Cybersecurity fixes 'incomplete' 4 years later, city auditor finds - Action News
Home WebMail Tuesday, November 26, 2024, 04:46 AM | Calgary | -17.0°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Ottawa

Cybersecurity fixes 'incomplete' 4 years later, city auditor finds

City councillors were baffledto learn Wednesday that none of the eightrecommendations in a damning auditor's reporton how Ottawa manages its cybersecurityhas been acted upon, four years later.

Ken Hughes was following up on IT security audits completed in 2015

'Serious' issues with city's IT management remain, auditor says

5 years ago
Duration 1:13
According to Auditor General Ken Hughes, none of the security recommendations from a 2015 audit have been implemented, while the turnover in role of chief information officer (CIO) job is high.

City councillors were baffled to learn Wednesday that none of the eight recommendations in a damning auditor's report on how Ottawa manages its cybersecurity has been acted upon, four years later.

Auditor General Ken Hughesand his team were followingupon a trio of 2015 audits into the city'sIT leadership, how the department manages riskand how ithandles critical incidents but weren't able to closethe files.

Ahacker can take ...minutes to breach our system, yet we're still working on this four years later. I think that this is unacceptable.- Coun. Carol Anne Meehan

"There are some issues that remain incomplete that are, in our view, serious," saidHughes.

Councillors were briefed on the most sensitive matters how the city responds toIT security threats, for example behind closed doors.

Those earlier audits found thecity had"low maturity" when it came to understanding IT security risks, and often gave people without technical expertise responsibilityfor identifying technological risks.

This image appeared on the main page of the City of Ottawa's website after it was hacked in November 2014. (CBC)

'Why is it taking so long to do this?'

Coun. Jenna Sudds, who used to represent technology companies in Kanata North, noted IT risks have changeddramatically since 2015, and wanted assurancesthe city is keeping pace.

Other councillors wondered why it's taken so long to address the issues.

"Why is it taking solong to do this? I mean a hacker can take ...minutes to breach our system, yet we're still working on this four years later. I think that this is unacceptable," Coun. Carol Anne Meehan said.

City staff said they've implementedbetter training, put new processes in place, and now have a bigger budget since the first report.

"A lot of work has been done," said acting chief information officer Sandro Carlucci, who promisedto fulfil the rest of the recommendations by the end of the year.

Kanata North Coun. Jenna Sudds says she understands it can be difficult to keep IT talent from leaving for the private sector, but says the city needs to 'put our money where our mouth is.' (Laura Osman/CBC)

CIO job still a revolving door

Meanwhile, the city is once again without a permanent IT leader to manage those risks. Seven people have held the chief information officer role at the City of Ottawa since 2012.

If we believe that cybersecurity is a priority, if we believe that service innovation is a priority, we need to put our money where our mouth is.- Coun. Jenna Sudds

"Other municipalities have not seen the same turnover. That's what makes it so striking here, and that's why we raise it," Hughes cautioned.

For example, Saad Bashir, who was CIO for 26 months, left recently to take a similar jobin Seattle.

But treasurer Marian Simulik, who is responsible for corporate services, noted turnover in top technology jobs is common.

"The City of Ottawa, by comparison, doesn't pay perhaps as well as private sector does. I'm certain Mr. Bashiris making a heck of a lot more money in Seattle than he was here. It's hard for us to keep them in place," she said.

Sudds suggested following the City of Boston's model, where one manager is responsible for IT security and another for improving the way it delivers online services for residents.

"I come from this world, in a past life, I understand it's a very unique skill set. The ability to pay istough in this setting. However,I believe it is a very, very critical role in our city," Sudds said.

"If we believe that cybersecurity is a priority, if we believe that service innovation is a priority, we need to put our money where our mouth is."