Cybersecurity fixes 'incomplete' 4 years later, city auditor finds
Ken Hughes was following up on IT security audits completed in 2015
City councillors were baffled to learn Wednesday that none of the eight recommendations in a damning auditor's report on how Ottawa manages its cybersecurity has been acted upon, four years later.
Auditor General Ken Hughes and his team were following up on a trio of 2015 audits into the city's IT leadership, how the department manages risk and how it handles critical incidents — but weren't able to close the files.
"There are some issues that remain incomplete that are, in our view, serious," said Hughes.
Councillors were briefed on the most sensitive matters — how the city responds to IT security threats, for example — behind closed doors.
Those earlier audits found the city had "low maturity" when it came to understanding IT security risks, and often gave people without technical expertise responsibility for identifying technological risks.
'Why is it taking so long to do this?'
Coun. Jenna Sudds, who used to represent technology companies in Kanata North, noted IT risks have changed dramatically since 2015, and wanted assurances the city is keeping pace.
Other councillors wondered why it's taken so long to address the issues.
"Why is it taking so long to do this? I mean a hacker can take ... minutes to breach our system, yet we're still working on this four years later. I think that this is unacceptable," Coun. Carol Anne Meehan said.
City staff said they've implemented better training, put new processes in place, and now have a bigger budget since the first report.
"A lot of work has been done," said acting chief information officer Sandro Carlucci, who promised to fulfil the rest of the recommendations by the end of the year.
CIO job still a revolving door
Meanwhile, the city is once again without a permanent IT leader to manage those risks. Seven people have held the chief information officer role at the City of Ottawa since 2012.
"Other municipalities have not seen the same turnover. That's what makes it so striking here, and that's why we raise it," Hughes cautioned.
For example, Saad Bashir, who was CIO for 26 months, left recently to take a similar job in Seattle.
But treasurer Marian Simulik, who is responsible for corporate services, noted turnover in top technology jobs is common.
"The City of Ottawa, by comparison, doesn't pay perhaps as well as private sector does. I'm certain Mr. Bashir is making a heck of a lot more money in Seattle than he was here. It's hard for us to keep them in place," she said.
Sudds suggested following the City of Boston's model, where one manager is responsible for IT security and another for improving the way it delivers online services for residents.
"I come from this world, in a past life, I understand it's a very unique skill set. The ability to pay is tough in this setting. However, I believe it is a very, very critical role in our city," Sudds said.
"If we believe that cybersecurity is a priority, if we believe that service innovation is a priority, we need to put our money where our mouth is."