• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.


    Add comment
Garrett O'Hara

To say that Jo is heavily involved in the cyber security industry is an understatement. Jo has worked in security leadership positions with a host of of organisations, and has also has served in industry bodies such as AIIM and ISACA, and was a civil society member of the official delegation to the UN’s 62nd Session of the Commission on the Status of Women.

Jo’s experience and knowledge of the cyber security industry was simply too large for just one episode, so we have split it in two. In this first episode Jo’s provides her perspective on security leadership, reporting structures, cyber strategy and budgeting. Stay tuned for part two of this conversation where Jo and Gar have a very frank conversation about gender diversity.


The Get Cyber Resilient Show Episode #48 Transcription

Garrett O'Hara: Welcome to the Get Cyber Resilient Podcast. I'm Garrett O'Hara and today I'll be speaking with Jo Stewart-Rattray, Chief Security Officer for Silver Chain. Jo was on a panel discussion recently and it became clear that she needed way more runway than a 20-minute conversation with three other panelists offered. To say Jo is heavily involved in our industry is an understatement. She's done security and security leadership practice within organizations, but also has served in industry bodies such as AIIM and ISACA and was part of the civil society member of the official delegation to the UN's 62nd session of Commission on the Status of Women. This was a big conversation, so we have split it into two parts. This episode covers Jo's perspective on security leadership, her insights into reporting structures, cyber security strategy and budgeting. Then we'll release part two of this conversation where we have a very frank conversation about gender diversity. For now, over to part one of the interview. Welcome to the Get Cyber Resilient Podcast. I'm Garrett O'Hara and today I am joined by Jo Stewart-Rattray, the chief security officer at Silver Chain. How are you doing today, Jo?

Jo Stewart-Rattray: Really well. Thank you, Garrett.

Garrett O'Hara: Awesome. So, so nice to get to talk to you again. This, for the audience's information, is off the back of a, a panel discussion that you were on. It was very clear that you had some very cool things and, and insights. And unfortunately, the time constraints on the day didn't let you do that. Thank you for agreeing to the conversation. I very much appreciate it.

Jo Stewart-Rattray: My pleasure.

Garrett O'Hara: So, look, we always like to start the conversation with the, the guest and doing a little bit of their bio. I was kind of doing the research on Jo. It sounds kind of creepy these days but, you know, in the spirit of the podcast I have to know, people that are coming on.

You have a really, really long list of things you've done, achievements, positions that you've held at a senior level. And, you know, some of the, the things I would call out, it’s like a chair COVID Working Group, Women's Leadership Advisory Council, past director, International Board of Directors, civil member of the Official Delegation to the UN 62nd Section of the Commission on the Status of Women at department of Prime Minister and cabinet in the office for women.

And I think that was a trip over to New York, which we'll hopefully get to a little bit later. Ma'am, and then you're heavily involved in the, She Leads Tech. So, I don't want to steal your thunder, but we're probably only going to get to cover some of your bio, but it'd be awesome to hear from you your journey, like how you got to where you are today.

Jo Stewart-Rattray: Yeah. I'm not going to start too far back, because that starts getting really long winded as we've already had a little chat about some of that. Yeah, I started out in infrastructure, so pretty keen on, on, data centers. You know, that, that was where I, I started my career in Tech. and from there I sort of wound my way up the corporate ranks and became a CIO. And I became a CIO interestingly in the electricity industries. And so, I ended up by being responsible. I was one of the first CEOs in Australia to be responsible for both near real time and real time operational control systems in SCADA as well as business [inaudible 00:03:26]. It so really interesting juxtaposition.

And so that was, that was where, my, I guess C-suite career began. I then got a tap on the shoulder from a large consulting firm and asked me whether I would like to come and do the security piece with them because the organization that I was involved with at the time was had the pilot of a security operations center for the national electricity grid.

So, security had become a real focus for me. And so, you know, I was asked, would you like to come work with us and manage our consulting team and, you know, blah blah. And so, I thought, no, this is an opportunity that I really can't say no to. So, I did that. And so, I went into the professional services space where I still, you know, I have two hats. I, I lead practice, an advisory practice, which is focused on security and Technology assurance. but I succonded myself to the role with, with Silver Chain Group as their chief security officer. So, and that was about just over a year ago.

