2018 Partner Program Guide – CRN

The 2018 Partner Program Guide offers the information solution providers need to evaluate IT vendors they work with or are considering working with. The guide is based on detailed applications submitted by over 270 vendors, outlining all aspects of their partner programs.

5-Star Technology Vendors

As part of the Partner Program Guide, CRN designates some programs as 5-Star Partner Programs. Here are the 5-Star designees in key technology spaces for 2018.

5-Star Networking And Unified Communications Vendors

5-Star Emerging Vendors

5-Star Cloud Vendors (Part 1)

5-Star Cloud Vendors (Part 2)

5-Star Security Vendors

5-Star Software Vendors (Part 1)

5-Star Software Vendors (Part 2)

5-Star Storage Vendors

5-Star Peripherals Vendors

5-Star System/Data Center Vendors

Click program names for much more information.
8×8, Inc. ★ ★ ★ ★ ★
8×8 Partner Program / Partner Integr8tion
A10 Networks
A10 Affinity Partner Program
ACC Business
ACC Business
Accelerite Partner Program
Acer Alliance VAR Program
Acronis, Inc
Acronis Partner Program
Acumatica -The Cloud ERP ★ ★ ★ ★ ★
Acumatica Partner Program
ADTRAN Partner Program
Aerohive Networks ★ ★ ★ ★ ★
Aerohive Advantage Partner Program
AireSpring Channel Sales Division
Alaris, a Kodak Alaris Business ★ ★ ★ ★ ★
Alaris Partner Program
AlgoSec ★ ★ ★ ★ ★
AlgoSec Channel Program
AlienVault ★ ★ ★ ★ ★
AlienVault AlienNation
APC by Schneider Electric ★ ★ ★ ★ ★
APC Channel Partner Program
AppDynamics ★ ★ ★ ★ ★
AppDynamics Titan Partner Program
AppRiver, LLC
AppRiver’s Phenomenal Partner
Archive360 Accelerate Partner Program
Arctic Wolf Networks
Apex Partner Program
Aruba, a Hewlett Packard Enterprise company ★ ★ ★ ★ ★
Partner Ready for Networking
Aryaka Networks ★ ★ ★ ★ ★
Aryaka Partner Program
Asigra ★ ★ ★ ★ ★
Asigra Hybrid Partner Program
AT&T Alliance Channel ★ ★ ★ ★ ★
AT&T Alliance Channel
AT&T Partner Exchange ★ ★ ★ ★ ★
AT&T Partner Exchange
Atlassian Partner Program
Attivo Networks
Attivo Networks Partner Program
Autotask Corporation
Autotask Partner Program
Auvik Networks Inc
Auvik Partner Program
Avaya ★ ★ ★ ★ ★
Avaya Edge
Barracuda MSP
Barracuda MSP Partner Program
Barracuda Networks ★ ★ ★ ★ ★
Barracuda Partner Program
Bitdefender ★ ★ ★ ★ ★
Partner Advantage Network
BitTitan Partner Program
BlackBerry Limited ★ ★ ★ ★ ★
Enterprise Partner Program for Solutions Providers
Blue Medora ★ ★ ★ ★ ★
True Visibility Partner Program
BluVector Inc
BluVector Channel Program
BMC ★ ★ ★ ★ ★
BMC Partner Advantage Program
bpm’online ★ ★ ★ ★ ★
bpm’online Partner Program
Broadvoice Partner Program
Brother International Corporation
Brother Authorized Partner Program
Buffalo Americas
Buffalo Americas
BVoIP MSP Partner Program
CA Technologies ★ ★ ★ ★ ★
CA Advantage Partner Program
CA | Veracode ★ ★ ★ ★ ★
Veracode Partner Program
Cambium Networks ★ ★ ★ ★ ★
Carbon Black ★ ★ ★ ★ ★
Carbon Black Connect
Carbonite Inc. ★ ★ ★ ★ ★
Carbonite Partner Program
Catalogic Software
Partner Edge
Centrify ★ ★ ★ ★ ★
Centrify Channel Connect Partner Program
CenturyLink Channel Partner Program
Ciena Corporation ★ ★ ★ ★ ★
Cisco ★ ★ ★ ★ ★
Cisco Channel Partner Program
Cisco Integrator Program
Cisco Lifecycle Advisor Program
Cisco Solution Partner Program
Cisco ★ ★ ★ ★ ★
Cloud and Managed Services Program
Citrix ★ ★ ★ ★ ★
Citrix Partner Network
Citrix Systems, Inc.
WW Education Citrix Authorized Learning Center (CALC)
CloudCheckr ★ ★ ★ ★ ★
Powered by CloudCheckr
CloudHealth Technologies
CloudHealth Cloud Business Accelerator Program
Cloudian Inc.
Cloudian Partner Program
Cloudistics ★ ★ ★ ★ ★
Cogent Communications
Cogent Channel Partner Program
Comcast Business ★ ★ ★ ★ ★
Comcast Business Solutions Provider Program
Commvault ★ ★ ★ ★ ★
Global Partner Advantage Program Manager which includes North American Channel Program
Couchbase ★ ★ ★ ★ ★
Couchbase PartnerEngage
Cox Business
Cox Business Indirect Channel
Cradlepoint ★ ★ ★ ★ ★
Cradlepoint Authorized Channel Partner Program
CTERA Networks
CTERA Cloud Accelerator Channel Program
Cyber Power Systems (USA), Inc.
Channel Partner Alliance
CyberArk ★ ★ ★ ★ ★
CyberArk Global Partner Program
Cyberbit Partner Program
Cylance Inc. ★ ★ ★ ★ ★
Cylance Partner Program
DataCore Software ★ ★ ★ ★ ★
DataCore Premier Partner Program
Datto, Inc. ★ ★ ★ ★ ★
Datto Global Partner Program
DDN Storage
Dell Inc. ★ ★ ★ ★ ★
Dell EMC Partner Program
Delphix Partner Program
DH2i DxAdvantage Channel Partner Program
Diamanti Value Added Reseller Program
DiCentral Channels
DigiCert Certified Partner Program
Digital Guardian ★ ★ ★ ★ ★
Digital Guardian Synergy Partner Program
Digital Shadows ★ ★ ★ ★ ★
Digital Shadows Channel REV Partner Program
Digium, Inc. ★ ★ ★ ★ ★
Digium Partner Program
Docker, Inc.
Docker Business Partners Program
Dome9 Security
Dome9 Cloud Protection Partner Program
Dropbox Partner Network
Druva ★ ★ ★ ★ ★
Eaton ★ ★ ★ ★ ★
PowerAdvantage® Partner Program
Ekahau Partner Program
Epicor Software Corporation ★ ★ ★ ★ ★
Epicor Partner Program
erwin, Inc. ★ ★ ★ ★ ★
erwin Partner Program
ESET ★ ★ ★ ★ ★
ESET Partner Connect Program
Exabeam ★ ★ ★ ★ ★
Exabeam 3D Channel Program
Exasol Partner Program
Extreme Networks ★ ★ ★ ★ ★
Extreme Partner Network
F5 Networks
FireEye, Inc. ★ ★ ★ ★ ★
FireEye Fuel Partner Program
FireMon ★ ★ ★ ★ ★
Ignite Partner Program
Flashpoint ★ ★ ★ ★ ★
Flashpoint Global Channel Partner Program
Flexential Partner Network
Flowmon Networks a.s. ★ ★ ★ ★ ★
Flowmon Channel Partner Program
ForeScout Technologies ★ ★ ★ ★ ★
ForeScout Forward Partner Program
Fortinet, Inc. ★ ★ ★ ★ ★
Fortinet Partner Program
Fuze ★ ★ ★ ★ ★
Fuze Global Partner Program
Gemalto ★ ★ ★ ★ ★
Gemalto Cipher Partner Program
GFI Software ★ ★ ★ ★ ★
GFI Partner Program
Globalscape ★ ★ ★ ★ ★
Globalscape Partner Program
Greenlink Networks
Greenlink Partner Program
GuardiCore, Inc. ★ ★ ★ ★ ★
GuardiCore Partner Program
Hewlett Packard Enterprise ★ ★ ★ ★ ★
HPE Partner Ready
Hitachi Vantara ★ ★ ★ ★ ★
Hitachi TrueNorth Partner Program
Honeywell Safety and Productivity Solutions ★ ★ ★ ★ ★
Honeywell Performance Partner Program
HP, Inc. ★ ★ ★ ★ ★
HP Partner First
IBM ★ ★ ★ ★ ★
IFS ★ ★ ★ ★ ★
IFS Partner Network
IGEL North America ★ ★ ★ ★ ★
IGEL Partner Program
iguazio Systems LTD
The iguazio Channel Partner Program
iland ★ ★ ★ ★ ★
iland Partner Program
Illusive Networks
Illusive Networks Accelerate Partner Program
Imperva ★ ★ ★ ★ ★
Imperva PartnerSphere Channel Program
Impinj, Inc.
Impinj Channel Partner Program
BuildingBLOX Partner Program
Infor ★ ★ ★ ★ ★
Infor Partner Network
Informatica ★ ★ ★ ★ ★
Informatica Partner Program
Intel Corp. ★ ★ ★ ★ ★
Intel® Technology Provider Program
Cloud Advantage Partner Program
Intelisys Partner Program
Intermedia.net, Inc. ★ ★ ★ ★ ★
Intermedia Partner Program
Intsights Partner Program
IOGEAR’s Premier Connections Partner Program
Ivanti ★ ★ ★ ★ ★
Ivanti Partner Program
Ixia, a Keysight Technologies company
Channel Xcelerate Partner Program
Jabra One Partner Program
JASK Answers Partner Network
Juniper Networks ★ ★ ★ ★ ★
Juniper Partner Advantage Program
K2 ★ ★ ★ ★ ★
K2 Ascend Partner Program
Kaspersky Lab ★ ★ ★ ★ ★
Kaspersky Lab Partner Program
KEMP Technologies ★ ★ ★ ★ ★
Partner at KEMP Program
Kenna Security ★ ★ ★ ★ ★
Kenna Security-Partners First
Laserfiche ★ ★ ★ ★ ★
Laserfiche VAR Program
Lenovo ★ ★ ★ ★ ★
Lenovo Partner Program
Lenovo Data Center Group ★ ★ ★ ★ ★
Lenovo Data Center Partner Program
Lexmark ★ ★ ★ ★ ★
Lexmark Connect
LookingGlass Cyber Solutions, Inc. ★ ★ ★ ★ ★
LookingGlass Cyber Guardian Network
Macola Software ★ ★ ★ ★ ★
Macola Unity Partner Program
Malwarebytes ★ ★ ★ ★ ★
Malwarebytes Global Partner Program
Masergy Communications, Inc.
Masergy Global Partner Program
MegaPath Channel Program
Mellanox Technologies ★ ★ ★ ★ ★
Mellanox PartnerFIRST Program
Global Alliance Program
Microsoft Corporation ★ ★ ★ ★ ★
Microsoft Partner Network
Mimecast ★ ★ ★ ★ ★
Mimecast Partner Program
Mist Partner Program
NCR Corporation ★ ★ ★ ★ ★
NEC Display Solutions ★ ★ ★ ★ ★
NEC Partner Net
Nectar Services Corp.
Nectar Partner Program
Nerdio ★ ★ ★ ★ ★
Nerdio Partner Program
NetApp ★ ★ ★ ★ ★
NetApp Partner Program
NetMotion PartnerConnect ★ ★ ★ ★ ★
NetMotion PartnerConnect
Arbor Advantage Partner Program
Neustar Cloud Security Partner Program
Nexsan ★ ★ ★ ★ ★
Nexsan Partner Program
Nintex Partner Network
Nitel Channel Program
Nuspire Networks
NuSecure Partner Program
Alvin Dacosta
Omnitracs ★ ★ ★ ★ ★
Omnitracs Partner Advantage
One Identity ★ ★ ★ ★ ★
One Identity Partner Circle Program
OnRamp Channel Partner Program
OPAQ Networks
OPAQ Channel Partner Program
Opengear ★ ★ ★ ★ ★
Opengear Partner Program
Oracle Corporation ★ ★ ★ ★ ★
Oracle PartnerNetwork Program
Oracle NetSuite
NetSuite Solution Provider Program
OutSystems Partner Program
Palo Alto Networks ★ ★ ★ ★ ★
NextWave Channel Partner Program
Panasas Accelerate Partner Program
Panasonic System Communications Company of North America
Panasonic Authorized Reseller Program, Business Mobility
Panduit ONE Partner Program
Panduit ONE Partner Program
Panzura ★ ★ ★ ★ ★
Panzura Freedom Partner Program
Park Place Technologies
Park Place Technologies Reseller Program
Pax8 ★ ★ ★ ★ ★
Cloud Wingman Partner Program
PC Pitstop
PC Matic Pro Partner Program
Pitney Bowes Software, Inc. ★ ★ ★ ★ ★
Pitney Bowes Software Partner Program
Pivot3 ★ ★ ★ ★ ★
Pivot3 Partner Program
PKWARE Partner Program
PlanetOne Communications, Inc.
PlanetOne Partner Program
Platform9 Cloud Partner Program
Polycom, Inc. ★ ★ ★ ★ ★
Polycom Partner Program
Progress Partner+
Proofpoint Partner Program
PTC ★ ★ ★ ★ ★
PTC Partner Network
Pulse Secure ★ ★ ★ ★ ★
Connect Now Partner Program
Puppet ★ ★ ★ ★ ★
Puppet Partner Network
Pure Storage ★ ★ ★ ★ ★
P3 (Pure Partner Program)
Qlik ★ ★ ★ ★ ★
Qlik Partner Program
QOS Networks
QOS National Channel Program
Quality Uptime Services
Quality Uptime Services Channel Program
Quantum Corporation ★ ★ ★ ★ ★
Quantum Alliance
Quest Partner Circle Program
Qumulo Partner1st Program
Smart Choice Partner Program
Raritan Inc., a brand of Legrand
Raritan Partner Advantage Program
Red Hat Inc ★ ★ ★ ★ ★
Red Hat Connect
RedSeal Partner Program
Revolabs, part of Yamaha UC Department ★ ★ ★ ★ ★
CORE Reseller Program
Ribbon Communications ★ ★ ★ ★ ★
Advantage Partner Program
RIBBON Communications ★ ★ ★ ★ ★
RIBBON Partner Assure Program
RingCentral ★ ★ ★ ★ ★
RingCentral Partner Program
Riverbed Technology ★ ★ ★ ★ ★
Riverbed Rise
RSA ★ ★ ★ ★ ★
RSA SecurWorld
Ruckus Networks ★ ★ ★ ★ ★
Ruckus Ready Channel Program
Sage Partner Advantage Program
Sage Intacct ★ ★ ★ ★ ★
Sage Intacct Partner Program
Salesforce Partner Program
Samsung Electronics America ★ ★ ★ ★ ★
STEP – Samsung Team of Empowered Partners
SAP ★ ★ ★ ★ ★
SAP PartnerEdge Program
Scale Computing ★ ★ ★ ★ ★
Scale Partner Community
Schneider Electric ★ ★ ★ ★ ★
EcoXpert Partner Program
Seceon ★ ★ ★ ★ ★
SecuRIGHT — Cyber Security Done Right!
Reseller Partner Program
SentinelOne, Inc.
SentinelOne Partner Program
Server Technology, a brand of Legrand ★ ★ ★ ★ ★
Power Rewards Partner Program
ServiceKey ★ ★ ★ ★ ★
Independent Service & Maintenance Organization
Sharp Electronics Corporation ★ ★ ★ ★ ★
Sharp Alliance Plus
Siemens MindSphere
MindSphere Partner Program
Siemens PLM Software ★ ★ ★ ★ ★
Siemens PLM Solution Partner – Channel Sales Program
Silver Peak Systems, Inc. ★ ★ ★ ★ ★
Global SD-WAN Channel Program
SingleHop LLC
SingleHop Channel Program
Skybox Security
North America Channel Sales
SkyKick IT Cloud Partner Program
Snow Software Inc. ★ ★ ★ ★ ★
Snow Global Partner Program
SolarWinds MSP ★ ★ ★ ★ ★
SolarWinds MSP Channel Partner Program
SonicWall ★ ★ ★ ★ ★
SecureFirst Partner Program
Sophos ★ ★ ★ ★ ★
Sophos Partner Program
SOTI ★ ★ ★ ★ ★
SOTI Altitude Partner Program
SparkCognition, Inc.
SparkCognition, Inc.
Spectrum Partner Program
Spectrum Partner Program
Splunk ★ ★ ★ ★ ★
Splunk Partner+ Program
Star2Star Communications ★ ★ ★ ★ ★
Star2Star Channel Partner Program
StorageCraft ★ ★ ★ ★ ★
StorageCraft Partner Network
SugarCRM ★ ★ ★ ★ ★
SugarCRM Partner Program
Sungard Availability Services ★ ★ ★ ★ ★
Sungard AS Partner Program
Symantec Corporation ★ ★ ★ ★ ★
Symantec Secure One
SYNNEX Corporation
SYNNEX Corporation
Tech Data ★ ★ ★ ★ ★
Tech Data Practice Builder
Tech Data ★ ★ ★ ★ ★
TeleDomani, Inc.
TeleDomani Partner Program
TetherView Partner Program
Threat Alliance Program
Thycotic ★ ★ ★ ★ ★
Thycotic Partner Program
Tintri Partner Program
Tripp Lite ★ ★ ★ ★ ★
Tripp Lite Partner Program & Premier Partner Program
Trustwave ★ ★ ★ ★ ★
Trustwave Channel Partner Program
Tufin Partner Program
Turbonomic ★ ★ ★ ★ ★
Turbonomic Partnership Program
Unitrends, Inc. ★ ★ ★ ★ ★
Unitrends Partner Program
VASCO Data Security ★ ★ ★ ★ ★
VASCO Partner Program
Veeam Software ★ ★ ★ ★ ★
Veeam ProPartner Program
Veritas Technologies LLC
Veritas Partner Force Program
Verizon ★ ★ ★ ★ ★
Verizon Partner Program
Vertiv ★ ★ ★ ★ ★
Vertiv Partner Program
VIAVI Solutions ★ ★ ★ ★ ★
Velocity Partner Program
VIPRE Partner Program
Virtual Instruments ★ ★ ★ ★ ★
The Virtual Instruments Partner Network (VIPN)
VMware ★ ★ ★ ★ ★
VMware Partner Network
Vonage Business
Vonage Partner Network
WatchGuard Technologies ★ ★ ★ ★ ★
Western Digital – Enterprise ★ ★ ★ ★ ★
Western Digital Enterprise Partner Program
Workfront Partner Network
WTG Partner Program
Xerox Corporation ★ ★ ★ ★ ★
Xerox Global Partner Program
Yeastar Information Technology Co., Ltd.
Yeastar Xcelerate Channel Program
Zebra Technologies ★ ★ ★ ★ ★
Zebra® PartnerConnect
ZeroStack, Inc.
ZeroStack Cloud Innovation Partner Program
Zerto ★ ★ ★ ★ ★
Zerto Alliance Partner (ZAP) Program
Zyxel Communications, Inc.
ZAP – Zyxel Authorized Partner Program

Past Partner Program Guides

2017 | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 | 2010

See Also: 2018 Channel Chiefs

Collaboration and the creation of a new journalism commons – Columbia Journalism Review

Executive Summary

The history of journalism includes many and varied forms of cooperation, as far back as landmark events such as the creation of the Associated Press by five New York newspapers in 1846 to share costs related to the coverage of the Mexican-American War. What sets the current phase of collaboration apart from previous ones is the wide diffusion of networked forms of organization and production, and the transformative impact of these cooperative practices in reshaping the new media world and its underlying social and technological infrastructure as public utilities.

This report explores the gradual development of this phenomenon and the related development of a new commons for journalism, or a collection of shared resources and communities reconfiguring the material and cultural conditions of newswork as a social practice subject to dilemmas that require cooperation. The journalism commons, often going unrecognized in the academic and public discourse on the future of media, offers a framework to make sense of the new schemes of human relations, production, and governance.

Key findings:
  • Network collaboration: The media world emerging from the transformations that occurred in the last decades of the twentieth century—some of them predating the internet and still unfolding—has gradually incorporated a wide array of collaboration powered by digital networks as an essential, pervasive component of the fabric of news. The term “network collaboration” encompasses current and previous practices developed in the last three decades that rely on digital networks to enable the production and sharing of technologies, information, services, and practices through cooperative modes, regardless of their form, as they apply to journalism.This broad definition aims to cover collaboration’s role in the creation of a new shared infrastructure for journalism, and the variety of cooperative practices and processes developed around the material conditions of news production and dissemination.
  • The gradual diffusion of the phenomenon: Four main developments underlie the gradual diffusion of networked forms of collaboration in journalism: 1) the digitization of news media beginning in the mid-1990s and the development of new modes of news production; 2) the wide array of collaborative practices, both internal and with others including the public, adopted by traditional media organizations in the aftermath of the dot-com bubble and through the 2000s; 3) the development near the end of the 2000s of a new model for watchdog journalism that served as a template for a renewed collaborative ethos among different organizations and individuals for investigative reporting; and 4) the ongoing consolidation of a set of partnership strategies in a new era that’s still unfolding.
  • The collaborative age: The distinct feature of the ongoing phase of collaboration, often labeled as collaborative journalism, is the development and open embrace of cooperative production arrangements between news organizations and others, including journalism schools and the public, to generate content that is greater than what any individual journalist, newsroom, or organization could produce on its own. Several reports, as well as individual accounts, have provided snapshots of this phenomenon, but there’s no definitive assessment of its diffusion and impact. Considering the limitations of the data currently available, focused on explicit forms of collaboration between organizations, three core themes emerge:
    • Collaboration as a field repair: A core function of cooperative practices since the late 2000s, collaboration fills the vacuum left by the industrial decline of media and the constant erosion of the conditions for journalism.
    • Shared resources for journalism: The promise of collaboration in the networked era is likely showing its fullest impact in revitalizing investigative reporting through local, national, and international partnerships. These collaborations rely and build on shared resources—public databases, open source technology, networked communities—to fulfill journalism’s core mission. This byproduct of collaboration is increasingly taking on characteristics of a commons, or a shared resource subject to social dilemmas.
    • The expanding role of journalism schools, nonprofit organizations, and other players: A key difference between the current phase of collaboration and the convergence years is the existence of diverse players beyond news organizations that are having a prominent role in fostering, funding, and sustaining partnerships, led by journalism schools and established nonprofit organizations that fully incorporate network collaboration as a structural element.
  • The creation of a new commons: The rise of collaborative practices applied to journalism have led to the development of the journalism commons, an intricate resource system functioning under an open access scheme and hosting critical technological and social components pertaining to journalism. This commons works as a supporting infrastructure for newswork. It is structurally dependent of network collaboration.
  • A preliminary characterization of the journalism commons: Based on the description of other information resources such as the internet and the understanding of media systems as a layered structure, the journalism commons can be characterized as a resource system made of three distinct and intertwined layers —technological, social, and content-based—that contain other resources, or a commons of commons. This commons builds and take on characteristics of the internet as a founding structural element.The building blocks of this system are facilities, the evolving technologies that make digital distributed information possible, including its physical components; artifacts, specific, nameable representations of an idea or set of ideas, stored in facilities; and ideas, non-physical units, not protected by copyright, contained in an artifact. Just as the layered structure description provides an overview of the journalism commons and how it works, this low-level framework enables a careful examination of its building blocks—what individuals or organizations ultimately appropriate or use—and the relations among them.

    This preliminary characterization of the journalism commons as a resource system allows us to further conceptualize some of the most pressing issues affecting journalism as social dilemmas, and identify structural vulnerabilities.
  • The commons as a framework: Connecting news media to the vocabulary of the commons provides a rich framework to analyze the impact of networked forms of collaboration in reshaping the infrastructure for journalism, and think about its future possibilities as social dilemmas that require cooperation. It also helps connect apparently independent phenomena, and devise new collaborative approaches to address structural vulnerabilities limiting the development of the new media world —from net neutrality to systemic market failure and the development of social capital and collective action. Much work is required to further the understanding and the importance of the commons in the new media world, a topic mostly neglected in academic and public discourse.


In the 1990s, scholars noticed how networks were taking on new life beyond their traditional realm. Networks, defined as a pattern of interconnections among a set of things,1 had a prominent role long before the internet in sectors like crafts, where the work tends to be project-based and an assembly line-like workflow is poorly suited compared to a flexible arrangement involving groups with different skills and resources.2 The critical change that researchers recognized was the expanded reach of information networks into new domains powered by the internet.3 Paired with digital technologies, networks departed from their traditional, local nature and became apt for managing large and complex structures—an attribute especially befitting in times of relentless change and technological disruption thanks to their resilience and adaptability.

In the last decades of the twentieth century, there was an upsurge in research on the growing role of networks in enabling phenomena as diverse as migration, entrepreneurship, international trade, and the emergence of a new type of enterprise “built around business projects resulting from the cooperation between different components of different firms.”4 In a broader context of change, networks became the basis of a new social arrangement described by sociologist Manuel Castells as the network society, enabled by digital information and communications technologies.5

Sign up for CJR‘s daily email

The popularization of the internet introduced new conditions for formal and informal collaboration within newsrooms, between organizations, and with the public. In the last three decades, the news media has gradually incorporated a wide array of networked forms of collaboration as an intrinsic component of the peer-production practices that have driven the development of a new technological infrastructure, enabled new forms of editorial work,6 and reformulated how news organizations function and concentrate attention in the digital age.

The diffusion of collaboration is related to another transformative phenomenon: the creation of a new commons for journalism, or a collection of intricate, shared resources reshaping the material and cultural conditions of newswork as a social practice subject to vulnerabilities that require collaboration. The commons offers a framework to make sense of the “new schemes of human relations, production, and governance” emerging in the post-industrial new media world.7

Collaboration is not a new phenomenon in news media. The history of journalism includes varied forms of cooperation embedded in the daily production routines and between news organizations, including landmark events such as the creation of the Associated Press by five dailies in New York in 1846 to share costs and resources related to the coverage of the Mexican-American War. But the novel conditions created by digital technologies to develop new forms of organization and production based on networked forms of collaboration kick-started a new phase. The diffusion of networked forms of collaboration and the related development of the journalism commons is the subject of this report.

Previous research has covered the growing role of collaborative practices in journalism since the late 2000s. This work aims to complement it by providing an overview of the gradual evolution of collaboration since the early days of digital journalism, and its structural role in developing new social and technological conditions for newswork.

In the following sections, I describe how the adoption of the internet introduced novel forms of collaboration and contributed to reshaping the media ecosystem; the main dynamics around this process; and how a broad set of collaborative practices drives the development of the journalism commons. The main motivation for this research is to focus on collaboration as an evolving and pervasive component of digital journalism, and to widen the conversation about its fundamental role in the creation of a sustainable news world.

In the first part, “The Rise of Networked Collaboration,” I summarize how the current form of collaboration, usually described as collaborative journalism, came into being in American media. To do so, I reviewed academic research, essays, and reports on the social, technological, economic, and cultural transformations since the mid-1990s as they relate to the rising new conditions for formal and informal modes of cooperation in news media.

In the second part of the report, “Developing the Journalism Commons,” I examine the impact of networked forms of collaboration through the creation of a new social and technological infrastructure for news. This part builds on the groundbreaking work by the late Elinor Ostrom and the research developed since the 1990s on knowledge and information as resource systems.8

The citations chapter includes the full bibliography collected on the range of topics covered in this research—from the early days of digital journalism to the consolidations of new material and cultural conditions for newswork. Hopefully, this bibliography will be useful for others interested in expanding the role of the commons as a framework for thinking about the current challenges and opportunities for journalism.

The Rise of Network Collaboration

The profound transformations that occurred in the last decades of the twentieth century have reconfigured different aspects of human life, including journalism.i9 These transformations ranged from critical developments in the social and economic conditions around newswork, including the social network revolution10 and opportunities to develop new models of organization,11 to media-specific developments such as the derogation of the Fairness Doctrine (1947–1987) and the ushering in of the cable news era. The post-industrial media world emerging from this vast ecology of changes, some of them predating the internet and still unfolding, has gradually incorporated a wide array of collaborative forms powered by digital networks as an essential and transformative component of the fabric of news.

Collaboration has enjoyed different lives in the context of digital media. In the latest of its several evolutions, it is generally used to describe “a cooperative arrangement (formal or informal) between two or more news and information organizations, which aims to supplement each organization’s resource and maximize the impact of the content produced.”12 I’ll use the term network collaboration throughout this report as a generic concept that encompasses this form as well as previous ones that use digital networks to enable the production and sharing of technologies, information, services, and practices through cooperative modes, regardless of their form, as they apply to journalism.

Following Lisa Gitelman’s model of media as a system operating on two levels—the technology as a medium that enables communication, and the social and cultural practices developed around that technology—this broad definition aims to cover collaboration’s role in the creation of a new technological infrastructure for journalism, and the variety of cooperative practices and processes developed around the material conditions of news production and dissemination.13

Collaboration might be present in one-off and long-term partnerships between different media organizations; in intricate patterns of production within the same organization; in peer production facilitated by the technical infrastructure of the web; in meetups involving journalists and software developers; in radical decentralized modes that facilitate sifting through databases and documents; in arrangements involving nonprofit, public, and commercial media as well as other players such as journalism schools, advocacy groups, and technological platforms; in formal partnerships within large media networks; and in informal ventures loosely coordinated. The term network collaboration aims to capture the full extent of this phenomenon—all types of collaborative practices developed around digital journalism inside the newsroom, between organizations, with the public and individuals—to make it sustainable.ii14

The rise of network collaboration in journalism might seem, with hindsight, expected in the context of the network society, defined as an era of intrinsic collaboration.15 An essential condition of network relationships is that “one part is dependent on resources controlled by another, and that there are gains to be had by pooling resources, sharing and collaborating.”16 But it took a gradual and often troubled evolution for these practices to play a substantial role in the assembly of news. As media researcher W.C. Anderson argues in his analysis of the Philadelphia news ecosystem’s struggles to adapt to the digital age, collaboration involving different organizations between 2007 and 2010 was rare and the result of lengthy bureaucratic negotiations, contrary to the expectations built for the network society.

This pattern seems to fit into the irregular diffusion of networks,17 with different degrees of penetration across the same system, and the expected development of the network enterprise as a gradual process that starts with the adoption of horizontal structures, followed by the cooperation between small and medium businesses “pulling their resources to reach a critical mass,” and finally “the strategic alliance and partnerships between large corporations and their ancillary networks.”18 This process was far from completion when Anderson did his research, and is arguably still ongoing in an irregular fashion across the news ecosystem. This reactive context for the adoption of novel forms of collaboration could also be seen as a sign of a larger problem: the difficult transition to digital media.19

Four main developments can describe the gradual diffusion of networked forms of collaboration in journalism:

  1. The digitization of news media beginning in the mid-1990s and the development of novel modes for news production;
  2. The wide array of practices of collaboration, both internal and with others, adopted by traditional media organizations in the aftermath of the dot-com bubble and through the 2000s;
  3. The development of a new model for the watchdog function by the end of the 2000s that served as a template for a renewed collaborative ethos in investigative reporting based on the alliance of different organizations and individuals;
  4. The ongoing consolidation of a set of partnership strategies into a new era of collaboration currently unfolding.

Digitizing the news

The early days of digital journalism were a time of “feverish activity.”20 In 1993, the first graphical web browser (Mosaic, later Netscape) was released to the public, followed a year later by Microsoft Internet Explorer. By 1996 most news outlets, print and broadcast, had a web presence.21 In a context for traditional media “marked by reactive, defensive and pragmatic traits,”22 news sites featured content that was usually limited to “shovelware”—text, video, or audio repurposed for web publication from its original format without changing substance, a practice that already required significant organizational change.

