Jo Stewart-Rattray: Preventing Governance and Security Failures
Interview: Jo Stewart-Rattray, Award Winning Top Executive, International Security and Risk Management Authority and Vice President ISACA
- Masters of Education Studies – Psychology
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified in the Governance of Enterprise IT (CGEIT)
- Certified in Risk and Information Systems Control (CRISC)
- Certified Social Engineering Prevention Specialist (CSEPS)
- Registered 27001 Lead Auditor
- Certified Professional (Australian Computer Society)
- Member, Australian Computer Society, Certified Professional
- Co-opted member, ACS SA Branch Executive Council
- International Vice President, ISACA International
- Chair, Leadership Development Committee, ISACA International
- Past President, ISACA, Adelaide Chapter
- Ambassador, Women in Innovation & Technology
- Professional Member, Australian Information Security Association
- Member of the Australian Institute of Management
- National ICT Professional of the Year (iAwards 2011-2012)
See RSM Bird Cameron
Jo has 24 years' experience in the IT field, some of which were spent as CIO in the Utilities space, and 16 in the Information Security arena. She underpins her information technology and security background with her qualifications in education and management.
She specializes in consulting in information security issues with a particular emphasis on governance in both the commercial and operational areas of businesses. Jo provides strategic advice to organizations across a number of industry sectors including banking and finance, utilities, automotive manufacturing, tertiary education, retail and government.
Jo is the Chair of both ISACA's International Leadership Development Committee and its Security Culture Taskforce. She is past president of ISACA's Adelaide Chapter, and she was sworn in as International Vice President of ISACA in June of this year at the Association’s Annual General Meeting in Washington, DC.
ISACA is a professional body with some 95,000 members in 180 countries around the world, and represents professionals from the assurance, governance and security disciplines.
She was appointed to CIGRE's international working group B5.38 and worked with the group to assess information security risks in power system operations within SCADA systems and the implementation of appropriate security controls.
Interview Time Index (MM:SS) and Topic
Jo, you have a strong history of significant global impact in security, risk management, governance, and senior executive leadership. Thank you for sharing your considerable expertise, deep accumulated insights, and wisdom with our audience.
Congratulations on your recent significant award. Can you tell us more about it?
"....In August of this year I was named the Australian ICT Professional of the Year....When I was asked by a colleague if I minded if they nominated me, I agreed and quite frankly I didn't think I would hear any more....You can imagine my absolute surprise when I received a call from the committee saying that I had won the award. I was really blown away by it...."
What was the reaction from your family from receiving this award?
"....I have been fortunate over the years — my husband has been exceptionally supportive of my efforts....Also close colleagues were also blown away...."
What valuable lessons can you share from ISACA's research initiative on 'Creating a Culture of Security'?
"....One of the most valuable lessons for me was about not judging a book by its cover. You can find the champions of a culture of security in all sorts of places, not just at the top of an organization...."
What are the main thrusts around your work on COBIT 5.0 that will be of value to the audience?
"....It's looking at COBIT as not just the framework itself which of course is the platform, it will be a strong framework on which a series of lenses can be applied depending on what you do in the IT or Information Security space...."
What are important takeaways on your work on ISACA's Business Model for Information Security (BMIS)?
"....BMIS gets rid of the silos in organizations because it takes a cross-functional approach to information security....My important take-away from this is that there is something in BMIS for everyone and it's absolutely worth a look at...."
Please share your goals as the Chair of both ISACA's International Leadership Development Committee and its Security Culture Taskforce.
"....The Security Culture Taskforce was formed to specifically develop and publish the research on creating a culture of security....The completed goal was to publish that document and also to get this piece of work out into the world....The Leadership Development Committee was formed last year in 2010 and it's in place to encourage ISACA members to volunteer at the international level....It's about making the experience worthwhile from both sides of the fence. We are also looking to identify high potential future leaders of the Association....It's always a work in progress...."
I guess there would be a lot of crossovers with other Societies. I'm sure there are lots of members of both Societies. Do members of ISACA collaborate with the Australian Computer Society?
"....Absolutely. That's one of the things in my role as International Vice-president I have ensured....It's fair to say that we do have a fairly strong relationship with the Australian Computer Society...."
What do you hope to contribute as International Vice President of ISACA?
"....One of the important things for me is furthering the connections that I've already fostered within the Australian and Oceania regions....One of my roles is to work closely with our President's Council....I'm also very active in promoting ISACA and forming those relationships with other professional bodies...."
Can you briefly describe your work and outcomes with international working group B5.38?
"....CIGRE is an organization with its focus on large utilities....What we produced was what CIGRE calls a technical brochure which is actually a very large guide with many pages on the security on electricity substations. Very rewarding piece of work which allowed me to work with a multi-disciplinary, multi-national group of professionals...."
Can you outline important lessons from your work in the Utilities space?
"....I learned so much from my engineering and telecommunications colleagues during that time that I'm still grateful for today. It actually piqued my interest in securing that kind of environment so it's a little bit of a passion. It's not something I work in all the time, but it is something I really enjoy...."
When you did your work with the Utilities space were you working with government agencies as well?
