Ongoing Issues and Opportunities | Public-Sector Tech:

What happened (of significance) in 2017 that will shape 2018 and beyond in government technology?

Beyond 2018 cybersecurity predictions or year-end summaries that highlight headline-grabbing 2017 stories, what government tech trends can inform how we set priorities for 2018-2020?

Here is my attempt to connect the government dots as we head towards 2020.

Unique Perspectives 

There are many different answers to these important questions. For example, Deloitte offered its annual government perspective on tech trends, calling it The kinetic enterprise in 2017. Here’s an excerpt: “As in the past, we seek to shed light on the anticipated level of government relevance and readiness for each trend:

  • IT unbounded
  • Dark analytics
  • Machine intelligence
  • Mixed reality
  • Inevitable architecture
  • Everything-as-a-service
  • Blockchain: Trust economy
  • Exponentials watch list”

In 2018, that Deloitte report has shifted to the symphonic enterprise with “disruptive technologies that work together in harmony.” Federal and state government leaders can learn more about how to orchestrate these disruptive technologies (like digital currencies) in this upcoming free briefing.

Gartner addressed the same shift in its Gartner Top 10 Strategic Technology Trends for 2018, with an assessment of global megatrends. Also see: Gartner Identifies Three Megatrends That will Drive Digital Business into the Next Decade — which covers the hype cycle for major technologies.

Meanwhile, Governing magazine offered these 9 issues for states to watch in 2018. These items include (you can read the details at the Governing article link):

  • Federal Tax Revision
  • Health Insurance
  • Building 5G
  • Sexual Harassment
  • Fair Work Schedules
  • Opioids
  • Unions Under Siege
  • State Revenue Projections
  • Election Cybersecurity

On technology, the article said: “States are increasingly being asked to referee fights between mobile phone carriers and local governments, as the wireless industry sets out to build the next generation of data networks.

The reason for the clash is that the new 5G wireless networks are built differently than their predecessors. Existing mobile systems rely on equipment installed on towers and tall buildings that are relatively far away from one another. But 5G technology requires a much denser network of 10 to 100 times as many antenna locations, so that the networks can handle the surging demand for data from mobile phones, driverless cars, wearable devices, surveillance cameras, high-tech streetlights and other building blocks of ‘smart cities. …’”

On election cybersecurity: “The 2018 elections could provide an opportunity for states and localities to restore confidence in voting systems that came under intense scrutiny during the 2016 presidential campaign.

This year is likely to see unprecedented coordination among state and local election officials on security-related issues. Last October, they formed a working group with the U.S. Department of Homeland Security to address concerns over hacking. In exchange for partnering with Homeland Security, state election officials now can obtain security clearances, which will allow them to receive intelligence about specific cyberthreats. …”

Meanwhile, the 2017 State CIO Survey from Grant Thornton, which is run in partnership with the National Association of State Chief Information Officers (NASCIO), covered these topics and more:

Top policy and technology priorities for state CIOs in 2017

  • Cybersecurity
  • Cloud Services
  • Agile and Incremental Software Delivery
  • Business Models, Sourcing and the CIO as Broker
  • Digital Government
  • Emerging IT
  • IT Workforce
  • Consolidation and Optimization
  • Data Management and Analytics
  • Procurement

The NASCIO priority list of hot topics for 2018 was led by security and risk management, cloud computing and consolidation. NASCIO teamed up with the Public Technology Institute (PTI) again this year to provide a free webinar on what state and local governments can expect to see in 2018. The webinar was called, Technology Forecast 2018: What State and Local Government Technology Officials Can Expect. This was the 10th year that this presentation was offered, and we will dive into some of the related details.

Here is a view that includes state and local priorities:

[Image: 2018 priorities]

The results also match up with what the Center for Digital Government found in 2016 with its own survey of state CIOs, as well as 2017 surveys of county and city IT staff — all of them list cybersecurity as their top priority.

