James Blair launched his career in cybersecurity on the service desk at an Australian energy company. Starting from the bottom up has definitely shaped how he executes his role as CISO of Todd Energy, a leading natural gas provider based in New Zealand.

“Initially, cybersecurity was very reactive,” Blair said. “It’s great for that dopamine rush, but you don’t normally move forward all the time when that’s the approach.

“As a result, I became very strategically focused. I develop a plan and execute from there, adapting the plan when necessary, but without being reactive all the time. You’ve really got to know where you’re heading and how you’re going to get there.”

In the future, he sees the CISO’s role evolving in a more collaborative direction because of the expanding threat landscape.

“Cybersecurity is a global issue, not a local or regional or national one, and people need to collaborate and talk more. So forums like CISOs Connect, which have established global networks of excellence where you can actually reach out and talk to people, is where I see the CISOs gaining exceptional value,” he said.

“These sorts of forums allow you to communicate with people at the same level, with people who have the same challenges, to talk about different ways they’ve done things and then take that information, distill it and formalize that into your plan. I think that’s a really good platform to work off of.“

Blair was born in South Africa, left to travel around the UK, then moved to Australia and later to New Zealand. In his free time, he rides motorbikes, and goes biking with friends in the hills and back countries of his adopted home. He also likes to golf and boxercise, a sport that emulates the fitness required for boxing without the full physical contact.

He sees a direct line between the kind of off-duty activities he enjoys and the work that he does. “I’m hell of a competitive,” he said. “I’ve always wanted to get to the top and I like to fight outside my weight division as well.”

“Our digital program at Todd Energy has won Asia Pacific and global accolades, and I’m also on some global committees, which is unconventional for a company our size. We do that through merit, showing that even relatively small companies have significant amounts to offer. We have to be very entrepreneurial in our execution, and that probably differentiates us.”

Like other CISOs, Blair faces resource challenges that are made more complex by New Zealand’s geographical isolation and population of just over 5 million.

“There is a skilled resource gap globally in this space, but certainly in New Zealand, there’s the added complication of finding skilled resources locally,” he said. “There’s also the challenge of retaining people you’ve trained, because there’s always the risk that the people you’ve trained will leave to go to bigger, better jobs because there are so many opportunities in the space.”

As for financial resources, money is always a challenge, but that encourages creative thinking, he said.

His broader remit includes overall responsibility for the company’s digital transformation.

“I was over the in the U.S. recently at a conference, and it showed that the breadth of generalization is certainly more prevalent in New Zealand than a lot of the U.S. companies we saw,” he said.

A successful CISO needs to look at things holistically and be able to network effectively, Blair said.

With resource crunches, Blair expects to see more virtual CISOs coming on board. Another trend he sees is more alignment and/or adoption of standards.

“Governments, especially around country critical infrastructures and privacy, are requiring businesses to comply with defined requirements,” he said.

Blair regards cybersecurity as a long-term game that involves a lot of change management.

“It’s not just about bringing the IT people along for the ride, it’s about bringing the business along for the ride,” he said. “That includes senior executives so you get their buy-in, and even our operations personnel. Everyone in the organization needs to know how to initiate the incident response plan, why they need to update their PC regularly, why they need to do cybersecurity training. Cybersecurity impacts everybody in the organization.”

His program works on a building block model.

“We started with step-change improvement because we didn’t really have the cybersecurity program or team in the beginning,” he said. “But now it’s iterative improvements to maintain and sustain our overarching maturity. Cybersecurity is continuously evolving, and you need to continuously allocate resources.”

“It’s not just, follow the next trend. You have to be able to analyze things effectively, and have the ability to communicate and problem-solve rapidly,” Blair said. “Communication is key. It is our role to make it easy for boards and executives to understand what they need to do to make the organization more secure, and that requires you to be a very effective communicator.

“You also need to be adaptable,” he said. “If you’re going down a path and it’s not working, you need to be able to acknowledge that and change tack.”

His advice for people just entering the field: Get as much experience as you can.

“Get a wider view of things instead of just looking at a security tooling,” he said. “Not just in the networking realm, though obviously networking is a key place to get experience. If you get a depth of experience in multiple IT areas you’ll definitely be more effective.”

Blair prides his team on developing a culture of cyber awareness at Todd Energy that spills over into people’s home life.

“The biggest thing is that we’ve brought the organization along with us,” he said. “We’ve made them more cyber aware and as a result cyber safe, and then they take that cyber awareness and cyber safety home and share it with their families, and it becomes part of how they interact digitally.

“They end up mitigating risk for you by not going into unsecured networks in the airport, or using short passwords that get compromised. They also take those cyber resilience skills into other organizations. They become good digital citizens. It’s really cool.”