Experimentation developed on the fringes, and new offerings for the web grew steadily. By the end of the 1990s, U.S. online newspapers exhibited “a range of products, a technical infrastructure and organizational patterns that clearly departed from its print counterparts.”23 Journalism’s initial foray into the web introduced a culture, tools, and cooperative modes of production that set the baseline for network collaboration to develop.iii24

In traditional newsrooms, the diffusion of network collaboration generally occurred within established structures. The industrial, assembly line-like news workflow was dominant and served as a model to explore the unique opportunities offered by the internet: multimedia storytelling combining text, video, and audio; layered information connected through links and tools to navigate it; the opportunity to foster a dialogue with the public and involve it in the news process; and novel narratives and formats such as blogs. Email was adopted as the main form of communication. New routines and intricate patterns of production tested centralized, hierarchical practices, and they gained more relevance in the coming years as the ability to collaborate internally and externally increased dramatically.25

The idea of exploring creative arrangements with other organizations or with the public was in an early stage or not even on the horizon for most legacy media, with notable exceptions such as the legacy tradition of partnerships in local media: projects building on early efforts such as The Whole Earth ’Lectronic Link26—normally shortened to The WELL—launched in 1985 that reimagined computer-mediated communication as virtual communities;27 and the work of organizations outside the mainstream media such as California Media, later New American Media, relying on partnerships with other organizations “as a way to combine the strengths of ethnic media and the intimate knowledge of diverse communities with those of mainstream journalism.”28

Media researcher Pablo Bockzowski’s studies on the early days of The New York Times’s first digital-only section, Cybertimes, a project launched in 1996 to experiment with online narratives, illustrates these early developments through the diffusion of new organizational routines and horizontal structures on the sides of legacy, top-down workflows.29 Bockzowski also documents the Houston Chronicle’s 1995 multimedia efforts, a series of projects combining text, video, animation, and 360-degree photography that exhibit some of the transformations in communication, technology, and organization that were beginning to unfold. The analysis by the same author of New Jersey Online’s Community Connection advances the deep organizational changes and different notions of journalism emerging from projects that considered the public not only a consumer but a potential producer of valuable information, too. These early examples of digital journalism attest to the changes happening on the edges of legacy news organizations in their initial explorations of the web’s potential, and fit into Manuel Castell’s description of the first steps in the evolution of an organization into a network enterprise.30

That being said, the most successful collaborative journalism often requires a departure from past practices and mindsets.31 Perhaps the most illustrative and well-known project of this kind was the Independent Media Center (Indymedia), a collective that grew out of the 1999 World Trade Organization protests in Seattle. This network was built around a set of tools and a decentralized structure to empower on-the-ground observers and “give voice to the voiceless.” It used its own servers and open source content management systems. Local chapters negotiated their own editorial line and code. The interweaving of political activism, a new technological infrastructure, cooperative production, and a decentralized structure represented a radical alternative to the legacy, hierarchy-based production of news.

But the rise of peer production wasn’t a phenomenon limited to organizations outside of mainstream media. This system of collaboration facilitated by the internet had enabled large groups of individuals to cooperate effectively in the creation of new tools, technologies, and social practices that were gradually adopted for newswork, including the internet as a platform for news and flagship developments that became core components of the new infrastructure for journalism such as the Apache web server or the Linux operating system.32 This phenomenon, responding to a new economic logic not relying on market or public incentives, is a pervasive, often overlooked component of the new media world in spite of its profound implications in reshaping the infrastructure for news, and its powerful role in reinventing its social and cultural conditions.iv

Through the next decade, the diffusion of network collaboration in journalism followed three main paths: technological, as a core component of the commons-based infrastructure for newswork; experimental, through the development of decentralized, cooperative modes of production involving participatory communities, individuals, and others; and corporate, or the organizational and partnership strategies that shaped the role of collaboration in traditional media and contributed to the overall networking of the emerging media world. Often these paths would collide, and they would eventually consolidate into a new model for watchdog reporting combining different forms of collaboration as a structural feature.

The convergence years

The assumption in the 1990s was that we were in the midst of the digital revolution. As Nicholas Negroponte and others put it, the internet would “flatten organizations, globalize society, decentralize control, and help harmonize people.”33 But to use Pablo Bockzkowski’s expression, the past survived in the future.34 The networking of an emerging media ecosystem combining both traditional and new components was gradual, multi-layered and non-linear.35 The burst of the dot-com bubble that occurred between 1997 and 2001 opened a new phase for network collaboration driven by the convergence of old and new media, and the deployment of a more explicit role for cooperative practices in traditional media.

Technologies of Freedom, written by Ithiel de Sola Pool, was probably the first book to lay out the concept of media convergence.36 In it, de Sola Pool argues that “a single physical means—be it wires, cables, or airwaves—may carry services that in the past were provided in separate ways. Conversely, a service that was provided in the past by any one medium—be it broadcasting, the press, or telephony—can now be provided in several different physical ways. So the one-to-one relationship that used to exist between a medium and its use is eroding.”37 de Sola Pool anticipated a long period of media transition during which different media systems, combining both legacy and novel elements, would compete and collaborate.

By 2000, when the internet service American Online (AOL) and the media company Time announced “the largest merger in corporate history,” the logic of the convergence became a dominant theme in the conversation about the future of journalism and news organizations. Four years later, Pew Research Center’s first annual report on the “State of the News Media,” published regularly since then, listed convergence as one of the main eight trends shaping the new media world among others such as the existence of diverse journalism standards inside a single news organization, and the shrinking of audiences in some markets.38

Digitization set the conditions for old and new media to collide, a development that required significant organizational change and propelled the diffusion of novel collaborative forms.39 Convergence practices were adopted through five main modes that could be seen as a precedent of today’s dominant forms of collaborative journalism:40

  • Ownership convergence: Refers to partnerships within large media companies for cross-promotion and content sharing. This arrangement can be traced back to the mid-1980s. It didn’t imply shared editorial decisions or other collaborative practices. Media resources (print, television, digital) were usually owned by the same company.
  • Tactical convergence: Partnerships between media properties usually under separate ownership on content, marketing, and revenue strategies. An example would be efforts to sell advertising packages across platforms owned and operated by different companies. The most common model of this partnership was between a TV station and a newspaper in the same local market, a practice that initially characterized the convergence years. Media researcher Rich Gordon traces the adoption of this strategy to the last 1990s.41 In most cases, the main motivation was promotional. It did not produce substantive change in the participant newsrooms.
  • Structural convergence: Practices within the same media company to reorganize the newsroom and introduce new positions. These are changes with a significant impact on internal workflows and production patterns. They continued in the next decade, sometimes in an erratic development as both national and local news organizations seeked new strategies to adapt to the ongoing consolidation of the news market, the shrinking of newsrooms, the rise of social media platforms, novel distribution models and media consumption patterns, and the progressive decline of industrial models.
  • Information gathering, or the use of several devices to capture information such as audio or video recorders by an on-the-ground journalist: This idea of the “backpack” or multimedia journalist was highly controversial in the early 2000s as it was seen as a practice having a negative impact on the quality of journalism and responding to layoffs. This practice continued to evolve with the emergence of social media, a new generation of digital journalists, and new user-friendly devices to easily capture, collaborate, and share information.
  • Presentation convergence: Referring to storytelling practices involving different media formats such as audio, video, and 360-degree photograph to convey a news story.

Because of the wide array of practices included under these modes, data about its diffusion might be misleading.42 One of the earliest attempts to track it, completed in 2002, found that nearly eighty-nine percent of the respondents—members of an association of news directors of radio and television—considered their organizations engaged in some mode of convergence. The most common behavior (seventy percent of respondents) was republishing already existing content on the web. Also, thirty percent of the participants said their radio or television stations produced content for newspapers.

Another work from the early 2000s surveying one newspaper and TV station in each of the U.S.’s top media markets found that eighty-three percent of responding stations and ninety-five percent of newspapers practiced convergence. These figures again included organizations that repurposed content from print or broadcast. Seventy percent of the newspapers and forty-one percent of the TV stations included in the survey reported a partnership with another medium.43

Anderson’s account of the Philadelphia news ecosystem’s struggles in the digital age, referenced earlier, offers an example of how some of these practices unfolded within a large newspaper chain.44 With the collapse of the online economy in the early 2000s and the demands from shareholders to increase profits in the still highly profitable news industry,45 media publisher Knight-Ridder centralized all local services, including its online properties covering Philadelphia. Overall, thirty-three newspaper sites were reduced to thirteen within a year, operated by a few editorial teams using the same ad platform and publishing system. The primary forces behind these changes were managerial and economic over technological or journalistic. Anderson didn’t find the “spontaneous, networked work practices envisioned as the future of digital media production on the web,” but a formal approach following a lengthy organization and planning.46 Most of the changes implemented under these strategies for convergence didn’t last long. Other media firms with multiple news holdings went down a similar path, moving to single publishing platforms to share news and publish ads across nationwide networks.

By the end of 2000s, most of the early practices of convergence were fading,47 though some of them—such as structural convergence, or the reorganization of newsrooms to adapt to new digital workflows and products—continue to be part of the toolkit for adapting to the digital age. The print-TV partnerships trend from the beginning of the 2000s fell into oblivion under new circumstances dominated by the decline in print newspaper readers and ad revenue, and wide cuts in newsrooms. The context for journalism by the end of the 2000s was one of severe economic crisis. The Project for Excellence in Journalism reports 11,000 lost jobs in journalism just in 2008 and 2009, while other estimates are higher.

Radio and television, which had enjoyed profit levels similar or higher to their print counterparts, began pursuing similar staff cuts, with an estimated 1,600 jobs lost in local television between 2008 and 2009. This trend continued in the next years, with the total number of news workers within the industry dropping by around forty percent over the decade, growing drops in circulation and ad revenue, and the systematic erosion of the journalism ecosystem, with entire regions going mostly uncovered.48

Collaboration during the convergence years could be described as one piece of a larger corporate roadmap initially focused on the cooperation between print and broadcast media, and later dominated by ever-increasing financial pressures and organizational struggles. In spite of the limitations of these strategies, shaped by short-term goals and a poor understanding of the emerging news world, these practices had a significant impact in conceptualizing the role of network collaboration in traditional media.

On the organizational side, novel tools and technologies that made some of these strategies possible such as content management systems that standardized the editing process and production workflows became central in blurring the lines between novel and traditional routines and consolidated the importance of digital tools in fostering or hindering collaborative practices in the newsroom. Likewise, the business logic that generally drove the diffusion of these strategies only gained more importance after the 2008 economic crisis, though increasingly with a journalistic purpose, and helped define the role of collaboration as a field repair, a concept that will be further explored later in this report.49

A new model for the watchdog function

The convergence paradigm has a deeper meaning beyond the tactical one often capturing the journalism discourse through the 2000s. It refers to new structural conditions for media “where different forms of what constitutes journalism and the idea of the public collide, where grassroots and corporate media intersect, where the power of the media producer and the power of the media consumer interact in unpredictable ways,” as Henry Jenkins put it in the introduction to Convergence Culture.50

This process, still unfolding, has been critical to the assembly of a new environment for network collaboration within newsrooms, across organizations not limited to news media, and with the public. The partnership between WikiLeaks and other media organizations on the 2010 U.S. embassy cables, as an example, provide us with insights about what this transformation entails.

WikiLeaks, a “stateless news organization,” was founded in 2006 to harness the speed, interactivity, and global reach of the internet “to provide a secure mechanism to anonymously submit information and share it to a global audience.”51 Preaching radical transparency for the access to information pertaining to governmental or corporate affairs, the organization stormed into the journalism scene in 2010 with the publication of several leaks of critical importance for the understanding of current events and international diplomacy—starting with the release of a leaked video on the 2007 U.S. Baghdad airstrike,52 and followed by the Afghan War Logs,53 the Iraq War Logs,54 and the coordinated release of U.S. cables in collaboration with five traditional media organizations in the United States and Europe, and later with many others around the world.55

As researcher Yochai Benkler wrote in a seminal paper on the importance of these events in signaling the sources of resilience and weakness of the emerging networked fourth estate, “the steady flow of confidential materials through an organization that was not part of the familiar ‘responsible press’ was met by increasing levels of angry vitriol from the Administration, politicians, and media commentators,” including prominent voices among its original partners for the distribution and reporting on the US cables.56 These were the days when the leading Republican presidential candidate, Mike Huckabee, called for the execution of WikiLeaks founder, Julian Assange, and media commentators across the political spectrum declared WikiLeaks a major security threat.57

The study of these events has provided us with a fascinating account of the assembly of news in the networked era. What is critical for this report is how these events contributed to further define creative arrangements combining different forms of collaboration to solve complex journalistic production problems. As it happened earlier with Indymedia, WikiLeaks combined an open, participatory culture with a fully decentralized organization.

The collaboration with the public, who was encouraged to anonymously submit leaked documents that shed light on matters of public interest, was possible through a digital system integrated into a structure that shaped a new role for whistleblowing in the digital age. The cooperation with traditional media was articulated through a set of organizational protocols and digital tools to share documents and sift through them with the required confidentiality. Mainstream media offered WikiLeaks a major pathway to getting an important subject to the public, and effect that was amplified by the orchestrated publication of the reporting by legacy newspapers.

A tradition of collaboration in investigative reporting already existed—the Center for Investigative Reporting in Berkeley had been doing collaborative work since 1977 and the Center for Public Integrity since 1989. But the partnership between WikiLeaks and legacy organizations was of a different nature. As described by the French news site Mediapart, it was “a reflection of the new alliance formed by the digital revolution between professionals and amateurs, journalists and activists, news professionals and citizen whistleblowers.”58

The Cablegate signals the emergence of a model of the watchdog function neither purely networked nor purely traditional, but an interaction between the two, with collaboration playing a structural role.59 This arrangement combines the strengths of the network with the reporting tradition. It also consolidated the presence of new computer expertise and tools in legacy newsrooms that had been building up since the 1990s, in this case to develop a secure infrastructure to organize, secure, analyze, and share large databases of documents—on the WikiLeaks side, also to circumvent the multiple attacks it faced to limit its ability to function.

The collaborative age

The deliberate cooperation of two or more newsrooms, along with other players including the public, to collect, share, and sift through documents and databases, and report on the findings, occurred within a larger trend often described as a new era of collaboration in journalism. By the end of the 2000s, cooperation with the competition was arguably becoming “more the rule than the exception.”60 The distinct feature of this ongoing phase is the development and open embrace of cooperative arrangements for news production by news organizations, in collaboration with others including journalism schools and technological platforms, to generate “content that is greater than what any individual journalist, newsroom, or organization could produce on its own.”61 Collaboration in this context has evolved “from experiment to common practice.”62

Recent initiatives such as the SF Homeless Project, involving more than seventy organizations seeking “answers and change” to the problem of homelessness in San Francisco;63 the News Integrity Initiative, a global consortium hosted at CUNY Graduate School of Journalism;64 and Electionland,65 a collective effort to monitor the vote on the 2016 election day, are only three major examples of this emerging pattern. Several reports as well as individual accounts have provided with snapshots of this phenomenon, but there’s no definitive assessment of its diffusion and impact.v

In 2014, Pew Research examined the achievements and challenges of five journalism partnerships taken as a sample to survey the motivations of news outlets to team up together, and the difficulties in sustaining these efforts.66 Economic problems were the main driver for these partnerships. Arrangements usually followed simple, non-bureaucratic terms but were easily derailed for different reasons. Partnerships were (still) not easy to implement between legacy media due to incompatible workflows and tools, such as digital content management systems that couldn’t work together. The projects that fueled engagement with the audience and involved important topics seemed more suitable for collaboration—or at least received more attention by news managers.

This report anticipates that ad-hoc strategies taking full advantage of the distributed nature of the web would be “the next wave” in collaboration. The phenomenon was also expected to grow in the coming years “as nonprofits become more established and credible” and become “an increasing asset to traditional news organizations,”67 a shift that effectively occurred.

The latest report on the current estate of collaboration, published in 2017 by the Center for Cooperative Media at Montclair State University, provides the most comprehensive analysis to date of the current state of collaborative journalism. This report catalogues forty-four ongoing collaborations in the United States involving more than 500 newsrooms and other information providers, and estimates at least two hundred million dollars spent to foster journalistic collaboration since the 2000s.68 This effort describes six main arrangements based on the length of the project and the level of integration of the participants. The self-explaining modes are:

  1. Temporary and Separate, such as the already mentioned SF Homeless Project, where dozens of organizations report independently on the same subject and collaborate in some dissemination practices to concentrate attention around their coverage.
  2. Ongoing and Separate, like the USA Today Network, an organizational effort within the same organization focused on marketing and consumer solutions.vi
  3. Temporary and Co-Creating, such as Documenting Hate, a project led by ProPublica to collect and verify reports on hate crimes and bias incidents, and build a database for others to further investigate these issues.
  4. Ongoing and Co-Creating, such as NPR’s Collaborative Coverage Project, aiming to transform National Public Radio and member station newsrooms into a journalistic network.
  5. Temporary and Integrated, like the award-winning Panama Papers, an international collaboration led by the International Consortium of Investigative Journalists to report of a massive leak from the database of one of the world’s biggest offshore law firm.
  6. Ongoing and Integrated, such as the arrangement involving seven public radio stations in Alaska operating independently on the editorial side but integrating their business efforts.

Several of the forty-four initiatives considered in this research started as one model but evolved into a different one. There are also projects that fall into various categories. In some cases, the differences between some of the projects included in this catalog are minimal when compared to the so-called convergence modes from the previous decade, a circumstance that suggests the overlapping of old and novel practices as the networking of the new media world continues to unfold.

The Center for Cooperative Media at Montclair State University also leads the Collaborative Journalism Database initiative,69 an effort aiming to serve as a central repository on collaborative journalism. A first release of data from January 2018 includes one hundred and eleven entries of news collaborations from more than 800 organizations.70 Projects are classified according to the previous categories.

The database also includes other information such as the starting date of the collaboration, a brief description, list of participants, subject, funding sources, tools used to articulate the work, and success metrics. A very preliminary analysis suggests the wide adoption of a simple technological infrastructure for collaboration developed since the mid-2000s (from Google Docs, launched in 2006, to Slack, available since 2013) and a similar number of projects following formal versus informal agreements.

Considering the limitations of the data currently available, focused on explicit forms of collaboration between organizations in detriment of other arrangements, three core themes emerge from the current phase of network collaboration:

  1. Collaboration as a field repair: A core function of cooperative practices since the late 2000s is to fill the vacuum left by the industrial decline of media and the constant erosion of the conditions for journalism. This notion permeates the discourse on the role of collaboration. The expression “field repair,” mentioned earlier in this report, draws from the sense of “field” as developed by the French scholar Pierre Bourdieu and others as a way “of understanding and explaining the constraints and processes involved in news media production,” and is used here to convey the overall function of collaboration in fixing the media ecosystem.71 The emphasis for traditional media is on filling the gaps left by the still unfolding economic crisis by exploring networked arrangements to reimagine how newsroom and business operations can function in the digital age, expanding their mission and better serving the public. In this context, collaborative practices are still fringe activities for most organizations and don’t touch on core editorial and business routines, but they are becoming a common solution for addressing big challenges and for gaining salience and attention in a news media ecosystem increasingly reliant on opaque technological platforms to reach the public.
  2. Shared resources for journalism: The promise of collaboration in the networked era is probably having its fullest impact in revitalizing investigative reporting through local, national, and international partnerships. The combination of decentralized organizational arrangements—powered by new communication tools such as Slack—and new technological capabilities to collaboratively obtain, mine, and share information seems to be one of the most promising developments in digital journalism. These collaborations rely and build shared resources—public databases, open source technology, networked communities—to fulfill journalism’s core mission. This byproduct of collaboration is increasingly taking on characteristics of a commons, or a resource shared by a group of people independent of particular property rights, and contributing to transform the underlying infrastructure for news production. This is one of the most impactful and transformative effects of collaboration.
  3. The expanding role of journalism schools, nonprofit organizations, and other players: A key differentiator between between the current phase of collaboration and the convergence years is the existence of diverse players beyond news organizations that are having a prominent role in fostering, funding, and sustaining partnerships, led by journalism schools and established nonprofit organizations that fully incorporate network collaboration as a structural element. Major examples of initiatives led by non-traditional organizations include:
    • Electionland and Documenting Hate,72 both hosted and led by Pro- Publica in partnership with national and local organizations, journalism schools, and technological platforms
    • Santa Clara University’s Trust Project,73 a consortium of news organizations and platforms to develop transparency standards to assess the quality and credibility of journalism
    • Stanford Open Policing Project,74 a public repository of national data on police misconduct, elaborated and supported by an interdisciplinary team of researchers and journalists at Stanford University
    • Center for Collaborative Journalism at Mercer University,75 exploring the “teaching hospital” model in partnership with local media, an arrangement also pursued by other journalism schools across the United States
    • MuckRock,76 a nonprofit site that brings together journalists, researchers, activists, and individuals to request, analyze, and share government documents
    • Brown Institute for Media Innovation,77 a collaboration between Stanford University and Columbia University to encourage and support new paths for media media innovation
    • the wide array of collaborative initiatives hosted outside of the traditional news ecosystem to address some of the most pressing issues affecting journalism, such as verification and online propaganda

Foundations have played a critical role in funding, promoting and sustaining these efforts and the overall diffusion of collaborative practices. For example, as quoted in the 2014 Pew Research report already mentioned, the Knight Foundation funded eight pilot collaborations between news outlets and community contributors—though only one participant remained active when the seed money ran out.78 The future role of these organizations as well as new players (startups, ad-hoc nonprofits, journalism schools, civic organizations at the local and national levels, joint efforts exclusively focused on collaboration) in enabling and further developing network collaboration is expected to grow.

Several questions remain open about the current estate of collaborative journalism. One of them is to what extent the arrangements currently in vogue are an evolution of previous modes in a more mature news media ecosystem, with an array of nonprofits and foundations supporting the diffusion of collaborative practices. A related question is whether the current era of collaboration is fulfilling its promise and producing a substantive, lasting change, and what larger impact these practices will have in journalism, in news media, and in serving the public. Are collaborative partnerships producing broader and deeper news coverage, more easily accessed or discovered?79 Can we prove that in a collaborative project the sum is more than the parties?vii

All these question deserve further inquiry in light of the importance that collaboration is gaining, the resources devoted to it, and its role in creating more opportunities for news media under pressure from ever-increasing economic and technological challenges. The second part of this report addresses the issue of impact by examining the critical role of network collaboration in creating a new shared infrastructure for journalism.

Developing the Journalism Commons

Public parks, roads, open squares, and the internet are all examples of commons, or shared resources subject to social dilemmas in which non-cooperation between individuals leads to its deterioration and possible collapse. A commons is the resource and the community that uses and manages it. It is easier to grasp the pervasiveness and relevance of these social and economic structures as public utilities that support varied forms of organization and production than fully characterize their distinct structure and vulnerabilities, especially in complex commons with many dimensions such as the internet.viii

The understanding of this field has changed radically, and its complexity has grown as the focus moved from local, geographically defined natural resources to complex global information commons with many intricate dependencies and no clear boundaries. A full account of this rich discussion is beyond the scope of this report. But it is necessary to briefly introduce the recent intellectual history of this domain in order to fully examine the critical impact of network collaboration in creating and developing a shared, commons-based infrastructure for newswork in the post-industrial media world.80

The once dominant model to conceptualize the commons builds on one of the most cited papers in social science, Garret Hardin’s “The Tragedy of the Commons.”81 In 1968, Hardin published his metaphor of a pasture open to all where each herdsman would try to maximize its personal benefit by keeping as many cattle grazing as possible, ultimately leading to the inevitable depletion of the natural resource. The resulting tragedy, used by Hardin to illustrate the perils of overpopulation and the degradation of the environment, is captured in a famous line: “Ruin is the destination toward which all men rush, each pursuing his own interest in a society that believes in the freedom of the commons. Freedom in a commons brings ruin to all.”

Hardin’s solution was “either socialism or the privatism of the free enterprise,”82 excluding the longstanding existence of the notion of public property in the Western world and traditional group-property regimes.83 In reality, this narrative only applies to a narrowed percentage of cases defined as open access commons. But Hardin’s parable set the terms of the debate for the next two decades, and it has been widely used to rationalize central government control of key resources, to justify privatization of shared resources, and “to paint a disempowering, pessimistic vision of human prospect.”84

The traditional understanding of the commons has also been influenced by other lines of research. One of them is the prisoner’s dilemma, a formal approach that turns Hardin’s tragedy into a set of elements and evaluates their potential combination, showing how in certain circumstances rational individuals might not cooperate, even if it appears it is in their best interest to do so. This model considers three main variables to theorize about the fate of the shared resource—communication and cooperation between the participants, and the personal incentives to seek an individual versus a collective benefit.

Other game theory approaches offer more complex alternatives to the same problem—as with the prisoner’s dilemmas, they all serve as mathematical tools to analyze decision-making in situations with social interdependencies. A third narrative builds on the theory of collective action as developed by Mancur Olson in the 1960s on the difficulties faced by any group of individuals working to provide a public good in an efficient manner, and the possibilities of cooperation. This theory is said to heavily influence Hardin, and is usually at play in the current discourse of the commons along other key concepts such as social capital.85

These models have often provided us with the base for policy, sometimes with disastrous effects.86 But the possible solutions around the collective use and management of shared resources, often opaque by memorable metaphors, are much wider. As Elinor Ostrom wrote in the seminal Governing the Commons, “communities of individuals have relied on institutions resembling neither the state nor the market to govern some resource systems with reasonable degree of success over long periods of time.”87 Empirical research shows how public property and privatization are also subject to failure and in some cases are associated with more degradation than traditional group-property regimes.88

Since the mid-1980s, the combination of disciplines had enabled a deeper understanding of this pervasive phenomenon. Scholars began to untangle the many confusions existing about commons as complex resource systems, and uncover its prominent but often neglected role. Putting it succinctly, the conversation moved from “the solution to a commons is x” to a more nuanced, empirical approach that considers local lore and ad-hoc arrangements.

In the mid-1990s, the attention turned to new or previously ignored core resources for communication such as the internet, public radio, and digital content. It was in this decade when the Library of Congress began to use “commons” and “natural resources” for some books concerned with conservation of natural resources,89 and when scholars and activists called for a new environmentalism for open information in the digital age, threatened by a new enclosure movement that fostered restrictive copyright regimes for information, limiting the development of the networked public sphere.90 Information commons outgrows from the critical role of libraries in safeguarding public knowledge and ensuring wide access to it.

This is the overall context for the rise of the journalism commons in the networked digital age. In spite of its pervasiveness, the potential implications of a shared, commons-based infrastructure for journalism has been mostly neglected in the public discourse on the future of media.

A basic vocabulary on the commons

Through this intellectual journey, covering the last five decades, a technical vocabulary to characterize shared resources has been defined—though different notions still exist as the understanding of this domain continues to evolve.91 In this report I follow the terminology building on Elinor Ostrom’s work,92 who had a seminal influence in evolving the research on the commons into a multidisciplinary, empirical approach. This is not to assume that the Ostrom school has prevailed and that other points of view are not relevant. But for the sake of simplicity, this vocabulary provides with a comprehensive and accessible framework to think about the impact of collaboration in developing the journalism commons, and can serve as the base for a first attempt to characterize this critical relation.

Researchers make a basic differentiation between commons as a resource system, also called common-pool resources, and as a property rights regime. Common-pool resources, natural or human-produced, have two main characteristics: the exclusion of beneficiaries is especially difficult and costly, and the exploitation by some of the users reduces the availability of the resource for others. Social dilemmas affecting resource systems include overuse, congestion, pollution, and free riding, referring to the use of the resource by some of its beneficiaries without contributing to the costs of providing, maintaining, and regulating it.

A resource systems such as the journalism commons can consist of multiple goods—excludable and non-excludable, rivalrous and non-rivalrous—and still have many characteristics of a commons. A good or service is excludable if it is possible to prevent consumers who have not paid for it from having access to it, and is non-excludable if non-paying consumers cannot be prevented from accessing it. If a good can be used and consumed by many individuals concurrently it is is non-rivalrous.

In the opposite situation, when a good cannot be consumed by many individuals at the same time, is classified as rivalrous. Hardin’s tragedy considered two possible property rights regimes to prevent the degradation and the inevitable collapse of the pasture—privatization or governmental property. But there are two additional forms neglected by this view. These are open access, such as the pasture in Hardin’s metaphor or the internet, characterized for the absence of enforced property rights; and group property, when the rights of the resource are held by a group who can exclude others to use it.93

There is a large variation of common-pool resources, patterns of use, and types of users, and no definitive evidence that favors any property right over the others as the best suited.94 What the systematic, empirical research on natural resources has yielded is a set of general principles that are associated with a better performance of shared resources, such as the existence of rules devised and managed by the beneficiaries; simple systems to monitor its compliance and impose sanctions; different institutions to deal and regulate with the resource in all its dimensions, such as local versus regional; and procedures for revising the rules.

Lessons from extensive case studies of local and regional natural common-pool resources are encouraging. Pasturelands, woodlands, fisheries, and other natural resources have long been shared and used in common by local people as a combination of particular environmental characteristics, social conditions, and technological factors.95 In highly complex systems, such as the internet or the journalism commons, it is extremely challenging to devise optimal rules and institutions to monitor them.

The critical role of collaboration

This introduction to the current conceptualization of the commons and its vocabulary serves as the base for a first attempt to characterize the shared infrastructure for journalism and its structural dependence of network collaboration. Based on the description of other information resources such as the internet and the understanding of media systems as a layered structure, the journalism commons can be described as an intricate resource system, functioning under an open access regime, with both local and global dimensions, and hosting all components and social activities pertaining to journalism.96 It is made of three distinct and intertwined layers containing other resources—or a commons containing other commons—that build and take on characteristics of the internet as a founding, structural element.

The first layer is the technological commons, the physical infrastructure and the technologies to collect, store, and organize digital information. It includes the code that regulates the cascade of operations involving digital information, the elements required for commercial transactions and services, and the different media technologies used to capture, produce, manipulate, and disseminate digital data, both open source and proprietary. The internet and its related technologies are incorporated in this layer as an essential component of the infrastructure for news, with all its related technologies, components, and dilemmas.

The technological commons is a critical driver of change in the journalism commons. It can transform how elements flowing through the resource are captured and used by the users, the overall rules regulating it, and expand or limit the community of users and how they access and utilize the resource. Critical segments of the technological commons are a result of past and ongoing commons-based practices of production, occurring when there are no exclusive rights to organize the productive effort or capture its value, and cooperation is achieved through social mechanisms other than market or managerial directions.97 This is the case for open web standards, the core internet protocols, unlicensed spectrum, and the wide array of free and open source software (FOSS) used for news production and dissemination.

By the end of the 2000s, FOSS accounted for between sixty-five percent and seventy percent of the web server software market, about eighty percent of server-side scripting languages, and serves as the base for the widely adopted Android operating system and the web browser Firefox.98 The technological commons illustrates the essential role of networked forms of collaboration, through commons-based production, in building the technological infrastructure for journalism. This is the result of the cooperative work of “the connected,” or “those who have built and are building the internet that we have come to know.”99

The second layer of the journalism commons is the social commons, created by the use of the resource by individuals and groups. This layer is not always included in models describing media systems. But it seems critical to capture the social nature of journalism, including the relation with the public, intricate workflows and production patterns, and the many cooperative arrangements and forms described in the first part of this report.100 Collaboration is how journalism works. This social nature of the social commons has been defined in the academic literature as “the commoning,” and is increasingly seen as an essential attribute.

