Cybersecurity: CISO Secrets

Two top Chief Information Security Officers explore key topics on cyber-security.


Dec 21, 2018

Two top Chief Information Security Officers explore key topics on cyber-security. Industry Analyst, Michael Krigsman, speaks with two female experts in this male-dominated field.

Tammy Moskites is a Managing Director and Senior Security Executive at Accenture. She has 30 years of experience with expertise envisioning, building and leading security, technology and operational support organizations within many sectors. Her professional affiliations/volunteer work include ISACA, ISSA and MIS|TI. She is an Editorial Advisor at CISO magazine. As a global speaker, she is passionate about volunteering her expertise in IT security, career planning and mentoring/coaching at nonprofit companies, diverse chapters and IT events. She is enthusiastically involved with SheLeadsTech™. She is a Distinguished Fellow of the Ponemon Institute.

Jo Stewart-Rattray has over 25 years’ experience in the IT field some of which were spent as CIO in the Utilities space, and 18 in the Information Security arena. She specializes in consulting in information security issues with a particular emphasis on governance in both the commercial and operational areas of businesses. Jo provides strategic advice to organizations across a number of industry sectors including banking and finance, utilities, automotive manufacturing, tertiary education, retail and government. Jo is the Chair of ISACA’s International Professional Influence & Advocacy Committee and past chair of its Leadership Development Committee. She is past president of ISACA’s Adelaide Chapter and she has served as a Director on ISACA’s international Board of Directors. ISACA is a professional body with some 115,000 members in approximately 200 countries around the world and represents professionals from the IT assurance, governance and information security disciplines.


Michael Krigsman: I'm not going to take it anymore! I'm sick of all the security stuff! I'm sick of being attacked by scammers of every different imaginable description! But we don't have to because we have two amazing female chief information security officers in the house right now!

I'm Michael Krigsman. I'm an industry analyst and the host of CXOTalk. Before we begin, please, please subscribe on YouTube. I need you to do that.

We're talking about chief information security officer secrets. We're going to hear everything there is to know. We have two female CISOs in the house. Let's begin. I would like to introduce Jo. Jo, please tell us about who you are and what you do.

Jo Stewart-Rattray: Hi, Michael. How are you? I'm Jo Stewart-Rattray. I'm Director of Information Security & IT Assurance for a firm called BRM Holdich in Adelaide, South Australia. I actually operate mainly as a virtual CISO for a range of different organizations.

Michael Krigsman: Jo, tell us what are the key kind of thoughts that you are thinking about right now regarding this topic.

Jo Stewart-Rattray: Some of the things that I think about is actually the understanding of what security means to an organization. I think that's a really important point. Some organizations seem to think it happens to the other guy, and so it's still something that we battle today.

I've been doing this job now for about 15 years and I'm still hearing that. It's like, "Oh, yeah, but that won't happen to us. We're not a sexy, groovy company." Well, guess what.

Michael Krigsman: Okay. I have to say that right now, Jo, it's 4:00 in the morning where you are, and you're in the middle of the country, so thanks for being here at 4:00 in the morning. I'm putting up on the screen this amazing photograph. Tell us what that is.

Jo Stewart-Rattray: These are birds that live around us. They're Australian native parrots. They're called galahs. As the sun rises here, you'll actually hear them, so you might hear them before the end of the broadcast. We're a breeding ground for them, and so we have lots of mommas and babies right now.

Michael Krigsman: Well, you know, I hope we hear them because I think it's just great. Thanks for being here in the middle of the night.

Jo Stewart-Rattray: Thank you.

Michael Krigsman: [Laughter] Our other guest is Tammy Moskites, who is with Accenture. Tammy, how are you? Thank you for being here as well.

Tammy Moskites: Thanks for having me. Let me tell you a little bit about my background. I'm currently working for Accenture. I'm a managing director and a security executive that oversees primarily North America. I'm a career CISO by trait. I've been doing that most of my career. I've held roles of CISO at companies like Time Warner Cable, Home Depot, and a few others. Now I get to work with customers around the world and be that trusted advisor, so I was very fortunate.

Women in Tech: Chief Information Security Officers

Michael Krigsman: I'll ask both of you this. Among your peers, how many are women?

Tammy Moskites: Not many. Right now, I think the latest survey that was done by ISACA was, like, at 13% of the global Fortune 500 were women, and that's not just CISOs. That's CISOs, CIOs, and senior executives such as a VP in the technology arena. It's still a very, very small amount that equates to about 65 companies out of the 500.

Jo Stewart-Rattray: Yeah, I'd have to agree with that. I know that it's getting better. I remember when I first went to a security executive forum 15 years ago that there were two women. One was me, obviously, and the other one was a speaker, so it was very small.

