Canadian Government Entities Under Scrutiny for Lax Cybersecurity

Canada’s government sector is increasingly coming under scrutiny for lagging privacy and security, both in legislation and in practice.

 

In a sign of the times, figures released in February to the House of Commons reveal that the personal information of at least 144,000 Canadians was mishandled by federal departments and agencies, including the Security Intelligence Service and Department of National Defence. The breaches were widespread, impacting over 10 separate departments and agencies, with evidence indicating that these figures are being underreported due to inadequate reporting requirements. The Canada Revenue Agency led the pack with 3,020 identified breaches over the last two years impacting at least 59,065 Canadians.

 

Helical’s offerings meet the “Baseline Cyber Security Controls for Small and Medium Organizations” published by the Canadian Centre for Cyber Security and can be scaled up according to need.  You can learn more about how we meet these requirements here or for more information about Helical, visit our website.  


IT Projects & Black Swans

Have you ever been involved in an IT project that was difficult and resulted in a less than optimal outcome? I still joke about being a survivor of a large-scale IT implementation project. That was more than ten years ago and the memories are still fresh and painful. That is not to say that all IT projects end in disaster and I have seen a number of IT projects succeed in my career. Still the stigma remains and there is ample anecdotal evidence in the workplace that IT projects are particularly prone to failure.

Does this belief hold up under more rigorous scrutiny? According to Oxford University professor Bent Flyvbjerg, who has spent his career studying this subject, IT projects are actually not the worst type of project. He found that globally, across all industries, the percentages of projects that come in over-budget are:

  • 50% of IT projects
  • 60% of Energy projects
  • 70% of Dam projects
  • 90% of Olympic Games[1]

So only half of all IT projects come in over-budget. That somewhat mixed news for IT projects is tempered, however, by the obvious fact that IT projects are much more prevalent. IT projects are happening every day in organizations all over the world while large energy projects, dams and Olympic games are much fewer in number and less frequent.

In another study, Flyvbjerg and his colleague Alexander Budzier focused solely on a sample of almost 1,500 IT projects.[2] The projects in the study included enterprise resource planning, customer relationship management, document management, and other management information systems. Many of the projects looked at were in the US public sector, but surprisingly the results showed little difference when compared to projects in the private sector or other locations around the world.

Here is what they found:

Average IT project cost overrun is 27%

While that average might not seem alarming, what they were startled to find, and what that average was hiding, was this reality:

1 out of 6 IT projects had cost overruns of 200%

1 out of 6 IT projects had a schedule overrun of 70%

That means nearly 17% of all IT Projects are nightmare projects or what they call “black swans”.[3] Using a term popularized by best-selling author Nassim Taleb, black swans are “high-impact events that are rare and unpredictable but in retrospect seem not so improbable”.

There are many reasons for this high rate of IT project black swans but Flyvbjerg and Budzier point out a common finding was that sales and product development engineers and managers often have less than adequate skills in implementing the technology itself.  

The end result of these IT black swans is usually the same: increased financial pressure, reputational damage, and often loss of jobs, particularly those deemed responsible for the project. If a private sector organization is already weak before the black swan, the black swan IT project can often be fatal to its very survival. In the public sector, the organization survives but the public is left to pay for the mistakes through additional tax burden.       

To avoid becoming the next IT black swan case study, Flyvbjerg and Budzier say that we should always assess our organizational readiness through a 2-part stress test before beginning our next large IT project:

  1. Can the organization afford the cost if our largest IT project goes over-budget by 400% or more and if only half the benefits are realized?
  2. Can the organization absorb the impact of having 17% of all our medium sized IT projects coming in over-budget by 200% and missing the project deadline by 70%?

These scenarios seem far-fetched when viewed at the outset of the latest IT project but the records show they happen all too often and no organization or industry is immune.  

As I said at the outset, many IT projects do succeed, coming in on-budget and on schedule. According to Flyvbjerg and Budzier, the IT projects that are successful all share these 7 key characteristics:

  1. Stick to the schedule
  2. Avoid scope creep
  3. Break the project down into manageable pieces
  4. Have the right people
  5. Minimize turnover of team members
  6. Align with business needs
  7. Focus on single objective and measure all activity against that target

  

  


[3] Nassim Taleb, “The Black Swan: The Impact of the Highly Improbable”, Random House, 2007


Ontario Announces New Municipal Modernization Funding Program

Shortly after the Province let the air out of the tires of the Regional Government Review convoy, it announced another round of funding as part of the new “Municipal Modernization Program” (MMP). Small and rural municipalities across Ontario now have access to an additional $125 million through 2022-2023.

