Government falls down on security

If the Canadian government can’t get a handle on its own IT security issues, then there may not be much hope for the rest of us.

In mid-February, Canada’s auditor general gave a failing grade to federal efforts so far in adhering to the government’s own minimum standards for IT security. Sheila Fraser was blunt, suggesting this shortfall in effort is simply “unsatisfactory.” How many other Canadian enterprises can relate to the plight of the government?

The truth is that few companies measure up to a sound approach in minimizing the risk to which the business may be exposed. Yes, it’s disarming to realize that even the Canadian government can’t get it right, but the situation points to a couple of extremely difficult but pretty familiar hurdles.

Like many Canadian businesses, the government can’t get a grip on the scope and magnitude of its IT security challenges. Failure is seen in the government’s inability to specifically point to what areas of vulnerability exist within IT or to fully comprehend the implications, consequences and costs of security breaches.

Many of the reasons for the government’s security failure are familiar to most enterprise IT and business folks: not enough money, not enough people, and a discernible lack of interest in IT security by senior government management.

That’s disappointing. The Canadian government can’t be falling short in an area that’s critical to the public interest and future key government initiatives, let alone doing the responsible thing. Government should be getting it right because the highly sensitive nature of data collected by government demands that it be safe — to ensure citizens remain trustful and confident in their government.

And given where the government wants to go — enabling more “e-government” — there’s not much hope this vision can ever be realized if security can’t be wrestled to the ground. You’d also expect government to be the evangelists of IT security — that the government would hold itself to a much higher standard in mitigating IT risk. There’s a desperate need for the feds to get their own IT house in order. The business case in the form of e-government is there, and the consequences in the loss of confidence by Canadian citizens in their government’s ability to protect them should be intolerable.