Early adventures in exploring social tools for smarter working

We’ve just ‘gone Google’. It’s still early days, but now that we’ve moved everyone over from our legacy Microsoft Exchange platforms to Google Apps for Work I’m seeing lots of really encouraging examples of people beginning to use Google Apps’ powerful collaboration capabilities to rethink the way that they do their work. That’s a blog post for another time, but one area I’m particularly interested in is how we can use Google+ to add a new dimension to the way we work, and I thought it might be useful to share a few examples of that here.

I’m very conscious of long-standing advice from lots of experts who’ve spent time looking at enterprise social networking that a ‘fire and forget’ approach rarely works (I’ve put a few links to resources I’ve found helpful below). Just turning on Google+ and hoping it will magically become a valuable business tool isn’t likely to be very successful. So our current exploration has been around quite clearly defined purposes, and I’m very encouraged by what those have already achieved.

Supporting the Google transition

An obvious place to start was to use Google+ as part of our support for the Google transition. As well as the usual change support (online information, floorwalkers, optional training sessions etc), we set up a Google+ community and encouraged our users to join that to ask questions about functionality and share tips with each other. We’re using this to answer users’ questions, as well as publishing a regular ‘tip of the week’ highlighting useful features which people might not have found yet, and we now have over 160 people signed up (with a healthy upward trend in membership). But the thing I’m especially excited about is seeing our users helping each other out, often getting in with responses to questions more quickly than I or the other people in my team can. I think this has the potential to be a really useful addition to the standard ways we provide ICT support. It’s helping us foster a more open discussion with our users and giving the ‘gurus’ across our user base the opportunity to share their knowledge much more widely with other colleagues (making the traditional ‘water cooler’ advice more visible and available to all). It also means we can flag if a piece of advice might not be the most appropriate answer to a query.

We’re now planning to widen the purpose of this group to cover other questions about the services we provide (we asked our users and they thought that was a good next step).

Building our sense of team

Working as a shared service means that our team is spread across several different locations, which amplifies the usual difficulties of making connections between people who are working on a wide range of different projects and operational work. Creating a team space in Google+ isn’t a ‘silver bullet’ for this, but is showing some promise. Since we set up our team Google+ community last year we’ve used it for:

  • Regular updates which I share with the team to highlight work we’re doing and keep people informed. I’m finding this more effective than broadcast by email, as it provides the opportunity for follow up questions and is helping open up the work being done across the team.
  • It’s also starting to become a place where other team members share information about work they’re doing and ideas they’re looking at. I’m really keen to see this grow and become a ‘normal’ part of how we work together. I’ve found the connections I’ve made through Twitter etc incredibly useful in helping me with my work and getting new ideas (after being very sceptical about it before I signed up), and I’m keen to see if we can replicate some of that for our work within the team.
  • We’ve also experimented with using Google+ events to get people across the team involved in our service planning. Too often this is an exercise carried out by a small number of people and can result in service plans which others don’t find relevant to the work they’re doing. I definitely need to refine the approach a little, but the recent event we ran involved about 20 people from across the team (split roughly 50/50 between people in the room and those joining online) and brought out some really good ideas which we can use to shape our work. This felt like a good result from a first attempt, and the feedback from the people who took part was positive too.

Encouraging innovation across the Council

We’re also seeing some interesting examples of where colleagues outside ICT are exploring this opportunity. This includes:

  • The use of communities to get people across the Council to contribute to the thinking about our future strategic direction. I’ve seen some really interesting ideas and perspectives being shared through that, and as with our team community it’s good to see a wide range of contributors being given a platform for their thoughts.
  • Other colleagues are also looking into how this could be a useful tool to help with work across a range of partners, including the voluntary sector, where we are working together to shape policy and service change.

Early days, but encouraging stuff!

Useful resources

There’s lots of handy advice on how you can get started with social network tools in your organisation. Some of the resources I’ve found especially useful include:

Rachel’s @allthingsic blog has lots of useful information, including:

Gartner’s book ‘The Social Organisation’ is also very useful; Chapter One is available for download here.

And if Google+ is something you’re interested in looking at in more detail, here are some guides on the features available:

Positive signs from the PSN?

I was surprised to find that it’s approaching six months since I last posted here. I’ll make sure my New Year’s resolutions include a commitment to do better in 2015…

I think a good topic to get myself back on track is to write something about the working group I had the pleasure of chairing on 9 January, where we looked into the thorny issue of PSN compliance for councils who want to enable access for unmanaged devices (aka Bring Your Own Device). As I’ve blogged before, I think this is a much bigger issue than simply letting users use their own smartphones to access their work systems. Council IT teams need to be able to support a growing range of partnerships with external organisations, many of whom are likely to use their own IT kit — including voluntary sector and community groups, and it’s essential that our security arrangements strike the right balance to avoid creating unnecessary barriers to delivering local services.

I felt that we made positive progress in getting to grips with some key issues and agreeing how we can work together with the Government Digital Service to find solutions to these. Some aspects felt more encouraging than others, but all in all I’m feeling increasingly optimistic.

First, a disclaimer:

  • This is not an ‘official’ statement on behalf of anyone, it’s just my take on the discussions last week.
  • The event was held under the Chatham House Rule (I checked — there’s only one! http://www.chathamhouse.org/about/chatham-house-rule#), which is why I haven’t referenced any specific details from the councils who attended the workshop.

What was the event about and who was there?

The event was well attended, and encouragingly included representatives from across local government, including districts, counties, and unitaries from across the UK. You can find an outline of the day here: https://lgaevents.local.gov.uk/lga/frontend/reg/thome.csp?pageID=10333&eventID=38&eventID=38.

In the morning, we held a closed session for local authorities to share practice and discuss our concerns. We used this to shape the agenda for the afternoon.

And in the afternoon we were joined by representatives from the Government Digital Service PSN team and PSNGB (the suppliers’ organisation). We put the questions that we had developed in the morning to them, and this stimulated a lively debate.

The event wasn’t expected to come up with all the answers (and it didn’t!), but we did get some useful clarifications and agreed some follow up activities which will now be taken forward using a ‘task and finish’ approach. We also discussed a broader range of issues than just unmanaged devices (possibly an indicator of poor chairing on my part!), and this gave us the opportunity to get some useful clarifications on other aspects of the PSN’s direction.

How did the discussion go and what happens next?

From the work we did in the morning session we identified four main areas which we wanted to focus on during the afternoon. These were:

1. How will the future direction for the PSN connect in with other compliance requirements, in particular health and the Police?

It was generally agreed that from a local authority perspective we often find ourselves having to take account of very different information assurance approaches and different interpretations of standards such as the new ‘OFFICIAL’ marking scheme. This can result in highly complex ways of working in order to meet the requirements of our various partners.

This was a tricky question for the PSN team to answer. They don’t have jurisdiction over many of the organisations involved, so finding a way to join things up is going to rely on collaboration rather than edict. They asked us to let them know where we come across these challenges, so we need to use our existing networks (for example WARP and regional SOCITM groups) to feed those through.

This will be something which continues to be an area of focus for the Local Government Association’s PSN programme board, which is working to make sure that local government is part of influencing the direction for Information Assurance that our partners take. Given how complex this is I don’t think that this is going to be a quick fix, so we’ll all also need to continue to work with partners on a local level to find ways to enable sharing of information, and share good practice to help others do the same.

2. Will the PSN take account of the needs of local government and the partnerships we rely on as they develop their compliance requirements?

The response to this was encouraging. We were given a clear statement that the PSN approach will be adaptive to reflect the different types of organisation who need to connect. Larger organisations will be expected to demonstrate a greater level of maturity in their information assurance arrangements, and smaller organisations will have a lighter touch. This was good to hear, and in my view demonstrates a big step forward from the days of ‘zero tolerance’ in 2013.

3. What are the implications for councils from the changes to the PSN Code of Connection which have been announced recently, and how can we make it easier to get consistent advice on acceptable ways of enabling access for unmanaged devices?

Throughout the discussion the PSN team put a lot of emphasis on listening and collaborative ways of working, and it’s clear that they are hoping to engage in a very different way to the ancien régime.

In terms of the high level approach, we were given a clear steer that the notion of ‘PSN originated data’ is definitely gone. In the future the PSN controls will focus on managing risk to the network, and data owners will be able to make their own risk decisions in terms of the ways that data is made available. The key being that where you are sharing information you need to be clear about what the data owner considers acceptable, and abide by their requirements.

In my view this is a welcome change, but it does have the effect of making things more complex (which is ever the way with a more pragmatic approach — and in my view is preferable to the alternative of ‘levelling up’ to whatever is needed by the most risk averse organisation). We will need to work together to figure out a way to make sure that advice to authorities is consistent.

In terms of specifics, there’s still a lot of detail which needs more work. For example, a question asked by several attendees was whether ‘container’ based solutions for providing access using unmanaged mobile devices would be acceptable for PSN connection if your whole network is in-scope (i.e. you have a ‘flat network’)? The current answer seems to be ‘no’, as CESG advise that these types of solution pose an onward risk back to other connected organisations. This was subject to some discussion, and it’s clear more work is needed to establish what will and won’t be acceptable to the PSN.

But we did get clarity that there are acceptable ways of providing flexible access while also complying with the PSN Code of Connection requirements. For example, thin client desktop access with no data on the end user device is in principle acceptable, subject to making sure that the design meets the PSN security requirements. And the PSN team will also be happy to review designs before they are implemented to advise on whether or not they will be acceptable.

We agreed that a good way to take this forward would be to establish a ‘library’ of approved solutions. This mustn’t be restrictive as technologies are changing rapidly, but it will help councils make sure that they are aware of the existing options available and avoid rumour and misunderstanding leading to incorrect assumptions about what would not be allowed. Nick Roberts (@socitmpresident) and I have agreed to meet with the PSN team in a few weeks’ time to sketch out a process and template, with a view to then drawing on the wider local government community to help produce this library. This will include giving thought to suggestions for the best way to share this information for future reference.

4. Finally, how will the growing use of cloud services be reflected in the PSN requirements?

A number of people were also keen to get a clearer understanding of the PSN’s position on cloud services (for example the use of Google Apps for Work and Microsoft Office 365). We didn’t get too deep into the specifics of this (as it wasn’t the core topic for the day), but the key message was similar to those for unmanaged devices — the essential requirement for PSN compliance will be the need to demonstrate that the design mitigates any onward risks to the PSN network.

So in short, my main conclusions from the day were…

  • The PSN do not have a blanket ban on providing access using unmanaged devices, but it will still be essential to demonstrate that security architectures mitigate onward risks to the PSN network.
  • The risk appetite of the data owner will be key, and we are all going to need to make sure that we’re clear about that as part of our information sharing agreements.
  • The PSN team are committed to working collaboratively with councils to develop architectures that will work, and recognise that local government has specific needs which need to be reflected in the Information Assurance approach.
  • We need to do more work together to develop clearer guidance which will help councils feel confident that they know which approaches will be accepted, and we can then continue to develop that over time to make sure that we keep up with technology change.
  • And that’s going to be best done if it involves people from across local government. The number of people who made the effort to come to the workshop suggests that it will be no problem getting people to help make this happen!

Thinking about ‘Think Digital’

I enjoyed Dave Briggs’ Think Digital webinar. I thought it was a good walk through some of the key principles which should underpin a different way of delivering public services. I jotted down a few notes as I listened, picking up on the key points which stood out to me. You can listen to the webinar here: http://vimeo.com/m/101912478.

I thought that ‘Permission’ is a very useful concept. I think that digital leadership is less about showing the way and setting a specific agenda, and more about creating an environment where people can innovate in a constructive way (which involves setting guidelines and parameters, but has to allow for creativity — because that’s where the magic is).

‘Death of one size fits all’ is also spot on. But we also need to respect complexity and invest in the foundations needed to enable agility. We need to make sure that ‘digital’ doesn’t just become a justification for random online stuff, with a plethora of websites that baffle our users and create obstacles to genuinely user-focused services. This is particularly challenging in a public service context where we do so many different things. Core capabilities, such as identity / sign on, need to be built to be reused, and I’m very drawn to the ‘Government as a Platform’ model.

‘Should we really be doing this?’ also makes me want to ask whether ‘this’ is a thing we need to be doing in the longer term (which means we need to plan for sustainability and it may be best to join up with other organisations or groups who already specialise in the topic at hand), or whether the need is point in time (in which case a home grown and ‘throw away’ approach might be just fine).

I wonder whether the points could be grouped into themes? e.g. What you do… How you do it… How you make sure that people are doing it right… I’m not sure about that, and it may just be my inner yearning to write local gov papers…!

And my own experience suggests that the iterative / ‘minimum viable product’ approach (which I endorse) can be a challenge for users — who often struggle to adapt to that way of working. I wouldn’t underestimate the effort required to reposition expectations, especially in the public sector where there seems to be an unhealthy appetite for ‘IT disasters’…

All in all, I thought that Dave’s approach is a really useful outline of how we should approach making digital work in government. And now I’m off to persuade some other colleagues to take the time to watch it too!

Defining digital

Never one to miss the opportunity to get involved in a debate on a topic I’m interested in, I thought I’d add my tuppence to the ‘what does digital mean?’ question which I’ve recently seen discussed…

Matt Jukes posted a piece mulling over the question on his blog.

Phil Rumens made me feel nostalgic for our first CD player here.

And Gavin Beckett described how Bristol City Council are defining digital here.

I guess it’s easy to ask whether it really matters how we define digital. But as the focus of government and business at large shifts to seeing ‘digital’ as a core part of successful business models, it seems sensible to make sure we’re all clear about what we’re aiming to achieve. And when you see how digital is helping companies like John Lewis to grow their online and offline business, and Uber to transform urban travel, ignoring digital seems naïve at best.

For me ‘digital’ feels very similar to Gavin’s definition: it’s about technology, but it only works if it’s based on a fundamental rethink of how services are designed, putting the user need first and foremost. It isn’t just about popping a website at the front of the same old ways of providing services. And this applies equally to internal services (intranet etc) as it does to citizen facing services.

The implications for our architectures, systems, business processes, ways of working, information and relationships with citizens and other service users are huge. Interesting times indeed!

One Local Gov Digital: some further thoughts

An otherwise slightly frustrating day has been brightened up by some really interesting conversation about local government digital today. A (digital) coffee with @bmwelby at the start of the day was followed by an equally good (and also digital) pre-lunch chat with @PhilRumens, @pmackay, @_BforBen and others.

My first observation was how easy it is to use tools like Twitter, Google+ and Google Hangouts to bring people together to discuss common topics of interest. Having seen another of my local government IT colleagues take the bold step of allowing access to the ‘normal’ internet earlier this week, I’m amazed that we still have to put effort into making the case for removing some of the Stone Age barriers which stand in the way of our users getting stuff done. Nothing we talked about today was sensitive, and I feel better off for having had the opportunity to connect with colleagues who are working on the same challenges I am grappling with (with zero travel cost to the public purse too!). And I know that it’s not just tech enthusiasts who want to have these sorts of easy collaboration tools at their disposal to help them with their work.

Some broad areas of agreement emerged from these conversations (although the other participants may want to correct or clarify my recollection!):

  • I think we all recognised the importance of reflecting localism, and the need for local government digital to be firmly plugged into the different communities which councils serve.
  • And we were also very focused on trying to make sure that councils can offer their residents and businesses the best of digital technology and service redesign, and make sure that we use shared endeavours to achieve this for the lowest possible cost. We made several references to work which has been developed from the recent Local Gov Camp event, exploring ways to help make this easy.

We discussed several ways that sharing could be useful, in particular:

  • Sharing our roadmaps so that we can easily check where other councils are working on similar areas and spot opportunities to collaborate.
  • Sharing the processes and content we produce as we redesign services for digital.
  • Working towards shared standards so that we increasingly build reusable components that other councils can use, and sharing our design principles and lessons learned to help other councils get the most progress for least cost.
  • And this would be supported by making our code open source too (although I realise that this isn’t a new idea, and others have pointed out that code which is already open source isn’t always being reused).
  • And we should also be sharing our data, ideally as open data.

What I found particularly interesting about the conversations were the challenges we will need to address to make this possible. Key issues which struck me as particularly important were:

  • The need to adopt clear principles of sharing as the foundation of a collaborative approach. It seems self-evident to me that using something like the Open Government licence would be in the best interests of local government as a whole. But I don’t think that this is an accepted principle in all quarters, and as councils look towards income generation to help offset the effects of budget cuts I can see this becoming an area of some debate.
  • The need to pick the right tools to enable the different elements of sharing. Tools like GitHub are perfect for sharing of code, but there needs to be something to bring the various components together in a user-friendly form to create a ‘hub’ for digital collaboration that will be useful for techies and non-techies alike.
  • The need for a ‘gravitational force’ which can draw digital collaboration together. From the perspective of the councils I work with, we’re already benefiting enormously from sharing together and with other councils whose work is helping us drive forward our digital change. But too often this relies on use of our contact networks and keen enthusiasts publicising their work. This is powerful and effective, but also somewhat haphazard. It would be great to see a ‘core’ for local government digital collaboration, building on what feels like promising foundations and becoming the natural first reference point for sharing digital work.
  • And it isn’t all about what councils create. Citizen hackers and a range of groups are creating useful digital tools which could be used much more widely. It would be ideal to use our work to provide a way for the products of their efforts to be made available for public benefit too.

One Local Gov digital?

There’s been a conversation bubbling around lately about the need for a single Local Government Digital Service (one LOCAL.GOV.UK if you will). If memory serves, the current round of this discussion was kicked off by @dominiccampbell, and I’ve read some interesting contributions to the discussion since. These include:

I’m not at all convinced that the argument makes much sense: ‘digital’ is a much bigger thing than ‘websites’, and local government is not the same thing as central government. That’s not to say that we shouldn’t be looking to share services and to do our work as efficiently as possible. The two councils I work for have had their budgets cut by c 40% / 50% between 2010 and 2018, and our focus is absolutely on protecting the money we have left to maintain the frontline services our communities rely on. But having had a year’s experience now in leading work to put in place a shared technology platform across two councils, I think it’s easy to understate the complexity involved in making shared services succeed. A shared digital platform across several hundred councils would be enormously challenging.

I think the place to start is to understand the business of local government. The ‘local’ bit really matters, and councils need to respond to a great variety of local needs. And that’s before you get into the complexity of different responsibilities across different types of council. I don’t find a single local government website plausible — Councillors will (rightly) feel strongly that their council’s digital presence needs to reflect what matters to local residents, and this will inevitably mean that content and emphasis will need to differ across boundaries.

The array of legacy business systems will also mean that an apparently neat solution of one local digital service will be highly complex. Different approaches to insourcing vs outsourcing; security vs flexibility; different contract timescales; and the growing use of cloud services inevitably mean that the information and processes needed to enable true digital services are not simple to join up. And unlike central government, there isn’t a lead agency for each service area so similar work can often be done very differently across authority boundaries (to pick a simple example, some Councils charge for garden waste collection but others don’t).

But I’m not even convinced that ‘one’ is the best answer here. Other colleagues have commented on how the current local authority software market feels very tired, and even medieval in its nature. We desperately need to encourage new suppliers to enter the market and help us drive innovation in local service delivery. I think that a monolithic approach will militate against this and take us back to the old fashioned monopolies which we need to move away from. A local approach means that we can encourage small and medium sized enterprises to test out new ideas at a manageable scale, and provide an environment to incubate new ways of delivering services. I’m convinced that variety can be a strength here.

Overall, my main concern about the suggestion of one digital service for local government is that any ‘win’ from savings on content management systems will quickly be lost many times over in lost opportunities for service change and the complexity of governance issues. But that’s not to say that there isn’t much which we can share.

A model based on sharing and reuse of technology, content, service redesign and digital principles has a lot to offer for local government, and I see lots of examples where that’s already happening. Examples include:

There’s lots more potential here, and I’m sure that we can keep pushing hard to make more of these opportunities. But I think it’s important that we focus on what’s practical and best suited for the environment we work in, and that we work iteratively to build momentum across the sector. There’s too much we need to do to spend time on Grand Schemes which won’t actually address the big issues we need to fix.

But overall, I think the argument is probably best made by @MartinHowitt.

‘nuff said.

An applications strategy fit for digital?

There’s been lots of debate lately about the best approach for local government applications and digital services. As councils work to manage further dramatic budget reductions and to meet the demand for more personalised services, our legacy business systems are very often among the key factors which hold us back and limit our ambitions.

Some colleagues have pointed out that the traditional way we source and run our applications feels rather medieval (I think that there’s some truth in that); there are lots of voices arguing for more use of cloud and open source solutions (which I think should definitely be part of the answer, but in my view it will take a while before they are providing a significant proportion of the services we need); and some people are making the case for a unified pan-local government approach to address challenges such as delivering digital services (which I’m not convinced by — a ‘one size fits all’ approach may indeed reduce some technology costs, but I don’t think it is the right model for local government where different types of council have different responsibilities and are driven by the need to respond to their local demands and priorities).

But I am convinced of the need for change. In a rapidly changing technology landscape, and as the future for local public services is debated and shaped, I think it’s key that we look at our applications strategies and get them fit for a future which is uncertain but which also holds exciting possibilities. There’s a real opportunity for IT to make a big contribution, and the way we design our applications portfolios will have a big influence on the choices available to our organisations.

What’s the problem?

The current local government application vendor market feels tired and I don’t think that it’s fit for a more complex future which will force us to work in more agile ways (enabling use of a wider range of devices, more flexible working scenarios, and new partnerships with a wide range of people and organisations). For example, all too often we find that suppliers tell us that their support for mobile working depends on a specific type of device or that they don’t have a mobile solution at all — a very 1990s approach! And similarly, often the APIs we need to join our systems up and make our information work harder for us are variously absent, unreliable and poorly documented, or only available for very significant extra cost.

The problem is that a ‘rip out and replace’ strategy requires money (which is scarce), needs to fit in with our investment cycles and has to compete for resources along with other major changes to the way we run our businesses. The answer has to be based on business need, not just our technology philosophy.

What might the answer look like?

I don’t think that there’s a quick or easy answer to this, but there are some key principles which will help us build our way out of our current legacy ecosystems and move us to a more flexible future. We need to look hard at our applications strategies and make sure that they are fit for purpose. I think that it’s essential that we:

  • Build enterprise architectures which include the key capabilities that will allow us to bring together a wide range of solutions, including cloud based services.
  • Create an environment where new suppliers are encouraged to come into the local government market — challenging the traditional providers and rocking a few boats. (So I’m definitely supportive of the open systems alliance which Camden are championing)
  • Be pragmatic about cloud. Cloud services are definitely going to be an important part of our toolkit, but often when we’ve looked at cloud options it’s become clear that they would actually significantly increase our costs (not to mention requiring a shift from capital to revenue funding which is also quite challenging). Cloud is important and its value to us will only grow, but we need to learn how to use it well.
  • Be positive about open source, but not dogmatic. And where we are able to use open source solutions, make the code for any developments we do available for other councils to reuse. (See my previous post here: https://bytherye.com/2013/04/20/sharing-our-digital-endeavours/)
  • Make sure that mobile solutions are based on web standards, not device specific software (unless there’s a compelling reason for using native apps — this blogpost from the Government Digital Service gives some good pointers for making that decision: https://gds.blog.gov.uk/2013/03/12/were-not-appy-not-appy-at-all/). It’s essential that we are able to take advantage of new developments in the rapidly changing mobile market, not get locked into a particular device ecosystem.
  • Make open architectures with standards based APIs key factors in our procurement decisions. I’ve been inspired by some of the examples I’ve seen where companies are using open, component based, architectures to deliver amazing business results (Bechtel provide a great case study for this). But many of the ideas and challenges will be reminiscent of the days of e-government, and we will need determination and stamina to address these and learn the lessons of past experience.
  • Consciously avoid getting too deep into any one supplier’s ecosystem. We need to make sure that we make it as easy as possible to change suppliers when they no longer meet our needs, not get stuck moving at their pace of innovation.

Over the coming months we’ll be reviewing our applications strategy, and I’m determined that we build a new approach based on these principles. It won’t be a quick fix, but I’m convinced it will pay significant dividends if we get it right.

Keeping our information safe and using it well

Getting the right balance between security and flexibility has become a really hot topic across local government of late.

Traditionally, the way we’ve kept information safe is to implement as many security controls as we possibly can. We make sure that we have full control over everything and that’s made us feel confident that there won’t be any incidents where sensitive information will get lost.

But the reality is more complex than that. Questions we need to ask ourselves include:

  • Are we designing our systems to reflect the way that our organisations need to work in future?
  • Are the controls we’re implementing proportionate for the information that we’re trying to protect?
  • Are we in danger of simply adding barriers which consume precious time, getting in the way of the real work?
  • Are some of our technical controls actually increasing risk, as people do things like print material or use personal email so that they can get things done while they’re away from their desks?
  • And can we actually afford to provide all the new devices which will help people work in a more mobile way if we insist on providing less flexible ways of accessing our systems?

To quote Mike Bracken from an interesting article I read recently about some of the ICT challenges the US government is dealing with: “In many government services you really only see two voices: the voice of security and the voice of procurement. The voice of usability isn’t in there as well.”

There are two really important reasons why these questions are critical for councils in the current environment…

As I’ve mentioned before in a number of my posts, councils of all political shades are working to deliver services through a more diverse range of partnerships than ever before. For many this is the only way to keep those services running in the face of truly dramatic budget reductions. This means that as well as more collaboration with central government, other public services such as the NHS and Police, and big private sector providers; councils also need to find ways to make it easier for community groups and the public at large to work with us to help find new ways to keep critical public services running. It’s essential that ICT teams find ways to help this succeed, rather than creating barriers which stand in the way of our business strategies.

We also need to find ways to help our people work more productively, taking away the obstacles which reduce efficiency and the time spent on valuable work. But with such large budget reductions can we really afford to provide this across the board in the traditional way? To be honest, I think that notions such as ‘Choose Your Own Device’ which I’ve heard people talk about recently are only going to work for wealthy organisations who can afford to offer a smorgasbord of shiny things to their users. Given the large numbers of people who already have their own smartphones and tablets, we need to embrace a secure Bring Your Own Device approach which lets them take full advantage of what they already have. And this needs to take account of what will make people actually want to use their own devices. Taking away everything which makes their smartphone fun by implementing a full set of corporate controls (a notion I’ve heard described as ‘Donate Your Own Device’!) just won’t work.

In mulling this over I’ve pulled a few thoughts together in the slides below. To me the key is putting the risks in context, thinking about the bigger picture and adapting the way we secure our systems to provide a sensible level of technical control which is appropriate to the information we are giving access to. And I’m sure that if we challenge ourselves and look for a different approach, we can both help our organisations work more effectively and actually reduce the risk of losing information at the same time.

https://docs.google.com/presentation/d/1KbjGOMJrshIm1pou_Aemd76Z-HjA33VvFNBsrcktgcI

Securing mobile BYOD: keeping up and doing it right

The technologies for securing access to business information and systems from personal devices are becoming very capable, and they are developing very rapidly. These should be taking away the fear of ‘Bring Your Own Device’, which is still surprisingly common among ICT teams, and allow us to embrace a change which gives us the opportunity to provide a much more user focused experience without compromising the safety of our organisations’ information. Actually, I think this will improve security too.

Firstly, I have no intention of allowing an unsecured device to connect into our secure networks. The focus for BYOD has to be on delivering information securely beyond the network, not opening the doors to all manner of unmanaged threats — that would be daft!

But I also genuinely don’t believe that managing a personal device as you would a corporate device is a viable BYOD proposition. Nor do I believe that it’s necessary given the technology capabilities available and the right policy and practices (I recently blogged some thoughts about how the traditional business and ICT relationship for security needs to be rebalanced here: https://bytherye.com/2013/08/28/does-ict-need-a-manifesto/). Indeed, I think that BYOD could actually increase the safety of information as it will reduce the likelihood of users doing really silly things such as losing sensitive paper documents and emailing inappropriate information to personal addresses. Evidence from the Information Commissioner shows that these are by far and away the most common reasons for information incidents (http://www.ico.org.uk/enforcement/trends).

Councils have had close to 50% of their budgets cut and we have to work much more closely with communities and a wider range of partners to help bridge the gap. We need to meet the BYOD challenge or ICT will be creating expensive barriers to achieving those business goals (for example, community groups are unlikely to be willing or able to pay a large ‘IT tariff’ just to have a council device so that they can work with us, and you can’t manage a device with two different Mobile Device Management services — which is important where partners need to use their own managed corporate devices to work with us).

The main mobile platforms have been making major leaps forward in addressing concerns about security, and tools we already have available can help us to make this work.

Mobile Device Management providers such as AirWatch (http://www.air-watch.com/solutions/bring-your-own-device-byod) can provide the ability to implement sufficient controls and where needed lock business information safely away in a secure container.

And we actually even have very powerful tools available within our existing email services which again allow us to make sure that appropriate protection can be provided if we allow access to our corporate email from a personal device. These include requiring a passcode lock, wiping the device after a certain number of failed password attempts, remote wipe for devices which are lost or stolen, limiting the amount of email which gets sent to the device (for example, seven days’ worth is quite sufficient for users to get a big productivity gain while also significantly limiting the amount of data which is sent to the device), encrypting the device and managing how attachments are handled. For detail of some of these capabilities check out these links:

Microsoft Exchange ActiveSync: http://technet.microsoft.com/en-us/library/bb123484(v=exchg.141).aspx

Google Sync: http://support.google.com/a/bin/answer.py?hl=en&answer=1408902
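As an added illustration (not part of the original post, and not taken from the linked documentation), the email controls listed above could be expressed as an Exchange 2010 ActiveSync mailbox policy along these lines. The policy name, the mailbox address and every threshold other than the seven-day email window are assumptions chosen for the example.

```powershell
# Run in the Exchange Management Shell (Exchange 2010 cmdlet names).
# Policy name, mailbox and thresholds are assumptions for illustration only.

$policyName = 'BYOD-Personal-Devices'        # hypothetical policy name
$mailbox    = 'example.user@council.example' # hypothetical mailbox

$settings = @{
    Name                            = $policyName
    # Refuse devices that cannot enforce the policy; otherwise a device
    # that ignores the settings below would still be allowed to sync.
    AllowNonProvisionableDevices    = $false
    # Passcode lock, with an idle timeout before the device locks itself.
    DevicePasswordEnabled           = $true
    MinDevicePasswordLength         = 6
    MaxInactivityTimeDeviceLock     = '00:05:00'
    # Local wipe after this many consecutive failed passcode attempts.
    MaxDevicePasswordFailedAttempts = 8
    # Require encryption of the device's storage.
    RequireDeviceEncryption         = $true
    # Only the last seven days of email are synchronised to the device.
    MaxEmailAgeFilter               = 'OneWeek'
    # Attachment handling: allowed, but capped in size.
    AttachmentsEnabled              = $true
    MaxAttachmentSize               = 5MB
}

New-ActiveSyncMailboxPolicy @settings

# Apply the policy to one mailbox, then confirm what is actually in force.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List Name, AllowNonProvisionableDevices, DevicePasswordEnabled,
                MaxDevicePasswordFailedAttempts, RequireDeviceEncryption,
                MaxEmailAgeFilter, AttachmentsEnabled, MaxAttachmentSize

Get-CASMailbox -Identity $mailbox |
    Format-List Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy

# Remote wipe of a lost or stolen device is a separate, per-device action
# (Clear-ActiveSyncDevice) and is not part of the policy itself.
```

In Exchange 2013 and later the equivalent cmdlets are named `New-MobileDeviceMailboxPolicy` and `Get-MobileDeviceMailboxPolicy`.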

Balanced with the right policies, robust user training and alternative secure solutions for more sensitive information (a much smaller but very important part of the information we look after) I’m convinced that this approach can provide a viable way forward.

But we also need to remember that providing access to email and calendars is really only the first step in delivering a genuine shift and enabling our users to work productively from any device. Recent updates to iOS and Samsung’s Knox give much more sophisticated mobile management capabilities, accelerating a move away from Mobile Device Management towards secure Mobile Application Management. These links provide a bit more detail about these changes:

iOS 7: http://www.citeworld.com/mobile/22439/iOS7-mobile-management-mdm-mam

Knox: www.samsung.com

While these are very recent additions to our toolkit, the potential they offer is substantial. And let’s not fall into the trap of thinking that this is all about ‘bring your own’ and playing with shiny toys. It’s about ICT moving beyond the old ‘all in one’ model where we have to control everything, it’s about removing technology barriers to our organisations’ innovation and it’s where we have to get to if we’re going to still be relevant in only a short period of time.

Does ICT need a manifesto?

I was struck by this blogpost from @ThinkingPurpose recently: http://thinkpurpose.com/2013/08/01/goodbye-ict-youre-already-dead/. It’s a cri de coeur describing how it feels when the ICT tools you’re provided with at work seem to be designed to stop you being productive. I suspect that this is a sentiment that more than a few other people would echo too…

This got me thinking about whether it might be time to replace the traditional ‘ICT strategy’ with a manifesto. Something which speaks about what the ICT team are for, rather than the traditional statement describing the technologies we want to use. And something which makes clear the relationship between ICT and our users in achieving our common goals.

As in many businesses, the astonishing pace of change in technology gives those of us who work in local government ICT a real opportunity to help our services meet the major challenges presented by unprecedented budget cuts. If we use technology well we can free up our people to spend more time doing work which matters, and start to use our information resources more effectively — helping to plug some of the gap left by the cash resources which we are losing. The potential extends further too, into digital services and using open data to help change the relationships between councils and the communities we serve.

However, this pace of change in technology presents a significant challenge for ICT teams. Traditionally business ICT functions (not just those in the public sector) have been heavily focused on providing reliable, locked down and standardised technology models which are not necessarily well adapted to a business environment where services are changing radically to respond to major financial challenges, and new user devices and ‘apps’ are springing up at an incredible rate. We need to learn to adapt to this.

We also need to build a mature relationship with our colleagues. One where we effectively share the responsibility for using information well and keeping it safe. It’s really important that the ICT team don’t fall into the trap of becoming the internal police, telling our users what they can and cannot do (the “computer says no” approach). As I’ve blogged before (https://bytherye.com/2013/11/09/keeping-our-information-safe-using-it-well/), keeping information safe takes more than technical controls, and this fascinating graph from the Information Commissioner’s Office (http://www.ico.org.uk/enforcement/trends) shows that by far the biggest cause of data breaches is human error — often because of poor use of case records. Technical controls are vital (especially to protect our systems from outside threats), but it’s perfectly possible to achieve an appropriate balance of security and flexibility without increasing the risks for the information which we’re responsible for. In fact I’d argue that greater flexibility can actually increase security — have you ever tried to remotely wipe paper documents which have been misplaced?

Creating an environment where ICT can support real business change is key to getting the most benefit from the opportunities that technology offers. Successfully harnessing this potential depends on an effective partnership between ICT and frontline teams. By working together, sharing responsibility, and providing tools which are risk managed, not stuck in a model which is 10 years out of date, ICT teams have a real opportunity to be seen as part of the core business, not a ‘back room’ function. That sounds like a good place to be!