Making risk mitigation a priority
As conference speakers go, Tim McCreight is a breath of fresh air. During the Calgary Tri-Lateral conference in May he casually took to the stage to talk about “Common Sense Security.” The affable McCreight could almost have passed as a stand-up comic.
He started with a few humorous stories about his background and gave a light-hearted account of how he got to where he is now in the very serious job of Chief Information Security Officer with the Government of Alberta.
He’s spent 30 years in the business, and in his talk to security professionals on May 26 he touched on some of the bigger security gaps that have grabbed headlines in the last few decades. But he is by no means an old-school security guy. He has watched the evolution of the industry carefully and charted his career path to understand and address the needs of both physical and IT security.
In his talk, he spoke about the challenges posed by the ubiquity of multiple cell phone platforms such as BlackBerry, iPhones, Android and others that have different operating systems that can lead to multiple threat vectors in the enterprise today — what he calls “the price of cool.”
“I know a lot of companies are struggling with the dichotomy of wanting to increase employee productivity while trying to reduce risks to information,” he says.
McCreight’s advice is to assess the appetite for risk and determine where the pain point is.
“If you want to provide a more enhanced user experience, you’ll need to assess how far and what type of experience that is for your company. You should conduct a risk assessment against the type of access you want to provide. In some cases, you may want to search out additional controls like third-party applications or security software to help keep your information secure,” he says.
It’s also important not to forget user education. As with any new technology, spend some time helping users learn about the new platform, its benefits and its risks.
“This is one step you need to ensure is in your process. You’d be amazed at how far educating your users can go to reducing the potential for risk,” he says.
McCreight didn’t start out as an IT security specialist. In fact, his security background had humble beginnings after he left the Canadian Armed Forces and entered the hospitality industry in Winnipeg.
“My first security position was the Chief Security Officer for a downtown hotel in Winnipeg. I learned a lot as a newcomer to the security industry, like how to manage drunken curlers in the hotel lobby and catching vandals in the parkade. I didn’t have a dull shift, and I got to experience a whole new world,” recalls McCreight.
His first corporate security role was with Alberta Government Telephones (AGT), now TELUS Corporation.
“I was really lucky to land a position with corporate security,” says McCreight. “The management team I worked with was first-rate, and I got to learn so much from those folks.”
In the time he was with AGT, he got to manage major internal investigations, lead a toll fraud prevention and detection unit and direct the physical security program for the company.
“Along the way, I got a chance to work with some amazing individuals, one I still call my mentor — Walter Pigeon.”
Pigeon was one of the management team members at Alberta Government Telephones when McCreight was on the team. He’s now with the Edmonton Police Service corporate security team dealing with physical security requirements for police and community stations.
“He worked on files with me, giving me the chance to learn and practice these newfound skills.”
McCreight’s move into information security was really prompted by a chance encounter with Winn Schwartau — one of the fathers of information security.
“I got to meet and become friends with Winn while I was living in Florida at one point. We talked a lot about information security, some of the problems we saw coming, and what we’d do if we had a chance to fix things. That was all I needed to learn more about computer systems, so I sent myself back to our technical college here in Edmonton. I wanted to learn what I could about how information systems were designed, so I could help figure out how to secure them. Winn and I still haven’t solved all these problems…not yet,” says McCreight.
When McCreight was in Florida he caught a glimpse of the difference between what security in the U.S. can look like versus security in Canada. He applied for and landed a position with a local telecommunications company in Tampa, but in the end couldn’t get a NAFTA visa approved to work.
“The process for applying for the position was an eye-opener. During my interviews I remember one of the questions was if I had received my small-arms training. I had to ask why, and apparently the senior management team wanted their security director armed because of some restraining orders and threats against employees. I asked how quickly someone could call 9-11. I don’t think they saw the humour in that comment,” jokes McCreight.
The career change into telco helped him transition into information security positions. He stayed in the telecommunications world for a while, and got the opportunity to work with Bell in the West.
“We were a smaller team to start, but eventually became part of a large, professional security team within Bell Canada. I keep saying this, but I really did luck in again to land a senior position with such a professional team,” he says.
He moved from the private sector into the public sector, and accepted the Chief Information Security Officer position with the Government of Alberta in June of 2009. In the role he is responsible for the security of information and information systems across the Government.
