It is an absolute pleasure to be able to introduce today’s Interview with an IT Professional, Jo Stewart-Rattray. Jo is the Director of Information Security with Vectra Corp. The first woman elected to be the State President of ISACA (Information Security Audit & Control Association), she is also the Oceania representative, and the only woman on ISACA’s International Security Management Advisory Committee. Jo has travelled the world and has embraced many experiences and challenges along the way.
Jo, a role model to men and women alike, your career is an inspiration to many. Today you are the Director of Information Security with Vectra Corp. How did your career start and how has it evolved to where you are today?
My career started with the usual amount of indecision as to what I really wanted to do. I ran off to the big city to make my fame and fortune (Sydney and later several European and North American cities). I was still really restless. It wasn’t until I returned to Australia and was in fact 30 that I decided that I should follow the IT path.
I got into IT, then IT education and it was at that point that I was introduced to information security. I was working at Sydney Institute of Technology and was heavily involved in the development of some national competency based courses. I was managing a programme and had a subject called Computer Operations (which no one else wanted to teach let alone develop the learning materials for it). So I took it on. The course involved the history of computing and the evolution of equipment and computer security. I charmed the Officer in Charge of the Computer Crime Unit of the Australian Federal Police to come and speak to groups of students every semester. In the process I became enthralled with security and my career path ever so slightly deviated.
I went into Staff Development and Training at Sydney Institute, initially to provide relevant IT training for both academic and non-academic staff. That developed into providing career development training for a range of professionals including those from IT.
In 1996 my husband and I moved to South Australia and I began working in the Utilities sector. My first job here was a supposedly short term contract to document an ERP system. I say supposedly because I stayed with the organisation for almost 7 years! I became project manager, and supervised application security before moving on to infrastructure services management, IT contract negotiation, Information Security Management and finally CIO.
Then in 2002 Vectra made me an offer that would put me where I really wanted to be…full time information security and as they say the rest is history!
Has being a female working in the security industry ever been an issue for you?
I believe that women often find that they need to be better qualified, have more experience and be more decisive to get to where they are going. I think my real issues were in straight IT as opposed to security. There are very few very senior women in this field in Australia so I acknowledge that to some degree I am a novelty but people soon learn that I am no fool and have worked hard to get to where I am. There is a granite ceiling, not a glass ceiling by the way, and you do need to carry a jack hammer with you at all times if you really are determined to succeed.
I did have a curious experience recently. I was at an international information security strategy meeting in the US a couple of weeks ago. When I was having a struggle to be heard, a man leaned over to me and said “it must be so hard working in a man’s world”! Of course, my point was heard and acknowledged which I think left this man quite flat-footed. I actually hoped he was joking too!
What is it about security that appeals to you?
The challenge. It’s an ever changing environment which requires you to keep up to date and focused on trends here and abroad as well as enhancing your own skill set and practices. I am in a role where I am often giving high level advice to senior management – and you don’t want to get that wrong! Reputation and trust are of paramount importance in this profession.
Where in the world has your career taken you?
Vienna, Austria; Munich, Germany; Chicago, Illinois; Scottsdale, Arizona; Las Vegas, Nevada; Toronto, Canada; Colombo, Sri Lanka; Singapore; Kuala Lumpur, Malaysia; Port Moresby, PNG; Auckland, NZ; Wellington NZ; and every capital city in Australia (many times over) and a few regional areas as well.
What have been some of the highlights of your career?
Working for some of the largest corporates in Australia; reaching the C-suite; being appointed to ISACA’s International Security Management Advisory Committee representing the Oceania region; my involvement with industry associations such as ISACA, Australian Computer Society, Women in Innovation and Technology and Australian Information Security Association; meeting the Queen of Sweden and then being seated with her for lunch.
The first woman to be elected the State President of ISACA (Information Security Audit & Control Association), you have been responsible for ensuring information security professionals comply with global standards.
You are also the Oceania representative and the only woman on ISACA’s International Security Management Advisory Committee.
What is your current involvement with ISACA, and what do the roles involve?
I am President of the Adelaide Chapter. I oversight all Chapter activities and am involved in ensuring that the needs of members from all three domains of practice are met. Those domains are assurance, governance and security.
I was appointed for a second time to the International Security Management Advisory Committee. I represent the interests of the Oceania region. It is my role to ensure that the research materials and professional development programs and security models that we produce are equally usable here as in any other part of the world. We meet face to face three times every year – usually in the US – which sounds glamorous but means around a 32 hour trip each way for maybe 5 nights on the ground. We conduct subject matter expert and fatal flaws reviews of all security related material and provide specialist input into other areas of the association.
Out of interest, ISACA is a global organisation with 70,000 members representing 149 countries.
As well as your position of Director of Information Security at Vectra Corp and your involvement with ISACA, you are also an active member of the Branch Executive Committee of the South Australian branch of the ACS (Australian Computer Society).
How do you manage your time effectively in order to be able to be active in so many areas?
The secret is to keep all the balls in the air without trying to be Superwoman. It’s about good time management and knowing when to say no and being enthusiastic about what you are involved in.
I guess the other reason is that I do only have two speeds – full throttle, pedal to the metal or completely couch potato, crashed out. So to get a lot done you do need to have a certain level of ‘hyperactivity’ that you can turn on when you need to.
A keynote speaker, you regularly present to a variety of audiences around the world on issues regarding security. How did you develop your presentation skills?
I believe that presenting is about infotainment – a combination of information dissemination and entertainment – getting the audience involved. I was first involved in adult education in about 1989 and found that I loved presenting so I started to learn more about it. In fact I started learning about the whole teaching and learning process. My first degree is in adult education with a major in HR and a sub major in psychology, all of which has been invaluable.
I think you have to feel comfortable presenting (that doesn’t mean not being nervous), know your material and let yourself enjoy it. I presented at a conference in Perth yesterday and I was nervous because it was the first time I had presented that particular material but I still enjoyed getting the audience involved.
How has being able to present to various audiences improved your career?
Networking and learning from others! You get an opportunity to meet extraordinary people from extraordinary backgrounds with extraordinary experiences that they share with you; all of which enriches your own experience and indeed your own practice.
As a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) and a Certified BS 7799 Lead Auditor, you are able to consult on a variety of information security issues.
What security threats should people be the most aware of?
That’s an incredibly long list! Potential for identity theft, data loss or misuse, information leakage, e-fraud, social engineering and other scams, and the list goes on.
With more social sites and networks popping up all over the net, what advice can you give to people in order to protect their identities and information that is so easily displayed to the masses?
Social networking sounds wonderful on the surface but the under-culture that is developing is frightening. By that I mean, the various types of predatory behaviour, exposing too much about ourselves that is always out there (something you may regret later), exploitation, extortion, bullying – again a long list of stuff to be aware of and to care about.
Just ego surf and you’ll be surprised what you’ll find that is already out there about you.
Finally, what advice can you give to anyone wanting to pursue a career in the security industry?
Get some good solid IT runs on the board first. Find out what you really want to specialise in, do one of the industry level security credentials and then put yourself on the market. However, it is a small field of practice (albeit growing); it is currently flavour of the month and therefore highly sought after, so roles are few and far between for the inexperienced. It’s a bit of a catch 22 really. There are a few graduate programmes out there but they too are hotly sought after.