I know that I'm really grateful for ISACA, as well, who put on a conference here recently where we had a panel of female CISOs, which I was lucky enough to moderate. So, we are seeing more, and they're actually really quite active in this space, which is great, and actively promoting the role of the CISO.

Tammy Moskites: Yeah, the other piece is that ISACA also has a thing called She Leads Tech. I've been really fortunate of being able to get involved with that program. Really, what we've been doing is working with women and getting them more involved, not just in technology, but technology leadership roles and how they get into the technology workforce, really focusing on the younger individual all the way up to people that are willing to make changes in their career. So, it's really exciting, just as Jo was saying, being able to moderate and focus on some of these women leadership panels have been very worth-while.

Jo Stewart-Rattray: Yeah, Tammy. I'm not sure that even you're aware of this, but I'm actually the global lead for She Leads Tech. On the volunteer side, I'm the chair of the Women's Leadership Advisory Council for ISACA, and it has had great success. What we didn't realize when we begin this journey was what it was going to mean to women in different parts of the world as well.

In some cases, in Africa, I was stunned to realize that we were not only providing a place for women to meet other professionals in the space, but we were also providing a safe space for them to tell some of their stories in pretty harrowing circumstances. The program has gone beyond what we had imagined. Yeah, like you, I love it. I think it's something great that we can both be a part of and that we can both promote what we do to other women to try and bring as many as we can into the profession.

Michael Krigsman: What are the keys to bringing women into the CISO profession?

Jo Stewart-Rattray: Yeah, look, you're right; it is a huge question. One of the things that we hear from women, and I've been hearing this for the last few years, is that they feel that there's a lack of mentors, a lack of role models, a lack of showcasing of women's careers. We need to be able to see women, other women, doing what we're doing. I think that's a really important piece of it is to ensure that we can show that people like Tammy and I have been doing this for a long while, we've survived and, in fact, it's a great career option.

Tammy Moskites: It's not an easy career. That's for sure, right? But I think that you have a great point about the mentorship. We really do have a lack of women mentors in the community. In light of that is that as the individual contributors or the folks that are looking to move ahead in their career are really trying to focus on, "How do I get that mentor? How do I get that right person to help me get to the next level in my career?" because a lot of what we do every day is high networking. That's how we get to the next level.

The other challenge is that a lot of women say, "Well, I don't get paid equally as the men do," and that's also very common but it's getting better. I really do believe it's getting better, but we still have a long way to go. People think that if they get into a cybersecurity type of role, they're going to be working 24 hours a day, 7 days a week, 365 days a year. As a CISO, yeah, pretty much that's been my life for a long time, but some of the other roles are more flexible for those that need more flexible work schedule.

Jo Stewart-Rattray: That's right, and I think that's an important point is that flexibility of work schedule. I know that in my world, like yours, Tammy, it's been pretty much like that. I came from the electricity sector originally, so that is 24/7, 365 days a year. But you can also choose industry sectors, if you like, which will allow far more flexibility too. I think that's the other thing.

Michael Krigsman: What are some of the other key factors that we need to put into place in order to prepare younger girls to go into technology as well as to work with established companies to create these role models and create the opportunities in addition?

Tammy Moskites: Well, I know that Accenture offers a lot of internship opportunities, and they focus on not just women and not just young girls, but a very diverse work panel of trying to get folks involved and interested in the cyber security industry. Most universities don't even have cybersecurity offerings, and so I recently just had somebody reach out and said that they were going into information technology but their university didn't offer anything on cyber or anything on security offerings and where would they get that learning so they can actually start doing things. What I encouraged them to do is look for internships into organizations that'll help balance out your skillset in addition to volunteering to balance out.

Things are changing rapidly. The cyber landscape is becoming more and more aggressive.

Jo Stewart-Rattray: I think, also, it's about image. It's the image of our profession as well.

I met a fabulous young woman in Ireland the year before last, in fact. She was saying that she came from a family of six boys and herself, and so she was used to that sort of testosterone driven environment. But there was only one other young woman in the tutorial group of 30 people. She came from a family of all girls and so, for her, the testosterone-fueled environment, the hoodies, and perhaps less showered young men amongst the group really put her off.

I think we really need to do something about the image as well to say it's not all like that. That's just university. That's not what our profession is actually like when you get into the hardcore work of it all. I think we have an image program and we need to attract young women.

Young women need to see another person in their own image, so they need to see another woman. If they see another young woman, then they'll be in, so I think we need to create opportunities for young women and I love the idea of internships. I think that's brilliant. And we need to, as I say, ratchet up our image.

Michael Krigsman: I want to remind everybody that we are speaking right now with two chief information security officers. It happens that they're both women. There is a tweet chat taking place right now. You can join in and ask your questions. We'll try to answer them during this live show on Twitter using the hashtag #CXOTalk.

