Most CIOs focus on availability of systems, but my balance really is towards confidentiality of information and the integrity,\u201d says David Kennedy, CIO of Orion Health.\nThis perspective is honed by his nearly two decades of experience working across information security \u2013 from technology to management \u2013 in various parts of the world. He was an advisor at KPMG for almost a decade, and was IT security architect with IBM Global Services for four years.\nKennedy joined Orion Health as a contractor in February 2012, and was made chief information security officer six months later. At the start of 2013 CEO, Ian McCrae, offered him the inaugural CIO role (previously the company had an IT manager), based on the security programs he set up. \u201cHe wanted me to implement my ideas within the IT area.\u201d\n\u201cI am a hybrid CIO,\u201d he says, smiling. \u201cIt means security is a thought raised in the beginning of everything we do.\u201d\nRelated: David Kennedy of Orion Health: CISO to CIO\nWhile security has raced to become the primary concern of CIOs across the globe today, having it as a priority across all business decisions is imperative in a company like Orion Health. The company, founded in 1993 as a boutique consultancy, is now a leader of health information exchange (HIE) and healthcare integration systems. Last month, it listed on the New Zealand and Australian stock exchanges, where it was valued at over $1 billion.\n\u201cWhen you\u2019re in such a growing environment, you have to make sure you\u2019re always delivering to what the customer needs, while backing it up with all of the metrics to prove what the need will be, and the activities you\u2019re doing.\n Security is a thought raised in the beginning of everything we do. David Kennedy, Orion Health\n\u201cOne of my main focuses here is to develop secure solutions. And I bring all of that experience because security is one of our major priorities working in the health industry and the software industry as well.\n\u201cThose security techniques and processes are literally driven through business right from the top. I just make sure that everything we do is driven by the correct level of security,\u201d he says.\nThe CIO needs to consider security the same way he or she does availability of systems. There\u2019s no point in having an available system if it\u2019s insecure, \u201cbecause someone will be inside your network very quickly\u201d, Kennedy says.\n\u201cSo set your top down security framework right from the outset as a CIO, then drive that down into your areas and have a single framework.\nPeople can have waivers if they can\u2019t meet certain requirements and system owners can\u2019t meet them, but stick hard to your single framework and have a single point of contact where the entire company can go,\u201d he advises.\nRelated:The untrammelled rise of the cyber security professional\nOne of the first things Kennedy did was to create Orion Health\u2019s Information Security Portal.\n\u201cWe have a governance structure for security here that spans the entire world,\u201d he says. \u201cThat is based on risk. We\u2019ve trained our entire company to understand there is a single point of all things security related, the Information Security Portal.\n\u201cIt needs to have that consistency across the world because then we have a single language. We understand the consistency and what the risk means.\n\u201cIn fact, one person that works here is the most incredible security engineer I think I\u2019ve ever met in 17 years, Tom Parker. His knowledge of application security is just incredible. So he works in development, leads development security. Our applications are born through the secure process.\u201d\nKennedy also has an information security manager and information security officers in Orion Health\u2019s offices in Europe and the United States (Orion Health has more than 1000 employees in 22 offices worldwide).\n\u201cThat helps drive down that single policy framework consistency,\u201d he says.\nThese offshore-based security focused staff report to him, not to their responsive teams, \u201cso they can have independence\u201d.\nNext: The CIO\/CISO portfolio: Protecting the core\nPage Break\nRecently, Kennedy\u2019s team launched a project called \u2018Elastic Networking\u2019 to \u201cprovide improved access to business critical core systems.\n\u201cWe created the core network,\u201d he says. \u201cWe pulled all of the core applications into this secure area, and then we have different architectural zones by which we can have different levels of security.\nThat means in one of the outer areas someone can bring a device and they can use it, but they won\u2019t actually penetrate into the core network. Again, it is based on security.\u201d\nKennedy has conducted a full risk analysis of all the different areas versus the needs of the executives, the needs of the customer, and created a map showing the risks.\nOne of the major business risks that emerged was connectivity, and the inconsistency and quality of the network. The smaller offices would have a much lesser experience than the major offices.\n The mantra for all my teams is this: Simplicity, clarity, and visibility in all that we do. David Kennedy, Orion Health\n\u201cElastic Networking was born to really have a high level of confidence in the network availability,\u201d he states.