When it comes to cybersecurity, you have to get ahead of the curve. Being slow and reactive usually means it is already too late: the damage is done, and your software or systems may already be compromised. Timely, proactive measures are what prevent that outcome, because delay leaves you exposed to whatever threat arrives next. At one of the largest community colleges in the United States, that simply cannot be allowed to happen. Reet Kaur, who served as CISO at Portland Community College (PCC) until August 2023, knows that responsibility well.
For Kaur, though, it is par for the course; she likes leading transformation journeys. With 22 years of IT and information security experience, she has a track record of creating value for large organisations. That includes a seven-year tenure at Nike, where she led several programmes in the Information Security Governance, Risk and Compliance functions, among them a highly successful effort to build an Information Security Risk Management programme for Nike's entire supply chain.
Having arrived at PCC just two days before the disruption caused by COVID-19 in early 2020, Kaur was immediately forced to firefight instead of developing a strategy in her first days on the job. “I came with a 90-day plan to build a world class security programme. Like many organisations, PCC wasn’t ready to take its employees and students remote. Without considering the culture, we didn’t even have the infrastructure to go remote,” she says. “Our VPN (Virtual Private Network) couldn’t even handle more than 1% of the workforce concurrently. It meant that overnight we had to come up with strategies to enable remote work. That passion and drive working relentlessly towards the mission of the organisation was mind-blowing.
“As we know, necessity is the mother of all inventions. With no plans on hand, we had to jumpstart our digital transformation and migration up to the cloud. When I worked at Nike, we had a roadmap of five years to roll it out, but over here we literally did this within five weeks, without any formalised plan of how to do it. We didn’t have much time on the security side; we just needed to ensure that when everyone goes remote we’re secure. Surprisingly, we were not alone; many organisations had to go through a similar journey.”
Risk vs Speed
Fast forward to today, and Kaur and her team have established a risk-based cybersecurity programme at PCC. On joining, Kaur reported to the CIO, who was an advocate for the programme she was building; she then seized the opportunity to report directly to the President. Until her departure from PCC in August 2023 she also held a seat in the cabinet.
“We operate based on a three-year strategy developed from the risks identified in the risk register,” explains Kaur. “Given our limited resources, our initial focus is on risks exceeding our organisation’s risk appetite. We then prioritise them using the weighted shortest job first methodology, a tool commonly used in the Scaled Agile Framework (SAFe) to guide teams in prioritising key initiatives. We developed this approach to prioritise risks concerning our ongoing programmes, as well as any considerations related to people and processes. Our goal is to lower the maximum level of risk that exceeds our risk appetite. Any risk surpassing that threshold is not acceptable. We are committed to mitigating these risks within our allocated budget. Similar to many state-funded organisations, we operate on a tight budget.”
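The ranking Kaur describes, as an added illustration that is not from the article or PCC's own tooling: filter a risk register down to entries above the risk appetite, rank those with the standard SAFe weighted-shortest-job-first formula (cost of delay, i.e. business value plus time criticality plus risk reduction, divided by job size), then fund down the ranked list until the budget is used up. The sample register, the 1-5 likelihood/impact scale, the appetite threshold and the budget figure are all constructed assumptions for this example; the article gives none of them.

```python
from dataclasses import dataclass

# Risk appetite: any risk whose inherent score (likelihood x impact, each on a
# 1-5 scale) is above this value must be mitigated. Threshold and scale are
# assumptions for this example; the article does not state PCC's.
RISK_APPETITE = 12


@dataclass(frozen=True)
class Risk:
    """One risk-register entry carrying the four WSJF inputs used in SAFe."""
    name: str
    likelihood: int        # 1-5
    impact: int            # 1-5
    business_value: int    # value to the organisation of mitigating the risk
    time_criticality: int  # how quickly that value decays if we wait
    risk_reduction: int    # risk reduction / opportunity enablement
    job_size: int          # relative effort to mitigate

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def cost_of_delay(self) -> int:
        # SAFe cost of delay = business value + time criticality + risk reduction
        return self.business_value + self.time_criticality + self.risk_reduction

    @property
    def wsjf(self) -> float:
        # Weighted shortest job first = cost of delay / job size
        return self.cost_of_delay / self.job_size


def exceeds_appetite(risk: Risk, appetite: int = RISK_APPETITE) -> bool:
    return risk.score > appetite


def prioritise(register: list[Risk], appetite: int = RISK_APPETITE) -> list[Risk]:
    """Keep only risks above appetite, ranked by WSJF (ties: higher score first)."""
    above = [r for r in register if exceeds_appetite(r, appetite)]
    return sorted(above, key=lambda r: (r.wsjf, r.score), reverse=True)


def plan_within_budget(ranked: list[Risk], budget: int) -> list[Risk]:
    """Walk the ranked list and take every mitigation whose job size still fits."""
    chosen, spent = [], 0
    for r in ranked:
        if spent + r.job_size <= budget:
            chosen.append(r)
            spent += r.job_size
    return chosen


# Constructed sample register (not PCC's); the numbers are illustrative only.
REGISTER = [
    Risk("VPN cannot support a remote workforce", 5, 5, 20, 20, 13, 8),
    Risk("Unpatched student-facing web application", 4, 4, 13, 8, 13, 5),
    Risk("No MFA on staff e-mail", 4, 5, 20, 13, 20, 13),
    Risk("Outdated guest wifi splash page", 2, 2, 3, 1, 2, 2),
    Risk("Legacy file server with no backups", 3, 5, 8, 13, 20, 20),
]

if __name__ == "__main__":
    ranked = prioritise(REGISTER)
    for r in ranked:
        print(f"wsjf={r.wsjf:5.2f}  score={r.score:2d}  size={r.job_size:2d}  {r.name}")
    funded = plan_within_budget(ranked, budget=20)
    print("funded this cycle:", [r.name for r in funded])
```

Two things the numbers make visible: the guest wifi item has the cheapest fix but never appears, because it is inside appetite and so is not in scope; and the file-server item has the highest single risk-reduction input yet ranks last, because WSJF divides by job size and its mitigation is the largest job. That is the trade-off the methodology encodes, and whether it matches your own appetite is a judgement to make before adopting the scores.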