North Carolina, Minneapolis IT leaders wrestle with BYOD
SALT LAKE CITY — With government employees increasingly eager to use their personal smartphones and tablets at the office, state and local IT leaders across the country are grappling with how to be effective gatekeepers for their networks.
But responses to that dilemma have been across the board, IT execs said at a panel discussion at the National Association of State Chief Information Officers’ annual conference.
In North Carolina, State Chief Information Risk Officer Maria Thompson said she’s revamped the state’s “bring your own device” policy, putting in place a set of more restrictive, “back to basics” guidelines for employees hoping to bring their own devices for use at work.
“Just because you can connect it, doesn’t mean you should,” Thompson said. “If there’s a business need for it, that’s one thing. But if you don’t look at it from that standpoint, you’re going to have people bringing anything into the environment.”
In Minneapolis, Chief Information Officer Otto Doll is taking a different approach: The city put in place a BYOD policy several years ago and has expanded it to include everything from smartphones to tablets to smartwatches.
“We have a somewhat liberal policy on that because we feel the workforce in particular, and our constituents, are already there,” Doll said. “Our workforce is expecting it to be available to them and they want it in an ecosystem that they’re most comfortable with.”
Doll acknowledged that policy has “raised our risk profile” when it comes to security, but he believes the city’s staff is comfortable with the tradeoff.
“We know that we’re not Fort Knox, we’re not the NSA,” Doll said. “The majority of what we hold is open data.”
Specifically, he noted that Minneapolis already publishes a great deal of information on an open data portal, and Minnesota’s laws make a substantial amount of government data subject to open records requests. The city still has to protect sensitive law enforcement or health care data, but Doll said that he tends to favor convenience unless security is absolutely necessary.
“Our password complexity is stronger than most national banks in the United States. I’ve had council members come up to me and say, ‘What in the world are you doing asking for me to create that password of that complexity when my bank, where I have my money, doesn’t,’” Doll said. “The banks are weighing convenience versus security, and we’re doing the same thing. I really sense that we’re going to fall closer to where private industry is with a lot of this unless an organization demands very, very high levels of security.”
But Thompson argued that her role in a state government means that she has to think about the security of more than just North Carolina’s data.
“We’re all interconnected,” Thompson said. “In North Carolina, if I choose to take a less stringent stance on security, it could potentially affect neighboring states depending on how we’re connected. There’s also federal data running through our networks at any given time, so we have to make sure there’s a balance to that.”
That’s a large factor driving Thompson’s decision to enact the new BYOD policy, which she added will also incorporate the growing challenges presented by the Internet of Things.
“The initial rollout of that [policy] will be more restrictive until someone can identify that there’s a business need for a particular client or a tool, and then we’ll adjust as needed,” Thompson said.
At the same time, Thompson is also hoping to cut down on security worries by limiting the data that state agencies end up collecting. Thompson said she wants to see all North Carolina entities start thoroughly re-evaluating what kind of personal information they need to collect, so that people are better protected — even if her more stringent policy can’t guard against every vulnerability.
“We’re trying to ask, ‘Do you need that data?’” Thompson said. “A lot of people are collecting Social Security numbers just because they feel like they need to, and that’s not always the case.”