A 2-Step Approach to Securing Local Government

Securing Local Government

EDITOR’S NOTE: This is the second in a three-part series focused on information security and the public sector – more specifically, local government.

In the first of our three-part series for local government, 5 IT Trends Changing Local Government, I talked about the changes upcoming generally for information technology management, and how those changes will manifest in the public sector – specifically for local government.

Reminder: this includes cities, counties, public utilities, maritime ports, and any other organization designated as a “special-purpose district” (usually with taxing authority). The following prognostications involve moving the narrative from IT in general to IT security, and the challenges that will accompany those changes.

Note that the changes to which we must adapt include moving the data center and applications out to the cloud (in all its glorious incarnations), while simultaneously pulling in all manner of IoT devices to improve telemetry, efficiency, and cost. This IT transformation is a double whammy, and as the pressure to implement these “smart” technologies grows from elected officials, figuring out how to stay in front of security problems with a shrinking employee pool requires new approaches.


Service Providers Are Becoming the Norm

Already, local government IT is moving from internal management to service providers – to include the spectrum of cloud services.

  • Those services supply varying levels of security controls, and are generally now certified as compliant with industry and regulatory standards. No one would today hand-roll credit card data processing, for example – you contract a service that is PCI-certified, with servers in a certified data center, running a certified application processing operation.
  • SaaS applications are not only in use to avoid the cost of recreating applications that are best of breed (and inheriting management of all the infrastructure in perpetuity), but because their use allows for faster “pivots”, when changes in requirements or long-term direction necessitate a change. If you’ve ever replaced your organization’s financial or ERP systems, you know what I’m talking about.
  • Infrastructure as a service comes with virtualized systems that have maintained operating systems. Yes, you can deploy an application that is grossly insecure on top of a secure OS, but part of the job of security is being done for you.


Focus on Manufacturers, Integrators, and Service Providers

The mid-market (to include local government) will, in terms of the evolution of security, minimize points of control, not controls, and focus on contracts with service providers rather than continuing to staff all IT functions internally.

This is just a reality of the market: the value proposition for working in technology for the public sector is not consistent with that being offered in the private sector, and most of the available talent prefers to contract with government rather than be directly employed by it. Over time, IT professionals will be permanently gravitating to work in managed services: cloud data centers, analytics and business intelligence, value-added resellers, and managed service providers (both IT and security). One key benefit is the ability to create expectations for service levels without worrying about employee churn.

There are two keys to success here:

  1. Understand the life cycle of technology security, and document the roles and responsibilities for manufacturers, resellers, integrators, and administrators – likely with a decreasing focus on the latter.
  2. Once that food-chain is understood, start with procurement and contracting processes to purchase secure products, which are deployed securely, with provision for ongoing security through information sharing and vulnerability management.

Stated another way, you’re going to be depending on resources for security that do not report directly to you, and your leverage will be legal, rather than the threat of poor performance evaluations and nasty notes in personnel files.

In part 3 of this series, I’ll talk about an organization that is working to crack this very code, and using the focus on security management of operational technologies (control systems for water, energy, and waste that will NOT be moving to the cloud) to create the larger discussion and prepare the organization to adopt new technologies, while not creating a large set of unmanaged vulnerabilities.