Jo, let me ask you this. We talk about CISOs, chief information security officers. What is it that you guys actually do?


Jo Stewart-Rattray: That's a very good question, Michael. It's an interesting thing. We have a high-security focus, obviously, and we're dealing with technologists every day who are deep security professionals, if you like. We often have to find ourselves having to speak the language of business. We're the conduit to our fellows on the executive and, indeed, the board.

That in itself can be very interesting, particularly when you are speaking to a board of directors. I've had the experience where the board of directors has been largely tech-unsavvy because that's not their field. They're there because they're experts in their field, which may be something creative, as it was in one instance.

And so, given that, our role also becomes one of education. We need to educate those people who know that cyber is a thing and know that it sounds groovy but, indeed, we really need to be educating and saying, "This is what security is," and the lack of the proper protections can actually bring your company into disrepute and, in fact, bring your company down.

Tammy Moskites: Yeah, you're right. CISOs are really there to protect the data and protect the supporting business objectives. When we think about what CISOs used to do, like I said, we used to be "The Office of No," right? It's like, "No, you can't do that," "No, you can't do that."

Really, it's so important for us now to have that business hat. We have to make sure that we understand the business, we understand the risks, and we also share it with the business areas to allow them to make good, solid decisions on what things to accept and what things to move ahead with.

When you think about what we're doing, a CISO today, vendor risk management is a huge piece of what they do. Compliance is a huge piece of what they do. Everything from identity management to foundational security and partnering with the CIOs to make sure that they're there together working on a holistic program is just critical.

Jo Stewart-Rattray: I think you touched on a good point about risk management as well. All of a sudden, cyber has gone from being information security that was little understood and little known to being something that can be a major risk to an organization to the point where it has to be seen as a material risk on the corporate risk register. That's been a real shift in thinking, particularly for chief risk officers.

Tammy Moskites: Yeah, the risk management framework as a whole has to be properly governed, and that's right from the board of directors. That gives the board of directors the information they need to make decisions on whether they need to invest in something or not and it's very critical. You see it more and more as we sit on boards and as we participate in board of director meetings, whether it's our own companies or others. We find that that's a big topic, right?

Jo Stewart-Rattray: Yeah.

Tammy Moskites: Can we make decisions based on the data we have?

Jo Stewart-Rattray: It is a huge issue. In fact, I'm doing a piece of work at the moment for a client on that whole data governance piece because it's little understood.

One of the things that I'm finding more and more is organizations don't actually understand the data that they've collected, why they've collected it, what they're going to do with it and, indeed, how they're going to protect it, other than very basic, because it's scattered throughout the organization. That's the other issue. Some of the most critical information can be held in the oddest places. That protection piece is a huge one for us and that's something I know I'm certainly talking to my fellow executives and certainly talking to boards of directors about.

Tammy Moskites: Yeah, I know that ensuring that critical data is only accessible by those who need the data to perform the required tasks. That's the keyword, right? As we go into more and more compliance, whether it's GDPR or other types of things that are out there now from a regulatory perspective is that we have to make sure we know what we're securing and protect it. We have to make sure our third parties, fourth parties, whomever, are also ensuring that critical data is being secured.

Jo Stewart-Rattray: Another good point. Regulation has changed too. Certainly, you would have seen it, Tammy, as I have over the last 15 years. It's been quite amazing to see that difference. We once were so focused on protecting the perimeter of an organization and the data was secondary. Now, given the regulatory environment, data has become king or queen, essentially, so we have to ensure that we're actually protecting that and protecting it well.

We also have to make sure that our compliance look is right as well, look and feel is right, because that's the other thing. GDPR has brought on a whole new way of thinking. The interesting thing about that is a lot of people thought it was just going to affect the EU and the U.K. But, as we know, it actually has a global impact and it affects you sitting in the States, and it affects me sitting in Australia.

As CISOs, we have to be are of that as well. We have to be aware of the regulatory environment in which our organization operates as well as the context of the organization.

Are CISOs Businesspeople or Technologists

Michael Krigsman: Are you primarily businesspeople or technologists?

Tammy Moskites: Yes.

Michael Krigsman: Yes. [Laughter]

Tammy Moskites: [Laughter]

Jo Stewart-Rattray: [Laughter]

Jo Stewart-Rattray: I would have said the same thing.

Tammy Moskites: Yes. [Laughter]

Michael Krigsman: Okay, maybe just elaborate on that yes.

Tammy Moskites: Okay.

Michael Krigsman: Just a teensy bit.

Tammy Moskites: You know it's so important to understand the business. You know when you work for an organization as a security leader, like we were talking earlier about trusted advisors, we have to make sure, as we're that trusted advisors, that we're really partnering with the business and understanding each piece of the business and the risk associated with them. We have to have that business hat on. If you don't have a business hat and you don't build those relationships with your business areas, the challenge you're going to have, day in and day out, is that you don't know what you're doing.

