The poor state of cyber security of some Ontario school boards, child welfare agencies, municipalities and hospitals worries the head of the province’s expert panel that just assessed the state of the wider public sector.
“Some townships, smaller municipalities are really struggling,” Robert Wong, former chief information officer (CIO) of Toronto Hydro and currently a board member of the Independent Electricity System Operator of Ontario, said in an interview. He is particularly concerned about the smaller institutions and their smaller financial and personnel resources.
“Usually when an organization is called a ‘critical mass,’ it has a ‘dedicated few’ [IT] resources,” he said. “But from what I’ve gathered, there are some that still aren’t … They might have a person who’s a ‘wizard of all trades,’ and running IT and cyber among other duties as required.”
His committee’s report was presented to the province several months ago, but was not publicly released until last month, due to a provincial election in the summer and the appointment of a new minister of public and business service delivery.
Among other things, it concluded that there has been “systemic under-investment in both legacy technology replacement and cyber security” in the broader public sector (BPS).
One of the report’s recommendations is that regions within Ontario’s BPS should be encouraged to move to a shared security service model. As an example, the report cites the Canadian shared security operations center for universities and colleges across the country.
The report also states that some institutions are experimenting with creating Regional Security Operations Centers (RSOCs). Ontario Health has established six RSOC pilots as well as regional governance mechanisms.
A key recommendation is that the province create a single body to oversee, advise and demand accountability for cyber security across the wider public service. It will augment current governance structures responsible for sector-specific cyber security risks.
Wong cites as an example the Ontario Energy Board’s power to compel electric utilities to file annual reports saying they are aware of their cyber security risks and have plans to address known gaps. They will also have to file a data breach report to the agency.
It may seem daunting to have one body to oversee the different types of organizations, but the report also recommends that all BPS organizations in Ontario adopt a common cyber security risk operating model for continuous improvement, based on the National Institute of Standards and Technology (NIST) Cyber Security Framework.
The report states that shared resources such as policies, standards, controls and self-assessment tools will promote a common language and understanding of cyber risk across the BPS.
The report says Ontario should also establish a shared resource or contracting vehicle to conduct or independently validate risk and control assessments at regular intervals, as part of a cyber security risk management framework.
Another recommendation is that the province examine options for BPS organizations to establish a self-funded cyber insurance program to support the delivery of services such as breach coaching, incident response and recovery.
Asked for comment last week, Services Delivery Minister Kaleed Rasheed said his department was “proud of the expert panel’s work and has accepted the recommendations outlined in the final report.” However, no time frame was given for implementing the recommendations. “Work is underway to assess and implement measures that will improve and strengthen the province’s cyber security ecosystem,” the statement said.
At the recently concluded annual InfoSec conference of the Municipal Information Systems Association of Ontario, the province’s CISO said the report will aid in the creation of Ontario’s four-year strategic cyber security plan.
While the panel found several problems, the biggest for Wong is a lack of governance — meaning leadership from the top of each organization. This is one of the reasons why he says that simply giving more money to the BPS is not the solution. “If this [cybersecurity] is important enough for an organization, you would allocate a fair share of your budget to it,” he said.
While having the resources is important, “I think the bigger problem I tried to highlight in the report is the governance issue,” Wong said. “In many organizations that are far and wide, to what extent are key decision-makers familiar with and knowledgeable about cyber security risk? Have they conducted a formal, effective assessment of that risk, and have the resources and resources to manage and control that risk efforts? To me, it’s the key decision makers, whether they’re board members, school board trustees, or council members in municipalities. decisions around priorities, they are the ones who should ultimately be held accountable. Ignorance is not a defense. That’s the biggest focus for me. It’s the organizations that get it, the people at the top that get it. And who don’t.”
To move this forward, the report recommends the province mandate that each organization in the BPS appoint a senior officer responsible for cyber security. The report explains, “Establishing responsible individuals will create clear expectations and promote informed executives.”
The province should also maintain a consolidated list of cybersecurity stakeholders in the BPS, the report said, including an official index of each organization’s senior cybersecurity official, updated annually. The goal is to help manage key stakeholders and foster relationships among the BPS community.
The panel found that communication between BPS organizations is extremely limited, hindering their ability to share cyber knowledge. They recommend the province create a simplified structure that fosters active communication and collaboration of resources between BPS and key government stakeholders. It should also create a unified critical information-sharing protocol to ensure rapid communication of cyber incidents, threat intelligence and vulnerabilities among BPS organizations.
The report also urges the government to include cyber security training in the curriculum up to grade 12, following Saskatchewan’s lead. The Ministry of Education already has a K-12 Cybersecurity Strategy pilot program. In addition, it recommends that Ontario develop basic cyber security training and education for all post-secondary students.
Wong expects the province to prepare and release an implementation plan for the recommendations soon. “I hope the implementation plan is well thought out and it is well structured and co-ordinated. Doing so will be a huge challenge,” he admits.
“I do not want organizations to wait till the government comes out with a plan. There are things they can do now.”
When an unnamed organization learned that one of their leaders was a member of the expert panel, Wong said, they suddenly had “more support and traction” on cybersecurity than before. “I think having an awareness of the importance and seriousness of this issue is what helps organizations get out of their ruts and get things done.”