In some ways, running a city is like running a business. There are costs and pressures, and there’s also a pressing need to understand the way cybersecurity and cybercrime are changing. And for both the CIO of a company, and the CIO of a city, the key part of the job is communicating what the organization needs to protect its data and keep itself secure. What the job entails, though, is constantly changing.
“Traditionally, we protect the perimeter by blocking off everything. But now we need a new kind of protection strategy,” said Rob Meikle, the CIO for the City of Toronto.
He was speaking from a panel at Technicity 2013, an IT World Canada event exploring Toronto’s role as a hub for the ICT industry and focusing on cybersecurity. The event was held Tuesday at the Toronto Reference Library.
Watch this video of Rob Meikle, giving a recap at Technicity 2013:
As CIO of the City of Toronto, Meikle’s main roles are to ensure public safety and to protect the city’s assets. That could be anything from the city’s data, to more physical objects like the city’s buses or firetrucks, he said. However, both mobility and open data have changed the way the city approaches security.
“What mobility has now done is extended boundaries of this interconnected ecosystem. Normally you would just be dealing with laptops, computers, and technology that would reside on an organization’s premises,” he said in an interview after the panel discussion ended.
“But now you have citizens and businesses consuming information and services, especially through mobile devices. So what that’s done is that our purview on looking at how we protect not just our network and our applications, but also how do we protect our data, which is a great asset,” he added, saying that includes both data within the organization and outside the organization. With the city’s Open Data portal, he and his team need to protect the data residing within the organization, as well as the data outside of it, he said.
For Ritesh Kotak, ensuring cybersecurity is all about integrating it into his organization. Kotak is the project coordinator for Operation Reboot, a program spearheaded by the Toronto Police to boost internal security and to educate the 5,500 police officers working for the force on how to deal with cybercrime.
“There’s no common definition of cybercrime,” Kotak said, adding that makes it difficult for police officers to identify when they do see it. He was speaking from the panel alongside Meikle.
For example, most people think of Anonymous or the Syrian Electronic Army when they think of cybercrime, he said. But there shouldn’t be just a cybercrime unit dedicated towards fighting online crime, especially if its effects spill over into the offline world. Instead, his goal is to see cybersecurity become a decentralized goal for each police division in the city, he said.
“Stealing clothing from a mall is a crime. But cybercrime is no different, it’s just virtual,” he said, giving an example of, say, a resident of Toronto walking into a police division office and saying a neighbour has hacked his or her Wi-Fi and has racked up a ridiculously huge bill.
The project has mainly been an internal one, made up of a task force of police officers, individuals with a background in IT, and even a beat cop with a programming background, he said. Launching in April, the project ran for six months before it was renewed. The goal is to eventually make recommendations to the command officers of the Toronto police.
Still, while most businesses don’t need to fight online and virtual crime in the same way as the city’s police force, there is still a need to ensure officers understand IT policies, Kotak said.
“We have to be cognizant of [IT policies],but our mandate is public safety and public trust, and locking up bad people. That is the essence of a police organization,” he said in an interview.
“However, the best practices, and the steps moving forward, and even the efficiencies in technology, we have a lot to collaborate with when it comes to private industry and the public sector … We’re a paramilitary organization, but the reality is, we still need to look at ourselves as a corporation.”
For the City of Toronto, there’s also a difference in how it carries out its day-to-day IT activities, Meikle said. For one thing, the number of stakeholders is a lot higher, he said. Before coming to work at Metro Hall, Meikle worked first for Nortel Networks Corp. and then for the City of Brampton, so he’s worked in both the public and private spheres.
But one thing he had to learn was to balance the needs of a large, diverse group of stakeholders. Unlike Nortel, which only delivered products and services to a small, niche category of people, the City of Toronto has to take its stakeholders – residents and taxpayers – into consideration too, he said.
And of course, then there are always hackers attacking both the city and the police force – a problem with which most businesses can relate. For example, the Toronto police has faced spoof attacks in the past, when hackers will send emails that appear to be from an individual within the organization, inviting recipients to download attachments containing malware.
Still, Meikle said he faces many of the challenges other CIOs face – namely, thinking about the future.
“We’ve got to be forward-thinking. It’s not the same old. Boundaries, their reach and richness has been extended, so we’ve got to make sure our policies, procedures, our practices, and our people understand that … We’ve got to make sure we’ve got the right level of openness and security,” he said.
That means designing architecture that doesn’t just work for the present, but that will keep working in the coming months and years, he added.