And so, it, it really is good for me because it puts me, very much in touch with what my clients are facing every day. So, it puts me back at the coalface. So, I think it actually offers my clients the best of both worlds. Uh, and you know, of course in the interim to all of that, I, I went ahead and did a whole bunch of credentialing. So, you know, I have the ASARCO major credentials as, as well as a couple of degrees. So, you know, I just figured that I had to keep ahead of the game. And so that's lifelong learning is a thing for me.

Garrett O'Hara: The list of credentials is actually visually, nearly longer than your name, job title and company [laughing] put together. So that's a, that's sort of says everything you need to, to know. hello. So, you've obviously you've been around this for some time. and in those kind of leadership roles, which I think is obviously critical these days, how have you seen the role of what say CSO, but maybe broader security leadership? How have you seen that change over the time you've been involved?

Jo Stewart-Rattray: It has absolutely changed there. It's really, it's interesting because there are some things that have remained the same and there are other things that have changed dramatically. I think the relationship between CSOs, and CIOs has changed.

Garrett O'Hara: Yep.

Jo Stewart-Rattray: I also think that we still faced in this country, an issue around where the chief security officer or chief information security officer's role sits.

Garrett O'Hara: Yep.

Jo Stewart-Rattray: To me, it should not sit reporting to the CIO because that's who who's policing the police. Right? If they vested interests to me, the chief security officer should report directly to the CEO or the chief risk officer, because we're talking all security is about risk, right? So, that's, there's some of the things I've seen change is that that reporting structure, at least now we do have C-suite security officers were previously when I first started in security. Uh, that was not the case. Absolutely not the case. You were at best a security officer.

Garrett O'Hara: Yeah, absolutely. And what do you see? How do you see that player? So, if somebody is reporting into a CIO, I've even heard of a reporting into CFOs, like into the finance kind of function.

Jo Stewart-Rattray: Oh. Yeah.

Garrett O'Hara: No, that's-

Jo Stewart-Rattray: Garry-

Garrett O'Hara: That is literally been the reaction when that's been brought up functionally, can you run us through, like, what goes wrong when the reporting structure is wrong? What's the kind of on flow effect?

Jo Stewart-Rattray: Good question. Because it usually ends up that there's not enough resources and not enough attention paid. And so that, that's where all of the problems begin. You know, if you're a report to a CFO, it's always going to be focused on the dollars and cents the bottom line and how much you are costing the organization, as opposed to, if you don't do this, what's that cost to the organization. So, you know, it's, it's, it's kind of flipping the thinking. So, I, I, I'm certainly not a fan of that. Uh, if you're reporting to the wrong person, if you talk, reporting to the CIO, there's going to be that push again for the CIO's vested interest. "Oh, come on, we have to get this project through. Sign off on the security, just sign off on the security." Or you'll have a CIO even worse, he'll sign off on the security and then get you to retrofit it. Right?

Garrett O'Hara: Right.

Jo Stewart-Rattray: So that also doesn't work. So, I think when the reporting structure is wrong, you end up with, you're always chasing your own tail. And indeed that's, that's where you find that, that issues begin, leaks happen, breaches happen as a result of, of always chasing your tail.

Garrett O'Hara: Yeah, now, I definitely get you. So, do you feel like, it feels like there's a broader understanding of the importance of cyber security? You know, we're seeing big logos hit the news, the impacts. So, you know, the, and I hate the expression, but like the business side is starting to understand a little bit more about the risk and the importance of cyber. Do you feel like that's helping kind of erode some of the friction between like the CIO or there's an IT strategy that might not line up as you have just said with what best practice security looks like? Is that starting to erode based on the kind of mainstream realization, which I think I've just made up a word, but mainstream realization of cybersecurity?

Jo Stewart-Rattray: I love new words. That was great.

Garrett O'Hara: Thank you.

