Just what is the cost of unfettered connected-device growth?…
Goodbye passwords, logins and data-hungry tech giants. The net’s future might just be on a USB…
What happened, what’s coming next and what you can do about it…
What’s your mother’s maiden name? Don’t ask…
Why thinking clearly about security is so hard…
Chief security officer shares lessons from the original supercity…
Your cyber security team needs to get closer to your company’s physical security if it wants to deliver a truly secure environment.
That’s the message from Owen Key, the former Auckland police detective who has been the officer in charge of both security and information security at the City of Calgary since 2011.
Key, has been working on merging the two groups for the City of Calgary for several years.
To be fair, Key is coming at the situation from the position of an entire municipality – and a big one at that, but the message resonates in an ‘everything always connected’ world.
While the City of Calgary has a similar population base to Auckland it is a true ‘supercity’ – unlike Auckland’s ongoing amalgamation of smaller councils, the Canadian city grew up as a supercity. It runs its own bus and train services, police, fire, wastewater, water and recreation facilities – all connected on its own network.
“It’s a very complex beast to look after. We have a lot of IT and also a lot of operational technology and industrial control systems to look after,” Key says.
“An alarm is an alarm is an alarm, whether it’s from a camera, a card reader or from an event or system log.”
“We’re a business and we run service lines,” he says of the philosophy the city brings to its operations.
In Key’s words the city likes its “shiny objects” and has a lot of technology – including its own fibre network so it doesn’t have to rely on telcos (in fact it sells some of its dark fibre to telcos), along with a fixed wireless network.
The network enables the City to more easily connect a lot of its endpoint devices, including traffic signals, cameras and building access systems. This has meant combining physical and IT security, which has brought about a matching organisational structure.
“Traditionally we had a bunch of security cameras and card readers and needed to put them on a network. That’s grown to combining them functionally into the same group – so while they are still two separate departments, they might report through to the same dude or dude-ess,” Key says.
While two separate but connected teams is the current state of play for the City of Calgary, the benefits are motivating Key to take it further, and it’s a message he thinks is relevant for any organisation.
“An alarm is an alarm is an alarm, whether it’s from a camera, a card reader or from an event or system log out of a computer, it doesn’t matter.
“The operations could be combined. Our investigations and incident responses for both physical and cyber could be combined and our architecture and threat risk assessment and compliance work can be combined,” he says.
“You end up forming a basic risk model on those. A before, during and after. That’s the next piece.
“We have so much overlap with social media and attacks through both cyber and protest and other types of nefarious activity, the two of them have to talk to each other and get a lot closer.”
Key’s goals have been given a helping hand by the recent ransomware attacks on Baltimore and Atlanta.
The Baltimore attack locked the city hall’s computer system, online sales and real estate sales – using malware developed by the National Security Agency – with the attackers reportedly demanding US$100,000 in bitcoin (and causing damages and direct costs estimated at US$18 million).
“We can point over to them and say ‘look if you don’t throw some money at this and do it this way, you’re at risk of getting attacked too and your whole organisation gets taken down.”
Key’s security team numbers more than 250 including the physical security team. The city, which has an asset base of C$65 billion and close to 20,000 employees, has a team of 30 cybersecurity professionals.
Key reports not to the CIO, but to the city’s law department alongside the CIO (and the Chief of Police and Fire Chief) in terms of rank within the city, highlighting the credence given to security.
Despite the scale being far in excess of most New Zealand organisations, Key says he believes the merging of the two units can be applied to any organisation and bring benefits.
“Smaller organisations may only have sole practitioners so it may not work. But at least they have got to talk to each other,” he says.
“You get a lot of efficiencies out of this. Threat intelligence platforms and threat risk assessments can be done on one platform as opposed to two. In operations, you can have a security operations centre that monitors both cyber and physical, rather than building two centres. And the information is shared which is vital as you get a lot of efficiencies and effectiveness.
“It’s about achieving operational resilience for a corporation.”