While organizations are becoming better equipped to navigate the tides of cybersecurity warfare, cybersecurity’s importance is only increasing in size and scope, made more urgent by the popularity of smart technologies, the increasing role of IoT, and the changing relationship between academia and industry. This reality can be clearly seen in the movements to protect Canada’s energy industry, one of our most vital resources. Amidst calls from CSIS for better cybersecurity hygiene across the sector, the development of stronger public policy, and a better understanding of the motives of international actors, the Canadian energy landscape is inundated with a growing list of responsibilities, needs, and, for some, opportunities. Nathan Snider, Manager of Policy & Outreach for the Information and Communications Technology Council (ICTC) had the chance to sit down and connect with Jamie Rees, Chief Information Security Officer (CISO) for Energie NB Power, the primary energy utility for the province of New Brunswick. This discussion comes in anticipation of ICTC’s upcoming report in partnership with the province’s Department of Post-Secondary Education, Training and Labour, which looks to evaluate the region’s demand for cybersecurity talent. Jamie Rees is a leading member of the province’s cybersecurity community, chair of the ICT-Cybersecurity Leadership Council on Youth and Education, and previously the CISO for the New Brunswick government. This conversation dives into the areas of responsibility held by Jamie and his team, the changing landscape of hiring skilled talent, and a commentary on diversity, education, and the future.Nathan:Hi Jamie, thanks so much for meeting with me. I’m wondering if we can start by learning a bit more about yourself and your role within New Brunswick Power (NB Power)?Jamie:I am the chief information security officer for New Brunswick Power. That means I am responsible for all of what would be deemed cybersecurity, and maybe more traditionally, information security, as well as our physical security elements. NB Power is a vertically integrated utility, which means we own generation of various types; a nuclear plant, wind, and water, and more traditional thermal plants—so we run the transmission system for the entire province. We also operate what's called the ‘energy control center’ or system operations, which manages the balance between how much electricity is getting used by our customers, how much we're going to generate, or how much we're going to ask to be made by our generation partners. It's our control center people who are really the unsung heroes of keeping the entire electricity grid operational. Beyond that we also have products that we sell for households and end users, like municipalities. We're continuously looking for products like smart thermostats, smart light bulbs, all smart home technologies. So, from an electron being made, the technology involved there, straight through the entire technology train, we're involved in almost every stage. And as you can imagine, as we get more involved in distribution and household products, we continue to expand our role in new security elements. The area of cybersecurity has produced a lot of need for the involvement of new cybersecurity-minded people. We're doing things with technology that the electricity business has never seen before. But at the end of the day, customers are counting on us. We're going to do things the right way and make sure everything we do is safe and secure for use.Nathan:It’s interesting that you mentioned expanding your involvement in the cybersecurity space out of both necessity and to foster innovation. Can we dive a little deeper into the work you do from a cybersecurity perspective?Jamie:Absolutely. We've been around for almost 100 years and next spring is our birthday, and throughout that time we’ve been involved in providing high quality, technology focused work. And despite a variety of changes, we have a legacy of doing great quality work that we want to maintain. When computers became popularized, PCs began appearing on people's desks and we were able to witness a whole evolution thanks to this new technology and, as a result, a developing business need. That same pattern repeats itself today: new technology means new ways of working and a greater need for cybersecurity. Our team was originally formed to focus on general IT services, like patching and antivirus work, which were some of the first security elements for our utility, and our engineers would have done whatever work was required of them in the control network area at that time. There’ve obviously been upgrades and changes from one vendor to another since then, but we’ve always maintained a long history of monitoring important systems that need to be secure. Taking care of operating systems, data pieces, websites, making sure employees are digitally secure, and maintaining proper levels of security awareness, just to name a few of our responsibilities. Having worked in the telephone industry myself in the late 90s, until the mid 2000s, there was a mindset from large software companies where you couldn’t change or alter anything until they told you, which is a much different environment than what we see today. Now they're offering various patches and making things happen faster without threatening to void your system’s warranty. It’s fascinating, technology has become more cutting-edge due to its exposure to the internet. Leading business software providers have had to cope, whereas operational technology or OT stuff has kind of hidden itself away until recently. We need to find a way to ensure that the OT path echoes the business technology roadmap but with the added challenge of the accelerated timeline. Ultimately, as a cybersecurity team and an organization at large, we're focused on getting to another hundred years and to the future of our organization.Nathan:Given how dynamic your cybersecurity focus is, how do you keep up with the demand for skilled talent? Is there anything unique you do to stay competitive?Jamie:You know, we’ve heard a lot about labour shortage issues. We knew that it was going to be hard to fill cybersecurity positions in the future. So, we developed a plan that said over three years, we're going to hire ‘this’ many people and fill out ‘these’ capacities. If the shortage is true, which we believe it is, we’d have to find another way to address the issue. You can sometimes hire people, if you’re lucky, that come with experience from somewhere else or maybe you can even hire consultants for a short period of time. But we felt, well, maybe we can grow talent internally, maybe we can shape our own skilled workforce. So, we got together with our HR folks, head office, and at least twelve different people internally to discuss compensation and talent development, along with several different aspects of labour relations, of course. After those discussions, everyone was happy with our direction and we built a brand-new entry-level point to foster and develop our own skilled cybersecurity talent within the organization.Nathan:So instead of struggling with the standard hiring process, you created your own hiring and training process and developed talent internally. Don’t you face issues when taking cybersecurity education into consideration?Jamie:Yes, so of course this is a heavily engineering-focused organization for various reasons. And that carried over in a lot of ways into our technology roles, which required an engineering degree or computer science degree. Usually a four-year program of some kind. Those people are great, they do a lot of great work, but I think we know that when you're constructing a building, you need an architect, but you also need