
Hani Mancy: Good afternoon, everyone. It's my pleasure to spend the next 60 or so minutes with my esteemed panelists and all of you listening in. Nikki, if you cannot hear or see us, or if we start running a little bit behind schedule, please step in and let me know. I say so because I can only see my panelists; I can't necessarily see what's happening on the stage from your point of view. My name is Hani Mancy, and I've spent the last 30 years in technology, 21 of those years in security and risk management. Currently I'm the Chief Information Security Officer for the City of Edmonton. My responsibilities include cyber security from governance to security operations and everything in between, as well as disaster recovery and digital ethics. I'd like to start by having Rachel, then Martin, then Tim briefly introduce themselves. Then I will ask a few probing questions for us to gain a lens into the mindset of privacy and security executives. So if I could hand off: Rachel, if we can start with you.

Rachel Hayward: Sure. I'm Rachel Hayward, the Director of Compliance and Special Investigations with the Alberta Privacy Commissioner's office. I've been with the Commissioner's office for 10 years, actually 10 years in August, and for about the last three of those I've been Director. Our responsibilities within the Director of Compliance portfolio are the self-reported breaches that are mandatory under two of the three pieces of legislation, and we also review all the privacy impact assessments. My team is also responsible for a large number of the investigations that the OIPC completes, including our offence investigations.

Hani Mancy: Okay, excellent.

Martin Danelle: And I'm Martin Danelle, the Chief Information Security Officer for the Government of Alberta. I also have the title of Executive Lead for Innovation, Modernization and Cyber Security at the GoA. I've been the Chief Information Security Officer for the government for just over five years now, and since Christmas time, with a heavier focus on the move towards digital services, I was also given the portfolio of innovation and modernization, which includes Alberta Digital Services. So anybody who's used MyAlberta Digital ID and such, that's essentially in my area: modernization, rationalization, provincial broadband (obviously, with digitized services, it's important for Albertans to have connectivity to those services). I also have advanced analytics, artificial intelligence and RPA in my area, and cyber security, which includes digital forensic investigations, security operations, threat intel, IMT, risk management, overall cyber security awareness and disaster recovery.
Tim McRae: I feel bad, I've only got one title. I'm the Chief Security Officer from the City of Calgary. Hi folks, Tim McRae. I've been in the security industry since 1981. I've had the pleasure of working with a number of folks that are on the screen here today, but also throughout my career I've had executive positions including CISO and CSO roles for different organizations. This is number 11 or 12 now that I've been on, and I think this is the 13th or 14th team I've been able to redesign. Looking forward to today's session, so I'll hand it back to you, Hani.

Hani Mancy: Thanks. Wonderful, thank you. So this year's theme is resilient cyber security post 2020. As we know, cyber breaches are on the rise. This is important because technology is a vital component of most organizations, and as a result of the pandemic, organizations have transitioned to working from home at an unprecedented pace. This has led to many new lessons, many new surprises, and it's sort of led to an experiment at an unprecedented scale. I wanted to share a few cyber breach numbers just to get our juices going before I start asking a couple of the questions that I have. So here goes: 8 billion records have been exposed in the first quarter of 2020. There has been a four-fold increase in cyber crime since March 1st of this year, as reported by the FBI in April of this year, so this is a little bit dated; I don't know what the numbers would be at this point. Global cyber security spending is projected to increase to 137 billion dollars by 2022. The cyber crime economy is estimated at six trillion dollars by 2021, which is just around the corner; this would place cyber crime as a G-10 country, if that gives a little bit of scale. And finally, there's some good news in this, because the numbers keep coming down: the average time to detect a cyber compromise is at 56 days at this point. So I wanted to just level set us to some of the challenges, the opportunities and the improvements that we're seeing. My first question to each of you, following your introductions, is: how have your roles expanded over the past few years, and has this pandemic further altered your role? Maybe I'll switch it up this time. I'll start with you, Tim.

Tim McRae: You're going to do that because my neighbor is cutting his grass, so this is perfect, right? No, I mean, the numbers you gave, Hani, were pretty frightening. It's scary to see how our world is changing, and more so now because of COVID-19 and some of the, I think, forced transformation that we're having
to do with our workforce. Part of it, what I'm seeing at least from my perspective, is this idea that the change I'm seeing is that I'm relying now on 5,800 users doing the right thing at home. I'm just going to let that hang there for a couple of minutes. What I would love to see, in my utopia, is that everybody knows the computer hygiene you should have at work and brings it home, but I don't know if that's going to be the case. I think you're right, though. What I'd love to see is some of the statistics that are going to come out at the end of this year, now that we've had more people staying at home. I know that this was a change for a lot of organizations, particularly those who weren't typically used to having a large workforce at home. The same problems, though, are going to occur from home, right? We're still going to see the ransomware and the malware, we're still going to see attacks against the endpoints, we're still going to see people who are really interested in the data that all of our organizations hold, and they're going to do as much as they can, as often as they can, to try to get that data from us. The concern then becomes: how do I train a workforce that may not have been used to working remotely from home, in an environment that, with my neighbor cutting his grass, we weren't particularly ready for as we get into our work-from-home scenarios? So how do I reduce the risk, how do I reduce the threat factors that are facing people working from home, as they would be working in your office? We're using different service providers now for Wi-Fi and connectivity, we're using different locations now as opposed to our typical desks; we're sitting in bedrooms now and at kitchen tables. You know, I've seen people propped up, lucky fellows propped up on their balconies, to do their work. This has changed, right? This has changed the paradigm of how we function, and this is going to become that new normal. So I'm looking for what the next three months bring, what the next six months, the next year bring. That's where I'm really worried about us, those next few months.

