The importance of inter-agency communication

Dec. 31, 2020 was a highly anticipated date.

We were going to put the old, pandemic ridden year behind us and embrace all that 2021 was to bring. And then January happened.

We’re dealing with the aftermath of a massive information security breach and an insurrection of the U.S. Capitol Building — security failures that placed networks, intellectual property, lives and democracy at risk.

Are we still in 2020, the Director’s Cut?

There will be significant resources expended on these, and other, incidents. The Solar Winds breach will continue to be diagnosed and more warnings will be issued — on top of what already has been advised by experts across the globe.

The assault on the U.S. Capitol will be dissected as a colossal security and intelligence failure. As I write this article, I’m listening to news outlets update the world on the lack of inter-agency communication and questioning how local law enforcement agencies did not pick up on the chatter broadcast days before Jan. 6.

What these events — and all of 2020 — have emphasized for me is to continually focus on risk, communication and resilience. As security professionals, we need to learn (again) from these events and bring those lessons back to our organizations.

We need to spend more time assessing the controls we have in place to reduce risks. We must start checking these controls on a regular basis to see if they’re working as expected, and still offering the protection against the risks we
initially identified.

It means more work for security professionals, but this needs to become a part of our overall risk-based approach to security. We can’t just assume the controls we selected and installed a while ago are still the best option to reduce risks today. We saw what can happen when we don’t maintain this vigilance. Let’s not forget this lesson as we lean into the new year.

Communication needs to be increased between security professionals, law enforcement agencies, and executives within organizations. I’ve taken this task on within my organization. I’m spending more time with external agencies and other security departments across Canada to share information on threats we’re facing and plans we’re putting into place to reduce risk. It’s going to take time, but the value of developing these relationships and creating this information-sharing approach will benefit all of our organizations. This includes the relationships I’m developing with law enforcement in my city and others.

Increasing our communication with executive leadership is another avenue we must all explore. We need to update our executives on the risks we’re discovering if we’re not doing this already. The goal is not to be alarmist but to be realistic in our risk assessments and objective in our presentation of potential likelihoods and impacts. Getting our executives onboard with our risk management program is critical to keeping them, and all our assets, secure.

Finally, I found myself thinking more about resilience for this first part of 2021. Recovering from a breach — whether it’s logical or physical — is something we all hope our organizations can achieve. Hope isn’t a plan, though. This is the time we need to collaborate within our teams, other departments and agencies to walk through our incident response plans and how we’ll recover from an incident. We need to be flexible, agile, open minded and diligent in our incident planning process.

We survived 2020. We can get through 2021. I promise!

Tim McCreight is the acting chief security officer for The City of Calgary (www.calgary.ca).