Most CIOs focus on availability of systems, but my balance really is towards confidentiality of information and the integrity,” says David Kennedy, CIO of Orion Health.
This perspective is honed by his nearly two decades of experience working across information security – from technology to management – in various parts of the world. He was an advisor at KPMG for almost a decade, and was IT security architect with IBM Global Services for four years.
Kennedy joined Orion Health as a contractor in February 2012, and was made chief information security officer six months later. At the start of 2013 CEO, Ian McCrae, offered him the inaugural CIO role (previously the company had an IT manager), based on the security programs he set up. “He wanted me to implement my ideas within the IT area.”
“I am a hybrid CIO,” he says, smiling. “It means security is a thought raised in the beginning of everything we do.”
Related: David Kennedy of Orion Health: CISO to CIO
While security has raced to become the primary concern of CIOs across the globe today, having it as a priority across all business decisions is imperative in a company like Orion Health. The company, founded in 1993 as a boutique consultancy, is now a leader of health information exchange (HIE) and healthcare integration systems. Last month, it listed on the New Zealand and Australian stock exchanges, where it was valued at over $1 billion.
“When you’re in such a growing environment, you have to make sure you’re always delivering to what the customer needs, while backing it up with all of the metrics to prove what the need will be, and the activities you’re doing.
Security is a thought raised in the beginning of everything we do. David Kennedy, Orion Health
“One of my main focuses here is to develop secure solutions. And I bring all of that experience because security is one of our major priorities working in the health industry and the software industry as well.
“Those security techniques and processes are literally driven through business right from the top. I just make sure that everything we do is driven by the correct level of security,” he says.
The CIO needs to consider security the same way he or she does availability of systems. There’s no point in having an available system if it’s insecure, “because someone will be inside your network very quickly”, Kennedy says.
“So set your top down security framework right from the outset as a CIO, then drive that down into your areas and have a single framework.
People can have waivers if they can’t meet certain requirements and system owners can’t meet them, but stick hard to your single framework and have a single point of contact where the entire company can go,” he advises.
Related:The untrammelled rise of the cyber security professional
One of the first things Kennedy did was to create Orion Health’s Information Security Portal.
“We have a governance structure for security here that spans the entire world,” he says. “That is based on risk. We’ve trained our entire company to understand there is a single point of all things security related, the Information Security Portal.
“It needs to have that consistency across the world because then we have a single language. We understand the consistency and what the risk means.
“In fact, one person that works here is the most incredible security engineer I think I’ve ever met in 17 years, Tom Parker. His knowledge of application security is just incredible. So he works in development, leads development security. Our applications are born through the secure process.”
Kennedy also has an information security manager and information security officers in Orion Health’s offices in Europe and the United States (Orion Health has more than 1000 employees in 22 offices worldwide).
“That helps drive down that single policy framework consistency,” he says.
These offshore-based security focused staff report to him, not to their responsive teams, “so they can have independence”.
Next: The CIO/CISO portfolio: Protecting the core
Recently, Kennedy’s team launched a project called ‘Elastic Networking’ to “provide improved access to business critical core systems.
“We created the core network,” he says. “We pulled all of the core applications into this secure area, and then we have different architectural zones by which we can have different levels of security.
That means in one of the outer areas someone can bring a device and they can use it, but they won’t actually penetrate into the core network. Again, it is based on security.”
Kennedy has conducted a full risk analysis of all the different areas versus the needs of the executives, the needs of the customer, and created a map showing the risks.
One of the major business risks that emerged was connectivity, and the inconsistency and quality of the network. The smaller offices would have a much lesser experience than the major offices.
The mantra for all my teams is this: Simplicity, clarity, and visibility in all that we do. David Kennedy, Orion Health
“Elastic Networking was born to really have a high level of confidence in the network availability,” he states.
It also entails simplifying the supply chain so the company can leverage its size as it works with bigger partners like Verizon.
