John Paul Lowes (known as JP around here) is Central 1’s Director of Information Security. We caught up with him to find out how he got started in information security, where he thinks the industry is headed, and of course we had to ask him for some advice during cyber security month.
You’ve been working in technology for over 20 years now, tell me how you got started?
Fresh out of university with a Bachelor of Computer Science, I made a big decision to leave England and the handful of graduate job offers I had on the table. I jumped on a plane and headed to Vancouver to start working IT jobs in Whistler, including one of the few IT help desk jobs where I could snowboard between clients. Now, I’ve been working in technology for 21 years; the last 5 have been specifically in Information Security. I started tinkering with security tools in the late 90s and I was surprised by the weakness present in web applications. I recall learning about SQL injection attacks one day, then sitting down and finding vulnerabilities in a friend’s employer’s website. After a few beers, we managed to get ourselves admin access and then showed his boss. From then on I was hooked; I find solving security weakness problems rewarding and fun.
During my time at Accenture, I had the opportunity to work on projects such as server hardening, vulnerability management and implementing technology controls to meet the Payment Card Industry certification. So, while I was working as a server administrator, there was an opportunity to be involved in security.
When I joined Central 1, I transitioned into people management as the Manager, System Engineering, but after a few years I was eager for a new challenge. When I saw the Information Security Manager opportunity come up I knew it would be the right fit for me (clearly, I was getting too much sleep back then). From there, I moved into the Corporate Information Security Officer role and today I am the Director, Information Security for Central 1.
How has the industry changed in the last 5 years?
I’ve seen the security capability become more of a partnership, rather than being a gatekeeper. While there still is, and always will be, an element of gatekeeping, it’s become clear to me that a healthy security ecosystem requires give and take. With the increase of online activity taking place, there is more data available than ever before for the forces of good and evil both. Keeping everyone’s information safe while avoiding unnecessary friction during workflows is not always a simple task; however, working in partnership to develop leaner and more secure paths forward is beneficial to everyone.
I’ve also noticed a change in the new candidates for the roles we post. Previously, applicants would come from various backgrounds: systems, network and development. The new era of applicants come straight out of courses where their major is information or cyber security. The benefit here is that these courses provide knowledge on security terminology, theory and processes. However, that knowledge needs to be applied in a real-world setting and the ongoing learning that professionals do helps us to understand the systems and the business functions that need to be protected. It’s a significant shift, which also makes it an exciting time to be in Information Security.
How has COVID-19 impacted Information Security?
COVID-19 and working from home certainly created more security concerns within the modern workplace. We have to ensure that corporate devices in the home office have the same protections in place and get patched as they did before. When an incident takes place on a remote workstation, it’s not quite as easy to send out the help desk. Thankfully, as an organization, Central 1 already had strong technology capabilities in place for remote access; we just needed to reinforce that our staff remain security aware with the constant barrage of remote access themed phishing campaigns.
This pandemic in particular opened up a Pandora’s box of new phishing and malware schemes designed to take advantage of those who are fearful or in need of help during this time, businesses and consumers alike. Sadly, there is no scenario fraudsters will not exploit for their own gain.
If you could share one piece of advice with our clients what would it be?
Take security into account when making technology decisions. It doesn’t have to be the only thing you think about, but at least make security one of the requirements alongside cost and features. It’s important to take a risk-based approach to understand your exposure and that will determine the level of effort that should be spent. Financial institutions should invest more time looking after the things that are the most valuable to them and their customers.
What is the number one cyber security tip you share with friends/family?
I’m not sure there is one single tip, but there are a few basics to live by:
- don’t use unsupported operating systems,
- keep your devices updated,
- uninstall any junk software you don’t use,
- use passphrases instead of passwords (make them long and don’t reuse them),
- and anywhere that supports multi-factor authentication, use it!