ENSURING SECURITY WHILE PROVIDING ACCESS TO OPEN INFORMATION
A two-headed monster faces public sector agencies. On the one hand, they must make their data transparent and accessible – they are public agencies, after all. But on the other hand, they have to keep that data secure. And therein lies the rub. According to a survey conducted by Grant Thornton LLP, in conjunction with TechAmerica and the National Association of Chief Information Officers, relatively little progress is being made to keep data in the hands of state agencies secure.
This issue was addressed at an executive roundtable featuring IT executives of several Texas state agencies: Anh Selissen, Director of Application Services, Texas Comptroller of Public Accounts; Ed Kelly, Chief Administrative Officer, Texas Department of Agriculture; Jon Percy, CIO, Department of Public Safety; Claudia Escobar, Statewide Security Program Manager, Department of Information Resources; and Shirley Erp, Chief Information Security Officer, Health & Human Services Commission. They were joined at the table by Tony Hernandez, Partner, Grant Thornton.
For all the officers, maintaining transparency is a key concern, and it is the chief difference between the public and private sectors. “We define transparency very classically,” said Jon Percy of the DPS. “We believe transparency means data is available, no matter where it’s been generated or whatever format it’s in and it becomes available with the assurance the data is correct.”
Claudia Escobar said transparency can be viewed differently. “Texans deserve transparency,” she said, “but we do need to protect the security of the public.”
“You come to recognize that you don’t need that information any more, but while it’s in the stovepipe it’s going to remain,” he said. The legal ramifications of hanging onto data that is no longer accurate could be serious, and Percy said no one has been put in charge of deciding what data can be released. At DPS, a lot of the data contains personally identifiable information, and can’t be shared because it deals with criminal justice.
“I don’t want it outside of DPS because there’s a lot of potential for malfeasance and there’s great risk,” Percy said.
At the Comptroller’s office, the situation is similar. Data must be kept longer than at other agencies because it contains financial information. But the Comptroller’s policy is to be transparent. Selissen said the office has become very pragmatic about dealing with the issue, by focusing on a high level summary of information.
“The reporting is not granular where exposure can concur,” she said, “but from a transparency perspective we’ve gotten to a point where we have refined the methodology to offer transparency without the risk of exposure.”
Selissen said the emphasis is on identifying what kinds of information the state and taxpayers want to know, and making in available in a consumer-friendly way.
But transparency can also introduce issues of privacy. Kelly, of the Department of Agriculture, said privacy is partly affected by a generational divide.
“The workforce we bring in today,” he said, “the Millennials, are very open with sharing their own information on social media, which means we have to educate them and make them aware of the difference of sharing through social media at a personal level and what their job responsibilities are.”
Employees who are used to sharing everything on social media are responsible for protecting the privacy of individual constituents, Kelly said. The question becomes not just who has access to the data, but what problems might be caused if the data is shared.
“I don’t want to sound glib, but we do sort of hide behind the rubric of security when it comes to protecting data,” said Percy. DPS maintains legal and financial data, and also medical information controlled by HIPAA.
“As a rule we just don’t release information and if we do and can’t avoid sharing information, it’s very heavily redacted,” he said.
“Do you deny open records requests?” asked Selissen.
“Yes, we do,” Percy replied.
Selissen said the Comptroller’s office has developed policies and procedures for releasing data. “Over the last few years, we have matured in a way that we can say the information we release for transparency is open and does not contain confidential information,” she said.
Grant Thornton’s Hernandez observed that security issues are often dropped into IT’s lap, but since the IT department is the custodian of data and not its owner, IT must be given guidance to deal with it.
“It is easy to blame IT,” said Kelly. But to be successful, a collaboration between the business areas and IT is necessary. Over the last three years, Kelly said his department has made great strides in that collaboration. “We’re not there yet completely, but we’re working on it,” he said. “They come to me and ask for my advice now, where before that the attitude was, ‘Let IT fix it.’”
