
Interview Series - Jo Stewart-Rattray VP of ISACA

As part of the Infosec Professional interview series, we are lucky enough to have grabbed some time with Jo Stewart-Rattray, Director of Information Security at RSM Bird Cameron and International Vice President of the Information Systems Audit & Control Association.

Ed: Hi Jo and thank you for agreeing to the interview. How has information security changed in the last 3 years (perceptions, threats, protection etc)?
Jo: Information security is ever evolving; however, the last three years have seen an acceleration in the speed of events. There have been a greater number of attacks, in some cases on iconic brands. The rise of social media has given organisations new internal issues to consider, together with the move to the cloud and the potential jurisdictional issues that come with such a move.

What do you think are the main threats facing organisations in 2012?
Jo: Use of cloud providers, and indeed other providers, without proper due diligence and without appropriate service level agreements being in place. The big questions could be “Where is my data?” and “Who, under law, can access it?”

Are organisations ready to deal with those threats and what can they do to protect themselves?
Jo: Good research into the provider and the due diligence previously mentioned are extremely important. Of course organisations are able to deal with this sort of threat. It’s about an awareness of the risks involved and undertaking the appropriate treatment of such risks. Guidance on this is available at www.isaca.org/cloud.


What do you think are the main threats facing individuals in 2012?
Jo: Unbelievably, scams are still an issue for individuals. They become more and more sophisticated and less easy to identify. Privacy is another issue. How much is out there about you? Can someone recreate your identity? How much should you release to the world via social media and other outlets? Cyber bullying and cyber trashing are both issues as well. People tend to behave very differently online if they perceive there is a degree of anonymity.


Infosec has now become an independent profession, with job titles, budget and certifications. What challenges do infosec professionals face in 2012?
Jo: Some may face budget cuts and, potentially, job layoffs if the economy is affected by the European debt crisis. There are still organisations that see information security as a discretionary spend. Of course, the bad guys don’t stop just because the economy is less than booming. On a more positive note, information security professionals must keep abreast of trends and ensure that their continuing professional education programme is in place. They should also look to certify if they have not already.


What are the key qualities that organisations look for when using the services of an infosec professional?
Jo: Certifications, experience and background are probably the three most important.

Which credential will be in hot demand for 2012?
Jo: Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC) are certainly both growing. CISM was named a top certification in 2012 by the Information Security Media Group (ISMG) and CRISC has been earned by more than 16,000 professionals in its first two years.

Ed: Thanks to Jo for giving us her insight into the current trends in Information Security for 2012 and beyond.
