OTTAWA — There’s a modern-day retelling of the tortoise and the hare going on between business and government in the race to address security and privacy concerns.
At least, that’s what one industry expert suggested Wednesday during the second and final day of the Cyber-Sabotage 2002 Internet crime symposium at the Westin Hotel.
Presenter Peter Hope-Tindall, an executive with Oakville, Ont.-based dataPrivacy Partners Ltd., predicted that big business is positioning itself to win the race. He says that while the federal government has taken some initiative on privacy in the past, it has slipped into reactive mode and tends to move on the issue only when a privacy commissioner or treasury board demands it. While he says some provincial governments like Ontario tend to fare better — its privacy commissioner, Ann Cavoukian, has written high-profile books and does the lecture circuit — they can stall on privacy issues, too.
Hope-Tindall said he approached that province’s Ministry of Health a couple years ago with a plan to make health cards completely anonymous to all but the card owner, but the plan was greeted with skepticism. The project never moved forward.
In contrast, “on the business side, (many) companies are afraid of looking bad to the public,” said Hope-Tindall after his presentation. “They want to prove they are good information stewards to their customers. So you can expect business to win the race, once we start to run it.”
Those out of the starting gate include the Bank of Montreal Group of Companies, which its executives said has become much more proactive on security-related risk management.
The reason? The bank feels it could lose ground — and customer trust — to its major competitors if it doesn’t do anything, even though it could be charged higher premiums by insurance companies every time it takes technology risks.
“You can take two years in getting an assistant deputy minister to sign a huge (security policy) manual,” says Robert Garigue, vice-president and chief information security officer of the institution. “But if it takes you more than a quarter to risk assess new technology (as a business), you’re going to be running behind your competition.”
He noted that the bank could offer wireless branch banking services to customers, but has chosen not to because there are huge security issues with wireless networks. War drivers, or wireless hackers, can zip around in their cars with a laptop and a Pringles chip can and ‘listen in’ on wireless networks.
But Garigue cautioned that businesses can’t get too paranoid about adopting new technology or they could lose their clients altogether.
“You can refuse technologies that pose security issues, but people are going to be using them outside of your organizations and you’ll be left behind,” says Garigue.
Sometimes it’s impossible to know just what the risks are, as his co-presenter Carolee Birchall — vice president and risk officer of the bank’s technology and e-business group, Emfisys — pointed out.
“We don’t have reliable metrics (to measure risk) — things just move far too quickly,” she said. “So what we’re doing is setting up a risk management framework.”
That framework involves identifying security risks, figuring out the impact that risk could have, and then deciding to accept it or not. Once it has, the bank monitors the technology associated with the risk, tries to analyze it and then report that analysis to senior management.
Birchall also recommended being incredibly honest with the executive level during that final stage about any problems or bad news that’s emerged.
“People only want to tell good stories to the top of the house, and this is not going to help manage the risk,” she says.
Though Cyber-Sabotage covers both the public and private sector, government representatives were unexpectedly absent from the conference. Presenters from the Treasury Board Secretariat and Saskatchewan government either canceled or were bumped from the schedule at the last minute.