Web 2.0 requires public sector to consider security policies.
The setup is easy. An intern can do it. Within minutes, a governor, mayor, county executive or most any public agency can be up on Facebook, tweet on Twitter, share videos on YouTube and create a photo album on Flickr.
The repercussions can be hard and long lasting. The ease and speed of going social often short-circuits the best-made plans of those who are responsible for enterprise IT operations and security. "It's tough. It's really tough," conceded Michigan CIO Ken Theis. "You have to be extremely nimble ... and have a framework of policies and practices in place [so you know what to do when] you do need to open up to be able to provide those levels of service."
Virginia sees a need for speed and agility in policymaking to make sure new projects don't go off into the tall grasses for lack of policy guidance. There is continuous risk of becoming overtaken by events, said the state's chief applications officer, Peggy Feldmann. "We can collaborate very quickly with our Web services - putting reporting tools on top over a weekend, essentially. That's a little tough when your policies would have taken a while," she said.
In Utah, the state's Web standards provide both caution to and a wide berth for developers: "Web 2.0 services focus on autonomous, distributed services and recombination, and are fraught with ownership, boundary and control issues." Nonetheless, "there is no reason why agencies should not use [these] services as an integral part of their Web design implementations."
But that isn't the last word on the subject. "There is certainly a debate that is very rigorous here," said David Fletcher, Utah's chief technology officer (CTO). "There are always new services, and the way people are using services is changing."
There is a growing sense that enterprise public CIOs and CTOs simply cannot afford to become known as the people whose only answers are "No" or "Wait." That's absolutely correct, said Theis. "There is a big argument about Web 2.0 and how to deal with it and whether you should deal with it, shut it down, turn it off," Theis said. "... I just think those folks have their heads in the sand."
Rather than getting caught up in an irrelevant fight, Theis said the end game is that "CIOs have to make sure there [is a] safe, efficient, auditable and secure way to make this thing happen."
California Chief Information Security Officer (CISO) Mark Weatherford agrees. "My job is to make sure that we don't do things dumb and that we don't expose data or assets or systems to vulnerabilities that we can avoid. ..." With that said, "I think it's naive of us to think we can say no to some of these things," he added.
Weatherford said there will necessarily be limits imposed by CISOs. "I don't mean always. There will be cases and probably technologies where we'll say, 'You know, there's probably just too much risk associated with that,'" he said.
Utah's David Fletcher reminds us that all this action at the edges is bigger than any single enterprise. "I think more and more, we need to have ... an awareness of and participation in the global online community so we understand well what's happening, what we can leverage and what might get us in trouble," Fletcher said.
Editor's Note: This column originally appeared as The Enterprise Confronts Web 2.0 in the August 2009 print edition of Government Technology.