We now know what it is. We now know precisely what it means. A new normal. Three little yet big words. Life with COVID-19, because we can’t predict the future. At least not just yet. It is why CIO East Africa hosted a webinar titled Securing The New Normal In The Public Sector. The event was sponsored by Trend Micro, hosted by Indi Siriniwasa, Vice President, Trend Micro Sub-Saharan Africa, and moderated by Joseph Kang’ethe, CISSP, GCFW, CISM, ITIL. The one thing that kept coming up is talent, or rather, the absence of it. Joseph Kuria, Director of ICT & Risk Management, Commission on Revenue Allocation (CRA) illuminated this.
“ICT has never been considered as something which is as high a priority as other sectors. Someone in the finance department in government earns more than someone in IT. That is why you find you cannot retain qualified people who you have trained and can manage data centres. The moment you train them, they are poached by the private sector. The government needs to look at this as a major sector that needs to be looked into and well funded so we can move forward.”
He adds, “Most of the ICT projects we have, especially those that are cyber-related, like the National Optic Fibre Backbone (NOFBI) which has taken almost 13 years and we are not even complete. Why not finalise this thing? It is the runway upon which all the sleek aeroplanes will land and carry people. If we can conquer prioritisation, I think as a country we can get it right. Once you have that infrastructure, don’t worry about where you are going to find qualified people. They will come. Because it is an enabling environment.”
How has the Work From Home (WFH) model, and COVID-19 crisis, been a risk to your organisation?
Joseph: Within government, we have had a lot of challenges. Last year we had a terrorist attack where I worked. We were knocked out of our offices for close to a month working remotely. We had business continuity issues we had put in place. So when COVID-19 came, we were almost, but not completely prepared. We were in the process of moving to the cloud, but it was never 100 per cent ready for remote working.
Also, government employees are not tech-savvy. One of the challenges I had was training people online on how to use Zoom, Webex and others and of course, bandwidth. They could also not connect to the applications they needed. We had restricted access for security reasons. We had to risk opening it up with a lot of VPN connections.
When we gave staff equipment to WFH, they converted them into tool kits for educational purposes for their children, using them for other kinds of jobs. There was no way you could manage what they were accessing. Even worse, there was a lot of phishing. But people did not understand what it was. Yet we advised them to share suspicious email with IT.
In government, there is a sensitivity to what we discuss in our virtual meetings. Right now, we are talking about The Formula. The risk of information leaking, causing misinformation, distorting what the public gets, has been a significant source of concern.
COVID-19 has accelerated the public sector’s acceleration, forcing them to review their strategies. On the one hand the need to adopt technology for business continuity to ensure the public sector still performs, but there are risks such as an increase in cybercrimes and cyber threats, issues of privacy, balancing between personal and professional responsibilities. We also need to look to the private sector and how stakeholders interact with these technologies and learn from them.
Martin Mirero, Director of ICT, Huduma Kenya Secretariat: It certainly turned the playbook upside down in the public sector. The last few months have caused an almost complete assessment of the risk strategies we have in place. To a certain extent, this is good – being able to work from anywhere at any time is a growing global trend.
It has been quite disruptive. Which also presents opportunities for us to prioritise our investments and see how best to address these risks while striking a balance between usability, ease of use and convenience between different stakeholders and users, with a need to protect the assets we as organisations have.
Innocent Muhizi, CEO, Rwanda Information Society Authority (RISA): This period has distorted and disrupted how we do business. The networks we run different systems on to connect have been tested to the maximum. Not only on data paths but voice as well. All of a sudden, your ISPs are affecting CBDs of different capitals. Not just that. We now have to optimise network in the rural areas.
This has created a lot of security issues. Home networks are not as secure and robust as office networks. Besides, all the knowledge we had was tested. We shifted our orientation from ‘how do we work securely online?’ to thinking about it holistically. It has been an eye-opener, albeit a good one.
The fight against cybercrime requires trained professionals. Are there mechanisms within the public sector to improve talent? What are some of the tactics when it comes to attracting and retaining critical talent in the security space?