Jo Stewart-Rattray: It’s not even, it's not even big words these days. that's a whole other story. I, I think what we're seeing is we're certainly seeing, audit and risk committees and boards committees- and boards getting all excited about cyber. Cyber, cyber, cyber. Right? But what does that actually mean? You know, so there is a focus, but what is the focus on? And is there, the resourcing issue always comes down to the resourcing. And when I talk about resourcing, I'm talking about human resourcing and capital resourcing as well. You know, you need, you need, you need both. You also need the buy-in from across the business as well. So, there's the recognition. It's not just about it being a, we've got to do security it's because the IRCD told me, or I read this report in the fin review that told me it's, we've, it's about recognizing what happens if you don't have good security in place.

So, I think it's still an education process. I actually think that the security, the chief security officer's role is still about educating the general executive and indeed the board.

Garrett O'Hara: And then, I mean, one of the common themes is the communication part of risk to a board. And, you know, we've talked on the show quite a few times about how abstract cybersecurity is and some of the concepts when you're trying to... Suppose, when you're trying to get the importance of a program of works, when its security related across to a non-technical audience, generally, like that's quite difficult. Everyone can point to a burglary. We all understand that we can understand what a flood or a fire is, but I'd love to get your insights in terms of like communication to the non-technical audiences and things that have worked for you.

Jo Stewart-Rattray: Communication, communication, communication is absolutely the name of the game. It's also about cross, cross organizational collaboration. I think once you get that, that cross organizational collaboration, it's easier to have those discussions. so that's about, I always frame it as a security first approach. We need to look at security first and particularly in organizations for whom Technology is not their core business, particularly where I, I'm sitting at the moment. These people are extraordinary carers. They want to care. And look after people, you know, they're providing a hospital in the home services and indeed in some cases, palliative care in the home, you know, which is pretty tragic traumatic stuff.

So, for them, security is not the most important thing. So, you have to talk to them in terms that they understand. So, you talk about the privacy issues that because, you know, we now say, I certainly see now that privacy risks, security and physical security are actually converging.

And if you think of it as a Venn diagram, there's that bit in the middle where it all converters and we have to all be talking together. So, if I actually have, have developed relationships with my colleagues and all of those areas, so when I report to the board, I'm reporting in a holistic manner. So again, that means that it's in terms that they, that they are going to understand, because we are talking in terms of risk. We are talking in terms of privacy. We are talking in terms of the HVAC system, that's on the network, that's gonna, you know, gonna report back to somewhere else. So, all of that is, is, is how I, I take it in those terms that it has to be. it has to be holistic, and it has to be that cross-collaboration, it has to be security first. It has to be in the terms that the business understands.

Garrett O'Hara: Yeah, now definitely, definitely get you. Do you feel like that's the thing that has changed then in security leadership? Because one of the other themes that has come up quite a lot is how call it, the human side of cybersecurity has become more important and not end user awareness training, but navigating organizational politics to your point, building advocates in non-Technical or non-cyber functions so that when it comes time to present a program of work, so you are buy-in because you've invested the time over a year or two years. So, people they understand who Jo is, they understand where you're coming from, what the outcomes are for them. Is it like, is that a fair comment that that's changed in terms of security leadership?

Jo Stewart-Rattray: I think what's changed is trust and confidence. I think if you, if you listen to the business than if you almost take on a consulting, internal consulting role, listen to the business and you get their trust, and they'd begin to have confidence in you, it's more likely that you will get what you need to do your job better and therefore better protect the organization and the data that is the keys to the kingdom.

Garrett O'Hara: Yeah. Which makes sense. Here's the question. Do you feel like the, the role of the CSOs is actually well understood, maybe not in your organization specifically, but as you kind of speak to peers or, you know, have those conversations in the broader cyber security industry? What a CSO does and their kind of remit, do you feel like that's understood well, and clear, clearly?

Jo Stewart-Rattray: Oh. Probably not.

Garrett O'Hara: Yah.

Jo Stewart-Rattray: I think there's, there is that misunderstanding that it's all about, you know, zeros and ones. Well, we've just talked about communication, right?

Garrett O'Hara: Yeah.

