He was like a shadow guest at our recent Technicity conference — mentioned by nearly everyone, cited as a source of great concern and potential danger to all manner of organizations across Toronto and beyond.
No, not Rob Ford — Edward Snowden.
While the ongoing legal investigation of Toronto’s mayor has made headlines (and punchlines) around the world, the revelation of public sector surveillance by Snowden summer made Technicity’s cyber-security theme particularly relevant to the CIOs and other officials who attended the conference.
For Rob Meikle, who joined the city as CIO about a year ago, worries about secretive online spying come at a time when he has been more focused on an almost polar opposite activity: bringing more information to the public in ways they can use for their own benefit.
“Part of our governance mandate from mayor and members of council is to be a more open and transparent government,” he said during a panel discussion at Technicity. “In essence, it’s about connecting them more to citizens, to visitors, to drive innovation in the way they deliver services. This has brought some fundamental transformation in our government.”
Toronto’s open data initiative, for example, began almost five years ago and has evolved into a comprehensive portal of data sets that have been continuously updated. Recent releases include councillors’ constituency services and office expense reporting, council and standing committee meeting statistics, and a set of summary tables titled “How does the city grow?”
Although taking information available through the Freedom of Information Act and making it public in readable forms is a way to foster innovation, Meikle said it also represents an area of considerable risk.
“When the purpose of a thing is unknown, abuse is inevitable,” he said flatly. “We’re driving towards open data, but we’re also focused on being responsible and proactive to monitor that (the data) is being used in a positive way. It means we have to look at all our policies and practices and ensure that this conglomerate of services work together to deliver service excellence, and not just examine them from an organizational boundary perspective.”
If Toronto’s biggest threats are outside users, most enterprises are increasingly grappling with internal threats, said Daniel Tobok, managing director of digital forensics at Telus Security Solutions.
“In the old days, we all used to barricade ourselves with all kinds of firewalls,” he said, adding that risks from employees are beginning to outweigh those from hackers or botnets. “If you really look at the scales over the past eight years . . . we are now at 50/50 (in terms of internal/external risk), and within 10 years we’ll probably be 80/20 the other way. It’s more real than everybody thinks. It’s not something out of Mission:Impossible 5.”
The ongoing challenge for both public or private sector CIOs, however, is that boards need to take greater leadership around the investment necessary to protect against the myriad threats facing their IT systems. Despite years of working harder to align themselves with business strategies, this is where technology executives can fall short, said Kevvie Fowler, a partner in forensic advisory services at KPMG.
“There’s been a failure to communicate threats in a way that the C-suite would understand,” he said.
Not everyone agrees. Greg Thompson, vice-president of enterprise security services and deputy chief information security officer at Scotiabank, said education around cyber-security is a two-way street.
“Boards in general have a fiduciary responsibility to understand risk,” he pointed out. “My board has no trouble speaking the language of financial risk, whether it’s liquidity and so on. We don’t necessarily have to dumb the message down, but educate them. Too often CIOs are asked to provide a concise message where, in the process, we lose the message.”
In some sectors, a focus on privacy can help bring IT security higher up on the corporate agenda. That’s the case with Jeff Curtis, chief privacy officer at Sunnybrook Hospital. Curtis said his job, which came out of legislative changes like PHIPPA, is ever-evolving, but IT security is increasingly seen as an important element in keeping patient data under wraps. That’s why the hospital has been establishing a formal framework for technology decision-making.
“As much as we’ve done very well to implement enterprise risk management in the hospital, we need to introduce IT governance as well,” he said. “That’s starting to pay off because it raises the awareness all the way up to the board in terms of how important the data function is, the mission criticality of the information. This is not a new thing for many other sectors, but health-care is playing a catch-up game in this area.”
Even with the best IT governance, though, expressing what the organization’s risk posture is no easy task, Curtis added.
“It’s not enough even then to just tell it like it is,” he said.k “You have to repeat the message and it has to be integrated in the management function in the hospital.”
Striking that balance between policy and risk has never been more important, Tobok said.
“The companies and the CIOs that are ahead of the game are there because they have the experience to understand the impact to the business or they have been in a (security-related) situation before,” he said.
Even for experienced IT leaders, though, cybersecurity is more complicated now because of the range of systems that are automated. It’s far beyond ordinary desktops and data centres, speakers at Techncity told the audience.
“We’re creating a very highly integrated technology web where even technology is not clearly defined,” said Meikle, citing things like SCADA systems or technology on fire trucks as examples of emerging areas of risk. “We have to ensure not only how to protect those assets but understand what those assets are. With traditional security, it was about creating a perimeter. We’ve had to shift to adopt to the trends that are existing in the organization — mobility and other technology that’s being developed.”
These were the takeaways from Technicity 2013: That internal and external threats are increasing even as organizations are trying to be more transparent and collaborative with data; that the education and involvement of boards is mission-critical for CIOs, and that mobility and the consumerisation of IT will only expand the perimeter further. There are no easy answers, of course, but for most attendees the value is in recognizing the dangers early on. Meikle may have summed this up best.
“We’re experiencing is a growing complexity in an ecosystem of technology and data,” he said. “It’s a question of doing our best not to be reactive.”