This new program allows municipalities to apply for funding to “undertake expenditure reviews with the goal of finding service delivery efficiencies and lowering costs in the longer term.” 

Some of the criteria include the use of an independent third-party reviewer who would identify savings and efficiencies. These reviews could include a line-by-line municipal budget review, a service delivery review, modernization/technology opportunities, and a review of administrative processes, all in an effort to create efficiencies and reduce costs.

The reviewer would present an actionable series of recommendations and the threshold for these reviews is anticipated to be between $20k and $200k.

The Province requires the municipality to provide the local Municipal Services Office with its intent to participate in the program by November 22, 2019 and there is a formal application (Expression of Interest Form) that the municipality must submit by December 6, 2019. The timelines are rather tight in that the work can start November 1, 2019 with the production of a final public report by June 30, 2020.

Each submission will be evaluated on a case-by-case basis and the Province determines which submissions are approved in the January – February 2020 time frame.  The Province also requires the third-party reviewer’s draft report by June 15, 2020, with the intent that the final report would be posted publicly by the municipality by June 30, 2020.

If you are feeling somewhat rushed to make the timelines, the Province has also indicated a second round of applications will be considered in the spring/summer of 2020.

It’s rather unfortunate that the Province won’t make public their third-party reviewer’s report (Regional Government Review) so that municipalities could determine if some of the gems provided to the Province might be worth considering as part of this next phase of municipal modernization.  

No doubt some of the suggestions made throughout the extensive consultation process may have provided some insight for the municipalities who now are tasked with establishing their priorities around the modernization program. Wouldn’t it have been great to capitalize on the work of Mr. Fenn and Mr. Seiling and launch into initiatives that had already been vetted by independent third-party reviewers? 

Ontario is approximately $350+ billion in debt and once again committed millions more of taxpayers’ dollars to municipalities to look to find efficiencies and reduce costs.

At the end of this regional government review process the Province backed off and did not advance anything meaningful despite the expectations that changes would be forthcoming.

In an era of outdated governance models, aging infrastructure, strained debt capacity and lack of funding for programs and services, who are we kidding here?

Why do we still need to kick the tires?          

Just saying…

So don’t miss out on your chance, and don’t let the short timelines intimidate you.

You are encouraged to express your letter of intent followed by your formal application in order to be considered for these additional funds. After all you are no longer the passenger but instead you have the steering wheel in hand.

We work with several municipalities across the Province. We know that there is still so much that your organization can do in order to streamline your processes, to create efficiencies, to source and implement new technologies, to better respond to your customers, to improve your programs and services, to explore shared services and to ultimately save $$$$.

“You can’t keep doing the same thing over and over again and expect different results.”

 ____________________________________________________

Using the improvement methods of LEAN Six Sigma and AccessE11 technology, we will make your organization simpler, faster, better and less costly. We help you cut the red tape, remove the non-value-added activities and defects in your processes, improve customer service, achieve measurable results and achieve cost savings.

Contact us today at [email protected]

 


Service Delivery Reviews 101

The Province of Ontario recently announced they will be partnering with municipalities without pursuing a top-down approach (a.k.a. not proceeding with regional restructuring).

Instead they will be providing municipalities with the resources to support local decision-making with additional funding of $125 million through 2022-2023. The funding will help municipalities conduct service delivery reviews, implement recommendations from previous reviews and undertake a range of projects such as IT solutions or process improvements.  The Municipal Modernization Program is application-based and all applications will be reviewed on a case-by-case basis.  

Why?

Well, over time, as municipalities and the needs of their citizens change, some services that have historically been provided may no longer be needed, or perhaps there’s a better way to deliver them. Oftentimes a review of the service is necessary to address budgetary pressures or to improve efficiencies and practice fiscal restraint.

As a result of the recent funding announcement, over the next while many municipalities will be engaging outside professionals to work with them to conduct service delivery reviews. Due to the level of detail and analysis that takes place with these reviews, municipalities often engage a knowledgeable, experienced, objective third party to guide them through the review and to remove any bias or perceived bias from the evaluation process.

Even though there are many consultants who can provide quality expertise it’s important to have a basic understanding of what a service delivery review is, its purpose and the work and analyses it will encompass.  

What is a Service Delivery Review?

A service delivery review is a systematic review of municipal services and programs to determine the most appropriate way to deliver them. 