Jo Stewart-Rattray: So, in fact, I think that, yes, zeros and ones play a part of it, but I think the good CSO is the one who can speak the language of business can, is, is in the right reporting on, because it goes back to what we're saying before about reporting line, reporting line, wrong, this whole thing. Doesn't it mean that actually shows that the role of a CSO is not well understood.

Garrett O'Hara: Yeah.

Jo Stewart-Rattray: So, I think that's, that's really important. I think that there is potentially a confusion between the role of a CIO and the C- CSO. Uh, so that's another discussion point is, is to, the differentiation. the understanding of security governance is, is not necessarily well understood. So, you know, they understand sometimes Technology governance, but they don't realize that Technology governance and security governance are two separate animals, but they are aligned. They must be aligned. Right? And they have to cascade from the overall organizational strategy.

Garrett O'Hara: And how does that conversation these days with the, like the CIO, you know, the people with its strategy, do you feel like you've got that buy-in in a way that you didn't before or in the industry that that's, that's become better? You know, the CSO, CIO aligns kind of on the same strategy or is there jostling for position and, you know, the-

Jo Stewart-Rattray: Oh, I think there's still jostling for position. I also think that there is.

Garrett O'Hara: Mm-hmm [affirmative].

Jo Stewart-Rattray: It depends on the organization indeed. Sometimes it depends on the personalities in those roles as well.

Garrett O'Hara: Yeah.

Jo Stewart-Rattray: As to how well they work together. You know, I'm a great believer in, you know, you've heard me talking about cost, collaborate, cross organizational collaboration. I'm a great one for getting more rubber on the road. You know, surely, we should be working together rather than against one another. This is not a competition, you know, nor is it nor is it, a popularity contest, you know, he's more popular than she is or whatever it really is about how you can work together to better service your client base internally and indeed therefore protects the organization.

Garrett O'Hara: Yeah, no, I definitely get you. And one of the things you mentioned as you were kind of talking through this stuff is the like non-Technical companies and obviously, you know, Silver Chain being, being kind of non-Technically on the Technical fundamentally, be very interested to get your perspective on that because I suspect, you know, organizations who are Technology companies, maybe, I don't know, sell software, do whatever. They'll, they'll probably have a fundamental understanding of the value of security versus, if I sold lumber for example, but that's my job, right? I mean, I should know everything about wood and have green works and you know, what way to go, a quarter saw like a log in, whatever stuff is involved in, lumber sales. I'm totally guessing here, but, um.

Jo Stewart-Rattray: You sound good. You sound like you know what you're talking about.

Garrett O'Hara: Okay. Thank you. but you know, like when I think about the, the expertise that's required to run a business in lumber or any of those kinds of non-Technical type of organizations, that's a real challenge. Like w- how, what's the, what's your insights, the approaches that you've seen work?

Jo Stewart-Rattray: I think the trick about that is when you, when you're talking to your fellow execs or those that those who are in the level above, perhaps it's about talking to them in the terms that they understand. And, and if it's about lumber, let's talk about lumber and how this affects your lumber business. How does this affect your business? What is the, danger to you importing more lumber if, if you have a security breach?

You know, all of that stuff is about, you have to put it into terms that, that people understand. So, in, in the Silver Chain world, I have to put it in terms that clinicians will understand. and you know, I, I was having a discussion recently about security awareness, for instance, when we talk about the people's side of security, you know, and, and one of the things that a clinician said to me is that we like to see people who look like us.

So, I thought that's interesting. So, for security awareness, they need to see somebody who looks like they're one of those, the nurse clinicians, who I call the road warriors, they're incredible. They're on the road looking after people. And I thought, isn't that interesting because they need to feel that they are a part of this. So, there's the people that they need to feel a part of the security hole, part of the Technology hole, even though they're from a non-Tech business. So, if you, if you insert a character that looks like them into your animations, then for security awareness, you might have a, more of a goal of getting the message across.