Hani Mancy: Thank you, Tim. Martin?

Martin Danelle: Yes, actually, the COVID pandemic this year has acted as a catalyst, not only for us but also for attackers. Obviously, the scary part in the numbers that you've given is that they don't even include some other types of crime. Usually they don't include things like nation states trying to actually bring government systems down through denial of service attacks. This is one type of attack that we've been under
since the beginning of the pandemic here at the Government of Alberta, and it's only increasing day to day. Different types, different vectors are being used, different ways to try to attack our systems, sometimes trying to attack from within through a phishing attack that might be successful or something like this. We have to constantly be on our guard and evolve our protection, and ensure that our staff are well trained and know how to respond to it, and ensure that our management and our executives are actually aware of what's going on, so that we don't have to ask for permission before doing things like shutting down a system or something like that. Most of you, a lot of people anyway, I know ended up not being able to work during a period of time, and as you know, you were able to sign up through MADI, as a matter of fact, to get some money to help you get through the period where you were not working. You should have seen the attacks coming on these systems, most of them from Russia. And I'm not saying it was Russians; as we all know, attackers like to redirect their attacks to blame other parties. But it's been going on since the beginning of the pandemic. Now, for us, just to put it in perspective: we have about 35,000 employees and contractors at the Government of Alberta, and one week into the pandemic, once we decided that we were going to work remotely, we were essentially being asked to provide services that would enable those 35,000 people to work remotely from home. And we managed to do that in just a few weeks. Just the thought of doing that maybe two months before the pandemic occurred, most of us would have looked at it and said that's impossible, it's not going to happen. The payment system that I mentioned earlier, if we had been told "you've got three days, there's the system," we would have said there's no way, even if we work overtime. Guess what? It happened within three days, and that's the new normal. We're now at the point where we have to deliver services faster. But I will say the new environment, as risky as it is as we're working from home now, has enabled people to actually have a life while also having a work life. It's weird to say, but I do the same: I work from home; sometimes I'll start my laundry in the morning, then come online and do some work. You want to make sure you keep your information secure, you want to make sure you don't go and print stuff that is confidential that other people in the house could see; you want to make sure of all those things, but you also have that flexibility now, working from home. And what we're finding is our people are working later, longer hours, harder, are more focused on their work, and next thing you know, we deliver faster. So there's both some good and some bad to the environment we're in. I think we have to recognize that, we have to adapt to it, and my job as Chief Information Security Officer is obviously to keep that secure environment there, to ensure that people are aware, well trained, have the right tools, to ensure that the information can be shared in a secure manner.

Hani Mancy: Thank you. Rachel?

Rachel Hayward: So when you talked about the stats, Hani, the first thing I thought about was something that I find is often missing when we talk about
breach stats, especially in this kind of environment, and that's human error. I would say, when we talk about breaches as a result of the pandemic, the majority of the ones we've seen are actually due to human error. It's because people were rushing to get home, and people were, you know, grabbing documents they probably shouldn't have had and leaving them in their car, and their car was broken into. Or somebody wasn't in an office for a period of time, so they didn't know that a breach had happened, because nobody was checking in on that office for a period of time. So we definitely do see some human error along those lines. What's different in my environment from Tim's and Martin's is that our role is guided by legislation, so I don't get to be agile. I have to follow what the law says, and I have to continue to try and regulate within that, even in times of pandemic. So what's been really challenging for the Commissioner, I would say, is: in a time of pandemic, how do we continue to work within the confines of the law when the law doesn't have an exception for a pandemic? We have things like access requests that have 30 days to respond to, and I would say that the provincial government did manage that, but we have a lot of other issues there, more than just time, where we're asking for documentation, we're trying to conduct investigations, we have timelines that are legislated for our investigations, and suddenly we can't meet face to face with people we're trying to interview. So we've had a lot of challenges, because we're just not agile; we're stuck within the constraints of the law. So I think my perspective on this is one of feeling really constrained a lot, and that we want to be a little bit more agile and adaptable. We're doing the best we can, but we still have to work within what the law says, and it does make things a little bit more difficult for us.

Hani Mancy: Thank you. So, following on from that, seeing that we've had this increase in digitization and business services going online, the question really is: has privacy or cyber security taken a more prominent role in technology projects? I'll switch it up. Martin, I'll go to you.

Martin Danelle: Sure, absolutely. I'll be honest, it's not caused by COVID; it's been accelerated by COVID. The need for privacy and security to be involved from the beginning, at the idea stage of digitizing a service or something like that, was always there, but I think COVID and the acceleration
of the delivery of those solutions is making it absolutely integral. We don't have time to think about security after the fact and then go back to patch an application or system to make it secure or something like that. We don't have time to deal with privacy issues once we go live; it would be silly to do it this way. So as a result, to fast-track the implementation of solutions, we're seeing our privacy officers involved in all projects from the idea stage, when people start talking about data sets that we're going to put online and where they're going to be, especially if they're going to go to the cloud, which is kind of option number one right now for most solutions that we put in place. Security is the same way. The first thing we do is what we call a statement of sensitivity for any idea that we have about moving a new data set to the cloud, or even on-prem, as a matter of fact. We assess the classification of the data from an information security perspective, and then we identify what the risks are and how we're going to mitigate them. And as usual, all the time, we always put all this information in front of the business, and the business has to make the decision: how much risk are they willing to live with, and how fast do they want to move, and so on and so forth. So absolutely, the first thing we do in any design and development process at this point in time is involve security and privacy, to ensure that we're not going to cause any issues to the Government of Alberta or to Albertans, or of course to all of our stakeholders.

