The quest for security: Interview with Mary Carman, CIO Industry Canada

Audio of interview with Mary Carman. File type: mp3. File size: 3.75 MB. Length: 9.23 minutes

Hello and welcome to another “Voices” interview. I’m Joaquim Menezes, editor of, and our new “voice” today is Mary Carman, CIO of Industry Canada. I spoke to her at the recent Canadian InfoSec Summit held in Ottawa. The Summit is billed as an IP Security Forum for CIOs and Mary Carman was a keynote speaker.

Ms. Carman, in your keynote you described how Industry Canada has effectively won the battle against spam using a Secure Channel Network application. Can you tell us a little more about this solution?

Secure Channel Network is serviced by a consortium called Bell Nexxia and Bell is the principal within that. And there was an anti-virus with a modular anti-spam solution available for Secure Network; and when the Department was looking for a spam solution it realized that was there…and so with some enhancements, it really is a modification of the Bell Brightmail solution. So where I said that Industry Canada instituted a Grey Mail option for our employees…the folder that appears where there’s quarantined mail…it’s not quite sure…then it’s actually called the Brightmail folder. And so, if you’re a Bell Sympatico user then I would assume that you are using a similar if not the exact tool – obviously modified to put on the Secure Network. But it can be modified and enhanced so that things…if you direct mail back that “this is spam, it came through and it’s spam,”…we’ve got folders set up for our staff, so that we can then assist the Bell Nexxia consortium in modifying and enhancing the tool.

So what was the cost of implementing the anti-spam product, and what sort of savings does Industry Canada hope to gain?

Spam was costing the Department $5.5 million a year. The cost of implementing it [the anti-spam product] was not even close to a million.

So what you’re figuring is [that] as a result of the implementation, this is the amount you would be saving in gained productivity, greater efficiency etc.

If the business case were accurate today then we would have avoided $5.5 million in costs to the department, which includes productivity, hardware, network costs…all of the various interventions.

You’ll have been live on the tool for about five months. I’m not sure if you have actually…empirically measured things to find out if you have indeed enhanced your productivity and if you could put a dollar value to that.

We haven’t, but I don’t believe that for the business case we had used an empirical measure. Certainly I can give you an anecdotal account of a colleague who…basically the first half hour of their morning, every morning when they booted up their computer, was to clean spam off their computer prior to the institution of the Secure Channel Network tool. I’m assuming that they did not come in half an hour before business productivity time, but that’s half an hour out of a 7.5-hour day technically that is now available for greater productivity.

And you multiply that by so many employees…

And you multiply that…and clearly not every individual had 60, 80, 120 spam (e-mails) on their machine. But removing the irritation factor or the sense that if this much spam is getting through maybe this isn’t the tool I want to be using, which from an Industry Canada perspective, from a business and commerce need…external and the growth of the industry in Canada, and the fact that that is a preferred channel [for] dealing [with] businesses both with government departments and business to business…the lack of confidence was a serious concern. And we just amplified it inside the department, looking at it through both sides of the looking glass.

Another interesting point you made in your speech related to the internal audit that Industry Canada recently conducted on the status of its security practices and capabilities. What was the context of this audit and what did it accomplish?

Ours was an assessment of vulnerabilities in our system as it was. Clearly whatever was a gaping hole was fixed immediately, and then there are areas that we can further strengthen. From my perspective, it’s analogous to requesting your own internal auditor come in and do an audit and evaluation to allow you to improve your program, your program delivery or your value of business service.

So what I’m interested in is…when you say 3rd Party…did you have a firm like Ernst & Young come in…

We actually had [the] Canadian Security Establishment come in. So I don’t believe they do that for non-government departments. I think it was rather special. And we were not their first.

So can you tell me about some of the recommendations that they made and whether and how they are being implemented?

The assessment made some recommendations on how we could further strengthen actions we had already put in place. And those are no different from any other organization…whether it’s following up on patches – the patch isn’t implemented until it’s fully rolled out – so following through on implementation; on ensuring robustness of passwords; on monitoring change configuration. All of those that clearly we have processes in place and yet they can always be improved upon. And [as] I already mentioned in my talk, looking at remote access devices. They are consistent across areas. But it’s good for someone to come in and tell you that…I suppose you have the traditional issues that you can always improve upon…and I think that would be constant. We’re not going to ever be perfect.

In February this year the Auditor General (AG) released a report commenting on the status of information security practices in various departments – and Industry Canada was one of the Departments actually named in the Auditor General’s report. Was your own internal audit conducted in response to some of the findings in this report?

Two things…The security posture assessment was not done in response to the Auditor General’s [report]. It was done sometime ago…

Was the assessment done prior to the AG’s report being released?

Several of the evaluations were running at the same time, but they were entirely independent and one was not requested because of the other. We requested the Security Posture Assessment as a check. We were quite pleased Industry Canada was noted (by the AG report) as being…quite in compliance. The government security policy is relatively new, it has changed as it has gone through…and clearly as policy changes, then departments need time to become compliant; and there are many ways to be compliant. We believe that we are on a good, strong path to full compliance but it doesn’t happen overnight. And I think the AG report takes recognition of that. And as the policies change, then we react to them. And I would expect that the government security policy won’t remain static either. Same as the MITS (Management of Information Technology). There is now a drive within the government to look at how to become MITS compliant.

I remember at the time the [AG] report was announced there were people within government and outside government that were asked to comment. And one comment I found fairly interesting was from Paul Rummell, former Treasury Board CIO…and I think he’s currently with EDS. One of the things he said is that the government would continue to be challenged by IT security until there’s a central authority that’s established. Because right now – at least as far as policy and operations