You can't secure and protect what you don't know you have, but you also have to help the business areas understand the risk and the risk profile that they're bringing to the table. I mean the proper controls that need to be in place. Everything needs to be a well-orchestrated machine, right?

We wear these hats. We have our compliance hat. We have our HR hat. We have our business hat. Sometimes we're wearing all the hats at one time, so it's really important. It's critical to have that business hat.

Jo Stewart-Rattray: Yeah, I agree, and I also think we are that conduit. I think I mentioned it before. We're a conduit to the technologists as well because we have to work with those deep technologists.

For me, it is really important to understand your key stakeholders. Who are the key stakeholders? They may actually extend beyond the regular boundaries of your organization as well, so you need to be aware of that. You need to be aware of vendor management, contract management. All of that becomes part of what we do as well.

Yes, we are. I guess we are really business folks. I came up from an infrastructure background, so I was a tech on that side, and now I'm certainly much more business, but I certainly still look and work with my technologists in that tech space. I guess, primarily business, secondary is being a technologist.

Tammy Moskites: Yeah, because I started off an actuarial and then I went into technology and then I found myself back in technology in security over the years. Now, with the business hat that I have to wear every single day, I thank God I had some of that foundational business knowledge to actually bring it all together.

Jo Stewart-Rattray: I was just going to say it's funny that Tammy mentioned that she started doing something else like actuarial. I think you'll find a lot of people who rise to the surface in their professions have done that; they've done something else. I was in entertainment originally, so there you go.

Michael Krigsman: Oh, really? What did you do?

Jo Stewart-Rattray: Oh, I worked in radio for a while and then I was doing a whole lot of work in logistics for rock and roll shows.

Michael Krigsman: I wish I had known that because we could have asked you to spin some songs for us, spin some tunes.

Jo Stewart-Rattray: [Laughter]

Age Discrimination: Women Over 50 in Technology

Michael Krigsman: [Laughter] Well, we'll do that next time. We have a question from Twitter and it's going back to [when] we were talking earlier about encouraging more women to become chief information security officers. There's a question about what can be done to make it possible for women who are over 50 who want to get involved with cybersecurity. Any thoughts on that?

Jo Stewart-Rattray: Yes, absolutely. I am an anti-ageist. As far as I'm concerned, it should have nothing to do with age. It's about your capability in the space, whether that be from the technology space or whether it be from the business space. It's about your capability and your vision. I don't think it should be about age.

Tammy Moskites: No, I agree about that. I've hired many executives over the years and the last thing I look at is age. I think that if you're just starting to get into the cyber role in your 40s, 50s, or whatever, the big thing is to focus on where you want to go and what your goals are, if it's a CISO, if you have the skillset. If you don't, get a mentor. Find somebody, a trusted advisor, to help you get there because all of us, I mean I mentor people. I know Jo mentors people. We all do, and we help folks get to that next level, so don't let age get to you. Just go for it.

Jo Stewart-Rattray: Yeah. No, I couldn't agree with you more. I think it's a really important thing. Certainly, if you don't ask, you don't get, so ask somebody. If you really would like someone to mentor you, ask them. The worst thing they can say is no, and you go to the next person. Absolutely, I think that's a really important thing is to have a sponsor. Sometimes it can be in your organization, somebody who is prepared to sponsor you to the next step as well.

Clearly, you're prepared to do the next step, do the hard work. So, yeah, look for that actively.

As I said, I don't believe age should be an issue whether you be at the young end of the scale or the more mature end. It should not make a difference. Besides which, when I hire, I'm so terrible at guessing age. You could be any age.

Finding Mentors

Michael Krigsman: You both mentioned mentors as really important. What are some of the characteristics of a good mentor, especially when it comes to cybersecurity?

Jo Stewart-Rattray: Let me take that one first. I actually have what I call in my life "shining lights." These are people who I admire, I respect, and I certainly respect their approaches professionally. They might not necessarily be all in cyber, and they're not all women, but they're people who have informed my career in some way.

In my board life, I have someone who has been my board mentor for probably ten years now, an amazing individual who I respect, who I know is part of my cheer squad as well who I can ring and I know I'm going to get some sage advice or a good telling off if I need it, like, "Pull yourself into shape, woman." That's the sort of stuff that I appreciate.

I think it depends on you, as well, as to who you choose to do that. You might like some tough love, but you also might like someone who will gently encourage you to the next step.

Tammy Moskites: I think mentorship is really important, and I've been writing a book, actually, on mentorship and success planning, which I'm still working on. Hopefully, I'll get it out next year. With that, I really focus on what I've called "trusted advisor." The reason why I call it a trusted advisor is that we have our bosses and our bosses help us get to the next level and should be your coach, work coach, right?