On a recent NASCIO/Public Technology Institute (PTI) webinar regarding state and local government technology for 2018, the top trends included flat spending, much more cloud services, efficiency efforts, cybersecurity as a business risk, FirstNet rollout, digital government and CIO transitions with gubernatorial elections. More cybersecurity insurance is being purchased by states — up from 20 percent in 2015 to 38 percent in 2017.

The PTI Local list of technology items that are in and out in local government this year looks like this for 2018:

[Image: 2018 priorities]

 

What Else? My Take — A Quick Look at Technology Issues from 2017 that Won’t Go Away (and Should Not Go Away) in 2018 and Beyond

My thanks to Andris Ozols for help on this list that is organized (somewhat) from A-Z with links to supporting materials for further review.

A – Amazon Second North American Headquarters Solicitation

Example: Amazon Narrows Choices for Second Headquarters to 20 — “Amazon named 20 metropolitan areas as finalists for its second headquarters after reviewing 238 proposals from across the U.S., Canada and Mexico. New York, Chicago, Columbus, Ohio, and Indianapolis are among the choices.”

  • Cities Lament, Celebrate Amazon Short List
  • The Surprises on the Short List
  • Comparing the Contenders
  • Amazon second headquarters finalists: Their pros and cons

Artificial Intelligence (AI)

  • Example: Will AI help fill the skills gap?
  • Example: Autonomous Vehicles
  • Example: CES 2018: States are key for autonomous tech, say industry leaders

“Nevada Gov. Brian Sandoval was joined by leaders from Google, Uber, Amazon and others. They urged government’s continued support for advancing autonomous and electric vehicles.

Alongside representatives from some of the transportation tech industry’s most innovative companies, Nevada Gov. Brian Sandoval told an audience at the 2018 Consumer Electronics Show (CES) in Las Vegas that it is state government’s duty to support the growth of emerging technologies like autonomous and electric vehicles.”

B – Blockchain 

Example: To Unleash Blockchain’s Potential, Government Must Direct Its Growth

C – Census, Census Readiness, Redistricting

Examples: Redistricting Cases Could Redefine State and U.S. Politics in 2018

More than a dozen cases on partisan and racial gerrymandering are winding their way through the court system. Two cases, in particular, could become two of the most important this decade.

  • Citing States’ Resistance, Trump Ends Voter Fraud Commission
  • New Bipartisan Bill Would Help States Beef Up Election Cybersecurity

Civic Tech – An emerging industry, service sector often highlighted by e.Republic as a market segment.

Climate Change – Issue related to disasters, data and information access and transparency, trust. At minimum consider citing project and report series; GAO report.

Cybersecurity 

Example: Lohrmann on Cybersecurity Extensive Coverage

D – Disaster Management and Recovery

Example: How Trusting Tech Can Improve Disaster Response
Using data from both government and volunteer sources is key to an effective disaster response strategy.

Drones 

Very high-profile solution and trend, frequently cited in mass media, referenced in NASCIO annual survey.

E – Election Frameworks and Processes

Identity management, data use in districting, and access to and transparency of data and information in exercising voting opportunities and rights. See articles above from Governing.

F – FirstNet

Example: All 50 States Have Joined FirstNet as Deadline Closes

A flurry of states indicated they would join FirstNet as the 90-day opt-in deadline came to a close.

All 50 states, along with two territories and Washington, D.C., decided to join FirstNet, the dedicated, nationwide first responder network, by its Dec. 28 deadline.

Federal IT Issues

Example: One of the findings of the 2017 federal CIO survey conducted by Grant Thornton and the Professional Services Council was that almost half of the 27 chief information officer positions at the largest federal agencies remain open 249 days after President Donald Trump’s inauguration, and this has agencies worried about their ability to enact ambitious information technology modernization plans.

Example: Leadership vacancies, cyber-risks forcing federal CIOs to ‘do more with less’

NASCIO has outlined its legislative priorities for 2018, focusing on harmonizing federal cybersecurity regulations, recognizing state authority in emerging technology and ensuring safeguards for shared intergovernmental data.

