
The Importance of Information Security and Data Privacy Support in Local Government

Abdeslam Mazouz, Chief Information Security Officer at City of Minneapolis

Our local government has evolved from providing basic services to its constituents to managing a complex landscape of services to address further complex needs such as public safety, transportation, health services and many others. Technology plays a crucial role in providing these services successfully and reporting on the efficiency of the process and the outcome.

With the complexity of technology and the massive amounts of data collected and processed every day, local government has evolved how it acquires, implements, and monitors technology solutions. In addition, strategies must be developed to manage what data is collected, how it is collected, where it is stored, and how it is disposed of when its purpose is obsolete.

These intricacies present new risks local government did not consider in the past. Moreover, the growth of the cybersecurity threat landscape has added more pressure to consider these new risks in a more scientific way. Many public entities overlook the importance of information security and data privacy, either because there is no tangible return on investment in these programs or because of the following notion: “No one will attack our organization because we are not that big and have no financial assets like banks and other private organizations.” These organizations fail to study the recent breaches and attacks involving similar groups in the government sector and to consider the lessons learned from these events.

Our work as security professionals and leaders does not stop at implementing technical controls from a strict technological perspective. Our role is not only to implement the basics. Our role is not to have a single focus. Our role is not to work within technology and ignore the business aspect. We can no longer afford to have a technology-focused mindset.

The security professional’s mindset has expanded and become more multifaceted. We must cover technical controls. We must build relationships with all branches of the business. We need to build a culture of security and privacy. We must cultivate relationships with all the other stakeholders to get support. We must implement administrative controls and physical controls. We must stay up to date with the changes in the infosec landscape and the regulations governing data. We must be risk-averse and speak the language of the business. We must market information security. We must implement and monitor security best practices and data protection standards. We must build a holistic program and promote it within the organization to secure the funding, support, and resources needed for it to succeed. 

I often discuss the important aspects of a successful information security and data privacy program with others, and the first words coming out of my mouth usually are, “We need to go back to the basics.” Yes, it is important to cover your basic security controls to protect assets, technology, and data. The basics set organizations up for successful implementation of an information security program because they are the key groundwork for everything else that follows. For example, we can’t implement a good security awareness program if the users don’t have multifactor authentication for sensitive systems and data. We can’t talk about business continuity planning if we don’t have a backup strategy and a disaster recovery strategy.

I am not going to give you a road map on how to implement an information security program or tell you what comes first when considering a data privacy program. What I am going to tell you is that these programs are a team sport. The days of everyone working in silos are gone. We need a collaborative approach between technology and the business to achieve the organization’s goal in the easiest, most streamlined, innovative and secure way possible. Risks are always going to be present; the key is managing those risks to minimize incidents and maximize resiliency. At the end of the day, our role as security professionals is to enable business processes and reduce risk. And the role of the business is to support information security and data privacy initiatives and provide at least the minimal resources needed to accomplish the strategic goals and objectives set forth by the organization. One group can’t exist without the other and one group can’t succeed without the other.

Finally, I would like to urge information security and privacy professionals to work with the business and to relay risk in business terms. In addition, it is essential that the business support our information security and privacy professionals and provide them the resources that they need. At the end of the day, if we win, we all win, and if we lose, we all lose.
