NZ IT pros call for government CISO

New Zealand's government needs to appoint a chief information security officer to help safeguard government IT systems, according to an organisation representing the country's IT professionals.

New Zealand should appoint a chief information security officer to oversee efforts to keep government systems safe and provide a single point of reporting for vulnerabilities, according to the CEO of the Institute of IT Professionals, Paul Matthews.

Earlier this year Labour's Clare Curran revealed that an informant had alerted her to a security hole in a Ministry of Justice system. The government hit back over the disclosure of the flaw. Ministry deputy secretary, organisational development and support, Rose Percival, said there had been no threat to people's private information.

"This isn’t a member of the public inadvertently finding information. It appears to be about someone with IT skills deliberately trying to get into a Ministry IT system – the site where people apply to become licensed security guards," Percival said in April after Curran made the claim.

The incident followed revelations late last year that public computer kiosks provided by the Ministry of Social Development in Work and Income service centres were able to access private information on the ministry's network.

A review conducted by Deloitte found that security had not been adequately considered when the kiosks were designed, security holes discovered in April 2011 had not been addressed and that "risk management processes did not effectively escalate security exposures to management, nor ensure appropriate mitigating actions were taken".

Another review conducted in the wake of the kiosk affair under the auspices of government CIO, Colin MacDonald, found that many agencies had underdeveloped security processes.

The report, prepared last year but released in June, found that the "level of security management maturity across the state sector is lower than could reasonably be expected to provide the public with appropriate assurance about the safety of their private information". It found there were 13 government agencies "with potentially high priority unresolved vulnerabilities".

Things "really have been getting to the point where the public is saying that something's got to be done about it," Matthews said.

"Our view is we actually need government to step up and look at an all-of-government approach around the privacy and security," the IITP CEO added.

"That's why we're advocating a chief information security officer whose primary responsibility will be to set some standards across all of government in terms of both what should be in place, assessing what's actually in place, and also setting up ways that people can report vulnerabilities when they find them in an ethical disclosure manner."

After Curran was contacted about the Ministry of Justice's alleged vulnerability, police launched an investigation into the man who contacted the Labour MP. Having a central point to report vulnerabilities could help prevent situations like this from arising, Matthews said.

"Currently every ministry and every department actually does their own thing, and reporting of vulnerabilities varies by department and the protections that they put in place around privacy of information vary quite significantly."

There's work on whole-of-government procurement efforts, "but as soon as you mention all of government from the policy side of things, the message is that they don’t like that approach," Matthews said.

"But the fact is, that's what we need to get the standard [of security] up."


Stories by Rohan Pearce
