Cyber Startup Observatory – Cybersecurity Leader of the Week, Rima Aristocrat, President and CEO of Willis College
Rima Aristocrat is the founder of the Willis Cybersecurity Academy, the Veteran Friendly Transition Program, TeKnoWave Inc., with a focus on indigenous programs, and is the primary founder of the Women in Technology Scholarship.
For over 150 years, Willis College has served Canada’s Capital Region by training the next generation of healthcare, business and cyber/network security professionals. Rima Aristocrat, President and CEO of Willis College, pioneered a new approach to skills training that engages prospective employers at the program development stage, injecting specific industry content right into the formation of the student’s diploma program. By tailoring diploma programs to specific industry needs, Willis College and the Willis Cybersecurity Academy have become a source of new talent that is helping to feed Canada’s largest IT hub in Ottawa and Kanata. Students use millions of dollars of proprietary equipment from industry partners such as Sophos, Fortinet and Check Point, which enables them to be job ready the moment they graduate, while at the same time positioning Willis College as the paramount talent pipeline for these growing companies and more.
Are there common traits to what makes a successful security program?
By far the most important trait of successful security programs is that they haven’t forgotten the human element. There’s so much focus on automation, but ultimately the systems we are trying to protect are used by humans and it is a human who we need properly trained and in a position to help implement the solution when problems arise.
There is a lot of talk in the Cyber community about ensuring Board or CEO buy-in to security programs. I believe this is important, but it is also important for the entire organization to buy in. Leadership at the top will drive change, but acceptance and broad adoption of standard security procedures will ensure a security program can be implemented and managed on-going to the benefit of the organization.
How can security executives get that buy-in from the top?
Security executives have a daunting challenge securing buy-in amidst the quarterly drive to earnings and pressure from markets for top-line performance. Many security executives use the threat of a breach to capture the attention of their masters, and while this may prove to be effective in the short-term, ultimately it engenders a fix-the-problem mentality rather than a preventative on-going approach to security management.
From my experience, while the C-suite makes the ultimate decision on organizational management, security executives should look to securing buy-in from middle and lower management, and ultimately the front-line team. By securing broad support from across the organization, upper management is more inclined to listen and perhaps adopt a new approach to security management. This approach not only improves the potential buy-in from upper management, but also gives the security executives a new series of inputs into their proposal that may more appropriately align the initiative with other organizational objectives.
What soft-skills can help security executives collaborate better?
This is a great question and one that ultimately hits home for my efforts as an educator at Willis College. Decades ago it made sense to silo expertise with sales, marketing, operations and security. In 2018, these silos are outdated, and ultimately each stream should include security as part of their mandate. Business schools should include Cybersecurity as a component of their MBA programs, and Cyber programs should include business, communications and Cybersecurity leadership training. Only with these combined will we truly be in a position to adopt robust security procedures across an organization.
What is the biggest challenge you face in the year ahead?
As an educator, the biggest challenge I face is keeping my programs at the Willis Cybersecurity Academy in line with emerging trends in the marketplace. Willis Cyber programs use proprietary equipment from leaders in the industry such as Fortinet, Sophos, Check Point and many more. Add to this the move to the cloud, and our administration and faculty must be constantly assessing which equipment and techniques should be taught in classes to maximize the employability of our graduates.
When the business is steaming along and wants to introduce new products or services, how do you make sure security is plugged in?
You will see a theme emerge in my comments, but this goes back to my point earlier about how all middle and lower management should have an eye for and be cognizant of security needs. The conception phase of a new product or service should include a security review or consideration, done by the leaders of those units. 20 years ago it was natural to have one person taught on the principles of security; however, now that the digital revolution has occurred, all members of the team should be aware of the principles behind cybersecurity.
How can we address the perception of cybersecurity holding back the business?
As an industry, we are saddled with the perception from security policies of 10 and even 20 years ago. Having to update passwords on a monthly or quarterly basis is a nuisance, and one that, at the right time, can impede business from moving forward, albeit temporarily. Not sending information over email and using fax, as the government tends to do, is another example. But as technology continues to evolve, we as security experts need to better nuance our security approach with the operations of the business and focus on educating our colleagues on the new security technology that is beginning to balance consumer and front-line staff needs with security management.
This also goes to my previous point that we simply cannot rely on one person or one team in an organization to be focused on security. It needs to be a whole-of-organization approach, from the sales manager up to the CEO, for a security program to be effective. Previous generations relied on one person or team to advocate for security, creating an us-vs-them mentality. The sales manager very likely has been using technology for most of their life, and could become a champion of security procedures that might be overlooked in today’s organizations.
We also need to remember that a robust security policy may ‘brief well’ but may be impossible to implement in an organization. We as security experts must focus on what technology our organization can reasonably be expected to implement and use. Otherwise our security policy may only serve to create a liability to our organization in the event of a breach.
As industry and academia turn their collective attention to addressing the talent gap in cyber and network security, it is vital that we broaden the scope of who can be trained for this field. Women, men, veterans, and individuals who are currently working in completely unrelated fields can be retrained for these important roles. Our industry needs dedicated, hardworking, well-trained people from all walks of life to fill the gap. It needs solid partnerships between experts and leaders in cybersecurity, academia, government and the community at large and consistent implementation of successful skills training models. Willis College and the Willis Cybersecurity Academy are ready to help them make the leap forward.