Government CIOs are working hard to get IT security right, but they still have an uphill battle ahead of them
I've recently been doing some IT risk management training for governments in Australia, and I've been impressed at the commitment shown by IT managers and CIOs to get it right. They are enthusiastic because the risk management approach helps them identify the IT security work they need to do, based on the operational objectives of their departments. This should make things easier - after all, the real security needs of, say, a tourism promotion agency are not the same as those of a department delivering health-care or public security. Each department can manage its costs better, spending only what it needs to keep its IT systems secure.
The IT managers and CIOs I've been talking to would certainly like it to be easier, but they realize they have an uphill battle ahead of them. The problems they face are similar to those of private sector CIOs - management commitment and corporate culture - but there are issues unique to government.
State governments in Queensland and New South Wales have taken a firm stance on introducing information security best practices based on the Australian and international standard ISO 17799, but progress is excruciatingly slow. There is a similar story at the federal level. Australian governments are not alone in this - the US and many other governments are grappling with the challenge of managing their IT security, and though the events of September 11, 2001 have raised the visibility of the issues, not a lot of progress is being made.
The private sector has done marginally better. Risk management is a key objective for almost all corporates, and that has extended to IT security and risk management with tangible support in terms of resources and training. So why are governments finding it harder?
We could point the finger at bureaucracy and the age-old practice of setting objectives without funding them. Bureaucracy is probably the key feature of corporate culture, and private sector bureaucracy can be just as limiting as anything seen on Yes Minister. I know government budgeting cycles are tough, but corporate finance officers probably keep an even tighter hold on the purse strings.
It may be that the culture in government traditionally sees areas such as finance, supply, public security and national defence as the place for IT security. Governments are also traditionally risk averse and find it much harder to shift to a risk-based approach that requires departments to take some risks, just so long as they understand the risks they are taking.
Security in government is also traditionally vested in security agencies, leading other areas of government to see it as not their problem. This background can make it very difficult to introduce a consistent and flexible approach to managing IT risks. There are, of course, notable and remarkable successes, but these are the exception.
Traditional security agencies have been reinventing themselves as whole-of-government centres of expertise and helpful advice. But there is sometimes a lingering mistrust of "spooks" who turn up saying "we're here to help". In most cases this is misplaced, but security specialists who have spent their careers mandating security systems to counter all risks often find it hard to adapt to a new way of doing things. This will change over time, but the real limiting factor is management commitment.
In government that means senior public servants who already have a lot on their plate and may find it difficult to focus on something as technical as IT security. It is not just a matter of money - throwing dollars at the problem is a good way to boost the deficit.
In the private sector, boards and senior management have realized that their organizations and their careers depend on getting IT and IT security right. A risk-based approach is a key part of it, but allocating time and specialist skills is the crucial factor.
It is good to see governments supporting security and risk management training for their IT managers, but high-level accountabilities and focus, together with finding the right sources of expertise, are critical. Getting IT security right means getting in the A team with full backing from the top and support from the trenches. Anything less leaves governments vulnerable to critical failures of the IT systems they depend on.
It is focus, commitment and the right skill base that has produced the notable and exceptional successes in managing IT risk in government. These successes mostly languish in silos, kept there by a lingering culture within government that is reluctant to share information and leverage off the success of others. IT managers and CIOs are generally more open to adopting the successful strategies of their colleagues. As a citizen relying on government IT to deliver government services, I can only hope that departmental managers will support their IT people in making a change for the better.
Mark Ames is chief consultant for information security specialists ICT Risk.