Recently, Virginia's Governor Tim Kaine announced a new Online Suggestion Box. This new online community is much more than just a place to input ideas. Rather, the site allows users to:
"Submit ideas so that others can comment and vote on them;
Vote on other ideas to promote them; and
Discuss ideas in forums with others and collaborate.
Ideas are then made searchable by issue area, keyword, date, or author.
Suggestions have widely ranged from implementing a statewide recycling program, to increasing the state cigarette tax, to legalizing hunting on Sundays."
This new Virginia ideas portal is a great step that is getting a lot of press. It certainly gets citizens interested in improving government and discussing the pros and cons of new suggestions or old ideas in new ways.
I happened to be down in Virgina (speaking at their COVITS conference) when the announcement was made by their Governor. The buzz created by this new Web 2.0 interactive site is real. I'm sure other states will follow their lead.
As I thought more about this concept, it occurred to me that a similar approach could be used for security (or other IT) enhancements. No, I'm not talking about social networking for geeks, but interaction between end users and IT staff around the country. Nor am I talking about your current help desk, but an electronic suggestion box for IT (and even security) ideas.
While this may open-up Pandora's box to things we can't pay for, it could also help us improve security awareness. I suspect many of the suggestions would help local offices or work areas improve their situation. Some end users may even learn what policies and solutions already exist.
But before I forge ahead into a training pilot, I'd like to hear your thoughts on IT suggestion boxes. Does this idea make sense - for security? Is this too narrow?
I feel comfortable saying that cyber security in government isn't getting any worse but I'm not sure how much of an endorsement that is. The problem, as we all know, is that the threat landscape is constantly changing so while user awareness overall in the public sector is getting better, the incremental gains may not be maintaining pace with the dangers. There are some points of light though. I'm seeing more documented incidents and the good news is that I don't think it's because there are more incidents but rather that people are now recognizing them as incidents and reporting them. Thats encouraging because if users begin to understand what a security incident is, they can understand their role in preventing them. Most state governments are still very decentralized so funding isn't always spent as efficiently on the right security tools as it could be but the fact that we universally recognize security as a problem is progress. Just like the private sector though, we need to get better at addressing information security holistically and from an enterprise perspective because tackling individual security issues in a one-off fashion just doesn't work well in the long run. As you say, there are many aspects of "computer security" but as custodians of so much personal citizen information, I still believe that protecting that information needs to be a priority for state governments.