\nIt also entails simplifying the supply chain so the company can leverage its size as it works with bigger partners like Verizon.\nWith Elastic Networking, Orion Health can subdivide the network into separate architectural branches and proactively shape network traffic, thereby increasing stability, security and visibility, Kennedy explains. The two major benefits include better performance and better availability.\nAll these changes have made a strong, but positive impact to the IT team, he states. \u201cIt has turned the IT team into a more strategic force. So they do less reactive work and much more strategic work, thinking about what future and innovation we can pull in two or three years\u2019 time, rather than dealing with the problem today.\u201d\nThe next phase will only allow people into that core network with an agent running on a device. That means it creates a space where anyone is BYOD, says Kennedy.\n\u201cYou can\u2019t really stop people from doing it and if you try and stop them, they\u2019ll just find ways around it. So rather than trying to restrict people, you try and allow them to use it and just protect those core aspects.\u201d\nAnother project, which goes hand in hand with the Elastic Networking is the \u2018180 Degrees IT\u2019. \n\u201cIt\u2019s about giving control back to the user for their laptop,\u201d Kennedy explains. \u201cThe users will have high levels of administrator access to enable innovation. We have agents running on these systems, on the laptops, and that gives us configuration of all the individual laptops so we can see or we can help make the estate more consistent while allowing them to download things.\u201d\nIt means they could contact the user before they have an issue. The team can identify if the user is running inefficient versions of software and automatically contacts the user to have all features and functions working at their optimum.\n\u201cIf someone downloads a malicious tool bar, we can automatically send them an email to say that you\u2019ve downloaded something that will affect your performance in three weeks. And then in three weeks, we can email them with this message: \u2018You don\u2019t have to delete it, it\u2019s up to you, but here\u2019s the procedure for deleting it\u2019.\n\u201cIf they choose not to, that\u2019s fine; it\u2019s just going to slow the machine down. And then in three weeks we can email them again and ask, \u2018How is your performance?\u2019 Again, it\u2019s about giving that power back to the user and the transparency to help them diagnose their own problems.\u201d\nThe Self-Service Portal is another project and provides a user-friendly IT support website designed to get the quickest and most effective response to low priority IT queries. \u201cThis is the go-to place for IT-related FAQs and how-tos,\u201d says Kennedy.\nIts features include the network and application performance monitor. \u201cThis enables every user to self-diagnose IT issues. If the user has a performance issue they can check the monitor to help determine the root cause of the issue.\u201d\nThere is also a MacHelp area providing \u201cgreat tips and tricks\u201d for users who are new to Apple technology.\n\nLeading the way with security\nKennedy started as a contractor for Computer Sciences Corporation in the UK, and this, he says, was the start of his education in information security.\nKennedy did not go to the university until \u201cmuch later\u201d, when he was with KPMG. But his initial role at CSC paved the way for a career in information security, as he worked on military-based information security and technology consulting.\n\u201cI left CSC after about two years, because the military security is very black and white; there are huge documents of what you can and can\u2019t do.\n\u201cI wanted to learn much more about risk management and the balance of risk management, so I joined IBM in 2000 as an information security architect,\u201d says Kennedy.\nStrategy outsourcing during those years at IBM was \u201cvery big\u201d, he says. \u201cMy role really was to interpret the security requirements and place them into the architecture for delivery.\u201d\nHe worked mainly with financial institutions across Europe. He also worked with the UK Post Office, Deutsche Post, and Heineken.\n\u201cI left there several years later because I felt that my career came to a juncture where you can choose security management or you can choose security technology,\u201d he says. \u201cI felt as if the technology aspect was really starting to go offshore. I think you have more of a chance to make a difference if you do security management.\u201d\nHe then moved into information security management consulting at KPMG, working with major financial banks like Barclays, Nationwide, Lloyds and Co-Op in the UK, and also worked in Germany and Turkey developing information security systems to support many different sectors. His KPMG assignments took him to the United States and then Asia \u2013 Taiwan and Singapore \u2013 working with BP and other KPMG offices.\n Don\u2019t be afraid to take on big projects, get yourself a good mentor. David Kennedy, Orion Health\nAt KPMG, he worked with the certification team, looking primarily at the advisory and audit against ISO27001, ISO20000, and other industry recognised standards.\nKPMG also allowed him to complete his MBA. \u201cThey gave me the space and time to do it\u201d, which Kennedy says was critical for anyone wanting to undertake this qualification.