Interview Series - Jo Stewart-Rattray VP of ISACA

As part of the Infosec Professional interview series, we are lucky enough to have grabbed some time with Jo Stewart-Rattray, Director of Information Security at RSM Bird Cameron and International Vice President of the Information Systems Audit & Control Association.

Ed: Hi Jo and thank you for agreeing to the interview. How has information security changed in the last 3 years (perceptions, threats, protection etc)?
Jo: Information security is ever evolving; however, the last three years have seen an acceleration in the speed of events. There have been a greater number of attacks, in some cases on iconic brands. The rise of social media has given organisations new internal issues to consider, together with the move to the cloud and the potential jurisdictional issues that come with such a move.

What do you think are the main threats facing organisations in 2012?
Jo: Use of cloud providers, and indeed other providers, without proper due diligence and without appropriate service level agreements being in place. The big questions could be “Where is my data?” and “Who, under law, can access it?”

Are organisations ready to deal with those threats and what can they do to protect themselves?
Jo: Good research into the provider and the due diligence previously mentioned are extremely important. Of course organisations are able to deal with this sort of threat. It’s about an awareness of the risks involved and undertaking the appropriate treatment of such risks. Guidance on this is available at

What do you think are the main threats facing individuals in 2012?
Jo: Unbelievably, scams are still an issue for individuals. They become more and more sophisticated and less easy to identify. Privacy is another issue. How much is out there about you? Can someone recreate your identity? How much should you release to the world via social media and other outlets? Cyber bullying and cyber trashing are both issues as well. People tend to behave very differently online if they perceive there is a degree of anonymity.

Infosec has now become an independent profession, with job titles, budget and certifications. What challenges do infosec professionals face in 2012?
Jo: Some may face budget cuts and, potentially, job layoffs if the economy is affected by the European debt crisis. There are still organisations that see information security as a discretionary spend. Of course, the bad guys don’t stop just because the economy is less than booming. On a more positive note, information security professionals must keep abreast of trends and ensure that their continuing professional education programme is in place. They should also look to certify if they have not already.

What are the key qualities that organisations look for when using the services of an infosec professional?
Jo: Certifications, experience and background are probably the three most important.

Which credential will be in hot demand for 2012?
Jo: Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC) are certainly both growing. CISM was named a top certification in 2012 by the Information Security Media Group (ISMG) and CRISC has been earned by more than 16,000 professionals in its first two years.

Ed: Thanks to Jo for giving us her insight into the current trends in Information Security for 2012 and beyond.