Jeff Brittain on Public Sector Information Security

Jeff Brittain started out as a programmer/analyst at Hickory Springs Manufacturing and worked his way up to I.T. Manager and then I.T. Director at companies like Corning Cable Systems and Sarstedt, until entering the public sector in Hickory, North Carolina. Jeff Brittain served as I.T. Manager for the county of Hickory for approximately 12 years, where he improved and upgraded the technological infrastructure in place to improve organizational continuity. Today, Jeff holds the Chief Information Officer position across different departments in Gaston County’s public operations located in Gastonia, North Carolina. He shares some insights and challenges in public sector information security.

 

LIFARS: As the Chief Information Officer, what responsibilities make up your days?

Jeff: It is really more of an administrative position than I have been used to in the past. I have worked in smaller companies with a more hands-on approach from the ground level to the top. Our sector is composed of an application development team, a network group, client services, and a service desk. My position is to develop that interdepartmental strategic road map and serve as the overall project manager, while at the same time keeping everyone on task and managing the budget. It is more “sitting at a desk and reading” now than it ever used to be.  

LIFARS: How would you describe your current state of cybersecurity and data management?

Jeff: In local government, everything comes down to budgeted funds. We have the same wants and needs as everybody else. There is always an internal competition for the funds that are available. We are experienced at working with the resources that we have at our disposal. We put some good firewalls in place and hold good security policies. As far as in-house application security, there are oversights on individual installations onto our network that ensure proper accessibility. I believe there are still gaps to fill and room for improvement. We know where we want to be and there is a road map to that goal, but it might take a bit longer than, let’s say, Bank of America to get to that destination. As we speak, we have three security-related projects that are upcoming this year, that is to say if the budget does not change.

LIFARS: What are some key points an organization should hit in planning their strategy for implementation for information security and road mapping?

Jeff: There is no one right or wrong thing that will solve all of your problems. We start off by having good standards. Our default is to lock things down and only open up access to authorized users in order for any individual to complete their designated tasks. We have developed strong policies. When people are terminated, we get them out of the system immediately and disable all their accounts. To break the previous example down, we get notified by the Human Resource Department that an individual was terminated and then it becomes a priority for us to disable the accounts they have access to. This includes their emails, directory, and AS/400. There is no possibility to log back in with their old credentials. It is of note that we have never had anybody do anything malicious. It could be because we are rather different from the private sector in the fact that anybody can walk in off the street and ask for data or reports and we give it to them. We are not developing new products here and we don’t have any kind of marketing strategy to execute. Everything we have is open to the public. There really is no reason for anybody to want to break in, other than just to say they did it. We would give it to you on a CD if you ask for it. Our take on security here is probably not the same as it is in the private sector. It is very open here. The one thing that concerns us the most is that we support the health department so there is HIPAA compliance that is maintained and monitored.

LIFARS: What do you see in the future of information security for your public sector?

Jeff: I go to two conferences in North Carolina for I.T. folks from education to city, county, and state governments; we talk about emerging technologies. Security is always a topic at the conferences. We all have the same needs as the private sector, but we don’t have the same funds. We are typically lagging behind in the security world. Here in Gaston County, a couple of things we are trying to do this coming year is to take a look at security information management log-in tools. We also have some remote users that are coming in through our Citrix environment and being secure that way, but we would like to step that up with two-factor authentication. Those are the first steps we need to take before moving forward.

Jeff left LIFARS with this closing comment:

“It would be nice if we had the same money that the private sector does, but when you manufacture a product or provide a service you can control that. Our income derives from taxes and no one wants to pay more taxes, even if it is for a good cause. We are depending on elected officials to make that recommendation. No elected official wants to be responsible for raising taxes because that will be the last time they are elected. That is our biggest hurdle, trying to do the same thing everybody else is doing, but with less money.”