Government IT Must Strike a Balance Between Security, Access

Officials from Washington, D.C. and Los Angeles were part of a government IT panel at the oktane21 conference, reflecting on how they’ve guided city government systems toward an environment that is both secure and accessible.

Public-sector IT officials are often under the dueling pressure of protecting privacy and creating smooth pathways for the public to engage with the many services offered by local, county and state government. 

These goals have led to the development of single sign-on for workers and users of government systems, as well as other mechanisms to make government processes more user-friendly and “more like Amazon,” as Joyce Edson, deputy chief information officer and assistant general manager for Los Angeles, put it.
 
“I wish I had a nickel for every time I heard that,” she remarked Wednesday during a panel discussion at oktane21, a summit covering government IT security, organized by government-focused cybersecurity company Okta.
 
The COVID-19 pandemic accelerated government’s move toward more nimble, flexible and online postures, say industry watchers. Overnight, trends that were already on the move – like single sign-on or multifactor authentication – were fast-tracked as government transitioned to work-from-home arrangements, while the public’s interaction with government also moved to an almost exclusively digital exchange. 
 
“COVID pushed us into this faster than we probably would have gone naturally,” said Edson. “But everything that we wanted to do, and had queued up and were trying to get people to really engage with us on, COVID helped us get that over the finish line.”
 
The discussion Wednesday, moderated by Sean Frazier, federal chief security officer at Okta, centered on some of what COVID-19 taught public IT leaders as they navigated the often competing needs of increasing access to public systems and increasing data security.
 
The big picture, said John Kindervag, senior vice president of cybersecurity at ON2IT, is protecting the security of data. And all tech strategies to achieve advancements like single sign-on need to keep this goal top of mind, he added. 
 
“My best advice is, don’t start with technology,” said Kindervag. “Start by thinking about what you need to protect. If you don’t know that, you will always fail, because you cannot protect the invisible.
 
“There’s two types of data in the world,” he added. “There’s the stuff that people want to steal, and there’s everything else. So protect the stuff that people want to steal.” 
 
Pedro Agosto, CIO for the Washington D.C. Department of Consumer and Regulatory Affairs, said the district started by getting residents used to the idea of registering online for services. From there, the city moved to two-factor authentication for some systems while, behind the scenes, watching for attempts to break into the systems.
 
“So as part of our plan, we’re just building these little steps along the way, when the time is right, to be able to balance the need for security, with also the need to remove that friction from the customer perspective,” said Agosto.  
 
Removing friction, and increasing security, is a delicate dance, said Edson. “We try to not be overly paranoid, but just paranoid enough,” she remarked.
 
Government IT should have a clear idea of what data needs protection, while also not making the protections so cumbersome that no one can get to it, said Edson.
 
“You have to figure out what your happy medium is, and be flexible,” she added. 
Skip Descant writes about smart cities, the Internet of Things, transportation and other areas. He spent more than 12 years reporting for daily newspapers in Mississippi, Arkansas, Louisiana and California. He lives in downtown Sacramento.