“Privacy and security start with process,” said Hernandez, and that process needs to be inclusive of HR, the general counsel, and communications. “There needs to be
buy-in that they all have skin in this game. Where are you in that maturity?”
“We are nowhere close to maturity,” said Selissen, “because we’re a large agency who has been around a long time, yet, we’ve made viable progress.”
Kelly agreed. “You’re talking about a strategic development of enterprise data management that has to be in place,” he said. “We’re not there yet, but we’re having a big changeover in leadership and we’ll be taking up with the new people coming on board.”
All the participants agreed that the cloud poses problems for security, while at the same time providing solutions for budget-strapped state agencies. “At the state, we typically don’t allocate enough resources and budget to maintain the systems – both hardware and software,” said Shirley Erp of Health and Human Services. “I see cloud as a very good answer for some of the businesses, but from a security perspective, it’s a killer because your data is now leaving your borders.”
Selissen was concerned with knowing whether information stored in the cloud is safe and secure.
“You need to know exactly what type of information is going to be stored on the cloud,” said Escobar. “You might have some regulations that apply specifically to that type of data which might or might not allow you to put that information there.”
One of the audience, Vijay George, the Chief Technology Officer at the Comptroller’s office, interjected that the idea that information stored on an agency’s own servers compared to the cloud needs review.
“The cloud makes sense in certain cases,” he said. “The level of security and monitoring provided in our own data center would be cost prohibitive. In a lot of ways, the offering that we’re leveraging through the DIR contract through Microsoft is more secure than an exchange solution where we would be hosting in our own data center.”
Escobar echoed the sentiment. “You can have the same or more security on the cloud,” she said.
Erp said it depends on a number of factors: the type of data being stored, the level of encryption required, and how to monitor. “You really cannot just say they are better,” she said. “You have to analyze how it’s being applied, encrypted and the security controls, which means you have to get in front of it before you offer it.”
The panelists agreed that the role of the CIO is changing, and moving to a higher level. “The CIO has a visionary and leadership role and an innovation role for their agency,” Kelly said. “They should be offering solutions in advance and not just being reactive.”
Selissen said it’s no longer enough for the CIO to be a techie. “You need to be the diplomat, you have to be a politician and the negotiator – which are all key,” she said. “If you want to be a CIO, can you not only keep up with the technology, but do you have the business acumen to be able to relate to the business directors? If you can’t, you won’t be successful in that role.”
Information is still the key word in the CIO’s title, said Percy. “I think the role of a CIO is continuously improving the ability to turn data into actionable information to make that data and information accessible,” he said, “to protect it and all the things necessary from a technology perspective to do those things are just commodities and just technology. It’s up to us to keep up with the technology to provide the best use and value to the state, but we need to stay focused on our role as chief information officer, information is our role.”
“The modern CIO has morphed into the super business analyst,” said Hernandez. “They are the translator for the business trying to figure out how to leverage that with technology.”
Erp expressed a similar point of view: “In a large agency like ours, I think it’s critical to be more of a business advocate of services rather than focusing on the IT realm,” she said. “Being a visionary and business orientated while leveraging the IT resources is very important in that role today.”
“It’s your communication skills that mean the most,” said Selissen. “If something is going wrong, it’s not going to be fixed with a code change; you have to fix it with clear communication to the service provider. It’s the soft skills we need now where we valued the hard skills in the past.”
She added that large state agencies take time to move, a statement that drew a rebuttal from Erp. “I came from the corporate world and I strongly believe we need to change our culture in government,” she said. “We’re often way too slow and we need to start thinking about the cloud technology, time to market, customer service and bring slow gradual change – there’s a lot of resistance.”
Erp said if things don’t change at the information level, business areas of state government will move ahead on their own. “That causes problems,” she said.
To sum up, Selissen said the state is often seen as conservative and doesn’t respond to progress. “I think it’s an exciting time and there is a lot of opportunity for growth and improvement,” she said.
Percy said a new legislature brings new opportunity. “The Legislature has been conservative in its spending on IT and they need to recognize the state has grown over the last decade and it’s time to spend,” he said.