Q&A: Interview with Peter Major, IT Security Advisor, INTACT
Peter Major is the IT Security Advisor for whole of government and IC & IT Security Manager for the ICT assets across government in the ACT. Peter is scheduled to speak at the e-Security for Government conference in Canberra in September.
Q. Peter, tell us a little bit about yourself, your background in ICT Security and about INTACT ACT?
A. No problem. My role in the ACT Government is IT Security Advisor for whole of government and I’m the IC & IT Security Manager for the ICT assets across government. A bit about my background? Well I have three degrees; a degree in Electrical Engineering, one in IT, and one in Accounting, and numerous other qualifications and professional certifications. I’ve been playing (well I won’t say playing) in the IT Security space for about the last 15 years. Before that I was in the Electrical Engineering side of things and in the IT field in private enterprise. INTACT came about in a funny way. Many moons ago when outsourcing became the flavour of the month, the ACT government took it upon itself and said “No, I’ll get a better return on investment by in-sourcing”. And out of an in-sourcing model, they formed INTACT. And now INTACT is the ICT provider to the ACT Government; all of its hardware, software and everything else.
Q. Now, E-Security is topically relevant as the Government is investing hundreds of millions of dollars in security measures for IT infrastructure. Typically, what are the common threats to the online security of Government?
A. The way I look at this is that the threats from outside are always present, however, if the threat from the actual government themselves… what happens is they want to deliver services yesterday – everything has to happen; they get a new initiative, they get a new budget imperative, and they want to deliver the services as effectively and efficiently to the market as they can, which then drives change. Unfortunately, with change happening so fast, you tend to lose the rigour of how change control happens and websites of importance become available too quickly. An instance of this was going back many years now, when they tried to launch their ABN Tax Number type set up in the ATO and that was a very, very short spanned project and with all of the pressure the teams were under, it ended up as a sacrifice in security to get the outcome and they paid the penalty. That is not an abnormal situation. Many agencies survive because they didn’t get pinned but even if we have to take a rigorous governance approach to all developments and all delivery of E-Government and E-Business. It may delay things, but that delay can actually save you a lot of time and a lot of money in the future.
Q. How can the industry, government and community work together to develop future responses to E-Security?
A. Industry? I’d like to see more tools, more standards, and more rigour in the standards for development of applications, for training; especially if you’re looking at the Education industry - educating our programmers and future developers on how to program and how to program rigorously. Government? Invest in R&D and invest local. Why buy overseas when we have some of the best ICT professionals here in Australia? And the community? Well, that’s going to be evolutionary. As mum and dad, and the baby boomers (my generation) fall off our perch, the kids are going to come along and they will know how to keep their PCs at home robust and secure and they’ll have security on their mind. Once they get past their Facebook and Twitter phase, hopefully their ability to put their Anti-Virus software and keep their firewalls up to date and not become an attack vector to be viewed by the enemy against us.
Q. Now, let’s talk about the role of awareness and education of E-Security and who this applies to? What steps are being taken currently?
A. Within Government, the steps are quite robust and rigorous. We’ve got the information security manual, we’ve got the protective security policy and guidelines, we’ve got the protective security manual, and we have a whole lot of standards we use in house. Rolling out governance and education within Government is quite good. Industry can see where Government is coming from, they’ve also been compromised themselves, so they know the rigour that has to be applied and they’re putting pressure on the development of software areas. So, for me, Industry and the Government are, I think, working there. What we’re not doing is investing in the community. We can see many incidents where E-Security and cyber crime and cyber attacks are not hitting the Governments and not hitting the business sectors, they’re actually hitting the end user. With identity theft – we’re not teaching the end user how to use their equipment safely, which then in turn removes a number of attack points that an educated assailant can use against Government and industry. You have to spend more, and I mean more, on our kids and on the public. Get them aware that that PC they have at home has more processing power than the average mainframe had a few years ago.
Q. Now for the E-Security for Government 2010 Conference I guess the driver is about safeguarding Australia’s critical infrastructure in the information age; tell us what is the value for a delegate, for a sponsor, or for a speaker in attending the conference?
A. For me, it allows me to use the delegates for peer review of what I’ve done. It allows the delegates to give me feedback on my philosophies, my policies, my governance models. It also allows me to gather information about what others are doing. There’s more than one way of skinning a cat, and my ideas may not be the best. Someone else can tune them and by attending a conference of this nature and getting a lot of peer input and a lot of compatriots talking together, I can glean and come back and get a better value for my investment and security dollar for the ACT. We’re only a small jurisdiction and any money I can save is money well earned.
For further information, go to: http://www.e-security.com.au

