If front line personnel are behind the curve on IT security, does the blame lie with … senior management?
In many Canadian governments, the responsibility for awareness training on IT security is so diffused throughout the bureaucracy as to be meaningless. Certainly at the federal level, as the Auditor General’s report from February 2005 makes clear, IT security messages are still not moving up the organizational chart: “We are concerned that, in many departments and agencies, senior management is not aware of the IT security risks and does not understand how breaches of IT security could affect operations and the credibility of the government.”
IT security company Elytra Enterprises has stopped trying to promote awareness training for senior management in the public sector because, said president Randy Sutton, there was no return. “You try to get a director-general to sit down for half an hour to listen to a little speech about security awareness,” he said. “It’s practically impossible to corner these guys.”
Hugh Ellis, president of IT security consultant Cinnabar Networks, said too many senior executives regard IT security and awareness training as insurance. “And the whole idea of buying insurance is to drive that cost as low as possible.”
Ellis said he tries to move clients away from the insurance metaphor to a comparison with building codes: Work up to an acceptable and appropriate standard of safety rather than down to a lower cost.
To institutionalize accountability, Manitoba has centralized responsibility for IT security within the Information Protection Centre (IPC), where director Patrick Hoger manages awareness training as a single program. “Telling 17 ministries to each do an education program can be very costly and ineffective,” he said.
Before designing that single program, Hoger said, IPC staff did a comprehensive stakeholder analysis. “Who are the people we want to talk to from a training perspective? What kind of messages we want to give those people, because there are different messages for different people.”
Contractors get a different message than typical staff members, he said, while management needs to know what training staff will receive. Technical people pose a different risk and a different challenge. “You have to treat them differently. You’re not going to start a discussion on ‘what is a virus’ to a technical person.”
BUILDING THE BUDGETS
The Manitoba IPC security group has a separate line item in its budget for Education and Awareness for Training, to develop course material and training guides and to fund the courses. However, staff time for training remains under the control of client departments.
“One of the key things that I have to get across when talking about budgets for security awareness training is the cost of not doing it,” Hoger said. “The problem is, if you’re not doing it, every incident has a meter that runs. The network is down because of a virus, or the disclosure of sensitive information.” In the end, Hoger said, awareness programs need buy-in from senior government officials. “If you are going to ask all their staff to come to training sessions, or ask them to take training materials, that is going to take staff time.”
UP THE LINE
There are indications that IT security awareness will be moving up the chain of command, at least in Ottawa. Helen McDonald, the federal acting Chief Information Officer, recently acknowledged the importance of top-down leadership before a parliamentary committee looking into the Auditor General’s February report. Among other things, McDonald said, “at the senior levels, we need to promote awareness of the importance of IT. Perhaps my optimism comes because I think every deputy minister in town is concerned about continuity of operations and is conscious of the fact that so much of what we do is now on IT systems.”
However, committee member Walt Lastewka questioned the value of friendly persuasion: “What forceful hammer do you have over them to make sure it’s done? You can’t use persuasion on this; it’s too serious. What mechanism do you use to make sure that come October, when we’ve asked you to come back, it’s done?”
Replied McDonald, “We have been thinking about whether a score card would also be helpful in showing deputies where they rank relative to other departments, as a way of trying to provoke more rapid action among perhaps the more laggard.”
Off Parliament Hill, however, the importance of awareness is almost a cliché