devices to work and plug them in causing a variety of security, data synchronization or other problems.
· Trends like "bring your own pc to work" are slow to be adopted in governments.
What's a technology manager to do? This certainly appears to be a Win-Lose proposition, at least for now. (We're the losers either way). I've know a few people that just opened things up to whatever people wanted. While they were short-term heroes, they no longer work for those companies or government offices.
Truthfully, I don't have any easy answers for you. There seem to be so many new cool technology gadgets coming out all the time. Will we ever keep up? I honestly doubt it.
I have seen answers in some circles which ban everything in sight, but those only seem to be accepted by staff when secret clearances are involved. (If you lose your clearance in the DoD, you're out of a job.)
The other extreme is just: "Trust me or I won't tell anybody." However, I don't see that working very well in the long run either.
Computer industry answers seem to either be company-specific or not very practical. Oftentimes you hear - "just buy all my products and you'll be fine." Excuse me, please go back and read the first part again. Your product is not the one that my customers are waiting in line for at this moment.
I'd love to hear your thoughts and experiences. How is your government dealing with all the new toys - from smart phones to iPads? Anyone wait in line over the past week at an Apple store? Plan on bringing the iPad to work? Inquiring minds want to know.
After I watched the horrible scenes, I felt the same shock that I've felt several times since 9/11/2001. Those feelings hit me when I watched the coverage of the bombs going off on the London underground and after the trains were bombed in Spain. "That could have easily been us. We were just there!"
Why Were We in Moscow?
Back last fall, I had been invited by IDC Russia to be the morning keynote speaker at their IT Security Roadshow 2010 in Moscow. They asked me to speak on cyber crime, identity theft and online trends in protecting businesses and governments globally. The audience was primarily Russian businesses, and their list of sponsors was largely the same technology companies that we are familiar with in the USA.
Still, I was initially very skeptical about going. As a former NSA employee back in the 80s and someone who still works with law enforcement agencies in Washington DC, I was nervous about their intentions and safety in the land of our former Cold War enemies. But as I asked more and more questions of the IDC conference organizers, I became reassured. In addition, respected colleagues from agencies in Washington DC and Michigan encouraged me to go. Others even pointed to the upcoming EastWest Institute sponsored: Worldwide Cybersecurity Summit in Dallas as an example of how we need to foster new cross-border partnerships to fight the bad guys online.
So after getting the necessary permissions and visas, my wife and I decided to turn the trip into a European vacation and wedding anniversary time away in Moscow and Rome. Our plan: three days in Moscow, followed by four days in Rome - while our in-laws watched our kids.
When we first arrived, it was a bit awkward. Our bags didn't make the connection from Germany to Russia, and we were stuck at the airport for several extra hours. Later, we almost missed our ride to the hotel since our driver was hard to find in the crowd, and he didn't speak English.
Still, we had a wonderful time sightseeing, and our Russian hosts were warm and friendly. Our college-age tour guide in Moscow spoke great English, and she took us to all the famous sites in Moscow - arriving by their Metro (subway). As we walked around the city, it was hard for me to believe that I was vacationing in Moscow in March. Our favorite tour was inside Saint Basil's Cathedral. The food was ok. (As you'd expect, the meals were much better in Rome.)
The IDC conference itself ran smoothly on Wednesday morning. The facility was a Holiday Inn with excellent technology and everything you expect to see at US technology events. I was amazed at their mastery of so many languages and especially near-perfect English. They had a translator who listened to my words in English and rebroadcast the speech simultaneously in Russian to those who wore iPod-like devices that they were given at the door. (Questions at the end were translated into English for me using a similar device.) I was intrigued to find out that the same translator regularly works with former United Kingdom Prime Minister Tony Blair.
At the end of my session, the questions that the audience asked were almost identical to the questions I typically receive at US events or at a conference I spoke at on vacation last year in South Africa. These were businessmen and women who were dealing with the same cyber problems, budget cuts and personnel challenges as most of us. They described their online threats and computer problems in terms which were very familiar. Their #1 security vulnerability (by at least 3 to 1 in a show of hands) was company insider threats. Yes, they were worried about their own employees' behavior.