the person that pulls the wires, the cabinet makers and the plumbers as well. They all have different levels of training, they don't all go to four-year programs, some go to a two-year program, an apprenticeship, or they do various other things to gain meaningful experience. We decided to consider those options with our cybersecurity staff. Certain jobs still require a four-year degree, because it's an architecture job, or something similar, and certain roles can be supported by shorter community college programs, like the ones offered here in New Brunswick. In fact, we helped establish some of these programs by providing input on their curriculum. This collaboration meant we could also take graduates from these programs directly and place them into some of our roles. And then, at a more extreme level, we’ve even built this new position where we actually hired a 17-year-old straight out of high school last year. We identified that the student had an inclination and aptitude towards the industry thanks to extracurricular school activities. Programs like the Cyber Titan initiative for instance. Cybersecurity is something we should be teaching more kids. I have a personal story myself about growing up and how technology made me what I am today, so the subject is important to me.Nathan:You mentioned before that some members of your team have a computer science background, others have engineering degrees, and a handful have only high school diplomas. Can you elaborate on the challenges you might encounter when hiring outside of the norm?Jamie:In the example of our high school graduate, basically what it came down to is that we have certain needs as an organization and he has needs as a talented human being that he wants to accomplish. We tried to align those two things and realize that the next 17-year-old we might hire may have a different interest, and we may have different needs, so hiring needs to become a little more flexible in that sense to attract new talent. But that's what's happening there. I mean, we made a certain profile, and it certainly took work with HR to better understand it and realize that we need to pay a person a certain amount of money, not because they have a university degree, but because they have a talent that we’re really looking for. So, it's an interesting conversation to have. We’re 100 years old and I think that its promising that an organization with such a long-standing history like ours, with policies and regulations, can still make changes in itself to better address such fast-paced industry changes.Nathan:How do you feel diversity plays a role within your cybersecurity team?Jamie:We’re pretty much 50/50 on the team when considering origin of employee. We have people working for us that came to Canada from abroad, as immigrants to Canada. We also have Indigenous peoples working within our organization thanks to our internship program with JEDI. From a gender diversity perspective, I think security industry as a whole has some way to go yet and our team still reflects that, we all need to get more gender-diverse applicants. We do have one individual who has worked with us for quite some time, since she was 19. She’s held various technical roles and works on access control, and making sure people get all the permissions they need on certain networks and those elements. Additionally, she controls elements of our security awareness modules and provides that form of support. To be honest, we didn't necessarily set out to build a diverse team. It just happened. To some degree that goes back to the capacities plan I mentioned earlier. When we looked at applicants for ability to meet a need, not necessarily having a certain credential etc., we had more latitude and ability to make different choices. We interviewed people and we put the best people in the right roles. The even outcome was accidental really but I think that's great for our team’s capabilities and it works well for us. We get along well together, we respect and enjoy each other’s company, not because a policy says we have to, but because we share a strong common purpose in security and the different skills and thoughts we each bring helps build success. NB Power is a very forward-thinking place that enables this.Nathan:You made a comment earlier where you highlighted that you believe there's a labour shortage issue within the cybersecurity field in New Brunswick. Why do you believe that is, and to elaborate further, what do you believe a solution might look like?Jamie:I do think there’s a shortage, and I want to point out that to me, this ties back directly to the gender disparity issue I mentioned before. Despite our current female members, we’ve had almost no female applicants for any of the cybersecurity jobs we've posted in the last two years. So logically, we’re missing out on 50% of our potential workforce. The female candidates we do have within the province are so few and far between. They’re exceptionally well-respected in the field, so naturally they’re sought after. Aside from, in terms of a solution—New Brunswick is already doing a great job sparking interest at an earlier age with cybersecurity education in schools. They’re starting in grade six and then entering broad-based technology courses in grade eleven and then grade twelve cyber security courses along with the Cyber Titan program. Trying to get people interested in technology and in cybersecurity at a younger age so that they end up in my queue later on is critical. I meet a lot of really bright young people and I can put them on my watch list. Then, if their name shows up in my pool of potential resumes when I post something in the future, perfect.Be sure to look for ICTC’s upcoming report on New Brunswick’s dynamic cybersecurity industry in spring of 2020. This report will explore insight from industry leaders, the demand for skilled labour and feedback from New Brunswick’s industry associations regarding the province’s exciting cybersecurity landscape. For more information, please visit: https://www.ictc-ctic.ca/new-brunswicks-digital-workforce/Nathan Snider is the Manager of Policy and Outreach for the Information and Communications Technology Council (ICTC). Nathan has taught in the School of Business and Management at Canadore College and the School of Business and Information Technology at Cambrian College. He sits on the Board of Directors for the Near North Mobile Media Lab (providing those in Northern Ontario the means to produce and present media art) and the Enaagaazing Makerspace (an Indigenous community-led cultural production hub). Through his work, Nathan has been a committed advocate for tech accessibility in Northern Canadian communities. Nathan’s previous research has focused on social and economic barriers to the ICT field facing Indigenous communities in Canada.Jamie Rees is NB Power’s Chief Information Security Officer. Rees is a member of the editorial advisory board for the UK based Cyber Security: A Peer-Reviewed Journal, a co-founder of B-Sides Fredericton and chair of ICTC’s National Cyber Security Leadership Council on Youth and Education. He also possesses more than 18 years of senior leadership and an award-winning history in the telecommunications, financial services, government, and utility verticals industry. Jamie is a recipient of the North American CSO 50 Award, the IT Association of Canada Ingenious Award for technology projects demonstrating outstanding business value, and was presented with the CyberSmart Award for student outreach and engagement in the field of cybersecurity. He holds an MSc in Information Security from Royal Holloway and is certified in cyber-risk oversight by the National Association of Corporate Directors and Carnegie Mellon SEI.
