Security, and especially Cyber Security, are topics of great interest these days, for good reason. Security is not the only consulting service I offer – I can help with strategy, planning, governance, innovation, and other fields; however, Security seems to be on the minds of many potential clients when I am discussing possible consulting engagements.
So, let me outline some of my experience in this field. (I’ll be vague – some details will be expanded when we are talking about a specific opportunity; and some parts of my experience are classified and I can’t discuss openly.)
I have been directly responsible for IT Security several times over several decades:
- I created and managed the first Computer Security group in a private sector organization;
- I served as Director, Systems Security for a large corporation;
- I served as Director, IT Security for a Canadian government department, including leading a “Pathfinder project” for one of the first projects in the Government Online initiative and using the Entrust PKI;
- I held Director and Director-General roles in a Canadian Intelligence agency, with responsibilities that included the internal IT Security organization. During this period, we had funding approved and launched the re-engineering of CTSN (Canadian Top Secret Network), including major security initiatives.
- Since retiring from the public service and taking up consulting, I have worked in Cyber Security engagements for three years, in dozens of projects related to security assessments, exercises, policies, and planning.
I have also held positions that, while not directly responsible for Security, were strongly connected to it, several times.
- I directed the re-development of an Information Management system, including security measures for Top Secret information;
- I wrote IT specifications (including Security) for a large RFP for outsourcing certain services as part of a Public-Private Partnership for a new building, operating at a Top-Secret level;
- I served as Chief Information Officer in a Security Intelligence agency, with responsibilities including implementing security in a data analytics system, and implementing security measures on Top-Secret networks.
- I served as a Canadian representative to an international committee coordinating multi-national IT planning, including security, for over a decade.
- In a private-sector high-tech firm, I defined and led product management of security products.
I retain my Top-Secret security clearance. Here are some thoughts on whether that matters to you.
Do you need a cleared person?
Obviously you need a person with appropriate clearance if they will have access to classified information as part of the contract you are establishing. However, there are also advantages to having a cleared person if you merely work in classified premises, even if the consultant will not be accessing classified information.
- It protects you from accidental disclosure. Your consultant may be accidentally exposed to classified information – perhaps overheard in a hallway, or left on a whiteboard in a meeting room. If they hold an appropriate clearance, you do not have a security incident to deal with.
- It is required if you want your consultant to have unescorted access to your premises. Do you want to have to escort your consultant constantly? Not just in meetings, but in hallways, at lunch, to the bathroom?
- The same is true for access to classified systems. For example, if your consultant needs to log in to your classified network, they need a matching clearance, even if all you intend them to access on that network is unclassified information.
If you need a cleared person
In Canada, there are 3 basic clearance levels: Enhanced Reliability (used for Protected information), Secret, and Top-Secret. (It is actually slightly more complicated than that, but that is close enough.)
The classification levels “roll up”, so you can use a consultant with a higher clearance than you need. So, a Top-Secret cleared consultant is acceptable whether your information and premises are Protected, Secret, or Top-Secret.
Once you get to Top-Secret, there are additional riders that can be attached to a clearance. A very common set of these is “SI” (Special Intelligence) and “TK” (whose meaning is historical and won’t clarify things). For example, to access the CTSN network, or systems inside CSE or CSIS, you need a TS//SI//TK clearance. That’s a Top-Secret clearance, with the additional checking and indoctrination needed for the SI and TK riders.
I had these and other riders; however, they don’t survive retirement or department change, so I presently hold only a “plain Top-Secret”. If your work requires TS//SI//TK or similar, I can re-acquire them, but doing so takes your sponsorship and a few weeks, so allow enough time.
If you don’t need a cleared person
You might still feel better hiring a cleared person, even if you don’t need one because of classified information. A high-level clearance means you are getting a trustworthy person whose background has been thoroughly vetted for serious criminal activity and relations, loyalty, conflicts of interest, and undeclared foreign influences.
Facilities also get clearances
Note that I am a cleared person, but my personal office is not cleared space. So, classified information will need to be stored on your premises, or at the cleared facilities of one of the consulting firms through whom I can be contracted (both of whom have facility clearances).