The social commons intersects with the technological commons through social production practices, as the logic that fostered the collaborative creation of critical segments of the digital infrastructure for media that expanded to other activities including the production of specific tools, software and other resources for news production and dissemination, and the development of social practices for editorial work.

The third and final layer is the content commons, or the information hosted in this system. Its possibilities are shaped by the technological and the social layers. Network collaboration enables new ways to cooperatively generate information, sometimes also functioning as a structural resource for others to report and to further investigate public affairs, meeting in this case the function of a technology. This type of hybrid good with several functions illustrates one of the main characteristics of the journalism commons—it hosts components with dual attributes, such as physical and digital, often distributed across different layers and evolving as they flow through different points of the system. Critical dilemmas such as enclosure, erosion, or pollution can emerge in some of these intersections through changes in any of the three layers.

This multi-layered, complex resource system can be characterized in detail using a framework for information resources that classifies its components as facilities, artifacts, or ideas.101 If the layered structure description provides us with an overview of the journalism commons and how it works, these terminology complements it by enabling a careful examination of its building blocks—what individuals or organizations ultimately appropriate or use—and the relations among them. This low-level framework allows for further conceptualizing some of the most pressing issues affecting journalism as social dilemmas, identifying structural vulnerabilities, and refining the examination of the impact of network collaboration in the development of a shared, sustainable infrastructure for newswork:102

  • Facilities are the evolving technologies that make digital distributed information possible, including its physical components. They store artifacts and make them available in the system. The properties and attributes mentioned in the description of the technological layer applies to facilities, including the foundational role of networked practices of collaboration.Examples of facilities are digital repositories such as online newspapers and magazines, and the internet and its underlying technologies and protocols, including its physical infrastructure such as servers, routers, and wires. They can have physical limits, such as being able to host a limited number of concurrent users or the amount of information that can effectively travel through a digital network.There are critical dilemmas associated with these components with important implications for policy regulation, often not receiving enough attention in the journalism discourse. For example, net neutrality—the idea that internet service providers should treat all data that travels over their networks fairly, without improper discrimination in favor of particular apps, sites, or services103—can be conceptualized as a social dilemma involving specific facilities of the journalism commons, how they are appropriated and used, and whether they serve to a few users or to the whole collective.Another related example would be the digital divide, or the technology gap that prevents users from accessing the internet on fair terms due to the combination of the cost of an unrestricted, neutral internet connection, and the absence of critical facilities in less populated regions due to lack of market incentives, still a major problem for American society.104Overall, facilities bring to the forefront core questions such as who owns and regulates the different digital and physical resources that populate the system and are used and appropriated by its beneficiaries, how particular property rights regimes can alter the proper functioning and sustainability of the whole resource, and the essential role of collaboration both in creating and managing the building block of the commons, addressing vulnerabilities, and securing its long-term viability.
  • Artifacts are a specific, nameable representation of an idea or set of ideas. They are stored in facilities and flow through the resource. The description of the content layer applies to artifacts. Their flow through the system is more complex than in natural resources due to the combination of both physical and virtual characteristics. Digital information can be subject to dilemmas such as congestion (pollution), but usually not to erosion (deterioration) in the same way that physical information artifacts. Users can usually be excluded from using them at some point (enclosure), but this process is more complex and less transparent than with natural resources.The use of digital artifacts—an article, a movie, an image, a PDF file—can be limited based on the capacity of the facilities hosting them or the logic defined in the system, for example, to prioritize some piece of information over others (the net neutrality problem), or the property rights regime in use. They vary in their durability, and can evolve during their transit—a trait of the journalism commons already mentioned. In the same way that an excessive amount of artifacts is associated with key information problems such as congestion, resulting in overwhelming the end user and the loss of value for information goods flowing through the system, the opposite problem is also a commons dilemma.The growing problem of news deserts, resulting from local newspapers shutting down its operations across the country, can be conceptualized using this framework as the combination of a lack of market incentives and investment on facilities to guarantee the flow of the system at the local and national levels. This market failure is not foreign to journalism, as noted by media researcher Victor Pickard, the history of American media is in many ways a history of market failure.105 The commons offers a way to think about these problems beyond private or public arrangements.
  • Ideas are non-physical units, not protected by copyright, contained in an artifact. An example would be the thesis of an article, or the outcome of a journalistic investigation. The overall functioning of the system has also an impact on the availability of ideas. This is a critical aspect of property rights regimes—the balance between protecting them and guaranteeing the free flow of ideas required for the system to keep functioning and serve as a platform for new ideas. Another problem is the poor quality of information, or the pollution of the system due to new strategies of overwhelming and propaganda, resulting also in the decay of the system.

The discourse of the commons is at once descriptive, “because it identifies models of community governance that would otherwise go unexamined,” and constitutive, because it gives us a language to build new communities and resources based on principles of the commons.106 Connecting news media to the notion and the vocabulary of shared resources subject to social dilemmas provides with a rich framework to analyze the impact of networked forms of collaboration in reshaping the infrastructure for journalism, and think about its future possibilities. It also helps connect apparently independent phenomena, and devise new collaborative approaches to address structural vulnerabilities limiting the development of the new media world—from net neutrality to systemic market failure and the development of social capital and collective action. Much work is required to further the understanding and the importance of the commons in the new media world, a topic mostly neglected in the academic and the public discourse.


The period covered in this report—the first three decades of digital journalism—could be described as a constitutive moment in the creation of media.107 Sociologist Paul Starr explains this phenomenon as an episodic process that reflects “the particular conjuncture of forces and ideas at the moment when a political upheaval takes place, a new technology is introduced, or some other event reopens settled institutional patterns.” The profound social, cultural, economic, and political transformations happening in the last decades of the twentieth century is the context for network collaboration to rise and evolve in journalism as a collection of formal and informal, implicit and explicit arrangements. After three decades of gradual, non-linear evolution beginning with the digitization of news media in the mid-nineties, the assumption is that a new era of collaboration in journalism is unfolding.

Traditional news media, nonprofit organizations, journalism schools, and other information producers are taking advantage of opportunities created by the combination of decentralized, networked, and traditional models for news production and dissemination to work together, create shared resources, and advance their work. The cooperation of multiple organizations and individuals to address journalistic challenges is happening at a scale that no single organization could replicate by itself.108

These arrangements are helping to alleviate the impact of the economic crisis, fostering new ways to expand journalism’s core mission, and contributing to reconfigure the media ecosystem through the creation of a new commons-based shared infrastructure for newswork. A first attempt to characterize this resulting journalism commons—an open access resource system with a technological, social, and content layers made of facilities, artifacts, and ideas—uncovers a social, economic, and cultural form that is unfolding in front of us.109

Looking at the impact of collaboration in creating the journalism commons allows us to connect apparently disconnected resources and phenomena and introduce new questions to media organizations, journalism schools, foundations, and other organizations involved in news production and dissemination, and interested in its long-term sustainability. The issues at play in the journalism commons, as in any commons regardless of its nature, are equity, or issues of equal appropriation contribution, and maintenance of the resource; efficiency or the issues affecting the optimal production, management and use of the resource; and sustainability or the outcome in the long term.110 A model for journalism based on the commons opens new creative ways to think through these long-term issues, and puts collaboration as a structural element of the future of news.


A number of people have contributed to this report. Heather Bryant and Tana Oshima edited the first draft and made essential suggestions to improve it. Jon Keegan and Kathy Zhang, from the Tow Center for Digital Journalism at Columbia University, supported this research through 2017. Abigail Hartstone made a thorough review of the final draft and proposed critical changes to make it more consistent and appealing. Luis Melgar contributed the two graphics. This report builds on the recent research on collaboration from the Center for Cooperative Media at Montclair State University and the American Press Institute, and the seminal work on the commons developed by Elinor Ostrom, Charlotte Hess, Carol M. Rose, Yochai Benkler, Lawrence Lessig, and others. Discussions on independent media in the early days of First Look Media in San Francisco with Debbie Cohen, Dino Anderson, and Lise Woods Fink kick-started the project. Many other colleagues—John Temple, Tran Ha, Martin Kotynek, Andrew Losowski, María Sánchez, Dan Gillmor, and others—contributed through informal conversations about journalism. Their opinions have also shaped this report.


  1. “Toward the end of the second millennium of the Christian era, several events of historical significance transformed the social landscape of human life. A technological revolution, centered around information technologies, began to reshape, at accelerated pace, the material basis of society.”
  2. A similar distinction has been used to describe network journalism as “a structural concept, referring to the whole of the global journalism sphere in which roles of journalists de facto change, but even more importantly a new organizational framework is taking shape in which journalistic outlets operate.”
  3. The hacker culture provided the technological foundations, and the communitarian culture linked to the aftermath of the 1960s counterculture movements shaped its social forms, processes, and uses.
  4. The importance of peer production is further explored in the second part of this report regarding its critical role in the development of the journalism commons.
  5. The Center for Cooperative Media at Montclair State University is currently building a database on journalism collaborations aiming to fill this gap.
  6. From a Gannet press release.
  7. This question was posed by Liza Gross from the Solutions Journalism Project in the first Collaborative Journalism Summit, held at Montclair State University on May 4–5, 2017.
  8. The idea of the commons has been used before in the context of journalism. For example, the discussion around the public journalism movement in the mid-1990s referred to the American newspapers as “the public conversational commons” in Jay Black, ed., Mixed News: The Public, Civic, Communitarian Journalism Debate (New York: Routledge, 1997). Also, see Lawrence Lessig, The Future of Ideas (New York: Vintage Book, 2001).


  1. David Easley and John Kleinberg, Networks, Crowds, and Markets: Reasoning About a Highly Connected World (New York: Cambridge University Press, 2010).
  2. Walter W. Powell, “Neither Market, nor Hierarchy: Network Forms of Organization,” Research in Organizational Behavior, no. 12 (1990): 295–336, https://www.researchgate.net/publication

  3. Manuel Castells, The Rise of the Network Society (Cambridge, MA: Blackwell Publisher, 1996).
  4. Manuel Castells, The Internet Galaxy (New York: Oxford University Press, 2001).
  5. Manuel Castells, The Rise of the Network Society.
  6. Jeff Howe, Aleszu Bajak, Dina Kraft, and John Wihbey, “Collaborative, Open, Mobile: A Thematic Exploration of Best Practices at the Forefront of Digital Journalism,” Working paper, May 26, 2017, https://ssrn.com/abstract=
  7. David Bollier and Silke Helfrich, eds., The Wealth of the Commons: A WorldBeyond Market and State (Amherst, MA: Levellers Press, 2013).
  8. Charlotte Hess and Elinor Ostrom, Understanding Knowledge As a Commons (Cambridge, MA: MIT Press, 2007).
  9. Manuel Castells, The Rise of the Network Society.
  10. Lee Rainie and Barry Wellman, Networked: The New Social Operating System (Cambridge, MA: MIT Press, 2012).
  11. Yochai Benkler, The Wealth of Networks: How Social Production Transforms Markets and Freedom (New Haven, CT: Yale University Press, 2006).
  12. Sarah Stonbely, “Comparing Models of Collaborative Journalism,” Center for Cooperative Media, September 29, 2017, https://centerforcooperativemedia.org/new-research-comparing-models-collaborative-journalism-released-sept-29/.
  13. Lisa Gitelman, Always Already New: Media, History, and the Data of Culture (Cambridge, MA: MIT Press, 2008).
  14. Ansgard Heinrich, Network Journalism: Journalistic Practice in Interactive Spheres (New York: Routledge, 2011).
  15. Manuel Castells, The Rise of the Network Society.
  16. Walter W. Powell, “Neither Market, nor Hierarchy: Network Forms of Organization.”
  17. Laurel Smith-Doerr and Walter W. Powell, The Handbook of Economic Sociology (New York: Princeton University Press, 2005).
  18. Manuel Castells, The Internet Galaxy.
  19. C.W. Anderson, Rebuilding the News: Metropolitan Journalism in the Digital Age (Philadelphia: Temple University Press, 2013).
  20. Pablo Boczkowski, Digitizing the News: Innovation in Online Newspapers (Cambridge, MA: MIT Press, 2004).
  21. Mark Deuze, “Journalism and the Web: An Analysis of Skills and Standards in an Online Environment,” Gazette, no. 5 (1999): 373–390, https://doi.org/10.1177/0016549299061005002.
  22. Pablo Boczkowski, Digitizing the News: Innovation in Online Newspapers.
  23. Ibid.
  24. Manuel Castells, The Internet Galaxy.
  25. Clay Shirky, Here Comes Everybody (New York: The Penguin Press, 2008).
  26. Howard Rheingold, The Virtual Community (Cambridge, MA: MIT Press,1993).
  27. Fred Turner, From Counterculture to Cyberculture: Stewart Brand, The Whole Earth Network, and the Rise of Digital Utopianism (Chicago: University ofChicago Press, 2006).
  28. Sarah Stonbely, “Comparing Models of Collaborative Journalism.”
  29. Pablo Boczkowski, Digitizing the News: Innovation in Online Newspapers.
  30. Manuel Castells, The Internet Galaxy.
  31. Martha Hamilton, “All Together Now: News Partnerships Increase in Digital Age,” American Journalism Review, May 18, 2015, http://ajr.org/2015/05/18/all-together-now-news-partnerships-increase-in-digital-age/.
  32. Yochai Benkler and Helen Nissenbaum, “Commons-Based Production and Virtue,” Journal of Political Philosophy, no. 4 (December 2006): 394–419, http://onlinelibrary.wiley.com/doi/10.1111/j.1467-9760.2006.00235.x/abstract.
  33. Nicholas Negroponte, Being Digital (New York: Knopf, 1995).
  34. Pablo Boczkowski, Digitizing the News: Innovation in Online Newspapers.
  35. Mark Granovetter, “Economic Action and Social Structure: The Problem of Embeddedness,” American Journal of Sociology, no. 3 (November 1985): 481–510, https://www.jstor.org/stable/2780199?seq=1#page_scan_tab_contents.
  36. Henry Jenkins, Convergence Culture: Where Old and New Media Collide (New York: New York University Press, 2006).
  37. Ithiel de Sola Pool, Technologies of Freedom (Cambridge, MA: Belknap Press, 1983).
  38. “State of the News Media,” Pew Research Center, 2004, http://www.pewtrusts.org/en/research-and-analysis/reports/2004/03/15/the-state-of-the-news-media-2004.
  39. Henry Jenkins, Convergence Culture: Where Old and New Media Collide.
  40. Rich Gordon, Digital Journalism: Emerging Media and the Changing Horizons of Journalism (New York: Rowman & Littlefield Publishers, 2003).
  41. Ibid.
  42. Leslie-Jean Thornton and Susan M. Keith, “From Convergence to Webvergence: Tracking the Evolution of Broadcast-Print Partnerships through the Lens of Change Theory,” Journalism & Mass Communication Quarterly, no. 2 (June 2009): 257–276, http://journals.sagepub.com/doi/abs/10.1177/107769900908600201.
  43. Ibid.
  44. C.W. Anderson, Rebuilding the News: Metropolitan Journalism in the Digital Age.
  45. Juan González and Joseph Torres, News for All the People: The Epic Story of Race and the American Media (New York: Verso, 2011).
  46. Pablo J. Boczkowki and C.W. Anderson, Remaking the News: Essays on the Future of Journalism Scholarship in the Digital Age (Cambridge, MA: MIT Press,2017).
  47. Leslie-Jean Thornton and Susan M. Keith, “From Convergence to Webvergence: Tracking the Evolution of Broadcast-Print Partnerships through the Lens of Change Theory.”
  48. Victor Pickard, “The Great Evasion: Confronting Market Failure in American Media Policy,” Critical Studies in Media Communication, no. 2 (June 2014):153–159, https://doi.org/10.1080/15295036.2014.919404.
  49. Lucas Graves and Magda Konieczna, “Sharing the News: Journalistic Collaboration As a Field Repair,” International Journal of Communication (January 2015): 1966–1984, https://www.researchgate.net/publication/313750807_Sharing_

  50. Henry Jenkins, Convergence Culture: Where Old and New Media Collide.
  51. Benedetta Brevini, Arnie Hintz, and Patric McCurdy, eds., Implications for the Future of Communications, Journalism and Society (New York: PalgraveMcMillan, 2013).
  52. Collateral Murder, https://collateralmurder.wikileaks.org/.
  53. Afghan War Logs, https://wikileaks.org/afg/.
  54. Iraq War Logs, https://wikileaks.org/irq/.
  55. Public Library of US Diplomacy, https://search.wikileaks.org/plusd/.
  56. Yochai Benkler, “A Free Irresponsible Press: WikiLeaks and the Battle Overthe Soul of the Networked Fourth Estate,” Harvard Civil Rights–Civil Liberties Law Review, no. 2 (2011): 311–397, https://dash.harvard.edu/handle/1/10900863.
  57. Ibid.
  58. Benedetta Brevini, Arnie Hintz, and Patric McCurdy, eds., Implications for the Future of Communications, Journalism and Society.
  59. Ibid.
  60. Brant Houston, “Collaborations Spread Quickly, Giving Stories a Broader Reach,” IRE Journal, Spring 2010, https://www.ire.org/publications/ire-journal/search-journal-archives/2029/.
  61. Sarah Stonbely, “Comparing Models of Collaborative Journalism.”
  62. Ibid.
  63. SF Homeless Project, https://sfhomelessproject.com/.
  64. News Integrity Inititive, https://www.journalism.cuny.edu/centers/news-integrity-initiative/.
  65. ElectionLand, https://projects.propublica.org/electionland/.
  66. Rick Edmonds and Amy Mitchell, “Journalism Partnerships: A New Era of Interest,” Pew Research Center, December 4, 2014, https://mediaimpactfunders.org/journalism-partnerships-a-new-era-of-interest/.
  67. Ibid.
  68. Sarah Stonbely, “Comparing Models of Collaborative Journalism.”
  69. Database: Search, Sort and Learn about Collaborative Journalism Projects from around the World, https://collaborativejournalism.org/database-search-sort-learn-collaborative-projects-around-world/.
  70. Ibid.
  71. Rodney Benson and Erik Neveu, Bourdieu and the Journalistic Field (Malden, MA: Polity Press, 2005).
  72. Documenting Hate, https://projects.propublica.org/graphics/hatecrimes.
  73. The Trust Project, https://thetrustproject.org/.
  74. Stanford Open Policy Project, https://openpolicing.stanford.edu/.
  75. Center for Collaborative Journalism, https://ccj.mercer.edu/.
  76. Muckrock, https://www.muckrock.com/about/.
  77. Brown Institute for Media Innovation, https://brown.columbia.edu/.
  78. Rick Edmonds and Amy Mitchell, “Journalism Partnerships: A New Era of Interest.”
  79. Ibid.
  80. Charlotte Hess and Elinor Ostrom, “Ideas, Artifacts and Facilities: Information As a Common-Pool Resource,” Law and Contemporary Problems, no. 11(2011): 111–145, https://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=1276&context=lcp.
  81. Garret Hardin, “The Tragedy of the Commons,” Science, no. 3859 (December 1968): 1243–1248, http://science.sciencemag.org/content/162/3859/1243.
  82. Elinor Ostrom, Joanna Burger, Christopher B. Field, Richard B. Norgaard, and David Policansky, “Revisiting the Commons: Local Lessons, Global Challenges,” Science, no. 5412 (April 1999): 278–282, http://science.sciencemag.org/content/284/5412/278.full.
  83. Carol M. Rose, “The Comedy of the Commons: Commerce, Custom, and Inherently Public Property,” University of Chicago Law Review, no. 3 (1986): 711, http://digitalcommons.law.yale.edu/fss_papers/1828/.
  84. Elinor Ostrom, Governing the Commons: The Evolution of Institutions for Collective Action (New York: Cambridge University Press, 1990).
  85. Mancur Olson, The Logic of Collective Action: Public Goods and the Theory of Groups (Cambridge, MA: Harvard University Press, 1971).
  86. Elinor Ostrom, Governing the Commons: The Evolution of Institutions for Collective Action.
  87. Ibid.
  88. Digital Library of the Commons at Indiana University, full database of case studies, https://dlc.dlib.indiana.edu/dlc/.
  89. Bonnie J. McCay, The Commons in the New Millennium: Challenges and Adaptation (Cambridge, MA: MIT Press, 2003).
  90. Lawrence Lessig, The Future of Ideas: The Fate of the Commons in a Connected World (New York: Vintage, 2001).
  91. Bonnie J. McCay, The Commons in the New Millennium: Challenges and Adaptation.
  92. Elinor Ostrom, Governing the Commons: The Evolution of Institutions for Collective Action.
  93. Francesco Parisi, Oxford Handbook of Law and Economics: Private and Commercial Law (Oxford, UK: Oxford University Press, 2017).
  94. Bonnie J. McCay, The Commons in the New Millennium: Challenges and Adaptation.
  95. Joanna Burger, Elinor Ostrom, Richard B. Norgaard, David Policansky, and Bernard D. Goldstein, Protecting the Commons: A Framework for Resource Management in the Americas (Washington, DC: Island Press, 2001).
  96. Charlotte Hess, “The Virtual CPR: The Internet as a Local and Global Common Pool Resource,” Fifth Annual Meeting of the International Association for the Study of the Common Property, Syracuse University, 1995, https://www.researchgate.net/publication/45530367_

  97. Yochai Benkler, “Commons-Based Strategies and the Problems of Patents,” Science, no. 5687 (August 2004): 1110–1111, http://science.sciencemag.org/content/305/5687/1110.full.
  98. Francesco Parisi, Oxford Handbook of Law and Economics: Private and Commercial Law.
  99. Lawrence Lessig, The Future of Ideas: The Fate of the Commons in a Connected World.
  100. Todd Sandler, Collective Action: Theory and Applications (Ann Arbor, MI: University of Michigan Press, 1992).
  101. Charlotte Hess and Elinor Ostrom, “Ideas, Artifacts and Facilities: Information as a Common-Pool Resource.”
  102. Elinor Ostrom, Governing the Commons: The Evolution of Institutions for Collective Action.
  103. Electronic Frontier Foundation, https://www.eff.org/issues/net-neutrality.
  104. Pablo J. Boczkowki and C.W. Anderson, Remaking the News: Essays on the Future of Journalism Scholarship in the Digital Age.
  105. Ibid.
  106. Charlotte Hess and Elinor Ostrom, Understanding Knowledge As a Commons.
  107. Paul Starr, The Creation of the Media: Political Origins of Modern Communications (New York: Basic Books, 2004).
  108. Yochai Benkler, “A Free Irresponsible Press: WikiLeaks and the Battle Over the Soul of the Networked Fourth Estate.”
  109. Charlotte Hess and Elinor Ostrom, Understanding Knowledge As a Commons.
  110. Ibid.

Carlos Martínez de la Serna is a fellow at the Tow Center for Digital Journalism, and a journalist and researcher based in New York City.

Study: Healthcare Lags Other Industries in Digital Transformation, Customer Engagement Tech – Healthcare Informatics

Last week, Michael Millenson, president of Health Quality Advisors LLC, and an associate professor of medicine at Northwestern University’s Feinberg School of Medicine, authored a thought-piece in the online publication STAT, entitled, “Google is quietly infiltrating medicine—but what rules will it play by?” Millenson looked at the emerging landscape in healthcare around the accelerating participation of healthcare consumers in using web search, consumer-facing apps, and other tools, to help them educate themselves about personal health and healthcare delivery issues, as well as the emergence of a number of corporations, including Google, Amazon, and Apple, as disruptors in the healthcare world—both as innovators in technology, as well as, increasingly, players in the care management and care delivery arenas.

“If ‘data is the new oil,’ as the internet meme has it, Google and its Big Tech brethren could become the new OPEC,” Millenson wrote on January 3. “Search is only the start for Google and its parent company, Alphabet. Their involvement in health care can continue through a doctor’s diagnosis and even into monitoring a patient’s chronic condition for, essentially, forever.”

Meanwhile, Millenson wrote, “Suppose you’re worried that you might have diabetes. Googling ‘diabetes’ brings up not just links but also a boxed summary of relevant information curated by the Mayo Clinic and other Google partners. Google recently deployed an app enabled with artificial intelligence for remote professionals to use that can all but confirm diabetes-related retinopathy, a leading cause of blindness. Diabetes is also a diagnosis your doctor might have predicted using more Google AI applied to the electronic health record. Meanwhile, a Google joint venture called Onduo recently announced a partnership to allow a major pharmacy chain to use its “virtual diabetes clinic” to coach patients on managing their disease. And, of course, at home you can get daily diabetes reminders from your Google Assistant.”

And, in some cases, he added, “[Y]our doctor could actually be Dr. Google. The brick-and-mortar Cityblock clinic, whose first site opened in Brooklyn, N.Y., earlier this year, is an Alphabet spinoff. It promises a ‘personalized health system’ experience for low-income patients.”

And with Google hiring the former chief executives of both the Geisinger Health system and the Cleveland Clinic, more and more interesting developments are certain to be at hand.

Michael Millenson

And all of this, Millenson noted, is prompting some in the industry to ask what the implications are of these developments for the social contracts that have long anchored physician-patient/clinician-patient, and patient care organization-patient relationships and interactions. In that context, he spoke with Healthcare Innovation Editor-in-Chief Mark Hagland, following the publication of his STAT commentary, to discuss the implications of some of those current trends, for the future of patient care delivery. Below are excerpts from that interview.

There are so many developments taking place right now involving what might be called “interspecies” business combinations—payers and providers, payers and retail pharmacy companies, employers and providers, and on and on. Do you see some potential dangers in the uncharted territory that’s emerging in healthcare, because of such combinations?

What I was trying to sound as a cautionary note, not an alarm, but a cautionary note, was that, when barriers are breached in terms of definitions, there are new challenges to long-established ways that we do things. We all like to talk about disruption, but there are downsides. And those downsides need to be confronted squarely. And what I was trying to propose in my commentary was a practical ethical framework for dealing with downsides—not a mission statement, or whatever, but practical thoughts. If you have a commitment to accountability and shared responsibility, it brings up issues. Just because you believe you’re committed to patient engagement or lowering healthcare costs, or whatever noble goals you espouse, particularly if you’re working for a not-for-profit entity, or even a for-profit, personal and corporate interests can conflict with noble goals.

And even as all these kinds of partnerships can be wonderful, we also realize we need new ways of dealing with potential negative side effects. No hospitals that merge ever say, thank God we can get rid of the price pressure from insurance companies! And it’s not that individuals making statements about mergers are deliberately telling untruths, but they sometimes make statements that may not be in the best interests of patients.

Healthcare informatics arose from people who were in the HC field, who wanted to apply the benefits of informatics knowledge to improving care, lowering costs, and other problems. That’s a different set of assumptions from when you take people whose expertise is in manipulating data and information, and put them into healthcare. There are cultural issues there. People from within HC tend to say, there are certain problems, and let’s look for solutions.

But people outside healthcare sometimes have the tendency to say, we have this wonderful tool; look at all the ways we can solve your problems.

Looking at the entry into the healthcare delivery process of disruptors like Google, simply because of the near-universality now of web search as a consumer activity in healthcare—will consumers simply start self-diagnosing off the web now?

It’s one thing to look at Google as a search engine. It’s another to look at the issue of Google as an element in care delivery. The issue of “Dr. Google” is a significant one. I wrote an article recently called, “Beyond Dr. Google.” What happens if you’re using the Babylon Symptom Checker with AI? What happens if you’re looking at a mole? Because they’ll have a legal disclaimer. But we’re looking at an entire paradigm shift around how we interact with doctors. Years ago, I said the Information Age is to medicine as the Protestant Reformation was to the Catholic Church. It changed the people’s relationships to the priests; the Church didn’t go out of business, but it had to change. Once the laity could read the Bible, the role of the priests had to change. And I think that the role of physicians as holders of knowledge, has to change. They still have specialized knowledge; but the conversation has to change, and the tone has to change.

What I’m concerned about is when an organization like Google, Amazon, or Apple, starts partnering with physicians, what happens? When Google, Amazon or Apple, starts being a partner to help you with your diabetes, are they helping you have a better conversation? Or are they starting to use gathered information to try to cause behavior change, to manipulate you? And there’s a fine line between doing this for your own good, or because I want you to change?

And then there’s the accountable care issue—when you have attributed patients, and it’s in your financial interest now to collect and use social-determinants-of-health data and other forms of data, as well as apps and tools, to try to motivate your patients towards participating in the enhancement of their health status.

Exactly—now, there’s also a profit motive. I wrote an article about the secret use of the social determinants of health, for care management—and for profit, on the part of vendors that are putting data into algorithms and selling those solutions. LexisNexis found a correlation between someone in the household having completed some kind of professional certification, anything from a plumber’s license to a PhD—with medication compliance and adherence. The point is, you get companies that use information about my life, as raw data for analytics, that are meant to influence my behavior. We need a different kind of safeguard doesn’t go awry. And I’m not saying that what they’re doing might not be wonderful and disruptive in a good way, but nothing turns out as promised, whether Brexit or Google.

The social contract in healthcare, particularly between providers and patients, especially that between physicians and patients—what might that look like, or need to look like, in the coming years?

I see collaborative health as the new social contract. I’m not sure that that patriarchal, hierarchical relationship has changed as much as we might be thinking. I remember writing things 30 years ago that everything would change, and the hierarchies would be totally gone. They haven’t disappeared, though. Your grandmother was probably just grateful to see a doctor. And there are still a lot of people in the country who are still grateful just to see a doctor.

So part of that issue involves socioeconomic class, of course?

Yes, absolutely. That said, I also absolutely agree that a new social contract is going to center around collaborative health. And an explicit one is needed. There’s a lot of talk about that, around Google, Facebook, Alexa. But the medical element is different. When organizations that have tremendous data analytics capabilities, are applying those to the problems of individual patients, that gives us both the potential for unprecedented breakthroughs in patient care, and for the unprecedented ability to manipulate people. The fact that I know everything about your Google searches, your purchasing and eating patterns, and I’m tracing your driving patterns—that can help me improve your health, but also control your life, and manipulate people. And even if the decisions are to your benefit, a social contract demands shared engagement and shared accountability, because that’s the social contract that medicine needs, to retain its soul—even if that doesn’t help increase the value of the IPO or the price-earnings ratio, or the amount of money you get back from meeting your obligations under an ACO contract.

How do you see physicians and other clinicians adapting to this new world?

I think the social contract is even more important, because the power of the individual doctor is often decreasing now. If more and more doctors will be employed, and operating under stricter rules of accountability, that’s good for patients, but the balance between accountability and autonomy is a balance we’ve got to find. And we should welcome Amazon, Apple, and Google—they have an incredible potential to disrupt HC for the better; but the individual doctor, just like the individual patient, is going to be powerless to set a new social contract on their own. That’s why we need a social contract that encompasses clinicians, patients, patient care organizations, payers, pharmaceuticals, and everyone. It may be to my benefit that my doctor is using an app to track population health issues, but with the blurring of lines between different types of organizations, things get complex. Information is power, and the information we’re gathering is extraordinarily powerful, and good things can go awry. So frankly, I see this new social contract as a protection for physicians, and as something that will ensure that the “therapeutic alliance” that doctors like to talk about, will remain strong, even as other boundaries dissolve. And whether my doctor is employed by an insurance company, a hospital, or is a solo practitioner, it should make no difference to certain kinds of relationships.

What You Need To Know About Cybersecurity In 2018 – Forbes Now

You might think of cybersecurity as a specialized, niche career—not a skill that the average person should learn about.

But that’s not the case. In an age where we manage more and more of our lives digitally, it means that anyonein any careershould know simple things about keeping security up to par. At work, this will help companies maintain robust protocols. At home, it will help you protect your own information.

Why anyone and everyone should learn about cybersecuritypexels.com

Technology Affects All Aspects Of Modern Life

To help explain why security knowledge is so important, let’s first establish the baseline of how daily life operates for most of us. “There aren’t many careers left that aren’t based on technology,” says Matt McCormack, Chief Security Officer at Virtustream.

