I read an interesting article this morning that details how information security is running afoul of mission delivery at the Department of Energy. Click here for the article. In an April 29 speech at the National Renewable Energy Laboratory in Golden, Colo., DOE Secretary Chu said “well-meaning people” in the chief information officer’s office and in the procurement and finance offices “whose job it is to protect the Department of Energy” actually hinder what the department can do.
It is rare for a cabinet Secretary to mention an OCIO function, let alone single one out so specifically and with such pointed language about its negative impact on mission delivery. The role of information security is important, but security measures must be applied practically. Although it is easy to blame the security community, the fault does not sit solely with those individuals. There are plenty of overzealous security folks, but they are often reacting to the pressures they face from security oversight, policies, and punishments that steer the community towards locking down rather than opening up.
In the new era of open government and transparency, the security community will be burdened with calls to open up information and interactions to better inform and engage the public. In the current paradigm, the security community will be faced with a no-win situation: legacy rules that focus on punishing security breaches versus mission needs and open government agendas that demand better information accessibility.
The security community will need to define and adopt security risk frameworks that allow their executives to accept certain risks for certain rewards. These security risk frameworks will get us past the current model of accepting no risk and locking down everything for fear of reprisal. Instead, they will provide executives with a decision-making tool to categorize risks and rewards and make informed decisions about what course of action should be taken. The President's Transparency and Open Government memorandum and his Freedom of Information Act memorandum both outline the expectation of greater information disclosure and public participation. The security community will need to work with executive staff to develop a way to make nimble, informed, and risk-conscious decisions without hindering mission delivery or the Administration's open government agenda.