This perspective is honed by his nearly two decades of experience working across information security – from technology to management – in various parts of the world. He was an advisor at KPMG for almost a decade, and was IT security architect with IBM Global Services for four years.
Kennedy joined Orion Health as a contractor in February 2012, and was made chief information security officer six months later. At the start of 2013, CEO Ian McCrae offered him the inaugural CIO role (previously the company had an IT manager), based on the security programs he set up. “He wanted me to implement my ideas within the IT area.”
“I am a hybrid CIO,” he says, smiling. “It means security is a thought raised in the beginning of everything we do.”
While security has raced to become the primary concern of CIOs across the globe today, having it as a priority across all business decisions is imperative in a company like Orion Health. The company, founded in 1993 as a boutique consultancy, is now a leader of health information exchange (HIE) and healthcare integration systems. Last month, it listed on the New Zealand and Australian stock exchanges, where it was valued at over $1 billion.
“When you’re in such a growing environment, you have to make sure you’re always delivering to what the customer needs, while backing it up with all of the metrics to prove what the need will be, and the activities you’re doing.
“One of my main focuses here is to develop secure solutions. And I bring all of that experience because security is one of our major priorities working in the health industry and the software industry as well.
“Those security techniques and processes are literally driven through business right from the top. I just make sure that everything we do is driven by the correct level of security,” he says.
The CIO needs to consider security the same way he or she does availability of systems. There’s no point in having an available system if it’s insecure, “because someone will be inside your network very quickly”, Kennedy says.
“So set your top down security framework right from the outset as a CIO, then drive that down into your areas and have a single framework.
“People can have waivers if they can’t meet certain requirements and system owners can’t meet them, but stick hard to your single framework and have a single point of contact where the entire company can go,” he advises.
One of the first things Kennedy did was to create Orion Health’s Information Security Portal.
“We have a governance structure for security here that spans the entire world,” he says. “That is based on risk. We’ve trained our entire company to understand there is a single point of all things security related, the Information Security Portal.
“It needs to have that consistency across the world because then we have a single language. We understand the consistency and what the risk means.
“In fact, one person that works here is the most incredible security engineer I think I’ve ever met in 17 years, Tom Parker. His knowledge of application security is just incredible. So he works in development, leads development security. Our applications are born through the secure process.”
Kennedy also has an information security manager and information security officers in Orion Health’s offices in Europe and the United States (Orion Health has more than 1000 employees in 22 offices worldwide).
“That helps drive down that single policy framework consistency,” he says.
These offshore-based, security-focused staff report to him, not to their respective teams, “so they can have independence”.