Over the years, McCreight says his philosophy has changed when it comes to being open to collaboration on security projects.
“We used to be able to say ‘no’ to projects in terms of a business unit wanting to do something ‘new,’ then trying to get corporate security to simply endorse it,” he says. “It could be anything from leasing a new building, launching a calling card program or releasing an application from development to production. In the past, if we weren’t involved in the beginning, we’d get our backs up and say ‘no’ to put a halt on the project, giving us time to look at the potential problems this ‘new’ thing would bring to the organization.”
He discovered all that tactic did was develop an ‘us/them’ mentality, and, in some cases, the business units would simply circumvent corporate security altogether.
“Where I’m trying to focus now is on risk management. We need to start seeing ourselves as risk professionals, not just security professionals,” he says. “One of the key strategies I’ve always believed in is protecting your core assets. Regardless of the type of security you’re involved in, you come back to three key assets: people, property and information. These are the three things you’ll protect in your security career.”
His focus is on understanding the types of risks facing people, property and information within the Government of Alberta, and helping senior management understand these risks.
“We need to make sure we’re presenting these risks objectively so we can help senior management make policy decisions based on the information we’ve provided,” he says.
In the two years McCreight has been in the Corporate Information Security Office he has seen new Information Security Management Directives (ISMDs) signed into effect, and now the province’s Ministries are working on plans to ensure the Directives are incorporated into their information security programs. The ISMDs are based on the ISO 27000 series of information security management standards and were created using a collaborative approach.
“We engaged subject matter experts from across the government to develop these Directives, including Ministry CIOs and Ministry Information Security Officers. We also reviewed the Directives with legal counsel and corporate HR as well as our privacy team,” says McCreight. “We’ve taken an international standard and applied it to the Government of Alberta’s information security program.”
To further address the risk component of his responsibilities, McCreight recently introduced a risk management application for the Government of Alberta. “We’re really looking forward to using this application to help us assess the types of risks that are facing our people, property and information. The great thing about these types of applications is the level of automation and workflow that can be designed into activities like Threat and Risk Assessments, Business Impact Analysis, etc.,” he says.
The goal with this new application, he says, is to assess risks across the three assets, and determine if the government can reduce the risks of more than one area by implementing a control.
“That’s a lofty goal and one that’ll take some time to achieve. But what if we could show how the Government of Alberta can reduce the risks it faces on a couple of different fronts by implementing one type of control? That’s when you see the benefit this type of approach can bring,” he says.
In the future, McCreight says security professionals will have to learn to embrace change as it comes along and recognize it for the game-changing role it could potentially have on their careers and their organizations.
“I have to say I was caught off guard on how quickly the ‘consumerization’ of IT occurred. What I mean is, how fast companies have brought consumer devices into the workplace, like iPads and iPhones. That type of speed to market, and then penetration into the corporate environment hasn’t happened in a lot of years. Some folks (including me) weren’t quite ready for it,” he says.
McCreight says all security professionals need to start collaborating as a team to reduce the risks organizations face. He’s always been a big proponent of the “converged security” model, but admits it isn’t always a great fit for every organization.
“You can still work with the ‘other’ side of the security fence if you simply reach out and start sharing information. Eventually, you’ll start forming stronger working relationships and begin to see that all of us want the same thing: to ensure our people, property and information are safe and secure,” he says.
When it comes to security systems such as card access systems and CCTV running on the corporate network, he says there is still a divide between IT and physical security in terms of understanding the demands of technology on both sides of the fence.
“I know some IT folks don’t think blending these types of devices into the corporate network is a really good idea. In many ways, the IT security teams still don’t completely trust the physical security teams,” he says.
The argument, he says, typically goes like this: physical security companies do not have the same rigor when it comes to systems development, information security principles aren’t embedded into the operating systems and there’s a lack of patch management — just to name a few.
“What I think we need to focus on is an assessment of the technology; what the requirements are for the application or system, the risks this type of equipment could pose to the corporate environment, and if there are any existing IT security controls that could be applied to the system. It takes more work, absolutely, but if the teams can work together and develop a manageable solution, then it’s a benefit to the organization.”