With Elastic Networking, Orion Health can subdivide the network into separate architectural branches and proactively shape network traffic, thereby increasing stability, security and visibility, Kennedy explains. The two major benefits include better performance and better availability.
All these changes have made a strong, but positive impact to the IT team, he states. “It has turned the IT team into a more strategic force. So they do less reactive work and much more strategic work, thinking about what future and innovation we can pull in two or three years’ time, rather than dealing with the problem today.”
The next phase will only allow people into that core network with an agent running on a device. That means it creates a space where anyone is BYOD, says Kennedy.
“You can’t really stop people from doing it and if you try and stop them, they’ll just find ways around it. So rather than trying to restrict people, you try and allow them to use it and just protect those core aspects.”
Another project, which goes hand in hand with the Elastic Networking is the ‘180 Degrees IT’.
“It’s about giving control back to the user for their laptop,” Kennedy explains. “The users will have high levels of administrator access to enable innovation. We have agents running on these systems, on the laptops, and that gives us configuration of all the individual laptops so we can see or we can help make the estate more consistent while allowing them to download things.”
It means they could contact the user before they have an issue. The team can identify if the user is running inefficient versions of software and automatically contacts the user to have all features and functions working at their optimum.
“If someone downloads a malicious tool bar, we can automatically send them an email to say that you’ve downloaded something that will affect your performance in three weeks. And then in three weeks, we can email them with this message: ‘You don’t have to delete it, it’s up to you, but here’s the procedure for deleting it’.
“If they choose not to, that’s fine; it’s just going to slow the machine down. And then in three weeks we can email them again and ask, ‘How is your performance?’ Again, it’s about giving that power back to the user and the transparency to help them diagnose their own problems.”
The Self-Service Portal is another project and provides a user-friendly IT support website designed to get the quickest and most effective response to low priority IT queries. “This is the go-to place for IT-related FAQs and how-tos,” says Kennedy.
Its features include the network and application performance monitor. “This enables every user to self-diagnose IT issues. If the user has a performance issue they can check the monitor to help determine the root cause of the issue.”
There is also a MacHelp area providing “great tips and tricks” for users who are new to Apple technology.
Leading the way with security
Kennedy started as a contractor for Computer Sciences Corporation in the UK, and this, he says, was the start of his education in information security.
Kennedy did not go to the university until “much later”, when he was with KPMG. But his initial role at CSC paved the way for a career in information security, as he worked on military-based information security and technology consulting.
“I left CSC after about two years, because the military security is very black and white; there are huge documents of what you can and can’t do.
“I wanted to learn much more about risk management and the balance of risk management, so I joined IBM in 2000 as an information security architect,” says Kennedy.
Strategy outsourcing during those years at IBM was “very big”, he says. “My role really was to interpret the security requirements and place them into the architecture for delivery.”
He worked mainly with financial institutions across Europe. He also worked with the UK Post Office, Deutsche Post, and Heineken.
“I left there several years later because I felt that my career came to a juncture where you can choose security management or you can choose security technology,” he says. “I felt as if the technology aspect was really starting to go offshore. I think you have more of a chance to make a difference if you do security management.”
He then moved into information security management consulting at KPMG, working with major financial banks like Barclays, Nationwide, Lloyds and Co-Op in the UK, and also worked in Germany and Turkey developing information security systems to support many different sectors. His KPMG assignments took him to the United States and then Asia – Taiwan and Singapore – working with BP and other KPMG offices.
Don’t be afraid to take on big projects, get yourself a good mentor. David Kennedy, Orion Health
At KPMG, he worked with the certification team, looking primarily at the advisory and audit against ISO27001, ISO20000, and other industry recognised standards.
KPMG also allowed him to complete his MBA. “They gave me the space and time to do it”, which Kennedy says was critical for anyone wanting to undertake this qualification.
He finished his MBA over two years, on part-time. His then boss gave him lots of time off to be able to study in between.
He found the MBA a “real eye opener”.