“Teachers in classrooms are using SMART boards. Someone who comes to your home to do contract work will whip out a smartphone or tablet and add information to an app on the spot. The mistakes that cause the most damage at companies are security-related—something as small as clicking attachments in emails without knowing if they are safe.”

Of course, security concerns don’t stay at work. “Nowadays, you’re not just worried about the security of your company, but also your own security and what you put out on your social networks,” McCormack continues. “When I worked for the government, we constantly advised people on what they could and couldn’t do—even outside of work—when it came to social media.”

How Basic Security Knowledge Can Help Any Career

Aside from simply not clicking suspicious email attachments, there are things nearly all employees can do to enhance company security and make themselves more valuable workers.

“Within any role in the organization, learning about security can help an individual understand the risks and make informed decisions for their key stakeholders,” says Pavi Ramamurthy, senior manager of information security at LinkedIn.

Like what, you ask? Here are a few of Ramamurthy’s examples:

  • In sales, reassure customers of an organization’s security posture.
  • In corporate communications, you should assess in the context of business reputation and brand trust.
  • The legal team should ensure that the right security clauses are built into supplier and customer contracts.
  • Regarding HR and/or security, know what’s needed for better security awareness and training.
  • Product managers should advise on good security features.
  • In engineering development, make sure you develop secure code.
  • Security professionals should perform reviews and quality assurance tests for functional and security verification.
  • Corporate management should ensure that a good security incident response plan is in place to address any vulnerabilities.

As you can see, it certainly doesn’t require being a security professional to contribute to security-related projects and awareness. In fact, the more equipped a workforce is with this knowledge, the less money and time will be lost to security breaches.

Cyber Attackers Rely On Human Error

Hackers rely only partly on their security-penetration skills. The other thing they need? Regular people making mistakes. “An analysis of threats faced by organizations in the first quarter of 2017 reveals that cyber attackers still rely heavily on user interaction,” says Bo Yuan, Ph.D., professor and chair of the department of computing security at Rochester Institute of Technology.

One high-profile example: the CEO of Equifax attributed the company’s 2017 breach—which comprised the data of over 147 million consumers and could cost over $600 million—to, you guessed it, human error.

“For those who do not work in IT but use computing devices for work, it is necessary to have cybersecurity training so that they understand how minor mistakes or simple oversights might lead to a disastrous scenario regarding the security or bottom line of their organization,” Yuan continues. “With attacks becoming more advanced and sophisticated, training is mission-critical to minimize human error from the cyberattack equation.”

It’s a wise step to take on a personal level as well, since even if your mistake was completely unintentional, you won’t avoid consequences. “No one wants to get fired, especially when you didn’t do anything malicious to harm your company,” says Andrew Jones, senior sales engineer at Shape Security. “But this is exactly what can happen if you fall victim to an email phishing campaign or other social engineering attack and become the vector by which your company exposes sensitive information. Educate yourself to be suspicious and cautious when it comes to operational security.”

Security Know-How Can Advance You In Your Existing Job

Gaining new skills is a tried-and-true way of getting ahead at your job, and security is one that looks particularly good. “Educating yourself about security (cyber, physical, or otherwise) will positively impact the average person’s career,” says Jones.

The first step to getting promotions or pay raises is showing that you can be trusted with additional responsibilities. “Even if your job is not directly related to a security role, consider the ways that your work could be abused by a malicious third party,” Jones continues.

For example, consider sending an email to your customers that contains a link. “You could use a shortened URL service, like Google’s https://goo.gl, to make the document read better, but that could also provide a template for a bad actor to phish your customers with an identical email using a similar goo.gl link that points to a malicious website,” explains Jones. “The average consumer would have no way of telling the difference. How could you compensate for that risk? Are you even thinking about the potential vulnerability?”

Your company may be willing to cover educational expenses on your behalf, but even if they don’t, there are plenty of ways to pursue security knowledge independently. It doesn’t even have to mean formal training, either. “Educating yourself about security doesn’t just mean getting a certification or diploma,” says Jones. “It’s adjusting your way of thinking about the world so that you can put yourself in the bad guy’s shoes and really consider how they could exploit a weakness.”

Gaining Knowledge Now Can Lead To A Lucrative Career Later

If you begin dabbling in security and discover that you enjoy it or have a knack for related skills, why not pursue it full-time? Doing so is more lucrative than ever. According to Cybersecurity Ventures, it’s predicted that by 2021 there will be 3.5 million unfilled cybersecurity positions. That kind of demand should be attractive to anyone seeking career advancement.

Sarah Squire, senior technical architect at Ping Identity, started her own security career after transitioning from another job. “I began my career in web development, but I was recruited onto a niche information security team,” she said. “After one year of exhaustive training, I was hooked. From there, I got the qualifications to open my own consulting business, contribute to NIST guidelines, speak at high-profile security conferences, author white papers, and contribute to standard protocols that everyone on the internet uses on a daily basis. My security education super-charged my entire career trajectory.”

Plus, it’s work that will help you solve real problems. “The consequences of the cybersecurity skills gap spread far outside of the security space—leaving workplaces across all countries and industry verticals vulnerable to attack,” says Dr. Yuan. “The average data breach is projected to reach a $150 million price tag, plus the corresponding customer and employee trust/loyalty-related outcomes of a breach.”

Ready to start looking into cybersecurity skills or potentially pursue it as a career? Here’s where to start.

The top 10 technology challenges that startups face and how to navigate them – YourStory.com

From business models and management teams to customer experience and technology platforms, startups face a number of challenges that may trip them up in their long journey. Here are 10 key challenges founders need to identify and correct, to ensure that their entrepreneurial venture has a chance of success.

  1. Skillsets

Founders with a business or design background may not understand the language of technology, let alone the latest trends in tools and platforms. Conversely, techie founders may not grasp the design and financial issues which go into building full-scale customer offerings.

Capacity building via online courses, peer discussions and mentors can help here. For example, the business model canvas by Strategyzer is a good tool for techies to understand management and strategy issues. Courses on commercialisation of technology at the MITs and IITs of the world can help managers understand technology evolution issues and manage innovation. Design thinking workshops and tools by companies like IDEO and Stanford’s. School can increase the design quotient of techies and managers.

  1. The Product Mindset

Customers do not care really care what technology is used – all they want is a product or service which can meet their needs and aspirations. This requires a product mindset from the ground up, which will eventually lead to branding of the offering in a way that is attractive to the customer. Technology should be seen as an enabler, and not an end by itself.

Techies, managers and designers need to master product management and teamwork processes. Product management is now emerging as a discipline at the intersection of business, technology, and user experience. Product-first companies such as HP, Microsoft and Google have helped bring a shared vocabulary to the field; courses are offered on sites like UpGrad.

Product managers must be experienced in at least one of the three key areas (business, tech, UX), passionate about all three domains, and be able to converse with practitioners of all three. Product management also involves familiarity with strategic planning, marketing, and team development.

  1. Project management

The software industry has often been plagued with over-runs in costs, time and effort. Project management of software and services continues to attract some of the best brains in the field to build a body of knowledge (BoK) for project management efficiency. Managing tech projects is a tough skill, and many young startups may flounder in their early steps.

Project managers can overcome some of these challenges with frameworks such as lean, agile, scrum, design sprints, directed discovery, and kanban. A range of easy-to-use and often free tools are available for startups, such as Asana (daily activities), Podio (complex projects), Kanban Tool (workflow visualisation) and Smartsheet (for spreadsheets).

  1. Team roles and dynamics

Even in the field of technology, there are multiple roles and skillsets, ranging from architects and testers to developers and administrators. From the junior engineer all the way up to CTO, each role calls for different skills, experiences and mindsets, which can change over time.

At the individual and team level, this calls for continuous capacity building and changes in team configuration. Startups need to identify talent tracks in roles like lead software engineer, fullstack developers, JavaScript developers, data scientists and even content managers.

  1. Cultural fit

The startup world is unlike the relatively smoother and structured corporate environment. Rapid changes in market and customer needs as well as pivoting by the founder will lead to frequent changes in the product direction. Techies in startups will, therefore, need to be more flexible than in larger firms, and deal with a culture of continuous adaptation.

While hiring techies, qualities to look for, in addition to skillsets, include capability to think of the big picture, willingness to enjoy challenges, ability to unblock obstacles, capacity to wear multiple hats, time management, and humility to create ‘psychological safety’ for newer team members as the company grows. There should be clear alignment on metrics for success and ethics in product development.

  1. Continuous learning

Every other year there seems to be a new programming language, operating system upgrade, stack architecture, development framework or SMAC update. For engineers, learning tech skills does not end when they get a college degree – that is just the beginning.

Techies need to devote a significant amount of time to learning from online courses, books, conferences and peers. A number of MOOC offerings such as Coursera and Udacity allow subscription models where learners can sign up for courses as well as updates on refresher modules on tech topics. Developer conferences and hackathons offer hands-on opportunities to brush up on skills and emerging platforms, and network with tech peers.

  1. Proprietary versus Open source

There are convincing arguments from both sides on when proprietary code or open source code should be used, depending on the context (this extends to APIs and standards as well). Comparison features include quality, robustness, customer support, expense, upgrades, market penetration, and emerging trends.

For example, some developers work within the Microsoft or Oracle suite of products. Those wishing to use open source tools can use LibreOffice (functional modules for word processing, spreadsheets), Mozilla Thunderbird (email management), TurboCASH (accounting) and WordPress (web publishing).

  1. Choice of channel

For digital offerings, the customer contact can be via channels such as desktop, mobile, kiosk, or IoT, and variations of these. At times, startups have been swept up by hype about which of these channels is best. For instance, many high-profile e-commerce startups mistakenly abandoned the desktop and chose to go “mobile only” for customer interface, before retracting their moves and developing for all platforms.

E-commerce retailer Myntra discontinued its mobile website to adopt an app-only model in 2015, but brought it back a year later. Early online check-in for airlines was only via the desktop web – but later expanded to mobile apps and airport kiosks. Techies and designers need to compare and contrast the benefits of each such channel as they roll out interactive customer touchpoints.

  1. Ignoring security and privacy

Many high-profile instances of hacking and loss of confidential information due to lost or stolen devices have revealed that security is either ignored or tacked on as an afterthought in tech development. Tech security and risk management should be a key priority for startups right from Day One.

Companies like Symantec, McAfee and QuickHeal offer solutions for startups to secure their devices, data and online workspaces; similar approaches should be used by startups to secure their own offerings to customers.

There are also tough laws in each country about privacy of consumer data. Techies and their business heads should be clear about what kinds of customer data is being captured, what kinds of consent agreements are implied, how this data will be used, and who this data is being shared with. Techies should clearly trace and log all this data for the scrutiny of internal and external auditors.

  1. Hardware: prototyping and supply chains

Hardware is driven by rapid prototyping and global supply chains of components, and tech firms in the hardware space will quickly realise that design and development requires mastery of techniques like 3D printing, virtualised products, and even frequent trips overseas to build close connects with suppliers in countries like China.

The first Maker Faire was launched in 2006, and there are now many such community events held around the world. These events have a mix of hobbyists and product professionals. Inexpensive boards (such as Arduino, Raspberry Pi, and BeagleBone) make electronics prototyping accessible to everyone; a number of enabling startups (eg. MakerBot, Adafruit, SparkFun) have also sprung into the game to help other founders develop products.

Hardware products fall into four categories: connected devices (eg. Nest, SmartThings, Belkin’s WeMo, Lowe’s Iris Smart Home Management System); wearables (Quantified Self: eg. Nike+ and Fuelband, UnderArmour’s Armour39), robots (eg. Fetch Robotics, Rethink Robotics, Agrobot, UAV or unmanned aerial vehicles such as DroneDeploy, and ROV or remotely operated vehicles); and designed products (eg. Quirky).

Founders should be able to segment the market in terms of needs and behaviours, and differentiate their proposed offerings. For example, Jawbone began with noise-cancelling headsets for soldiers, and then diversified into other kinds of wearables. Lumo Body-Tech, co-founded by Monisha Perkash, conducted extensive customer research with 30 different iterations for its body posture sensors; it finally arrived at the monitor band design instead of adhesives or garment tack-ons.

Founders will need to master terms such as design for manufacture (DFM), design for assembly (DFA), design for test (DFT), design for cost (DFC), engineering verification test (EVT) and engineering change order (ECO).

A number of hardware accelerators offer formal design reviews and mentorship in design, manufacturing, logistics, reliability, standards, and testing. Prominent players in this space include Lemnos, Y Combinator, 500 Startups, TechStars, PCH, AlphaLab Gear, Flextronics Lab IX, Logistica Asia, HaxAsia and HAXLR8R (‘hack-celerator’ programme in China).

In sum, becoming aware of the above mentioned types of challenges and taking corrective steps is key for startups to harness the transformative power of technology. Forewarned is fore-armed, and it helps startups to learn not just from their own mistakes but from others’ mistakes as well in order to keep their tech foundations intact.

Liked this article? Read more such educative and inspiring stories here.

7 Great Education Policy Ideas for Progressives in 2018 – Center – Center For American Progress

Download the PDF here.

Education in the United States must be improved to support greater economic mobility. Those without postsecondary training have experienced stagnant wages, were hit the hardest by the Great Recession, and have barely benefitted from the subsequent economic recovery. All signs point to these trends continuing, so it is imperative that today’s students are prepared for jobs that will position them to support their families and participate fully in America’s economic growth.

Educational opportunity for all has always been a defining progressive value, but in recent years, as the economic benefits of education have skyrocketed, living up to this ideal has taken on greater urgency.1

As America’s economy has become more knowledge-based over the past several decades, there has been a hollowing out of the middle class.2 In 2015, for the first time ever, less than half of American households were middle class.3 Real wages have been stagnant since the 1960s, particularly for those in the middle- and lower-income brackets.4

The modern economy has left behind the nearly two-thirds of workers without a college degree.5 Over the past 50 years, job creation has mainly been in industries such as health care; business and financial services; education; and government services, where a large proportion of jobs require some postsecondary training or college degrees.6 Meanwhile, the share of jobs in industries that historically have not required any postsecondary training has shrunk dramatically. These industries include construction, manufacturing, and natural resources—such as oil, gas, and forestry—and even they are increasingly seeking to hire skilled workers with higher educational attainment.

Job creation during the post-2008 recovery widened the gap between workers who are college-educated and those who are not. Of the 11.6 million jobs created during the recovery, nearly all—11.5 million—went to those with at least some college education and 73 percent went to workers with at least a bachelor’s degree.7

While 36 percent of non-Hispanic white adults have a bachelor’s degree, 23 percent of black adults and 16 percent of Hispanic adults—of any race—have obtained the same.8 Because black and Hispanic adults were less likely to have a college degree, the recession hit their families the hardest and the recovery has benefitted them the least. Black adults still face a 7 percent unemployment rate, while the rate for white adults has declined to 3.4 percent.9 As a result, racial wealth inequality is at its highest point in nearly 30 years.10

Though America still has far to go, pathways leading to high-wage jobs and careers that will enable workers to provide for themselves and their families are still important goals for our education system. Just as important, schools must support parents rather than acting as a barrier to work.

The U.S. economy is increasingly perceived as a zero-sum game in which only those who are already well-off reap the most benefits. And as the American ideal of a country in which economic mobility and opportunity are accessible to all seems to be moving further and further away, disillusionment with the political system grows. Embracing a progressive agenda for educational equity—detailed below in seven innovative policy ideas—is key to reclaiming the promise and once again putting the American ideal within reach.

Seven progressive education policies to revitalize the American dream

1. Provide a tutor for every child performing below grade level

The U.S. education system must dramatically scale up effective tutoring models through national service programs, fellowships, volunteers, and high-quality virtual tutoring. States should provide a high-quality tutoring experience to every student performing below grade level. In addition to using existing state and local funds, school districts could use federal funds—ESSA Title I, Title II, and Title IV; Education Innovation and Research; AmeriCorps; and more—to finance these programs.

The research supporting the effectiveness of tutoring is extensive and stretches back more than a dozen years. Spurred in part by meta-analyses published at the time demonstrating tutoring’s positive effect on student achievement, tutoring was incorporated into the No Child Left Behind Act of 2001 in a program known as Supplemental Educational Services (SES).11

While good in theory, SES had many implementation problems,12 including low participation rates and lack of quality control.13 In some districts, there were scandals involving providers overcharging districts, hiring tutors with criminal records, or violating federal regulations.14 In all districts, SES siphoned off Title I funds, leaving less for other important Title I programs.15 The tutoring program was eventually phased out as the Department of Education began implementing “ESEA Flexibility,”16 also known as waivers, and it was scrapped all together under the Every Student Succeeds Act (ESSA).17

Yet despite the problems with SES, the research base for tutoring has continued to grow. One of the many examples of great programs is the SAGA Innovations program, which trains and places full-time tutoring fellows in high-needs schools in Chicago and Lawrence, Massachusetts. Chicago students who received high-dose math tutoring gained more than two and a half years of math learning in one year. In Lawrence, the schools that implemented the SAGA tutoring program went from the lowest-performing in the state to the top 7 percent of all schools in Massachusetts.18

A 2011 paper that investigated the effects of tutoring provided by teachers found that students who received tutoring in either reading or math performed significantly better on the state standardized test than a control group of students with similar prior scores who did not receive tutoring.19 Even when programs are less structured and instruction is not provided by trained teachers, tutoring can have a notable effect on student performance. In one study, students tutored by minimally trained community volunteers increased their grades and were more likely to pass their classes.20 And many studies have demonstrated the positive academic effects of peer tutoring, where students are tutored by classmates or older students.21

The research results on the effectiveness of tutoring make intuitive sense. High-quality tutoring can meet each student at his or her individual level,22 a level of differentiation that is impossible for even the most dedicated of teachers to provide.23 Essentially, every student with an educated, engaged parent has access to one-on-one tutoring at home, which is perhaps one of the reasons why homework compounds the advantages enjoyed by middle-class children.24 For students who, for a variety of reasons, may not have access to that kind of academic assistance at home, receiving more tailored instruction from their schools can help to level the playing field and close achievement gaps.25

In addition to the academic benefits of tutoring, there are social-emotional ones as well. Research has shown that developing a close relationship with a role model is an important determinant of engagement in school, and a tutor that a student sees regularly can provide such a relationship.26

To reap the benefits of tutoring but avoid the problems of SES, tutoring initiatives should grow from the ground up rather than as a result of a blanket mandate. Piloting and then a paced scaling of programs such as SAGA could ensure that tutoring programs work with local school communities instead of burdening already limited resources. In order to contain the costs of tutoring, tutors could be found and compensated by recruiting community volunteers, undergraduates interested in teaching careers, recent college graduates, or through the expansion of AmeriCorps. Teachers who want to participate could also be reimbursed for their additional time.

Another way to contain costs would be through appropriate use of computer-based tutoring. There is evidence that computer-based tutoring can yield results similar to one-on-one tutoring in certain subjects, such as science, technology, engineering, and math (STEM) fields,27 or when certain principles of the cognitive science of learning—such as self-explanation—are embedded in the program or software.28 While these programs cannot replace the need for human interaction and relationships, they may be effective for some students and allow for greater targeting of resources toward students who most need traditional one-on-one tutoring.

Since it is known that receiving low grades in elementary school is a predictive factor for dropping out during middle school and that receiving more than one failing grade in a core academic course during ninth grade is a predictive factor for dropping out during high school, tutoring can make a difference.29 Providing access to tutoring to improve students’ grades before they are at risk for dropping out could help them to complete further schooling, which, in turn, increases their likelihood of finding employment and earning a family-sustaining salary in adulthood.

2. Offer free breakfast and lunch for all students, regardless of income

Though the school lunch program currently intends to provide meals for low-income students who need it most, stigma and shame prevent many students—particularly at the high school level—from accessing these meals, which is especially troubling since childhood hunger is still a pressing concern across the nation. Providing a healthy, nutritious breakfast and lunch to all students regardless of income would solve problems of access and also make the lives of all working families easier.

Forty-one million Americans, including 13 million children, do not reliably have enough food to eat.30 Meeting all children’s nutritional needs could keep students healthier, which would keep them at school and support their learning while there.

It is not always obvious who is experiencing hunger, and the face of hunger in America is changing. While it remains most acute in urban core neighborhoods with intergenerational poverty,31 hunger is increasing in suburban locales and is most prevalent in rural Southern locales.32 Since wages have been stagnant or eroding in many industries, two-thirds of families experiencing food insecurity have at least one working adult, and many might initially appear to be maintaining a middle-class lifestyle.33

Children who are hungry are less healthy; they experience more colds and stomach aches and have a greater likelihood of chronic health problems. They also experience mental health consequences such as chronic stress and anxiety because persistent hunger sends the body’s stress management system into overdrive.34 Unsurprisingly, these children’s learning and academic achievement also suffer.35 The reverse is also true: When children have access to healthy lunches, they perform better in school.36 Even families that have the means to feed their households may not have access to nutritious, healthy foods, and access to these foods is associated with lower risk of obesity and greater fruit and vegetable consumption.37

Of households that experience food insecurity, less than two-thirds participate in one of the main federal anti-hunger programs: Supplemental Nutrition Assistance Program (SNAP); the National School Lunch Program; or the Special Supplemental Nutrition Program for Women, Infants, and Children (WIC).38 In part, this is because many food insecure households are not eligible for nutrition assistance or because certain barriers exist, such as the stigma associated with participating in programs designed to benefit low-income families.

Moreover, this stigma can be exacerbated by school policies. For example, there have been instances of schools refusing to give the regular hot meals to students in the free and reduced-price lunch program or forcing them to get in a separate line.39 Worse is the abhorrent practice of “lunch shaming,” where schools publicly call out students for their parents’ unpaid lunch bills, for example, by marking their hands to embarrass them or even by throwing away their lunches.40 The stigma of free lunch can feel especially strong for high school students—one reason they currently utilize the program at low rates.41 This is worrisome since in very low-income families, despite the fact that adolescents have the greatest calorie needs of any age group,42 teens sometimes forgo food at home in order to ensure that younger siblings have enough to eat.43

Expanding the federal school breakfast and lunch program in order to provide free meals to all students—including in the summer months—would reduce childhood hunger and improve children’s health and academic outcomes. For states and localities where universal access is unrealistic, an expansion of the community eligibility program, which allows schools and districts in low-income areas to serve free breakfast and lunch to all students without collecting applications, would be an interim step to consider.44 Making free meals universal would ensure that all students experiencing food insecurity have access to healthy, nutritious meals; end the stigma surrounding school lunch; and eliminate administrative barriers to accessing the program. All families—even those who could otherwise afford lunch—would benefit from this change. For instance, having healthy lunch options at school would alleviate the worry of packing lunch or parsing out lunch money on busy mornings. Absent federal action, states could embrace this policy by supplementing federal funds with state dollars in order to implement a universal school meal program.

3. Ensure opportunities to combine college preparatory academics with technical training and workplace experience

To be prepared for the jobs of the complex, dynamic, and rapidly globalizing future, all students should have access to opportunities to learn firsthand how their academic work applies to potential career paths and vice versa. Programs that allow for this exposure and provide students with a tangible outcome—such as college credit or professional certification—should be available in every district.

Not every student has the same academic needs, interests, and goals, but many schools still offer courses and provide instruction that treat students as if they are the same. Far too many schools are not preparing students for the world which they will enter after their K-12 education, instead relying on sit-and-get direct instruction and leaving students feeling disengaged from the real-world contextual challenges that they will eventually face. With each passing day, technology advances in previously inconceivable ways; climate change alters coastal lines; distant wars and international trade shape relationships with foreign governments. All of this has enormous effect on America’s increasingly global economy. Yet many high schools are not preparing students for any of these realities or for professional experiences that could help them get jobs upon graduation.45

Preparing students to confront and contribute to a rapidly changing world beyond their K-12 schooling means providing coursework that addresses these challenges; allows students the space to uncover and express their interests; and then provides them with the necessary resources to tailor their educational experiences to those interests. Many schools are redesigning the high school experience by implementing various models, such as career and technical education (CTE); personalized learning, apprenticeships; early college and dual enrollment; and language immersion programs—all of which can work for students’ individual needs.

CTE and dual enrollment programs, specifically, provide students with options for coursework that will best meet their postsecondary and career goals. Under the Carl D. Perkins Career and Technical Education Act of 2006, states are provided with funding to develop the technical skills of secondary and postsecondary students who elect to enroll in CTE programs.46 Currently, 12.5 million high school and college students are enrolled in CTE programs.47 These programs help keep students in school; the graduation rate of CTE students is about 90 percent, 15 percentage points higher than the national average.48 However, research on their effectiveness is still in the preliminary stages.49 The best and most effective CTE programs are linked to and supported by local business or industry; provide real-world experiences or work opportunities; give students tangible outcomes such as an industry credential or college credit; and create pathways for pursuing college or career after graduation.50

Programs such as Linked Learning, which according to its website, “integrates rigorous academics that meet college-ready standards with sequenced, high-quality career-technical education, work-based learning, and supports to help students stay on track,” have seen positive outcomes for students.51 A seven-year longitudinal study comparing students who participated in Linked Learning to those who did not showed that the program completers were less likely to drop out and more likely to graduate from high school. Linked Learning students also reported better jobs that were more likely to offer paid vacation, sick time, and health insurance. Black students who completed the program were also more likely than their traditional high school peers to enroll in a four-year college.52

Another example of a program that successfully combines academic and real-world experiences comes from DuVal High School in Maryland. There, students are enrolled in an aerospace engineering and aviation technology course in partnership with NASA and the College Park Aviation Museum, giving them exposure to exciting career options.53 Another innovative program is the Washington Leadership Academy in Washington, D.C., which uses a combination of individualized online courses, project-based learning, and in-person classes, which are rooted in various forms of technology, such as virtual reality and coding, to inspire students to make new advances in the tech world.54

In order to increase the number of schools willing to experiment with such programs, states should incentivize school districts by creating or expanding grant programs that offer flexibility for students to learn outside of traditional school hours and beyond school buildings. States should also provide additional funding for apprenticeships and use grant programs to incentivize districts to form partnerships with local employers to offer summer internships or a semester of credit. Blending traditional instruction with advanced postsecondary courses and real-world career preparation prepares high school students for their next steps and helps them gain practical skills in growing fields.

States should also seek to study and authorize charter schools that promote innovative high school designs with quality control systems in place or establish what is termed “innovation status” for traditional public schools. Innovation status, which provides a package of waivers to public schools to implement new school designs, has been enacted through legislation in states such as Colorado and Massachusetts.55 In addition, states should reform their systems of graduation requirements in order to reflect students’ comprehension of material instead of how many hours they attend a course. Such reform could also require local school boards to adopt graduation requirements that better reflect college and career-ready standards and provide credit for nontraditional courses.

Lastly but critically, the federal government should increase its support for states in this work and leverage improvements to the quality of CTE programs through Perkins Act reauthorization. Federal policymakers should also allow for the integrated use of funding streams and incentivize states to target federal funding toward communities that are unable to provide these options through other means.

4. Transition to a 9-to-5 school day to better fit parents’ needs

The current school schedule is antiquated and makes balancing a job and child care extremely difficult for working parents. The federal government or states should pilot a school day that aligns with today’s work schedules.

Currently, the average school day is less than seven hours and the median school day ends at 2:50 p.m.56 The average workday, however, does not align, requiring parents to make tough choices about their income, parental involvement, and child care. Nearly half of all U.S. workers report not having any form of flexibility in their work schedules, and almost 40 percent of all workers do not even have paid vacation time.57 Public school schedules are not based on student achievement but on an antiquated system that relies on two-parent, one-income households.

Between school vacations, professional development days, summer recess, and after-school time, most working parents who have school-age children face many gaps in child care and may even be forced to leave their children in unsafe care. According to a Center for American Progress report examining the largest school districts in the country, schools are closed for an average of 29 days each school year—not including summer recess—which is 13 days longer than the average private sector worker has in paid leave.58 Not only do days off increase the cost of child care, but the short length of the school day also decreases economic productivity when parents have to take time off from work or when parents with elementary school-age children opt out of full-time employment in order to accommodate their children’s schedules.59

The length of the school day is also an equity concern. Only around 45 percent of all public elementary schools offer before- and after-school care, and low-income schools are actually less likely to offer after-school programs.60 In fact, only 24 percent of children living in communities of concentrated poverty participate in an after-school program, although 56 percent of children not in an after-school program would be enrolled in one if it were available to them.61 Extended days and after-school programs also provide opportunities for students to encounter enrichment activities, arts education, and real-world learning that might not be embedded in the regular school day and that not all parents can afford to provide for their children privately. Access to after-school programs improves academic performance, decreases dropout rates, reduces drug use, and improves classroom behavior.62

Academic gains, economic productivity, and equity concerns should incentivize the federal and state governments to better align work and school schedules. However, teachers, already strapped for time and pressured by myriad responsibilities, cannot be expected to work several extra hours each day for nothing in return. Changing school schedules will require new and creative uses of time, personnel, and money. States could incentivize a longer school day by compensating teachers who want to work longer hours and by increasing requirements on public schools’ instructional hours. At the federal level, the Department of Education could promote the use of ESSA funding for expanded school schedules, encouraging high-poverty schools to use funds from Title I, Part A to pay for longer school days as part of a larger effort to boost student achievement. Congress could also increase funding for programs—such as Promise Neighborhoods, 21st Century Community Learning Centers, and AmeriCorps—that provide students with longer school days and access to after-school programs. Furthermore, the federal government could implement a pilot program under the university-assisted community model in order to partner graduate schools in social work with neighboring public school districts to develop a 9-to-5 schedule.

5. Support, train, and pay teachers like professionals

Teachers should begin their careers with an annual base salary of at least $50,000 and receive supported training similar to that of a medical resident before becoming responsible for leading a classroom of their own. More experienced teachers with a demonstrated track record of excellence should have the opportunity to earn at least $100,000 annually.

In the United States, new teachers only make an average of about $36,000, and the average salary for all teachers is just over $58,000—which, in today’s dollars, is lower than the average salary during the 1989-1990 school year.63 Teachers make 60 percent of what similarly educated professionals earn, much lower than the proportion in other Organisation for Economic Cooperation and Development (OECD) countries.64 Partly as a result of low teacher pay, young people are avoiding the teaching profession, excellent teachers are staying away from high-need schools, the teaching profession is not as diverse as it needs to be, and far too many great educators leave the profession altogether.65

Lower teacher pay is not the only factor contributing to disinterest in or attrition from the teaching profession. New teachers too often feel unprepared to teach and manage a classroom of their own when they graduate from their preparation program and enter their first experience as a full-time teacher. Teacher residency models—not dissimilar to those in the medical profession—provide emerging teachers with an opportunity to experience for a set period of time what leading a classroom of their own would be like.66 Many residency programs require teacher candidates to spend a portion of their time delivering lessons to students, but they do so under the guidance of a mentor teacher who provides feedback on both the delivery of the lesson and the degree to which the resident successfully manages the classroom.67 An induction period similarly allows new teachers to ease into the profession with help from a more experienced mentor teacher. When new teachers receive this type of support, their students gain months of additional learning.68

Teachers who are not adequately prepared to teach and who are not paid professionally may decide to leave the profession. Others—especially high-achieving young people—may never even consider teaching because of the profession’s relatively flat salary trajectory and because the professional work environment does not match that of other career paths.69 Teachers have less flexibility in their schedules compared with other professions, sometimes even struggling to find time to use the restroom.70 They also struggle to find time to collaborate with peers and often have to pay for their own supplies.71 To ensure that high-quality teacher candidates enter the profession and that excellent teachers stay in the profession, all educators should be trained and compensated like the professionals they are. Steps, therefore, should be taken to improve the professional work environment for teachers where possible.

