Culp: Think Beyond Technology to Improve Security

Constituents should have high expectations of government. Agencies should also inspire confidence in people that they’re up to the job. When we think about cybersecurity, we should rightly expect that government will diligently protect citizen data, such as the sensitive information we not-so-voluntarily provide to the departments of Motor Vehicles, Social Services and Public Health. Cybersecurity cuts across all of the public sector and is fundamental for people to trust their government.

There are a number of factors that shape the government technology ecosystem related to infrastructure, data and applications. Although many of these emerging concerns have little to do with technology, they could profoundly impact privacy, confidentiality and security.

Interoperability

As we consider the work of delivering citizen-centered services across departments, such as serving homeless veterans or feeding hungry children, having access to data is fundamental to understanding the effectiveness of programs, what services families are using, who is eligible and what could work better.

When programs consider interoperability and sharing data, staff members often first bring up concerns about privacy and confidentiality. In some cases, these discussions quickly result in agreed-upon approaches for identifying and solving problems, such as who can see what data. But it’s rare to find common ground between departments with different missions and responsibilities around protecting sensitive information.

The more likely scenario is interoperability will have to be carefully planned and executed to maintain forward progress and make everyone comfortable about the idea of sharing data. For instance, after many years of identifying data that would help foster kids get psychotropic prescriptions, and in spite of a “competitive demonstration project” a few years ago that showed California exactly how the vendor community would solve the problem in real time, interoperability of systems that “serve” this vulnerable population remains elusive.

Again, most of this process doesn’t involve technology; rather, it’s more about nudging people to help them understand the power of sharing and developing, and finding ways to break down the barriers of opposition. Some healthy angst about privacy and confidentiality will certainly occur. It’s key to fuel these conversations early and often, to engage the naysayers on the path to “yes, we can share.” By designing interoperability as a part of programs, government can strike the right balance between data sharing and security.

The Notion of Agile

Agile is the new darling in government software development, and the federal government is encouraging states like California to consider the agile approach as a way to solve longstanding development issues that have plagued some projects. Although agile software development methods typically are conveyed as a way to avoid failure, agile projects can and do fail spectacularly. What isn’t talked about as much is the role that leadership and the organizations themselves play in project failures.

When it comes to agile software development, security must be part of the agile methodology’s “user stories” and should be managed and tagged as “features” in order to maintain proper focus on the importance of security, privacy and confidentiality. Similarly, “misuse” stories must be crafted and threaded through the entire agile cycle. This is a significant process change for the security team, and it also creates pressure on the project team that’s trying to remain small and nimble.

Maintaining an agile pace of development while including security considerations means process efficiency, which is itself a challenge for many public-sector organizations. A Scrum project working on a two-week sprint cycle can’t really wait for a 30-day turnaround on a security review. It’s better to have the security personnel embedded in the project so that security is designed and built in from the beginning.

Another challenge: Public-sector projects sometimes are much more complex than private-sector projects, and agencies must understand and prepare for the impacts of an agile project, which is radically different from a traditional approach.

And the reverse also is true. The agency has an enormous impact on the project, a factor that is routinely ignored. What if your agile teams need data, information or decisions from other parts of the organization that aren’t operating in an agile fashion? What if middle managers want to exert influence over the resources they have provided to the project but don’t quite understand agile methods — how will their fumblings affect the project? Will technology initiatives be able to force changes in organizations accustomed to legacy processes? Only time will tell as California embarks on a major project, the Child Welfare System, using agile methodologies.

While serving in government, I often said we need to pay attention to people and culture when scoping any kind of changes, especially interoperability projects that would revolutionize the way programs deliver services. Workforce is the elephant in the room; we can’t realize progress, innovation or success without buy-in from the workforce. But we routinely pay little or no attention to the care and growth of employees.

Cybersecurity, therefore, must be part of the conversation from the beginning, while we remain diligent throughout to anticipate the sometimes vague factors that are critical to protecting our assets.

Read more about cybersecurity in the upcoming fall issue of Techwire Magazine, where this article appears.

Shell Culp is a senior fellow at the Center for Digital Government, senior adviser for Public Consulting Group and principal with Almirante Partners. She formerly worked as an agency information officer for the state of California.