CIOReview
CIOREVIEW >> Public Sector >>

Innovating Cities Securely

Marcelo Peredo, CISO, City of San Jose

The utopia where municipalities work as they should, citizen engagement and satisfaction is thriving, traffic is always optimal, everyone is happy, simply does not exist. Smart Cities in which a digital nervous system of sensors, a central brain, and data driven outcomes is probably evolving but is far from the utopian view often depicted for smart cities.

The quality of government services is increasing because of information and communication technologies as well as operational efficiency. This improvement can be seen in communities, towns, cities, states, and the nation. As technology improves our lives, officials often must make decisions on how they can also help their constituents. It is important to point out that these improvements are not just about technology but it is also about the human element and the procedures that work with the technology as the enabler. Another aspect is that sometimes the investment does not have to be significant to have a big impact. Also, working with the private sector and establishing partnerships may allow government to leverage technologies at relatively small costs. For that matter, Cities don’t have to be big either, small Cities may have access to technology in smaller portions with small or no investments in the form of Software-as-a-Service offerings. One last point to make is that the technologies to be implemented do not have to be in the ‘cutting-edge’ or ‘bleeding edge’. Solving a business problem efficiently with the right proven technology is the end goal.

Exponential data growth is coming via the Internet of Things (IoT) with smart lighting, building automations, emergency management systems, security and access control systems, intelligence grids, connected water treatment facilities, transportation sensors, and many other sensors in every area a City operates.

Smartphones and mobile devices will continue to displace the desktop or laptop with full capabilities enabling the mobile workforce. This will represent another level of complexity managing mobile devices and keeping tabs between City owned devices and employee owned devices.

Data Privacy concerns will be more prevalent and increasingly becoming a priority for States to review outdated Privacy Laws. California is leading the charge with the California Consumer Privacy Act that goes into effect in January 2020. The City of the future will need to embrace core principles surrounding privacy such as transparency, collecting only the minimum required data, allowing citizens to control their data, share only what is necessary, and implementing new technologies with privacy as part of the design process.

Innovations such as autonomous vehicles, smart traffic management, artificial intelligence, will give citizens incredible reach and function. At first security issues may plague these innovations with false starts. However, if history is an indicator, security innovations will also come through and allow for continuous positive change.

  ​As technology improves our lives, officials often must make decisions on how they can also help their constituents. It is important to point out that these improvements are not just about technology but it is also about the human element and the procedures that work with the technology as the enabler​  

So, how does the City of the future ensure its systems and data are protected?

There is not one single approach that will address the security concerns for a City. There are several ways, frameworks, methodologies, tools, and techniques, that could be employed. What will determine the most efficient and effective way to protect a City is its budget and the designed overall security approach. Following are the ingredients to include in a tailored security program.

Cyber-threat intelligence sharing is one of the key elements to fight cyber-crime. Security product vendors know it and capitalize on it by providing you threat updates as often as possible. When a vulnerability is discovered in the wild, it takes a few days or sometimes longer to get the fix out in the form of a patch or signature file. This gap in time is critical because hackers know that vulnerable systems are ready to be exploited. Being part of cyber-threat intelligence communities such as FBI Infragard, US-CERT, MS-ISAC, Arizona Cyber Threat Alliance, ISACA, IC2, and others, is more critical than ever. Having visibility and awareness on what is about to hit you may be the difference between being safe or being hacked.

Budget constraints in most Cities will require building small effective teams to be able to deal with current threats. Larger cybersecurity teams with access to large sets of tools will probably exist in few very large Cities while most Cities will have to use a combination of best-of-breed tools with the right private partnerships to get the work done. The combination of a solid security framework, risk management, and compliance practices in which all parts of IT play a role will help in keeping risk at tolerable levels. Understanding the current security posture of a City and knowing the priority of what investments to make will result in the best future state. Risk based roadmaps will determine the sequence, dependencies, and timelines of new technology rollout waves to mitigate existing risk and to adapt to the changing threat landscape.

In a very fluid economy where cyber-talent is constantly moving, the cyber maturity of an organization may be impacted constantly. Having a maturity model that assesses the current levels will provide visibility as well as the ability to compensate, adjust, re-allocate resources, prioritize, and invest before it has a significant impact on controls and operations. More importantly, the ability to provide coverage between existing team members and avoid single points of failure.

Adopting a framework may be the single most important aspect of a security program. No need to reinvent the wheel if NIST’s CSF, RMF, or COBIT, FAIR, CIS RAM, ISO 27005 and others is embraced. The benefits include a common language for all IT, leveraging existing knowledge, a solid risk management methodology, and a solid practice to extend to Cloud and IoT environments. Constant adjustment and monitoring of controls will ensure that the framework in place is effective.

Be ready for the big day which I hope it never happens. Cities are being targeted every day and situations like Atlanta, Baltimore, Valdez, Port of San Diego, and others will continue to happen. Strive for resilience so that you have critical infrastructure and systems up and running as expected and outlined. Perform Contingency Plan tests routinely and communicate the plan with all City departments. Ensure that the Business Impact Assessment is accurate and that all parties agree on the recovery time and point objectives.

At the end of the day, doing all the right things at the right time does not guarantee that the City will not be impacted but due-diligence and a good Incident Response, Contingency/ Disaster Recovery Plan will end up getting the City back in business as designed.

Read Also

How to Build a Techforce

How to Build a Techforce

Christian N. Schmid (Managing Director and Partner), Raffael Kazda (Associate Director), Daniel Wagner (Manager) and Annika Melchert (Senior IT Architect), all core members of the Banking Practice Area of BCG and BCG Platinion
Data Archival - Rest in peace

Data Archival - Rest in peace

Himali Kumar, Director Data Management, AutoZone
What Does RBG's Death Mean for the Investing World?

What Does RBG's Death Mean for the Investing World?

Jenny Abramson, Founder & Managing Partner, Rethink Impact
The New Bridges and Barriers to an Integrated World view

The New Bridges and Barriers to an Integrated World view

Brandon Beals, Director of Data & Analytics, Dot Foods
Data Literacy –What is it and Why Should Your Company Care?

Data Literacy –What is it and Why Should Your Company Care?

Lisa M. Mayo, Director of Data Management, Ballard Spahr LLP