It focuses on setting priorities and where possible, finding new, more cost-effective ways to deliver the services the municipality has determined it wants or needs to continue providing.

A review of local services and programs can be undertaken to improve a current service, meet new service demands and/or maintain a current service by finding efficiencies to reduce the costs of delivering it, for example.

A service delivery review is a rigorous evaluation process that asks questions such as:[1]

  • Do we really need to continue to be in this business/service?
  • What do citizens expect of the service and what outcomes does council want for it?
  • How does current performance compare to expected performance?
  • How is demand for the service being managed?
  • What are the full costs and benefits of the service?
  • Are there alternative/better ways to deliver the service?

There is a role for staff, Council, citizens and other stakeholders during a service delivery review and each should be asked these questions.

Service delivery reviews are labour-intensive, so identifying up front the staff with the range of knowledge and experience, and the resources necessary for the review, is extremely important to its success. Typically, this will be the staff who are familiar with the operations of the service or program being evaluated.

The review will look to see if there are internal improvements that can be made or if there’s a need to investigate other methods available to deliver the service/program. For instance, could the service be outsourced more cost-effectively than trying to deliver it in-house, could staff receive quality training digitally rather than travelling to classrooms, is there a different bill payment solution to use, etc.?

Council has a critical role in representing the public and considering the well-being of the taxpayers by determining which services the municipality provides, as well as providing direction on the specific outcomes or deliverables they want the review team to achieve.

Summary:

This is a very brief, high-level look at service delivery reviews. The Ministry of Municipal Affairs has a great online resource, “Making Choices A Guide to Municipal Service Delivery Reviews for Municipal Councillors and Senior Staff”, that sets out a six-stage approach to service delivery reviews.

The full guide was invaluable to me as the first CAO of a newly restructured municipality who was tasked with the responsibility of reviewing the services and programs of each of the five former municipalities and assessing whether they were still relevant in the new municipality and/or if there were better more cost-effective ways to deliver them.

Yes, as mentioned, service delivery reviews are labour-intensive, but they are also an extremely interesting challenge – and a process I thoroughly enjoyed. When you open up your mind to thinking outside the box and adopting new ways of doing things, it will save the municipality time and your taxpayers money. And that’s rewarding!

One Final Word

My article just wouldn’t be mine without including a small plug to remind municipalities that over this past year, we have added more professional members who offer a wide variety of amazing new and innovative products and services that can help you achieve those efficiencies directed by the Province.

Why not search muniSERV for the service you’re looking for?  You’ll be amazed at some of their offerings!

You may even find that consultant who can help you with your service delivery review! 

Susan Shannon is the Founder & Principal, muniSERV muniJOBS

Susan can be reached at [email protected]   855.477.5095

[1] A Guide to Service Delivery Review for Municipal Managers, Ministry of Municipal Affairs


North Carolina County loses Millions to Business Email Compromise and Phishing


Written by Michael Castro, vCISO and founder of RiskAware

Late last year, Cabarrus County in North Carolina fell victim to a crafted email asking to change banking information for a contractor with whom they had started business earlier that year. Within 3 weeks, the County had sent more than 2.5 Million dollars to who they thought was their contractor. It wasn’t.

It took a few more weeks to discover that they had been compromised. When the dust settled, the County was able to recover some funds, including a mere $75 000 from insurance, but even now, more than 1.7 Million remains unaccounted for.

Last year, losses to business email compromise topped 1.2 Billion dollars. As such, it is clear how an easy scheme can net quite large returns, and why it is so popular amongst cyber thieves.

Just the month previous, the city of Griffin in Georgia lost $800 000 in a compromise scheme.

Email as a process is not enough to deal with impersonation email, email fraud and wire transfer processes. Municipalities need to build new processes with checks in place to prevent the easy route of email compromise and fraud. Changes to accounts payable processes, proper cybersecurity planning and education can all greatly improve the chance of such a scheme being caught before any money is lost.

Municipalities should also consider bringing in cybersecurity experts to help with governance, compliance and process models that go beyond technical security controls and systems. For those government groups that have smaller budgets set aside for cybersecurity, a fractional or virtual Chief Information Security Officer (vCISO) is a good resource to help plan and build a more resilient cyber presence within the budget and capability of the municipality.

RiskAware is a boutique cybersecurity firm, specializing in Security Governance and Strategy, assisting organizations of all sizes with security and risk advisory services and security-on-demand capabilities. RiskAware and its founder Michael Castro also provide fractional CISO services.

