Full 90 minute Roundtable
Ward Cunningham, inventor of wiki and founder of the Federated Wiki project
Michael Byrne, Home Mortgage Disclosure Act Operations Lead at the Consumer Financial Protection Bureau
Mike McGarr, Engineering Manager for the Build Tools team at Netflix
The Solution Involves a Culture of Trust and Respect
There’s a reason we carry out these conversations in roundtables rather than square. We want to fit a variety of different perspectives into the conversation and treat them on an equal level in order to break through on some new ideas.
That’s one reason this roundtable was unusual for government information technology circles. We had technologists from both inside government and the private sector. We had experts on both security and innovation. We had people with decades of experience and some who were new to the game.
All that diversity added up to a very productive conversation that pushed some new thinking around how to find ways to love both innovation and security en route to transforming government IT.
Right now, those inside government focused on security and compliance are almost perpetually resistant to innovation because they fear changes will make their systems more vulnerable. And innovators, in turn, are loath to engage with security issues because doing so complicates their work.
What good would loving both innovation and security bring about? Michael Byrne, Home Mortgage Disclosure Act operations lead at the Consumer Financial Protection Bureau, said it would have a dramatic effect. It would lead to many more deployments of technology inside government at a much faster pace. It would help drive costs down over time, and it would be a lot more fun for workers and managers alike.
Henry Poole, CEO of CivicActions and board member of the Free Software Foundation, said he thought it would be much less frustrating for government technologists, and would be useful in attracting and retaining top talent, too.
Greg Elin, the host of the roundtable and the nascent series, was surprised by how much of the conversation centered on culture as the critical element for a long-term solution.
Mike McGarr, engineering manager for the Build Tools team at Netflix, went so far as to say that culture was the single biggest difference between his experience of working inside government and his current work in the private sector at Netflix. When engineers are trusted to maintain high levels of security, as they are at Netflix, McGarr said they take the responsibility seriously and proactively work to make their code more secure.
Matthew Burton, former deputy CIO at the Consumer Financial Protection Bureau who now works as a contractor with government, pointed out that culture inside government gets distorted by the need to comply with specific laws pertaining to security practices. Many government technologists are more concerned with passing compliance audits than with actually making their systems secure. They are judged on compliance rather than performance. Plus the pace of legislating is always much slower than the pace of technology, so government practices are always way behind.
Another problem is the lack of reliable budgets from year to year. Anne L. Washington, assistant professor in the Organization Development and Knowledge Management program at George Mason University School of Public Policy, said that managers can be resistant to too much innovation because they don’t feel confident the money will always be there to backstop experiments or sustain innovative reforms.
On the other hand, the security guys aren’t always the bad guys. Jeffrey Carr, founder and CEO of Taia Global, Inc. and author of Inside Cyber Warfare, made the case that the innovators often ride roughshod over the security people. Everyone these days is so enamoured of “innovation” that the innovators frequently get the upper hand in driving the train barreling down the tracks, and the security people get thrown off.
The general consensus seemed to be that if all parties trusted each other more, a culture would develop over time that would foster individual responsibility. Everyone would feel that security was just a core part of his or her job.
We’ve been here before. Ward Cunningham, inventor of the wiki and founder of the Federated Wiki project, made the analogy that 30 years ago coders were not trusted to write code of high quality without quality control oversight. However, soon software engineers were expected to maintain high levels of quality and not wait for overseers to clean up their work. The culture shifted and quality soon became the norm.
Cunningham thinks we may be on the verge of a similar shift among software engineers with regard to security. Soon that will just be expected as a central part of everyone’s job.