Hani Mancy: Wonderful. And Rachel, what's your perspective?

Rachel Hayward: So I have to say that I expected we would see a lot more breaches related to COVID. We are tracking breaches that are submitted to our office under any piece of legislation where the organization says that this is a result of COVID or the pandemic, and we're seeing a lot less than what I expected.
Maybe that's because they're not being reported to us just yet, or, you know, that's always in the back of my mind, or maybe the reality is that there are just not going to be as many as we expected. We thought there'd be a big surge, and there just wasn't. Enabling people to work from home very quickly, just for me, seems fraught with issues. One of the things that we've seen a huge uptake in at our office is virtual care platforms in the health sector. I'm sure you've seen some of this in the news, and I won't speak about any of them specifically, but we do have at least one that we're investigating currently. These are where you can meet with your healthcare practitioner online, just as we're meeting today, really. Since the pandemic, since March, we've had between 80 and 100 privacy impact assessments submitted to our office on virtual care platforms alone. So the uptake is really fast. Have we reviewed all of those? No, we have not yet. We're currently looking at a plan to be able to do that as efficiently as possible, because we are in a pandemic, and the majority of those who have submitted them are health practitioners; they have other priorities right now. So we want to try and find an efficient way to do that. The way in which we've looked at this, it's been quite a switch in the types of services or platforms that organizations are looking to implement, and what's great is that we're getting a lot of information about them and we're getting a lot of them submitted to us. So I do think there's some good news in there, for sure.

Hani Mancy: Thank you. And Tim, your perspective on this, please?

Tim McRae: So from a security and privacy perspective, what
I've been seeing this little while, and Martin and Rachel both alluded to it, is that we've been seeing the requirement to bring cyber and privacy professionals into projects at the onset, right? And I think you learned about it a little bit today, this idea of "push left": get everything as close as you can to that time when I walk out of a restaurant with a napkin and a pen and I have a great idea. Stop right there, bring in privacy and security, and let's start understanding what the implications are, what the different threat factors are, how critical the information is. So this whole approach that we've been adopting within the City of Calgary is based on the principles of enterprise security risk management, this idea that it's the business that makes the decision, because they're the ones who set the goals and objectives. So our role as security professionals, in concert with our privacy team members, our privacy professionals, who are part of a different department within the City but we work with them on projects throughout the year, is that we've now been bringing both lenses to a project. We're incorporating our approach from an ESRM-based framework, and we're using digital transformation to take that data and put it in a repository, so now I can start presenting risk back to the business in a very objective way. COVID's made it faster. To Martin's point earlier, we had to speed things up, right? We really had to get across a couple of hurdles internally, and now that we have, our approach now is really to keep moving forward on the same methodology: looking at things from a business lens and understanding what the risks are, and then applying or bringing in privacy professionals as we need to, you know, from a privacy impact assessment on all these different applications. So it's changing the way we're doing our business. It's forced us to be more agile; it's forced us to think more as a business professional than a pure security professional who says no. We lost that right a long time ago, to say no to projects. Now it's how can we help reduce the risk, as opposed to how can I stop the project.

Martin Danelle: You are so right, if you don't mind me adding something. You are so right, Tim. Actually, this is key. In the past, people saw security professionals as the person who always says no when you ask them to do something. That's no longer an option for us. It's all about risk: okay, you want to do this, here's the risk, are you willing to live with it, and here's what I can do to potentially mitigate it. But it's no longer a "no" thing; it never
will be again, I think.

Tim McRae: No, agreed.

Martin Danelle: And in terms of involvement, it's kind of funny, because I read the question, listened to you, and we talked about projects. One of the reasons why this is happening at this moment, why we're putting so much of the focus on it, is also that our executives, the people at the highest level of the organization, know about security a lot more than they used to. They are informed; they see what's going on in other organizations. I'm actually going to mention this here, because I think it's important: when there was a switch in government two years ago from NDP to UCP, there was a transition team that had been put together, and literally one week after the election was over, I was brought in personally to do a presentation on cyber security to the transition team. This is how important it's becoming to organizations nowadays. It's no longer that cyber security is that side thing that this geek in the corner in a dark room with a desk and a pen takes care of. I was thinking about you, Tim. Although, yeah, it does fit, doesn't it? But it truly has become a major focus for the executives of every organization.

Tim McRae: It is, and I agree with them. I think there's a point where now we're being asked to provide context to the business so they can make a better decision, and that's a role we haven't played until probably not that long ago, maybe three, four, at most five years. But now that we're being brought to that table, it's on us as security professionals to start making those business presentations, as opposed to those truly technical presentations. That's where our next change has to be in the profession: now how do I focus on risk, how do I focus on business, how do I make sure that we bring in privacy, so that all of the aspects that we need to cover for the data that we're responsible for, we're able to protect it? And then how do I, as a security professional, walk away from it if the business decides against something I recommend? How do you do that, right?