“It took me from understanding about delivery of projects and delivery of engagements to how organisations are structured, even things around venture capitalism and the finance side of things, which I wasn’t really subjected to or had exposure to during my career, all the way through to marketing,” Kennedy says.
His offshore stints exposed him to multicultural workplaces and leadership norms.
“Understanding the cultural differences really helped as well.”
He moved to KPMG in New Zealand, and after two years, worked as a contractor. Orion Health was one of his clients.
“After spending only a few weeks here, I decided this is the place that I wanted to work and I have been here ever since,” says Kennedy.
His message to ICT professionals and even students is to consider a career in information security. “It is something that will grow bigger and bigger.”
A good background, he says, is application security and code security.
“Start at the ground up, then make a decision whether you want to continue into technical or go into management.”
But he is emphatic about the importance of getting a technical background for a foundation.
“Start technically, because at the end of the day, it is all based on technical
stuff. Also, don’t be afraid to take really big career risks.”
This means taking on big projects. “Get yourself a good mentor”.
Game on: IT”s Oscar Awards
Game on: The IT team that can close the most tickets keeps this Oscar for a month.
Building a deep leadership bench, as well as developing and motivating his team members, are at the top of Kennedy’s agenda.
He has a compact team of 20 in Auckland, plus less than 10 people in the United States, and two in London.
He says it is important to have a clear strategy to ensure the teams can align to the common goal.
“The mantra for all my teams is this: Simplicity, clarity and visibility in all that we do.”
Gamification is one approach Kennedy uses for the ICT team through a program called Ticketmaster.
“There’s a little Oscar statue and the first week of every month the IT teamglobally goes through a competition for who can close the most tickets. Each ticket is weighted differently, it depends if it’s a priority one or a priority zero. And then it’s a race to the first week to see who wins this trophy. This trophy gets shipped around the world once a month.”
Kennedy says it was an idea that sprung up when he first joined Orion. He noticed that the tickets were piling up.
“You have to think of ways by which you can respond to what the customer needs, and the business needs. And Ticketmaster was a way to get people into spirit of doing things faster.”
He vouches for the positive culture at Orion Health.
“The market goes through constant change,” he says. “In order to meet that, you have to then enable your teams to not be put off by change. And the culture we have here really is one of constant change and saying: ‘What’s the next best thing?’. That comes from [CEO] Ian’s innovative mind.”
The global CIO
Kennedy is essentially a global CIO based in Auckland. So what are some insights he can share on working with teams and customers across the globe?
“Lead by the front,” he advises. “Commitment and drive are key, and working together creates fantastic results.”
The culture we have here really is one of constant change and saying, what’s the next best thing? David Kennedy, Orion Health
It is also important to listen to customers, both internal and external.
“‘Listen to your customer’ is a mantra that I now live by through my time at KPMG, he states.
“Make sure you strike a clear balance and add value uniformly” to both of these groups.
“It is very much a part of a collaborative crowdsourcing culture at Orion Health,” he says.
Stakeholder management is a key part of the role. He meets monthly with most executives, and bi-monthly with two other executives due to work commitments. “It is important to understand their strategies and needs so that I can mobilise them through technology,” he says.
Related:CIO to CEO: Career advice from Rob Fyfe
The upsides of the role
“I work with many people and continuously learn from my teams,” Kennedy says. “I’m fortunate that I can educate customers and employees about what we do and the culture we have here at Orion Health.
“The fast growth we experience allows for continual improvement, for pushing the boundaries of technology to better the company and improve the experience of the employees.
“Also, knowing that we are making a difference in the health sector is something that is very rewarding.” Photos by Tony Nyberg
This article is the cover story of the Summer 2014 issue of CIO New Zealand.
Send news tips and comments to email@example.com
Follow Divina Paredes on Twitter: @divinap
Follow CIO New Zealand on Twitter:@cio_nz
Sign up for CIO newsletters for regular updates on CIO news, views and events.
Join us on Facebook.