When you're looking for a mentor, you're looking for somebody that you can talk to, somebody that you could actually have that ability to speak freely without any fear of retribution. You might look in your company, but I would never go to my boss as my mentor. Right? But that doesn't work all the time.

When you're trying to find that career and you're trying to find it, focus it, even if it's a contract base. We're going to meet once a month. We're going to talk about these topics. It's a mentorship. We're going to do it for 18 months. By the way, if things aren't working, we can quit. It's okay to say, "You know what? This mentorship is not working."

The other key piece is that sometimes I mentor four or five people at any given time. Sometimes, between our schedules and, Jo, our schedules are crazy, right? Just like theirs are. If I can't do a mentorship, there are a lot of people I know that could, based on what your needs are or what your aspirations are, will allow me to help you find one. Don't be afraid to ask, "Help me find a sponsor. Help me find that trusted advisor."

Jo Stewart-Rattray: I think that's absolutely right, Tammy. I would agree with you. Your boss is never your mentor because they can't be giving you that pastoral care, if you like, on one side and then kicking your butt to get the figures or whatever it might be on the other side.

Tammy Moskites: Yeah.

Jo Stewart-Rattray: It just doesn't really work, so you do need to look outside. Even as a sponsor internally in the organization, not necessarily your boss either. It should be somebody I think that is a little bit away from it who can see, who can stand back and see the bigger picture for you.

You're right. I'm the same. I'm mentoring about four people at the moment, a couple of which are distant. They're not here in Australia even. That's possible as well, thank goodness, with Skype and all kinds of things. You can actually continue to do that work as well, but I think it's really important.

The other important part is, as Tammy has mentioned, you don't always click with somebody. To have a good mentor/protégée relationship, you actually have to be able to relate to the other person.

Tammy Moskites: Right.

Jo Stewart-Rattray: Sometimes that can be a problem. You can quit, and you can find somebody else. That's the way it goes, and you shouldn't feel bad about that if you find the person that you've chosen for your mentor is actually not right for you. But do put a time limit on it as well. That way you can say, "Let's try this for three months." If at the end of three months it doesn't work, go look for somebody who is more your cup of tea.

Michael Krigsman: It sounds like, for both of you, this concept of mentorship has been extremely important. It sounds like, for anybody who wants to enter this field--actually, it's true with any field--men or women, that this is kind of foundational.

Tammy Moskites: It is foundational, absolutely. I mentor both women and men. I actually have one gentleman I mentor that is a CEO of a company at this time. We can balance however you want to do it, but it's very important to have that person you can go to and bounce ideas off of as well.

Jo Stewart-Rattray: The trusted advisor idea is brilliant because that's exactly what you become as a mentor. It should be Chatham House Rules. Anything that's said in that mentoring environment stays in that mentoring environment as far as confidentiality is concerned. I know I mentor one woman who is an exceptional woman and has had some exceptional hardships in her life personally, but we made that rule very early on, so she can talk to me about anything that she wants to. It might actually have something to do with her personal life and how it impacts on her professional life. It can get to that kind of level but, again, it depends on the pairing as to whether that will work or not.

Tammy Moskites: And your goals. It depends on the goals of the relationship.

Jo Stewart-Rattray: Absolutely, because that's the thing. You should be setting goals for that relationship as well. What do I want to get out of this? Where do I want to go?

The wonderful woman I'm talking about, her big goal was to understand, for her, what work/life balance actually looks like. I think that we're about six months in, and I think she's beginning to achieve that. That's a really good thing.

CISO Role: Communication and Education

Michael Krigsman: Let's shift gears here slightly, going back to something that we spoke about that you touched on earlier, which is the role of communication and education as part of the very crucial activities that a CISO performs. You mentioned boards, senior executives, and non-technical senior executives, and so here is my question around that.

We heard the U.S. Congress interviewing, grilling senior execs from technology companies. It was obvious that these folks, that these congresspeople were not technical at all. They didn't even know the questions to ask. They were kind of clueless, frankly. And so, how do you talk about cybersecurity issues with senior execs who are just not technical, but they're the ones who control the budget and they're the ones running the organization? How do you do that?

Jo Stewart-Rattray: It's really about making sure that you speak the language of business. We go back to that point again. You have to speak a language that they understand.

"De-geek the speak," is my little motto. "De-geek the speak" because, if you geek it up, they're going to just look at you, their eyes will roll, and no doubt you'll lose them. You actually have to put forward a proposition that hits the mark for them.

You put forward a proposition around the reputation of the organization, around the protection of the data that the organization holds. What would happen if we had an Equifax breach? All of that sort of stuff is the way that you need to address it with those people.

