Postcard From the Public Sector

Despite limited budgets, public sector organizations break new ground in security

3:05 PM -- As someone who's covered IT's "breaking news" for many years, I've developed a nasty blind spot around the public sector. Government, education, healthcare -- historically, these have not been the pioneers that provide the "hot news" in IT innovation. This isn't a criticism -- it's just that most public sector companies traditionally haven't had the IT budgets and resources needed to be technology trailblazers.

Recently, however, I've found myself covering more and more security initiatives in the public sector -- and being surprised to find these industries frequently on the leading edge.

On Wednesday, I got the lowdown on a new insider threat initiative at the Department of Defense. (See Government Targets Insider Threat.) The project is unique on several levels. First, it's a system built exclusively around the insider threat, rather than addressing both internal and external attacks, as most large security systems do.

Second, the proposed DOD system challenges the security industry to fill in the holes necessary to build such an enterprise-class system. Today, there are many tools that address the insider threat, from monitoring Website usage to auditing log files. But no single vendor has built a system that covers all of the bases required for insider threat prevention, and that's what DOD is asking for. I applaud them not only for developing a holistic architecture, but for identifying the shortcomings of current products and tasking vendors to step forward with some answers.

OK, the DOD traditionally has been an exception to the "innovator" rule in the public sector, because of its larger budget and the need for an edge on the battlefield. But how about universities? Many of them are breaking chunks of new ground in end-point security, where the unpredictability of student behavior and equipment has forced IT staffers to develop a whole new range of "guest" network security strategies. If network access control (NAC) technology ever catches on, it will quite likely be because university IT staffs paved the way -- even on their shoestring budgets.

Want to talk security compliance? The healthcare industry is one of the leaders. Between the pressures of HIPAA and the real threat of patient record theft, healthcare has left many other industries in the dust. Many retailers still can't spell PCI, but HIPAA compliance is the norm among hospitals and other care providers -- even the ones that are publicly funded.

There are other examples. When it comes to the integration of physical and logical security, for instance, the federal government is paving the way for some new markets. Though implementation has been slow, the HSPD-12 initiative is breaking down barriers between physical security people and IT people, and showing vendors that there is a market for two-factor authentication that works both in the building and at the computer. (See HSPD-12's Toothless Deadline.)

Back in the heyday of networks and e-commerce, most of the "breaking news" came out of commercial industries such as retail and transportation. As we move deeper into the age of security, however, I, for one, am going to be taking a closer look at the folks I used to overlook in those days. They've already given us a lot to think about in the security space.

And I'll bet there's more to come.

— Tim Wilson, Site Editor, Dark Reading
