Lessons in security leadership: Dwaine Nichol

The 2011 CSO Compass Award winners discuss prioritizing investments, learning lessons the hard way, and much more

As manager of security and life safety for the City of Toronto, Dwaine Nichol is responsible for securing the diverse operations of the largest municipality in Canada and the fifth-largest city in North America. These operations span 1,500 facilities, including water resources, social-assistance offices, recreation centers, day care facilities, City Hall, and Union Station, the busiest transportation hub in Canada. Under Nichol's 12 years of management, Toronto has implemented a citywide strategic security plan--a key document that Nichol says the organization relies on heavily--and a video-surveillance policy that brought all 1,000-plus cameras used in the city under the Corporate Security Unit.

Nichol has been qualified by ASIS International as a Certified Protection Professional and has extensive knowledge of workplace violence.

CSO: What is unique about the security challenges you face in Toronto?

Nichol: Because Toronto is a large and very diverse multicultural city, the challenges are also very diverse. In one day, we could have a protest at City Hall, security-system issues at a number of water facilities, and a major incident at Union Station.

It's also very political--the city has 44 councilors and a mayor, and we need to always be in response mode. What they say publicly can always affect security in some fashion.

What was the most difficult or rewarding accomplishment of your career?

I'm most proud of the fact that we've been able to retain for a number of years an outstanding security-management team who could easily be stars in another organization but are very dedicated to the City of Toronto. To see their energy and enthusiasm in the face of challenges on a daily basis is, I find, a great reward.

What has been the biggest change to the CSO role in the past few years?

There's been a push to see security as a value enhancer versus a cost center and to practice what we preach in terms of showing clients how security contributes to the business, using metrics and showing ROI. One of our priorities is developing metrics that are important to the different divisions and giving them monthly reports: number of security occurrences, year-over-year change, how many alarm responses, how many major events.

Can you name one of the biggest mistakes you've made during your security career and what you learned from it?

Underestimating [the importance of] my work-life balance. A few years ago, I got to a point where I couldn't enjoy downtime at all. I remember being at one of my son's ballgames, and I was working, and I saw the other parents just enjoying their time. That was the moment I said, I've got to do something about this. I started reading everything I could about time management and began really picking up on those principles that are often said but not often done--work smarter not harder, have a realistic plan of what you want to accomplish each day, delegate authority, block off time to do things that are incredibly important but that can get lost in the everyday shuffle.

It's something many of my colleagues face, especially in the security profession, where a myriad of issues can happen at any time and the next big thing is always waiting around the corner. But a key to leadership is maintaining a very good work-life balance.

What are three fail-proof principles of security leadership?

The first is aligning your unit's goals to the organization's goals. In municipal government, the goals might change every four years, so you better be aligned with how you fit into those new goals and how you support and enhance those new goals.

Second, security needs to be seen as value-adding. People talk about this a lot, but it needs to be lived and breathed as a core value. With anything we do, we're looking at how can we support and enhance the safe delivery of city services.

Third is the power of benchmarking. It's a great opportunity to learn from the successes and failures of others and show senior management what other cities have in place. You can also benchmark against yourself to see how you're set up in one area and standardize across the organization.

What are two things about security or security leadership you wish you'd known 10 years ago?

Focus on opportunities that come along and don't be afraid to experiment or take risks. There's so much day-to-day stuff to do, but certain opportunities come along that can really enhance the delivery of security, and they have short windows of time in which they present themselves, so you need to prioritize them.

Second is the power of a good story. We can talk to employees and hang up posters to increase security awareness. But a good story has a personal aspect to it that gets people to really listen. For instance, if I had an area in the organization where there were lots of problems with people letting other employees enter into a secure area using their access card, if we can tell them about an actual incident that has happened--say, a workplace violence story--then it becomes something they value. It holds much more weight than any other initiatives.

What will be (or do you think should be) the next big topic in the security field?

I'm concerned about sustaining security systems. After 9/11, many security grants became available and all kinds of organizations and governments upgraded security, so a great deal of physical security infrastructure was and continues to be installed. I worry greatly about whether enough thought has been put into the total cost of ownership of that equipment and keeping it highly functioning and operating through times of limited budgets and cuts. What's worse than not having a security device is having one installed that doesn't work.

What is the most over-hyped topic in the security field?

You can have the highest-definition video, but if it's not capturing enough data for a recognizable view, then your super-high-priced system isn't doing too much. After people watch CSI, they start believing your system can do these things and do them rapidly, with the push of a button. Everyone faces these myths, where people don't understand the intricacies of what's involved in completing an investigation.

If a CSO could get budget approval for one security investment, what should it be?

A master security plan. Every painter has a vision--he doesn't start randomly throwing paint on a canvas. Security is like that. You need a road map of where you are now, what the end result will be and the strategic details of how you're going to get there in a phased, multi-year process. It's a key document for getting buy-in from management for approval and budget to support your goals and objectives. If I were new at an organization, the very first thing I would ask for is approval for a master security plan.

Stories by Mary Brandel
