How I became involved with CSA Z246.1
I'm incredibly grateful to my boss Mark Jean and coworker Wes Elliot for recommending me to join CSA Z246.1. The opportunity to not only join CSA Z246.1 but also be on the working group for Clause 6,7 (Information Security and Cybersecurity) was a 12-month work activity that will be published in the amended 2025 CSA Z246.1.
Why I am on the Board
I joined this board because of its implications for owners, operators and governments across Canada. CSA Z246.1 is adopted federally and is adopted in some provinces in specific ways. This standard is one that the industry is involved in, meaning there's a lot of conversation between government and industry representatives toward developing a standard that works for everybody.
When I go to in-person board meetings, there's a lot of talking and many disagreements, which is perfect. Resolving disagreements is an indicator that we are getting work done. There's nothing worse than going to a silent board meeting and having no one say much of anything, then leaving with the feeling of a wasted day in your gut. I appreciate the time and energy each person provides to the board, and the meaningful work we do together.
What CSA Z246.1 means to me
Before I started working in governance and policy, I complained often about the slow pace of government. Much of this complaining was my lack of understanding of the "system" and how each part of it operates. I have a different and more nuanced approach to government and regulations now.
CSA Z246.1 is a performance-based standard, which means it does not aim to prescribe activities. The regulator expects the operator to show their thought process, the design and the implementation of a system. After all, if you tell someone to do something, it's clear that once the activity is done, continual improvement to close gaps may not be implemented because the task itself was done. Keeping it performance-based provides operators the flexibility to determine what they should do based on their own levels of risk, and the regulation simply guides operators to also include certain factors (like public safety). See more about the advantages of prescriptive standards in my blog post!
The long and short to this question is that responsibility needs to be held in trust between regulators and industry; we need to keep things in line and provide rules, but we have to trust that companies will adhere to and meet them.
My roles and responsibilities
My role with CSA Z246.1 is constantly changing. When I first started as a guest, I simply observed and communicated my opinions with the board and working group. Then, 4 months later, I was able to become a non-voting member. During that time, I spent many weeks with the working group to develop the amended Clause 6,7 for information security and cybersecurity.
Recently, I have made it known to the board that I intend to stay for the long run and become a voting member. Who knows where this will take me? My ambition to remain on this board and contribute to its long-term success is high because I care about security and its impact on industry.