The hybrid team leader: David Kennedy of Orion Health

22.12.2014
Most CIOs focus on availability of systems, but my balance really is towards confidentiality of information and the integrity," says David Kennedy, CIO of Orion Health.

This perspective is honed by his nearly two decades of experience working across information security -- from technology to management -- in various parts of the world. He was an advisor at KPMG for almost a decade, and was IT security architect with IBM Global Services for four years.

Kennedy joined Orion Health as a contractor in February 2012, and was made chief information security officer six months later. At the start of 2013 CEO, Ian McCrae, offered him the inaugural CIO role (previously the company had an IT manager), based on the security programs he set up. "He wanted me to implement my ideas within the IT area."

"I am a hybrid CIO," he says, smiling. "It means security is a thought raised in the beginning of everything we do."

While security has raced to become the primary concern of CIOs across the globe today, having it as a priority across all business decisions is imperative in a company like Orion Health. The company, founded in 1993 as a boutique consultancy, is now a leader of health information exchange (HIE) and healthcare integration systems. Last month, it listed on the New Zealand and Australian stock exchanges, where it was valued at over $1 billion.

"When you're in such a growing environment, you have to make sure you're always delivering to what the customer needs, while backing it up with all of the metrics to prove what the need will be, and the activities you're doing.

Security is a thought raised in the beginning of everything we do.

"One of my main focuses here is to develop secure solutions. And I bring all of that experience because security is one of our major priorities working in the health industry and the software industry as well.

"Those security techniques and processes are literally driven through business right from the top. I just make sure that everything we do is driven by the correct level of security," he says.

The CIO needs to consider security the same way he or she does availability of systems. There's no point in having an available system if it's insecure, "because someone will be inside your network very quickly", Kennedy says.

"So set your top down security framework right from the outset as a CIO, then drive that down into your areas and have a single framework.

People can have waivers if they can't meet certain requirements and system owners can't meet them, but stick hard to your single framework and have a single point of contact where the entire company can go," he advises.

One of the first things Kennedy did was to create Orion Health's Information Security Portal.

"We have a governance structure for security here that spans the entire world," he says. "That is based on risk. We've trained our entire company to understand there is a single point of all things security related, the Information Security Portal.

"It needs to have that consistency across the world because then we have a single language. We understand the consistency and what the risk means.

"In fact, one person that works here is the most incredible security engineer I think I've ever met in 17 years, Tom Parker. His knowledge of application security is just incredible. So he works in development, leads development security. Our applications are born through the secure process."

Kennedy also has an information security manager and information security officers in Orion Health's offices in Europe and the United States (Orion Health has more than 1000 employees in 22 offices worldwide).

"That helps drive down that single policy framework consistency," he says.

These offshore-based security focused staff report to him, not to their responsive teams, "so they can have independence".

Recently, Kennedy's team launched a project called 'Elastic Networking' to "provide improved access to business critical core systems.

"We created the core network," he says. "We pulled all of the core applications into this secure area, and then we have different architectural zones by which we can have different levels of security.

That means in one of the outer areas someone can bring a device and they can use it, but they won't actually penetrate into the core network. Again, it is based on security."

Kennedy has conducted a full risk analysis of all the different areas versus the needs of the executives, the needs of the customer, and created a map showing the risks.

One of the major business risks that emerged was connectivity, and the inconsistency and quality of the network. The smaller offices would have a much lesser experience than the major offices.

"Elastic Networking was born to really have a high level of confidence in the network availability," he states.

It also entails simplifying the supply chain so the company can leverage its size as it works with bigger partners like Verizon.

With Elastic Networking, Orion Health can subdivide the network into separate architectural branches and proactively shape network traffic, thereby increasing stability, security and visibility, Kennedy explains. The two major benefits include better performance and better availability.

All these changes have made a strong, but positive impact to the IT team, he states. "It has turned the IT team into a more strategic force. So they do less reactive work and much more strategic work, thinking about what future and innovation we can pull in two or three years' time, rather than dealing with the problem today."

The next phase will only allow people into that core network with an agent running on a device. That means it creates a space where anyone is BYOD, says Kennedy.

