Cybersecurity fixes 'incomplete' 4 years later, city auditor finds

City councillors were baffled to learn Wednesday that none of the eight recommendations in a damning auditor's report on how Ottawa manages its cybersecurity has been acted upon, four years later.

Auditor General Ken Hughesand his team were followingupon a trio of 2015 audits into the city'sIT leadership, how the department manages riskand how ithandles critical incidents but weren't able to closethe files.

Ahacker can take ...minutes to breach our system, yet we're still working on this four years later. I think that this is unacceptable.- Coun. Carol Anne Meehan

"There are some issues that remain incomplete that are, in our view, serious," saidHughes.

Councillors were briefed on the most sensitive matters how the city responds toIT security threats, for example behind closed doors.

• City of Ottawa IT system faces 'significant' risk, Auditor General Ken Hughes finds

Those earlier audits found thecity had"low maturity" when it came to understanding IT security risks, and often gave people without technical expertise responsibilityfor identifying technological risks.

'Why is it taking so long to do this?'

Coun. Jenna Sudds, who used to represent technology companies in Kanata North, noted IT risks have changeddramatically since 2015, and wanted assurancesthe city is keeping pace.

Other councillors wondered why it's taken so long to address the issues.

"Why is it taking solong to do this? I mean a hacker can take ...minutes to breach our system, yet we're still working on this four years later. I think that this is unacceptable," Coun. Carol Anne Meehan said.

City staff said they've implementedbetter training, put new processes in place, and now have a bigger budget since the first report.

"A lot of work has been done," said acting chief information officer Sandro Carlucci, who promisedto fulfil the rest of the recommendations by the end of the year.

CIO job still a revolving door

Meanwhile, the city is once again without a permanent IT leader to manage those risks. Seven people have held the chief information officer role at the City of Ottawa since 2012.

If we believe that cybersecurity is a priority, if we believe that service innovation is a priority, we need to put our money where our mouth is.- Coun. Jenna Sudds

"Other municipalities have not seen the same turnover. That's what makes it so striking here, and that's why we raise it," Hughes cautioned.

For example, Saad Bashir, who was CIO for 26 months, left recently to take a similar jobin Seattle.

But treasurer Marian Simulik, who is responsible for corporate services, noted turnover in top technology jobs is common.

"The City of Ottawa, by comparison, doesn't pay perhaps as well as private sector does. I'm certain Mr. Bashiris making a heck of a lot more money in Seattle than he was here. It's hard for us to keep them in place," she said.

• City treasurer tricked into wiring $100K US to fraudster

Sudds suggested following the City of Boston's model, where one manager is responsible for IT security and another for improving the way it delivers online services for residents.

"I come from this world, in a past life, I understand it's a very unique skill set. The ability to pay istough in this setting. However,I believe it is a very, very critical role in our city," Sudds said.

"If we believe that cybersecurity is a priority, if we believe that service innovation is a priority, we need to put our money where our mouth is."