Federal and state policymakers should make legislative changes that put an end to the huge gap in earnings between the teaching workforce and other college-educated professionals. To start, all teachers should begin their careers with a base salary of $50,000. More experienced teachers with a demonstrated track record of excellence should earn no less than $100,000 annually. One option for moving toward a professional scale for teachers would be a $10,000 federal tax credit for teachers in high-poverty schools, which would close the gap between teacher salaries and those of other college graduates. States could implement a similar policy, with the tax credit adjusted to close the gap between teachers and other college-educated professionals in their state, particularly for teachers in high-need schools or subjects.

Teachers—like all new employees—improve their practice after being in the profession for a few years. Policymakers should do more to accelerate the learning curve by expanding teacher residency programs, clinical preparation, and induction programs to improve new teachers’ skills and by extension, their students’ learning. A new federal program could be funded through the Department of Education and administered by AmeriCorps, which already provides grants to residency programs run by nonprofit organizations, such as the Memphis Teacher Residency and Urban Teachers. States could expand funding for these programs in partnership with institutions of higher education, school districts, and nonprofit organizations; and they could use Title II, Part A funds to do so. States such as Louisiana have already begun this important work of leveraging federal dollars to create and expand residency and induction experiences for all of their teachers;72 others should follow their lead.

6. Create a safe and healthy environment in every school

Hire additional specialized instructional support personnel (SISP)—school counselors, school social workers, and school psychologists—to ensure that all students have access to academic, career, mental health and social-emotional support. By reducing staff-to-student ratios and carrying out targeted and schoolwide mental health interventions, students’ well-being and academic achievement can be improved simultaneously.

One in 4 children experiences a mental health disorder annually,73 and half of those who will have a mental health disorder at some point in their life will first be diagnosed at age 14 or younger.74 Furthermore, about half of all children will experience a traumatic event—such as the death of a parent, violence, or extreme poverty—before they reach adulthood.75 And as the opioid epidemic continues to grow, students are coming to school affected by a parent’s addiction as well as the havoc and instability that it can wreak on family life.76 In addition, as students experience other issues—such as puberty; family matters, like divorce; and bullying—having supportive trained adults to talk to in school is critical for improving their well-being and attention to learning.

Mental health issues such as attention difficulties, delinquency, and substance use are associated with lower academic achievement and attainment.77 Likewise, experiencing trauma is associated with lower standardized test scores and an increased risk of being diagnosed with a learning disability or behavioral disorder.78 When children experience trauma, it not only affects their own learning but also that of their classmates. For example, when a student is experiencing domestic violence in the home, the reading and math scores of their classroom peers also decline.79 Researchers have found students in class with a peer who is experiencing domestic violence also had more behavioral infractions; they theorized that there were spillover effects that changed the context and culture of the entire classroom.

Despite the widespread need for mental health services and the link between mental health and student achievement, far too many children do not have access to this support. In a 12-month period, only 20 percent of children and adolescents 6 to 17 years old who were defined as needing mental health services received such services, most commonly in school.80 This is despite the fact that early intervention is key to building resiliency, improving school performance, and reducing the risk of harm later in life.81

Even though school is the most common place for young people to receive mental health services, shortages of school-based mental health personnel are one of the main reasons so many children do not have access to such services. Major providers of mental health services in schools, such as school psychologists, are operating at ratios far higher than recommended, often with one person serving multiple schools.82 With so few of these personnel serving so many students, it is impossible for students’ needs to be met.

Specialized instructional support personnel can also be instrumental in the selection and implementation of high-quality schoolwide social-emotional learning programs. Social-emotional learning programs improve the social skills and academic achievement of students and can improve school climate by reducing violence, bullying, and other conduct problems.83 These skills are particularly important in early childhood education, as students as young as kindergarten who have strong prosocial skills are more likely to obtain a high school degree, college diploma, and full-time job when they reach adulthood.84

School counselors also act as academic or guidance counselors, handling curriculum planning; interpreting and maintaining student records; and providing college counseling.85 Many students who would be the first in their family to attend college desperately need help planning for and navigating this process, as they might have fewer adults in their lives who can provide information about college admissions and financial aid.86 Every student who needs it should have access to this type of adviser and advocate who can help guide his or her college and career choices.

To better serve students, mental health counseling and academic guidance roles should be separated, and all students should have access to both types of supports. In addition, every student with pressing mental health needs should have access in school to counseling from a trained professional, and every school should have the personnel necessary to implement schoolwide behavioral support and social-emotional learning programs.

7. Eliminate crumbling school buildings

It is necessary to create a national school infrastructure program that will update school buildings while simultaneously creating jobs in local communities.

Approximately 14 million students across the country attend schools that are in need of extensive repairs or complete building replacement, and nearly two-thirds of American schools have at least one building feature that needs to be replaced or needs extensive repairs.87

Just recently, the condition of schools in Baltimore made national news because the leaky windows and outdated heating systems forced students to huddle in coats and mittens in their classrooms in order to stay warm.88 But this news is not new. In 2016, Detroit school buildings infested with rats caused similar national uproar;89 and ensuring that hurricane-damaged schools in Puerto Rico are safe to reopen to students will be a long and difficult process.90

While school building conditions are a national problem, the disrepair of America’s public schools disproportionately affects students in low-income communities that cannot raise funds for maintenance, repair, or modernization. According to federal estimates, addressing deferred maintenance and repairs alone would cost about $200 billion.91

As the stories coming out of places such as Baltimore, Detroit, and Puerto Rico make plain, a safe and comfortable school building is an important precondition for students to learn to their full potential. Children’s health and learning are affected when schools have poor air quality, cannot maintain a comfortable temperature, are excessively noisy, or are poorly lit.92 School infrastructure projects are a wise investment because well-maintained school buildings can last up to 50 years and facilitate achievement of student outcomes.

A national school infrastructure program to update unsafe or unhealthy school buildings and create a national database on the condition of school facilities would also provide thousands of jobs across the country. Under such a program the majority of the funding should be targeted to schools with highest need, with the remainder set aside for low-cost bonds. This school infrastructure program would bring the neediest school buildings to a state of good repair and allow other schools to modernize and even retire debt for recent capital investments. And for every billion dollars spent, this program would create thousands of jobs—including both direct and indirect hires—for the life of the program. School buildings act as convening spaces for the community, and schools receiving these infrastructure funds could use them to meet various needs of the local school community in accordance with state and local laws.

Possible funding for new policy initiatives

With recent tax policy changes creating large national deficits and states facing persistent budget shortfalls, finding ways to pay for new policies is always difficult.93 Below is a list of some creative ways to fund the ideas listed in the previous sections. This is by no means an exclusive list, as there are many resources available with suggestions for how to raise revenue,94 including how to do so in line with progressive values and without increasing taxes.95

Passing a legislative solution for Dreamers. Permanent protections for Dreamers, those without legal status who came to the country at a young age, will have a profound impact on their lives while having an equally important impact on the national and local economies. Before the Deferred Action for Childhood Arrivals (DACA) program was rescinded in September 2017, a national survey of the recipients of the program—a subset of the Dreamer population—showed that they were able to pursue greater educational opportunities and earn higher wages.96 Another report found that DACA recipients and DACA-eligible immigrants contribute approximately $2 billion in state and local taxes annually.97

The Center for American Progress has estimated that passing the Dream Act, which would make thousands of young workers already in the United States eligible for legal status, could add $281 billion and as much as $1 trillion to the country’s gross domestic product over 10 years.98

Legislation to protect Dreamers—including the 20,000 educators with DACA—that includes pathways to legal status or citizenship would not only increase the GDP, creating more revenue with which to improve public schools, but it would also mean that students and families across the country currently living in fear of deportation could focus on both their education and creating a better future for themselves and their communities.99

Reducing the prison population and corrections spending. A 2016 report released by the Department of Education revealed that in all but two states, spending on prisons is growing much faster than spending on public education, having quadrupled between 1979 and 2013.100 The United States imprisons people at higher rates than any other country in the world and has a prison population of more than 2 million—the largest in the world.101

The more than $80 billion in U.S. tax dollars spent annually on the corrections system would be better invested in public schools.102 In order to redirect funding from prisons to schools, state policymakers must find ways to reduce their prison populations. A good place to start would be the 1 in 5 incarcerated people that are locked up for a nonviolent drug offense.103 The Brennan Center for Justice estimates that about 4 in 10 people in state and federal prison today present little or no public safety risk and could be released or have their sentences reduced for a total savings of $20 billion each year.104

In 2009, the Justice Policy Institute noted that some states have begun to decrease the size of the prison population—thereby reducing spending—by providing community-based substance-abuse treatment programs, increasing rehabilitation efforts, improving parole mechanisms and services, and decriminalizing nonviolent offenses.105 States that intentionally decreased their prison populations saw crime decrease even faster than national averages.106 Other states should consider such reforms.

Investing in school systems rather than prison systems would benefit the U.S. student population in more ways than one. Presently, incarceration disproportionately impacts people of color, and students of color disproportionately attend schools with fewer resources and less experienced teachers. Redirecting funding currently spent on corrections to the public education system would not only improve the educational experiences of students of color but could also positively impact their families, communities, and potentially life outcomes—ending, or at least disrupting, the vicious “school-to-prison pipeline.”107

Leveraging taxes from marijuana sales. In recent years, several states have decriminalized the use of medical marijuana, and a handful of states have legalized the use and sale of recreational marijuana. Since Colorado passed its law legalizing recreational marijuana in 2014, the state has brought in $506 million in tax revenue, about half of which has gone to K-12 education.108 Other states that have followed suit, such as Oregon and Washington, have also been able to capitalize on the additional tax revenue.109

Selling advertising on government documents or locations. In recent years, as options for reading and viewing content have diversified, advertisers have had increasing difficulty reaching mass audiences of customers. State-run entities, however, still hold the potential for reaching mass audiences since they may interact with all residents. Many localities are already raising revenue by selling advertising on local buses and in subway stations.110 States can expand on the same idea by allowing advertising in state highway rest stops or in state-run offices where there is a lot of wait time, such as the Department of Motor Vehicles or in state capitol cafeterias. States could also include advertisements or coupons in mailings and other communications to their residents.111


Economic dislocation is a powerful threat to the well-being and security of American workers and the American economy. Millions of Americans feel anxious about the changing economy. Working-class jobs that once promised a lifetime of decent wages and benefits are disappearing, displaced by automation and jobs that favor a different set of skills.

Education is at the root of the country’s broader economic challenges, and improvements to the education system offer the solution. Employers need talented workers who have the skills, disposition, and knowledge to operate effectively in the new economy. A progressive education agenda can ensure that all Americans are afforded the education needed to meet these challenges.

Lisette Partelow is the director of K-12 Strategic Initiatives at the Center for American Progress. Catherine Brown is the vice president of Education Policy at the Center. Sarah Shapiro is a research assistant for K-12 Education at the Center. Stephenie Johnson is an associate campaign director of K-12 Education at the Center.


  1. Guillaume Vandenbroucke, “Lifetime Benefits of an Education Have Never Been So High” (St Louis, MO: Federal Reserve Bank of St. Louis, 2015), available at https://www.stlouisfed.org/~/media/Publications/Regional-Economist/2015/July/education.pdf.
  2. Pew Research Center, “The American Middle Class Is Losing Ground” (2015), available at https://www.stlouisfed.org/publications/regional-economist/july-2015/lifetime-benefits-of-an-education-have-never-been-so-high.
  3. Ibid.
  4. Drew Desilver, “For most workers, real wages have barely budged for decades,” Pew Research Center Fact Tank, October 9, 2014, available at http://www.pewresearch.org/fact-tank/2014/10/09/for-most-workers-real-wages-have-barely-budged-for-decades/.
  5. Robert E. Scott and David Cooper, “Almost two-thirds of people in the labor force do not have a college degree,” Economic Policy Institute, March 30, 2016, available at http://www.epi.org/publication/almost-two-thirds-of-people-in-the-labor-force-do-not-have-a-college-degree/.
  6. Anthony P. Carnevale, Tamara Jayasundera, and Artem Gulish, “America’s Divided Recovery: College Haves and Have-Nots” (Washington: Georgetown University Center on Education and the Workforce, 2016), available at https://cew-7632.kxcdn.com/wp-content/uploads/Americas-Divided-Recovery-web.pdf.
  7. Ibid.
  8. Camille L. Ryan and Kurt Bauman, “Educational Attainment in the United States: 2015” (Washington: U.S. Census Bureau, 2016), available at https://www.census.gov/content/dam/Census/library/publications/2016/demo/p20-578.pdf.
  9. Bureau of Labor Statistics, “Labor Force Statistics from the Current Population Survey,” available at https://www.bls.gov/web/empsit/cpsee_e16.htm (last accessed February 2018).
  10. Rakesh Kochhar and Richard Fry, “Wealth inequality has widened along racial, ethnic lines since end of Great Recession,” Pew Research Center Fact Tank, December 12, 2014, available at http://www.pewresearch.org/fact-tank/2014/12/12/racial-wealth-gaps-great-recession/.
  11. Batya Elbaum and others, “How effective are one-to-one tutoring programs in reading for elementary students at risk for reading failure? A meta-analysis of the intervention research,” Journal of Educational Psychology 92 (4) (2000): 605–619; Peter A. Cohen, James A. Kulik, and Chen-Lin C. Kulik, “Educational Outcomes of Tutoring: A Meta-analysis of Findings,” American Educational Research Journal 19 (2) (1982): 237–248; Patricia A. Lauer and others, “The Effectiveness of Out-of-School-Time Strategies in Assisting Low-Achieving Students in Reading and Mathematics: A Research Synthesis” (Denver: Mid-continent Research for Education and Learning, 2003), available at http://www.schoolturnaroundsupport.org/sites/default/files/resources/ostfullsum.pdf.
  12. Government Accountability Office, “No Child Left Behind Act: Education Actions Needed to Improve Implementation and Evaluation of Supplemental Educational Services,” GAO-06-1121T, Report to the Committee on Education and the Workforce, House of Representatives, September 2006, available at https://www.gao.gov/new.items/d061121t.pdf.
  13. Patricia Burch, “Supplemental Education Services under NCLB: Emerging Evidence and Policy Issues” (East Lansing, MI: Great Lakes Center for Education Research and Practice, 2007), available at http://sesiq2.wceruw.org/documents/Burch_NCLB.pdf; Patricia Burch, Matthew Steinberg, and Joseph Donovan, “Supplemental Educational Services and NCLB: Policy Assumptions, Market Practices, Emerging Issues,” Educational Evaluation and Policy Analysis 29 (2) (2007): 115–133, available at http://scholar.gse.upenn.edu/steinberg/files/steinberg_supplementaledservicesandnclb.pdf.
  14. Michael LaForgia, “Public schools lose millions to crooks and cheaters,” Tampa Bay Times, February 9, 2013, available at http://www.tampabay.com/news/education/public-schools-lose-millions-to-crooks-and-cheaters/1274614.
  15. Burch, “Supplemental Education Services under NCLB.”
  16. Alyson Klein, “No Child Left Behind: An Overview,” Education Week, April 10, 2015, available at https://www.edweek.org/ew/section/multimedia/no-child-left-behind-overview-definition-summary.html.
  17. Every Student Succeeds Act, Public Law 114-95, 114th Cong., 1st sess. (December 10, 2015), available at https://legcounsel.house.gov/Comps/Elementary%20And%20Secondary%20Education%20Act%20Of%201965.pdf.
  18. SAGA Innovations High Impact Tutoring, “Impact,” available at https://sagainnovations.businesscatalyst.com/#impact (last accessed February 2018).
  19. Terri Rothman and Mary Henderson, “Do School-Based Tutoring Programs Significantly Improve Student Performance on Standardized Tests?”, Research in Middle Level Education 34 (6) (2011), available at https://www.amle.org/portals/0/pdf/rmle/rmle_vol34_no6.pdf.
  20. Anna Allen and Nancy Feyl Chavkin, “New Evidence that Tutoring with Community Volunteers Can Help Middle School Students Improve their Academic Achievement,” The School Community Journal 14 (2) (2004): 7–18, available at https://files.eric.ed.gov/fulltext/EJ794820.pdf.
  21. Lisa Bowman-Perrott and others, “Academic Benefits of Peer Tutoring: A Meta-Analytic Review of Single-Case Research,” School Psychology Review 42 (1) (2013): 39–55.
  22. Roseanna Ander, Jonathan Guryan, and Jens Ludwig, “Improving Academic Outcomes for Disadvantaged Students: Scaling Up Individualized Tutorials,” (Washington: The Hamilton Project, 2016), available at http://www.hamiltonproject.org/assets/files/improving_academic_outcomes_for_disadvantaged_students_pp.pdf.
  23. ASCD, “Finding Manageable Ways to Meet Individual Needs,” available at http://www.ascd.org/publications/curriculum-update/winter2000/Differentiating-Instruction.aspx (last accessed February 2018).
  24. Alissa Quart, “Homework Inequality: The Value of Having a Parent Around After School,” The Atlantic, June 6, 2016, available at https://www.theatlantic.com/business/archive/2016/06/homework-inequality-parents-schedules-grades/485174/.
  25. Ander, Guryan, and Ludwig, “Improving Academic Outcomes for Disadvantaged Students.”
  26. David Murphey and others, “Caring Adults: Important for Positive Child Well-Being,” (Bethesda, MD: Child Trends, 2013), available at https://www.childtrends.org/wp-content/uploads/2013/12/2013-54CaringAdults.pdf.
  27. Kurt VanLehn, “The Relative Effectiveness of Human Tutoring, Intelligent Tutoring Systems, and Other Tutoring Systems,” Educational Psychologist 46 (4) (2011): 197–221, available at http://www.public.asu.edu/~kvanlehn/Stringent/PDF/EffectivenessOfTutoring_Vanlehn.pdf.
  28. Vincent A. W. M. M. Aleven and Kenneth R. Koedinger, “An effective metacognitive strategy: learning by doing and explaining with a computer-based Cognitive Tutor,” Cognitive Science 26 (2) (2002): 147–179.
  29. Center for Public Education, “Keeping Kids in School: Preventing Dropouts,” available at http://www.centerforpubliceducation.org/Main-Menu/Staffingstudents/Keeping-kids-in-school-At-a-glance/Keeping-kids-in-school-Preventing-dropouts.html (last accessed February 2018).
  30. Feeding America, “Hunger and Poverty Facts,” available at http://www.feedingamerica.org/hunger-in-america/hunger-and-poverty-facts.html?referrer=https://www.google.com/ (last accessed February 2018).
  31. Tracie McMillan, “The New Face of Hunger,” National Geographic, 2014, available at https://www.nationalgeographic.com/foodfeatures/hunger/.
  32. Ibid.; Jessica Leigh Hester, “Rural America Is Hungry,” CityLab, May 8, 2017, available at https://www.citylab.com/equity/2017/05/hunger-in-rural-america-map-meal-gap-report/525549/.
  33. McMillan, “The New Face of Hunger.”
  34. American Psychological Association, “What are the Psychological Effects of Hunger on Children?”, available at http://www.apa.org/advocacy/socioeconomic-status/hunger.pdf (last accessed February 2018).
  35. Ibid.
  36. Michael L. Anderson, Justin Gallagher, and Elizabeth Ramirez Ritchie, “How the quality of school lunch affects students’ academic performance,” Brookings Institution, May 3, 2017, available at https://www.brookings.edu/blog/brown-center-chalkboard/2017/05/03/how-the-quality-of-school-lunch-affects-students-academic-performance/.
  37. Judith Bell and others, “Access to Healthy Food and Why It Matters: A Review of the Research” (Oakland, CA: PolicyLink, 2013), available at http://thefoodtrust.org/uploads/media_items/access-to-healthy-food.original.pdf.
  38. Feeding America, “Hunger and Poverty Facts.”
  39. StoryCorps, “Dakota Gibson, Gary Barber, and Kenny Thompson,” available at https://storycorps.org/listen/kenny-thompson-gary-barber-and-dakota-gibson/ (last accessed February 2018); Carl Pogash, “Free Lunch Isn’t Cool, So Some Students Go Hungry,” The New York Times, March 1, 2008, available at http://www.nytimes.com/2008/03/01/education/01lunch.html.
  40. Bettina Elias Siegel, “Shaming Children So Parents Will Pay the School Lunch Bill,” The New York Times, April 30, 2017, available at https://www.nytimes.com/2017/04/30/well/family/lunch-shaming-children-parents-school-bills.html.
  41. Pogash, “Free Lunch Isn’t Cool, So Some Students Go Hungry.”
  42. Health.gov, “Dietary Guidelines 2015-2020: Appendix 2. Estimated Calorie Needs per Day, by Age, Sex, and Physical Activity Level,” available at https://health.gov/dietaryguidelines/2015/guidelines/appendix-2/ (last accessed February 2018).
  43. Robert A. Moffitt and David C. Ribar, “Child Age and Gender Differences in Food Security in a Low-Income Inner-City Population.” Working Paper 22988 (Cambridge, MA: National Bureau of Economic Research, 2016), available at http://www.nber.org/papers/w22988.
  44. U.S. Department of Agriculture, “School Meals: Community Eligibility Provision,” available at https://www.fns.usda.gov/school-meals/community-eligibility-provision (last accessed March 2018).
  45. Marni Bromberg and Christina Theokas, “Meandering Toward Graduation: Transcript Outcomes of High School Graduates” (Washington: The Education Trust, 2016), available at https://edtrust.org/resource/meandering-toward-graduation/.
  46. Perkins Collaborative Resource Network, “Perkins Act,” available at http://cte.ed.gov/legislation/about-perkins-iv (last accessed February 2018).
  47. Advance CTE, “Career Technical Education,” available at https://careertech.org/cte (last accessed February 2018).
  48. Ibid.
  49. Marisa Castellano and others, “Do Career and Technical Education Programs of Study Improve Student Achievement? Preliminary Analyses From a Rigorous Longitudinal Study,” International Journal of Educational Reform 21 (2) (2012): 98–118, available at http://www.nrccte.org/sites/default/files/external-reports-files/12-008_ijer_v21_no2_fnls.pdf.
  50. College and Career Readiness and Success Center, “How Career and Technical Education Can Help Students Be College and Career Ready: A Primer” (2013), available at https://ccrscenter.org/sites/default/files/CCRS%20Primer%20Brief.pdf.
  51. Linked Learning Alliance, “About Linked Learning,” available at http://www.linkedlearning.org/en/about/ (last accessed February 2018).
  52. Alliance for Excellent Education, “The Workplace Connection: Organizational Partnerships and Alliances” (2017), available at https://all4ed.org/wp-content/uploads/2017/09/OrgPartnerships.pdf.
  53. Ovetta Wiggins, “High school aerospace engineering program taking flight,” The Washington Post, November 30, 2014, available at https://www.washingtonpost.com/local/education/high-school-aerospace-engineering-program-taking-flight/2014/11/30/520eee20-74bd-11e4-bd1b-03009bd3e984_story.html?utm_term=.4503fb440b96.
  54. Washington Leadership Academy, “About,” available at http://www.washingtonleadershipacademy.org/about/overview/ (last accessed February 2018).
  55. Massachusetts Department of Elementary and Secondary Education, “School Redesign,” available at http://www.doe.mass.edu/redesign/innovation/ (last accessed February 2018); Nic Garcia, “After years of stagnation, Colorado’s innovation schools see breakthrough in improvement, data show,” Chalkbeat, August 2, 2017, available at https://ny.chalkbeat.org/posts/co/2017/08/02/after-years-of-stagnation-colorados-innovation-schools-see-breakthrough-in-improvement-data-show/.
  56. National Center for Education Statistics, “Average number of hours in the school day and average number of days in the school year for public schools, by state: 2007–08,” available at https://nces.ed.gov/surveys/sass/tables/sass0708_035_s1s.asp (last accessed February 2018); Catherine Brown, Ulrich Boser, and Perpetual Baffour, “Workin’ 9 to 5: How School Schedules Make Life Harder for Working Parents” (Washington: Center for American Progress, 2016), available at https://www.americanprogress.org/issues/education-k-12/reports/2016/10/11/145084/workin-9-to-5-2/.
  57. Ibid.
  58. Ibid.
  59. Ibid.
  60. Ibid.
  61. Afterschool Alliance, “Executive Summary: Afterschool in Communities of Concentrated Poverty” (2016), available at http://www.afterschoolalliance.org/AA3PM/Concentrated_Poverty_Executive_Summary.pdf.
  62. Youth.gov, “Benefits for Youth, Families, & Communities,” available at https://youth.gov/youth-topics/afterschool-programs/benefits-youth-families-and-communities (last accessed February 2018).
  63. National Education Association, “2012-2013 Average Starting Teacher Salaries by State,” available at http://www.nea.org/home/2012-2013-average-starting-teacher-salary.html (last accessed February 2018);

    National Center for Education Statistics, “Estimated average annual salary of teachers in public elementary and secondary schools, by state: Selected years, 1969-70 through 2015-16,” available at https://nces.ed.gov/programs/digest/d16/tables/dt16_211.60.asp?current=yes (last accessed February 2018).
  64. Organization for Economic Cooperation and Development (OECD), “Education at a Glance 2017: OECD Indicators” (2017), available at http://www.oecd-ilibrary.org/docserver/download/9617041e.pdf?expires=1519148041&id=id&accname=guest&checksum=42796EF455E675E79827B115C2A9ADA9.

  65. Lisette Partelow and others, “America Needs More Teachers of Color and a More Selective Teaching Profession” (Washington: Center for American Progress, 2017), available at https://www.americanprogress.org/issues/education-k-12/reports/2017/09/14/437667/america-needs-teachers-color-selective-teaching-profession/; The New Teacher Project (TNTP), “The Irreplaceables: Understanding the Real Retention Crisis in America’s Urban Schools” (2012), available at https://tntp.org/assets/documents/TNTP_Irreplaceables_2012.pdf.
  66. Ronald Thorpe, “Residency: Can it transform teaching the way it did medicine?”, Kappan 96 (1) (2014): 36–40, available at http://www.nbpts.org/wp-content/uploads/ron_thorpe_pdk.pdf.
  67. Lisette Partelow and Annette Konoske-Graf, “Starting Strong: How to Improve Teachers’ Entry into the Profession” (Washington: Center for American Progress, 2017), available at https://www.americanprogress.org/issues/education-k-12/reports/2017/01/25/295885/starting-strong/.
  68. Ali Picucci, “Early Results Are in: NTC Model Leads to Student Learning,” New Teacher Center, May 13, 2016, available at https://newteachercenter.org/blog/2016/05/13/early-results-ntc-model-leads-student-learning/.
  69. Third Way, “National Online Survey of College Students” (2014), available at http://s3.amazonaws.com/content.thirdway.org/publishing/attachments/files/000/000/214/Third_Way_Educ_Attitudes_Topline_No_Summary_Tables.pdf?1412784379; Tamara Hiler and Lanae Erickson Hatalksy, “Teaching: The Next Generation” (Washington: Third Way, 2014), available at http://www.thirdway.org/report/teaching-the-next-generation.
  70. Terence M. McMenamin, “A time to work: recent trends in shift work and flexible schedules,” Monthly Labor Review 130 (12) (2007): 3–15, available at https://www.bls.gov/opub/mlr/2007/12/art1full.pdf; Alia Wong, “Using the Restroom: A Privilege—If You’re a Teacher,” The Atlantic, July 27, 2015, available at https://www.theatlantic.com/education/archive/2015/07/teachers-not-enough-bathroom-time/399629/.
  71. Linda Darling-Hammond, Ruth Chung Wei, and Alethea Andree, “How High-Achieving Countries Develop Great Teachers,” (Stanford, CA: Stanford Center for Opportunity Policy in Education, 2010), available at https://edpolicy.stanford.edu/sites/default/files/publications/how-high-achieving-countries-develop-great-teachers.pdf; Ann Ness, “Teachers Spend Hundreds of Dollars a Year on School Supplies. That’s a Problem,” Education Week, August 2, 2017, available at https://www.edweek.org/tm/articles/2017/08/02/teachers-spend-hundreds-of-dollars-a-year.html.
  72. Louisiana Department of Education, “Believe and Prepare,” available at https://www.louisianabelieves.com/teaching/believe-and-prepare (last accessed February 2018).
  73. Bradley D. Stein and others, “Interventions to Improve Student Mental Health: A Literature Review to Guide Evaluation of California’s Mental Health Prevention and Early Intervention Initiative” (Santa Monica, CA: RAND Corporation, 2012), available at https://www.rand.org/content/dam/rand/pubs/technical_reports/2012/RAND_TR1319.pdf.
  74. Ronald C. Kessler and others, “Lifetime Prevalence and Age-of-Onset Distributions of DSM-IV Disorders in the National Comorbidity Survey Replication,” Arch Gen Psychiatry 62 (6) (2005): 593–602, available at https://jamanetwork.com/journals/jamapsychiatry/fullarticle/208678?resultclick=1.
  75. Olga Khazan, “Half of All Kids Are Traumatized,” The Atlantic, December 11, 2014, available at https://www.theatlantic.com/health/archive/2014/12/half-of-all-kids-experience-traumatic-events/383630/.
  76. Sarah Catherine Williams and Kerry Devooght, “5 things to know about the opioid epidemic and its effect on children,” Child Trends, June 2, 2017, available at https://www.childtrends.org/child-trends-5/5-things-know-opioid-epidemic-effect-children/.
  77. Jane D. McLeod, Ryotaro Uemura, and Shawna Rohrman, “Adolescent Mental Health, Behavior Problems, and Academic Achievement,” Journal of Health and Social Behavior 53 (4) (2012): 482–497, available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3752654/.
  78. Rachael D. Goodman, M. David Miller, and Cirecie West-Olatunji, “Traumatic Stress, Socioeconomic Status, and Academic Achievement Among Primary School Students,” Psychological Trauma Theory: Research, Practice, and Policy 4 (3) (2012): 252–259, available at https://www.researchgate.net/publication/232560514_Traumatic_Stress_Socioeconomic_Status_and_Academic_Achievement_Among_Primary_School_Students.
  79. Scott E. Carrell and Mark L. Hoekstra, “Externalities in the Classroom: How Children Exposed to Domestic Violence Affect Everyone’s Kids,” American Economic Journal: Applied Economics 2 (1) (2010): 211–228, available at http://faculty.econ.ucdavis.edu/faculty/scarrell/domesticviolence.pdf.
  80. S.H. Kataoka, L. Zhang, and K.B. Wells, “Unmet need for mental health care among U.S. children: variation by ethnicity and insurance status,” American Journal of Psychiatry 159 (9) (2002): 1548–1555, available at https://www.ncbi.nlm.nih.gov/pubmed/12202276; Substance Abuse and Mental Health Services Administration (SAMHSA), Results from the 2014 National Survey on Drug Use and Health: Mental Health Detailed Tables (U.S. Department of Health and Human Services), Table 2.1A – Sources of Mental Health Services in the Past Year among Persons Aged 12 to 17, by Age Group: Numbers in Thousands, 2013 and 2014, available at https://www.samhsa.gov/data/sites/default/files/NSDUH-MHDetTabs2014/NSDUH-MHDetTabs2014.htm#tab2-1a.
  81. Elizabeth V. Freeman and Kimberly T. Kendziora, “Mental Health Needs of Children and Youth: The Benefits

    of Having Schools Assess Available Programs and Services” (Washington: American Institutes for Research, 2017), available at https://www.air.org/sites/default/files/downloads/report/Mental-Health-Needs-Assessment-Brief-September-2017.pdf.
  82. Kirsten Weir, “School psychologists feel the squeeze,” Monitor on Psychology 43 (8) (2012): 34, available at http://www.apa.org/monitor/2012/09/squeeze.aspx.
  83. Vanessa Vega, “Social and Emotional Learning Research Review: Evidence-Based Programs,” Edutopia, December 1, 2015, available at https://www.edutopia.org/sel-research-evidence-based-programs; Rosemarie O’Conner and others, “A review of the literature on social and emotional learning for students ages 3–8: Outcomes for different student populations and settings (part 4 of 4)” (Washington: Institute for Education Sciences, 2017), available at https://ies.ed.gov/ncee/edlabs/regions/midatlantic/pdf/REL_2017248.pdf.
  84. Damon E. Jones, Mark Greenberg, and Max Crowley, “Early Social-Emotional Functioning and Public Health: The Relationship Between Kindergarten Social Competence and Future Wellness,” American Journal of Public Health 105 (11) (2015): 2283–2290, available at http://ajph.aphapublications.org/doi/abs/10.2105/AJPH.2015.302630; Jennifer Ng’andu, “Lifelong Success Starts With Social-Emotional Learning,” Edutopia, December 22, 2015, available at https://www.edutopia.org/blog/lifelong-success-starts-with-sel-ngandu-price-baron.
  85. American School Counselor Association, “Appropriate/Inappropriate School Counseling Program Activities,” available at https://www.schoolcounselor.org/asca/media/asca/home/appropriate-activities-of-school-counselors.pdf (last accessed February 2018).
  86. Jennifer Engle, Adolfo Bermeo, and Colleen O’Brien, “Straight from the Source: What Works for First-Generation College Students” (Washington: The Pell Institute for the Study of Opportunity in Higher Education, 2006), available at https://www.tgslc.org/pdf/files-sfts_what_works.pdf.
  87. Government Accountability Office, “School Facilities: Condition of America’s Schools,” GAO/HEHS-95-61, Report to Congressional Requesters, February 1995, available at https://www.gao.gov/assets/230/220864.pdf.
  88. John Bacon, “Outrage in Baltimore after kids huddle in freezing classrooms” USA Today, January 4, 2018, available at https://www.usatoday.com/story/news/nation/2018/01/04/outrage-baltimore-after-kids-huddle-freezing-classrooms/1004530001/.
  89. Emma Brown, “Rats, roaches, mold – poor conditions lead to teacher sickout, closure of most Detroit schools,” The Washington Post, January 20, 2016, available at https://www.washingtonpost.com/news/education/wp/2016/01/20/rats-roaches-mold-poor-conditions-leads-to-teacher-sickout-closure-of-most-detroit-schools/?utm_term=.7bda2adbd783.
  90. Merrit Kennedy, “The Monumental Task of Reopening Puerto Rico’s Schools,” NPR, October 12, 2017, available at https://www.npr.org/sections/ed/2017/10/12/556953509/puerto-rico-s-secretary-of-education-says-its-schools-are-connecting-communities.
  91. Debbie Alexander and Laurie Lewis, “Condition of America’s Public School Facilities: 2012-13” (Washington: National Center for Education Statistics, 2014), available at https://nces.ed.gov/pubs2014/2014022.pdf.
  92. Mark Schneider, “Do School Facilities Affect Academic Outcomes?” (Washington: National Clearinghouse for Educational Facilities, 2002), available at http://www.ncef.org/pubs/outcomes.pdf.
  93. Jordain Carney, “CBO: Senate tax bill increases deficit by $1.4 trillion,” The Hill, December 2, 2017, available at http://thehill.com/blogs/floor-action/senate/362905-cbo-senate-tax-bill-increases-deficit-by-14-trillion;