It is educative, absolutely, but I think it's about speaking to them in a language that they understand and really talk about the impact, the risk and impact as well, and the consequence of what could happen if you don't go down this path because it is still cyber. It has become such a sexy term with a lot of people that they don't realize what that means behind it. They don't understand the work behind it, so you have to explain what that work is behind it but in their language.

Tammy Moskites: Yeah and you know I think to boards a lot. You do have some technical folks occasionally on the board, and then you have some folks that aren't as technically knowledgeable, but they do have questions they want to ask you that they saw on the Internet or they went to some board of director internal audit meeting and got these ten questions to ask your CISO.

The reason why I'm smiling is because some of them, even if you answer them, they're not going to have any idea what you're giving them back, right? But what you were saying around bringing the brand and the reputational risk, the big projects that are on their plate that they made investments in, in the last board meeting, talking about the successes and the challenges around those initiatives are always great.

Bringing up a topic that's in the news and then bringing it to them in a way that they understand. I always say, "Coloring Book Method." [Laughter] I like the de-geek guise, but I always say the Coloring Book Method is to just kind of come in there and explain to them, from a risk register perspective, and keep it at the highest level but, also, make sure that they understand that their critical data and what they have to do is their responsibility. They need that information still to make decisions. A very high level, making sure that we're really keeping it at a point where they know what to do with it.

Michael Krigsman: I was going to say, Jo, so keep it simple and relate the cyber security impacts to the effect on the business or cybersecurity issues to the impact on the business.

Jo Stewart-Rattray: Yeah, absolutely, Michael. That's a way that this whole piece can be understood if they know what it means to the organization. People will say to me, "What do you do for a living?" I help organizations protect their boundaries and their data.

It's about keeping it as simple as that. It's probably an understatement of what we actually do, but at least it's keeping it simple in terms that can be easily understood.

Data Governance

Michael Krigsman: What about data and governance and the hygiene? I've heard you both talk about and use this term "hygiene." What does that mean in this context?

Tammy Moskites: Good data hygiene means knowing where your critical data is, giving people only the access they need to access the data at the right time at the right place and making sure it's secured and you have controls around it. Data hygiene, right now, what we find is a lot of organizations don't even know where their data is. They don't know where it's located. It's not classified. It's not secured. It's not protected.

Really coming around and saying, "Here is the foundational things that we need to have," and part of that is the inventory of our data. Right? We have to classify that. I don't need to protect all the data in my organization because that would be impossible, but I do need to make sure that when we're cleaning things up and making sure that we're doing the right things is that that critical data, your crown jewels, the things that are your customer data is all in the right place with the right security controls around it.

Jo Stewart-Rattray: I think that's right. The understanding of what your data is, is incredibly important. Tammy mentioned about you don't know where your data is. Well, we live in a cloud world so, quite often, your data is not going to be local. It could very well be replicated offshore.

That's something to be considered as well. Where is it being replicated to? Where does it actually live? I know that under some circumstances under Australian law, there is particular information that has to be really protected like the crown jewels, so that needs to be kept un-replicated onshore.

Organizations are certainly beginning to. I'm seeing the beginnings of them questioning where my data is, and not just the data itself, but the backups of the data. So, that replication piece is really important to understand where your data is and how that's being protected, particularly as it traverses the world.

Michael Krigsman: We've been talking mostly about business-focused issues but, from a technology standpoint, what are some of the key issues, obstacles, or challenges that you see companies face?

Tammy Moskites: Right now, as I talk to customers, I've been fortunate enough. Like I said, I've been talking to CISOs for the last three, four years around the world. When they look at initiatives or technology initiatives that come through, they're coming so fast and they don't get security involved in the discovery phases.

When I look at the challenges that organizations are having around the technology-driven projects, they're making sure that security is embedded in the beginning in the discovery phases and the decision-making process. The CIO and the CISO now have to work in concert to make sure that things are successful.

Jo Stewart-Rattray: Absolutely. I actually started in my C-suite career as a CIO, so I've seen it from both sides. You're absolutely right. If you don't work in concert, then you've got a world of pain that's going to happen to you. You absolutely have to work together to be able to ensure that the protections and the controls are in place that should be from the ground up.

Also, that's really important when I see and hear a lot of senior execs and boards talking about data breach. Breach is a really big concern these days and it's getting more so, particularly as we look at more nation-state style attacks. That's becoming a real issue for organizations.

Tammy Moskites: Yeah, we're seeing a lot of phishing, malware, social engineering. That's been around forever, but it's still the most common ways to get into the organizations. They're utilizing malware. They're using false certificates to extrapolate data that's encrypted, so they're just stealing it without you even knowing it.

