Fraser Hirsch is the kind of guy you probably want watching your back – and your front, electronically speaking. Hirsch, head of IT security for the City of Ottawa, spoke to TIG about the increased need for IT security municipalities face as they put their services online, and about his city’s role
in hosting the Municipal Information Systems Association of Ontario 2004 (MISA) IT Security Conference on Oct. 21-22, following this year’s GTEC.
TIG: Why is the MISA conference being hosted by the City of Ottawa?
FH: When I joined the city in 2001, it was one month after 9/11. I interviewed for this job on the morning of 9/11. Based on lessons learned at the Bank of Canada, I took the opportunity to build an IT security program the way I had always wanted to do it. What I did learn when I joined the City of Ottawa was that municipal governments across Canada were not doing IT security formally, it was always some IT guy responsible for databases that wore the security hat as well.
I got full endorsement from the corporation and budget funds to build an IT security group, and in early 2002 I started getting a lot of calls from other cities wondering what we were doing in the field of security.
That went on for about a year and I realized we should share what we are doing. Vancouver started up a security program at the same time I did, so we decided we would host the first (conference) in 2003.
We used the MISA banner because of its relevance to municipalities and we had what I would call great success.
We had approximately 30 cities represented and everybody wanted us to do it again.
TIG: Is it becoming more common to see IT security specialists in municipalities these days?
FH: At the municipal level it’s getting there. Municipalities are struggling with very limited budgets: keep the streets plowed but we’re not buying any new technology this year. It’s what the public sees, it’s not what perhaps is truly needed, so some of the municipalities are struggling with the budget side of starting up a new program, but they recognize the importance of it. Whether or not it’s formally addressed by a position or a chief information officer of security, they are developing programs.
TIG: What are the biggest security challenges facing municipal IT?
FH: The number of citizens we’re trying to serve. If you look out your front door on any given day, the city you live in is providing you services. We plow your roads, we pick up your garbage, we show up with an ambulance, we provide recreation programs, we collect taxes, we bring healthy, safe drinking water to your taps, and fire trucks show up when needed.
Every one of those approximately 100 city services is supported by some type of technical system. Those systems have to be running. I can’t allow monitoring systems for drinking water to fail, either through malicious intent by an outside hacker or by mistakes from inside.
TIG: A lot of municipalities are putting services online. To what extent does that create a security risk in itself?
FH: It’s huge. When I joined the City of Ottawa they had just amalgamated 11 municipalities as one megacity, and it was decided for budgetary reasons that the Web was a very good way to deliver city services, (but) it was being done in a haphazard way. When any program came online we looked at ways to improve the security of those city services so the citizens would have trust in doing online transactions.
The City of Ottawa has gone leaps and bounds in delivering online services … and in all those cases we’re asking for that credit card number, so we have to make sure we’ve got the right technical security layers in place to make the citizens comfortable and have trust in our ability to maintain the security of that information.
TIG: As we work towards seamless e-government, it would seem to me that every piece that is connected has a responsibility to be completely secure.
FH: We have a lot of partner relationships with health care, with the hospitals or the province in different areas, and technically we have to be able to talk to one another. Before (the partnership) ever happens, we always have a nice chat with that partner to find out what they do for IT security.
Ultimately, the decision is made as to whether we’re comfortable allowing connectivity with a provincial network or not, or, if we are going to allow it, there is a way to secure it ourselves without being affected by something that might be wrong on their end.
The City of Ottawa is starting to look at a new process where you’d go to one counter for municipal, provincial and federal services, and that will be another challenge.
— for the full interview please see www.itbusiness.ca