Cyber ​​security is not just about technology

So is cyber security a concern that should be in the entire municipal structure?

A “municipal entity” for cybersecurity is something that is broad and transversal for the municipality which is responsible for protecting the technological component and also for defining the course of action and strategy that should be reviewed, supported and supported by the municipal authorities, so that the different operational entities can then acquire the skills, good practices, habits and behavior to be defined .

We know the difficulties related to the lack of qualified resources in these areas that exist in the municipalities. Could this be a problem?

From the point of view of the need for resources, I would say there is a technological component, but there is also a process component and a cultural component. From the point of view of technology and procedures, it is clear that there is a need for financial resources – and perhaps in this respect Recovery plan and resilience (PRR) can help.

In this case, the municipal councils have to acquire technological resources and skills – even if at different speeds, which is related to their budgets, which are necessarily related to their dimensions. But there is also a procedural component that relies heavily on consulting services to help implement the range of best practices and procedures that come with technology and beyond. Having a specific cybersecurity strategy, with back officetechnology, specialized fields, and people’s skills and qualifications in particular [que têm funções] Operational issues are, above all, a cultural and training issue and an opportunity for professional rehabilitation.

From the point of view of qualification, except for those who guarantee the technological infrastructures, this is what we saw as promoters of the Governance in Cyberspace Group, which was created recently, and after having a dialogue with some partners who specialize in behavioral psychology who are involved in international projects.

Is it then possible to work with existing resources?

Here is a set of skills and qualifications that are, in fact, important for defining strategies, which, again, must align with technology. So it’s not just about technology. As for the application and what are the traditional processes, it is clear that it is a matter of harmonizing them and carrying out this rehabilitation process.

We understood, thanks to the experience we have in cluster And in other forums there is a tendency to say that people are not qualified because they are already of a certain age and are very accustomed to a certain profession, but these are the people who, in these behavioral areas and who have to do so with good practices and processes, are the easiest to adapt, because they are people , even through life experience and cognitive development, is more prepared for organizational issues and for what good practices and processes are. For example, younger recent graduates focus too much on technology or on very technical topics, in theory, and lack the organizational component.

I would say this is an opportunity for rehabilitation. Indeed, it is one of the things that this group advocates for: in fact, in addition to new courses, new academic careers and new curricula that may emerge, there is an opportunity here for the professional rehabilitation of people who are already on the market.

Go back to the municipalities: it is not a seven-headed beast. Will any municipality, even the smallest, be able to tackle the issue of cybersecurity?

It achieves! Obviously, each to his own dimension, but from the point of view of what the lower bounds are, [é possível]. The National Center for Cyber ​​Security (CNCS), two years ago, defined the National Cybersecurity Framework of Reference; he is framework Based on international standards and defining a set of stages to reach compliance with best practices in the field of cybersecurity. CNCS also has more lightfor organizations with the least ability to implement processes and technology, which is Minimum Capacity Roadmap for Cyber ​​Security.

At these minimums, one of the most important things is to have a risk analysis, as happens, for example, in traditional security. Again, cyber security is not invented. To the extent that some entities, some agents, and market players try to devise new concepts, even for commercial and marketing reasons, the concepts [base] already exists.

Obviously the needs are different, but we don’t invent the wheel; We apply it only to new facts and new elements that are part of this ecosystem. So I say any entity can do that, including small municipalities.

What should be the first step?

Starting with a risk analysis is most important. Identify hazardous assets from the point of view of information containers. They have to go to the technology component, compulsorily; Understand what the security of the technology is, what network architecture they have, and how it is thought of from a technology standpoint. This is something that the fields of informatics and information systems in municipalities will already do. Next, they should consider good practices in order to locate containers of information that need to be secured and protected.

Leave a Comment