Hani Mancy: Thank you. These are all excellent perspectives, and I fully agree. So if I was to summarize them in some sort of a call to action, it would be to ensure that we're very tightly stitched and integrated with the business, so that we're having business value and business risk conversations; that we are regularly performing very efficient and very effective assessments, privacy impact assessments, threat risk assessments, and providing pragmatic guidance or pragmatic direction to the asset owners or the business executives that are responsible for these business services; that we've ensured that security and
privacy are embedded at the very beginning of our initiatives. And I know Tanya talked about the software development life cycle, now the secure software development life cycle, as well. You know, the security office is not just the security office, and the privacy office is not just the privacy office; it's all of your users. It's a team sport. Everyone has a responsibility, although their responsibilities vary, but everyone has a responsibility, and we probably need to do a really good job of making sure that we improve their knowledge of what they need to do. So maybe what I would ask is, with all of this in mind, pandemic or no pandemic, we know we're moving in the right direction, and honestly, after 30 years, I'm very happy to see this continued trend. My question is: have you or your teams had to acquire new skills or new tools to be able to move forward? And just to keep it changing (I'm probably going to lose track of who I asked last), Rachel, I'll start with you.

Rachel Hayward: Sure. So can I just say, first of all, I think it's really sad that it took a pandemic to get privacy regularly at the table, but regardless of how we got there, I'm very excited to hear what you're saying, that privacy is there now, because for a long time we've really felt the same way as security, and we've felt like we've been fighting to get at the table early on. So I think that's fantastic news, from an outsider looking in and hearing what you're saying. I would have to say that the way in which my team adapts and changes is based on what it is that you are all doing. So you're looking at new technology, we get forced to look at that new technology; we react to what it is that's being implemented in Alberta. I would like to give you a specific example of something I'm particularly proud of that my team has recently completed, and that's the Alberta TraceTogether app, the app to help track COVID. We had never looked at an app before that was potentially going to have, if everybody downloaded it, millions of users. We'd never looked at something that was an app-based product that was available for download on individual phones before; we just haven't had that experience. So we suddenly had a privacy impact assessment on our desks that we had to look at, and we had to learn a lot about how apps work. We
had to learn a lot about how the technology was being used in other parts of the world as well, because we wanted to do some comparative analysis to see whether or not there were better options out there, because this was fairly new for us to look at. So we were suddenly thrown into this, and on top of all of that, there's a huge pressure for us to get this out in order to help protect Albertans, right? That's ultimately what we're trying to do: protect the privacy of Albertans. And the longer we took to review this, the longer it would take for organizations or for individuals to decide, because we heard a lot of feedback that people wanted to hear what the Commissioner had to say about the product. So at the end, I had two members of my team, Eric and Christine, who did just a fantastic job on a report that's over 60 pages, a very, very detailed analysis, where they looked at the system and provided that comparative analysis as well, and produced something that's available for public consumption. I would say I don't expect most Albertans to want to read that report, but it's out there, and it's out there for those of us who want to understand better, and those of us in privacy and security who want to see what options are out there right now, and to see whether or not the Commissioner ultimately thinks that this is a safe and privacy-enhancing product. So that was something that was brand new and thrown on us, and I can tell you that they worked crazy hours getting that analysis done, and I'm very, very proud of that from our team. I think that was some really outstanding work. And that's very much the way it is: whenever the government or an organization within Alberta starts making some decisions and, you know, planning some new technology, that's when we jump in. We want to learn about it and understand the benefits and potential drawbacks. So we follow you guys, is what we do, usually.

Tim McRae: I'm going to follow up with what Rachel started, this idea of being very adaptive. One of the things I've learned, what I've seen in the last few years and more so now, is that the skill set that information security professionals or cyber security professionals have to have is increasing, right? So we're being asked to consider different and varying types of technologies, whether it's within the typical IT infrastructure or looking at ICS as well. As we migrate more towards the cloud now, we've got to start
bringing in or understanding more about what that environment looks like. How do I manage data in a cloud environment where I don't have control over it? So now I have to look at it from a risk-based perspective: what are the things that I need to consider, or that I need to validate, or controls I need to see in place, so that I can provide the same level of assurance in that provider's environment as it would be in a typical data center? I'm also seeing this increased requirement for things like, more from a forensics perspective, understanding more about a mobile device: what's on the mobile device, how does it interact with the data, how do I store it if I am storing it, how do I identify or not identify myself? So Rachel's point about the tracing app is a perfect example of the same thing. The skill sets that teams now need to have are to be able to adapt to that different type of technology, look at it from a risk-based perspective, and then provide an objective viewpoint on the new technologies coming across. So for me, I think more than anything it's that ability to adapt as situations change. COVID's brought that forward, and it's really demonstrated those teams that can change, those that can adapt, and those that can approach things from a different perspective and collaborate differently. And the last point, I think, from my perspective, and because I was the late guy coming on here: adapting to new technologies, adapting to new ways of doing our business, how do I communicate more regularly now? And you know, I do this in my current role with executive leadership, with council, etc. How do I do this from home, in my bedroom, as opposed to in front of somebody, get the same point across, have the same impact and have the same business discussions that I need to have with executives? At least from my perspective, at my level as the Chief Security Officer, that's what I need to change in my approach and how I manage my business.

