Watch this episode on YouTube.
Reasonably Accurate 馃馃 Transcript
Good morning builders. How's it going today? Um Bright and sunny Monday, hopefully, at least wherever you are just make sure everything's good up on the stream. We are rocking right on. Um Yeah, it's decently warm here. It's better than normal. Um, but Monday morning is always hard to kind of get the ball rolling.
Well, I feel like I'm pushing the boulder uphill today. Um mainly because it is Canadian Federal Budget week. Now, thankfully, I'm no longer with the Federal Public Service and this does not mean that um I am running around with my head chopped off like I used to.
Um, now I had a great time in the public service. Don't take that comment the wrong way. I spent a decade, um, working there on cybersecurity on forensic investigation, on policy on a whole manner of stuff and I really enjoyed it and I learned a ton, but budget week is always crazy, stressful, lots of stuff happening, lots of things moving around.
Now that I'm on the outside, it's a little more relaxing or at least it's supposed to be. Except last week CBC dropped an article that said, um up to a billion dollars could be sent on the Canadian federal budget on cybersecurity this year. Um or at least in this budget promised out.
So how many years that's over is remains to be seen and on what it is being spent. So I started, you know, wheels started turning because setting policy in a company is one thing and we all know how hard that can be to set a policy within your company, to encourage people to make a positive cybersecurity decisions on a national level.
Um is a whole another thing, it's completely a different ballpark that you're dealing with. And it's really fascinating. And so I was diving into that um this weekend, diving into that um this uh today as well. Um Hoping to write up my thoughts into something a little more compact.
Um and uh really kind of put forward an opinion on where we should be going as a nation, which sounds really egotistical and grandiose. But I think it's important for the issues like that as many perspectives as possible. Um Now, Canada has a national cybersecurity strategy that was done in 2010 and it really had three major pillars and that was essentially let's secure the government of Canada and its assets.
Um Let's work with partners in the industry to secure critical assets within Canada. So things like our telecom networks, our city infrastructures, um power grids, this kind of stuff. Um And then let's make some concerted efforts to make Canadians safer online. So the end result of that is the um fantastic get cyber safe program.
If you haven't seen that yet, I I'll link to that below. Really just tips and tricks on how to make smarter decisions as a digital citizen, right? So these are really good things for 2010. It needs to be, you know, there was a report issued I think mid last year about the efficacy of this strategy.
And there are some things that really need to be fixed, some working groups or committees that need to be adjusted, some ways to implement this strategy that need to change. Now, the strategy itself is pretty sound, it makes sense. Secure, go c like secure the government after assets work with partners um to secure the rest of the stuff and, and let's educate Canadians.
I don't think that needs to change. I think what needs to change is how we're working with partners. Um And how we're building a community of cybersecurity expertise within Canada. Um And I think there's a part for private sector, there's a part for public, there's a part for um academia.
Um and there's a part for um just general contributions from the citizenry, right? We've got a lot of talented Canadians, let's take advantage of that. Um So there's, there's some interesting stuff going on there, but one of the biggest issues I think, and we've seen this unfortunately in some bad examples um in the public eye, like the Phoenix pay system, um is that one of the key things for um cybersecurity is really just strong it, solution delivery.
You need to build security into the fabric of everything. Because my concern when I saw that $1 billion number in the budget and that's based on requests from government agencies saying we need this money to secure our systems is that that's all just going to perimeter defense, that's all going to band aid solutions.
A billion dollars worth of band aids. And that's really concerning now, that may not be the case and I hope that I am wrong. But I think realistically, that's probably what's going to end up happening. And that's generally a bad thing because that's just a stop gap measure and we need to really address the core issue and that's really building strong, high quality it systems and whether that's through contracting outside, whether that's internally, whether that's a collaborative community effort, whether that's active in the open source community, there's any number of ways of going about this, but security does not happen just by bolting it on.
If all you're doing is building permanent. This applies equally to a country as it does to the organization as it does to yourself. If you're just bolting security on, that's really a stop gap measure. It's going to maybe at best case, if really well executed, maybe get 60% of the threats.
You're far better off spending resources, focusing your time and efforts on building stronger programs to build better stuff in the first place. Right. It, security solutions that get bolted on or, and that's people process and things. It's all, you can't just have one, when they're bolted on like that, you know, you're, you're at best kind of plugging a leaky bolt.
Uh, you know where I'll take my Dutch reference and, you know, you've got your, your, your thumb in the, in the uh in the day I'm trying to break uh or trying to make sure that, you know, the fields aren't flooded out. Um Realistically, cybersecurity ends up being three things I mentioned it a little earlier.
I'll go over in detail right now. It's people, it's process and its product and whether the product is commercial or open source, whatever three PS is better than T for tech. So people are the core of it. People are the ones who are conducting business.
The people are the ones who are handling information. They need to be educated, they need to be able to make information, they need to be able to make decisions in context with the right information process is there to help people make those decisions.
It's there to make sure that you are regularly putting your information in the right risk context so that you're not needlessly publishing things that don't need to be public that you're not needlessly classifying things that don't need to be classified. So, process is important to help people and the product, the technology amplifies that process and those people and really all three need to be working if you over, invest in one and that's what I'm afraid this is, is an over investment in, purely in product.
Um, the other two suffer and you don't really have security. It's, um, you know, to take a clo or a more relatable thing is if you go to the gym and all you're ever doing is chest and arms, right? You see those gym, the gym monkeys are just huge biceps and huge packs and they're just monsters, right?
But they're not very functional. Whereas, you know, you looked at the Olympics the last couple of weeks, all sorts of different body types you need, you know, all these lean, strong muscle to a really powerful athlete as opposed to just a couple of muscle groups.
So, the same thing with cybersecurity, you need people, you need process and you need products all working in unison to truly be secure. So that's a big way to start the week. That's probably way too much to be thinking about. I should have picked something simpler.
Like, hey, we really need to make sure that passwords are in a password manager rather than cyber security at a, at a nation level on a nation scale. Um, but it's budget week. So what can you do? Um, I think a lot of Canadians are going to be talking about this and hopefully it generates discussion um in the community uh online here.
I'm at marknca. You hit me up on Twitter, hit me up on linkedin Facebook. Um I think this is a discussion that's equally applicable. It's interesting at the nation's state level, but um bringing it down to the organizational level, I think there's a lot of lessons to be learned there.
Um, I hope you are having a lighter Monday than I am. Uh, but always willing to engage and chat and I will talk to you tomorrow.