    Elizabeth McNichol and Samantha Waxman, “States Faced Revenue Shortfalls in 2017 Despite Growing Economy,” (Washington: Center on Budget and Policy Priorities, 2017), available at https://www.cbpp.org/research/state-budget-and-tax/states-faced-revenue-shortfalls-in-2017-despite-growing-economy.
  94. Steve Ressler, “5 Ways to Double Your Revenue,” Government Technology, March 4, 2011, available at http://www.govtech.com/budget-finance/5-Ways-to-Double-Your-Revenue-030411.html; Jared Bernstein, “We’re Going to Need More Tax Revenue. Here’s How to Raise It,” The American Prospect, June 13, 2016, available at http://prospect.org/article/were-going-need-more-tax-revenue-heres-how-raise-it; Congressional Budget Office “Budget Options,” available at https://www.cbo.gov/topics/budget/budget-options (last accessed February 2018); American Federation of State, County and Municipal Employees (AFSCME), “Digging for Dollars: A Guide to Local Government Revenues” (2012), available at https://m.afscme.org/issues/privatization/resources/document/DIGGING-FOR-DOLLARS-rev-Oct-2012__cw.pdf.
  95. Rebecca Thiess, “Many options exist for raising revenue in a smart and progressive manner” (Washington: Economic Policy Institute, 2013), available at http://www.epi.org/publication/options-exist-raising-revenue-smart-progressive/; Erica Williams, “A Four-Point Fiscal Policy Blueprint for Building Thriving State Economies” (Washington: Center on Budget and Policy Priorities, 2017), available at https://www.cbpp.org/research/state-budget-and-tax/a-fiscal-policy-agenda-for-stronger-state-economies; Shawn Sebastian and Karl Kumodzi, “Progressive Policies for Raising Municipal Revenue” (Washington: Local Progress, 2015), available at https://itep.org/local-progress-progressive-policies-for-raising-municipal-revenue/; William G. Gale, “Raising Revenue in a Progressive Manner without Raising Tax Rates” (Washington: Brookings Institution, 2012), available at https://www.brookings.edu/opinions/raising-revenue-in-a-progressive-manner-without-raising-tax-rates/.
  96. Tom K. Wong and others, “DACA Recipients’ Economic and Educational Gains Continue to Grow” (Washington: Center for American Progress, 2017), available at https://www.americanprogress.org/issues/immigration/news/2017/08/28/437956/daca-recipients-economic-educational-gains-continue-grow/.
  97. Misha E. Hill and Meg Wiehe, “State & Local Tax Contributions of Young Undocumented Immigrants” (Washington: Institute on Taxation and Economic Policy, 2017), available at https://itep.org/state-local-tax-contributions-of-young-undocumented-immigrants/.
  98. Francesc Ortega, Ryan Edwards, and Philip E. Wolgin, “The Economic Benefits of Passing the Dream Act” (Washington: Center for American Progress, 2017), available at https://www.americanprogress.org/issues/immigration/reports/2017/09/18/439134/economic-benefits-passing-dream-act/.
  99. Greg Toppo, “20,000 DACA teachers at risk — and your kids could feel the fallout, too,” USA Today, October 11, 2017, available at https://www.usatoday.com/story/news/2017/10/11/thousands-daca-teachers-risk/752082001/.
  100. U.S. Department of Education, State and Local Expenditures on Corrections and Education (2016), available at https://www2.ed.gov/rschstat/eval/other/expenditures-corrections-education/brief.pdf.
  101. Peter Wagner and Alison Walsh, “States of Incarceration: The Global Context 2016” (Northampton, MA: Prison Policy Initiative, 2016), available at https://www.prisonpolicy.org/global/2016.html.
  102. U.S. Department of Education, State and Local Expenditures on Corrections and Education.
  103. Peter Wagner and Bernadette Rabuy, “Mass Incarceration: The Whole Pie 2017” (Northampton, MA: Prison Policy Initiative, 2017), available at https://www.prisonpolicy.org/reports/pie2017.html.
  104. James Austin and Lauren-Brooke Eisen, “How Many Americans Are Unnecessarily Incarcerated?” (New York: Brennan Center for Justice, 2016), available at https://www.brennancenter.org/sites/default/files/publications/Unnecessarily_Incarcerated.pdf.
  105. Justice Policy Institute, “Pruning Prisons: How Cutting Corrections Can Save Money and Protect Public Safety” (2009), available at http://www.justicepolicy.org/images/upload/09_05_rep_pruningprisons_ac_ps.pdf.
  106. Marc Mauer and Nazgol Ghandnoosh, “Fewer Prisoners, Less Crime: A Tale of Three States” (Washington: The Sentencing Project, 2015), available at http://sentencingproject.org/wp-content/uploads/2015/11/Fewer-Prisoners-Less-Crime-A-Tale-of-Three-States.pdf.
  107. Marilyn Elias, “The School-to-Prison Pipeline,” Teaching Tolerance, Spring 2013, available at https://www.tolerance.org/magazine/spring-2013/the-schooltoprison-pipeline.
  108. Katelyn Newman, “Milestoned. Colorado Pot Tax Revenue Surpasses $500M,” U.S. News & World Report, July 20, 2017, available at https://www.usnews.com/news/best-states/colorado/articles/2017-07-20/colorado-pot-tax-revenue-surpasses-500-million.
  109. Ibid.
  110. Steve Ressler, “3 Ways Cities and States Can Increase Revenue,” GovLoop, December 27, 2010, available at https://www.govloop.com/3-ways-cities-and-states-can-increase-revenue/.
  111. Patrick Ibarra, “This Government Brought to You by…,” Governing, April 10, 2013, available at http://www.governing.com/columns/mgmt-insights/col-government-revenue-assets-naming-rights-advertising-sponsorships.html.

Information security and privacy protection aspects of CCTV systems – Government Europa

Professor Dr. Milan Marković of Paneuropean University Apeiron, Republic Srpska, Bosnia and Herzegovina, discusses the impact of CCTV systems on information security and privacy.

Closed-circuit television (CCTV) is a TV system in which signals are not publicly distributed, but are monitored, primarily for surveillance and security purposes. CCTV systems rely on strategic placement of cameras and observation of the camera’s input on monitors. As the cameras communicate with monitors and/or video recorders across private coaxial cable runs, or wireless communication links, they gain the designation “closed-circuit” to indicate that access to their content is limited to only those with authorisation to see it.1

The effectiveness of video surveillance technology is continuously improving, and it has already established itself as a vital security tool for the police, private companies and many public sector organisations.. An effective CCTV system contributes to the detection and prevention of crime, as well as protecting towns, cities and transport networks from the threat of terrorism.2

Advances in CCTV technologies – especially from analog CCTV cameras to internet protocol (IP) ones – certainly improves the safety and security that CCTV systems provide, but also increases information security and privacy concerns. Having in mind that the new EU privacy protection regulation, General Data Protection Regulation (GDPR), will be applied from 25th May 2018, information security and privacy protection concerns of CCTV systems are being recognised.

Applications of CCTV systems

There are three primary ways to use CCTV systems:

  • As a deterrent;
  • For forensic purposes; and
  • As an interdictive device.3,4

Originally, CCTV surveillance systems were simply a deterrent. The notion that “Big Brother” was watching was often enough to keep people from misbehaving.

On the other hand, as recording and storing technologies and software, such as video analytics, have become more efficient, CCTV systems have evolved into a forensic surveillance tool, enabling the collection of evidence after an event has taken place.

Finally, as CCTV surveillance systems become more easily integrated with monitoring devices, alarm systems and access control devices, a third use of CCTV is related to help security personnel to identify and interrupt security breaches as they’re occurring, or even before they take place.

CCTV systems are commonly used for a variety of purposes, including:1,3

  • Maintaining perimeter security in medium- to highly-secure areas and installations;
  • Observing the behaviour of incarcerated inmates and potentially dangerous patients in medical facilities;
  • Traffic monitoring;
  • Overseeing locations that would be hazardous to humans, for example, highly radioactive or toxic industrial environments;
  • Building and grounds security;
  • Obtaining a visual record of activities in situations where it is necessary to maintain proper security or access controls, for example, in a diamond cutting or sorting operation, banks, casinos, or airports;
  • Home security;
  • Public transportation;
  • Crime prevention;
  • Business surveillance;
  • School protection;
  • Body worn;
  • Sporting events;
  • Monitor employees; and
  • CCTV for Open Data purposes.

We should have surveillance cameras in public places because they ensure public safety. Rarely will anyone attempt to harm anyone else when they know their actions are being recorded on camera. Cameras keep the public and their personal property safe.5

The police can identify criminals through recordings on camera. Through surveillance cameras, the police can both prevent crimes from happening and can quickly solve criminal cases with material evidence.

Surveillance cameras protect against property theft and vandalism. It is very difficult for criminals to get away with stealing if there are cameras in operation. Therefore, the thief will often get caught. Surveillance cameras will catch the thief before, or during, the process of committing the crime.

Cameras, through video analytics, now have a zoom feature, allowing the camera to reveal someone’s identity, which can be beneficial to crime prevention when used in the correct way. As a result, the criminal can be apprehended quickly. For instance, in abduction cases a video would be a great way of tracking down a person quickly, and may even prevent a death.

In industrial plants, CCTV equipment may be used to observe parts of the process from a central control room, for example when the environment is not suitable for humans. CCTV systems may operate continuously, or only as required to monitor a particular event. A more advanced form of CCTV utilises digital video recorders (DVRs), providing recordings for many years potentially, with a variety of quality and performance options and extra features, such as motion detection and email alerts. More recently, decentralised IP cameras, some equipped with megapixel sensors, support recording directly to network-attached storage devices, or internal flash for stand-alone operation.

Advances in CCTV Technologies

CCTV surveillance systems have made tremendous technological progress in the last decade, not only in individual capabilities, but also in the ability to interact with other security technology.

Some of the key advances in the domain of CCTV systems are:2,3,4,5,6,7,8

  • Video content analysis (VCA);
  • Automatic number plate recognition (ANPR);
  • High definition (HD) CCTV;
  • Sophisticated motion detection algorithms;
  • Facial recognition;
  • Wide dynamic range;
  • Internet of Things (IoT);
  • Cloud technology;
  • Big Data;
  • Video management systems (VMS); and
  • Wireless technology.

Video content analysis

A key area where CCTV is rapidly developing is that of VCA. This impressive technology is already contributing to the security of a range of high-level facilities, such as city centres, transport facilities, and utilities. The costs of the technology are falling and the capability increasing to the extent that it is becoming a cost effective option for commercial premises.

VCA is the automatic analysis of CCTV images in camera or centrally, utilising advanced algorithms to create useful information about the content. Generally, these systems need a static background and, consequently, tend to operate with fixed cameras or pan, tilt, zoom (PTZ) cameras at set positions, as they are looking to identify changes or movement at a particular scene. The scope of VCA is considerable and can be used in the detection of intruders, abandoned packages, wrongly parked vehicles or as a means of counting people.

One particular area that VCA can be especially effective is around the perimeter of a site. Securing a perimeter can be seen as one of the most crucial steps in any security plan. An early detection of a threat also means that there is more time and space available to formulate the necessary response, potentially preventing an intrusion alltogether.

Automatic number plate recognition

Using CCTV in conjunction with ANPR software can also be beneficial at large sites, as it allows for the identification of vehicles moving in and out of a site. If an intruder does happen to be successful, this integration can provide the police with valuable information in order to track down the suspect.


HD CCTV is another area that is expanding across a wide range of video surveillance applications. HD CCTV signifies:

  • An unprecedented revolution in the quality of images that can be delivered;
  • The ability to more easily identify suspects and make sense of their actions; and
  • The potential to improve successful conviction rates on the ground.

HD cameras also open up the possibilities to cover a much wider area without having to use multiple different cameras. Operators of these cameras will also be able to pan, tilt and zoom the camera with the use of a joystick, adding flexibility to the monitoring process. When employed in the right contexts, cameras like these can allow for more widespread coverage and observation in larger areas.

Intelligent video algorithms

Intelligent video algorithms, such as sophisticated motion detection algorithms, can identify unusual walking patterns and alert a guard to watch a particular video screen. Object recognition algorithms can identify someone who might simply be loitering, or even a briefcase or other suspicious object that is left somewhere that it shouldn’t be. Again, the system can alert a monitoring guard so that appropriate action can be taken.

The most advanced intelligent video algorithm is facial recognition. However, most experts agree that use of this technology as an efficient tool in the private sector is still several years down the road.

Wide dynamic range

Wide dynamic range is another technology that is becoming a more prevalent feature of CCTV cameras. Wide dynamic range means cameras can provide detail when there’s a tremendous amount of both light and dark areas in the same scene. Meanwhile, traditional cameras can’t do that.

The Internet of Things

IoT services will allow for combined systems which integrate previously disparate devices into a common management console providing a single pane overview across entire buildings and sites. This includes:

  • Video surveillance cameras;
  • Smoke detectors;
  • Access control panels; and
  • Loudspeakers.

In the last few years, IoT has grown rapidly across the world. No longer is the internet confined to computers and mobile devices, it is now available to nearly every device that has an IP address – from microwaves and refrigerators to wearable devices and headphones. IoT systems can be integrated with, and supported by, video to provide information for facility, operational, or business needs. Video analytics, like heat mapping and person counting, can also help businesses gather more business intelligence and strengthen their security.

The result is a huge opportunity for security solutions that are purpose built to share useful data with other connected devices, all of which can be monitored remotely. This connectivity between devices will provide end-users with more complete situational awareness across multiple locations. With the advent of Cloud technology, the notion of connecting any and every device to the internet with an on and off switch became a reality.

Big Data

There still remains a significant challenge to effectively manage and use the endless amounts of video data being generated, so-called Big Data. Big Data is difficult to process through traditional data processing applications. This technology can put structure around vast amounts of unstructured video data, helping better understand significant patterns and trends. In the coming years, look for improvements in, and greater use of, VMS to search Big Data in order to pull up relevant events, people, locations, times, colors and keywords. Such tools will assist business operators to turn Big Data into critical information that supports loss prevention, marketing, operations and customer service.

Wireless technology

Wireless technology has transformed our lives in many ways, from mobile phones, to WiFi connectivity. We have already seen the benefit and convenience of remote security monitoring via smartphones and tablets. Video surveillance systems of up to ten network cameras can be managed entirely via mobile devices, no longer requiring a desktop PC to run video management software. This significantly lowers the technology hurdle, as users are more open to using a smartphone app than having to overlook a more comprehensive and detailed video management software on a desktop PC, whilst also reducing overall system and maintenance costs.

Information security and CCTV

Today, security safeguards generally fall into one of three categories:9

  • Physical security;
  • Information security; and
  • Operational security.

Physical security involves measures undertaken to protect personnel, equipment and property against anticipated threats. It includes both passive and active measures. Passive measures include the effective use of architecture, landscaping and lighting, to achieve improved security by deterring, disrupting, or mitigating potential threats. Active measures include the use of proven systems and technologies designed to deter, detect, report and react against threats. CCTV systems are part of such active measures.

Information security is the process of protecting the confidentiality, integrity and availability of data from accidental or intentional misuse by people inside or outside an organisation or facility. Key elements of information security, include technical security measures/controls, such as:

  • Encryption/pseudonymisation;
  • Limiting information to authorised entities exclusively;
  • Preventing unauthorised changes to, or the corruption of proprietary data;
  • Guaranteeing authorised individuals the appropriate access to critical information and systems;
  • Ensuring that data is transmitted to, received by or shared with only the intended party; and
  • Providing security for ownership of information.

Such measures very much influence the modern CCTV systems, in regards to:

  • Protection of unauthorised access to the camera itself, especially IP cameras, to VDR systems, and to video storage systems (especially if cloud technology is used);
  • Ecryption of video transmission links between camera and storage system, especially in the instance of IP camera case;
  • Encryption or pseudonymisation of retained video material, either on local or cloud storages; and
  • Antimalware/end-point protection, on both camera and storage systems.

Operational security is the process of creating policies and procedures, and establishing administrative controls to preserve privileged information regarding organisational capabilities and vulnerabilities. Operation security is of paramount importance in order to create effective CCTV security policies and procedures, and that certainly should be an important part of the overall Information Security Management System (ISMS), established on the basis of the ISO/IEC 27001 international security standard.

Applying advanced information security technologies to CCTV

Cloud-based computing has touched just about every industry and it will continue to reshape the security and surveillance sector, as well. Security can now be offered as a service that is managed remotely, freeing up valuable human and capital resources that no longer need to be on-site at every location which requires monitoring.7

Secure remote access to security systems will increase in use, including by end-users who want the convenience and real-time benefits of being able to monitor property and events without having to be physically present. Such systems must be well protected at the end point (camera), as well as protecting video transmission and video retention system components.

Cloud storage is another important aspect of how systems are becoming more efficient in this model. Much larger volumes of data can be stored cost-effectively and securely at dedicated server facilities, allowing users to archive video and associated data for longer periods of time and improve its accessibility as well.

While the vision of IoT is enticing for the convenience, capabilities and flexibility that vast networks of connected devices offer, there is a growing risk for security threats and breaches as the number of entry points of a network dramatically increases. As a general rule of thumb, as you increase availability and access to any network device, it potentially increases exposure to cyber threats.

As security camera systems become increasingly interconnected with the rise of the Internet of Things, offering benefits such as remote access and third party integration – just as with other network connected devices – it is critical to perform an information security risk assessment and implement security polices in the design and implementation of a network video system. The first step is establishing an understanding and use of industry standard security protocols, including:

  • Multi-level user authentication and authorisation;
  • Password protection;
  • SSL/TLS encryption;
  • IEEE Standard 802.1X;
  • IP-filtering; and
  • Public key infrastructure (PKI) electronic certificate management.

As a network device, a camera, or other connected physical security devices, may pose a risk. If devices, services and applications do not need to interact, users should try to limit connectivity between them. Additionally, segmenting the video system from the core network is a good overall protection measure, thereby reducing risks of video resources and business resources adversely effecting each other.

Recently, surveillance CCTV cameras being used as IoT devices are being used by hackers to gain entry into corporate IT networks. The security industry needs to quickly get a grip on keeping hackers out of devices connected through IoT, by using transport encryption and establishing more secure firewalls and monitoring which alert the security administrators of potential hackers.

CCTV privacy concerns

Many civil liberty campaign groups, academics and consultants, have published research papers into CCTV systems. Challengers of CCTV point out the loss of privacy of people under surveillance and the negative impact of surveillance on civil liberties. Furthermore, they argue that CCTV displaces crime, rather than reducing it.10

Proponents of CCTV systems argue that cameras are effective at deterring and solving crime, and the appropriate regulation and legal restrictions on surveillance of public spaces can provide sufficient protections so that an individual’s right to privacy can reasonably be weighed against the benefits of surveillance. However, anti-surveillance activists have maintained that there is a right to privacy in public areas.

According to the debate of whether surveillance cameras should be put in public areas, such as schools, stores, libraries, airports, bars and clubs, some individuals feel more secure with cameras, while other citizens and privacy advocates feel nervous about the idea of someone watching them every time they are out in public.

As the volume and quality of cameras and sensors are increased, cities are turning to more advanced face and object recognition software to make sense of the data; civil liberty activists are concerned about how the technology of CCTV systems could be abused.10 With cameras in remote cities all connecting to the same database, a person’s movements can be tracked across states or continents. For instance, it could be used to single out a person attending multiple political protests.

In the workplace, employers have to deal with two competing interests; employers have a legitimate need and right to watch their employees.11 At the same time, employees maintain some privacy rights while they are at work. Workplace privacy laws vary by country, but it is very common for video surveillance of restrooms, locker rooms and break areas to be illegal, while surveillance of work areas is permitted.

From a legal perspective, there is a significant difference between a video only camera and a camera that records audio along with video. As such, if your camera is set up to record audio, you will fall under even more legal scrutiny. 11


The EU GDPR regulation is designed to strengthen the privacy laws governing the data of EU citizens worldwide. Protecting personal information, including image data which may allow individuals to be personally identified, is a central consideration and it brings CCTV data into the scope of GDPR.12

The GDPR is a set of laws designed to protect personal data from commercial abuse and to encourage organisations that retain such data to harden their defences and improve their processes for looking after it. This will significantly increase the importance of control over all types of data, not least because companies that breach any of the GDPR’s principles run the risk of massive fines – up to €20 million or 4% of turnover, whichever is higher – as soon as the regulation comes into effect.13,14

Some of the key facts about the GDPR include:12

  • The GDPR applies to all companies worldwide that process personal data of EU citizens.
  • The GDPR widens the definition of personal data, bringing new kinds of data under regulation. The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, materials such as genetic, mental, cultural, economic, or social information.
  • The GDPR tightens the rules for obtaining valid consent to using personal information. The GDPR requires all organisations collecting personal data to be able to evidence clear and affirmative consent in order to process that data.
  • The GDPR introduces mandatory privacy impact assessments (PIAs) to identify privacy breach risks and minimise risks to data subjects.
  • The GDPR introduces a common data breach notification requirement which harmonises data breach notification laws in Europe. This is intended to ensure that organisations constantly monitor for breaches of personal data. Organisations need to notify the local data protection authority of a data breach within 72 hours.
  • The GDPR introduces the right to be forgotten; organisations are not to hold data for any longer than necessary and are not to change the use of the data from the purpose for which it was originally collected. Data must be deleted at the request of the data subject.
  • The GDPR requires that privacy is included in the design of systems and processes. Software development processes must factor in compliance with the principles of data protection. Essentially, all software must be capable of completely erasing data.
  • The GDPR allows any European data protection authority to act against organisations, regardless of where in the world the company is based. This enforcement is backed by significant fines for non-compliance.

The key security technologies encompassed by GDPR are:

  • Data discovery, cataloguing and classifying;
  • Data loss protection;
  • Data encryption;
  • Email encryption;
  • Data breach identification and blocking;
  • Pseudonymisation;
  • Data portability;
  • Mobile device management;
  • Perimeter security;
  • Cloud storage and sharing services;
  • Anti-malware and advanced threat protection – endpoint protection;
  • Application security testing;
  • Evaluating cloud service providers;
  • Identity and access management;
  • Behaviour analytics;
  • Privileged access management; and
  • Format-preserving encryption (FPE).

CCTV and GDPR compliance

As for CCTV in regards to GDPR compliance, businesses and organisations operating CCTV and electronic surveillance systems need to consider:12

  • Conducting a Privacy Impact Assessment (PIA) to ensure that all CCTV cameras serve a legitimate purpose.
  • Allowing CCTV systems to power on/off, where appropriate, so recordings of footage are not continuous. Audio and video need to be independent from each other as well. Legitimate reasons for recording either, or both, need to be clearly established.
  • Sound recordings should only be obtained where absolutely necessary, in order to support the legitimate reasons. The use of CCTV surveillance systems should not be regularly placed in the working environment in order to record conversations between the public and employees.
  • Recordings from CCTV systems need to be stored securely, whilst access is required to be restricted to authorised personnel.
  • CCTV recordings need to be of an appropriate quality to meet the purpose intended.
  • Regular checks are needed to ensure that the date and time stamps recorded on images is accurate.
  • Recording and playback functions need to provide access to recordings made in specified locations and times, in order to comply with subject access requests from individuals in recordings, or in response to police requests.
  • Appropriate policies need to be enforced so that employees know how to respond to requests from individuals or police for access to CCTV recordings.
  • Ensuring that the appropriate security safeguards are in place to prevent interception and unauthorised access – the copying of recordings or viewing.
  • CCTV recordings that no longer serve a purpose need to be deleted. Clear documentation of the information retention policy, which is clearly understood by CCTV system operators, need to be established.
  • The need for signage and the availability of other appropriate information; there is a need to notify individuals of surveillance information processing, such as their presence in an area where CCTV is in operation and their rights of access to recordings and/or images of themselves.

What many organisations often do not realise is that personal data is not just written material, but includes video and audio if this allows individuals to be identified. One area of particular concern is CCTV. Nowadays, there is a constant flow of news articles, highlighting the security flaws that have enabled hundreds of thousands of CCTV systems across the world to be hacked and used in Distributed Denial of Service (DDoS) attacks.13

When the GDPR comes into force, management will set out operational processes to help their employees demonstrate compliance. Due to the inherent limitations of traditional CCTV, where data is held on DVRs, these will inevitably restrict general access to the equipment, rather than allowing access to specific data by authorised employees.

One of the solutions is to hold CCTV information securely in the Cloud, with access limited to authorised personnel. There is no longer a physical DVR; data is sent directly and securely from the cameras to the Cloud. Such systems can not only provide an overview of all visual data collected by the CCTV cameras connected to it, but also complete control over access to that data, which is encrypted from end-to-end and can be viewed using a standard computer, tablet or smartphone, via secure browser technology. They can also only record CCTV data when needed and can automatically delete it when it is no longer required.


  1. http://whatis.techtarget.com/definition/CCTV-closed-circuit-television
  2. http://www.in-security.eu/index.php/news/archives/advances-in-cctv-can-offer-peace-of-mind
  3. https://en.wikipedia.org/wiki/Closed-circuit_television
  4. https://www.facilitiesnet.com/security/article/From-cutting-edge-to-off-the-shelf-Facilities-Management-Security-Feature–2643
  5. https://www.ifsecglobal.com/role-cctv-cameras-public-privacy-protection/
  6. https://www.facilitiesnet.com/security/topic/How-Can-CCTV-Surveillance-Systems-Improve-Security–19062
  7. https://www.ifsecglobal.com/smart-cctv-and-the-internet-of-things-2016-trends-and-predications/
  8. https://systemsurveyor.com/iot_survellance/
  9. https://www.facilitiesnet.com/security/article/Taking-Security-To-the-Next-Level-Facilities-Management-Security-Feature–2566
  10. https://edition.cnn.com/2013/04/26/tech/innovation/security-cameras-boston-bombings/index.html
  11. https://itstillworks.com/legal-issues-concerning-surveillance-cameras-3333.html
  12. https://www.ic2cctv.com/news/cctv-regulation-compliance-surveillance-footage-new-gdpr-information-security-standard/
  13. https://gdpr.report/news/2017/04/25/gdpr-key-cctv-cyber-security/
  14. http://smallbusiness.co.uk/cctv-system-gdpr-compliant-2541510/

Professor Dr. Milan Marković

Paneuropean University Apeiron

Republic Srpska

Bosnia and Herzegovina

Scope Infotech, Inc. – Government Accountability Office


Matter of: Scope Infotech, Inc.

File: B-414782.4; B-414782.5

Date: March 22, 2018

Daniel J. Strouse, Esq., Laurel A. Hockey, Esq., David S. Cohen, Esq., and John J. O’Brien, Esq., Cohen Mohr LLP, for the protester.

David B. Dixon, Esq., Meghan D. Doherty, Esq., and Robert Starling, Esq., Pillsbury Winthrop Shaw Pittman LLP, for Sparksoft Corporation, the intervenor.

Christian P. Maimone, Esq., and Erin V. Podolny, Esq., Department of Health and Human Services, for the agency.

Nora K. Adkins, Esq., and Amy B. Pereira, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.


1. Issuance of a task order that included non-Federal Supply Schedule (FSS) items under a competition among FSS vendors was improper.

2. Protest challenging agency’s evaluation of the awardee’s quotation is denied where, despite the protester’s assertions to the contrary, the solicitation did not mandate the pricing of all software provided as government furnished equipment, vendors were assessed on a common basis, and the awardee’s professional compensation was reasonably evaluated in accordance with Federal Acquisition Regulation provision 52.222-46.


Scope Infotech, Inc., a small business located in Columbia, Maryland, protests the issuance of a General Services Administration (GSA) Federal Supply Schedule (FSS) task order to Sparksoft Corporation, a small business located in Catonsville, Maryland, by the Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS) under request for quotations (RFQ) No. 170454 for operations and maintenance of the data services hub system utilized to support healthcare exchanges. The protester challenges multiple aspects of the agency’s evaluation.

We sustain the protest in part, and deny the protest in part.


