"Most CIOs focus on availability of systems, but my balance really is towards confidentiality of information and the integrity," says David Kennedy, CIO of Orion Health.
This perspective is honed by his nearly two decades of experience working across information security — from technology to management — in various parts of the world. He was an advisor at KPMG for almost a decade, and was IT security architect with IBM Global Services for four years.
Kennedy joined Orion Health as a contractor in February 2012, and was made chief information security officer six months later. At the start of 2013, CEO Ian McCrae offered him the inaugural CIO role (previously the company had an IT manager), based on the security programs he set up. "He wanted me to implement my ideas within the IT area."
"I am a hybrid CIO," he says, smiling. "It means security is a thought raised in the beginning of everything we do."
While security has raced to become the primary concern of CIOs across the globe today, having it as a priority across all business decisions is imperative in a company like Orion Health. The company, founded in 1993 as a boutique consultancy, is now a leader of health information exchange (HIE) and healthcare integration systems. Last month, it listed on the New Zealand and Australian stock exchanges, where it was valued at over $1 billion.
"When you're in such a growing environment, you have to make sure you're always delivering to what the customer needs, while backing it up with all of the metrics to prove what the need will be, and the activities you're doing.
"One of my main focuses here is to develop secure solutions. And I bring all of that experience because security is one of our major priorities working in the health industry and the software industry as well.
"Those security techniques and processes are literally driven through business right from the top. I just make sure that everything we do is driven by the correct level of security," he says.
The CIO needs to consider security the same way he or she does availability of systems. There's no point in having an available system if it's insecure, "because someone will be inside your network very quickly", Kennedy says.
"So set your top-down security framework right from the outset as a CIO, then drive that down into your areas and have a single framework.
"People can have waivers if they can't meet certain requirements and system owners can't meet them, but stick hard to your single framework and have a single point of contact where the entire company can go," he advises.