\nHe finished his MBA over two years, on part-time. His then boss gave him lots of time off to be able to study in between.\nHe found the MBA a \u201creal eye opener\u201d.\n\u201cIt took me from understanding about delivery of projects and delivery of engagements to how organisations are structured, even things around venture capitalism and the finance side of things, which I wasn\u2019t really subjected to or had exposure to during my career, all the way through to marketing,\u201d Kennedy says.\nHis offshore stints exposed him to multicultural workplaces and leadership norms.\n\u201cUnderstanding the cultural differences really helped as well.\u201d\nHe moved to KPMG in New Zealand, and after two years, worked as a contractor. Orion Health was one of his clients.\n\u201cAfter spending only a few weeks here, I decided this is the place that I wanted to work and I have been here ever since,\u201d says Kennedy.\nHis message to ICT professionals and even students is to consider a career in information security. \u201cIt is something that will grow bigger and bigger.\u201d\nA good background, he says, is application security and code security.\n\u201cStart at the ground up, then make a decision whether you want to continue into technical or go into management.\u201d\nBut he is emphatic about the importance of getting a technical background for a foundation.\n\u201cStart technically, because at the end of the day, it is all based on technical\nstuff. Also, don\u2019t be afraid to take really big career risks.\u201d\nThis means taking on big projects. \u201cGet yourself a good mentor\u201d.\n\nGame on: IT\u201ds Oscar Awards\nGame on: The IT team that can close the most tickets keeps this Oscar for a month.\nBuilding a deep leadership bench, as well as developing and motivating his team members, are at the top of Kennedy\u2019s agenda.\nHe has a compact team of 20 in Auckland, plus less than 10 people in the United States, and two in London.\nHe says it is important to have a clear strategy to ensure the teams can align to the common goal.\n\u201cThe mantra for all my teams is this: Simplicity, clarity and visibility in all that we do.\u201d\nGamification is one approach Kennedy uses for the ICT team through a program called Ticketmaster.\n\u201cThere\u2019s a little Oscar statue and the first week of every month the IT teamglobally goes through a competition for who can close the most tickets. Each ticket is weighted differently, it depends if it\u2019s a priority one or a priority zero. And then it\u2019s a race to the first week to see who wins this trophy. This trophy gets shipped around the world once a month.\u201d\nKennedy says it was an idea that sprung up when he first joined Orion. He noticed that the tickets were piling up.\n\u201cYou have to think of ways by which you can respond to what the customer needs, and the business needs. And Ticketmaster was a way to get people into spirit of doing things faster.\u201d\nHe vouches for the positive culture at Orion Health.\n\u201cThe market goes through constant change,\u201d he says. \u201cIn order to meet that, you have to then enable your teams to not be put off by change. And the culture we have here really is one of constant change and saying: \u2018What\u2019s the next best thing?\u2019. That comes from [CEO] Ian\u2019sinnovative mind.\u201d\nThe global CIO\nKennedy is essentially a global CIO based in Auckland. So what are some insights he can share on working with teams and customers across the globe?\n\u201cLead by the front,\u201d he advises. \u201cCommitment and drive are key, and working together creates fantastic results.\u201d\n The culture we have here really is one of constant change and saying, what\u2019s the next best thing? David Kennedy, Orion Health\nIt is also important to listen to customers, both internal and external.\n\u201c\u2018Listen to your customer\u2019 is a mantra that I now live by through my time at KPMG, he states.\n\u201cMake sure you strike a clear balance and add value uniformly\u201d to both of these groups.\n\u201cIt is very much a part of a collaborative crowdsourcing culture at Orion Health,\u201d he says.\nStakeholder management is a key part of the role. He meets monthly with most executives, and bi-monthly with two other executives due to work commitments. \u201cIt is important to understand their strategies and needs so that I can mobilise them through technology,\u201d he says.\nRelated:CIO to CEO: Career advice from Rob Fyfe\nThe upsides of the role\n\u201cI work with many people and continuously learn from my teams,\u201d Kennedy says. \u201cI\u2019m fortunate that I can educate customers and employees about what we do and the culture we have here at Orion Health.\n\u201cThe fast growth we experience allows for continual improvement, for pushing the boundaries of technology to better the company and improve the experience of the employees.\n\u201cAlso, knowing that we are making a difference in the health sector is something that is very rewarding.\u201d Photos by Tony Nyberg\n.\nThis article is the cover story of the Summer 2014 issue of CIO New Zealand.\nSend news tips and comments to firstname.lastname@example.org\nFollow Divina Paredes on Twitter: @divinap\nFollow CIO New Zealand on Twitter:@cio_nz\nSign up for CIO newsletters for regular updates on CIO news, views and events.\nJoin us on Facebook.