CMS issued the RFQ on January 20, 2017, pursuant to the procedures of Federal Acquisition Regulation (FAR) § 8.405-2, to small business vendors holding contracts under GSA schedule 70–commercial information technology equipment, software, and services.[1] RFQ at 1; Contracting Officer Statement (COS) at 1. The solicitation sought a vendor to provide information technology operations, maintenance, and support services to maintain CMS’ data services hub, which permits computer systems and networks across multiple government agencies to communicate with each other, and permits the public to shop for health insurance in the private health insurance markets (known as exchanges). COS at 1. The agency intended to issue a fixed-price and time-and-materials task order consisting of a 1-year base period and four 1-year option periods.[2] RFQ at 1, 4. The RFQ provided for selection of the best-value vendor based on the following factors, which were listed in descending order of importance: technical understanding and approach; personnel qualifications and management plan; past performance; section 508 compliance; and price.[3]Id. at 8-9.

The RFQ required vendors to submit quotations in three separate volumes: business/price; technical; and business ethics, conflicts of interest, and compliance. Id. at 4-7. With respect to the business/price volume, vendors were instructed to provide a total price for each year for the fixed-price portion of the statement of work and complete a basis of estimate for the time-and-materials tasks outlined in the statement of work. Id. at 4. Vendors were also required to include any materials, travel, and/or other direct costs (ODC). Id. This volume also required the submission of information pursuant to FAR provision 52.222-46–Evaluation of Compensation for Professional Employees.

With respect to the technical volume, vendors were instructed under the technical understanding and approach factor to demonstrate their technical approach for completing the statement of work requirements, including anticipated risks and their approach for mitigating each risk. Id. Under the personnel qualifications and management plan factor, the RFQ instructed vendors to provide the labor categories and hours, and a plan to manage the staff based on their technical approach. Id. at 5. The RFQ also required vendors to provide a letter of commitment for each person not currently employed by the vendor, to include the date of availability, how long the commitment is binding and a signature both of the individual submitting the letter of commitment and the vendor’s authorized official. Id.

As relevant here, the RFQ provided that the agency would evaluate technical understanding and approach by assessing the vendor’s understanding of the statement of work and its techniques and procedures to ensure efficient, low risk performance. Id. at 8. The agency would evaluate price in accordance with FAR § 8.405-2(d) and assess the information submitted as required by FAR provision 52.222-46 to determine whether a vendor’s compensation plan reflects a sound management approach and understanding of the contract requirements, including an assessment of the vendor’s ability to provide uninterrupted high-quality work. Id. at 9. The professional compensation proposed would also be considered in terms of its impact upon recruiting and retention, its realism, and its consistency with the vendor’s total plan for compensation. Id.

CMS received six quotations in response to the solicitation. Agency Report (AR), Tab 6, Source Selection Decision (SSD), at 4-5. The agency evaluated quotations and issued questions to all vendors. COS at 2. As relevant to this protest, on April 14, the contracting officer sent an email to Sparksoft asking if it was possible to provide any of the non-FSS (open market) software licenses on Sparksoft’s GSA schedule or on one of its teaming partner’s schedules. Id. On April 17, the contracting officer also sent an email to Scope asking if it was possible to provide any of the open market software licenses on Scope’s GSA schedule or on one of its teaming partner’s schedules. Id.; AR, Tab 4M1, CO Email, Apr. 17, 2017 (12:34 p.m.). On April 20, the contracting officer sent an additional email to Scope to point out that the RedHat JBoss software licenses it quoted were open market items. COS, at 2; AR, Tab 4M3, CO Email, Apr. 20, 2017 (11:02 a.m.). The contracting officer asked Scope if it could look at providing these items through one of their partners’/subcontractors’ GSA schedules. Id. On April 21, Scope responded that two companies, Carasoft and EC America, offered the JBoss software licenses on their GSA schedules; however, Scope noted that when purchased on the GSA schedule, the price discount from Carasoft would be removed, which would make the total cost of the JBoss software licenses higher.[4] AR, Tab 4M3, Scope Email, Apr. 21, 2017 (2:53 p.m.).

On April 26, based on the results of the initial evaluation and the vendors’ answers to the contracting officer’s questions, the contracting officer removed all vendors, aside from Scope and Sparksoft, from the competition. COS at 3. On April 28, the agency opened discussions with Scope and Sparksoft. Id.

The agency sent discussion letters to both Scope and Sparksoft to address questions regarding the vendors’ assumptions and quoted software licenses. AR, Tab 4B, Sparksoft Discussion Letter, at 1-2; Tab 4D, Scope Discussion Letter, at 1-2. Each letter also noted that, “a significant portion [of the ODC software licenses] were quoted as open market items as defined in FAR part 8.” Id. at 2. The agency asked, “[i]f at all possible, please provide a quote with no open market ODC’s.” Id. at 2. On May 1, the contracting officer held individual conference calls with each vendor. COS at 3. During these calls, the contracting officer discussed, among other things, whether the software licenses quoted by the vendors as ODCs were open market items. Id. The contracting officer also agreed to provide both vendors with a list of government furnished equipment (GFE) software licenses, which the agency would receive at the end of the incumbent contract and provide to the new contractor. Id. The contracting officer requested final quotation revisions by May 4. Id. at 4.

On May 2, the contracting officer emailed the vendors a spreadsheet listing the GFE software licenses CMS would provide to the awardee. AR, Tab 4F3, CO Email to Scope, May 2, 2017 (3:16 p.m.); Tab 4F4, CO Email to Sparksoft, May 2, 2017 (3:15 p.m.). In response to this email, Scope responded as follows, “this GFE list covers most of the ODC items we had listed. We will go ahead and revise our ODC list to exclude the items covered under GFE.” AR, Tab 4F3, Scope Email, May 2, 2017 (3:43 p.m.). On May 3, the agency sent an updated GFE spreadsheet to the vendors, which included an expiration date for each software license. AR, Tab 4F3, CO Email to Scope, May 3, 2017 (9:28 a.m.); Tab 4F4, CO Email to Sparksoft, May 3, 2017 (9:28 a.m.); See AR, Tab 4E, GFE Software List.

The agency received final quotation revisions from both Scope and Sparksoft. AR, Tab 6, SSD, at 4. The contracting officer began reviewing the vendors’ quotations and noticed a possible misunderstanding in Scope’s business/price volume. COS at 4. The contracting officer emailed Scope on May 5to request clarification that it intended to remove all GFE software from its ODC pricing. Id. The contracting officer’s email provided as follows:

I notice there are no ODC costs in your updated quote besides travel costs. As you saw in the GFE list I provided, the [software] licenses CMS is providing as GFE do expire and will need to be renewed. I want to confirm that the updated quote you sent includes support of the licenses throughout the life of the contract as needed to complete the DSH [data services hub] work – perhaps as not separately priced.

AR, Tab 4G, CO Email to Scope, May 5, 2017 (2:27 p.m.). In response, Scope replied:

It is a misunderstanding on my part, I apologize. I assumed the items from the GFE list you provided will continue to be provided as GFE items under [the] DSH [data services hub] recompete contract. I can redo the price sheet and submit it as if we are picking up all the GFE items as ODC, as they expire.

Id., Scope Email, May 5, 2017 (2:45 p.m.). On May 8, Scope submitted a revised quotation. Id., Tab 6, SSD, at 4.

The agency evaluated the quotations of Scope and Sparksoft and concluded that Sparksoft provided the best-value quotation. COS at 5. On May 31, CMS awarded the task order to Sparksoft and notified Scope of the award. Id.

On June 9, Scope filed a protest with our Office. In response, the agency notified our Office of its intent to take corrective action by re-evaluating the price quotations of both Scope and Sparksoft and issuing a new source selection decision. Based on the agency’s notice, we dismissed the protest as academic on June 29. Scope Infotech, Inc., B-414782, June 29, 2017 (unpublished decision). The agency conducted a re-evaluation of the quotations, and on July 28, again awarded the task order to Sparksoft. COS at 6.

On August 4, Scope filed a second protest with our Office. After the GAO attorney assigned to the protest conducted an alternative dispute resolution conference, in which she informed CMS that she would likely sustain the protest based upon the agency’s evaluation of the vendors’ professional compensation, the agency notified our office of its intent to take corrective action by re-evaluating the quotations of Scope and Sparksoft and issuing a new source selection decision. Based on the agency’s notice, we dismissed the protest as academic on October 27. Scope Infotech, Inc., B-414782.2, Oct. 27, 2017 (unpublished decision). The agency conducted a re-evaluation of the quotations, and on December 8, again awarded the task order to Sparksoft.[5] COS at 6.

On December 13, Scope filed this protest with our Office. Thereafter, on December 22, the agency published a justification and approval for other than full and open competition pursuant to FAR § 8.402(f) to add the bundled JBoss software licenses as open market items to Sparksoft’s FSS task order award.[6] AR, Tab 1Q, JBoss Justification, at 1-5; Seehttps://www.fbo.gov/?s=opportunity&mode=form&id=ab47fb10689ebc40ee787cd3367a4cd7&tab=core&_cview=0 (last visited, Mar. 16, 2018). The justification cited the authority at 41 U.S.C. § 253(c)(1), authorizing the use of other than full and open competition when there is only one responsible source and no other supplies or services will satisfy agency requirements. Id. at 2. The justification provided that Sparksoft was forced to quote the open market bundled JBoss software licenses because these items were not available on a GSA schedule. Id.


Scope challenges the agency’s evaluation of Sparksoft’s quotation. The protester alleges that the agency’s award is improper because Sparksoft’s quotation contained open market items, which Scope quoted on Carasoft’s GSA schedule. The protester also alleges that CMS’ evaluation was unreasonable because Sparksoft’s quotation is unacceptable. Scope also challenges the agency’s evaluation of Sparksoft’s professional compensation. We have reviewed all of the protester’s allegations and as explained below, we sustain the protest because the agency unreasonably included the JBoss software licenses as open market items on Sparksoft’s task order. While we do not address each of the remaining allegations, we have reviewed them all and find that none provide a basis to sustain the protest.[7]

Open Market Items

Scope contends that the task order award was improper because Sparksoft quoted the JBoss software licenses as open market items. In response, CMS alleges that it properly issued the award pursuant to FAR § 8.402(f) because no vendor could provide the JBoss software licenses on a GSA schedule contract. We sustain the protest because Scope’s quotation provided the JBoss software licenses on a GSA schedule contract and thus, the agency could not include the same JBoss software licenses on Sparksoft’s order as open market items.

The FSS program, directed and managed by GSA, provides federal agencies with a simplified process for obtaining commonly used commercial supplies and services. FAR § 8.402(a). Orders placed using the procedures established for the FSS program satisfy the requirement for full and open competition. 41 U.S.C. § 152(3); FAR § 6.102(d)(3). Non-FSS products and services may not be purchased using FSS procedures; instead, their purchase requires compliance with the applicable procurement laws and regulations, including those requiring the use of competitive procedures. See FAR § 8.402(f); Symplicity Corp., B-291902, Apr. 29, 2003, 2003 CPD ¶ 89 at 4.

Here, the JBoss software licenses at issue are offered by Carasoft. As explained above, Carasoft’s GSA schedule contract includes the JBoss software licenses as four separate items. Under the prior CMS contract, Carasoft offered a price discount to the incumbent contractor if the four software licenses were purchased as a bundle (i.e. JBoss Fuse + BRMS 16 core and JBoss Fuse + BRMS 64 core). While Carasoft assigns these two bundled products separate product numbers from the four software licenses on its GSA schedule, there is no dispute among the parties that, aside from a price discount, the four JBoss software licenses on Carasoft’s schedule are the same software licenses as those bundled for the price discount. In this regard, whether ordering the bundled or unbundled products, Carasoft provides four separate JBoss software licenses.

The agency first asserts that its award was proper because Scope’s quotation did not include the JBoss software licenses on Carasoft’s GSA schedule contract as the protester alleges. The agency explains that Scope’s final quotation provides, after listing the four software licenses individually: “[The incumbent] had bundled discount for Fuse + BRMS. GSA schedule does not offer bundle discount.” See AR, Tab 2q, Scope Revised Price Quotation, ODC Tab, at 1. CMS contends that this reference to the bundled price discount indicates that Scope did not obtain the JBoss software licenses on Carasoft’s GSA schedule. We disagree.

Scope’s quotation provided a spreadsheet with line entries for each of its ODCs. Four of these line entries quoted Carasoft’s JBoss software licenses and listed Carasoft’s schedule number, Carasoft’s GSA schedule price, and a discounted price Scope received from Carasoft for this procurement. Id. As stated above, the entries also included a note referencing the price discount received by the incumbent. Id. On this record, we find no basis to support the agency’s conclusion that Scope quoted the bundled open market software. Scope’s quotation provided all the necessary information for the agency to confirm that Scope was offering the four separate JBoss software licenses on a GSA schedule (i.e. Carasoft’s GSA schedule number, GSA schedule price, and a price discount). Had the agency reviewed this information, the agency could not have reasonably concluded that Scope failed to quote these items on a GSA schedule. Scope’s reference to the incumbent price discount simply acknowledged that the discount was not available on a GSA schedule. Accordingly, we find the agency’s conclusion that Scope failed to provide the JBoss software licenses on a GSA schedule was unreasonable.

We also find that the agency’s next argument–that CMS could properly rely on Carasoft’s bundle-item price discount to support its claim that no vendor could provide these items on a GSA schedule–is unreasonable. The agency asserts that Sparksoft was forced to quote the bundled JBoss software licenses as open market items because they are not sold on a GSA schedule. However, as explained above, the software licenses were, in fact, available on GSA schedule contracts as four separate items. Indeed, the exact software licenses quoted in Sparksoft’s proposal as open market items were quoted by Scope on Carasoft’s GSA schedule. While the agency makes much of the fact that Carasoft provides different product numbers for these software licenses, whether bundled or unbundled, and provides a price discount for the bundled items, the agency’s claim that the price discount prevents Sparksoft from quoting these items on a GSA schedule is unreasonable and circumvents the very purpose of the FSS. That is, to award contracts to vendors quoting scheduled items. Rapiscan Sys., Inc., B-401773.2, B-401773.3, Mar. 15, 2010, 2010 CPD ¶ 60 at 3 (citing general rule that all items under an FSS solicitation must be included on the successful vendor’s FSS contract). Accordingly, we find that the agency could not reasonably rely on a bundle-item price discount as a basis to find that the JBoss software licenses were not available on a GSA schedule.

In sum, we find that the agency unreasonably concluded that Scope did not provide the JBoss software licenses on a GSA schedule and that no vendor could provide these items on a GSA schedule. Thus, we cannot find the agency’s inclusion of the open market items on Sparksoft’s order pursuant to FAR § 8.402(f) to be reasonable. In this regard, FAR § 8.402(f) permits a contracting officer to “add items not on the Federal Supply Schedule (also referred to as open market items)” to a FSS task order only if all applicable acquisition regulations pertaining to the purchase of the items not on the FSS have been followed. FAR § 8.402(f). Here, the JBoss software licenses could not reasonably be considered to be “items not on the Federal Supple Schedule” because they were quoted by Scope on Carasoft’s GSA schedule contract. For these reasons we sustain the protest.[8] We further conclude that Scope, the only other vendor in the competition who was favorably evaluated at a fair and reasonable price, was prejudiced by the agency’s inclusion of the open market items because, but for these errors, the protester could have had a substantial chance for award. SeeDRS ICAS, LLC, B-401852.4, B-401852.5, Sept. 8, 2010, 2010 CPD ¶ 261 at 21-22.

Sparksoft’s Evaluation

Scope argues that Sparksoft’s proposal is unacceptable because it failed to price all GFE software licenses as ODCs. Relatedly, Scope argues that Sparksoft’s quotation is unacceptable because its technical approach, which provided that it would not make significant changes to the current software licensing, is inconsistent with its price, which did not include pricing for five software licenses provided as GFE. Scope further argues that the agency failed to treat the vendors equally because it permitted Sparksoft to quote only a portion of the required GFE software licenses, while it required Scope to price all GFE software licenses. Scope also challenges the agency’s evaluation of Sparksoft’s professional compensation.

Where, as here, an agency issues a solicitation to FSS contractors under FAR subpart 8.4 and conducts a competition, we will review the record to ensure that the agency’s evaluation is reasonable and consistent with the terms of the solicitation. SRM Group, Inc., B-410571, B-410571.2, Jan. 5, 2015, 2015 CPD ¶ 25 at 4. In reviewing a protest challenging an agency’s technical evaluation, our Office will not reevaluate the quotations; rather, we will examine the record to determine whether the agency’s evaluation conclusions were reasonable and consistent with the terms of the solicitation and applicable procurement laws and regulations. OPTIMUS Corp., B-400777, Jan. 26, 2009, 2009 CPD ¶ 33 at 4. A protester’s disagreement with the agency’s judgment does not establish that an evaluation was unreasonable. DEI Consulting, B-401258, July 13, 2009, 2009 CPD ¶ 151 at 2.

Scope raises multiple related arguments all based upon the same underlying premise–that vendors were required to price all GFE software licenses as ODCs. We find no basis to support this conclusion. The protester has not pointed to anything in the solicitation that would require such pricing, and based on our review, we have found none. Instead, Scope argues that the agency’s communications with the vendors included the requirement to price all GFE software licenses. We do not agree.

As stated above, during separate conference calls with each vendor, the contracting officer agreed to provide a list of GFE to the vendors. The GFE list contained the software licenses used by the incumbent contractor and included an expiration date for each license. AR, Tab 4E, GFE Software List, at 1. After Scope received the list of GFE software licenses, it revised its quotation to remove pricing for each of the GFE software licenses. AR, Tab 2P, Scope Price Quotation, May 4, 2017, ODC Tab, at 1. The contracting officer reviewed Scope’s final revised quotation and recognized Scope’s misunderstanding with respect to the GFE software licenses. COS at 4. In this regard, the contracting officer realized that Scope mistakenly believed that CMS would be providing the software licenses as GFE for the entire contract. Id. To correct this misunderstanding the contracting officer emailed Scope to explain that “[a]s you saw in the GFE list I provided, the licenses CMS is providing as GFE do expire and will need to be renewed. I want to confirm that the updated quote you sent includes support of the licenses throughout the life of the contract as needed to complete DSH [data services hub] work – perhaps as not separately priced.”[9]Id.; AR, Tab 4G, CO Email to Scope, May 5, 2017 (2:27 p.m.). Scope confirmed its misunderstanding and submitted a revised quotation. AR, Tab 4G, Scope Email, May 5, 2017 (2:45 p.m.), at 1; Tab 2Q, Scope Revised Price Quotation.

Based on our review of record, we find that the contracting officer’s communications did not provide a requirement to price all GFE. Rather, the communication was to correct Scope’s misunderstanding with respect to the agency’s provision of these items throughout the life of the contract. Indeed, the contracting officer made clear that the licenses should be renewed only as needed to perform the work. The protester’s allegations in this regard are not reasonable.

Relatedly, Scope also challenges the agency’s evaluation of Sparksoft’s price quotation asserting that the agency failed to recognize that Sparksoft’s price is inconsistent with its technical approach. Sparksoft’s technical quotation provided, “Sparksoft does not anticipate major changes to the current DSH [data services hub] architecture, so, we do not expect significant changes to software licensing.” AR, Tab 3c, Sparksoft Technical Quotation, at 46. Scope argues that, since Sparksoft did not expect significant changes to software licensing, it was required to price all GFE software licenses, and that since Sparksoft did not price five software licenses listed as GFE, the agency should have found its quotation unacceptable. We disagree.

As above, we find no requirement for vendors to provide pricing for all software licenses provided on the GFE list. We also find no basis to conclude that Sparksoft’s statement–that it did not expect significant changes to software license–is inconsistent with its price quotation or required it to price all GFE software licenses. In this regard, Sparksoft did not propose the same solution as the incumbent contractor. Thus, it is not unreasonable to expect differences in its pricing of the GFE software licenses. Moreover, as part of its previous corrective action, the agency conducted an evaluation of Sparksoft’s ODCs to determine if the lack of pricing for the five specific software licenses called into question Sparksoft’s ability to perform the contract. AR, Tab 5F, Sparksoft ODC Analysis, at 1-3. Based upon this review, the agency found no issues with the software licenses Sparksoft included in their quotation and concluded that the price quotation: “1) matched their technical approach and 2) the excluded items . . . would not cause any changes to the DSH [data services hub], which could or would introduce unacceptable risk or problems for the Government.” Id. at 2. On this record, we find the agency’s evaluation unobjectionable.

Scope also alleges that the agency’s evaluation was unequal because the agency required Scope to price all GFE software licenses while Sparksoft was permitted to provide pricing for only a portion of the licenses. Again, neither the RFQ nor the contracting officer’s communications with the vendors mandated the pricing of all GFE software licenses. Furthermore, we find no unequal treatment as a result of the contracting officer’s communications with the vendors because the contracting officer asked both vendors the same question. Compare AR, Tab 4C, CO Email to Scope, May 5, 2017 (2:27 p.m.), at 1, with Tab 4H, CO Email to Sparksoft, May 5, 2017 (3:05 p.m.). As the record demonstrates, Scope priced all software licenses listed as GFE because, as it explained in its communications with the contracting officer, “a central part of our proposed approach for DSH [the data services hub] is to continue the current hardware/software configuration and infrastructure.” AR, Tab 4M2, Scope Email, Apr. 19, 2017 (11:16 a.m.). In this regard, Scope chose to implement the solution of the incumbent. However, Scope was free to maintain only the licenses that were required for performance of the contract. That Scope chose to implement the solution of the incumbent does not require the agency to evaluate Sparksoft, or any other vendor, as if they offered the same solution as Scope. Accordingly, we find that the agency’s evaluation in this regard was equal and in accordance with the solicitation criteria.

Finally, Scope argues that the agency’s evaluation of Sparksoft’s professional compensation was unreasonable. We find no basis to object to the agency’s evaluation.

The purpose of FAR provision 52.222-46–Evaluation of Compensation for Professional Employees is to evaluate whether offerors will obtain and keep the quality of professional services needed for adequate contract performance, and to evaluate whether offerors understand the nature of the work to be performed. MicroTechnologies, LLC, B-413091.4, Feb. 3, 2017, 2017 CPD ¶ 48 at 8. In the context of fixed-price contracts, our Office has noted that this FAR provision anticipates an evaluation of whether an awardee understands the contract requirements, and has offered a compensation plan appropriate for those requirements–in effect, a price realism evaluation regarding a vendor’s proposed compensation. Id. at 6-7. The depth of an agency’s price realism analysis is a matter within the sound exercise of the agency’s discretion. Apptis Inc., B-403249, B-403249.3, Sept. 30, 2010, 2010 CPD ¶ 237 at 9. In reviewing protests challenging price realism evaluations, our focus is on whether the agency acted reasonably and in a manner consistent with the solicitation’s requirements. MicroTechnologies, LLC, supra, at 11.

Here, the agency conducted a thorough evaluation of the vendors’ professional compensation plans to ensure that the plans reflected a sound management approach and understanding of the contract requirements, including an assessment of each vendor’s ability to provide uninterrupted high-quality work. AR, Tab 5E, Professional Compensation Analysis. The agency compared the salary and benefits submitted by the vendors to the incumbent contractor’s salary and benefits to determine if compensation levels were lower than those of the predecessor contractor. Id. To conduct this portion of the analysis the agency chose to use the mid-point of each vendor’s professional compensation plan salary range. Id. The agency compared this number to the incumbent salary as well as reference salaries such as salary.com, glassdoor.com, and indeed.com. Id. For Sparksoft, the mid-point was the 75th percentile salary range. Id. Based on this analysis, the agency concluded that there was no evidence to suggest that Sparksoft’s professional compensation plan salaries were out of line or otherwise not competitive. AR, Tab 6, SSD, at 27.

Scope argues that the agency’s evaluation was unreasonable because the agency should have compared Sparksoft’s 50th percentile range to the incumbent’s rates. We find the agency’s evaluation unobjectionable. As stated above, price realism analysis is a matter within the sound exercise of the agency’s discretion. While Scope would have preferred that the agency conduct its analysis at the 50th percentile range, there is nothing in the solicitation that would require the agency to do so. Scope’s disagreement with the agency choice of percentile range is unavailing. Sparksoft’s professional compensation plan provided that “although the salary [ranges] reference local and national surveys, Sparksoft may offer salaries beyond those listed for resources exceeding standards set for requirements such as education and experience.” AR, Tab 3L, Sparksoft Business/Price Quotation, Section 2.4, at 6. Moreover, the record demonstrates that Sparksoft’s quotation included signed letters of commitment, many of which are from incumbent employees. AR, Tab 3C, Sparksoft Technical Quotation, Appendix A, Resumes. Thus, we have no basis to question the agency’s conclusion that Sparksoft’s proposed compensation plan reflects a clear understanding of the work to be performed; demonstrates the ability to retain qualified personnel and employ a stable workforce; and includes realistic rates for professional compensation. AR, Tab 6, Award Decision, at 27.


We recommend that the agency cancel the order to Sparksoft and assess its actual requirements. To the extent the agency chooses to move forward with this procurement, it should reevaluate proposals consistent with the RFQ and the rules applicable to FSS procurements, and make a new source selection. We also recommend that the agency reimburse Scope the reasonable costs of filing and pursuing the protest, including attorneys’ fees. Bid Protest Regulations, 4 C.F.R. § 21.8(d)(1). Scope should submit its certified claim for costs, detailing the time expended and costs incurred, directly to the contracting agency within 60 days of this decision.

The protest is sustained in part, and denied in part.

Thomas H. Armstrong

General Counsel

Scottsdale Institute 2017 CISO Fall Summit: Best Practice Standards in Cybersecurity Risk Management – Healthcare Informatics

Thirteen chief information officers (CIOs) and chief information security officers (CISOs) of leading health systems convened in Chicago to discuss key challenges, best practice standards and collaborative opportunities in cybersecurity. These healthcare executives focused on cybersecurity maturity levels, governance practices, reporting systems, threat monitoring/threat analytics tactics and the importance of tying cybersecurity metrics to business impacts. This report captures their discussion and shared insights.

CISO Fall Summit Participants: Fernando Blanco, vice president and CISO, Christus Health; Jeff Bontsas, vice president and CISO, Ascension Information Services; Erik Decker, chief security and privacy officer, University of Chicago Medicine; Jim Hanson, Information Security Officer, Avera Health; Bryan Kissinger, Ph.D., vice president and CISO, Banner Health; Thien Lam, vice president and CISO, BayCare Health System; Ken Lawonn, senior vice president and CIO, Sharp HealthCare; Leonard Levy, vice president and CISO, Spectrum Health; Christie Polley, system director, IS information security, Eastern Maine Healthcare Systems; Brad Sanford, CISO, Emory University; Randy Thompson, M.D., CMIO and interim CIO, Billings Clinic; Jim Veline, senior vice president and CIO, Avera Health; Brenda Williams, vice president technology services, Mosaic Life Care

Organizer: Scottsdale Institute; Sponsor: Deloitte

Moderators: Deloitte—Bruce Daly, principal, Deloitte & Touche Llp; Raj Mehta, partner, Deloitte & Touche Llp


With numerous high-profile security events and data breaches splashed on the papers of national newspapers, there is a growing appreciation in healthcare and non-healthcare organizations alike that cybersecurity impacts business as a whole. Today, cybersecurity is increasingly regarded not as a technical issue pigeonholed in IT departments, but as a corporate and business issue. The cybersecurity function is rapidly evolving, eliciting greater visibility across healthcare systems and drawing increased attention from boards and leadership charged with risk management.

In October, leadership representing information technology (IT) and information security (IS) functions from Scottsdale Institute member health systems came together to share their perspectives, experiences and strategies for tying cybersecurity metrics into business impacts and business risk and for monitoring and managing ever-changing risks and threats.

The Imperative of Linking Cybersecurity Risks to Business Impacts

There is a growing appreciation across boardroom tables that cybersecurity is a business risk, not just a technical risk. Yet, the process of reporting metrics has not fully caught up. To drive the understanding home that cybersecurity addresses key corporate and business issues, alignment of cybersecurity reporting to business impacts is key. “How many of you are regularly using business risk to report?” asked discussion moderator Raj Mehta of Deloitte, kicking off a spirited conversation focused on improved communication of metrics, risks and impacts to management and boards. “If there is a cybersecurity risk to the organization, it is fundamentally a business risk. On this, we all agree. But is it being reported up and out that way?” Mehta challenged.

Participants around the Summit table voiced challenges, shared tips and broadly agreed that CISOs and cybersecurity teams have work to do internally to better align cybersecurity metrics, measures—and even budget requests—with business risks and business impacts. Many have already started that process.

What We Consider Catastrophic may be Very Different from what the Business Cares About

It is crucial to understand what critical or catastrophic impact means to your business leaders, emphasized Erik Decker, chief security and privacy officer at University of Chicago Medicine. “What we in IT think of as catastrophic can be very different from what the business cares about,” said Decker, citing his experience in collecting feedback from his senior leadership on the business impacts most important to them.

“Early on in my program, we convened our C-suite to make objective statements around the stratification of risks that were most concerning to them and that had the most consequential impacts to the business. We talked through many different scenarios of cybersecurity risk and threat outcomes that could happen, and together we categorized and stratified these on a 1-5 scale of catastrophic to nominal. Items on the table ranged from a simple phish, to hacking that could lead to data loss, as well as cyber actions that could cause death. There is now a clear sense internally of what the most concerning business impacts are, and we can now measure and stratify risks/threats against those stratified impacts.”

Core business impacts ranked by University of Chicago, and agreed upon by participants around the table, included:

  • Patient safety issues/harm to patient
  • Ransomware that can bring down digital operations and systems
  • Breach of private data
  • Mishandling of sensitive information
  • Risks/unknowns brought by M&A activity

There were hearty nods of agreement centered on the categories of business impacts, with the understanding that different boards may rank the importance of each type of impact differently.

Brad Sanford, CISO at Emory University, reported that his organization reflects these business impacts in a slightly different approach. “We have one risk measure that is a roll-up of several related risks that could impact the confidentiality or integrity of our data, and another one that focuses on the availability of our systems including business continuity and our ability to recover in the event of a disaster.”

Cybersecurity: A Row in a World of Columns

Bryan Kissinger, CISO of Banner Health, noted that his organization views cybersecurity metrics via the lens of “confidentiality, availability and integrity of systems.” Yet, he noted, none of the frameworks adequately fits the depth and breadth of cybersecurity risks and impacts. “Cybersecurity is a row in a world full of columns,” he opined, in a statement that became a mantra during the Summit. “Patient safety is a column. Financial performance is a column. But security is a row that cuts across everything. Information security and cybersecurity cut across every one of those business impacts. We are a row in a world full of columns. The row is being driven by info security and privacy teams but it permeates all of the organization and its entities.”

Risk Assessment: Shaping Risk Postures through the Lens of Threat Actors

Though risk assessment is tackled differently across organizations, the value of understanding “threat actors”—and the type of impact each could have on business—was discussed as a meaningful way to approach risk assessment frameworks. One participant identified a white paper, “Hacking Healthcare IT in 2016: Lessons Learned from the OPM Breach” as a particularly helpful resource to overlay the intentions of threat actors with the business risks of health systems.

The paper, which categorizes risks across five main categories of threat actors—script kiddies, hacktivists, cyber criminals, cyber terrorists and nation-state actors —has “helped shape our risk postures,” the participant explained. “We’ve built a framework that considers who the actors are, what their motivations might be, and how our strategies can address those specifically. We now tie threats back to risks, and tie risks back to groups of threat actors. Today, as we profile risks and add controls, we keep the common threat actors in mind.”

Tip: To manage the sheer volume and immensity of risk assessment and risk analysis, Leonard (“Lenny”) Levy, Vice President and CISO, Spectrum Health, reports that he and his team balance breadth and depth when conducting their annual risk assessment. “Since it would not be feasible to go in-depth across our entire environment, we perform an enterprise assessment looking at key risks and control and once a month perform a deep dive into a specific application, location and business unit, to make a more comprehensive analysis.”