Hani Mancy: Thank you, Tim. Martin?

Martin Danelle: Yeah, that's excellent, that's really good. I'm taking notes as we're going ahead here. I'm like, wow, that's a lot of things to address, with some good ideas for us as well, things that you don't think about unless you're in a conference like this one. This is the usefulness of panels like this one. But yes, for us, the Government of Alberta, I'm going to start with something simple. We're talking about implementing new tools and such; we're certainly implementing new services, but as you will all understand, I think a lot of us are in the public sector right now. The oil industry is not doing so good, and I'm going to say the same with, you know,
things like foreign taxes, so less money is coming into the government. We're disbursing money, of course, to help Albertans who are having issues money-wise, but also businesses; we're trying to help the businesses so they stay afloat and such. So as a result, our focus has very much been on stakeholders and keeping them up and running. That means, at the same time, less money for us IT folks, the geeks that would really like to run some tools to make the environment better. So actually I've seen a little bit of a different thing happen. For us it's been more a simplification of the environment, the rationalization of the tools we're using: use fewer tools, but use them better, leverage them better. And for the few tools that we're implementing, the other thing that I'm seeing, and I've been pushing it for as long as I've been here, over five years, is the idea of open source. There are such good products out there that are even better supported than some of the vendor-based products that we can leverage, and those are the same products that very often the hackers are using against us, so leveraging some of those tools is very important. But for us, we're very much a Microsoft environment, so we started to look at what they have that I can leverage. Like, do I need, say, a Trend or a McAfee to do my virus check when I'm getting Defender for free and ATP is available? Those are the considerations that we're having right now, or already have had, as a matter of fact. So it's more simplification so we can manage better, is what I'm seeing. Where we have had to really ramp up is video conferencing. It's been part of our environment for a long time, but it was more a side tool; it's now a major focus for us. The office of the corporate CIO here at the Government of Alberta is committed to having 50% of our staff working from home permanently as of Christmas time; it looks like it's actually going to be more like 70% of our staff.
so what that means is we need really good tools to communicate better faster and be more concise and we find that that's what has been happening with the tools that we're using we're currently using webex but also we're starting to implement teams we want to do it right though we don't want to just jump into it again sometimes security concerns sometimes integration concerns but so we're moving gradually towards those tools and our vendors our partners have a lot of knowledge on this as well the ciscos of this world the microsoft of this world our vendors like cgi accenture on the 1gx side involve them when you can those are your partners they should be able to help you implement some of the
new tools and strategies actually that that are out there to help you in this situation and that's what we've been doing but to holistically understand main comment is actually it's not necessarily going to acquire a whole bunch of new tools it really has been more a simplification rationalization and better use of what we have thank you you know that's that's very very very good and and i've been kind of you know if you could see me bending down every now and then making some notes because some excellent points by some very you know experienced professionals um we talked about a couple of things we talked about being very aware of our business or economic conditions
very very key so that we're always pragmatic about what we ask where we take the business what recommendations we give we talked about some of the you know current changes we're dealing with uh which we talked about the tracing app uh tim you talked about industrial control systems critical infrastructures yet another thing we could talk about for hours uh we talked about mobility and where we're heading there and and really another key thing for me was to make sure that we're working towards simplicity and better leveraging the tool sets that we have so that we can get better economies of scale in my mind maybe is the way i like to paraphrase it one of the
things that you touched on tim was the way in which you communicate and um so i mean my follow-on question would be is how have you changed the way in which you communicate with your business with your executives during this time and and martin maybe i'll just get you to lead this one off sure um actually as i mentioned the idea of video conferencing and things like that is being used big time presentations online big time keeping them simple we have all become experts as we're moving ahead uh instead of blah blah blah here's what we're doing and here's why and so on and so forth we're looking at what a cabinet and most of our deputy ministers and such
require from us when we have information to communicate what do they need a briefing it's right there in the name briefing be brief quick background what are the options your recommendation and how you expect to be moving what you're expecting from the person who's listening to you and at that point in time go get moving so be brief with everything that you do don't go forever um so that's probably one of the biggest thing empowerment empowerment has been huge as well it's no longer a question of going through five different levels to get approvals for something put somebody in charge is going to be able to run the whole gambit and make it happen and get the approvals coming from that
person or maybe the supervisor of that person but simplify approval processes and that's the other thing that's been happening as well this way there's less turmoil less questioning and we don't have time for the perfect solution anymore like for instance when it came to payment to albertans uh i'm sure some people have tried to sign up over the first couple of days when everybody was trying to log in at the same time and there were some issues we actually knew there would probably be some issues with that but it was either we do it now we make it happen and we help people right away or we fiddle around for the next three weeks try to figure out the perfect
solution so that's the other thing that has simplified itself the solutions we're looking for don't look for perfect look for the best case you can make for yourself look at risks accept a certain level and then improve over time this agile methodology of delivering something quick and then repeating slices of improving the situation is way better than the old waterfall projects where we would talk about requirements for months start designing for months implement over a number of months and by the time you deliver the requirements all have changed so that's been our approach from a communication perspective thank you rachel so um i think it's actually it's quite interesting because both um tim and martin they both work in large
organizations the oipc has 42 staff members um between two offices we have a small budget i think our budget last year and this is public was around 7 million dollars we don't have a lot of money so um we when when a pandemic hits we don't have spare change in the back to use we literally have that money set up for everything and uh we had to go buy laptops when when the pandemic hit um so that we had staff that could actually work from home i think we we had about three people on the in the office me being one of them that actually had laptops um rather than um desktops so we had a
