Cybersecurity fixes 'incomplete' 4 years later, city auditor finds

City councillors were baffled to learn Wednesday that none of the eight recommendations in a damning auditor's report on how Ottawa manages its cybersecurity has been acted upon, four years later.

Ken Hughes was following up on IT security audits completed in 2015

According to Auditor General Ken Hughes, none of the security recommendations from a 2015 audit have been implemented, while turnover in the chief information officer (CIO) role is high.

Auditor General Ken Hughes and his team were following up on a trio of 2015 audits into the city's IT leadership, how the department manages risk and how it handles critical incidents — but weren't able to close the files.

"There are some issues that remain incomplete that are, in our view, serious," said Hughes.

Councillors were briefed on the most sensitive matters — how the city responds to IT security threats, for example — behind closed doors.

Those earlier audits found the city had "low maturity" when it came to understanding IT security risks, and often gave people without technical expertise responsibility for identifying technological risks.

This image appeared on the main page of the City of Ottawa's website after it was hacked in November 2014. (CBC)

'Why is it taking so long to do this?'

Coun. Jenna Sudds, who used to represent technology companies in Kanata North, noted IT risks have changed dramatically since 2015, and wanted assurances the city is keeping pace.

Other councillors wondered why it's taken so long to address the issues.

"Why is it taking so long to do this? I mean a hacker can take ... minutes to breach our system, yet we're still working on this four years later. I think that this is unacceptable," Coun. Carol Anne Meehan said.

City staff said they've implemented better training, put new processes in place, and now have a bigger budget since the first report.

"A lot of work has been done," said acting chief information officer Sandro Carlucci, who promised to fulfil the rest of the recommendations by the end of the year.

Kanata North Coun. Jenna Sudds says she understands it can be difficult to keep IT talent from leaving for the private sector, but says the city needs to 'put our money where our mouth is.' (Laura Osman/CBC)

CIO job still a revolving door

Meanwhile, the city is once again without a permanent IT leader to manage those risks. Seven people have held the chief information officer role at the City of Ottawa since 2012.

"Other municipalities have not seen the same turnover. That's what makes it so striking here, and that's why we raise it," Hughes cautioned.

For example, Saad Bashir, who was CIO for 26 months, left recently to take a similar job in Seattle.

But treasurer Marian Simulik, who is responsible for corporate services, noted turnover in top technology jobs is common.

"The City of Ottawa, by comparison, doesn't pay perhaps as well as private sector does. I'm certain Mr. Bashir is making a heck of a lot more money in Seattle than he was here. It's hard for us to keep them in place," she said.

Sudds suggested following the City of Boston's model, where one manager is responsible for IT security and another for improving the way it delivers online services for residents.

"I come from this world, in a past life, I understand it's a very unique skill set. The ability to pay is tough in this setting. However, I believe it is a very, very critical role in our city," Sudds said.

"If we believe that cybersecurity is a priority, if we believe that service innovation is a priority, we need to put our money where our mouth is."

    About the Author

    Kate Porter


    Kate Porter covers municipal affairs for CBC Ottawa. Over the past 15 years, she has also produced in-depth reports for radio, web and TV, regularly presented the radio news, and covered the arts beat.