Garrett O'Hara: Yeah. That's a really interesting, interesting point. I hadn't really thought of it that if I'm honest before, you know, the, the importance of, you know, those kinds of those small nuances that are role-based or person based that, yeah. How often messaging just flies past somebody because they can't relate to the character, or they don't feel like it's relevant. You know, this is somebody in an office. Why would I care? I met on the roads on helping people as they, as they struggle, or, you know, palliative care and those kinds of things. yeah. Interesting. So would you, would you then point to [bespoke 00:19:28] kind of awareness training depending on the organizational types and because obviously there's a lot of overhead then in creating content and managing content and all that kind of stuff. Like what's the, what's the solution?

Jo Stewart-Rattray: Battle at the moment with myself determining what path... I want to refresh what we have, but how do, how do I make that look, you know, do I go down that bespoke path? Do I use something that's already out there, but it's neutral?

Garrett O'Hara: Hmm.

Jo Stewart-Rattray: And do I top and Tyler with perhaps of video from perhaps the CEO or from, you know, the, the, chief medical officer, that sort of stuff, you know, maybe, maybe that's what I need to do top and tail something else. So, it's, I actually still have a product that's not going to cost me a fortune, but by creating something bespoke, but having somebody who they trust and understand as being clinicians, as part of that, that overall offering.

Garrett O'Hara: And ultimately to get the message through, yeah, it's just, it's so, so critically important. It feels like the end user behavior changes become the conversation at the moment. how do we fix it? How do we fix the human risk side of things?

Jo Stewart-Rattray: The interesting thing is my master's degree, I have a major in educational psychology and everybody said, "The heck you're doing that for?" And I said, "Because I can just, I can see that lifespan developmental psychology or cognitive psychology are really, really important parts to the security landscape that we work in." And I'm so, so glad that I've done that because it really does help me in, in those people related parts of security.

And, you know, I think as a, as a CSO, there's more and more of that. I mean, there really are so much of what I do is, is either people or risk related, right? And even with the risk, you have to talk about to people about risky click behavior, for instance. And so, you have to frame it in terms that, that are going to be catchy, but they're going to understand what you mean quickly.

And so, and also understanding their behavior. And one of those things is, is, is if there is, demonstrable risky click behavior going on. Don't, don't crack it with somebody about it.

Garrett O'Hara: Yeah.

Jo Stewart-Rattray: Just have the discussion about, well, are you aware how risky that is? And it actually, what we can teach you here, you can take home and then be safe at home as well. So, it's, it's about that, giving them the what's in it for me and being understanding that they don't come from a Tech background. So, what they think is all right for them may not be all right for the organization.

Garrett O'Hara: Yep. Absolutely. The carrot versus stick is such an interesting one that it's, it's come up a few times, to be honest with you on the show, but also in previous conversations, there's one, a phase there where it today, the colder, the think tank though really was, it's sort of been more of a discussion on the open floor of visa, but it was really, really good. But there, there was commentary around the importance of culture when it comes to security and trust. And which, you know, you've mentioned already, but that idea that when something goes wrong, what you really need is an environment where people feel comfortable saying, "I might've made a mistake here. I want to let you know, rather than feeling, if I say anything about this, I'm going to get in so much trouble. So, I'm just going to pretend nothing happens."

Jo Stewart-Rattray: Yeah.

Garrett O'Hara: And then your end state is not where you want to be.

Jo Stewart-Rattray: It's interesting that you say that because, I did, I've done some work recently with the chief privacy officer and, the two of us did some webinars aimed, you know, for clinical staff, frontline staff. What happened was quite amazing was people were beginning to report things that might be a data breach.

Garrett O'Hara: Hmm.

Jo Stewart-Rattray: Not sure, but I'll report it. And one of the feedbacks that we kept getting was, "Jo, thank you so much. You made that process so easy." And, and we didn't feel like we were going to get the sack as a result of it, as it turned out, none of these were data breaches, but it was a fact, the fact that we just, we ran it through the process to prove, because we did say to them, look until we've run it through the protocol. We, we're not going to know whether this is a data breach or indeed, whether it's a notifiable data breach.

Garrett O'Hara: Hmm.

