Recently, I was privileged to make the keynote presentation to more than 500 attendees at the Government of Canada's General Security Policy Conference, a kickoff event of Canada's second annual National Security Awareness Week in Ottawa, Ontario. It was an honor to personally meet and speak with at least one hundred members of the Canadian government's security team, each of which had a broad range of different government responsibility. This snapshot was poignant and resonant. I left this beautiful city with a graphic, enlightened perspective of the Canadian security landscape.

House of Commons
The day before my presentation, I was privileged to attend the "Question Period" (QP) at the House of Commons. The Canadian federal government system consists of a Senate and a House of Commons. The House conducts its business in the parliamentary style, and this was my first personal exposure to this raucous format, truly a "no holds barred" and "take no prisoners" proceeding. Canada's new Prime Minister, the Honorable Paul Martin, was at the forefront, defending his administration from his opponents' accusations of corruption. Under discussion was the question of who is responsible for the diversion of $250 million dollars of government funds by entities responsible to the Canadian federal government. While the diversion occurred during the term of Martin's predecessor, it was discovered during the current administration. A headline-grabbing issue throughout Canada, it could result in a change of administration depending upon which political party is before the microphone.

While the politicians are deeply divided on many issues, I was impressed with what was not up for debate. Among Canadian politicians, despite their divisions, there remains a fervent unity for national security. There is a clear "hands off" on this subject, even in the theatre of the House of Commons. It is a refreshing alternative to the incessant political attacks, where everything is fair game, common in American politics. Martin's positions on additional expenditures for national defense, improved relations with the US on border and business issues, and the establishment of a department that will evolve into the equivalent of the US Department of Homeland Security (DHS) are not questioned or discussed by the opposition. The General Security Policy is not raised as a political issue but is supported all across the board.

Government Support of Security
Canada has written and passed a General Security Policy (GSP) creating a federal standard for security. It is the security benchmark the provinces must meet or exceed. This forward-looking policy outlines the requirements for physical security, security access to classified information, information technology, business continuity, data security, risk management and the integration of security into all facets of government. While the many agency acronyms legislated within the GSP drove this American bonkers, Canada has created a national security infrastructure that could serve as a model for Americans. The new Prime Minister is a strong advocate of security integration, and I am sure we will hear more from our neighbors to the north. While we in the US are discussing the integration of security throughout the Federal agencies, as a matter of policy, the Canadians have implemented this strategy, as a matter of law.

Integrated Risk Management
The Canadian government has a Department Security Officer (DSO) in every governmental department, agency or tribunal, 97 organizations overseeing the military, museums, finance, police, health and more. While imbedded within these governmental entities with traditional reporting structure, the DSO also enjoys a functional reporting relationship to the Privy Council Office of the Office of the Prime Minister for cross-jurisdictional issues such as coordinated responses to terrorism, significant security issues, national disasters, etc.

The breadth and depth of the DSO's responsibility varies, depending upon the size of his/her organization. However, virtually all attended the Security Awareness Training seminars, as directed by senior government officials. Representation of all government departments at a single venue is not done in the States, and it is a notion we should consider. The training, information and message received in such a forum are consistent since everyone is listening to the same presentations. Additionally, the interaction among peers and senior management is valuable and informative.

I attended two training sessions for Business Continuity and Security Awareness. The Awareness session focused on the integration of security horizontally across the governmental organization and identified and reinforced relevant provisions within the GSP that make these efforts mandatory. The Business Continuity presentation discussed the necessity of building teams within various organizations to identify and mitigate the risks unique to those organizations. Business continuity plans, with deadlines, are an integral part of the GSP legislation, as is the mandate to all government organizations to conduct regular tabletop exercises to test those plans. This testing component is where many American companies fail. A business continuity plan is often written, placed on a shelf and forgotten. The Canadians understand one of the fundamentals of Integrated Risk Management: that the business continuity effort must be training-based.

The Risk Analysis GroupSM has received considerable interest in its two principle efforts, Integrated Risk Management SM (IRM) and the development of the Chief Security Officer initiative and curriculum. Imagine my surprise, as I continue to lecture on the necessity to implement IRM in the American public and private sector, to find that this is being done, as a government mandate, in Canada. The Canadian message is clear: If they can do it, so can we.

