redundancy or fail-safe security capabilities. He said that the COVID pandemic
exacerbated that challenge because it diverted limited staff focus away from IT security.
Marc explained how, in recent years, the level of threat in the IT environment has
increased significantly. For example, on the dark web today, hackers sell hacking toolkits for
significant profit, effectively weaponizing hacking tools for use by individuals needing
very little knowledge to do tremendous damage.
The goal of the new cybersecurity policy is to provide tools, strategies and guidance for
the benefit of all County departments whether supported by DoIT or by department IT
staff. He briefly discussed some of the tools and services DoIT employs to actively
monitor the County’s IT environment and detect intrusion. He provided some actual
events in which these tools and services were employed to good effect.
The new proposed policy was developed in collaboration with ITAC (Information
Technology Advisory Committee), following meetings with County departments and with
County Counsel. The policy provides minimum security guidelines and standards for
departments to attain. Marc acknowledged that some departments may be subject to
much higher security standards based on their business and data.
Marc emphasized the importance of consistent and comprehensive staff training, noting
that more than 70% of cyber attacks involved a human element. High-ranking County
officials are often targets of these attacks due to their level of decision-making and
discretion within the County. The County’s staff is its first line of defense against cyber
attacks.
Marc briefly discussed how artificial intelligence (AI) is presenting both exciting
opportunities and new and difficult challenges in terms of IT security. For example, by
agreeing to the Terms and Conditions of many popular AI platforms, staff may
inadvertently be consenting to the platform owning any data (potentially private data)
entered onto the platform via user prompts. He said that DoIT intends to bring a
separate policy forward specific to AI.
Nathan explained how these new cyber security standards and guidelines will be
socialized with departments to better understand the impacts associated with their
adoption and ensure their feasibility. Following BOS approval, next steps would be to
assess where security gaps exist and engage with those departments to elevate them to
the new standard for security.
Chair Burgis said it would be important to incorporate personal responsibility for
security breaches, so that education and training can be targeted to prevent recurrence.
She would like to see more awareness among staff as to the consequences to the County
and its clients of security breaches in terms of cost, lost time, and personal impacts.
Marc responded that the mandatory staff training would be conducted annually.
Vice Chair Andersen asked if DoIT has the necessary resources to respond to a major
cyber security event. Marc responded that DoIT now has a five-person team dedicated to