Jo Stewart-Rattray: And so, they were sort of hanging on it is thinking, Oh my gosh. And so, when we just we them through the whole process. And so, they came back with that, that confidence that we're trying to instill. So, to me, that was really great feedback. And so that's beginning to build the culture when you build a culture of security it's it doesn't happen overnight.

Garrett O'Hara: Yeah.

Jo Stewart-Rattray: I was involved with writing a, um a book years ago called dev- Creating A Culture of Security and that what we were talking about there was how you, s- you begin this process with having an intentional culture of security, right? So, you start off by being very, very conscious of everything that you do, and you instill, instill, instill, and you eventually, over a period of time, it just becomes like, we know how to sit properly in a chair. We know how, you know that we're supposed to get up every 20 minutes. All of that stuff that we do with WHS, we try and do that with security. So, at the end of the day, it becomes, it goes from being intentional security to unintentional security, where people just do it.

Garrett O'Hara: Hmm.

Jo Stewart-Rattray: So that's part of the culture.

Garrett O'Hara: You've reminded me of, you've probably seen the love when you're learning something, you know, the consciously incompetent, consciously competent, consciously, you know, the way it moves through the kind of four-

Jo Stewart-Rattray: Yeah.

Garrett O'Hara: ... four ends. But you end up at a point where you're unconsciously competent, you know, you just know how to do the thing and you know how to do it well.

Jo Stewart-Rattray: Yep.

Garrett O'Hara: Do you think Joe, so just based on your masters, that cyber security has become more of a, across, what would you call it cross skill or cross modal, endeavor, you know, that you need to actually now start to understand you're the business security Technology, people, behavior change, you know, educational approaches? Yeah.

Jo Stewart-Rattray: Absolutely. I think it's, I mean, it's, you're right. I think in fact I would call it, probably multimodal because that's really how we all... Uh, this is a learning process for all of us. Right?

Garrett O'Hara: Yeah.

Jo Stewart-Rattray: And so, we all learn, generally we prefer a multimodal approach, so different ways of receiving the same information so as it actually sticks. Uh, and so I think that's definitely the case when we're talking about security, not just security awareness, but just generally, in that developing a security culture. Yep.

Garrett O'Hara: Yep. No, I definitely, yeah, I see it more and more, you know, it's interesting that people that are coming across are people from HO or completely different backgrounds, but doing really, really good and meaningful work in cyber security could maybe pivot a little bit and maybe to the more practical side of things. And, you know, the thing that nobody likes talking about, which is, you know, often money and today's environments from a Technology perspective, incredibly complex, there's lots of places. People could spend money in terms of, you know, messaging security versus web versus wellness training, CASBY, sassy.

There are so many different sorts of thread until you can spend money, literally in hundreds of different areas. And, but you've got finite budget, but you are really good to, you know, get your thoughts and what of Technical areas you're going to get most buy-in from book from. And then also the balance between the Technology side of things, and then the people and where, where is it best to allocate resources and budget?

Jo Stewart-Rattray: I don't believe in guessing this stuff, right? Or finger in the air. I reckon fishing is my number one problem. I don't know that I actually do not know that unless I do some review type work. And I must say my predecessors at, at Silver Chain had done some really good work in that space, but then it was a case of, "Okay, so I have all of this information, I need to do something with it." And so that's when you start to plan it out and, and you're right, you can't spend all the money at once. So, you actually then have to look at what is my greatest risk. And then you have to, so, you know, then you get your colleagues from risk involved to have them look at what has been put into the risk register previously and how that works into the picture.

Um, and you know, there are some things that have to be continually reviewed, gap analysis, vulnerability assessment, all of that stuff, to understand where you are and what needs to be remediated immediately. So, like, this is, again, this is a multi-layered approach, right?

Garrett O'Hara: Mm-hmm [affirmative].

Jo Stewart-Rattray: It's not, and it's not one size fits all. So, what for my organization might be the biggest risk may not be for your organization. So again, we have to understand the organization and the business in which, the context of that business in which we operate. So, all of that is really important to me. So, I do think that, at every step we need to look at what we have in place as well. This is another piece of work that I've been doing. What do we have in place? What do we have, what capability in-house do we have? Do we have this enormous suite of very sophisticated tools with lots of overlaps, which are costing us money?

