• United States




Some states get it; some don’t

Apr 13, 20103 mins
Data and Information SecurityIT LeadershipPrivacy

Bob Bragdon says politics shouldn't dictate government privacy policies.

In my travels, I get a unique glimpse into how security is approached by various vertical markets and industries, as well as by all levels of government and its assorted agencies. Some impress me with their forward thinking, while others just don’t seem to be getting the message.

When it comes to government, what is that message? It’s that security is no longer optional. As our governments, they are in possession of the most private and sensitive information about us: financial, medical, criminal and so on. It’s no longer acceptable to take shortcuts in protecting the data we entrust to them.

Unfortunately, they don’t all seem to be getting that message very clearly.

In some states, such as Washington, Oregon and even California, with its significant financial challenges, elected officials have made information security a priority. As in the private sector, they have come to understand the risks a cyberattack poses to both their own reputations and the safety of their customers (in this case, the taxpayers and voters). In these states, the role of the information security officer is critical and we see ISOs at all levels of state and local government.

In other states—Pennsylvania, for example—we see IT and IT security budgets being cut over the past several years, and a clear message being sent that security must give way to the larger bureaucracy of state government. Just a few weeks ago, Pennsylvania dismissed its CISO, allegedly for talking about a data breach at RSA without prior authorization. Sounds a little convenient for me. Politics at play. (See Maley: How the Firing Really Went Down and Ira Winkler’s Sometimes You Should Just Keep Quiet for two different views of that story.)

It’s really not that different from what we see in many private businesses. The CEO either gets security or doesn’t get it. In the private sector, the CEO is sometimes taking a calculated risk, and we in business understand that. Greater risk can lead to greater rewards. But I really doubt that Governor Ed Rendell is taking an educated risk. I say this because when it comes to government and the management of its citizens’ data, the same risk equations do not apply. You either protect the data or you do not, and accept the consequences of the breach that will inevitably occur if you choose the latter. I guess that makes it a political equation.

As for me, I don’t want political equations deciding the fate of my most sensitive, personal information. I just wish all our government officials understood risk like we do in the private sector.

What do you think?