This article was written by Steve Havert, a seasoned IT pro with a 36-year IT career. Here he discusses his experiences of moving from a private sector IT job into a public sector position.
After spending the bulk of my career working for medium-size corporations, consulting firms and owning my own business, I’ve come out of “retirement” to work for a local city government. Since I would be working with police department computer systems, I was required to take an online Criminal Justice Units (CJUS) course. Although I have extensive experience in cybersecurity, it was at this point that I realized I was entering a whole new world from the one I’d experienced in the private sector.
Is the public sector better or worse than the private sector? That’s open for debate. What I want to share here are a few of the surprises I’ve encountered around cybersecurity in moving from the private to the public sector — for anyone considering a move out of the private sector or just curious about what the grass is like on the other side.
State and local governments are required by federal law to abide by very specific security protocols. These, of course, extend to their information systems, policies and procedures. I’ve found that I’m adopting a different mindset working in this environment. When I worked in the private sector, my first priority was to find the “best” (most cost effective, most elegant, etc.) solution to a business problem. Security was always part of the equation, but it wasn’t the driving force. Now, however, network security is always in the forefront of my thinking.
For example, the city I work for is planning, like many other IT organizations, to migrate some of our infrastructure to the cloud. Our first choice is to move to Office 365 and hosted Exchange. In addition, we plan to use Microsoft’s Azure cloud computing platform for data storage and disaster recovery. But, before we could consider this option, we needed to verify that Microsoft’s solution was CJUS-compliant.
It turned out that the Azure/hosted Exchange environment had just recently been approved by our state for use by state and local governments. In order to gain that certification, Microsoft had to demonstrate that all infrastructure that would host data, services, applications, etc., would utilize only equipment housed in the United States. In addition, it had to guarantee that all employees, consultants or contractors working on the systems had passed a background check and been fingerprinted.
Another eye-opening realization for me was the tightness of the data communications infrastructure. Our internet connection is through the county. Their main offices are up the road from city hall and there is fiber running between the two buildings. They have a high-bandwidth connection which they share with us. They control the firewall and all VPN connections.
We recently had a consultant come in to help configure some new servers. He was having problems communicating with NTP servers to obtain the current date and time. It turned out the county was blocking outbound NTP traffic. In the private sector world we rarely worried about blocking outbound traffic. Sometimes we blocked SMTP traffic from any IP address other than the Exchange server to prevent spam bots from sending email, but the idea of blocking NTP traffic was never considered.
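As an added illustration (not the author’s, the city’s or the county’s actual configuration), here is a small Python model of the egress allowlist the paragraph above describes: only the mail server may send SMTP out, only one internal relay may reach external NTP, and anything else outbound is denied by default. All addresses, host names and sample flows are constructed for the example. The consultant’s new server asking an Internet time server for the date shows up as the first dropped flow; the fix is the third flow, where the same server syncs from the internal relay instead.

```python
"""Model of a default-deny egress policy with a handful of allow rules (example code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed, constructed addressing for the example (not a real city or county network).
CITY_LAN = ip_network("10.20.0.0/16")
EXCHANGE_SERVER = ip_address("10.20.1.25")   # the one host allowed to send SMTP out
NTP_RELAY = ip_address("10.20.1.10")         # internal time source; alone may reach upstream NTP


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as the firewall would see it."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def _inside(addr: str) -> bool:
    return ip_address(addr) in CITY_LAN


def egress_rules():
    """Ordered egress allowlist: first matching rule wins, nothing matched means deny.

    Each entry is (verdict, reason, predicate). The order matters: the narrow
    allow for a single host must sit before the broad deny for the same port.
    """
    return [
        ("allow", "smtp from mail server",
         lambda f: f.proto == "tcp" and f.dport == 25 and ip_address(f.src) == EXCHANGE_SERVER),
        ("deny", "smtp from non-mail host (spam-bot containment)",
         lambda f: f.proto == "tcp" and f.dport == 25),
        ("allow", "ntp from internal relay",
         lambda f: f.proto == "udp" and f.dport == 123 and ip_address(f.src) == NTP_RELAY),
        ("deny", "ntp from ordinary host; sync from the internal relay instead",
         lambda f: f.proto == "udp" and f.dport == 123),
        ("allow", "web browsing",
         lambda f: f.proto == "tcp" and f.dport in (80, 443)),
    ]


def evaluate(flow: Flow, rules=None):
    """Return (verdict, reason) for one flow; internal-to-internal traffic is not egress."""
    if not _inside(flow.src) or _inside(flow.dst):
        return ("skip", "not an egress flow")
    for verdict, reason, matches in (rules or egress_rules()):
        if matches(flow):
            return (verdict, reason)
    return ("deny", "default deny: no egress rule matched")


def audit(flows):
    """Evaluate a batch of flows and return those that would be dropped, with the reason."""
    dropped = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            dropped.append((f, reason))
    return dropped


# Constructed sample of what the upstream firewall might see during the server build.
SAMPLE_FLOWS = [
    Flow("10.20.5.40", "203.0.113.10", "udp", 123),   # new server asking an external NTP server
    Flow("10.20.1.10", "203.0.113.10", "udp", 123),   # the relay doing the same: allowed
    Flow("10.20.5.40", "10.20.1.10", "udp", 123),     # the fix: new server syncs from the relay
    Flow("10.20.7.77", "198.51.100.5", "tcp", 25),    # a workstation speaking SMTP: spam-bot sign
    Flow("10.20.1.25", "198.51.100.5", "tcp", 25),    # Exchange sending mail: allowed
    Flow("10.20.7.77", "198.51.100.5", "tcp", 443),   # web: allowed
    Flow("10.20.7.77", "198.51.100.5", "tcp", 22),    # ssh out: nothing allows it, default deny
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DROP {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

The practitioner’s caveat that goes with a rule like the NTP deny: blocking outbound time sync without providing an internal source leaves new hosts drifting, and a few minutes of skew is enough to break Kerberos authentication and make log timelines unreliable. Pair the deny with a documented internal relay and put it in the server build checklist, so the next consultant does not spend an afternoon rediscovering it.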
Smartphones are a challenge for any organization. It can be a real headache keeping track of who has what device, especially in a BYOD environment. Then there’s the question of how to set up each phone for corporate email — it seems that each version of iOS, Android and Windows Phone requires slightly different procedures. I remember writing four or five different sets of user instructions to accommodate the various types of phones being used in one organization.
But government takes that challenge to a whole new level. In our case, we use a Mobile Device Management (MDM) package to manage our devices. Through this system we’re able to isolate work-related emails on users’ phones from other data and apps. If a phone is lost or stolen, we can wipe all or selected data and apps from the phone.
A totally new aspect of government IT requirements is the need to maintain a record of all data communications. Naturally, we archive all emails and retain them (unlike some politicians and corporations have been known to do) for a required amount of time. We also just implemented a system for recording and archiving all text communications to and from all smartphones — something I never even contemplated in the private sector. Another surprise for me is the need to maintain a record of every change to our website. Little did I know there are companies that provide this service.
All these requirements stem from the fact that we must comply with all public record requests in a timely fashion.
I recently read an article noting that many police departments in the U.S. are deciding not to deploy video recording devices as part of their officers’ equipment. As someone who would be required to figure out a way to archive and retrieve these recordings, I can understand why police departments would opt out. The amount of storage space and time required could very well double or triple the department budget.
For me, working in the public sector has proven quite the learning experience. It’s forcing me to re-think many security strategies and tactics that I’d become comfortable with, and when it comes to security, getting outside your comfort zone and thinking about things in a new light can be a good thing.
For those of you who already work in the public sector, I applaud and commiserate with you. For those of you considering making a move from the private sector to the public, be prepared — it’s a different world.
If you work in security in the public sector, what are some dilemmas you’ve faced or specific requirements that have surprised you? And what have you learned from those experiences that others in the private sector might benefit from? Get in touch today!