PGG Wrightson Security Exec: Privacy Legislation is an Effective Compliance Stick
PGG Wrightson’s Information Security Manager, Roger Temple, shares his career transition to information security, how he motivates change, and how he is embracing security as a growth enabler in his organisation.
PGG Wrightson is a leading provider to the New Zealand agricultural sector with more than 1700 employees and a heritage of more than 170 years of working with the country’s farmers and growers to service their on-farm and on-orchard needs.
We asked the company’s Information Security Manager, Roger Temple, about how he ended up in an information security role and how to drive better security behaviours across organisations.
Temple went into arboriculture for 14 years after completing his bachelor’s degree. He worked on the tools as a climber and line clearer in NZ and the UK, then migrated to consulting, tree surveying and, finally, contracting management.
“During my time in the UK I did a lot of blue water sailing and met numerous people that worked in IT. I have always built my own PCs, so thought I was a bit of an IT wiz,” Temple says.
“I applied for a job as a SAN engineer for Sun Microsystems and in getting to the last two, thought I might be able to make a go of IT. Suffice to say, I did not get the job.
“I got an opportunity through my cousin to work at a British start-up called SpinVox, and after floundering around for 3-4 months, I got offered a spot on an ISO 27001 lead auditors’ course which I subsequently passed.
“I have worked in security ever since. It was a great career move.”
Relieving the burden of driving change
Changing people’s behaviour is always one of the biggest challenges for information and cybersecurity practitioners.
Many companies have made fantastic progress with security improvements, controls, tooling, automation, and reporting. But how can leaders get the wider organisation to make security part of the way they work? Temple says that creating security culture is a critical part of his role.
“From my experience, people do not generally embrace change. I tackle this by trying to make security relevant to people, in both a professional and personal capacity,” he says.
“If you can make it real and increase knowledge and understanding, it helps to motivate change. The other part is making security part of working smarter and more efficiently; strive to make security part of business improvements and efficiencies.”
Temple shared some successful changes he managed to drive in his organisation over the past few months. One of those was implementing significant modifications to backend systems to facilitate the rolling out of Windows Hello across the whole business, including PGG Wrightson’s retail fleet of workstations.
“In tandem with this, we introduced a no-password change with a longer password and launched a blanket 5-minute screen lock for all systems. The latter was quite a coup as our retail systems have never had anything in place! We got sign-off for this work back in August 2020, so it has been a long time coming,” he says.
Security is an enabler
We asked Temple to share how he helps his organisation understand the value of cybersecurity. He said that a lot of this has occurred through osmosis.
“Creating an oversight of security across all the business units and the executive team and building relationships across the whole business,” he says.
“Training staff, preferably with role-based T&A, but any is better than none. Including phishing simulations as this is a fantastic way to increase awareness, and improvements are easy to measure.
“The world also does a great job, with the volume of headlines both in NZ and abroad that keep InfoSec front of mind. We have also had enough of our own security events to raise the profile of security and the need to do it well.”
Temple also shared some practical steps that he used to encourage his organisation to be more collaborative in his projects.
“Security is pretty much a mandated component for all work programs now, and this has been endorsed by the CEO; the security team needs oversight across all work programs, including vendor reviews and robust contractual security commitments,” he says. “We have been able to demonstrate the benefits of addressing security up front and have excellent support from the board and the executive team.”
The future of privacy in Asia-Pacific
Given his global career, we were interested in Temple’s thoughts on how European organisations are addressing privacy concerns, and how countries like New Zealand and Australia are evolving in this space.
“Privacy is fast becoming dominant on the world stage,” Temple says.
“The EU has led the way in this space with Directive 95/46/EC and now with GDPR. I spent my first eight years in security working in the UK and these laws were treated seriously, and were also a very useful ‘compliance stick’ to motivate faltering executives.
“Most of the western world has followed the EU’s lead, and in New Zealand we follow Australia’s lead. In my six years back in NZ, there have been a lot of positive changes in this space, and I foresee this only increasing.
“Robust privacy legislation is one of many foundations on which you can build an effective program for the security of your customer and business data.”