Example: NASCIO Releases 2018 Federal Advocacy Priorities: Focus on Innovation and Efficiencies

G – Government Shutdown (2018)

Example: Yet Another Stopgap Funding Bill Likely in February, Lawmakers Say

H – Hurricanes

Example: 2017: The Year Hurricanes Devastated Land, Data and Trust

I – Infrastructure

  • Example: Trump to announce a 1.7 trillion infrastructure package at State of the Union
  • Example: NGA Announces First-Ever Technology-Focused Office for States

With the rapid pace of innovation, governors and state CIOs can be challenged to keep up with emerging technology developments. The National Governors Association recently launched NGA Future, an initiative to give governors insights into potentially disruptive technology that is three to five years away.

N – Natural Disasters

Example: Natural Disasters Cost U.S. an Unprecedented $306 Billion Last Year

Net neutrality

Example: The FCC’s recent Net Neutrality ruling adds another dimension to a simmering debate over who controls broadband service and related infrastructure.

O – Offshore Drilling

Example: Trump Wants to Expand Offshore Oil and Gas Drilling. Does the Industry?

Opioid epidemic

  • Example: New CDC Data: 2016 Was the Deadliest Year Yet for the Opioid Crisis
  • Example: Opioid Epidemic & Health IT — Health IT Playbook — HealthIT.gov

S – Sexual Harassment, IT Workplace and Opportunities

Example: Women in Tech Speak Frankly on Culture of Harassment — The New …

The disclosures came after the tech news site The Information reported that female entrepreneurs had been preyed upon by a venture capitalist, Justin Caldbeck of Binary Capital. The new accounts underscore how sexual harassment in the tech start-up ecosystem goes beyond one firm and is pervasive.

Smart Government and Cities as an Applied Best Practice

  • Example: “Putting Smart Cities on the Map” — The term “smart city” has evolved since it first made an appearance in the gov tech conference circuit. While it continues to mean different things to different people, smart cities — whether they are made up of networks of sensors or data analytics platforms — are popping up across the United States. Here is our growing list of the smartest cities in the country.
  • Example: CES 2018: Making Smart Cities Responsive — Government Technology

T – Tax Legislation and IT

  • Example: Apple, Capitalizing on New Tax Law, Plans to Bring Billions in Cash …

Trust

  • Example: Trust — Facebook, Google and others join The Trust Project, an effort to increase transparency around online news
  • Example: “Why Zuckerberg’s New ‘Trust Indicators’ Can’t Fix Fake News”

U – Unemployment Insurance

NOTE: Current examples of an ongoing shared services trend.

Example: Maine Officially Becomes Next State to Join Unemployment Insurance Cloud Consortium — On Dec. 6, the state of Maine migrated the benefits side of its unemployment insurance system to the cloud, joining the four-state consortium.

W – Wildfires 

  • Example: At 230,000 Acres, Thomas Fire is Now the Fifth-Largest Wildfire in Modern California History  
  • Example: How California and Western States Should Shift Their Fire Prevention Strategy
  • Example: Commentary: Why California Burns

Final Thoughts

There is a lot in this blog to ponder, and way too much to cover in detail in one piece.

My hope was to provide a 50,000-foot overview of the issues and technology trends in government that are facing us moving forward this year.

I plan to cover the president’s new infrastructure plan and state and local impacts in much more detail over the next month.

10 Recommendations for Security Awareness Programs

How do we improve the security culture in our organizations? Our security team keeps coming back to that fundamental question, and we are constantly looking for ways to help.

Why? Culture change is a critical success factor in our security programs and almost every technology or innovation project. We keep asking: Is there a better way?

But even as new mobile solutions and cloud computing transform the way we live and work, industry experts point to many challenges in pursuing security culture change.

One of the fundamental ways to start is by building (and constantly improving) a robust security awareness program for all staff and security training for specific employees based on business need.