So, you need to actually then have a look at the rationalization of all of that as well. So that's another thing that I'm really hot on is ensuring that, that you have the tools you need to do your job and that they are actually serving the purpose for which they were intended. Also, could you get the best out of these tools? Could you get better?

Garrett O'Hara: Hmm.

Jo Stewart-Rattray: So that might mean bringing professional services in to ensure that you actually have these configured properly and that they are actually with are supposed to, complement one another. They do. So, in a nutshell, there's a heck of a lot of work to do.

Garrett O'Hara: It sounds like it I've just feel a sense of fatigue as you're talking through, you know, just like never, uh-

Jo Stewart-Rattray: Oh, and a tur-

Garrett O'Hara: turning points.

Jo Stewart-Rattray: And of course, Garry we'd forgotten the people part in that.

Garrett O'Hara: Yeah. Yeah.

Jo Stewart-Rattray: Then you have to make sure the people that you have running all of those tools, A, you've got enough of them and, and B, they have the training that they need and that, that training is continually updated.

Garrett O'Hara: A huge thing is retention. So that's the other part as well. Like the, you know, the perceived lack of people to do security roles, what your, like, what are your strategies for keeping staff once you get them now, training, I think is a big thing. People need to feel growth, but any other things that you do without giving too much away so that, you know, you're not giving away your trade secrets and retaining stuff.

Jo Stewart-Rattray: I think it's about, again, it's about cooperation and collaboration. I have, people who work with me who are fantastic. And so, I make sure that we operate in such a year. I have to make the hard decisions, but on lots of things will work together. And so, I listen, you know, I'm a great believer in listening. So, you know, I'll listen to what they're saying to me about a particular situation and ask the options. They'll give me options. And then also I might actually say to them, "So what would you do about that?" And so, they'll give me their thoughts on it.

So, and we'll work together to come to come to a decision that I ended up by making the hard decision, but it's, again, it's that collaboration, cooperation and treating people as equals that I think helps to keep people on board because they feel valued. You've got to them... People have to understand how valued they actually are.

Garrett O'Hara: So true. Do you, do you think there's a cultural thing in Australia? And the reason I'm saying this is because so many from the US pointed out a thing that I think is true and I'm, you can probably tell my accent is ours. So, I've been here 20 years, but you know, I'm a citizen or, you know, consider myself Australian, but, you know, I wasn't born here. So, I feel like I have a perspective on this, but I would love to get yours, which is the, I think maybe what you've just said, points to it.

There are other countries that I think when the boss says something, people look for ways to say, yeah, that's right. You know, and they all kind of fall in line and kind of potentially not the best decision gets made because, you know, people are playing politics and, you know, trying to keep their, keep their jobs and jostling for position and all that stuff.

And a comment was made that in Australia, there's a tendency for when you've described collaboration. But also, I would say sometimes that people are vocal with their opinions in a useful, I would hope a useful way where, my experience, the best leaders are the ones who understand that the people in the trenches quite often have the best insights in terms of how to solve problems or the things that are actually wrong.

Is it a cultural thing? Do you see that in Australia? And, and, and I say this, because I know you've, you've sort of traveled as well, and you've probably got a perspective of, you know, some of the positions you've held are global position. So, you, you, I suspect have an insight into other countries and cultural differences in terms of leadership and subordinates, if we want to use that word and having interact. so it's a really long question, but yeah.

Jo Stewart-Rattray: No, no. I'll tell you a story. I, I was, living in between here and Singapore at one point. And I remember when I took, I, I started off, I think I was a managing consultant or something in this particular firm.

Garrett O'Hara: Hmm.

Jo Stewart-Rattray: And when I, had base, I'd been going up to Singapore quite a lot. And then I became the director. And so, I went up as my first trip as director. And all of a sudden, I realized that people, who had always called me Jo before and now calling me Director, mm-hmm [affirmative]. Okay. Whatever. And then it suddenly dawned on me when one night when I'm sitting there, you know, I'm, I'm only going to go back to the hotel or I might treat myself to it to a gin and tonic at raffles on the way home, you know. Uh, but so I just kept working and it was about 6:30 and one of my colleagues came in and said, "Uh, Jo." "Uh, yeah." "Uh, you are going home tonight as well?"

