Thursday, November 25, 2010

The ongoing struggles to balance IT security and staff empowerment

Governments around the world are struggling to manage the dual challenges of maintaining IT security while also enabling their staff to do their jobs in a digital world.

The Australian Government has endorsed social media engagement by staff in its Open Government Declaration, stating that:
"Agencies are to reduce barriers to online engagement, undertake social networking, crowd sourcing and online collaboration projects and support online engagement by employees, in accordance with the Australian Public Service Commission Guidelines."
Meeting this commitment remains a challenge in many agencies. It takes time to assess services, mitigate risks, adjust processes and policies, and train staff.

This week we've seen just how hard this balance can be, with one large Australian Government department cutting about 700 staff off from an online service that was experiencing very rapid growth.

The service was Yammer, a social media network designed to be used within enterprises.

Yammer allows organisations to establish an internal network supporting micro-blogging (like Twitter, but for staff only), file sharing, direct messaging and communities, with every message stored and searchable for knowledge management and security purposes. It supports tagging and integration with third-party applications, and has a strong security focus: its business depends on keeping customers' messages confidential, so if Yammer's messages were not secure it would not have a business.

Over 100,000 organisations use Yammer, including large internationals such as Deloitte and Cisco. At least 39 US government agencies are signed up to use the service via Apps.gov, and the Flemish government in Belgium uses it as well.

Closer to home the service is in use, to my knowledge, in the Queensland, NSW and Victorian governments, as well as at the federal level.

Examples include the Victorian Department of Justice, with over 550 members on Yammer as of May 2010. The NSW Department of Education and Training uses Yammer and established a community for teachers to provide feedback on the Australian Curriculum. Queensland Transport has apparently been astounded at the rapid growth of the service amongst staff.

Federally, I'm aware of use of the service in at least six agencies on a trial or active basis.

However, Yammer and other social media services still face enormous challenges gaining IT acceptance.

In the federal department mentioned above (with 700 or more users, including senior managers), the growth of the service was extremely rapid. Presumably this is because it provided functionality that staff could productively use in their jobs.

However, after a short period of consideration, the service was banned and blocked from the department. I've heard several versions of why this occurred, the most common view being that its introduction had not followed the correct process and that usage was growing too fast to be manageable.

The use of social media in a number of other agencies remains strictly controlled or blocked altogether. I am aware of several other agencies that have been threatened with, or have had to, shut down trials of services such as Yammer due to ICT security concerns.

Security concerns are real. So is the value of online services to government employees.

Where an online service is adopted very quickly, it has clearly met a staff need that existing ICT services do not.

However, it also poses a fast-growing challenge for security people, who must ensure that an agency's network remains secure.

How do we balance these needs to secure organisational networks while empowering staff?

This quandary places senior management in a difficult position. If they take a straight 'block' approach to online services, they could face employee dissatisfaction and diminished productivity. If they take an uncontrolled 'allow' approach, they could see networks compromised and data lost or stolen.

With new, highly useful online services emerging almost every month, senior management need to educate themselves on the potential risks and benefits and make the most appropriate decisions quickly.

Staff need to be supported with appropriate guidance on how and where to use online collaboration tools.

Sharing information between agencies more actively would also help build a base of experience in the secure management and effective use of online services.

It would also be very beneficial to have centrally secured and approved services available through a platform such as Apps.gov, to help mitigate the risks borne by individual agencies.

Ultimately, however, ICT security and business areas need to work very closely together, having open and frank discussions to build a mutual understanding of the concerns and benefits surrounding online tools.

14 comments:

  1. “The Net interprets censorship as damage and routes around it.” — http://en.wikiquote.org/wiki/John_Gilmore

    Love my iPhone and portableapps. Hate my work PC.

  2. Hi Craig

    This event highlights the need for agencies to actively engage with their staff on the use of social media - Now. For some time I have been pointing out that people can access and use services like Yammer without intervention from IT.

    In many instances the ball has been completely dropped on this issue. What the agency concerned should have done is got in there and engaged with their people.

    Blocking will not work and it is about time there was more mature judgement exercised. So the message to IT and other corporate areas is: stop behaving as if the technology is new, stop treating the whole social media thing as a 'project', and engage with their staff now to develop a sensible social ecology.

    The severe risk aversion of IT departments and failure to engage with staff is creating even greater risk. Ironic to say the least.

    Steve Davies

  3. I think we're now nearing a point where many agencies want to try things and the fast-and-loose experimentation that we could do on *very* small tests needs to undergo a level of proper governance in order for things to happen properly.

    There naturally needs to be a balance - we need to be able to try things and test the waters, but senior management and security need their concerns addressed too.

    Blocking will never work. It angers or irritates and Gilmore's Law gets invoked otherwise.

    Something I think needs to happen is for the lead agency to establish a set of guidelines on how to test services and then roll to implementation if they prove successful. Perhaps they could even provide testbed versions of the services.

  4. We reached 234 members before we were asked to 'halt our pilot'. Now waiting for the policy document to be approved to start using it again.

    Interestingly it was 'support' staff (HR, finance etc) that were the fastest groups signing up.

  5. We've had social media in government for over a century now - it's called the telephone, and it allows any person to contact any one of millions of other people and tell them anything.

    I don't see the phone banned from workplaces...

  6. In my experience, when it comes to IT Security, business requirements do not come into consideration. IT Security trumps all.