This topic surfaces almost everywhere I go. End users clicking on links, giving away passwords or plugging in malware-infected USB drives were topics that arose this week at the Cyber Summit at Oakland University.

In response, strengthening the security culture is listed as a top priority in many global security reports, including this UK case study which was released late last year. Here’s an excerpt:

The security of systems is dependent on the people that use them. Effective institutional assessment of risks and implementation of secure practices rely on a shared understanding of the threats and challenges facing the institutions….

Universities should consider how they embed knowledge of cyber security practice and responsibilities across their institution. This ranges from requiring annual active confirmation of acceptance of terms and conditions of using the network or certain parts of it, through to training and education programs. The 2011 UCISA Award for Excellence went to the University of Leicester, which led a consortium of universities that developed an Online Information Security Training for higher education institutions. Janet also provides a number of security-related courses for IT staff…

Another recent study referenced by the Ecommerce Times found:

An overwhelming 80 percent of corporate security professionals and IT administrators indicated in a recent survey that “end user carelessness” constituted the biggest security threat to their organizations, surpassing the ever-present peril posed by malware or organized hacker attacks.
Users’ cavalier attitude toward security was further exacerbated by corporate executives who failed to support their security administrators by enforcing computer security policies….

One more – Trustwave lays out seven deadly sins of uneducated employees in this series of graphics that do an excellent job of showing how a lack of awareness training can cause more data breaches.

Why Security Awareness Programs? What are the Benefits?

Of course, this topic is not new. It would be surprising if readers had not heard most of these same cyber awareness themes before.

For example, the State of Oregon commissioned a study back in 2006 to “determine the best way to deliver security awareness training to state employees, and to develop a plan for its implementation.” Their study was based on extensive research, rigorous criteria, a “particular emphasis on IT and business standards, laws and regulations, and official guidance” and much more.

Oregon identified 18 best practices in that study – with an overview available at this Oregon.gov website.

Over the past eight years, the many benefits and potential drawbacks of security awareness programs have been debated numerous times.

At the start of last year, Ira Winkler wrote this article listing 7 elements of successful security programs.

Joan Goodchild, executive editor at CSO Magazine, offers this slideshow with 9 tips, tricks and must-haves for security awareness programs.

Ten Recommendations to Consider

After reading through these numerous reports, tips, best practices, articles and white papers that examined what works and what doesn’t, here are my ten top recommendations to consider when trying to build or improve your security awareness program. My goal is to keep this simple, but update the list for 2014. I plan to come back to this list at least annually for the latest updates.

I’ve divided this section into two lists – the Do’s and the Don’ts…

Five DON’Ts:

1) Don’t stay with your status quo. A cyber awareness program with content that hasn’t been updated in years is a waste of employees’ time. Our team heard that message loud and clear.

In Michigan, we got rid of our old end user awareness program in 2012 and started over from scratch. Why? Our old awareness program was deemed to be boring, irrelevant, too long, outdated and even “Death by Powerpoint.” After a competitive RFP process, we moved to a new set of solutions using Security Mentor for cyber awareness and the Michigan Cyber Range for technical training. More specific details on our award-winning approach can be found in our National Association of State CIOs (NASCIO) project profile.

2) Don’t rely on videos or Powerpoint slides as the primary channel for awareness programs. Several studies, including this white paper from 2013 from Secure Mentem, found that interactive materials that engage end users are more effective in achieving results than just using a series of awareness videos. The truth is that many employees don’t pay attention to videos. Some even start the videos, leave their desks to use the restroom, talk to neighbors or get coffee, and come back to see if the video is over.

However, fun, user-created videos, such as those developed as a part of this EDUCAUSE 2013 Video Contest, can help as supplemental content to create energy and excitement at the office.

