Keeping our information safe and using it well

Getting the right balance between security and flexibility has become a really hot topic across local government of late.

Traditionally, the way we’ve kept information safe is to implement as many security controls as we possibly can. We make sure that we have full control over everything and that’s made us feel confident that there won’t be any incidents where sensitive information will get lost.

But the reality is more complex than that. Questions we need to ask ourselves include:

  • Are we designing our systems to reflect the way that our organisations need to work in future?
  • Are the controls we’re implementing proportionate for the information that we’re trying to protect?
  • Are we in danger of simply adding barriers which consume precious time, getting in the way of the real work?
  • Are some of our technical controls actually increasing risk, as people do things like print material or use personal email so that they can get things done while they’re away from their desks?
  • And can we actually afford to provide all the new devices which will help people work in a more mobile way if we insist on providing less flexible ways of accessing our systems?

To quote Mike Bracken from an interesting article I read recently about some of the ICT challenges the US government is dealing with: “In many government services you really only see two voices: the voice of security and the voice of procurement. The voice of usability isn’t in there as well.”

There are two really important reasons why these questions are critical for councils in the current environment…

As I’ve mentioned before in a number of my posts, councils of all political shades are working to deliver services through a more diverse range of partnerships than ever before. For many this is the only way to keep those services running in the face of truly dramatic budget reductions. This means that as well as more collaboration with central government, other public services such as the NHS and Police, and big private sector providers, councils also need to find ways to make it easier for community groups and the public at large to work with us to help find new ways to keep critical public services running. It’s essential that ICT teams find ways to help this succeed, rather than creating barriers which stand in the way of our business strategies.

We also need to find ways to help our people work more productively, taking away the obstacles which reduce efficiency and the time spent on valuable work. But with such large budget reductions, can we really afford to provide this across the board in the traditional way? To be honest, I think that notions such as ‘Choose Your Own Device’, which I’ve heard people talk about recently, are only going to work for wealthy organisations who can afford to offer a smorgasbord of shiny things to their users. Given the large numbers of people who already have their own smartphones and tablets, we need to embrace a secure Bring Your Own Device approach which lets them take full advantage of what they already have. And this needs to take account of what will make people actually want to use their own devices. Taking away everything which makes their smartphone fun by implementing a full set of corporate controls (a notion I’ve heard described as ‘Donate Your Own Device’!) just won’t work.

In mulling this over I’ve pulled a few thoughts together in the slides below. To me the key is putting the risks in context, thinking about the bigger picture and adapting the way we secure our systems to provide a sensible level of technical control which is appropriate to the information we are giving access to. And I’m sure that if we challenge ourselves and look for a different approach, we can both help our organisations work more effectively and actually reduce the risk of losing information at the same time.

https://docs.google.com/presentation/d/1KbjGOMJrshIm1pou_Aemd76Z-HjA33VvFNBsrcktgcI