Governmental auditing as a catalyst to improve cybersecurity mindset of LAC governments

News item | 07-12-2016

Latin America and the Caribbean still have opportunities to improve the cybersecurity mindset of their governments. Recent research shows that a large number of countries in the region have a minimal or basic recognition of this matter. This paper recommends the evaluation of Information Security Risk Management as part of government auditing to help increase the cybersecurity mindset of government.

Written by: Jairo Hernan Marin Agudelo, Juan Carlos Buritica Grajales, Carlos Andrés Arbelaez Velasquez. Auditors at Comptroller General’s Office of Medellin, Colombia.

Cybersecurity mindset of Latin American and Caribbean governments and the trust in e-government

In 2016 the collaboration between the Inter-American Development Bank (IDB), the Organization of American States (OAS), and the Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford, produced a cybersecurity report entitled “Cybersecurity Are we ready in Latin America and the Caribbean?” [1]. This report presents an up-to-date holistic picture of the state of cybersecurity of countries in Latin America and the Caribbean. It was carried out using an online tool to gather data from cybersecurity stakeholders representing different sectors.

As part of the report, the collected data was analyzed using the 49 indicators of the Cybersecurity Capability Maturity Model (CMM) developed by the GCSCC [2]. In this model, the indicators are divided into five dimensions, with “Cyber Culture and Society” being one of them. Each dimension is divided into factors, and each factor into indicators. Finally, in order to determine the level of maturity, each category has a set of indicators across five levels: 1. Start-up; 2. Formative; 3. Established; 4. Strategic; and 5. Dynamic (see Table 1 and Table 2).

Table 1: Government’s Cybersecurity Mind-set Level; Table 2: Level of Trust in e-Government (Source: authors, using data from Observatory of Cybersecurity in Latin America and the Caribbean)

Regarding the results obtained and presented in the report, some of the most interesting aspects are: government cybersecurity mindset and the Trust in e-government. The first one is analyzed on the “Cybersecurity Mind-set” factor by the “Government” category and the second one is analyzed on “Confidence and Trust on the Internet” factor by the “Trust in e-government” Category.

Pertaining to the government cybersecurity Mind-set, the report shows that 96.88% of the 32 countries analyzed in Latin America and the Caribbean, have an assessed level of maturity rated at 1 or 2 (see Table 1). In addition to the trust in e-government, the report shows that 87.5% of the 32 countries analyzed, have an assessed level of maturity of 1 or 2 (see Table 2). (Source: authors, using data from Observatory of Cybersecurity in Latin America and the Caribbean.

These results indicate that there are still opportunities to improve the cybersecurity mindset within the Latin American and the Caribbean governments, and also to improve the confidence with citizens in the services they offer.

Government auditing as one way to help increase the cybersecurity mindset of government

The Government auditing has been one of the most important mechanisms used across the world to monitor the way in which taxpayers’ money is spent. Traditionally, it has been focused on the economy, effectiveness and efficiency of government actuations and operations.

Nowadays, as a consequence of the digital revolution, there has been a change in the way in which the government and the citizens interact. The Information and Communication Technologies (ICTs) have been used to improve services deployment and covering, and even have been used to offer online transactions to citizens.

According to Organization of American States -OAS-, this application of ICTs to government functions and procedures with the purpose of increasing efficiency, transparency and citizen participation, is called e-government. Obviously, this new approach impacts the traditional way in which government has operated, and therefore also has an impact on government auditing.

It is neither effective nor efficient if government spends taxpayers’ money to implement online services that are not available when citizens need them, nor when the services are scarcely used because the citizens do not trust them. One way to evaluate effectiveness and efficiency of government actuations in e-government environment is to control that government online services will be accessible to users during planned hours of operations, and they are also reliable enough to make citizens want to use them.

One of the most widely accepted practices used to obtain an acceptable level of service reliability and availability regarding online services, is to perform an adequate Information Security Risk Management (ISRM). As a result, it is reasonable that government auditors look for evidences from an appropriate ISRM on government online services, and not only in the financial information systems.

The regular application of government auditing has promoted beneficial changes for the audited matter. Because of the rigorous control applied by the auditors on government financial operations over the years, the government functionaries are very diligent about executing these operations with great care. The regular application of government auditing on ISRM could also promote beneficial changes, like a more careful design, implementation and operation of online services.

The findings derived from auditing normally generates improvement actions, which the government agencies and functionaries are responsible for implementing. In this way, giving more importance to ISRM with respect to government auditing could help to improve the security of online services, and also the cybersecurity mindset of government functionaries and agencies. In addition, it is reasonable to think that more secure government online services, will increase citizens’ confidence in e-government and their use of government online services.

This article first appeared in the second issue of the Global Cyber Expertise Magazine – November 2016.