Tim McCreight, MSc, CISSP, CPP, CISA, is the acting Chief Security Officer (CSO) for the city of Calgary, Alberta, in Canada. He has more than 35 years of operational experience in IT and physical security and in designing and implementing security programs using a risk based, business-focused approach.

McCreight began his security career in 1981. Since then, McCreight has held executive positions at several organizations, as the Chief Information Security Officer (CISO) for the Government of Alberta, a role with the Office of the Auditor General of Alberta, and as Director, Enterprise Information Security for Suncor Energy Services Inc.

He has also held various security and IT roles at Online Business Systems, Hitachi Systems Security Inc., Above Security – A Hitachi Group Co., EPCOR, Seccuris Inc., MTS Allstream, ARC Business Solutions Inc. and Bell Canada. Most recently, he was the owner of Risk Rebels, a global security consulting practice.

He was awarded a Master of Science in Security and Risk Management from the University of Leicester. In addition, he is a writer and a speaker at various conferences across North America on topics such as enterprise security risk management, combatting telecommunications, fraud and implementing enterprise security programs. He is also a regular columnist for Canadian Security Magazine.

 

A Greater Security Stance

As CSO of the city of Calgary’s Corporate Security department, McCreight is in charge of public security and protecting the city’s employees, including the Mayor, members of Council, citizens and visitors; information, assets and infrastructure. Corporate Security has two main sub-services: cybersecurity and physical security, and McCreight is responsible for both aspects. McCreight and Corporate Security’s main areas of focus under the sub-services include:

• Conducting risk assessments and developing mitigation strategies
• Providing security training and education
• Security monitoring and response
• Investigations and forensics

Officially, McCreight’s goal is to “work proactively to manage loss, identify, assess and mitigate risks; and ensure organizational resilience, safety, security and availability of services.”

Internally, McCreight manages teams within the security department’s sub-services: the physical security team, composed of the “guard forces;” investigative and intelligence units; and the cybersecurity team, including the information security operations team, advisory services team and an incident response team. He says, “We all work to ensure the security of the citizens of Calgary and our employees.”

His role as CSO also incorporates securing city information assets and systems. “It’s a chance to give back to the citizens,” he says. “That’s important to me.”

McCreight doesn’t consider himself any different than other security executives, whether they are a CISO or a CSO. “We all have the same concerns and fears,” he says. “It’s making sure we protect our people, property and information.”

What is different about his role are challenges that are unique to the government sector, this includes maintaining transparency to citizens, and protecting their information from harm and from being released inadvertently to malicious actors and to the public.

“For us, it’s a double-edged sword. We have to make sure we are open and transparent from a governance perspective, but also ensure we are putting in place the right controls to protect that information,” he says.

According to McCreight, some of the biggest challenges his department faces are constantly adapting to cybersecurity threats, as well as changes to legislation, regulations and privacy laws. Another major challenge, McCreight says, is that citizens are now more conscious of their privacy and want McCreight’s department to spend more effort to protect their information. “We have to understand and maintain a stronger security stance against threats that continually evolve in cyber-space,” he says.

 

Disrupting Old Security Models

Over the past five years, the perception that people have of security departments has changed, McCreight contends. When he first began his career, security departments were typically seen as the department of “no”, he says. “We told people, ‘No, you can’t do that,’ or no ‘No, you can’t do this’ because it’s against policy.”

That change has culminated with the release of ASIS’s Enterprise Security Risk Management (ESRM) Guideline, which takes a different approach to traditional security and one McCreight has deployed at the city of Calgary. McCreight says ESRM is the “first strategic security management tool of its kind, which elevates the security function by establishing a partnership between security professionals and business leaders to manage risks.”

The objective of ESRM is to identify, evaluate and mitigate the likelihood and/or impact of security risks to the enterprise with priority given to protective activities that help enable the enterprise to advance its overall mission. The guideline positions the security professional – McCreight – as a trusted advisor that helps guide enterprise security through the process of making security risk management decisions.

The guideline outlines four processes to  identify and manage security risks. These are:

1. Identifying and prioritizing Assets required for business objectives.
2. Identifying and prioritizing Risks facing these Assets.
3. Mitigating the Prioritized Risks.
4. Conducting Continuous Improvement activities.

“Implementing this model has changed the perception of the security department. We are now seen more as a business partner and trusted advisor, as opposed to a department that says ‘no,’” McCreight notes. “We now work with other business units to understand their goals and objectives, the Assets they need to be successful and the Risks facing these assets.”

McCreight and his teams are constantly learning about the city’s business units and their functions, and the role the security department plays as a trusted advisor to each business unit. “I measure our department’s success by how many engagements we have across the organization, how many opportunities we have to speak to business units regarding their goals and objectives and the risks they face. With the ESRM model, it’s really focused our work to collaboratively identify the risks within the business units and then collectively develop strategies and controls we can put in place to reduce risks,” he says.

 

New Decade, New Risks?

As we head into a new decade, McCreight expects an expansion of the threats that enterprise security has faced for a number of years, “such as malware, ransomware and threats to the cloud infrastructure” to continue, he says.

In Canada and potentially North America, McCreight also expects an increased focus on privacy. “With the onset of the General Data Protection Regulation (GDPR), and its movement into becoming an effective piece of legislation in Europe, I think we will see similar laws in North America, or at least that’s my hope,” he notes.

Many cyber risks continue to develop, McCreight says, from Facebook scams, to election security issues, to information breaches. “I see those pervasive threats extending even further,” he says. “But now it will cost organizations even more, as we increasingly rely on social media and on organizations to maintain and protect citizen’s data. It only makes sense that we will see that concern grow in 2020 and beyond.”

To help mitigate these risks, McCreight contends that all security departments need to implement ESRM for the next decade. “It takes us out of the role of always telling people what to do. That is not the role that security should play. Our job is to be a trusted advisor to the business, and work with business units to understand and mitigate risks,” he says.

At the city of Calgary, both the physical and cybersecurity teams work hard to reduce as many risks as possible, notes McCreight. “We continuously recommend and put into place controls to mitigate risks across the city. We are always trying to find the right mix between what we need to be secure, while we ensure the appropriate availability of our information to citizens and employees.” It is a balance, McCreight says, that must be managed every day.

“We are always looking for opportunities to reduce risk. Sometimes, the answer will be technology. Most of the time, it will be procedures, training, education and awareness,” McCreight says.