huge change um from that perspective and so and so when we talk about being able to uh communicate effectively differently we're still working on it we we don't have a great approach yet we don't use zoom we don't use um uh teams we don't use anything except you know good old-fashioned 1990s teleconferencing technology we don't see each other this is the first day i've had to dress up for work in ages like um we just talk on the phone i'm wearing shorts right now um so we just we don't have not only do we not have the resources but because of we are the the commissioner's office we we don't just implement technology without doing a privacy impact
assessment first and if we do our own privacy impact assessment that certainly has different um uh it has a different feel to it shall we say than if we hire an outside organization to do that for us and we just bought a whole bunch of laptops um that weren't budgeted for and so then you know getting a an outside organization to do a privacy impact assessment for us these things are going to take time to figure out how we can financially manage that um so we're not there yet we're starting to look at some other technology that uh that we might be able to use but right now we're one of those organizations and i'm
sure that there's a lot of others out there that are struggling to use what we had before um during the pandemic which was teleconferencing um for the most part and uh um and trying to try we're trying to figure out still what is the best way for us to communicate um we definitely uh we communicate with organizations a lot by email but we were doing that before as well so um we we just don't have uh we don't have a lot of um uh um we don't we just don't have the opportunity to make a lot of these changes that we'd like to be able to make as quickly as we'd like to be able
to make them um it does look like we'll we'll start to head down these these paths and and start to find you know new and more innovative ways to do this because it is a bit clunky the way we're operating right now and for those of you who are working with us on privacy impact assessments or investigations i apologize um because it is clunky for us um and we're struggling a little bit sometimes we have to wait until we're going to the office and we're only really allocated one day per every two weeks to go into the office so um it's uh it's been a bit of a struggle you know um and i'm hoping that
we will continue to move forward on this we um and let me just kind of uh step back and say prior to the pandemic no one at the oipc worked from home we didn't have a work from home policy and it just wasn't something that was available to us dealing with the the level of sensitivity of the information that we deal with we kept it within the secure environment of the office and we and again nobody really had laptops so this has been such a complete shift for us with not a lot of money or ability to make sudden changes um we've definitely struggled and uh um we're starting to get you know a few ideas and starting to
move forward now but it's it's been it's been a really hard um turn for us for sure thanks rachel what are your thoughts well i'll just i'll kind of close it off by i'll knit a few of these things together we've we've adapted our approach we started this a few a little while ago before the pandemic hit that is changing our approach to how we communicate particularly with our our clients and our business units that we interact with but also with executives and outside agencies to martin's point yeah brief that that's yeah a page i'm a soccer crayon kind of a guy if it's a couple of pages long i'm not going to read it
i don't have the kind of time so i'm trying to figure out who my audience is finds executive so i'm trying to keep it short right get to the point what's the business problem you're trying to solve what's the risk that's facing the assets that supports that business objective and what can we do to help remediate the risks so we try to keep it crisp in our communication we use a lot of technology now right more so now over the pandemic so microsoft teams is huge for us we're using other uh platforms you know as this is as another example we're also getting very good at using um the visuals from our perspective i don't know about
you folks but that death by powerpoint stop just stop like get get the point across get to the point make it make it a valid business point with a risk associated to it give a remediation and get out of the room get onto the next meeting so i've i've been forcing my team to get to go down that path and the other one too is from my perspective is when we discuss or we communicate with other members of our teams but that we work with as our client base we talk about the difference between an exception to a policy and accept an acceptance of risk two different words two different meanings you know the way
i look at it is one it's okay to go break the rules exception alternatively it's here's the risk and at two in the morning you're the guy understand what that means right we'll be there to help but when you make that business decision to accept the risk that risk is now on you and that's when we get to some really interesting conversations with executives because the points being made that this is now a business decision to accept the risk or would you like to work with our team and the it operations group to help reduce the risk so those are things i've seen change at least in the last couple years but throughout my career this idea of
talking about things from a business perspective changing the language that we have as security professionals so it's a business discussion not a put up a hand and say no now i want to talk about the problem can we look at it from a business perspective keep it brief to the point gain their attention get their acceptance move on thank you so some some excellent points there and really um if i could surmise just snippets of it's around communicating briefly communicating value and risk and and and the note there is is yes the the days of no well i think they're gone long gone uh hopefully none of us are doing that anymore but it's making sure
that we're communicating effectively so that business executives can make informed risk decisions because taking risk is not bad and businesses take risk all the time it's just a matter of understanding and quantifying what it is that you're taking on and for how long you will take that on and maintaining that so that you don't lose sight of that in a year or two or three so that you have the opportunity to pivot back and close things if that that's something that makes sense so i'm just doing a bit of a time check so it's uh almost 150 so running a little tight on time i do have one more question to ask and then uh we
have a couple of questions from the audience that uh i'd like us to tackle if possible so this could be a you know an interesting one so i was kind of looking forward to this one left at the last my last question is do you see do you foresee any changes on the horizon to privacy legislation and or cyber security standards i will start uh rachel i'm going to leave you to last so tim i'm just going to go with you craig thanks for that hannie i appreciate it um from my end yeah i do actually i i do see changes and i'm not going to overstep here but i see changes at least from you know the linking more
