The Halifax Regional Police department is on the hunt for a new chief information security officer to develop and then manage its IT security, strategy and operations.
Until the newly-created CISO position is filled, HRP’s systems are presumably more vulnerable to outside cyber attacks. Just how vulnerable, though, the department isn’t saying.
“The field of IT security and delivery is evolving fast, and police departments’ security needs are unique and complex,” says HRP spokesperson Neera Ritcey. “In recognition of that, we are constantly assessing the effectiveness of our systems, and where necessary, we take action and are continuously improving our systems.”
The police department’s current business plan calls for the development of a cyber threat protocol and policy to help HRP combat external attacks.
As part of that work, consultant group KPMG was hired to complete a “Cyber Threat Assessment” on HRP’s security of systems, data and policies.
A completed version of that assessment was submitted last year, but in a December update to the Board of Commissioners, chief Jean-Michel Blais writes there are “disagreements regarding security application between HRP and ICT.”
The Coast submitted a Freedom of Information request last month for a copy of KPMG’s cyber threat assessment and any correspondence related to its contents. The request was refused.
Police inspector and HRP FOIPOP coordinator Donald Mosher claims the release of even a redacted version of the report or any of the emails about its contents “could reasonably be expected to harm the security” of HRP’s systems and operations.
Ritcey explains away those “disagreements” alluded to by Blais as part of the normal “back-and-forth” that happens with any project.
Nevertheless, until an agreement on the way forward is reached and until an experienced CISO is hired, HRP is apparently unable to implement the assessment’s findings.
Funding for the new CISO position was approved in last year’s police budget as part of an overall IT strategy. The future hire will develop a strategic view of security and operations, says Ritcey, and will act as HRP's liaison for all IT-related matters with HRM and partner agencies.
Candidates for the chief information security officer position will need a minimum 10 years in IT management, along with a lengthy CV of other high-tech proficiencies.
“The roles and approach to policing have seen unprecedented change,” reads a job ad. “Halifax Regional Police face increasing public expectations and scrutiny around their adoption of digital technology in their approaches to identifying, responding to and preventing crime in Halifax.”
The Halifax Regional Municipality is also looking for an outside assessment of its own IT security. A request for tenders released earlier this month asks for firms who can test out city hall's hardware and software vulnerabilities against attacks such as phishing and ransomware.