Hardeep Mehrotara has found that by keeping his generosity and passion for helping others in the center of his vision, his career in IT has progressively prospered hand-in-hand with his volunteer work. Over the course of his more than 20-year career, Mehrotara’s passion has been to lead and influence organizations about cybersecurity — whether those organizations were in the public or private sector, and whether he worked as an employee or a specialist volunteer donating his time and service to his country and society at large.

Mehrotara currently is Director, Information Security & Architecture at Concert Properties, a Vancouver development, construction and property management company. While cybersecurity traditionally hadn’t been a strong focus for many companies in this sector, the pandemic started to change that by forcing them to digitize so employees could work remotely. These companies also have begun to realize that to attract a younger generation of customers, they need more advanced digital capabilities such as virtual property tours and online (rather than in-person) rental processing.

In addition, cybercrime is increasing “astronomically” in this space because growth in sales and rentals has attracted the attention of cybercriminals. Mehrotara is helping Concert Properties with these issues, as well as with the growing risk of cyber threats to smart building systems and operational technology (OT) networks. “I hope to do some good, advanced research in that area and give back to the community on how to take care of those kinds of networks,” he says.

In the public sector, Mehrotara spent 14 years with the Insurance Corporation of British Columbia (ICBC). He worked on cybersecurity for high-profile projects including Canada’s enhanced driver’s license program, facial recognition, red-light camera installations and license plate recognition systems. He highlights the sharp contrast between the more mission-critical public sector and the more risk-management-focused private sector with its risk-versus-reward considerations, such as competition and time to market.

He had been volunteering for the Royal Canadian Mounted Police (RCMP) for many years before attaining a position there doing cybersecurity work for law enforcement networks in British Columbia. As the police, firefighter and ambulance services moved from analog radio communications to digital communications, Mehrotara worked on compliance and data privacy laws. He also had a role in investigations and intelligence work while at the RCMP. “I’ve always had this passion about helping and making a difference, and I found that RCMP was a great opportunity to really make that difference,” he says.

There are many other ways in which Mehrotara has made a difference, particularly through his work as a Canadian Armed Forces (CAF) Reserve Officer. He was recognized by the National Defense Assistant Deputy Minister for outstanding support in assisting with Cyber Force development in the CAF. As CAF works continually to build its cyber force, Mehrotara had the opportunity to help build an assessment mechanism for identifying individuals currently in the Army, Navy, Air Force or Reserves who have some level of cyber education and/or certification. He continues to assist the CAF with cyber force development, training and various cyber mission tasks.

After working with the RCMP, Mehrotara joined Coast Capital Savings, one of the largest credit unions in the country, as Information Security Manager. There, he was responsible for building the Security Operations team from the ground up, as well as developing the firm’s Application Security and Automation team (DevSecOps). He says that the regulatory backdrop of the sector leads to a different level of risk tolerance than other organizations in the private sector. “In the financial sector, you are constantly being targeted by cyberattacks,” he relates. Because of industry regulations, “the risk level and tolerance is very different than other private organizations, as it impacts users’ life savings and company trust.”

Mehrotara’s diverse career in both public and private sectors has been driven by the need to perform meaningful work. “For me, it’s about working for an organization that’s not just financially motivated. There’s got to be some sense of purpose and actually making a difference in people’s lives,” he says.

Other organizations that have benefitted from Mehrotara’s leadership include the World Economic Forum; the Standards Council of Canada; and the Center for Internet Security, where he served as Co-Editor of the “Top 20 Critical Security Controls” and writer of technical benchmarks. He has also served as chair of several university program advisory committees and has mentored numerous students, helping them start their careers in cybersecurity.

“You get that sense of fulfillment in helping organizations around the world, making a difference. That’s what’s really fulfilling. In life you can have all the money in the world, but one day you’re going to be sitting there thinking, ‘What did I accomplish? What did I contribute?’ I think that’s what actually keeps you going,” he says.

Throughout his career, Mehrotara’s natural leadership abilities also have been tapped through his work on digital expansions at organizations. He says nine out of 10 digital transformation programs and cybersecurity programs fail; one of the primary reasons is lack of support from the top of the organization. In order to get that buy-in from business leaders, you need to develop a solid understanding of the business so you can speak their language instead of “speaking technology.” This often leads to trust, which gives cybersecurity leaders the autonomy needed to execute on digital expansion in the way they think best, he says. “There are new threats, zero-day exploits and vulnerabilities announced daily. You need to summarize that and explain the level of risk to your business leaders in relation to their business process and impact.”

He encourages aspiring leaders in cybersecurity to have regular communication with their company’s senior leaders “to ensure that you’re aligning with the risk tolerance of the company. People tend to swing the pendulum too far and then you start getting pushback.”

Mehrotara offers some advice for approaching conversations about risk. First, reach out to other people in the industry you’ve joined to get a perspective of what they are doing. You may even want to collect a list of cybersecurity incidents, such as ransomware attacks, in your specific sector. Then tie it all together in a narrative about the business implications, he advises, because “people love stories.”