Threat Monitoring

There is abundance—and many times, an overabundance—of data feeding into the threat intelligence and threat-monitoring funnel. A challenge that many agreed on is deploying the right level of internal and external resources to collect the optimal information. Outsourcing and collaboration rose to the top as the trends that CISOs are converging around.

CISO Insider Insights / Tips from the Trenches:

Outsourcing: “We recently converted to a hybrid model. Our primary level 1/level 2 monitoring is now outsourced. We still retain some resources internally who respond to issues and double-check our provider. This is where our red team comes in to test and make sure it is functioning properly.” (Lenny Levy, Spectrum Health)

Collaborative learning through ISACs: “The information-sharing and analysis centers (ISACs) are helpful as members are able to share information about what we are seeing. After all, it only takes one person to figure out an interesting nuance to a particular threat. Then, this can be shared and everyone can take advantage. Working with ISACs, you don’t need to figure out everything on your own.” (Brad Sanford, Emory University)

Monitoring for threats not experienced…yet: While this is an area that is ripe for maturity, many CISOs have their teams on a variety of chat rooms to “monitor what is happening externally, so we know threats we haven’t experienced. You need to look for it, as it doesn’t come to you.” (Jim Hanson, Avera Health)

Structured internal teams: “We have a team that is structured to focus on three core areas: threat management, vulnerability management, and incident management.” (Brad Sanford, Emory University)

Establishing internal norms and flags: “We feed privacy and access data in SIEM [security incident and event management] and determine what is normal—for example, how many records people access per day, per week and per month. So if this number of records went up, that is a flag for investigation.” (Thien Lam, BayCare Health System)

While SIEM systems were broadly regarded as the go-to tool for threat monitoring and analysis, understanding and applying the data generated by SIEM remains an area CISOs struggle to best interpret.

“As you deploy tools, you will see more [incidents]. So, it may seem like you are doing worse, but really you are doing a better job. There are not necessarily more threats, but you are expanding the visibility across your network and identifying more threats,” commented Jeff Bontsas, Vice President and CISO, Ascension Information Services. Many are moving to playbooks and use cases to bolster and build out general threat intelligence.

Common challenges underlying threat monitoring identified by participants include:

  • Cost of threat intelligence investments vs. value
  • Scope
  • Use cases
  • Talent
  • Maturity
  • Intelligence

Needed: A Plan for Ransomware across the Entire Health Sector

CISOs probed each other for what their plans were in a ransomware situation. While the commonly accepted best practice is not to pay, CISOs around the table understood that the amount of money was trivial compared to an EMR system being taken down. One CISO had even researched an investment in bitcoin to have readily available if needed—“although the board shot down that option.”

This is an industry and sector issue, rather than an individual organizational issue and threat, argued Jim Veline, Senior Vice President and CIO of Avera Health. “Once one [organization] pays, we are all more likely to get attacked. It would be worthwhile to run this up the flagpole with our professional associations and generate a position paper that you do not pay. That gives cover and backstop to a CEO and board when faced with a difficult decision. Right now there may be FBI advice, but formal positions are lacking in the relevant professional groups we all participate in.” This suggestion was met with broad agreement from participants around the Summit table, who agreed to have follow-up discussions regarding how to best raise the issue through targeted professional organizations.

Reporting Business Risk: The “So What?” of Metrics

There was little consistency in the types of metrics—the key performance indicators (KPIs) and key risk indicators (KRIs)—reported up to management councils, board committees and executive boards. Summit discussions also pointed to little consistency on the frequency of reporting (some monthly, some quarterly, others annually—depending on the organization, and the body being reported to). However, there was broad agreement on the challenges of collecting actionable, instructive KPI/KRI data.

Shared challenges to developing good-quality, standardized KPIs/KRIs included the need to address these areas of variability: data availability; data consistency; data quality; and reporting thresholds

When it comes to KPIs and KRIs, there is a lack of standards guiding the industry in this field. “Management made investments in security, and we need to show the value of that investment. But how do you best do that with today’s KPI and KRI metrics?” challenged Ascension’s Bontsas. “For example, we can show the increased number of attacks we blocked. Yet, it’s hard to talk about value when we talk about risk avoidance. Was it worth it? What did we avoid? Telling the story of what we avoided can be difficult.”

While the core concern voiced around the table was the overall lack of KPI/KRI standards guiding the cybersecurity field, the key issue that emerged was the actionable nature of metrics: the “so what?” factor.

There are many KPIs “that are important for operations people, but that are not meaningful in terms of making informed decisions about risk. There are also many that are more focused on justifying spend than on risk. The challenge we face is, what is most meaningful?” noted Fernando Blanco, CISO of CHRISTUS Health. “We regularly report on metrics like ‘we did patching X months ago and we hit X percent.’ If we are at 85% or even 95%, is that good or bad? That is what we have to ask as we are collecting metrics both for ourselves and for the purposes of reporting up and out. However, today we lack clear thresholds to make the numbers meaningful.” Summed-up by Banner Health’s Kissinger: “Every metric has to answer the question ‘so what’ to be meaningful from a business-impact perspective.”

“When there is a significant new threat that emerges, at the end of the day the ‘so what’ metrics we need to know are: (a) how quickly can we frame the specific risk to our institution, (b) how exposed we are, and (c) how quickly we can react and get controls in place. These are the metrics that matter most from a business perspective, and we are working now to really shrink the time for that process,” said Emory University’s Sanford.

Common Cybersecurity Metrics Being Tracked

> Encryption

> Vulnerability Management

> Patching

> 2-factor authentication

> Phishing

> Training

> Risk assessment

> CAPs (Corrective Action Plan)

> Old/Outdated legacy systems (cannot be patched)

> Identity & Access Management/Privilege Access Management

> Incidents

> SLA (Service Level Agreements)

> SOC (Security Operations Center)

Key Takeaway: A key action-item from the discussion was to ensure that, no matter what metric was being tracked, it tied back to business risk so that its value could be better understood in the broader context of business impacts. “My metrics today are not all explicitly tied to business risk, but that is what I am going to go back and do,” reported Randy Thompson, MD, CMIO and Interim CIO, Billings Clinic, to the team.

Threats, Risks and Metrics: CISO Insider Insights/Tips From The Trenches

> Collaborate with outside parties/external auditors: “We do both internal and external risk assessments. We have internal auditors that check for risk/cyber risk. Then we hire and have high-tech security firms audit so we have a different set of eyes every year.” (Brenda Williams, Mosaic Life Care)

> Outsourcing and hybrid models: “Our small team couldn’t move at the pace the business needed, so it made sense to outsource rather than hire in. The funnel was too small internally to send all the third-party risk assessments through.” (Lenny Levy, Spectrum Health) Thien Lam, CISO of BayCare Health System, showed the value of outsourced threat detection in real-time to senior management. While everyone was convened, he had his team initiate a ransomware and lock up select machines. His phone rang within 15 minutes, with his vendor reporting the event. “I showed them exactly how fast we can know and react,” Lam reported. Buy-in was achieved in real-time.

> Establishing metrics silos: “We were having difficulty with consistent apples-to-apples metrics. For example, in our vulnerability scanning, in some areas we get comprehensive information on our credentialed scans, and for others (non-credentialed) we get just basic information. These were originally all lumped together in a risk score, but now we are working to silo them out to keep metrics for groups we get full scans on vs. metrics for groups we get partial scans.” (Brad Sanford, Emory University)

> Weighted metrics: Though all metrics may be relevant, not all are equal across business threats. “We have metrics around general cybersecurity hygiene health, and then specific metrics that support measurement of executive level cybersecurity risks of interest to our Audit Committee and executives.” (Erik Decker, University of Chicago Medicine)

> Know your audience: “Be sure to know your audience when reporting out metrics. IT boards and councils are different from senior management, which are different from executive boards. Each is after different information.” (Ken Lawonn, CIO of Sharp HealthCare)

“Keep Us Out of the Papers”—Reporting Metrics and Maturity to Boards

“We don’t get a lot of guidance and direction from the board in terms of what they want to see,” reported one participant, with many heads nodding in agreement.

At Ascension, Bontsas noted, “Board members want the assessment on a scale from 1-10, but the scale keeps changing. Now we may be at a 7, but as soon as we climb to 9, we fall back to 7 as cyber threats continue to evolve and the scale to measure them against changes so quickly. Whatever I report out will change, quickly.” Board members tend to have one key top-level concern, he noted: showing up in the newspapers because of a security event. More heads nodded vigorously in agreement from shared experience.

“We can’t say definitively that this event won’t happen, but we do show what we are doing to prevent that event by focusing on the right things. We report on why we believe we are following the right strategy, and taking the right steps. We show our progress as the threat landscape changes. The board wants a 1-10 measure of assurance, but at the end of the day that is subjective,” Bontsas said.

Tip: Take Advantage of News Headlines to Educate. Bontsas takes advantage of board members’ interest in news headlines about breaches by using that curiosity—and concern—to educate board members. “At most board meetings, I have five to ten minutes to address what I want to talk about, and the rest is questions about what they’ve seen in the headlines [or] read in the Wall Street Journal, and how those threats may impact our organization.” This speaks to the education gap that is there. “I now regard that Q&A as an important educational opportunity. Ultimately, I believe it will build much more value with our board in the future when we discuss how our strategy and controls will help protect our organization against the threats, risks and breaches experienced by other organizations and governments.” Spectrum Health’s Lenny Levy added, “Sharing tangible examples of threats detected and mitigated go a lot further than metrics in resonating with leadership and boards.”

The Challenge of “Subjective-Objective” Cyber Maturity Levels

While CISOs are regularly asked to assess and weight their cybersecurity maturity levels for their boards or management councils, there are many limitations of maturity assessments—which were broadly regarded around the table as helpful, but ultimately subjective.

Kissinger explained how Banner Health tackled that issue: “For each category in our maturity framework, we’ve established for ourselves internally that ‘to be a 5 means this’, and ‘to be a 3 it’s this.’ This is a subjective-objective rating, but we think it’s valuable. It shows where we were, where we are today, and where we want to be. I show that I want to move from here to here. This helps us with audit committee and board level discussions.”

Tip: Build a Dollar Investment/Dollar Value Model to Guide Spending and Funding Determinations: To complement its maturity framework, Spectrum Health created a framework to show the direct dollar value of its cybersecurity initiatives, and to guide future investments. “To better ‘sell’ the cybersecurity programs up through our board, we created a framework to illustrate where we are now, what we are targeting and the dollar impact. We worked with actuarial teams from our health-insurer arm to do the calculating to show business risk, business disruption, direct dollar costs, soft costs and reputational risks. We broke those out,” explained Levy. “We built a model to show that as we went from 2 to 3 to 4 to 5 on the maturity scale, we could show how that impacts the curve. For example, if we fund at X level to Y level, we could show investment and benefits. Of course there were many assumptions built in that were well-documented, but with this model we could overlap maturity ratings on a scale and show where we were, where we wanted to go, how much to get there. We could also show spends and the predicted value of the spend.”

Lengthy questions followed, given the tremendous interest in Spectrum’s model, which Levy has offered to make available (in a desensitized format) to Summit participants and Scottsdale Institute members. CISOs around the table voiced the same desire to get a better handle on not only what an “appropriate” spend is, but how it changes depending on levels of maturity, and how an individual organization spends compared to currently unknown industry benchmarks. While bigger health systems may spend more on cybersecurity than a smaller one spends on total IT, the ratio of spends across maturity levels—and across capital expenditures vs. operating expenditures—is a valuable benchmark to the CISO community.

Tip: Refer to the Gartner Graph (Gartner Best Practices for Moving Up the Information Security Maturity Curve) to see a benchmark graphic of levels of spend to get to different levels of maturity.

“From this we could develop and create guideposts more specific to the healthcare sector. This graph that represents the security investments across industries in terms of percent of IT spends and levels of maturity is a good start,” said Jim Veline, senior vice president and CIO at Avera.

External Consultants and Peer Comparisons in the Maturity Assessment Process

“When it comes to maturity level, we show our board where we are, where industry is, and how and where we are aiming to grow. We report maturity level progress,” said CHRISTUS Health’s Blanco, offering a tip that has helped him drive the credibility of his team’s maturity assessments: “We now hire an independent organization to do the assessment. After all,” Fernando joked, “if I assess myself, I am thinner and taller, so a third-party provides an independent perspective to the board.” Many others in the room reported that their organizations were also employing third parties for purposes of objectivity and for an additional layer of credibility to the board on the results.

“We measure ourselves and measure ourselves again, against the same maturity criteria. This works well comparing against ourselves, but comparing to other organizations is where it all falls apart. There is no benchmark to compare to each other, it is subjective even with tools like the Cybersecurity Framework,” lamented University of Chicago Medicine’s Decker, to broad agreement. Banner Health’s Kissinger agreed that peer comparisons were much needed, but woefully lacking. “It would better help us to know how we compare with one another. We and our boards want to know what we are like compared to our peers in the health sector, and in other industries.”

Yet, there is also potential downside in comparing across sectors, cautioned Avera’s Veline. “We are being held to the same standard as banks. Unfairly. Yet, we in the room are unique because our number one business is patient care. While we could look to banking for benchmarking and maturity comparisons, we have to remember that banks aren’t buying robotic surgery devices or infusion sets.”

Billings Clinic’s Thompson drove home shared concerns about the helpfulness of cross-industry comparisons by reminding fellow CISOs about the task their organizations are all focused on at the end of the day: patient care. There are unique challenges in pitting cybersecurity against patient care when it comes to the allocation of dollars and resources at health systems, he opined. “When you pull money away from patient care to put money into a risk that may or may not happen, who wins? Until the system goes down, that is not always clear to leadership—even when we aim to make the business risks and our security impacts clear. Every FTE that I hire or resource that I request is personnel and dollars not going to patient care. So it’s a challenge and balance.”

Challenge and Balance Of Cybersecurity and IT Alignment

The challenge and balance raised by Thompson also applies to alignment of the cybersecurity function within organization structure and governance. With the increasing visibility of the cybersecurity function and its influence on business risk and impact, many sectors with the same level of complexity of healthcare have moved the cybersecurity function outside of IT. “With large regulated sectors like banking and aerospace, we’ve seen the security function organized more independently than it is in healthcare. Security has its own budget, leadership role and direct feed to the CEO or board. We don’t have that in the healthcare space today, and it’s a notable difference,” noted Bruce Daly, Deloitte’s healthcare digital technology risk leader who co-moderated the Summit. “How many have a security function that has a direct line to the board that could bypass the CIO?” Daly asked. No one responded in the affirmative. This generated a discussion about how to best align cybersecurity and where it could move to in the future.

“We contemplated moving cybersecurity into other places—like reporting to the general counsel or CEO. We ultimately decided that staying under the CIO organization was most helpful in the environment of today, where we need to change many technology elements to bring cybersecurity measures onboard. Once we mature, we can contemplate moving it somewhere else, but for now it is more effective where it is under the CIO,” noted Spectrum Health’s Levy.

Banner Health’s Kissinger said the challenges of appropriate alignment spoke to the “[cybersecurity] row against the [risk] columns.” It is the entire organization “that ultimately owns security and cyber-risk challenges, you need deep teaming with IT to be effective today. So embedding with IT is key.” Avera’s Jim Hanson summed up the discussion by noting that cybersecurity “belongs with the executive that is most effective in moving it forward. We could function in several areas, so the issue is not about ‘where.’ If the executive in charge doesn’t have a sense of the function, then it doesn’t matter where or how we align in organizational governance.”

Better Communications of Business Impact = Earlier Seat at the M&A Table

One of the positive outcomes of better linking cybersecurity to business impact is that it has opened doors for earlier engagement in a key business area notorious for introducing some of the most significant risks and causing the most painful cybersecurity headaches: M&A activity.

“We are noticing nationally a slight but discernable uptick in bringing in security and privacy functions into due diligence for M&A activity,” shared Deloitte’s Daly. Reaction was quick, with many noting there’s much room for growth. Even for those CISOs who are invited to the discussions earlier in the process, many are not convinced that their inputs are carrying weight in decisions.

“I ask a set list of questions I like to ask early and often when it comes to M&A activities,” said Banner Health’s Kissinger. “At the end of the day, I may not have much influence on a deal even if it is introducing considerable new risks. But at the very least, we are looking for pathways to more visibility in what we are inheriting, so we can get ahead of it and start planning on what we need to remediate.”

Mosaic Life Care is “bringing in security and risk teams earlier now, including review of contracts. We are getting ahead of things rather than mitigating the risk after the contract has been signed,” said Brenda Williams, Vice President Technology Services, Mosaic Life Care. “We have introduced it for vendors and we are putting some due diligence in place for acquisitions.”

“We are involved before the ink is set. But our access to it is small. We can only ask minimal things. Leadership doesn’t want to scare a potential partner with a 300 page questionnaire,” one participant shared.

Many opined that even if a review earlier in the process identified clear risk, that likely wouldn’t be enough of a red flag to slow down or stop a deal that served other business needs of the company. Often, being at the M&A table was more informative than influential. Deloitte’s Daly, however, conveyed a real-world instance when cybersecurity assessments made as part of the diligence process brought real value to an M&A deal he had worked on. “The prospective buyer got a better deal because they had identified some of the core vulnerabilities and risks of the organization they were looking to acquire, and they had calculated remuneration estimates to bring that organization’s systems up to speed. They were able to factor this in to an adjusted price. In this way, for smaller-scale acquisitions, early collaboration in the diligence process with security or IT functions can really pay off.”

Driving Third-Party Accountability: Vendor Management and Vendor Risks

Similar to the security concerns that M&A introduces are the risks and challenges associated with vendors. Many at the Summit expressed frustration working with vendors who made them feel like they were the “only ones” asking for certain provisions and protections. Many CISOs are also pulling together and standardizing risks and metrics specific to vendors.

Tip: generate a heat map. “We can’t fully assess every vendor, but we can generate heat maps with a procurement system or accounts payable overlay,” said Emory’s Sanford. CISO teams can take a risk-phased approach with that heat map and focus on highest risk vendors.

Call to Action: Bontsas led a call to action: “As an industry, let’s start choosing only those vendors willing to secure their products.” These can be generated organization by organization, or preferably, created by associations that can share across the healthcare sector. The National Health Information Sharing & Analysis Center (NH-ISAC) and Medical Device Information Sharing and Analysis Initiative (MDISS) were discussed as a good go-to group to develop such a list. MDISS, it was noted, maintains a large repository of devices and their vulnerability issues, which it shares with members.

To get a better handle on risks posed by vendors, many CISOs are pulling together metrics specific to this area and collecting:

> Percent of critical third parties who have not been risk-assessed

> Percent of vendors who have had security incidents since the last reporting period

> Percent with high residual risk

> Percent of third party system accounts that have not been certified in the last 6 months

> Percent of vendors with high-risk findings

> Percent of vendor X that have not been certified

Securing Medical Devices with Stronger Vendor Contracts, Micro-Segmentation

Many of the vendor headaches above spill over to medical devices as well, which is already an area of particular concern and risk as it relates to cybersecurity.

“For years we were told by manufacturers that, because the medical devices were FDA approved, we couldn’t make any changes or they had to be recertified by FDA. So relationship with our vendors was tense. We would scan the network, but not these devices. Or similarly, manufacturers would tell us that we could patch devices, but ‘if you break something, don’t come back to us because it is not the way we configure it. If you patch it, it’s your problem,’” recounted CHRISTUS Health’s Blanco. The FDA has recently made it clear that hospital systems could patch devices and address security aspects, he said, referencing the 2016 “Postmarket Management of Cybersecurity in Medical Devices” guidance to industry from FDA. This led to an around-the-table sharing of other positive experiences leaning on the FDA in related instances, but also to the shared grievances of government punishing businesses for being victimized by cybercrime—which can happen even to the most robust and mature cybersecurity operations.

Call To Action: Consistent Language Across Contracts. Blanco reported he has been in touch with Mayo Clinic’s CISO, who shared the language it uses in its contracts to hold vendors accountable to the 2016 FDA guidance. “If we all incorporate the language in contracts, we have more power together.”

Tips from the trenches/CISO Insider Insights:

Micro-segmentation: Banner Health has been moving to micro-segmentation to secure devices, reported Kissinger. “A lot of security technologies in our server just don’t work in clinical devices. So we are doing segmentation and micro-segmentation. Some clinical devices are on their own network, and then infusion pumps, for example, are on their own sub-network segment so that issues can’t move laterally across groups of devices.”

Separate long-term from short-term: BayCare’s Lam noted that as part of his risk planning, he looked at short-term vs. long-term medical device concerns. “We did risk planning to assess what would happen to these medical devices if we had to take down our network. Believe it or not, 90% of the devices we were most concerned about would still function. We identified the few that need to stay on the network, and those that would be okay if the network was down. That helped us establish long-term and short-term protection for our medical devices.”

Overlay patient risk with cyber risk: CHRISTUS Health is similarly segmenting medical devices by risk, but counseled CISOs not to start with standard patient-safety methodology: “Our first priority when we started this process was infusion pumps and pacemakers, because if these get compromised it has a direct, dangerous impact on patients. What we learned, however, is that these were not the most risky from a cyber point of view. Many did not have wireless capability or were not connected to the network. So these are low-risk from a cyber perspective. We realized we needed to combine patient risk with cyber risk. Now we are reclassifying this risk overlay and identifying new priority devices. We lost a few months on the final deployment based on this risk identification and selection, but now we know how best to deploy,” said Blanco. “I hope I can save you a few months with this advice: don’t start with standard patient-safety methodology, these were not the most high-risk devices in our current inventory.”

Align clinical engineering teams within cybersecurity governance: “We have folks installing medical devices on our network who have no IT experience let alone cybersecurity experience. This has been an ongoing challenge that I’m looking to find ways to fix,” lamented Christie Polley, System Director, IS Information Security, Eastern Maine Healthcare Systems, noting, “Our supply chain currently handles clinical engineering, with little or no visibility on the IT side.” Ascension’s Bontsas concurred that with device installation, engineering teams often leave ports and services open and running that are not necessary. “We need to get in front of the implementation so we can have them shut off ports and services that are not needed.” BayCare’s Lam counseled, “This is something we changed. Clinical engineering now reports to IS and the same CIO. This works really well.” Spectrum’s Levy added, “We will pull help desk or clinical engineering teams and do exercises together in IT to build relationships so that we can speed coordination in a real-time incident.”

Get manufacturers involved: “Over the long term, we have to get the manufacturers on board to work with us,” said Lam, with much agreement from the table. The need for more manufacturer cooperation, particularly for patches for “end of life” devices and equipment, was emphasized. While the enhanced contract language referenced above will help moving forward to hold manufacturers accountable for updates and patches, participants recognized the near-term challenge is the legacy systems in place that have no contract terms to make vendors more accountable.

Work together on standard demands: “We regularly get push back from vendors when they say we are the ‘only ones’ asking for certain protective measures and contract terms. We need the ability to reach out to others so that we can standardize our demands and ‘asks’,” said BayCare’s Lam. Summit participants also planned, as follow-up, to build a better mutual understanding regarding how and when CISOs are reaching out to the FDA.

Cybersecurity Training: It is Everyone’s Business to Protect the Business

Ultimately, it is everybody’s business to protect the business from cybersecurity risks—which spills over to the need for training staff across the organization. Yet, participation in and compliance with training is a frustration shared across CISOs at the Summit. Discussion focused both on the “carrot” and the “stick”—on how CISOs were attempting to make it easier for providers and health system staff to complete training, and how discipline and sanctions were being put in place for those who were non-compliant.

Tips from the trenches/CISO Insider Insights:

Provide context: “We made a two-minute video explaining to new hires the importance of cybersecurity and their role in it. Then they have a mandatory training module to complete online within 15 days of onboarding, but at least with the video they now have the proper context and motivation to complete the training.” (Fernando Blanco, CHRISTUS Health)

Make it real: “Members of my team and I started personally going to senior staff meetings and getting on agendas each quarter. We talk briefly about threats and risks and provide tips. We made cybersecurity more real and personal rather than something that simply emanates from corporate. We’ve gotten great feedback about that.” (Bryan Kissinger, Banner Health)

Set a consistent calendar of training expectations: “We launch interactive educational modules a minimum of 4x year, along with our bi-monthly reminder communications. We struggled at first with pushback on that frequency, but we have taken a stand.” (Christie Polley, EMHS)

Enable, rather than only restrict: “We have tools that we have certified for employees to use, for example, the file-sharing tool box. That way, we weren’t just putting out restrictions to tools like Dropbox and Google Drive, we were also providing an alternative.” (Brad Sanford, Emory University)

Align training to safer computers at home: “Our biggest successes in terms of staff engagement come not from a ‘how to be secure at work’ approach, but from training and communications focused on how to be more secure online at home. People were very motivated when it came to their home computers and emails, and we realized we could offer advice there that can then bleed back over into work.” (Lenny Levy, Spectrum Health)

Be prepared for paradoxes: “We did some internal testing, and what we learned showed a training paradox. Our healthcare division performed much worse in phishing tests but had a nearly 100% completion rate in training; our university staff performed better on the phishing tests, but were much less compliant in training.” (Brad Sanford, Emory University)

With regard to how to discipline or sanction a provider who is adding benefit to the organization from a patient-care perspective, but who hasn’t been compliant with training, CISOs have taken a variety of approaches. Some have made noncompliant providers ineligible for a pay raise. Others reported they have in fact terminated people based on long-term noncompliance. One creative solution being considered is a quarterly report, entered into board minutes, that lists all employees who have completed cybersecurity trainings…and all who have not. The thinking underlying this approach: being named on a noncompliance list will be frightening to providers, and that alone could be motivation to complete training. At the end of the day, CISOs agreed, sanctions and discipline must be set as part of an organizational culture discussion, and must have the buy-in of leadership.

Conclusion: The Tail Will Wag the Dog

Even with its challenges and frustrations, CISOs have come a long way for a role that barely existed in healthcare organizations a decade ago. With the realization that security breaches can derail profits, damage reputations and ultimately hurt patient care, health systems are now moving toward enterprise risk management (ERM). CISOs are well poised to play an active role in that evolution, and in many ways, can be the proverbial tail that wags the dog when it comes to understanding, assessing and managing risks and threats across an organization. After all, that has been a focus we have been pushing up and out on the cyber front for years. With the evolution to ERM, the imperative to understand and articulate risks/threats within the context of business impacts will only increase.

Indeed, our current role as a “row within columns” may in fact be the jumping-off point as we guide health systems through ERM adoption over the next five to 10 years. Our experiences, challenges and frustrations today may in fact be the fodder that guarantees us a seat at the table tomorrow.

Three Myths About Cyber Insurance – Healthcare Informatics

The average cost of a data breach in the U.S. in 2016 increased to $7 million, according to the Ponemon Institute
Click To View Gallery

The drumbeat of cyberattacks grew louder in 2017. The number of U.S. data breach incidents in 2017 hit a new record high of 1,579, according to the Identity Theft Resource Center (ITRC) and CyberScout, a 44.7-percent increase over 2016. And the capper to that record-breaking year was undoubtedly the September announcement by Equifax, a credit reporting agency, that more than 145 million records had been compromised.

Of the five industry sectors that ITRC tracks, the business category topped the list for the third year in a row with 55 percent of the total number of breaches, while the medical/healthcare industry followed in second place with 23.7 percent. Yet most businesses don’t carry cyber insurance. According to The Council of Insurance Agents & Brokers (CIAB), about 31 percent of respondents’ clients purchased some form of cyber liability and/or data breach coverage in the last six months of 2017, compared to 32 percent in its May 2017 survey, and 29 percent in October 2016.

Given the escalating number of attacks and increasing financial costs (the average cost of a data breach in the U.S. in 2016 increased to $7 million, according to the Ponemon Institute), the rate of cyber insurance adoption is somewhat surprising. We believe there are three myths about cyber insurance that are keeping more businesses from adding these policies.

Myth #1: We don’t need cyber insurance

Business leaders at large companies may have a false sense of security because they employ smart people and devote significant resources to security measures such as firewalls and encryption, or they incorrectly believe that they are not liable for data handled by a third-party company or stored in the cloud. But what they often fail to take into account is that cyber criminals also have significant resources and are focused day-in and day-out on finding any crack in a company’s armor.


Components of Strong Cybersecurity Program – A Closer Look at Endpoint Security Best Practices

Endpoint protection remains a core security challenge for many healthcare organizations and it is more important than ever for healthcare organizations to actively manage their full range of…

Meanwhile, small- and medium-sized businesses (SMBs) are often under the very wrong assumption that they are too small to be targets. A survey by Nationwide found that a majority of SMBs (57 percent) do not have a dedicated employee or vendor monitoring cyberattacks, and another 34 percent do not believe they will be the target of an attack.

But, in reality, half of all SMBs in the U.S. experienced a data breach in 2016, and 55 percent experienced a cyberattack, according to the Ponemon Institute. In the aftermath of an incident, SMBs spent an average of $879,582 due to damage or theft of IT assets, based on extrapolated calcula­tions. In addition, disruption to normal operations cost an average of $955,429.

Despite the severe financial consequences, many SMBs do not have the budget and in-house expertise to protect their systems and networks against potential threats. Only 14 percent of small companies rated their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective, according to Ponemon.

Myth #2: We already have coverage

Another major reason that companies choose not to investigate cyber insurance is that they believe they are already covered under the general liability policy, and they are often unclear about stand-alone cyber insurance options.

According to the Insurance Information Institute, most traditional commercial general liability policies do not cover cyber risks, such as property damage, personal and advertising injury claims arising from access or disclosure of confidential information. Since traditional insurance policies do not cover these risks, insurers have developed policies to bridge the gaps. Typical cyber-related coverages can include:

Data breach response and liability: Covers the expenses and legal liability that arise from a data breach.

Computer attack: Covers damage to data and systems caused by a computer attack, such as a virus or other malware attack or denial-of-service attack.

Network security liability: Provides defense and liability coverage for third-party lawsuits alleging damage due to the insured inadequately securing its computer system.

Media liability: Covers defense costs and damages for claims asserting copyright infringement and negligent publication of media while publishing content online and via social media channels.

Funds transfer fraud: Covers losses from the transfer of funds as a result of fraudulent instructions from a person purporting to be a vendor, client or authorized employee.

Cyber extortion: Covers the “settlement” of an extortion threat against a company’s network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers.

Myth #3: Coverage is not affordable

Another myth surrounding cyber insurance is that it’s not affordable. According to The Insurance Information Institute, premiums can range from a few thousand dollars for base coverage for small businesses (less than $10 million in revenue) to several hundred thousand dollars for major corpora­tions looking for comprehensive coverage.

As part of the application process, some insurers offer an online and/or on-site security assessment free of charge regardless of whether the applicant purchases the coverage. This assessment is critical since cyber insurance is hardly a one-size-fits all type coverage. Different industry sectors represent different levels of exposure. For example, a small convenience store is a relatively low hazard compared to a medical doctor’s office. In addition to a simplified limit and deductible structure, different credits may apply if certain security procedures are in place, such as employee training.

Ironically, given the concern about price, it should be noted that cyber insurance prices have actually been declining. According to the CIAB, 62 percent of respondents said premium prices generally decreased over the last six months of 2017. And, according to Marsh, U.S. cyber insurance rates decreased 1.1 percent, on average, in the third quarter of 2017, the third straight quarter of decline.

Cybersecurity risks can seem very intangible, especially compared to risks such as fire, flood and bodily injury, but thousands of companies have already found that these risks can suddenly become all too real. Given the pace of cyberattacks and their financial repercussions, businesses of all sizes should ignore the myths around cybersecurity and seriously consider adding this coverage to protect operations.

Daniel Casey is president and CEO of Peoples United Insurance Agency, one of the largest regional brokers in the Northeast with over 160 professionals and $400 million in premiums.