The idea behind GovSym, a special one-day conference produced by IT World Canada in partnership with Symantec that was held in Ottawa today, was to cover the critical issues in IT security, cyber-crime and risk management, which was a pretty tall order. Overall I think we had some great discussion on the broad strokes of implementing policies and programs. Where we needed more time, I think, was on the nitty-gritty, because that’s where these people really live.
I heard a number of speakers, for example, point out the reasonable piece of advice that you can’t really set up IT security practices or a risk management framework unless you know what it is you’re protecting. The first step offered to GovSym attendees was to do a sort of inventory check to see what kind of information resides where, what level of exposure it has and what level of “risk appetite” you have around that information. For example, depending on how important the data is, it may be necessary to terminate a certain kind of activity. It may be necessary to transfer the threat somehow, to treat it or to simply accept it.
What I didn’t hear was detail around how you begin this exercise, and what’s involved. I would imagine that in many public sector organizations, it would require the kind of fact-finding that takes people away from a lot of their day-to-day duties. I could see the need for expensive consultants and third parties. There might need to be committees formed to sort out the existing processes and procedures around the information. And that’s all before you start to look at changing the way this information is protected. What kind of time commitment is involved, and how on earth do you manage that without disrupting existing service delivery?
For all the talk about programs and frameworks, meanwhile, we didn’t focus as closely as we perhaps should have on the naysayers – the people who push back on security issues or (even worse) silently circumvent the rules when nobody’s looking. Despite asking a number of GovSym presenters, the best answer I got is that it’s not easy. And maybe that’s the best we can offer at this point.
Even Symantec, which has deep resources around threat detection and prevention research, would admit that it is dependent on governments to report their security issues, and there is undoubtedly a lot that never gets told. GovSym, however, was filled with shared experiences and anecdotes that illuminated both the gaps the government has around risk management and some of its progress. This year was a kick-off to a deeper conversation that needs to be as honest, and as thorough, as possible.