RiskAware can be contacted at [email protected] or visited at www.riskaware.ca

 

 

 


What is the difference between LEADERSHIP and MANAGEMENT?

In short: leaders create risk, and managers reduce it.

LEADERSHIP ANTICIPATES THE BEST OUT OF PEOPLE, AND MANAGEMENT ANTICIPATES THE WORST. While leadership invites others to follow, management ensures the followers are following.

Leadership is the act of inviting others to a new and better future.  A leader inspires and creates change by casting a vision of a destination that is different, better, and achievable.

Management is ensuring that things happen by creating, communicating, and monitoring expectations. It tracks individual people to see that they perform as expected, as opposed to inspiring a number of them.

Leadership skills can be summarized as those skills relevant to interacting with large groups of people, and to inspiring and creating vision. Conversely, management skills are those which are relevant to interacting with individual people, and to specifying and monitoring performance.

Many of the skills required to lead people are also the ones used to manage people. However, the expression of these skills can be significantly different.  For instance, a leader needs to effectively communicate to be compelling and inspirational, and a manager needs to effectively communicate to be precise and personal.

Because of the skillset overlaps between management and leadership, it is quite possible that a single person assumes either of these roles.

 

Want to learn more about leadership?  Check out EVERYTHING YOU NEED TO KNOW ABOUT LEADERSHIP.


Why You Should Become an Asset Management Coordinator

Asset Management Coordinator – have you heard of this career before?

Well, if you haven’t, you’re about to hear a lot about it from municipalities over the next little while.  

Many municipalities are facing challenges to fund their infrastructure at levels that ensure their sustainability. With ageing assets, increased renewal needs and pressures from changing climate there is a need to do things differently and collaborate to address the “infrastructure gap”.

The end goal is for municipalities, provinces, and the federal government to leverage asset management planning to optimize infrastructure investment decisions. For example, in December 2017, the Province of Ontario passed O.Reg 588/2017 that sets out new requirements for asset management planning for municipalities.  

This makes the need to hire Asset Managers and/or Asset Management Coordinators, even more important and urgent. Therefore this is a rapidly growing and expanding career in Canadian municipalities.

So what is asset management and why do municipalities need an Asset Management Coordinator?

 

What is Asset Management?

 

Asset management refers to the systematic approach to the governance and realization of value from the things that a group or entity is responsible for, over their whole life cycles. It may apply both to tangible assets and to intangible assets. Asset management is a systematic process of developing, operating, maintaining, upgrading, and disposing of assets in the most cost-effective manner.

 

What kind of background and training do I need to have for this career?  

 

Many asset managers have engineering, finance and/or planning backgrounds, but another key criterion is project management, which a recent Public Sector Digest webinar, “Hiring an Asset Management Coordinator”, sponsored by muniSERV/muniJOBS, addressed as being integral to the success of someone looking to enter this career.

Municipalities reported that core competencies should be there but much more important is that you can tell them how you’d add value to the position. Because this is an emerging field, you have a great deal of liberty to build the position as you go.  Articulate it in your cover letter. You may not have all the skills right now but if you’re willing to learn, municipalities are willing to provide you with the right training to do the job.

The top skills reported are:

  1. Willingness to learn on the job
  2. Systems thinking
  3. Relationship building and
  4. Communications skills.

 

At present, there are no courses available at universities, although the Municipal Finance Officers’ Association of Ontario (MFOA) and Public Sector Digest can help.

For municipalities looking for an Asset Manager or Coordinator, muniJOBS has some candidates with Asset Management listed as one of their skills. To search candidates, simply register for a free Employer profile.


5 Ways to Deal with a Bad Boss

Dealing with a bad boss

Bad bosses can be deadly. One 15-year study found that when employees had a difficult relationship with their boss, they were 30% more likely to suffer from heart disease. Perhaps really bad bosses have lower coronary disease because their hearts are seldom used!

If you have ever said, “My boss makes me sick!” you might be right. A British study found that stress induced by a bad boss lowers immune response, and participants were more susceptible to a cold virus.

As with much in life, it’s not what happens to us, but what we do about it. A bad boss might victimize you, but you choose whether to be a victim. Strong leaders don’t wait, they initiate. If you have a bad boss, you can decide that he or she’s not unbearable and live with your situation, fire your boss by leaving, or practice upward leadership with some boss management.

Boss management or leading upward is one of the most popular topics on our website. Recently The Globe & Mail published my column on Five Ways to Deal with a Bad Boss in their Leadership Labs section. I condensed years of writing and coaching on this topic into five steps:

  1. Strengthen your credibility and relationship
  2. Check your timing and approach
  3. Don’t wait, initiate
  4. Speak up
  5. Fire a bully boss

Click here to read the column for a brief description of each step.

