“I actually like audits,” she said. Did I hear that right?
It was about mid-way through this week’s GovSym conference, when I was moderating a session on crisis mitigation, when Denise Ernst, the director of IT security and recoverability at the Canadian Payments Association, admitted she didn’t suffer from the usual conflict one associates with those being subjected to a security or compliance review.
“The thing is, we can’t be aware of everything. We’re not always out there on the ground,” Ernst said. “If they can show us an area where we can improve, that’s terrific.”
So is her attitude. The interesting thing about GovSym this here was how positive many people were. It started with Symantec CEO Enrique Salem’s opening keynote, where he suggested mitigating risk should be a positive discussion. It continued later in the day in the session on policy development and enforcement. I asked Tim Dafoe, the senior IT security advisor for the government of Ontario, about how to ensure that staff adhered to the rules he helps develop.
“In many cases it’s about raising awareness,” he said. “People may not know, but once you tell them, people generally want to do the right thing.”
This got to the heart of this year’s GovSym theme, which was “people are the new perimeter.” People have always been part of the perimeter before, but advances in technology have vastly increased the points of vulnerability along that perimeter, whether it’s a USB stick, an electronic health record, or a Facebook account.
Towards the end of the day, we gathered four of our key speakers back to the front of the room for one more “lightning round” of questions. I ended by picking up on one of the first questions of the day. It came from a gentleman (who I was later told came from the DND) who asked how IT professionals could really improve security because they are dealing with people and, in his words, “you can’t change people’s behaviour.”
I asked our panel whether they agreed. Three of our four didn’t. They thought that with the right education, with clear enough policies and effective monitoring, a culture of security is possible. I don’t think I could have asked for better news to come out of GovSym.