 

3) Don’t confuse cyber awareness programs with security training. Ira Winkler makes this point very well in this Dark Reading article: “Security training provides users with a finite set of knowledge and usually tests for short-term comprehension…. Security Awareness programs strive to change behaviors of individuals, which in turn strengthens the security culture. Awareness is a continual process. It is not a program to tell people to be afraid to check their e-mail. The discipline requires a distinct set of knowledge, skills, and abilities.”

4) Don’t forget anyone, and don’t make security awareness an optional extra. As Oregon pointed out in their study in 2006, everyone has a role in improving security. The entire enterprise needs security awareness, since the weakest security link is usually an employee clicking on bad links.

5) Don’t focus solely on compliance or make awareness just a “check the box” exercise. No doubt, you need security awareness programs for PCI-compliance, HIPAA-compliance, complying with federal regulations or other compliance reasons. But cybersecurity awareness needs to be a process with constant improvements and adaptation, as your technology and business changes. The main goal is to improve the security culture in pragmatic ways. Culture change takes years and hard work, so this won’t be a simple endeavor.

Five DOs:

1) Ensure executive support and management buy-in. End user awareness must have the full and vocal support of top executives and the middle managers in order to be successful. When top executives lead by example and participate themselves, key messages are understood to be important by the masses. Leading by example is key. Occasional prodding of key execs and managers will be necessary to keep things on track.

2) Make it fun – use gamification and interactive content, if possible. Brief, intriguing, “sticky” content is key. The more relevant and timely, the better. Yes, remind staff of important security policies. But also inform your people about risks, such as spear-phishing techniques, or something new to help them online in their personal and professional lives. Add competition or other learning techniques that are proven to be effective.

3) Include posters, newsletters, email tips, blogs and reminders, National Cybersecurity Awareness Month and more. Different people learn differently. There are numerous sources to help provide new and refreshing security information, such as the free resources from Multi-State Information Sharing & Analysis Center (MS-ISAC) and SANS Newsletters for technical staff.

4) Focus on changing behaviors. Relate cyber awareness to personal life, family and home. Our goal is to change culture and improve security. This can only happen if people make good decisions and act in ways that reduce risk each and every day. Also, many studies have shown that employees pay more attention if the awareness materials can be used (and even shared) outside the office – at home with family and friends.

5) Solicit end user ideas, encourage feedback, measure success and growth of program. Make sure that your awareness program is measured. How many users actually complete the training? What did they like? Did they learn anything? Have behaviors changed? Also, ask for new ideas and suggestions to improve. Encourage creativity. Provide mechanisms to get real-time data from staff.

Stressing the Cyber Awareness Imperative

It is true that several high-profile security leaders have come out against security awareness programs in the past few years. They want to focus 100% of security efforts on improving technology deployments, tools and technical processes to be secure.

Not only do I disagree with those views, following that approach is frankly irresponsible. Security awareness is required by auditors and compliance organizations, but more importantly, it is a core responsibility of CISOs or other top security leaders. If there is no specific cybersecurity leader in your organization, a top technology leader (or perhaps HR) must be responsible and accountable for the security awareness program.

Like a doctor explaining the behaviors needed to stay healthy to his/her patients or a nurse describing physical therapy steps that are necessary to recover after an operation, security pros need to educate employees regarding how to protect themselves in cyberspace. End users can make well-informed decisions to reduce risks to data and networks. Healthy lifestyles do make a positive difference – both offline and online.

The surge in spear-phishing as the top method used by hackers to gain unauthorized access to sensitive data shows the importance of end user awareness programs. Every employee within our enterprises must be aware that they are both a big asset and at the same time one of the greatest security vulnerabilities.

In conclusion, major cybersecurity companies like Symantec stress the importance of security awareness programs. They urge clients to make personal responsibility a major component of security programs.

In addition, new security approaches are emerging from several cyber startup companies that use the latest learning techniques to help organizations change their security culture.

Bottom line, as organizations retool their technology infrastructure, security architectures, use of smartphones, policies regarding social media and innovative approaches with big data in business areas, it is also time to take a fresh look at security awareness programs.

Improving your security culture depends on it.