"You can't really stop people from doing it and if you try and stop them, they'll just find ways around it. So rather than trying to restrict people, you try and allow them to use it and just protect those core aspects."

Another project, which goes hand in hand with the Elastic Networking is the '180 Degrees IT'.

"It's about giving control back to the user for their laptop," Kennedy explains. "The users will have high levels of administrator access to enable innovation. We have agents running on these systems, on the laptops, and that gives us configuration of all the individual laptops so we can see or we can help make the estate more consistent while allowing them to download things."

It means they could contact the user before they have an issue. The team can identify if the user is running inefficient versions of software and automatically contacts the user to have all features and functions working at their optimum.

"If someone downloads a malicious tool bar, we can automatically send them an email to say that you've downloaded something that will affect your performance in three weeks. And then in three weeks, we can email them with this message: 'You don't have to delete it, it's up to you, but here's the procedure for deleting it'.

"If they choose not to, that's fine; it's just going to slow the machine down. And then in three weeks we can email them again and ask, 'How is your performance' Again, it's about giving that power back to the user and the transparency to help them diagnose their own problems."

The Self-Service Portal is another project and provides a user-friendly IT support website designed to get the quickest and most effective response to low priority IT queries. "This is the go-to place for IT-related FAQs and how-tos," says Kennedy.

Its features include the network and application performance monitor. "This enables every user to self-diagnose IT issues. If the user has a performance issue they can check the monitor to help determine the root cause of the issue."

There is also a MacHelp area providing "great tips and tricks" for users who are new to Apple technology.

Game on: IT's Oscar Awards

Game on: The IT team that can close the most tickets keeps this Oscar for a month.

Building a deep leadership bench, as well as developing and motivating his team members, are at the top of Kennedy's agenda.

He has a compact team of 20 in Auckland, plus less than 10 people in the United States, and two in London.

He says it is important to have a clear strategy to ensure the teams can align to the common goal.

"The mantra for all my teams is this: Simplicity, clarity and visibility in all that we do."

Gamification is one approach Kennedy uses for the ICT team through a program called Ticketmaster.

"There's a little Oscar statue and the first week of every month the IT teamglobally goes through a competition for who can close the most tickets. Each ticket is weighted differently, it depends if it's a priority one or a priority zero. And then it's a race to the first week to see who wins this trophy. This trophy gets shipped around the world once a month."

Kennedy says it was an idea that sprung up when he first joined Orion. He noticed that the tickets were piling up.

"You have to think of ways by which you can respond to what the customer needs, and the business needs. And Ticketmaster was a way to get people into spirit of doing things faster."

He vouches for the positive culture at Orion Health.

"The market goes through constant change," he says. "In order to meet that, you have to then enable your teams to not be put off by change. And the culture we have here really is one of constant change and saying: 'What's the next best thing'. That comes from [CEO] Ian's innovative mind."

The global CIO

Kennedy is essentially a global CIO based in Auckland. So what are some insights he can share on working with teams and customers across the globe

"Lead by the front," he advises. "Commitment and drive are key, and working together creates fantastic results."

It is also important to listen to customers, both internal and external.

"'Listen to your customer' is a mantra that I now live by through my time at KPMG, he states.

"Make sure you strike a clear balance and add value uniformly" to both of these groups.

"It is very much a part of a collaborative crowdsourcing culture at Orion Health," he says.

Stakeholder management is a key part of the role. He meets monthly with most executives, and bi-monthly with two other executives due to work commitments. "It is important to understand their strategies and needs so that I can mobilise them through technology," he says.

The upsides of the role

"I work with many people and continuously learn from my teams," Kennedy says. "I'm fortunate that I can educate customers and employees about what we do and the culture we have here at Orion Health.

"The fast growth we experience allows for continual improvement, for pushing the boundaries of technology to better the company and improve the experience of the employees.

"Also, knowing that we are making a difference in the health sector is something that is very rewarding."

Send news tips and comments to divina_paredes@idg.co.nz

Follow Divina Paredes on Twitter: @divinap

Follow CIO New Zealand on Twitter:@cio_nz

Sign up for CIO newsletters for regular updates on CIO news, views and events.

Join us on Facebook.

Read More:

(www.cio.co.nz)

Divina Paredes

Zur Startseite