The ability to send phishing emails that are so creative and they look so good that people are getting ransomware attacks, et cetera. It just continues to proliferate the whole environment.

But I think it's important for organizations to continue security awareness training because people still click on things. People still do it. They're like, "Oh, well, do we really need this awareness again?" You're like, "Yeah, you really need that awareness." It's something that you have to keep fresh because we all get lax.

Michael Krigsman: We have seven minutes left, and there are a lot of things that we haven't spoken about. Let me ask you both a bunch of questions and I'll ask you to give short answers and, in your short answers, to kind of summarize everything you know and have ever learned.

How to Prevent Phishing Attacks

Okay, so number one: You were just talking about phishing, and it's a big problem. Just very quickly, what top-level things can companies do to reduce the threat of phishing?

Tammy Moskites: Phishing awareness, awareness, and awareness, and also do some phishing tests in your organization. Some people say that they're not effective. I find that they are effective and people get an opportunity to learn from their mistakes, but education is key.

Jo Stewart-Rattray: I absolutely agree with that. Education is the key.

There was also a classic… here some years ago. The auditor general in the state of Western Australia was looking at the security of government organizations. They just left around, strategically, USBs on people's desks or in lunchrooms, and these had a phone-home effect on them, a dial-home effect on them. And so, they could see how many people didn't turn them in, didn't do anything with them, but they were labeled "Executive Salaries," and so people, of course, immediately stuck them into a machine.

That was a classic bit of social engineering. That was a couple of years ago, but I still see this sort of stuff happening where people will pick up a USB and go, "Yeah, right. Executive salaries, I better have a look at that."

Awareness, awareness, awareness, communicate, communicate, communicate right from the top to the bottom and back up again. I think that's really important.

Tammy Moskites: We did one that said "Confidential" on it and, on the other side, "If found, return to this address." I think we got 5 back out of 100. [Laughter]

Jo Stewart-Rattray: Yep. I would believe it. I would believe it.

Tammy Moskites: We had probably 20. I think it was like 24% shoved them into their computers.

Jo Stewart-Rattray: I guess the whole thing about the awareness piece, too, is it's that continual education. For us, it's kind of a challenge to find different ways of getting these messages across.

Tammy Moskites: Yeah.

Jo Stewart-Rattray: You can't just do the same old, same old.

Michael Krigsman: It sounds like you've both kind of been through a very similar exercise. As a layman outsider, I have to say I find it extraordinary to hear what you've just both been saying.

Jo Stewart-Rattray: You'd be surprised, Michael. There are so many of these things that you wouldn't consider to be an issue, but still are an issue today, such as privileged users, for instance. Let's get all of that out on the table, too.

One of the big things companies have issues with is privileged users. How much information does this person have? What are they doing with it? Can they send it offshore? Can they send it out of the organization? It only takes one rogue, and you've got all kinds of problems.

Tammy Moskites: Yeah. We're talking about that, right? You have user IDs and passwords for people, then the level of access they have. How do we control it? How do we control when they transfer to a new job within the same organization? Are they getting their access just what they need at the right time?

In addition to just like what was mentioned earlier about certificates, just like machine identities, which is a huge right now when we're finding more and more that people are losing data and companies are being breached because machines talk to machines and they use keys and certificates. We secure and protect the identities of people, but we're not securing and protecting the identities of machines. It's a huge problem.

Cybersecurity Advice for Managers

Michael Krigsman: Okay. Again, as we kind of finish up here, what advice do you have to organizations, to senior level managers, not necessarily the board, but senior-level managers? Really quickly, what advice do you have for those folks? Jo, want to start with you?

Jo Stewart-Rattray: Yeah, absolutely. Use your chief information security officer as a confidant, almost. Make sure that you work in concert with that person. Make sure that they understand your requirements and you understand the requirements. I think that, working in concert, is really, really important.

And -- this sounds like I've got a tip for you -- listen to your chief information security officer.

Michael Krigsman: Okay. Then, Tammy, what's the difference between a CIO and a CISO?

Tammy Moskites: The CIO and a CISO are both there to protect and manage assets and information, but from two different viewpoints, and that's a good thing. For an example, a CIO's function is really to ensure systems and information is available and accessible to whoever needs it, whereas the CISO's function is really to make sure that that information that's available is accessible and has the proper controls in place to make sure only the people that need it have access to it and that it's secured and protected in the way it's supposed to be.

Michael Krigsman: Then, as we finish up, what advice do you have? I'll ask each of you; what advice do you have for women? You mentioned this earlier, but for women who are watching and they say, "I don't know how to get to that point. What do I do?" What advice do you have?

Jo Stewart-Rattray: I would say, certainly hook into the She Leads Tech program. That's one way you can connect with other women, and you can network with other women. You don't know what opportunity that might lead to.

