City creates IT position to battle cyber threats
A top-level tech buff will be in charge of protecting the City of Ottawa against hackers and scammers in a new position created by the municipal government as it tries to bolster confidence in its cyber defences.
The city is on the hunt for its first chief information security and digital risk officer who will be responsible for building an information technology (IT) risk management program.
There have been high-profile attacks on staff and systems.
IT falls under a new city portfolio called the innovative client services department, which is a catch-all of corporate branches.
Valerie Turner, who joined the city last August, was previously a vice-president of IT at MD Financial Management. She has also held senior tech roles at the University of Ottawa, including chief technology officer and associate chief information officer.
Turner wasn’t available for an interview Monday, but in a written response sent through the communications department, she said the new security manager will report directly to her.
The manager’s role “will enhance the city’s security practices by helping senior management stay informed on the ever-changing cybersecurity landscape,” Turner said.
The creation of the position represents a “maturation” of the city’s security protocols, she said.
The salary range for the new position, based on a 2019 pay scale, is between $153,830 and $194,540.
The City of Toronto in 2019 also created the position of chief information security officer to oversee cyber risks.
In Ottawa, city hall’s ability to protect itself against cyber attacks has been called into question a few times since an unsophisticated attack in 2014, when someone managed to point the city’s website address to a webpage showing a dancing banana.
In a subsequent audit of IT risk management, the auditor general challenged the city to review the governance structure for IT-related risks and make sure necessary policies and procedures are in place to identify and address dangers. That 2015 audit had some troubling findings.
The AG discovered the municipal workforce didn’t have a great handle on IT risks and that the city didn’t have the capacity to manage risks. It wasn’t even clear to the AG that IT risks were being properly identified and communicated up the management chain, leading him to declare the city as largely having a “low maturity level” for IT risk management.
When the AG in 2018 checked the city’s progress on the audit’s eight recommendations, he found that none had been completed, but seven had been partially completed. The city’s IT department in 2019 was still working toward completing all the work in the audit recommendations.
An AG investigation into an email scam, which tricked the former city treasurer into sending nearly US$100,000 to a fraudster in 2018, determined that the city needs to pay better attention to teaching employees about technology security, particularly when it comes to fraud awareness.
The city did a “phishing” test of municipal public servants in January 2018 to see what they do when a suspicious email arrives in their inboxes. These kinds of tests are designed to gauge how employees react when they’re the subjects of email attacks. The 2018 test resulted in a failure rate of 26.5 per cent, compared to an industry average of 15 per cent.
The AG investigation related to the email scam prompted several actions by management, including starting mandatory cyber-awareness training for employees.
Meanwhile, the city is still looking for a permanent chief information officer, which is the top IT job at city hall. Sandro Carlucci has been the acting CIO for about a year.
Turner said the city’s priority is hiring a chief information security and digital risk officer before considering the CIO.