now between privacy requirements and security controls that should be in place to reduce the risk and i'm i was a big fan of the gdpr when it came out in europe all 834 pages but you know a good hunk of it um should we see some of that come here i think we should i know i know some folks don't think that it's you know that it's a fairly hefty piece of legislation but when you take a look at the premise behind it i think as a canadian would be really i think would be well served if we follow that type of change or that type of structure for the way that we manage the data that we need to hold
confidential and private i think as security professionals it's going to become more and more upon us as organizations that hold data for for citizens for customers etc we need to do a better job of demonstrating how we've done that so i'm i'm a fan of looking at it from a security perspective this is going to sound way out there and i'll start out there for martin to pick on me but what if you started legislating security controls you had to have in place some of what we do for pci what about other requirements and why not right if we're doing our job well then focusing on the risk and putting in the right control why can't
we what if we were just doing our job really well right and we did not be told how to do it i think that'd be a great idea and i think what that would do is it would set the tone for executives as they start looking at things moving forward so i'll start the brawl here and i'll let martin jump in here actually it would be a brawl if i was not an agreement i'm actually going through a lot of what you said but i'm going to say it goes beyond regulations and such it goes also towards education training and awareness we can no longer have just the security people being the experts and the
information management people knowing the policies inside out we need to get to a point where the general population and certainly our young people are trained very young to understand the risks and uh uh that they take sometimes with uh you know just giving their name or giving their email address or something like that when they go to the store or something like that you know that needs to to come into play uh so i'm gonna say here um i'm actually a proponent of changing some of the rules okay and let me let me actually be more precise on this one i don't think we need new rules as per se we need to adapt them
okay so a lot of the regulations that exist are in terms of records and i'm talking paper records like the government of alberta official records have been historically paper records the digital records are usually a copy of the paper records um we need to move to the digitized world we need to have records sorry database type policies and such so some of the acts and regulations that exist they are there very often to do things like foreign protect records of course but they will say things like you can't have this data this particular data set outside of the province of alberta well when you're in a digitized service and you move to the cloud pretty darn difficult to accomplish and
this is where i'm gonna put the plug-in that we were discussing before the meeting actually rachel we have an oipc that's very forward-looking here in alberta we're super lucky with that they are looking at tools they are looking at doing the way we're doing business and they understand it so that we can actually work with them to come up with solutions that make sense but i'm going to tell you that there's a lot of provinces and territories and jurisdiction in this country right now that are not able to move towards modernizing their services and digitizing their services because their own oipc's or the powers that be in their province or territory still look at things the old way can't
do business outside of canada can't do business outside of the province in some cases outside of the cities even for municipalities i've heard so this is something that's very important we should adapt all those regulation rules and so on and so forth that have been in place but i agree that we should have more security based regulation i'm gonna throw in right now because i saw our vendor putting a question about mfa the biggest vector to get into organizations right now is email phishing where you obtain credentials if people believe that their information is well protected because they have a username and a password good luck i hate passwords we need to go beyond that we
need to go into biometrics digital certificates things like that whatever shape or way we we do it but mfa should become a regulation literally some kind of an act or something like that for anything that involve private personal information i think any solution that's in the cloud any solution that's digitized should have mfa in place to protect you it's too easy to get in with just a simple password they can be hacked so easily but a second factor of authentication even if it's like a call back device my telephone is registered somebody's trying to access my account or one of my records and i get a notification on my phone with the authorization number or
something perfect this is what we need to protect ourselves and this is where maybe we should look into regulations in the future thank you rachel well this is a hard one for me because there's so much i could talk about um the first thing i always like to start off by saying is that the commissioner doesn't write the legislation um she regulates it so there's often a misconception that the commissioner has the ability to actually change the legislation there's a lot of things in it that we don't particularly like either and we'd like to see updated and change so with that in mind um i would say that um i wanted to pick up on on something
that tim had said actually i think it's really really important that we do look at some other legislation and look at modern modernizing what we have the gdpr has some great concepts around data processors i'd love to see that what we have right now um we call them information managers under the health information act and to be able to have a little bit more authority on some of the work that they do a little bit more direct authority i think would be really helpful it is very rare nowadays where we come across an organization that isn't dealing with at least one data um at least one data processor um sometimes there's seven or eight within
an organization and a specific investigation that we're dealing with and it gets very very complicated that way so be nice to have some uh some changes like that um i would say that uh the health information act specifically needs to be modernized it needs it needs to be updated it needs to look at some things around use secondary use of data it really doesn't address that very well and it doesn't really address um data repositories either we do there's a there's an opportunity there for um regulation on on um on data repositories but it it's not there it was never written so it would be nice to have some of that work updated and done as well um in terms of
the public sector i would really like to see a mandatory breach reporting in the public sector government holds a lot of really important really sensitive data on on albertans and it would be nice to have um to have notification if that information goes awry and right now it's the only piece of legislation in alberta that doesn't have mandatory breach notification because the health information act does as does our private sector legislation so i think that that's really missing and then i'm going to throw this out there and sound a little bit controversial as well maybe but um private sector legislation if you look um globally there's there's definitely a trend in this and we can even see this um happening in