    Because of their control of the firewall they are gods and care not for the needs or wants of pesky business areas, the commoners. Nothing comes between them and their charge to defend the realm.

    Someone needs to take them back to school and teach them that taking some risk is necessary for progress and innovation, that risk can be managed and consequences mitigated.

  7. I'm with Nathanael on this. The need to address security issues is real and obvious. However, a lot of the blockers on this are due to perceived potential damages to reputation. Then there is the fact that empires have been built around IT security. Not a good combination.

    How about the damage done to the reputation of organizations by not trusting and not managing risk in ways that make sense? Sure there is a need to reassure those responsible for security, but those areas also need to adjust their behaviour and engage on this important issue.

  8. Well hasn't this generated activity.

    Yes, we all have phones ... fax, email, printers and USB sticks - oh, I forgot, we meet people for coffee and lunch just to chat. There are so many ways information can be distributed. IT Security is also fearful of the third party (or parties) hosting the social chatter - Yammer, for example - who may use information against an agency either by publishing or selling it; true, for this was the excuse I received.

    It isn't always agencies who are trying various apps to test the waters. Those passionate few who have been trying to drive change also just go out on a limb and force a decision or make a service available to gauge a response externally.

    As usual all the nods and winks from the executive which make staff think something will change still just keeps the status quo or one step back. I am all for 'going out on a limb'.

    Are we heading towards a centralised social media application for the APS and the public to cross-pollinate? Maybe this will keep IT Security happy and out of our way!

  9. We've had Yammer informally in use for a couple of years and went to a formal trial in June. During this trial we've seen the user base climb from 250 to over 8000 users, most adopting the service due to good word of mouth. We have had a few issues that we've needed to manage, but these pale into insignificance against the immense value of having a threaded micro-blogging service.

    Staff regularly assist each other with trivial through to extremely important matters; they debate, share resources, support one another and in other ways engage in productive activities. We support them centrally with various forms of assistance as well as light-touch rules of use that align with our overall code of conduct. We monitor the service constantly and have the assistance of other key micro-blogging staff to do this.

    Our experience to date has been overwhelmingly positive. On the basis of what I've seen, I'd thoroughly recommend such a service (Yammer's not the only product out there) for any public agency.

  10. Interestingly, I recently had a conversation with a room full of Local Government IT Managers about these kinds of issues.
    I asked the question about why these types of applications are blocked/not deployed. The answer, surprisingly, was that many supported the use of these technologies, with the proper testing and processes in place, but they are being blocked by out-of-touch senior management.

    Perhaps we need to stop looking at our IT staff as the enemy, and start educating our managers about how this stuff works in "real life".

  11. I can see how you would ban Yammer from an agency, but not how you would block it. Once signed up, users can participate from home or from their iPhone. A web proxy could easily be set up to forward stuff, and of course you can use email to access it too.

    Not so easy to block web services, as anyone responsible for ICT at a school knows. :-)

  12. I have serious concerns about any company whose business model is to spread virally throughout an organisation and then request that you pay for basic admin rights and data ownership; I would consider this organisational ransomware. There are a number of other products that enable your firm to own the data OOTB or, in the case of many risk-averse organisations, pull this behind the firewall.

  13. As one of the aforementioned IT Security neanderthals, I would love nothing more than to "get out of the way". However, risks to my organisation from services like Yammer are real, and it's my job...mandated by Government policy, I'll add...to assess risks and make recommendations on how those risks are best controlled.

    The problem is that once some public servant puts information up onto a social media website, it becomes public information even if it wasn't meant to be. There's this principle called need-to-know; every organisation of every size and type has information that it would consider sensitive or private. A word out of place by any employee and that privacy disappears, damaging that organisation. Sure there are controls, but in the case of social media they pretty much all boil down to user education, and we all know how well that works, right? (Note the ironic tone, there.) Another option is constant monitoring, and that's unacceptable for a number of reasons. The only other realistic option is to say "no".

    Sure, have microblogging in the workplace; go for it, I say. But does it really have to be hosted by a third party that is beyond our control? Remember, the hosting company probably exists in a different country subject to different laws and cultural expectations, and they certainly have different goals in mind. So what's wrong with hosting your microblogging service internally, where you can control who has access to the information? If you can develop a business case to justify use of Yammer, then exactly the same business case can be made to host such a service internally (behind the firewall, as the previous poster said), and all the security concerns go away.

  14. Hi Leitchy,

    I don't disagree about the idea of running an internal version of these types of tools - when they are for agency staff only.

    However, the cost of implementing an internal tool can be much, much greater, and often agencies won't invest in corporate tools to the value required to build or buy one and host it internally.

    In many cases, IT teams attempting to replicate an external service by building it from scratch may struggle to acquire the skills to build a product which has been designed over many years of trial and error. They may even be in breach of patents held by the external companies.

    To be realistic, don't government agencies already host many services externally, outside our 'control' (not that internal hosting necessarily leads to control - whatever control means)? Why not simply put in place appropriate contracts, as we do in many other cases, train our staff, and trust them to work appropriately?

    After all we allow them to have their mobile phones at work - which are equally capable of sharing information widely. And we allow them to leave the office, transporting papers, personal computing devices and even holding conversations outside the workplace.

    Social media hasn't created a risk of employees speaking out of turn - it simply provides new mediums, which can be managed with a little emphasis on staff training and support, rather than attempts to solve human behavioural challenges via technical means.