My only complaint (not really) from Moscow was the pictures they posted on their website after the event. (I assure you, I was not disco dancing.) Either the photographer was shooting from strange angles, or I'm much more acrobatic than I realize. You can click on the translate button at the top of the page to read the captions. (Notice how the other speakers look so reserved compared to me.)
After the event, we had a very nice lunch with the conference organizers before leaving for the airport. Their descriptions of the online challenges facing businesses in Russia made me feel as if we could have been in another large US or European city. My wife and I truly enjoyed the experience. We returned home safely to Michigan, eight days after we left. I didn't plan to be writing a blog describing the trip - until the bombs went off last Monday.
So what's my point? We live in a small world that knows no borders when it comes to crime. As IT professionals, we understand the fact that the Internet is global, and we can be attacked from anywhere on the planet at any time of day or night. We discuss threats we face from Russia, Nigeria, South Africa and everywhere else, but there are potential partners in those countries that want to help in the fight against malware and online crime.
Indeed, several of the professionals I spoke with at the conference fear cyber attacks from the USA and China. That's all the more reason for us to work together, when it makes practical sense, with their criminal justice organizations and other "good guys" to stop the cyber criminals in every culture.
Don't get me wrong. I'm a loyal, flag-waving American who loves baseball, hotdogs, apple pie and Fords. My family enjoys living in Michigan, and I have minimal desire to move to Russia or South Africa. (However, they were both wonderful places to visit on vacation.) Nor did my slide deck or side conversations break any new ground regarding cutting-edge cyberspace protections, identity theft or malware sources overseas.
I also realize that I don't know these people very well. Just as in the USA, I would need to build more trust with specific individuals and organizations before collaborating on complex projects. It's true that there may have even been some bad apples in the room while I was speaking.
New Partnership Opportunities
Still, I sense a common cause amongst technology professionals around the world who want to fight cyber crime together on a global basis. I don't think I'm naïve in wanting to partner where it makes pragmatic sense. Yes, I realize that our countries have different interests in many economic, political and military areas. We don't agree on a long list of items.
And yet, we're all fighting terrorists (in both cyberspace and our physical world). In fact, New York, Washington DC, Atlanta and other global cities tightened subway security after the bombs went off in Moscow. We need to fight all forms of crime together. We need to build global partners, and many US technology companies have offices in world-wide cities including Moscow.
I made several new professional contacts and even "online friends" in Europe. More than that, the bombs going off in the Moscow Metro (killing dozens of innocent people) made me think even deeper about this question: who are our 21st century enemies?
Right now, I'm feeling Moscow's pain. I'm praying for their people. That could have been me in the news.
I'd love to hear your thoughts on this topic - feel free to leave comment below.
]]>Google Pulls Out of China: Of course, this is the hottest story out there right now, with daily updates. The stakes are high on so many fronts, and all aspects of this story are being reported by many sources. Here are a few perspectives:
ComputerWorld articles and blogs ranged from announcing that Google stopped censoring in China to asking questions like: Does Google really need to be 'in' China at all.
Newsweek described the situation as An Unstoppable Force Meeting an Immoveable Object.
Here's an excerpt: "Google's bottom line won't be greatly harmed in the short term, as only an estimated 1 to 2 percent of the company's revenues currently come from China. But if Google departs China for good, the losses are incalculable. With 400 million Web users and climbing, China is far from a fully tapped market. Baidu, Google's biggest Chinese rival, today has roughly 65 percent market share, and will now lengthen its lead even more."
The Washington Post focused early on the Google users who worried that they might lose an engine of progress. However, some reported that the Chinese Internet users would not care much.
Others are speculating on what comes next, which will likely be a pattern for many months to come.
Changing subjects, many people are talking about a CIO.com article which declares that we'll all be working for tech vendors one day (soon). While this is another take on outsourcing and the commoditization of IT, the topic is not new. (I said something similar over 18 months ago in an article on cloud computing.) And yet, it seems to be popular right now, so I encourage you to read the article.