"....In Australia, until about 6 – 10 years ago they were always government owned. Now we have a combination — some are privately owned and some are still government owned, so that creates a whole raft of issues when it comes to crisis or emergency management. The Australian government has recognized that and have put in place some safeguards around critical infrastructure....There is understanding of critical infrastructure protection and I was involved in part of those programs which was about information sharing in those environments...."
What are your top five governance tips?
"....Never under-estimate the human factor when you are putting governance posture in place....Ensure that there are good policies in place that are as unambiguous as possible. Ensure that the policies that have been developed are disseminated to the appropriate staff, contractors and temporary staff — whatever is appropriate to your organization....Information security or IT must be aligned with the overall corporate strategy....Information security awareness has to be an ongoing program and not a one-off event....If we are talking about information security governance, it’s got to be a commitment from the top...."
Please overview your certifications and the value they bring to your work and your clients?
"....The certifications that I have show my clients that I have a strong understanding of the core body of knowledge that relates to each of those credentials. Holding the certifications also shows that I have an on-going professional development program in place...."
Jo, can you profile your extensive history and valuable lessons you wish to share from each of your top three leadership areas?
"....Don't expect everyone to have the same standards and concepts of time and urgency as yourself....Let people do their jobs without breathing down their necks....Never underestimate the human factor....Never judge a book by its cover....Look for the champions...."
Have you encountered what I would call unconscious bias in your career and how did you overcome it?
"....This is not always the case and it is not the case in all organizations or all walks of life but I have certainly found it over the years....Oftentimes it's unconscious, but it can be ingrained and it can be systemic in organizations where they don't recognize that what they are doing is actually a form of discrimination so it is a problem....There are lots of questions you have to ask yourself: "Am I prepared to continue to fight for it? How far would I go with this? What is the impact going to be? Is it worth the impact or the consequences of the impact?"....For early career professionals, women do have to be prepared that it's not the equal playing field that we would like to think it is, in some cases – in other cases, yes it is...."
Do you think it will happen in our lifetime that we're going to see this, or do you think it's going to be 50 years before we see a flat playing field?
"....It has been enshrined in legislation so we have won part of the battle....Now it's getting it accepted in the corporate sense which has got nothing to do with the legislation. This is about developing new social norms and we're talking about creating that kind of culture....It is longitudinal — it's not going to be something that is going to happen overnight and women have to continue to want to fight...."
Jo, tell us about your most difficult challenges and the valuable lessons you wish to share?
"....One of the greatest challenges that I've had is actually getting people to understand what information security really is about. Lessons to be learned — I need to collect stories and anonymize those stories in order to help educate markets...."
How will you accomplish your three top goals in your current position and how will you measure success for each of these goals?
"....Goals: To build a highly successful practice....To people it with the very best that I can....To exceed my clients’ expectations....Measurements: profitability....staff retention and cohesiveness of staff....customer satisfaction...."
Describe some areas of controversy or much discussion in the areas that you research and work.
"....There is a great deal of controversy about what is culture and how do we build a culture that is appropriate to our organization....How much is technology and how much is culture in the IT and IS type businesses — that's another area of controversy. I have a theory that in information security it's 80% about the people and 20% about the technology....One of the areas of much discussion currently is cloud....The other area of controversy or much discussion I think is the use of social media in the corporate environment...."
Why should IT professionals and executives join non-profit associations?
"....I believe it's a way of enriching your understanding of the industry sector in which you work. It's a sensational way of networking with people....You generally have access to a core body of knowledge as well....There's also the credentialing and that sort of stuff....Quite frankly it's about giving back to the community that has given you so much...."
What specific challenges and opportunities should IT practitioners and businesses embrace today and in five years?
"....Consumerization of IT....The issue of BYOD (bring your own device)....Security on the inside, not just the perimeter....We live in an outsourced, offshore, cloud-provided world and we need to make sure we know who has access to our data legally through those means...."
Do you think the concept of singularity will happen in the next 50 years?
"....We see it with the younger career aspirants in the workplace. They are sitting right next door to their colleague but send them an email or they text them. What concerns me is that we are losing the art of one-on-one interplay; the human to human interplay disappears and more and more is done through a different interface....There's always that issue when we talk about downloading the conscious into a computer system....but where does the moral or ethical stuff come into it....I certainly see that more and more we are relying on an interface and it’s becoming just part of the way people do stuff...."
What are your thoughts on computing as a recognized profession like medicine and law, with demonstrated professional development, adherence to a code of ethics, and recognized credentials?
[See www.ipthree.org and the Global Industry Council, http://www.ipthree.org/about-ip3/global-advisory-council]
"....I really think we are seeing it more with a lot of organizations....I think that regardless what you do and how you do it, professionalism is about the people themselves and the values that they hold as professionals...."
From your extensive travels and work, please share one or more stories (amusing, surprising, unexpected, amazing).
"....Sometimes out of the worst experiences the best things come...."
If you were conducting this interview, what 3 questions would you ask and then what would be your answers?
"....If you had to pick out one event what was the turning point for you in your career?....Can you take out your crystal ball and predict what will happen in the IT world in the next 5 to 10 years?...."