ontario where uh commissioners offices are actually getting some opportunity to um to actually levy fines i know that the uk commissioner does this a lot for example but there's it's growing in popularity and before um before you think oh my goodness we shouldn't let the commissioner do that um the commissioner does already but we go through the court system so what are we doing right now in alberta we have a huge backlog in our court systems and the pandemic made that a lot worse so then our investigations are um are getting held up in those as well where individuals or organizations may be fined and it would be nice to actually see some of that
where there could be a little bit more direct um rather than us having to go through the court systems to do it having said that i do want to clarify that that's my opinion and not the opinion of the commissioner um but i do think that that's that's a real trend in the private sector legislation and i'd like to see that in all of the legislation as well so that um commissioners have the direct ability rather than going through the court system which just seems like a um a much slower process and um just doesn't it's just not efficient um for what we're looking at so i could probably talk forever about some of the other pieces that were mentioned
like the the uh legislating some security controls we do have a little bit of that in the health information act and some regulations but um the difficulty with that of course is that our legislation does not get updated fast enough and and security changes right so um there's always that there's that caveat there that well we could do it but then it's gonna be outdated in a couple of years and you know um the acts just don't get they don't they might get a few amendments periodically but actually getting a thorough review and update it's rare um for it to happen so um so you know it'd be nice if we could do that but i i just i'm not sure that it
would be as practical as we'd like um so i'll stop there because i could go on forever and ever on this one thank you so much and i really do appreciate the passion with which each of you is um is speaking and and appreciate the expertise so so that was my last question and i know right now there are people probably texting me to say you're running out of time so i'm just going to take the liberty of going a couple of minutes over time i'm trying to answer at least one question that we have from the audience and and that question is um i think it's probably meant for you rachel what is the oipc guidance on privacy
impact assessments or cloud computing projects related to alberta's pii but tim and martin you may also want to add rachel could we begin with you well i think the safe guidance would be do them please do a privacy impact assessment if you're in the health sector it would be mandatory um if you're in the public or private sector we'd look at it we'd review it for sure and provide guidance we do have some guidance and there's some guidance i think federally as well around cloud computing um and um not not not not to make light of it but i would say that another really smart idea is investigate the the cloud computing products that you're using
um you've probably heard of the blackbaud breach which has affected millions of albertans and that's a cloud cloud computing technology right that's public information that's out there um so you know and and there are cloud providers that that do get attacked so really be careful about the ones that you choose and do a really thorough review and make sure that your contracts with those organizations have enough detail in there that you get notified right away if there is a breach um or some other kind of compromise um we do have some there is some guidance available though both um uh i think it's federally um i can't to be honest with you it's a couple of
years old now so i'm not sure if um we actually signed on to it as well we might have so um so there is some out there but yes please do them and uh we were happy to review them we're also happy to take a phone call and just um provide some general ideas and uh um depending on what it is you're looking at as well the other thing i would say is one of the most common breaches we received recently and i'll end with this is um around amazon web buckets and people just forgetting to add the security on the amazon web bucket so they just buy it as is and it doesn't have the security in it and they start
using it and then the information is freely available on the web so um you know um just watch some of the basics like that as well i think amazon actually may have fixed that now so that it's that's not the case um but we we definitely saw a large number of breaches just related to not you know addressing the security when you buy the product um so that would be a pretty basic um place to start i think too gentlemen is there anything you'd want to add to that yeah honey there's to rachel's point there's a couple of free resources you can get or resource you can get online as well cloud security alliance just an update on
their control review that you can do before you start looking at a cloud service and they've also got a series of risk questions that you should be asking your executives so that they understand that when you want to move to the cloud here's the risk that you need to start answering and that's everything from how do you manage the data itself what are the different types of controls how do you demonstrate assurance that those controls are actually operating effectively and efficiently so if you get a chance go to the cloud security alliance they've got some great tools there if you are looking at a cloud-based product or cloud-based solution and some of the risks you should be assessing and some
of the controls you know to rachel's point about amazon that you really should be asking your vendor prior to signing up and shipping data up into the cloud i can only leverage what team was just tim was just mentioning right now i totally agree the one thing i'm going to add to it is information classification implement information classification schemes so that instead of dealing with every piece of data as a one-off trying to figure out the risk around it imagine buckets you know your most sensitive information to the least sensitive even to public kind of figure out ahead of time what kind of protections level and what kind of risks your your organization is willing to take regarding these buckets
then later on all you have to do is take a piece of information fit it can fit it in the right bucket and you don't have a whole bunch of work to do it's done already it's been done with your classification leverage information classification for these kind of activities too perfect the only thing i would have said in in addition to supplement the excellent response was yeah cmc iso have some good things but there are also some some good general key controls that come from the federal government and so the government of canada does this as a part of its partnership with the five eyes and you know it's yet another conversation what are those key controls
and how do you deploy them whether you're on premise or whatever cloud solution your platform you're looking to leverage but but yes you don't have to reinvent the wheel having said that i know i'm over time but i i want to quickly really express my gratitude to the three of you and your expertise wisdom and and the fact that you're willing to share the time to share the wisdom so thank you so very much uh very grateful to you best of luck and i hope to see you in the very near future maybe besides edmonton 2021 sounds fantastic thank you very much thank you