Hutt City Council beefs up cybersecurity with SSS Virtual Chief Information Security Officer service
Finding itself with less-than-ideal cybersecurity while the threat environment continues to ramp up apparently unchecked, Hutt City Council (HCC) knew it had to act fast, before the sheer good luck of not yet having fallen victim to an attack ran out. By engaging SSS IT Security Specialists and its Virtual Chief Security Officer solution, HCC has dramatically improved its cybersecurity posture, identified and addressed gaps in its defences, and created a security-aware culture in the organisation.
Hutt City Council (HCC) is a territorial authority governing the city of Lower Hutt, the country's seventh-largest city. The city borders Porirua to the north, Upper Hutt to the northeast, South Wairarapa District to the east, and Wellington to the southwest and west. It is one of nine territorial authorities in the Wellington Region.
The council represents a population of 113,000 and consists of a mayor and twelve councillors, with six elected from six wards (Northern, Central, Western, Eastern, Harbour, and Wainuiomata) and six at large.
Situation
When Information Technology Operations Manager Phil Baker joined HCC late in 2020, he was somewhat alarmed to find little in the way of formal cybersecurity practice. "It was a different time, so there wasn't much there; the security posture was weak as people didn't understand it or the risk," he relates. "Everyone was an administrator on their own laptop, and passwords were pretty basic."
Asked if the council had ever suffered a breach during this time, he says the concept of 'security through obscurity' appeared to have kept things safe. "That's really just good fortune more than anything else. But luck isn't a good nor lasting approach for decent governance."
Baker says improving matters was at least part of the reason for his hire. "They put it on my shoulders, and from there we started looking at things through a cybersecurity lens."
Solution
It soon became apparent that specialised guidance and expertise were necessary for an appropriately rigorous cybersecurity posture. "With limited budget the choice was trying to hire someone or look to outsource to a specialist which brings a full team to the job."
With prior experience of SSS IT Security Specialists, Baker says he had a known quantity on call. "Ultimately, we went with their Virtual Chief Information Officer offering as an accelerated way of getting the necessary cybersecurity strategy in place, along with a range of other measures designed to bring our data security regime up to an acceptable standard," he explains.
The V-CISO service provides senior strategic cybersecurity expertise on a flexible basis, with SSS personnel working alongside Baker's team, identifying and addressing gaps in strategy and execution. Strategic guidance takes into account specific requirements, along with an assessment and augmentation of current capabilities, practices, culture, plans, or roadmaps.
To date, services delivered include cybersecurity strategy, penetration testing, application security testing, the introduction of two-factor authentication, and day-to-day support of the security functions.
Results
Baker says the V-CISO service has proven invaluable, allowing HCC to get its cybersecurity measures up to speed rapidly and effectively. "The engagement has been great. With the service, we effectively buy a set number of hours, and SSS has been very flexible in its delivery allowing an accurate match of our requirements and timelines against their supply of expertise," he explains.
The service delivery has proven more effective than a full-time hire, Baker adds, as SSS offers a team with diverse experience and capabilities, which is unlikely in a single individual. "We tend to access SSS hours for higher level risks and tasks, while we do the lower and medium risks ourselves but have them sign off on it. That way, we get optimal value from the relationship."
With information security a pressing issue for any organisation connected to the internet, he says the Council enjoys a level of peace of mind it previously lacked.
"Infosec is crucial, and we work in an environment where we're impacting people's lives with rates, consents, parking and more. We've seen the penetration testing identify big holes which have been sorted out, and we've done 'friendly phishing' exercises to help improve staff vigilance. All in all, we've seen significant improvements to our security posture to the point where we're a lot more confident in where we're sitting."