The Public and Private Sector in Canada
My keynote presentation covered the evolution of the Chief Security Officer (CSO) position over the past ten years. It is nearly identical to the presentations I have made in the US since 1999. The difference was the audience acceptance of the principles. Many members of the audience were certified in security (CPP), IT (CISSP) and Risk Management (ARM). Each was as attentive as the other. In discussions with the attendees, many agreed that governmental security staff must learn the dialogue, the acronyms and the methodologies of their equivalents and senior management in the private sector. I urged my audience to move government security to a new level, as a means of raising the bar for security practitioners throughout Canada. In Canada, the government is leading the security changes, while here in the US it is the private sector that is exploring the CSO initiative.

I closed my presentation by encouraging all in attendance to expand Security Awareness Week to include members of the private sector in equal numbers. Maximum effectiveness of the CSO and IRM initiatives will only be realized when they serve as the bridge between the sectors. Security has been raised to new levels in the past three years, and I applaud the Canadian government visionaries for their brilliant work to date. I am convinced that they understand that, while they have journeyed far, the final destination is still in the future.

Conclusion
What I experienced in Canada, while a revelation, was encouraging. The message is very clear. While the US private sector may be ahead of its Canadian equivalents, our government is lagging far behind. But if Mr. Martin's government can provide the leadership and support for the integration of risk management and security into government and management, so can we.

Over the years many of us have overlooked our Canadian neighbors to the north, much like the younger brother of a close family. Ladies and gentlemen, if we do not get ourselves in gear, little brother is going to take us into the wood shed. Much of the Canadian legislation is on the web site of the Treasury Board for the Government of Canada, and I encourage every reader to take the time to review it.

Discuss this article! Post your thoughts to RAG's message boards. If you have not used the RAG website before, you will be asked to create a user profile. The message boards are currently free for all users.

Integrated Risk Management Strategies:
From the Front Gate to the Hard Drive.

Presented by former U.S. Secret Service agents and other nationally recognized security specialists, this comprehensive two-day seminar offers practical solutions for preventing harm to staff, property, and information assets.

Earn CPP, CISSP, CLE, CLSD, PHR, SHRP and other continuing education credits!

Space is limited! Sign up NOW!

Atlanta
May 18-19, 2004
Barton National Academy
800-866-1122

For additional information or to register,
click here or call us at (310) 859-9853.

Upcoming Webinars

Corporate Travel Safety Webinar
April 27, 2004

E-Crimes: An Update And Discussion Webinar
May 18, 2004

Sarbanes-Oxley, Simitian, And More Webinar
June 8, 2004

Secure Email: A Risk Assessment Perspective Webinar
June 29, 2004

For additional information or to register,
click here or call us at (310) 859-9853.

Career Opportunities
Looking for your next great opportunity? Not looking but open?

Add your resume confidentially to the Risk Analysis Group Resume Database.

Our placement experts will contact you with exciting opportunities.

cnn.com
Feb. 16, 2004
"Expert: Microsoft dominance poses security threat"

news.com
Feb. 24, 2004
"WIll IM be the next security culprit?"

CSO Online
February 2004
"The Optimistic Pessimist"

CSO Online
February 2004
"Putting an End to Violence"

Risk Analysis Group is dedicated to providing information and resources to security-conscious professionals.

As a RAG member, you will have access to:

• The advice and experience of experts
• Research, white papers and presentations to get your security programs funded
• Education and training seminars
• Networking opportunities and information on career advancement opportunites
• Special Interest Groups (SIGs)
• Discounts at all Risk Analysis Group events and most external events
• Preferred pricing on all RAG services

"I came down from Canada to attend the Integrated Risk Management seminar in Boston, Ma. on November 3-4, 2003 and was not quite sure what to expect. What a pleasant experience it turned out to be. I sure got my money's worth and more! Rarely in my 28 year career as a senior security practitioner have I attended such a professional, educational, forward-looking and interactive seminar, presented by highly qualified and dynamic speakers and experts. These guys know what they are talking about! The seminar is designed in such a way that it can be of interest to new and seasoned security practitioners alike."

- Gerry Deneault, Government of Canada, Privy Council Office (the Department of the Prime Minister of Canada)