Innocent: There is no single bullet solution. It is not about how to keep good security talent. It’s technology and IT talent. They are very scarce and hard to keep once you get them. That being said, there are several strategies. We are looking at what I believe is a global phenomenon. And money is not the solution for everything.
What is the value you are creating for them in the tasks being assigned, career advancement, linking their work to addressing societal issues they are very passionate about? Combined with continuous education, not just for cybersecurity professionals, but any other technology professionals. But, that includes education and awareness of the general public, the end-user. Security is as good as the user. It is not a one-person game.
What are some of the technology, and more specifically, cybersecurity trends you see in the public sector?
Joseph: From where I sit in government and policymaking, I think the most significant challenge we have had since 2013 is pushing cloud computing. It saves a lot of cost in building infrastructure.
If you look at the counties, you see them trying to come up with data centres – a very costly venture which I don’t even think they will have the skills to maintain. COVID-19 has come at a very optimal time. Most entities are looking at how to get into cloud and security of data. I also foresee a lot of savings in travel and per diems, which is one of the most massive budgets in government.
What are some of the exciting challenges that CIOs and CISOs are currently facing in East Africa, according to your experience or sector, and regardless of COVID-19?
Martin: The most visible/immediate is the ongoing pandemic that has changed the way we work and interact, bringing new risks. I acknowledge the downsides. But the upside is we have prioritised having this conversation as leadership and purse holders in government especially.
Conversations around investing in security are getting more exposure and are being prioritised because this is affecting everyone. There is also a confluence of new merging technologies that have become ubiquitous but have not been structurally addressed from a security perspective in government.
Regulations and compliance around jurisdiction such as the GDPR, and the enactment of the Data Protection Act 2019 are also being brought to the table. I think CIOs need to have these conversations and create roadmaps on how to address some of these new challenges.
You have mentioned two very critical things: the environment and budgeting. No head of IT can do without referencing money. Is there money explicitly allocated to cybersecurity, or is cybersecurity part and parcel of the overall IT spend?
Innocent: I think it is a bittersweet situation. The ransomware and IT breaches we had the last couple of years sort of opened up understanding. We started to see specific budgetary allocations for cybersecurity. I expect this trend to increase over the next couple of years. However, it will also affect the overall IT budget, which is escalating.
Suddenly, we have seen budgets for digitisation and automation. This is a good thing. But it is wanted as soon as yesterday, and it cannot be provided because these processes take a bit of time and require a bit of talent to do that. It creates another challenge – one where we have to perform a balancing act. Assessing situations some CIOs and CISOs are facing right now, is one of data privacy and data security.
How do you keep medical records private? That is linked to governance and regulatory issues. Do we even have the regulatory instruments in place to govern these processes? We also need talent. And, now with people online, security risks need to be mitigated. Finally, how do you balance innovation, i.e., coming up with new tools and techniques to deliver services while at the same time running a business?
As you interact in the region, what are some of the things you are hearing from security partners and how does that drive your interaction and conversations with them?
Indi: I’d like to take a segue first. Education is vital. Do not just make sure all your tools are there, but how do you educate your staff? How do you train teams to work remotely and safely with the tools you have provided?
Things like skill shortage. Phishing. Let me put it all together. It is tough to have the number of skilled people solving problems or handling issues. We have got to look at automating security and managing responses in a better way for CIOs to analyse.
Most of the new security ware is going to be (Software-as-a-Service) SaaS-based. With Microsoft and AWS, we have the tool-set and the intelligence to respond better. Looking at where we are going, on the regulatory side, we can ask, what is the right governance protocol? Are your digital assets compliant? How do we provide you with this cloud? With this endpoint protection?
How do we look at everything and offer you a service? COVID-19 has done something remarkable. This is our chance to retrain people to understand technology. It is an excellent opportunity for the government to create new jobs for 4IR. It’s happening. This is the perfect springboard, and we can help you as a CIO.
For further insights into Vice President, Trend Micro Sub-Saharan Africa Indi Siriniwasa’s brilliant mind, listen to the rest of our webinar.