Technicity GTA 2023: How municipalities prioritize data security

Most municipalities are different from organizations in the private sector, however, they have one thing in common: the need to prioritize their data to meet privacy and security obligations.

During an online cybersecurity panel at this month’s Technicity GTA conference, speakers from the municipal sector made it clear doing that is no different from the way profit-making firms do it.

“It’s critical that the information security team spend time with business leaders to understand questions such as how long would it take to retrace all of our engineering drawings, how much lost productivity would we have if the ERP system was unavailable for a week?” said Brent Capp, IT security and risk officer, for the town of Newmarket, Ont.

“Using this information we can start to tell a story of how critical an asset is, what it’s worth from a service delivery perspective.”

It starts with collaborating with the city clerk’s office, with business owners and data custodians who can help identify data based on its classification, agreed Maneesh Agnihotri, interim CISO of the city of Toronto. Then, he said, based on the data classification, infosec leaders can look at the security infrastructure and everything around it that supports the safekeeping of that data.

“So the first step is to have that discussion, to identify what is the key data in the organization, where is it housed, and how do we secure that?”

That led moderator Richard Freeman, Ricoh of Canada’s portfolio manager for enterprise workflow solutions, to ask how municipalities can balance the security needs of users — internal and taxpayers — with the need to protect data.

Kush Sharma, director of municipal modernization and partnerships for the Municipal Information Security Association of Ontario, reported that 92 per cent of respondents to a recent poll of members said municipalities should first focus on critical infrastructure — such as the water system, public transit, solid waste and the voting system — before what they called traditional IT.

“What you don’t want is the water system to be breached. If Microsoft Office 365 and your documents go down, or maybe you can’t process some financial statements, that can be fixed. But if your water system goes down there are life-safety issues. If we can try to balance the resources we have as municipalities and focus on the critical infrastructure components …. that would be a good start.”

Finding information is vital, panelists said. Capp noted that IT business system analysts and the records management team will help with the lesser-known areas where personally identified information is stored. They are experts at collaborating with different business units and know where some data is “unofficially” stored.

“Sometimes you’ll find people are storing PII somewhere because it’s convenient and helps them get from point A to point B faster. The more we understand the use cases for these temporary or alternate use cases, the easier it is to work with the business units and improve the security posture,” he said.

The panel also touched on cyber insurance. Roland Chan, CISO at Toronto Metropolitan University, said that because rates depend on what organizations are doing to protect themselves, his institution makes departments aware of the importance of good cybersecurity practices.

Many municipalities won’t be able to qualify for insurance based on the heightened cyber controls insurers are asking for, warned Sharma. Even if they do, insurers may declare a cyber incident is excluded from coverage because it is part of an ‘act of war’.

Any municipalities smaller than a city may have to look at self-insurance, he advised, or group with other municipalities to self-fund themselves.

“Organizations have to understand insurance isn’t a cyber control,” said Agnihotri. “It’s part of your remediation, it’s part of your recovery. So what is driving this now is how fast can we improve and mature our security posture.”

Finally, asked for tips on improving employees’ cybersecurity awareness, Sharma urged infosec leaders to stop thinking of themselves as technical experts. “We need to translate and communicate better to the leadership that we are a critical business function within the organization,” he said.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs