Security Leaders in Focus: Tracey Saunders, Dunedin City Council
Tracey Saunders’ CV isn’t that of a typical cybersecurity leader. With a lifelong career in local government, she was previously responsible for tackling a variety of business process problems at Auckland Council – which she typically accomplished with enhancements of IT. Despite having only started working in IT relatively recently, she has quickly gained a reputation amongst her colleagues and peers for taking the lead in information security matters.
A bent for cybersecurity
Joining Dunedin City Council’s IT team as Digital Services Manager, she took on the CIO role leading an IT team of 48 employees and contractors in 2016. Her own special interest is cybersecurity.
“I believe that cybersecurity needs to be in everybody’s CV, not just the security guys,” she says. “We recently hired a new Information and Enterprise Architect who is skilled in security. Our approach is to work collectively on our risks as well as our infrastructure.”
“Local Government was not seen as a prime target for cybercrime,” she says. “A lot of the information we hold is publicly available, the risk is reputational if you have the right back-ups and security protocols in place.
That said, Tracey is well aware that it doesn’t really matter how available information might be – it’s still vulnerable to cyberattack. “Our current threat is cloud technology – and the ability of it to be accessed without prior IT approval. We can control the security and access of our own environments, but when staff use unapproved SaaS products, IT unfortunately cannot opt out of data protection for our customers. However secure our hosting or SaaS arrangements, our data is still our responsibility wherever it resides.”
“My priority is making sure our cybersecurity capabilities are moving as fast as the threat outside. That, and ensuring everyone in the organisation is aware of the risks and how sophisticated phishing emails have become.”
Problem! What problem?
An early challenge for Tracey was the comparative innocence of Dunedin, a harbour city located on the south-east of New Zealand’s South Island. “We live in a very safe community,” Tracey says. “Dunedin has a low crime rate even compared to other New Zealand cities, and locals are extremely trusting. So, because cybercrime is not a local but a global phenomenon, we’ve had to get staff to appreciate the risks.”
She says council leaders have become far more aware of cybersecurity threats in recent years – and therefore the need to invest in protection. “Our team has worked to help them understand the ramifications, mostly using case studies of breaches in our industry so they can identify with the potential damage.”
“At some point most companies will have a cyber incident, the mitigation is the depth or breadth and the speed of recovery. Understanding potential weaknesses and mitigating them at speed is key. You must also be resilient when something does happen; have good back-up response so everyone can get back to work fast.”
Of around 800 council employees, 600 are computer users and are regularly reminded of the risks. “We give them the bigger picture face-to-face, but we also run campaigns about specific threat types – typically concentrating on phishing and whaling.”
Tracey says she reads a lot about cybersecurity and attends security conferences to keep across the bigger picture herself. “We subscribe to cybersecurity channels which provide useful guidelines and bulletins. I also like to start each day reading Blendle and Aeon to keep up with emerging trends in technology.
In terms of next steps, she’s looking into what adoption of the European Union’s GDPR regulations will mean for local government – as she believes New Zealand will follow likely suit within a year or two.
“We are now planning for that and other changes with better use of metadata and security classifications. Historically, companies applied metadata at the end of a record’s life, but now we know we need to address these critical issues at the start. When you’re rolling out born-digital applications you must do it up front, so you can respond to change later
Slowly does it…
Asked if she has any advice for her peers as she moves from Dunedin City council to new pastures, Tracey says that she is wary of deploying a lot of new technology too quickly.
“Around the time I became CIO, council leadership was wanting to transform the organisation, so IT was growing in importance,” Tracey says. “But it’s not possible to get the maximum value out of technology investments if you can’t increase your skill levels at the same rate. You must give people the right amount of development and training – and the time to master any new system.”