Lawrence Eta, the city of Toronto’s deputy CIO of five months, would be the first to say that the private sector – which he came from – greatly differs from the public sector he recently joined.
However, in an address this week to infosec pros at a cyber security forum run by the Information Technology Association of Canada (ITAC), he also suggested the two sectors have a lot in common.
“Public trust is the business we’re in,” he said, a statement not unlike what the CEOs or CISOs of some publicly traded companies might say.
“The public demands are very clear to us, and that’s through the democratic process. I see it in terms of cyber security as the assets of our environment – both the technical assets, the assets of our data and the ability to demonstrate to the public and our leaders that trust is very important to us.”
Accountability and transparency are a public sector mantra, he said, “but it’s balancing those components with not being the information technology [department] of ‘no.’” Instead, he wants his team to be a partner with city staff and say, ‘We understand you need to deliver the services. Here are the risks.’
If the public sector doesn’t continue to modernize how it delivers services, voters and political leaders will question its relevance, he said. Infosec leaders therefore need to bring security awareness to bureaucrats so that it becomes ingrained in staff.
Eta and his staff of 305 are responsible for the IT infrastructure that serves Canada’s largest city and its 30,000 employees. That includes 7,000 network facilities, 3 data centers and 10,000 devices.
Until now the city’s IT culture has been what he called an “on-premise-driven infrastructure.” However, he added, “there’s a yearning to deliver scalable systems” from the cloud to respond to taxpayers faster. At the same time, those taxpayers want their personal data protected.
Eta made it clear he’s looking to partner with vendors and private sector cloud providers, particularly those with security expertise. “I’m taking the view we can’t do it all, but what we can do is find the right partner through a procurement process that can help us be experts, and then we can do due diligence in those partner services.”
SaaS, IaaS and PaaS “are great opportunities where my team don’t need to be the roadblocks but be the enablers in terms of how we pilot and test some of these services,” he said.
But he also said he follows the RACI model of management and decision-making (knowing who is responsible and accountable, and who should be consulted and informed on risk).
Among the security-related initiatives going on now at city hall are discussions on a security awareness program and data classification, he said. On the latter, he said that “security champions” can help. “We in security shouldn’t be imposing policies, but be consulted in terms of how we can classify data in terms of threat and risk.”
From potential municipal partners he wants to hear about their approach to cyber security, the services they deliver, the way they are going to help the online user experience, their ability to scale and be agile.