Recently, I've spoken with a number of government leaders who have told me - "I'd love to try a lot of the new technology and approaches out there but my IT Security shop will not budge and always says no. They do not want to do anything different as it's too risky to them"
Both asked me:
"Do you have any tips on convincing IT Security?"
Any GovLoopers have tips?
Anything on how to convince IT security on new items like BYOD, SaaS solutions, etc., whether it's a cultural move (take 'em to lunch) or technical (see if it's on FedRAMP)
The approach that has worked several times is to provide a relatively unbiased cost analysis of the move to new technology. A good analysis will include costs of not engaging new technology...
Sometimes this analysis will show that IT Security is correct and that it doesn't make financial sense for an organization at this time to make the move to the new technology.
A good analysis providing a good return on investment will often bring more pressure on IT Security (the CIO and Director believe that it is a good way to go) to, at the very least, make an attempt at explaining why the NO.
If the analysis has not changed the minds, often an offer for a pilot project will get an OK, understanding that for a pilot project to fly the "suggestors" are going to have to put some skin on the table. An example would/could be: "IT Security could have the ability to 'wipe' all personal data in the case of a compromised BYOD device, with no cost to the organization for lost data."
Good one - I like it. Clean ROI is always the best
The way this is phrased, it sounds like they are simply saying "I want to use/try (insert technology here)." Being on the IT side of things myself, I see this a lot. Some suggestions (along with what Henry Brown has already suggested):
IT Security, the Department of "NO".
My Dept: "We would like to use laptops for R&R of government, equipment, fleet vehicles, facilities repair and would like wireless capability to connect and dl the vendor software for such things as updates on new equipment, trouble codes for diagnostic purposes as it relates to fleet vehicles and MHE, trouble codes and standards on facility maint, water, lights, HVAC (not all of that is contracted out, thank goodness)."
IT Security, "NO, you can have that, too risky, a security risk."
My Dept: "Actually, no, there is a usb type cord that plugs into the equipment from the laptop to the machine, vehicle or whatever, and they "talk to each other."
IT Security, "NO, too risky, no portable, and no wireless devices allowed, you must be tethered to the network, and oh by the way, no dl of anything without 100 copies of paperwork, signed in triplicate and initialed on the initials, and sent to the A-Z dept, and all 26 depts will look at it and determine if you have permission to purchase the software. If you leave anything blank on the form, the process starts over. Oh, and there is no guarantee we will grant your request. You'll hear from us in about 3 months."
My Dept: <heavy sigh>
That is how my agency/organization does IT. We're used to it. We just party like it's 1989.
What I see is a schism between IT planning/procurement and IT security. A purely hypothetical and in no way related to my Agency example:
"Sure, you can have progressive tool and functionality, but let me break it with several thousand layers of redundant, burdensome, box-checking security controls so that the resulting tool will suck and fail. That way, I can claim victory and progress and get kudos from the press and OMB, while you, dear user, are no closer to actually being able to do the thing you are seeking to do <insert maniacal laughter here>."
My favorite IT paradox is having unique log-ons for every single dingle application that we use, and then procuring single sign-on software that allows me to log into them all automatically. Really? REALLY? Is that not ironic to anyone but me?
On the serious side, I would LOVE to see a benchmarking report on implementation of NIST security controls that ALSO gives end-user satisfaction ratings. If our job is to balance info access, availability and security, we need to balance the incentives and repercussions related to all three - not just the security side - in an integrated way.
You hit it on the head. When we sent our non-networked (stand-alone) laptops to IT as required (don't ask), they put all their "bloat security ware" on them to the point that, when we got them back, the programs (software) we purchased (another long and boring story with no results) didn't work. I kid you not. Mind you, this is a stand-alone. It does not connect to any gov network. To add insult to injury, the software programs that we have been purchasing (the vendor) now require that we purchase "online" and download them. The Dept of NO, and the bean counters, say NO. No downloading. OK, so we can perform our mission without the software. They "are" working with us now to get us an internet line (secure, of course). We have completed yet another set of "approvals" paperwork... pages and pages of what, why, where, when and how. Hey, I don't speak computer geek, I just "know" what our dept needs. A typical timeline to order a laptop takes just about 6 months. It doesn't matter if it is non-networked or networked. Software takes about 3-4 months to get through all the approvals. Once it is ordered, it arrives within 5-7 business days. The "approvals" are what takes the longest.
Yes, I have about 8 passwords I use for different gov sites: DLA, DoD EMALL, GSA Advantage, the program I use every day, the payroll program. And yes, it's an alphabet soup of letters, numbers, special characters, no less than 15, that you are supposed to memorize.