“I don’t do security anymore.”
That’s the last thing you expect to hear from someone who heads up IT security for an entire Canadian province. Yet it’s exactly what Jamie Rees proclaimed to a Toronto audience during his recent presentation at the SC Congress conference on IT security.
Since Rees is director of information assurance and chief information security officer (CISO) for the province of New Brunswick, what exactly does he do, then?
Rees not only explained what he does, but also how he approaches the CISO position from a philosophical and strategic point of view. He offered up his own unique perspective of the CISO’s role today and how it’s evolving.
It’s personal: Rees said his “most important job” is “making friends.” As soon as a new government department head is hired, Rees knocks on their door asking for a 20-minute chat. Why does he bother? So that managers don’t pigeonhole him as the Computer Crisis Guy. “(Don’t) be the guy who only shows up when there’s trouble, because you’ll get associated with trouble,” Rees said in an interview after his session. Building a personal relationship with other departments pays off, he said. “When I need help, those (managers) are my friends because I’ve been helping them.”
It’s continuous: Building relationships that are consistent rather than crisis-based helps bake a security-focused approach into the business. “I decided security was gonna be part of the business, not something to worry about later,” said Rees. “I’m trying to get them talking about security in the boardroom.”
It’s not policing: “The new role of the CISO is not to be an Internet cop,” Rees said in our interview. “It’s certainly been a struggle, changing that mindset from what I like to call the Internet cop to an enabler (or) a business person.” Instead of handing other department heads a blanket list of what they can’t do, Rees asks them what specific business outcomes they want; then he starts identifying risks to those outcomes from a security perspective.
It’s not just technical: “My job isn’t technical anymore,” Rees told the conference audience. “I don’t do security anymore … I try to do trust.” By building consistent relationships with other department heads – and proving he’s there to help meet their business goals – Rees gains their trust. That trust makes them more likely to heed Rees’s IT security concerns and advice when he does bring them to the table.
It’s concise and contextual: Rees does use technical tools. A dashboard program displays the current IT risk level for various government departments at a glance. “This is meant to be an indicator, a business indicator, that risk is going up or down,” he said. It’s easy for time-strapped, multi-tasking government managers to understand this visual indicator quickly, he added. “They’re very busy. They have lots of things to think about. This is one of them. We need to be able to deliver that in a format that is clear and concise and contextual. And that is the most important role of the CISO these days.”