A reporter once asked the Dalai Lama why he didn’t hate the Chinese Communists. Now they have some bad bosses! The Dalai Lama replied, “They have taken over Tibet, destroyed our temples, burned our sacred texts, ruined our communities, and taken away our freedom. They have taken so much. Why should I let them also take my peace of mind?”


Thinking about thinking….

Daily we are required to make decisions, recall facts, and balance risks, whether at work or at home.

All of this requires considerable thinking, yet we don’t really pay much attention to how we do that. Is it because it’s so easy or because it is so hard?

Let’s explore….

If we were to ask a friend or colleague “What is the capital of France?” most will quickly come up with the right answer. Paris, of course. Easy question, and not a lot of effort goes into finding the answer. The same goes if I were to ask you to spot the pattern in this series of numbers: 122333….?? Yes, you got it. 4444.

But what if you were asked to come up with the answer to 15 x 24 without using your phone/calculator? If you are like most people, this question requires you to pause and think hard. If you were good at math in school you might be able to recall a shortcut or you just might have to get out pen/paper and figure it out the old-fashioned way. Unless you are a math superstar, it will be difficult to come up with the answer quickly but, given time, we can all do it.  The answer btw is 360.

If you consider yourself in the top 1% in terms of math abilities and are still feeling comfortable, here is my favourite math challenge of all time:

  • A bat and ball cost $1.10 to purchase
  • The bat costs one dollar more than the ball
  • How much does the ball cost?

Allow me to keep you in suspense as you mull that one over. The answer is at the bottom of the page.

What these mind exercises illustrate is something that Daniel Kahneman refers to as “Thinking, Fast and Slow”, which happens to be the name of his best-selling book from 2011. Kahneman, who is now in his mid-80s, is acknowledged to be the father of the field of behavioural economics. As a trained psychologist, and proudly not an economist, he has always been considered an iconoclast in his field of study. Along with his now deceased partner, Amos Tversky, he has spent a lifetime studying and gaining insight into how the human mind behaves.

As a result of their ground-breaking studies, Kahneman and Tversky came to realize that there are actually two systems at play in our brains which affect our reasoning, judgement and decision making:        

  • System 1 operates automatically in the background at all times. It is quick and intuitive requiring little or no effort to come up with an answer. System 1 allows us to answer “Paris” to the question about the capital of France. When we use this system to think we are looking for patterns and meaning from the information at hand. Consequently, it is prone to mistakes. We can easily make judgment errors and fall victim to bias and are generally unaware of these errors when they happen.
  • System 2 kicks in when System 1 can’t provide the answer, like in the example of 15 x 24. This type of thinking is necessarily slow and deliberative. It requires great effort and we have to pay careful attention. It works best when it tests and checks results from System 1. It too can be prone to errors if we become distracted and lose our focus on the task at hand.

As someone who has spent their career helping colleagues make important procurement decisions, there is much we can learn from Kahneman and the study of the human mind. How often have we seen rushed evaluations and distracted evaluators lead to the wrong contractor being selected and poor project outcomes?

That is not to say that evaluations need to be dragged out unnecessarily. The use of enabling technology and more effective evaluation methods can make a huge impact and result in better overall outcomes, while still being completed in a timely manner. I advocate for drafting more effective and efficient evaluation schemes. On your next RFP, consider asking suppliers to respond in a structured manner to avoid having evaluators engage in an endless cycle of page flipping as they seek to find the pertinent information.  Try using enhanced consensus scoring where you focus only on the differences in scoring that exceed a pre-determined variance. We often spend too much time debating the merits of a 6 vs 7 and too little time trying to reconcile significant differences of opinion. Finally, spend the time to adequately prepare and train evaluators, even those who have previous experience. Awareness of how the mind operates and the pitfalls to avoid can go a long way towards a better outcome.    

In closing, here are my top advice tips to evaluators:

  • Be prepared to invest the time necessary to the task
  • Don’t rely on your fellow evaluators to bail you out
  • Slow down your thinking and avoid the rush to judgment
  • Pay attention to the details
  • Use critical thinking
  • Be respectful of other viewpoints during consensus meetings
  • Be aware of your biases – everyone has them
  • When relying solely on intuition, pause and use slow thinking to check/recheck the result

The ball costs $0.05

https://www.wayfinderconsultinginc.com/

 