I said, "Yeah. Well, I think so. I just want to finish this off." And he said, "Well, have a look out there." And I'm, "Oh my gosh, how come everybody's still here?" "You're the director now. They won't go home until you go home."

Garrett O'Hara: Yeah.

Jo Stewart-Rattray: And I went, "Oh." So it was, it was this real shock to me because it had never happened before. And so, I just assumed that having a new title, I still had essentially the same responsibilities, but I just hadn't bought that was going to be a thing. So, I of course quickly toggled home said good night to everybody. Thanks Luke way very much for pointing that out to me. and so yes, there are very different, practices in the way that we operate in certain places around the world. So, I think you're right. I think Australia is, we do, certainly, as you're saying, we have that sort of much more laid-back approach.

Uh, and, and people, I encourage people to tell me what they think. I don't always like it.

Garrett O'Hara: Yeah.

Jo Stewart-Rattray: But at least they told me. Right? And so, you have to be prepared for the hard conversations when that happens, but I, I definitely think it's different in different parts of the world. So, I think that that's something that, is fascinating to me. but I still encourage even everywhere I've worked overseas; I still encourage people to come and talk to me. And, you know, like in Singapore there was the joke about the, we call it a jurrian melon challenge to be a human being with these people. They sit or we're going out for the whole of the staff are going out for lunch today, but we're going to a local restaurant. You might not want to come with us. I went, "Yeah, I do."

And so, they said, "Okay." And so over the course of lunch, they laid the challenge down, which was, "We're going to get you to eat jurrian melon, but we're going to take it easy with you. Cause jurrian actually tastes fantastic, it just smells bad. So, we started off with cream puffs with, with jurrian, cream in it. Then we went to ice cream. Then we went to a pudding and eventually we got to the melon and they were waiting for me to spit this thing out. This was over a course of months. Right? And so, all of a sudden, I got a gold star because I ate the jurrian melon. So, you know, there's, I think that's one of the important things is to be a human being, right?

Garrett O'Hara: You, you, you beat me. So, my similar story is out of Manila and said, run a project over there that was successful. And part of it was that I took everybody for dinner and one of the team brought a bag of balut. If you're familiar with that, the basically essentially fried pig, but it's in a fetus format. And, yeah, it, it, it didn't go well for me, unfortunately, because there was a table full of people and I was pretty gung-ho about it thinking like actually pretty adventurous when it comes to food. And put it in my mouth, started cheering it. And there were two things, there's the taste and the texture.

Um, but at a table in a reasonably decent restaurant in Manila ended up having to spit it back out into a plastic bag, much to my shame and sugar. And I was looked back in that and I had a moment where I just, I, you know, when your body just will not cooperate, it wasn't something I could push through on. But it didn't quite make the gold star in my case, but I think they were hyper entertained by the fact that I gave it a good go and was willing to at least try. And I've always taken-

Jo Stewart-Rattray: There you go, you're a human being. You see, you showed that a heart is a human thing.

Garrett O'Hara: The one thing I'd take a little bit of heart from is that Anthony Bowden, who's also pretty adventurous with food. Also sat at a bar, tried it and said, "Nah, this is not for me." So, I feel like-

Jo Stewart-Rattray: Really?

Garrett O'Hara: Yeah.

Jo Stewart-Rattray: Cause Bowden, the things Bowden used to put in his mouth used to stunned me.

Garrett O'Hara: Exactly. So, I feel like a little bit like I didn't let the team down so much, but there you go.

Big. Thanks again to Jo for that conversation. Part two will be released soon as we move into the topic of Gender Diversity and Diversity in general, as always thank you for listening to the ghetto Brazilian podcast, jump into our backer look and like subscribe and leave us a review. For now, I look forward to catching you on the next episode

Principal Technical Consultant

Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.

User Name
Garrett O'Hara