How do you describe your job to average people?
I manage a team that implements security measures to safeguard sensitive information at the enterprise and maintains the availability of critical systems.
Why did you get into IT security?
Simple answer is I have a passion for information security and love the challenges in this field. I was initially an IT infrastructure specialist, and securing the systems was an important part of my job. I got deeper into IT security when I was appointed to lead the centralized patch management and malware protection implementations.
What was one of your biggest challenges?
One of the biggest challenges has been changing the organization's culture about information security from reactive to proactive. In information security, the “if it ain't broke, don't fix it” mindset can be quite dangerous and result in severe consequences.
What keeps you up at night?
The fact that IT security management is becoming a more challenging job every day. We live in an era where the network perimeter has almost disappeared, sensitive data can be stored anywhere and malware is getting more sophisticated. We need to leverage more effective technology, improve processes and constantly educate our people to be able to catch up.
Of what are you most proud?
I have been a key contributor in improving the security posture of The Hospital for Sick Children, one of the top pediatric hospitals in the world. Leading successful implementation of enterprise patch management, endpoint encryption and security awareness training are all examples of what I have accomplished. Undoubtedly, support of IT management, and especially of our CIO, was essential in moving these initiatives forward.
For what would you use a magic IT security wand?
I'd use it to raise public awareness about cyber security. In a world where every end-user, hardware/software designer and executive is educated about information security, security practitioners would spend far less time on firefighting and would be more successful in helping the business achieve its objectives. The Ontario Privacy Commissioner has brought forward the philosophy of Privacy by Design, meaning embedding privacy proactively into technology itself. I truly believe the same approach should be followed for information security.