A very quick story: I was sitting on a sofa in a bar in Chicago, Illinois, talking to some fellow ISACA members. Another Australian came up to me and said, "Do you like the job that you're currently doing?"

I went, "Well, yeah, it's great."

And they said, "Do you like the organization?"
"Yeah, it's great."

"Would you consider taking another role?"

In six weeks, I had a brand new job, so those sort of things where you hook into those programs where there are likeminded people that you can network with, that could be your story too. That next job is just around the corner.

Michael Krigsman: Tammy, what are your thoughts? Really quickly because I have another question that I have to ask you both. [Laughter]

Tammy Moskites: Okay. No worries. I think that, from a woman's perspective, get involved with She Leads Tech. There's the Executive Women's Forum, which is a really great opportunity for you to get involved in. Find a mentor. Reach out. Be confident. Be good in your own skin.

The one thing I want to mention is, if you want to apply for a job, women look at job recommendations and they say that they have to almost meet 100% of the requirements before they apply for it whereas a man does about 50% of that and applies for it. This was a study. This was a study. It's not a Tammy ties thing. It's a study.

The thing that ended up happening is that we, as women -- if you have 80%, if you have 60%, apply for the job. Take a chance.

Women in Tech: Advice to Corporate Leaders

Michael Krigsman: Okay. We're out of time, but one more, one last question. Regarding getting more women involved, what advice do you have for corporate leaders?

Tammy Moskites: I encourage corporate leaders to make sure that they actually have programs and diversity programs within their organization. As I stated earlier, diversity is more than just bringing more women in. It's really bringing that diverse talent in, bringing the right people in for the job.

The way that you can bring more women is, I know at Accenture I'm involved in the diversity program and my focus is bringing more women into Accenture. They have a program that, by 2025, they want 50% of the workforce women, and they're well on their way to there. It's really just making sure your company is focused on it, but also volunteer. Go to HR. Volunteer your time.

Jo Stewart-Rattray: Employees, my piece of advice is to take the bias out. Take the bias out of the way you recruit.

Tammy Moskites: Yep.

Jo Stewart-Rattray: Make it so as working arrangements can be flexible to allow people to pick up primary care, to pick up and drop off kids at school for instance. That's really important. That actually is good for men as well who are in that position.

Absolutely, take the bias out. Try and interview as many women as men for these roles and, certainly, do it on merit. I'm with Tammy on that. You always have to recruit on merit. Just take the bias out of your approach.

Tammy Moskites: Make sure you're paying fairly. That's a big thing that human resources and the comp teams need to really understand. It's very important to make sure that the women's salaries are catching up to the men's.

Jo Stewart-Rattray: My advice to women on that is, if you're asked what your current salary is, make sure you go in armed with what the salary in the market for that role is. We sometimes do ourselves a disservice by being incredibly honest and saying, "Oh, I'm making $50,000," where in fact the job is worth $80,000. You have to make sure that you go in well-armed as well, ladies.

Michael Krigsman: Okay. We're out of time. Let me just ask you one last thing. [Laughter] Just given everything you know about security, what's the final piece of advice that you have to offer to any of the constituencies that you want, just really briefly?

Jo Stewart-Rattray: Be involved. I guess it was probably the best turning point in my career when I went from CIO to CISO. Be involved. If you want a job in this field, it's possible. If you want to protect your business, be involved with security. Really, from every perspective, you have to be a part of the security sphere given the world that we live in.

Michael Krigsman: Okay. It looks like, Tammy, you're going to get the final word here.

Tammy Moskites: Well, Jo spoke really clearly on it, but I'm telling you the main thing you want to do is be involved, be passionate, love what you do every day. Focus on doing the right things right and for the right reason. Keep your integrity. Honestly, that's the most important part of who we are as security leaders. And make sure that you build solid and maintain those relationships because it'll help others come into the business as we find ways to move into different areas of the business ourselves.

Michael Krigsman: Okay. We are out of time. Man, that was another fast, fast show. We've been speaking with two amazing chief information security officers, and I'd like to say thank you to you both. Tammy, thank you for being here, and I hope you come back another time.

Tammy Moskites: Thank you.

Michael Krigsman: Jo, thank you for being here at 4:00 in the morning Australian time. I hope you'll come back as well. Let's do it once again.

Jo Stewart-Rattray: I'd love to, Michael, and the birds are just waking up.

Michael Krigsman: All right. Thanks so much, everybody. I hope you have a great day. Be sure to go to We have lots and lots of similar and great, great videos. Be sure to subscribe on YouTube. Oh, and also, follow CXOTalk @CXOTalk on Twitter. Thanks a lot, everybody. Have a good one. Bye-bye.

Published Date: Dec 21, 2018

Author: Michael Krigsman

Episode ID: 572